Seperate Exec membership from Org admin (#343)

This allows us to have some people who are not exec representatives but
do have org admin privileges.

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
* Exec Council membership is now synced asynchronously via a background
workflow; a new background sync operation can be triggered.

* **Refactor**
* Voting-lead discovery now aggregates leads across organizations with
stronger consistency and expanded lead details.
* GitHub team parent reference can be omitted and parent-team config key
renamed for clarity.
  
* **Style**
* Non-voting member wording updated to reference the specific
organization.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

Author: devksingh4

src/api/functions/github.ts

@@ -6,7 +6,7 @@ import { Octokit } from "octokit";
 export interface CreateGithubTeamInputs {
   githubToken: string;
   orgId: string;
-  parentTeamId: number;
+  parentTeamId?: number;
   name: string;
   description?: string;
   privacy?: "secret" | "closed";

src/api/functions/organizations.ts

@@ -101,7 +101,13 @@ export async function getOrgInfo({
               name: x.name,
               username: x.username,
               title: x.title,
-            }) as { name: string; username: string; title: string | undefined },
+              nonVotingMember: x.nonVotingMember || false,
+            }) as {
+              name: string;
+              username: string;
+              title: string | undefined;
+              nonVotingMember: boolean;
+            },
         );
       response = { ...response, leads: unmarshalledLeads };
     }
@@ -525,42 +531,106 @@ export const removeLead = async ({
 };
 
 /**
- * Returns the Microsoft 365 Dynamic User query to return all members of all lead groups.
- * Currently used to setup the Exec member list.
+ * Returns all voting org leads across all organizations.
+ * Uses consistent reads to avoid eventual consistency issues.
  * @param dynamoClient A DynamoDB client.
- * @param includeGroupIds Used to ensure that a specific group ID is included (Scan could be eventually consistent.)
+ * @param logger A logger instance.
  */
-export async function getLeadsM365DynamicQuery({
+export async function getAllVotingLeads({
   dynamoClient,
-  includeGroupIds,
+  logger,
 }: {
   dynamoClient: DynamoDBClient;
-  includeGroupIds?: string[];
-}): Promise<string | null> {
-  const command = new ScanCommand({
-    TableName: genericConfig.SigInfoTableName,
-    IndexName: "LeadsGroupIdIndex",
+  logger: ValidLoggers;
+}): Promise<
+  Array<{ username: string; org: string; name: string; title: string }>
+> {
+  // Query all organizations in parallel for better performance
+  const queryPromises = AllOrganizationNameList.map(async (orgName) => {
+    const leadsQuery = new QueryCommand({
+      TableName: genericConfig.SigInfoTableName,
+      KeyConditionExpression: "primaryKey = :leadName",
+      ExpressionAttributeValues: {
+        ":leadName": { S: `LEAD#${orgName}` },
+      },
+      ConsistentRead: true,
+    });
+
+    try {
+      const responseMarshall = await dynamoClient.send(leadsQuery);
+      if (responseMarshall.Items) {
+        return responseMarshall.Items.map((x) => unmarshall(x))
+          .filter((x) => x.username && !x.nonVotingMember)
+          .map((x) => ({
+            username: x.username as string,
+            org: orgName,
+            name: x.name as string,
+            title: x.title as string,
+          }));
+      }
+      return [];
+    } catch (e) {
+      if (e instanceof BaseError) {
+        throw e;
+      }
+      logger.error(e);
+      throw new DatabaseFetchError({
+        message: `Failed to get leads for org ${orgName}.`,
+      });
+    }
   });
-  const results = await dynamoClient.send(command);
-  if (!results || !results.Items || results.Items.length === 0) {
-    return null;
-  }
-  const entries = results.Items.map((x) => unmarshall(x)) as {
-    primaryKey: string;
-    leadsEntraGroupId: string;
-  }[];
-  const groupIds = entries
-    .filter((x) => x.primaryKey.startsWith("DEFINE#"))
-    .map((x) => x.leadsEntraGroupId);
-
-  if (groupIds.length === 0) {
-    return null;
+
+  const results = await Promise.all(queryPromises);
+  return results.flat();
+}
+
+/**
+ * Checks if a user should remain in exec council by verifying they are a voting lead of at least one org.
+ * Uses consistent reads to avoid eventual consistency issues.
+ * @param username The username to check.
+ * @param dynamoClient A DynamoDB client.
+ * @param logger A logger instance.
+ */
+export async function shouldBeInExecCouncil({
+  username,
+  dynamoClient,
+  logger,
+}: {
+  username: string;
+  dynamoClient: DynamoDBClient;
+  logger: ValidLoggers;
+}): Promise<boolean> {
+  // Query all orgs to see if this user is a voting lead of any org
+  for (const orgName of AllOrganizationNameList) {
+    const leadsQuery = new QueryCommand({
+      TableName: genericConfig.SigInfoTableName,
+      KeyConditionExpression: "primaryKey = :leadName AND entryId = :username",
+      ExpressionAttributeValues: {
+        ":leadName": { S: `LEAD#${orgName}` },
+        ":username": { S: username },
+      },
+      ConsistentRead: true,
+    });
+
+    try {
+      const responseMarshall = await dynamoClient.send(leadsQuery);
+      if (responseMarshall.Items && responseMarshall.Items.length > 0) {
+        const lead = unmarshall(responseMarshall.Items[0]);
+        // If they're a lead and not a non-voting member, they should be in exec
+        if (!lead.nonVotingMember) {
+          return true;
+        }
+      }
+    } catch (e) {
+      if (e instanceof BaseError) {
+        throw e;
+      }
+      logger.error(e);
+      throw new DatabaseFetchError({
+        message: `Failed to check lead status for ${username} in org ${orgName}.`,
+      });
+    }
   }
 
-  const formattedGroupIds = [
-    ...new Set([...(includeGroupIds || []), ...groupIds]),
-  ]
-    .map((id) => `'${id}'`)
-    .join(", ");
-  return `user.memberOf -any (group.objectId -in [${formattedGroupIds}])`;
+  return false;
 }

src/api/routes/organizations.ts

@@ -1,9 +1,5 @@
-import { FastifyError, FastifyPluginAsync } from "fastify";
-import {
-  AllOrganizationNameList,
-  getOrgByName,
-  Organizations,
-} from "@acm-uiuc/js-shared";
+import { FastifyPluginAsync } from "fastify";
+import { AllOrganizationNameList, getOrgByName } from "@acm-uiuc/js-shared";
 import rateLimiter from "api/plugins/rateLimiter.js";
 import { withRoles, withTags } from "api/components/index.js";
 import { z } from "zod/v4";
@@ -23,7 +19,6 @@ import {
 } from "common/errors/index.js";
 import {
   addLead,
-  getLeadsM365DynamicQuery,
   getOrgInfo,
   removeLead,
   SQSMessage,
@@ -35,8 +30,6 @@ import {
   TransactWriteItemsCommand,
 } from "@aws-sdk/client-dynamodb";
 import {
-  execCouncilGroupId,
-  execCouncilTestingGroupId,
   genericConfig,
   notificationRecipients,
   roleArns,
@@ -46,20 +39,12 @@ import { buildAuditLogTransactPut } from "api/functions/auditLog.js";
 import { Modules } from "common/modules.js";
 import { authorizeByOrgRoleOrSchema } from "api/functions/authorization.js";
 import { checkPaidMembership } from "api/functions/membership.js";
-import {
-  createM365Group,
-  getEntraIdToken,
-  setGroupMembershipRule,
-} from "api/functions/entraId.js";
+import { createM365Group, getEntraIdToken } from "api/functions/entraId.js";
 import { SecretsManagerClient } from "@aws-sdk/client-secrets-manager";
 import { getRoleCredentials } from "api/functions/sts.js";
-import { SendMessageCommand, SQSClient } from "@aws-sdk/client-sqs";
+import { SQSClient } from "@aws-sdk/client-sqs";
 import { sendSqsMessagesInBatches } from "api/functions/sqs.js";
 import { retryDynamoTransactionWithBackoff } from "api/utils.js";
-import {
-  assignIdpGroupsToTeam,
-  createGithubTeam,
-} from "api/functions/github.js";
 import { SKIP_EXTERNAL_ORG_LEAD_UPDATE } from "common/overrides.js";
 import { AvailableSQSFunctions, SQSPayload } from "common/types/sqsMessage.js";
 
@@ -499,20 +484,8 @@ const organizationsPlugin: FastifyPluginAsync = async (fastify, _options) => {
             `Store Entra group ID for ${request.params.orgId}`,
           );
 
-          // Update dynamic membership query
-          const newQuery = await getLeadsM365DynamicQuery({
-            dynamoClient: fastify.dynamoClient,
-            includeGroupIds: [entraGroupId],
-          });
-          if (newQuery) {
-            const groupToUpdate =
-              fastify.runEnvironment === "prod"
-                ? execCouncilGroupId
-                : execCouncilTestingGroupId;
-            request.log.info("Changing Exec group membership dynamic query...");
-            await setGroupMembershipRule(entraIdToken, groupToUpdate, newQuery);
-            request.log.info("Changed Exec group membership dynamic query!");
-          }
+          // Note: Exec council membership is now managed via SQS sync handler
+          // instead of dynamic membership rules
         } catch (e) {
           request.log.error(e, "Failed to create Entra group");
           throw new InternalServerError({
@@ -589,6 +562,19 @@ const organizationsPlugin: FastifyPluginAsync = async (fastify, _options) => {
           };
         sqsPayloads.push(sqsPayload);
       }
+
+      // Queue exec council sync to ensure voting members are added/removed
+      const syncExecPayload: SQSPayload<AvailableSQSFunctions.SyncExecCouncil> =
+        {
+          function: AvailableSQSFunctions.SyncExecCouncil,
+          metadata: {
+            initiator: request.username!,
+            reqId: request.id,
+          },
+          payload: {},
+        };
+      sqsPayloads.push(syncExecPayload);
+
       if (sqsPayloads.length > 0) {
         await sendSqsMessagesInBatches({
           sqsClient: fastify.sqsClient,

src/api/sqs/handlers/createOrgGithubTeam.ts

@@ -91,7 +91,7 @@ export const createOrgGithubTeamHandler: SQSHandlerFunction<
       const { updated, id: teamId } = await createGithubTeam({
         orgId: currentEnvironmentConfig.GithubOrgName,
         githubToken: secretConfig.github_pat,
-        parentTeamId: currentEnvironmentConfig.ExecGithubTeam,
+        parentTeamId: currentEnvironmentConfig.OrgAdminGithubParentTeam,
         name: finalName,
         description: githubTeamDescription,
         logger,

src/api/sqs/handlers/index.ts

@@ -4,3 +4,4 @@ export { provisionNewMemberHandler } from "./provisionNewMember.js";
 export { sendSaleEmailHandler } from "./sendSaleEmailHandler.js";
 export { emailNotificationsHandler } from "./emailNotifications.js";
 export { createOrgGithubTeamHandler } from "./createOrgGithubTeam.js";
+export { syncExecCouncilHandler } from "./syncExecCouncil.js";