feat: The Other Dude v9.0.1 — full-featured email system

ci: add GitHub Pages deployment workflow for docs site

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

backend/app/routers/device_groups.py

@@ -0,0 +1,94 @@
+"""
+Device group management API endpoints.
+
+Routes: /api/tenants/{tenant_id}/device-groups
+
+RBAC:
+- viewer: GET (read-only)
+- operator: POST, PUT (write)
+- tenant_admin/admin: DELETE
+"""
+
+import uuid
+
+from fastapi import APIRouter, Depends, status
+from sqlalchemy.ext.asyncio import AsyncSession
+
+from app.database import get_db
+from app.middleware.rbac import require_operator_or_above, require_tenant_admin_or_above
+from app.middleware.tenant_context import CurrentUser, get_current_user
+from app.routers.devices import _check_tenant_access
+from app.schemas.device import DeviceGroupCreate, DeviceGroupResponse, DeviceGroupUpdate
+from app.services import device as device_service
+
+router = APIRouter(tags=["device-groups"])
+
+
+@router.get(
+    "/tenants/{tenant_id}/device-groups",
+    response_model=list[DeviceGroupResponse],
+    summary="List device groups",
+)
+async def list_groups(
+    tenant_id: uuid.UUID,
+    current_user: CurrentUser = Depends(get_current_user),
+    db: AsyncSession = Depends(get_db),
+) -> list[DeviceGroupResponse]:
+    """List all device groups for a tenant. Viewer role and above."""
+    await _check_tenant_access(current_user, tenant_id, db)
+    return await device_service.get_groups(db=db, tenant_id=tenant_id)
+
+
+@router.post(
+    "/tenants/{tenant_id}/device-groups",
+    response_model=DeviceGroupResponse,
+    status_code=status.HTTP_201_CREATED,
+    summary="Create a device group",
+    dependencies=[Depends(require_operator_or_above)],
+)
+async def create_group(
+    tenant_id: uuid.UUID,
+    data: DeviceGroupCreate,
+    current_user: CurrentUser = Depends(get_current_user),
+    db: AsyncSession = Depends(get_db),
+) -> DeviceGroupResponse:
+    """Create a new device group. Requires operator role or above."""
+    await _check_tenant_access(current_user, tenant_id, db)
+    return await device_service.create_group(db=db, tenant_id=tenant_id, data=data)
+
+
+@router.put(
+    "/tenants/{tenant_id}/device-groups/{group_id}",
+    response_model=DeviceGroupResponse,
+    summary="Update a device group",
+    dependencies=[Depends(require_operator_or_above)],
+)
+async def update_group(
+    tenant_id: uuid.UUID,
+    group_id: uuid.UUID,
+    data: DeviceGroupUpdate,
+    current_user: CurrentUser = Depends(get_current_user),
+    db: AsyncSession = Depends(get_db),
+) -> DeviceGroupResponse:
+    """Update a device group. Requires operator role or above."""
+    await _check_tenant_access(current_user, tenant_id, db)
+    return await device_service.update_group(
+        db=db, tenant_id=tenant_id, group_id=group_id, data=data
+    )
+
+
+@router.delete(
+    "/tenants/{tenant_id}/device-groups/{group_id}",
+    status_code=status.HTTP_204_NO_CONTENT,
+    summary="Delete a device group",
+    dependencies=[Depends(require_tenant_admin_or_above)],
+)
+async def delete_group(
+    tenant_id: uuid.UUID,
+    group_id: uuid.UUID,
+    current_user: CurrentUser = Depends(get_current_user),
+    db: AsyncSession = Depends(get_db),
+) -> None:
+    """Delete a device group. Requires tenant_admin or above."""
+    await _check_tenant_access(current_user, tenant_id, db)
+    await device_service.delete_group(db=db, tenant_id=tenant_id, group_id=group_id)