🏠 Overview ✅ Implementation Tasks ✅ epic-organization-selection-and-onboarding-core-logic-task-008

Define OrgSelectionService interface and error model

epic-organization-selection-and-onboarding-core-logic-task-008 — Define the abstract OrgSelectionService interface including the selectOrg(orgId) method signature, OrgSelectionResult (success/deactivated/unavailable/networkError discriminated union), and the error recovery contract. Define the OrgDeactivatedMidFlowException that handles the critical edge case identified in requirements workshops.

critical priority low complexity backend pending backend specialist Tier 1

Acceptance Criteria

Abstract OrgSelectionService class is defined with a single public method: Future<OrgSelectionResult> selectOrg(String orgId)
OrgSelectionResult is a sealed/freezed discriminated union with exactly four variants: success, deactivated, unavailable, networkError
OrgDeactivatedMidFlowException is defined as a typed exception class with orgId, detectedAt, and a human-readable reason field
The interface file contains no implementation logic — only abstract declarations and data class definitions
OrgSelectionResult.success carries a reference to the confirmed org profile (or its ID) so callers do not need to re-fetch
OrgSelectionResult.networkError includes a retryable boolean field to guide UI retry affordance
All types are exported from a single barrel file for clean import ergonomics
The interface is documented with a contract comment describing the expected execution sequence and error recovery strategy
A fake/stub implementation of OrgSelectionService is provided alongside the interface for use in tests and widget previews

Technical Requirements

frameworks
Flutter
Riverpod
freezed (or sealed classes)
data models
assignment
performance requirements
Interface definition has zero runtime overhead — pure abstract class with no state
security requirements
OrgSelectionResult must never carry raw credentials, tokens, or PII beyond the minimum org identifier needed by callers

Execution Context

Execution Tier
Tier 1

Tier 1 - 540 tasks

Can start after Tier 0 completes

Implementation Notes

Use Dart sealed classes (Dart 3+) or the freezed package for OrgSelectionResult to enable exhaustive pattern matching in switch expressions — this prevents future variants being silently ignored. Place the interface and result types in lib/features/org_selection/domain/. Follow the clean architecture convention: domain layer has no Flutter or Supabase imports. OrgDeactivatedMidFlowException should extend a base AppException class if one exists in the project, ensuring consistent error handling across the codebase.

The fake implementation should default to returning OrgSelectionResult.success for the happy path, with configurable overrides for each failure variant — useful for golden tests and Storybook-equivalent widget previews.

Testing Requirements

Unit tests: verify OrgSelectionResult pattern matching covers all four variants without requiring a default branch (exhaustive switch). Test that OrgDeactivatedMidFlowException serializes and deserializes correctly for logging purposes. Test that the fake/stub implementation satisfies the interface contract for each result variant. No integration tests required at this stage — this task is interface definition only.

Component
Organization Selection Service
service low
Dependencies (1)
Define the abstract TenantContextService interface, TenantContext state model (org_id, branding tokens, feature flags, terminology labels, status), and the Riverpod StateNotifier contract. Establish the lifecycle methods: load, clear, and refresh. This interface is the contract that OrgSelectionService and OrgRouteGuard will depend on. epic-organization-selection-and-onboarding-core-logic-task-004
Epic Risks (4)
high impact medium prob technical

TenantContextService must invalidate all downstream Riverpod providers when the org context changes (org switch scenario). If any provider caches org-specific data without subscribing to the tenant context, it will serve stale data from the previous org after a switch — which is both a UX failure and a potential GDPR violation.

Mitigation & Contingency

Mitigation: Define a single TenantContextProvider at the root of the Riverpod provider graph that all org-scoped providers depend on via ref.watch(). When TenantContextService.seedContext() runs, it invalidates TenantContextProvider which cascades invalidation to all dependents. Document this pattern in an architectural decision record so all developers follow it.

Contingency: Implement a post-switch integrity check that re-fetches a sample of each major data entity type and confirms the returned org_id matches the newly selected context; surface a reload prompt if any mismatch is detected.

medium impact medium prob security

MultiOrgMembershipResolver must query role assignments across potentially multiple tenant schemas. The anon or authenticated Supabase RLS policy may not permit cross-schema queries, making it impossible to return the full list of orgs a user belongs to in a single call.

Mitigation & Contingency

Mitigation: Design the membership query to use a dedicated Supabase edge function or a shared public schema view that aggregates role assignments across tenant schemas with a service-role key, returning only the org IDs the calling user is permitted to see. This keeps the client read-only.

Contingency: If cross-schema queries cannot be made safely, fall back to a per-org sequential membership check using the list of known org IDs and coalesce results client-side with appropriate timeout handling.

medium impact low prob technical

go_router redirect guards behave differently on web vs. mobile for deep links and browser back-button navigation. If the app is later deployed as a Progressive Web App (PWA) for admin use, the OrgRouteGuard may loop or fail to apply correctly on browser navigation events.

Mitigation & Contingency

Mitigation: Implement the guard as a GoRouter.redirect callback (not a ShellRoute redirect) following go_router best practices for platform-agnostic guards. Write widget tests that simulate navigation with and without auth/org context on both mobile and web target platforms in CI.

Contingency: If web-specific guard behaviour differs unacceptably, introduce a platform check in the guard and apply separate redirect logic branches for web vs. mobile until a unified solution is found.

medium impact medium prob scope

In Phase 2 the OrgSelectionService will need to coordinate the handoff to BankID/Vipps authentication after the org is selected, storing the returned personnummer against the correct tenant's member record. If the service is designed too narrowly for Phase 1 email/password flow, retrofitting Phase 2 will require invasive changes to an already-tested component.

Mitigation & Contingency

Mitigation: Design OrgSelectionService with an AuthHandoffStrategy interface from the start (Phase 1 implementation: email/password, Phase 2: BankID/Vipps). The strategy pattern makes the Phase 2 swap an additive change rather than a rewrite. Stub the interface in Phase 1 with a TODO comment referencing the Phase 2 epic.

Contingency: If Phase 2 requirements diverge significantly from Phase 1 assumptions, create a dedicated Phase2OrgSelectionService subclass that extends the base and overrides the auth handoff step, preserving Phase 1 behaviour unchanged.

Quick Links
All Tasks Execution Plan