#260 CRITICAL: OAuth login allows any Google user to get JWT without tenant membership
Description
## Security Vulnerability
### Problem
OAuth login generates a JWT for ANY Google user with any tenant_id (defaults to 'default') without checking whether the user has any roles or memberships in the auth system.
### Impact
- Random Google users can obtain valid JWT tokens
- The JWT contains a tenant_id they don't belong to
- RBAC blocks most API calls, but the user still holds a valid session
- Potential for information disclosure or privilege escalation
### Current Flow (Broken)
1. User clicks Google login with ?tenant_id=X
2. Google authenticates user
3. JWT generated with tenant_id=X (NO MEMBERSHIP CHECK)
4. User gets valid JWT even if they have no access
### Required Fix
1. After Google auth succeeds, check auth_rbac.auth_membership for user's email
2. Get list of tenants user has active memberships in
3. If NO memberships in ANY tenant → REJECT login (401)
4. If memberships exist but NOT in requested tenant → use first valid tenant OR reject
5. Only generate JWT for tenants user actually has access to
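The membership check described in steps 1-5, as an added example (not the project's oauth2_callback() code): it assumes auth_rbac.auth_membership rows can be represented as (email, tenant_id, active) records and that the JWT itself is signed elsewhere from the returned claims. A constructed membership table stands in for the database.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Membership:
    # Assumed shape of an auth_rbac.auth_membership row
    email: str
    tenant_id: str
    active: bool

# Constructed sample rows standing in for auth_rbac.auth_membership
SAMPLE_MEMBERSHIPS = [
    Membership("alice@example.com", "acme", True),
    Membership("alice@example.com", "globex", False),   # revoked membership
    Membership("bob@example.com", "globex", True),
]

def active_tenants_for(email, memberships):
    """Steps 1-2: tenants where this email has an active membership (row order kept)."""
    return [m.tenant_id for m in memberships
            if m.email.lower() == email.lower() and m.active]

def oauth2_callback_claims(google_email, requested_tenant_id=None,
                           memberships=SAMPLE_MEMBERSHIPS, allow_fallback=True):
    """Run after Google has authenticated google_email.

    Returns (http_status, claims): (200, {...}) only when a JWT may be issued
    for a tenant the user actually belongs to, (401, None) otherwise.
    """
    requested = requested_tenant_id or "default"   # mirrors the current 'default' behaviour
    tenants = active_tenants_for(google_email, memberships)
    if not tenants:
        return 401, None                           # step 3: no membership in any tenant
    if requested in tenants:
        return 200, {"sub": google_email, "tenant_id": requested}   # step 5
    if allow_fallback:                             # step 4: first valid tenant ...
        return 200, {"sub": google_email, "tenant_id": tenants[0]}
    return 401, None                               # ... or reject
```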
### Files to Modify
- api/oauth_handlers/oauth2.py - oauth2_callback() function
- May need helper in engine/security/auth_wrapper.py
### Testing
- Login as user with roles → should succeed
- Login as user without roles → should fail with clear error
- Login with wrong tenant_id → should redirect to valid tenant or fail