Edit Issue #260
## Security Vulnerability

### Problem

OAuth login generates a JWT for ANY Google user with any tenant_id (defaults to 'default') without checking whether the user has any roles/memberships in the auth system.

### Impact

- Random Google users can obtain valid JWT tokens
- The JWT contains a tenant_id they don't belong to
- RBAC blocks most API calls, but the user still gets a valid session
- Potential for information disclosure or privilege escalation

### Current Flow (Broken)

1. User clicks Google login with ?tenant_id=X
2. Google authenticates the user
3. JWT generated with tenant_id=X (NO MEMBERSHIP CHECK)
4. User gets a valid JWT even if they have no access

### Required Fix

1. After Google auth succeeds, check auth_rbac.auth_membership for the user's email
2. Get the list of tenants the user has active memberships in
3. If NO memberships in ANY tenant → REJECT login (401)
4. If memberships exist but NOT in the requested tenant → use the first valid tenant OR reject
5. Only generate a JWT for tenants the user actually has access to

### Files to Modify

- api/oauth_handlers/oauth2.py - oauth2_callback() function
- May need a helper in engine/security/auth_wrapper.py

### Testing

- Login as user with roles → should succeed
- Login as user without roles → should fail with a clear error
- Login with wrong tenant_id → should redirect to a valid tenant or fail
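The membership check described under "Required Fix", as an added illustration that is not the project's code: the function names (`active_tenants`, `resolve_login_tenant`, `issue_jwt_claims`) and the in-memory membership rows standing in for auth_rbac.auth_membership are hypothetical, and the "wrong tenant" case takes the redirect-to-first-valid-tenant option rather than rejecting.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed stand-in for auth_rbac.auth_membership rows: (email, tenant_id, active).
# Hypothetical sample data, not taken from the project.
MEMBERSHIPS = [
    ("alice@example.com", "acme", True),
    ("alice@example.com", "globex", True),
    ("bob@example.com", "acme", False),   # revoked membership: must not grant a session
]


def active_tenants(email: str, rows=MEMBERSHIPS) -> List[str]:
    """Tenants in which `email` holds an active membership, in table order (fix steps 1-2)."""
    return [tenant for (row_email, tenant, active) in rows if row_email == email and active]


@dataclass
class LoginDecision:
    status: int                 # 200 when a JWT may be issued, 401 when login is rejected
    tenant_id: Optional[str]    # tenant the JWT is scoped to, None on rejection
    reason: str                 # clear error / audit message for the caller


def resolve_login_tenant(email: str, requested_tenant: Optional[str], rows=MEMBERSHIPS) -> LoginDecision:
    """Run after Google has authenticated `email`; decides whether and for which tenant to mint a JWT."""
    tenants = active_tenants(email, rows)
    if not tenants:
        # Step 3: authenticated by Google but unknown to RBAC -> reject with 401
        return LoginDecision(401, None, "no active membership in any tenant")
    requested = requested_tenant or "default"   # mirrors the handler's 'default' fallback
    if requested in tenants:
        return LoginDecision(200, requested, "requested tenant authorised")
    # Step 4: requested tenant not authorised -> fall back to the first tenant the user belongs to
    return LoginDecision(200, tenants[0], f"redirected from {requested!r} to a valid tenant")


def issue_jwt_claims(email: str, decision: LoginDecision) -> dict:
    """Step 5: build JWT claims only from a successful decision, never from the raw query parameter."""
    if decision.status != 200 or decision.tenant_id is None:
        raise PermissionError(decision.reason)
    return {"sub": email, "tenant_id": decision.tenant_id}
```

The three "Testing" scenarios from the issue map directly onto `resolve_login_tenant`: a user with roles gets 200 and their tenant, a user with none (or only revoked rows) gets 401, and a wrong tenant_id is replaced by a tenant the user actually belongs to.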