fix: add cross-team authorization to maintenance schedule endpoints

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

backend/tests/test_maintenance_schedules.py

@@ -96,3 +96,45 @@ async def test_get_schedule_not_found(client: AsyncClient, auth_headers: dict):
     tree_id = await _create_maintenance_tree(client, auth_headers)
     resp = await client.get(f"/api/v1/maintenance-schedules/tree/{tree_id}", headers=auth_headers)
     assert resp.status_code == 404
+
+
+@pytest.mark.asyncio
+async def test_cannot_schedule_other_teams_tree(client: AsyncClient, auth_headers: dict, test_db):
+    """User cannot create a schedule for a tree belonging to another team."""
+    import uuid as _uuid
+    from app.models.team import Team
+    from app.models.tree import Tree
+
+    # Create a tree belonging to a DIFFERENT team directly in DB
+    other_team = Team(name=f"Other Team {_uuid.uuid4()}")
+    test_db.add(other_team)
+    await test_db.flush()
+
+    other_tree = Tree(
+        name="Other Team Tree",
+        tree_type="maintenance",
+        team_id=other_team.id,
+        tree_structure={
+            "steps": [
+                {"id": "s1", "type": "procedure_step", "title": "Step",
+                 "description": "Do it", "content_type": "action"},
+                {"id": "end", "type": "procedure_end", "title": "Done"},
+            ]
+        },
+        status="published",
+        visibility="team",
+    )
+    test_db.add(other_tree)
+    await test_db.flush()
+
+    # Current user (from auth_headers) tries to schedule it
+    resp = await client.post(
+        "/api/v1/maintenance-schedules",
+        json={
+            "tree_id": str(other_tree.id),
+            "cron_expression": "0 9 1 * *",
+            "timezone": "UTC",
+        },
+        headers=auth_headers,
+    )
+    assert resp.status_code in (403, 404)  # either is acceptable