fix: clean migration, cross-team isolation test, and PUT field-set fix for target_lists

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

backend/tests/test_target_lists.py

@@ -105,3 +105,49 @@ async def test_delete_target_list(client: AsyncClient, auth_headers: dict):
 
     get = await client.get(f"/api/v1/target-lists/{list_id}", headers=auth_headers)
     assert get.status_code == 404
+
+@pytest.mark.asyncio
+async def test_cannot_access_other_teams_list(client: AsyncClient, auth_headers: dict, test_db):
+    """User from team B cannot access team A's list."""
+    import uuid
+    from app.models.team import Team
+    from app.models.user import User
+    from app.core.security import get_password_hash
+
+    # Create team A list using existing auth_headers
+    create = await client.post(
+        "/api/v1/target-lists/",
+        json={"name": "Team A List", "targets": [{"label": "SRV-A"}]},
+        headers=auth_headers,
+    )
+    assert create.status_code == 201
+    list_id = create.json()["id"]
+
+    # Create a separate team B with its own user
+    team_b = Team(name=f"Team B {uuid.uuid4()}")
+    test_db.add(team_b)
+    await test_db.flush()
+
+    user_b = User(
+        email=f"userb_{uuid.uuid4()}@test.com",
+        password_hash=get_password_hash("password123"),
+        name="User B",
+        is_active=True,
+        team_id=team_b.id,
+        role="engineer",
+    )
+    test_db.add(user_b)
+    await test_db.flush()
+
+    # Get auth token for user B
+    login = await client.post(
+        "/api/v1/auth/login/json",
+        json={"email": user_b.email, "password": "password123"},
+    )
+    assert login.status_code == 200
+    token_b = login.json()["access_token"]
+    headers_b = {"Authorization": f"Bearer {token_b}"}
+
+    # Team B cannot access Team A's list
+    resp = await client.get(f"/api/v1/target-lists/{list_id}", headers=headers_b)
+    assert resp.status_code == 404