musadaq-saas/app/modules_app/companies/index.php

<?php
/**
* List Companies Endpoint (Synchronized Schema)
*/
use App\Core\Database;
use App\Core\Encryption;
use App\Middleware\AuthMiddleware;
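// Lists companies for the authenticated caller: all tenants for a super admin,
// otherwise only the caller's own tenant. Encrypted display fields are decrypted
// and the JoFotara credential columns are stripped before the rows are returned.
$decoded = AuthMiddleware::check();
$db = Database::getInstance();

try {
    // NOTE(review): both queries select every column and rely on the unset()
    // calls below to drop secrets. That is a deny-list: a sensitive column added
    // to `companies` later is returned unless it is also unset here. An explicit
    // column list would fail closed.
    if ($decoded['role'] === 'super_admin') {
        // 1. Super admin sees ALL non-deleted companies, with the owning tenant's name.
        $stmt = $db->prepare("SELECT c.*, t.name as tenant_name
            FROM companies c
            LEFT JOIN tenants t ON c.tenant_id = t.id
            WHERE c.deleted_at IS NULL ORDER BY c.created_at DESC");
        $stmt->execute();
    } else {
        // 2. Tenant users (admin, accountant, employee) see the companies of their tenant.
        // The tenant boundary is a bound parameter taken from the AuthMiddleware::check()
        // result, not from request parameters.
        $stmt = $db->prepare("SELECT * FROM companies WHERE tenant_id = ? AND deleted_at IS NULL ORDER BY created_at DESC");
        $stmt->execute([$decoded['tenant_id']]);
    }
    $companies = $stmt->fetchAll();

    // 3. Decrypt display fields and strip credential columns, row by row.
    foreach ($companies as &$company) {
        // If decrypt() returns false the stored value is passed through unchanged.
        // NOTE(review): presumably this tolerates rows stored before encryption was
        // introduced; confirm, because a failed decrypt sends the stored value
        // (possibly ciphertext) to the client.
        $decryptedName = Encryption::decrypt($company['name']);
        if ($decryptedName !== false) {
            $company['name'] = $decryptedName;
        }

        if (!empty($company['name_en'])) {
            $decryptedNameEn = Encryption::decrypt($company['name_en']);
            if ($decryptedNameEn !== false) {
                $company['name_en'] = $decryptedNameEn;
            }
        }

        // JoFotara credentials and the certificate password never leave the server,
        // not even in encrypted form.
        unset(
            $company['jofotara_client_id_encrypted'],
            $company['jofotara_secret_key_encrypted'],
            $company['certificate_password_encrypted']
        );

        // tenant_name is only present in the super-admin result set.
        if (isset($company['tenant_name'])) {
            $decTenantName = Encryption::decrypt($company['tenant_name']);
            if ($decTenantName !== false) {
                $company['tenant_name'] = $decTenantName;
            }
        }
    }
    // Break the by-reference binding so a later use of $company cannot overwrite
    // the last row.
    unset($company);

    json_success($companies);
} catch (\Exception $e) {
    // Keep the detail server-side: exception messages from the database layer can
    // expose table names, column names and query text to the API client.
    error_log('Companies list failed: ' . $e->getMessage());
    json_error('Failed to load companies', 500);
}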