From 7d592d476138661f4ab2b62b026e2269a07f51f0 Mon Sep 17 00:00:00 2001
From: Ryan Arakawa <arakawa.ryan@gmail.com>
Date: Tue, 30 Sep 2025 16:08:40 -0500
Subject: [PATCH 1/5] CP-11138 partnership refactor (#22)

* account group to partnership rename

* this is mostly converting the name account_group => partnership

* partnership user relationships are API request based

* so we don't need to maintain relational information in two databases, this many to many relationship is now handled via API context

* rubocop and test fixes
---
 app/controllers/templates_controller.rb       |  2 +-
 app/models/account.rb                         | 11 +---
 app/models/account_group.rb                   | 36 ------------
 .../concerns/account_group_validation.rb      | 19 -------
 app/models/concerns/partnership_validation.rb | 19 +++++++
 app/models/export_location.rb                 | 22 ++++----
 app/models/partnership.rb                     | 36 ++++++++++++
 app/models/template.rb                        | 14 ++---
 app/models/template_folder.rb                 | 28 +++++-----
 app/models/user.rb                            | 18 ------
 app/services/external_auth_service.rb         | 47 +++++++++++-----
 app/services/template_service.rb              | 15 ++++-
 ...0_rename_account_groups_to_partnerships.rb | 18 ++++++
 db/schema.rb                                  | 37 ++++++------
 lib/abilities/template_conditions.rb          | 51 ++++++++++++++---
 lib/template_folders.rb                       | 14 ++++-
 spec/factories/account_groups.rb              |  8 ---
 spec/factories/partnerships.rb                |  8 +++
 spec/models/account_group_spec.rb             | 56 -------------------
 spec/models/account_spec.rb                   | 23 +-------
 .../concerns/account_group_validation_spec.rb | 38 -------------
 .../concerns/partnership_validation_spec.rb   | 15 +++++
 spec/models/partnership_spec.rb               | 40 +++++++++++++
 spec/models/user_spec.rb                      | 25 ---------
 spec/services/external_auth_service_spec.rb   | 18 +++---
 spec/services/template_service_spec.rb        | 24 ++++----
 26 files changed, 314 insertions(+), 328 deletions(-)
 delete mode 100644 app/models/account_group.rb
 delete mode 100644 app/models/concerns/account_group_validation.rb
 create mode 100644 app/models/concerns/partnership_validation.rb
 create mode 100644 app/models/partnership.rb
 create mode 100644 db/migrate/20250924174100_rename_account_groups_to_partnerships.rb
 delete mode 100644 spec/factories/account_groups.rb
 create mode 100644 spec/factories/partnerships.rb
 delete mode 100644 spec/models/account_group_spec.rb
 delete mode 100644 spec/models/concerns/account_group_validation_spec.rb
 create mode 100644 spec/models/concerns/partnership_validation_spec.rb
 create mode 100644 spec/models/partnership_spec.rb

diff --git a/app/controllers/templates_controller.rb b/app/controllers/templates_controller.rb
index f8908f27..c000263d 100644
--- a/app/controllers/templates_controller.rb
+++ b/app/controllers/templates_controller.rb
@@ -164,7 +164,7 @@ class TemplatesController < ApplicationController
     return unless authorized_clone_account_id?(params[:account_id])
 
     @template.account_id = params[:account_id]
-    @template.account_group = nil
+    @template.partnership = nil
     @template.folder = @template.account.default_template_folder if @template.account_id != current_account&.id
   end
 
diff --git a/app/models/account.rb b/app/models/account.rb
index fc9803b5..d7d3c96d 100644
--- a/app/models/account.rb
+++ b/app/models/account.rb
@@ -12,23 +12,16 @@
 #  uuid                :string           not null
 #  created_at          :datetime         not null
 #  updated_at          :datetime         not null
-#  account_group_id    :bigint
 #  external_account_id :integer
 #
 # Indexes
 #
-#  index_accounts_on_account_group_id     (account_group_id)
 #  index_accounts_on_external_account_id  (external_account_id) UNIQUE
 #  index_accounts_on_uuid                 (uuid) UNIQUE
 #
-# Foreign Keys
-#
-#  fk_rails_...  (account_group_id => account_groups.id)
-#
 class Account < ApplicationRecord
   attribute :uuid, :string, default: -> { SecureRandom.uuid }
 
-  belongs_to :account_group, optional: true
   has_many :users, dependent: :destroy
   has_many :encrypted_configs, dependent: :destroy
   has_many :account_configs, dependent: :destroy
@@ -66,9 +59,9 @@ class Account < ApplicationRecord
 
   scope :active, -> { where(archived_at: nil) }
 
-  def self.find_or_create_by_external_id(external_id, attributes = {})
+  def self.find_or_create_by_external_id(external_id, name, attributes = {})
     find_by(external_account_id: external_id) ||
-      create!(attributes.merge(external_account_id: external_id))
+      create!(attributes.merge(external_account_id: external_id, name: name))
   end
 
   def testing?
diff --git a/app/models/account_group.rb b/app/models/account_group.rb
deleted file mode 100644
index e2bde3f0..00000000
--- a/app/models/account_group.rb
+++ /dev/null
@@ -1,36 +0,0 @@
-# frozen_string_literal: true
-
-# == Schema Information
-#
-# Table name: account_groups
-#
-#  id                        :bigint           not null, primary key
-#  name                      :string           not null
-#  created_at                :datetime         not null
-#  updated_at                :datetime         not null
-#  external_account_group_id :integer          not null
-#
-# Indexes
-#
-#  index_account_groups_on_external_account_group_id  (external_account_group_id) UNIQUE
-#
-class AccountGroup < ApplicationRecord
-  has_many :accounts, dependent: :nullify
-  has_many :users, dependent: :nullify
-  has_many :templates, dependent: :destroy
-  has_many :template_folders, dependent: :destroy
-
-  validates :external_account_group_id, presence: true, uniqueness: true
-  validates :name, presence: true
-
-  def self.find_or_create_by_external_id(external_id, attributes = {})
-    find_by(external_account_group_id: external_id) ||
-      create!(attributes.merge(external_account_group_id: external_id))
-  end
-
-  def default_template_folder
-    template_folders.find_by(name: TemplateFolder::DEFAULT_NAME) ||
-      template_folders.create!(name: TemplateFolder::DEFAULT_NAME,
-                               author_id: users.minimum(:id))
-  end
-end
diff --git a/app/models/concerns/account_group_validation.rb b/app/models/concerns/account_group_validation.rb
deleted file mode 100644
index 028e03f8..00000000
--- a/app/models/concerns/account_group_validation.rb
+++ /dev/null
@@ -1,19 +0,0 @@
-# frozen_string_literal: true
-
-module AccountGroupValidation
-  extend ActiveSupport::Concern
-
-  included do
-    validate :must_belong_to_account_or_account_group
-  end
-
-  private
-
-  def must_belong_to_account_or_account_group
-    if account.blank? && account_group.blank?
-      errors.add(:base, 'Must belong to either an account or account group')
-    elsif account.present? && account_group.present?
-      errors.add(:base, 'Cannot belong to both account and account group')
-    end
-  end
-end
diff --git a/app/models/concerns/partnership_validation.rb b/app/models/concerns/partnership_validation.rb
new file mode 100644
index 00000000..915d957d
--- /dev/null
+++ b/app/models/concerns/partnership_validation.rb
@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+module PartnershipValidation
+  extend ActiveSupport::Concern
+
+  included do
+    validate :must_belong_to_account_or_partnership
+  end
+
+  private
+
+  def must_belong_to_account_or_partnership
+    if account.blank? && partnership.blank?
+      errors.add(:base, 'Must belong to either an account or partnership')
+    elsif account.present? && partnership.present?
+      errors.add(:base, 'Cannot belong to both account and partnership')
+    end
+  end
+end
diff --git a/app/models/export_location.rb b/app/models/export_location.rb
index 4090ef84..cf0c364d 100644
--- a/app/models/export_location.rb
+++ b/app/models/export_location.rb
@@ -4,17 +4,19 @@
 #
 # Table name: export_locations
 #
-#  id                   :bigint           not null, primary key
-#  api_base_url         :string           not null
-#  authorization_token  :string
-#  default_location     :boolean          default(FALSE), not null
-#  extra_params         :jsonb            not null
-#  name                 :string           not null
-#  submissions_endpoint :string
-#  templates_endpoint   :string
-#  created_at           :datetime         not null
-#  updated_at           :datetime         not null
+#  id                    :bigint           not null, primary key
+#  api_base_url          :string           not null
+#  authorization_token   :string
+#  default_location      :boolean          default(FALSE), not null
+#  extra_params          :jsonb            not null
+#  name                  :string           not null
+#  submissions_endpoint  :string
+#  templates_endpoint    :string
+#  created_at            :datetime         not null
+#  updated_at            :datetime         not null
+#  global_partnership_id :integer
 #
+# global_partnership_id is the Docuseal partnership ID associated with the export location
 class ExportLocation < ApplicationRecord
   validates :name, presence: true
   validates :api_base_url, presence: true
diff --git a/app/models/partnership.rb b/app/models/partnership.rb
new file mode 100644
index 00000000..c0591395
--- /dev/null
+++ b/app/models/partnership.rb
@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+# == Schema Information
+#
+# Table name: partnerships
+#
+#  id                      :bigint           not null, primary key
+#  name                    :string           not null
+#  created_at              :datetime         not null
+#  updated_at              :datetime         not null
+#  external_partnership_id :integer          not null
+#
+# Indexes
+#
+#  index_partnerships_on_external_partnership_id  (external_partnership_id) UNIQUE
+#
+class Partnership < ApplicationRecord
+  has_many :templates, dependent: :destroy
+  has_many :template_folders, dependent: :destroy
+
+  validates :external_partnership_id, presence: true, uniqueness: true
+  validates :name, presence: true
+
+  def self.find_or_create_by_external_id(external_id, name, attributes = {})
+    find_by(external_partnership_id: external_id) ||
+      create!(attributes.merge(external_partnership_id: external_id, name: name))
+  end
+
+  def default_template_folder(author)
+    raise ArgumentError, 'Author is required for partnership template folders' unless author
+
+    template_folders.find_by(name: TemplateFolder::DEFAULT_NAME) ||
+      template_folders.create!(name: TemplateFolder::DEFAULT_NAME,
+                               author: author)
+  end
+end
diff --git a/app/models/template.rb b/app/models/template.rb
index 34cffdba..e7399124 100644
--- a/app/models/template.rb
+++ b/app/models/template.rb
@@ -17,38 +17,38 @@
 #  submitters           :text             not null
 #  created_at           :datetime         not null
 #  updated_at           :datetime         not null
-#  account_group_id     :bigint
 #  account_id           :integer
 #  author_id            :integer          not null
 #  external_id          :string
 #  folder_id            :integer          not null
+#  partnership_id       :bigint
 #
 # Indexes
 #
-#  index_templates_on_account_group_id                 (account_group_id)
 #  index_templates_on_account_id                       (account_id)
 #  index_templates_on_account_id_and_folder_id_and_id  (account_id,folder_id,id) WHERE (archived_at IS NULL)
 #  index_templates_on_account_id_and_id_archived       (account_id,id) WHERE (archived_at IS NOT NULL)
 #  index_templates_on_author_id                        (author_id)
 #  index_templates_on_external_id                      (external_id)
 #  index_templates_on_folder_id                        (folder_id)
+#  index_templates_on_partnership_id                   (partnership_id)
 #  index_templates_on_slug                             (slug) UNIQUE
 #
 # Foreign Keys
 #
-#  fk_rails_...  (account_group_id => account_groups.id)
 #  fk_rails_...  (account_id => accounts.id)
 #  fk_rails_...  (author_id => users.id)
 #  fk_rails_...  (folder_id => template_folders.id)
+#  fk_rails_...  (partnership_id => partnerships.id)
 #
 class Template < ApplicationRecord
-  include AccountGroupValidation
+  include PartnershipValidation
 
   DEFAULT_SUBMITTER_NAME = 'Employee'
 
   belongs_to :author, class_name: 'User'
   belongs_to :account, optional: true
-  belongs_to :account_group, optional: true
+  belongs_to :partnership, optional: true
   belongs_to :folder, class_name: 'TemplateFolder'
 
   has_one :search_entry, as: :record, inverse_of: :record, dependent: :destroy
@@ -92,8 +92,8 @@ class Template < ApplicationRecord
   def maybe_set_default_folder
     if account.present?
       self.folder ||= account.default_template_folder
-    elsif account_group.present?
-      self.folder ||= account_group.default_template_folder
+    elsif partnership.present?
+      self.folder ||= partnership.default_template_folder(author)
     end
   end
 end
diff --git a/app/models/template_folder.rb b/app/models/template_folder.rb
index c06ffeed..601940ac 100644
--- a/app/models/template_folder.rb
+++ b/app/models/template_folder.rb
@@ -4,35 +4,35 @@
 #
 # Table name: template_folders
 #
-#  id               :bigint           not null, primary key
-#  archived_at      :datetime
-#  name             :string           not null
-#  created_at       :datetime         not null
-#  updated_at       :datetime         not null
-#  account_group_id :bigint
-#  account_id       :integer
-#  author_id        :integer          not null
+#  id             :bigint           not null, primary key
+#  archived_at    :datetime
+#  name           :string           not null
+#  created_at     :datetime         not null
+#  updated_at     :datetime         not null
+#  account_id     :integer
+#  author_id      :integer          not null
+#  partnership_id :bigint
 #
 # Indexes
 #
-#  index_template_folders_on_account_group_id  (account_group_id)
-#  index_template_folders_on_account_id        (account_id)
-#  index_template_folders_on_author_id         (author_id)
+#  index_template_folders_on_account_id      (account_id)
+#  index_template_folders_on_author_id       (author_id)
+#  index_template_folders_on_partnership_id  (partnership_id)
 #
 # Foreign Keys
 #
-#  fk_rails_...  (account_group_id => account_groups.id)
 #  fk_rails_...  (account_id => accounts.id)
 #  fk_rails_...  (author_id => users.id)
+#  fk_rails_...  (partnership_id => partnerships.id)
 #
 class TemplateFolder < ApplicationRecord
-  include AccountGroupValidation
+  include PartnershipValidation
 
   DEFAULT_NAME = 'Default'
 
   belongs_to :author, class_name: 'User'
   belongs_to :account, optional: true
-  belongs_to :account_group, optional: true
+  belongs_to :partnership, optional: true
 
   has_many :templates, dependent: :destroy, foreign_key: :folder_id, inverse_of: :folder
   has_many :active_templates, -> { where(archived_at: nil) },
diff --git a/app/models/user.rb b/app/models/user.rb
index 0649504b..01f0b24f 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -28,13 +28,11 @@
 #  uuid                   :string           not null
 #  created_at             :datetime         not null
 #  updated_at             :datetime         not null
-#  account_group_id       :bigint
 #  account_id             :integer
 #  external_user_id       :integer
 #
 # Indexes
 #
-#  index_users_on_account_group_id      (account_group_id)
 #  index_users_on_account_id            (account_id)
 #  index_users_on_email                 (email) UNIQUE
 #  index_users_on_external_user_id      (external_user_id) UNIQUE
@@ -44,12 +42,9 @@
 #
 # Foreign Keys
 #
-#  fk_rails_...  (account_group_id => account_groups.id)
 #  fk_rails_...  (account_id => accounts.id)
 #
 class User < ApplicationRecord
-  include AccountGroupValidation
-
   ROLES = [
     ADMIN_ROLE = 'admin'
   ].freeze
@@ -63,7 +58,6 @@ class User < ApplicationRecord
   has_one_attached :initials
 
   belongs_to :account, optional: true
-  belongs_to :account_group, optional: true
 
   has_one :access_token, dependent: :destroy
   has_many :access_tokens, dependent: :destroy
@@ -95,23 +89,11 @@ class User < ApplicationRecord
       )
   end
 
-  def self.find_or_create_by_external_group_id(account_group, external_id, attributes = {})
-    account_group.users.find_by(external_user_id: external_id) ||
-      account_group.users.create!(
-        attributes.merge(
-          external_user_id: external_id,
-          password: SecureRandom.hex(16)
-        )
-      )
-  end
-
   def access_token
     super || build_access_token.tap(&:save!)
   end
 
   def active_for_authentication?
-    return false unless account.present? || account_group.present?
-
     super && !archived_at? && !account&.archived_at?
   end
 
diff --git a/app/services/external_auth_service.rb b/app/services/external_auth_service.rb
index 569f85ca..7966b6e6 100644
--- a/app/services/external_auth_service.rb
+++ b/app/services/external_auth_service.rb
@@ -8,10 +8,10 @@ class ExternalAuthService
   def authenticate_user
     user = if @params[:account].present?
              find_or_create_user_with_account
-           elsif @params[:account_group].present?
-             find_or_create_user_with_account_group
+           elsif @params[:partnership].present?
+             find_or_create_user_with_partnership
            else
-             raise ArgumentError, 'Either account or account_group params must be provided'
+             raise ArgumentError, 'Either account or partnership params must be provided'
            end
 
     user.access_token.token
@@ -22,9 +22,11 @@ class ExternalAuthService
   def find_or_create_user_with_account
     account = Account.find_or_create_by_external_id(
       @params[:account][:external_id]&.to_i,
-      name: @params[:account][:name],
-      locale: @params[:account][:locale] || 'en-US',
-      timezone: @params[:account][:timezone] || 'UTC'
+      @params[:account][:name],
+      {
+        locale: @params[:account][:locale] || 'en-US',
+        timezone: @params[:account][:timezone] || 'UTC'
+      }
     )
 
     User.find_or_create_by_external_id(
@@ -34,16 +36,31 @@ class ExternalAuthService
     )
   end
 
-  def find_or_create_user_with_account_group
-    account_group = AccountGroup.find_or_create_by_external_id(
-      @params[:account_group][:external_id],
-      name: @params[:account_group][:name]
-    )
+  def find_or_create_user_with_partnership
+    # Ensure partnerships exist in DocuSeal before creating the user
+    # We need these partnerships to exist for templates and authorization to work
+    ensure_partnerships_exist
 
-    User.find_or_create_by_external_group_id(
-      account_group,
-      @params[:user][:external_id]&.to_i,
-      user_attributes
+    # For partnership users, we don't store any partnership relationship
+    # They get authorized via API request context (accessible_partnership_ids)
+    # Just ensure the user exists in DocuSeal for authentication
+    User.find_by(external_user_id: @params[:user][:external_id]&.to_i) ||
+      User.create!(
+        user_attributes.merge(
+          external_user_id: @params[:user][:external_id]&.to_i,
+          password: SecureRandom.hex(16)
+          # NOTE: No account_id or partnership_id - authorization comes from API context
+        )
+      )
+  end
+
+  def ensure_partnerships_exist
+    # Create the partnership if it doesn't exist in DocuSeal
+    return if @params[:partnership].blank?
+
+    Partnership.find_or_create_by_external_id(
+      @params[:partnership][:external_id],
+      @params[:partnership][:name]
     )
   end
 
diff --git a/app/services/template_service.rb b/app/services/template_service.rb
index a91b967b..32faa009 100644
--- a/app/services/template_service.rb
+++ b/app/services/template_service.rb
@@ -8,9 +8,18 @@ class TemplateService
   end
 
   def assign_ownership
-    if @user.account_group.present?
-      @template.account_group = @user.account_group
-      @template.folder = @user.account_group.default_template_folder
+    if @params[:external_partnership_id].present?
+      partnership = Partnership.find_by(external_partnership_id: @params[:external_partnership_id])
+      raise ArgumentError, "Partnership not found: #{@params[:external_partnership_id]}" unless partnership
+
+      @template.partnership = partnership
+      @template.folder = TemplateFolders.find_or_create_by_name(@user, @params[:folder_name], partnership: partnership)
+    elsif @params[:external_account_id].present?
+      account = Account.find_by(external_account_id: @params[:external_account_id])
+      raise ArgumentError, "Account not found: #{@params[:external_account_id]}" unless account
+
+      @template.account = account
+      @template.folder = TemplateFolders.find_or_create_by_name(@user, @params[:folder_name])
     elsif @user.account.present?
       @template.account = @user.account
       @template.folder = TemplateFolders.find_or_create_by_name(@user, @params[:folder_name])
diff --git a/db/migrate/20250924174100_rename_account_groups_to_partnerships.rb b/db/migrate/20250924174100_rename_account_groups_to_partnerships.rb
new file mode 100644
index 00000000..bb43cde6
--- /dev/null
+++ b/db/migrate/20250924174100_rename_account_groups_to_partnerships.rb
@@ -0,0 +1,18 @@
+class RenameAccountGroupsToPartnerships < ActiveRecord::Migration[8.0]
+  def change
+    # Rename the table
+    rename_table :account_groups, :partnerships
+
+    # Rename the foreign key columns in other tables
+    rename_column :templates, :account_group_id, :partnership_id
+    rename_column :template_folders, :account_group_id, :partnership_id
+    rename_column :export_locations, :global_account_group_id, :global_partnership_id
+
+    # Remove partnership relationships since both users and accounts use API context now
+    remove_column :users, :account_group_id, :bigint
+    remove_column :accounts, :account_group_id, :bigint
+
+    # Rename the external ID column to match new naming
+    rename_column :partnerships, :external_account_group_id, :external_partnership_id
+  end
+end
diff --git a/db/schema.rb b/db/schema.rb
index 626e9dac..427e4c40 100644
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -10,7 +10,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema[8.0].define(version: 2025_09_10_191227) do
+ActiveRecord::Schema[8.0].define(version: 2025_09_24_174100) do
   # These are extensions that must be enabled in order to support this database
   enable_extension "btree_gin"
   enable_extension "pg_catalog.plpgsql"
@@ -43,14 +43,6 @@ ActiveRecord::Schema[8.0].define(version: 2025_09_10_191227) do
     t.index ["account_id"], name: "index_account_configs_on_account_id"
   end
 
-  create_table "account_groups", force: :cascade do |t|
-    t.integer "external_account_group_id", null: false
-    t.string "name", null: false
-    t.datetime "created_at", null: false
-    t.datetime "updated_at", null: false
-    t.index ["external_account_group_id"], name: "index_account_groups_on_external_account_group_id", unique: true
-  end
-
   create_table "account_linked_accounts", force: :cascade do |t|
     t.integer "account_id", null: false
     t.integer "linked_account_id", null: false
@@ -71,8 +63,6 @@ ActiveRecord::Schema[8.0].define(version: 2025_09_10_191227) do
     t.string "uuid", null: false
     t.datetime "archived_at"
     t.integer "external_account_id"
-    t.bigint "account_group_id"
-    t.index ["account_group_id"], name: "index_accounts_on_account_group_id"
     t.index ["external_account_id"], name: "index_accounts_on_external_account_id", unique: true
     t.index ["uuid"], name: "index_accounts_on_uuid", unique: true
   end
@@ -238,6 +228,7 @@ ActiveRecord::Schema[8.0].define(version: 2025_09_10_191227) do
     t.datetime "updated_at", null: false
     t.jsonb "extra_params", default: {}, null: false
     t.string "submissions_endpoint"
+    t.integer "global_partnership_id"
   end
 
   create_table "oauth_access_grants", force: :cascade do |t|
@@ -282,6 +273,14 @@ ActiveRecord::Schema[8.0].define(version: 2025_09_10_191227) do
     t.index ["uid"], name: "index_oauth_applications_on_uid", unique: true
   end
 
+  create_table "partnerships", force: :cascade do |t|
+    t.integer "external_partnership_id", null: false
+    t.string "name", null: false
+    t.datetime "created_at", null: false
+    t.datetime "updated_at", null: false
+    t.index ["external_partnership_id"], name: "index_partnerships_on_external_partnership_id", unique: true
+  end
+
   create_table "search_entries", force: :cascade do |t|
     t.string "record_type", null: false
     t.bigint "record_id", null: false
@@ -377,10 +376,10 @@ ActiveRecord::Schema[8.0].define(version: 2025_09_10_191227) do
     t.datetime "archived_at"
     t.datetime "created_at", null: false
     t.datetime "updated_at", null: false
-    t.bigint "account_group_id"
-    t.index ["account_group_id"], name: "index_template_folders_on_account_group_id"
+    t.bigint "partnership_id"
     t.index ["account_id"], name: "index_template_folders_on_account_id"
     t.index ["author_id"], name: "index_template_folders_on_author_id"
+    t.index ["partnership_id"], name: "index_template_folders_on_partnership_id"
   end
 
   create_table "template_sharings", force: :cascade do |t|
@@ -410,14 +409,14 @@ ActiveRecord::Schema[8.0].define(version: 2025_09_10_191227) do
     t.text "preferences", null: false
     t.boolean "shared_link", default: false, null: false
     t.text "external_data_fields"
-    t.bigint "account_group_id"
-    t.index ["account_group_id"], name: "index_templates_on_account_group_id"
+    t.bigint "partnership_id"
     t.index ["account_id", "folder_id", "id"], name: "index_templates_on_account_id_and_folder_id_and_id", where: "(archived_at IS NULL)"
     t.index ["account_id", "id"], name: "index_templates_on_account_id_and_id_archived", where: "(archived_at IS NOT NULL)"
     t.index ["account_id"], name: "index_templates_on_account_id"
     t.index ["author_id"], name: "index_templates_on_author_id"
     t.index ["external_id"], name: "index_templates_on_external_id"
     t.index ["folder_id"], name: "index_templates_on_folder_id"
+    t.index ["partnership_id"], name: "index_templates_on_partnership_id"
     t.index ["slug"], name: "index_templates_on_slug", unique: true
   end
 
@@ -457,8 +456,6 @@ ActiveRecord::Schema[8.0].define(version: 2025_09_10_191227) do
     t.integer "consumed_timestep"
     t.boolean "otp_required_for_login", default: false, null: false
     t.integer "external_user_id"
-    t.bigint "account_group_id"
-    t.index ["account_group_id"], name: "index_users_on_account_group_id"
     t.index ["account_id"], name: "index_users_on_account_id"
     t.index ["email"], name: "index_users_on_email", unique: true
     t.index ["external_user_id"], name: "index_users_on_external_user_id", unique: true
@@ -484,7 +481,6 @@ ActiveRecord::Schema[8.0].define(version: 2025_09_10_191227) do
   add_foreign_key "account_configs", "accounts"
   add_foreign_key "account_linked_accounts", "accounts"
   add_foreign_key "account_linked_accounts", "accounts", column: "linked_account_id"
-  add_foreign_key "accounts", "account_groups"
   add_foreign_key "active_storage_attachments", "active_storage_blobs", column: "blob_id"
   add_foreign_key "active_storage_variant_records", "active_storage_blobs", column: "blob_id"
   add_foreign_key "document_generation_events", "submitters"
@@ -503,16 +499,15 @@ ActiveRecord::Schema[8.0].define(version: 2025_09_10_191227) do
   add_foreign_key "submissions", "users", column: "created_by_user_id"
   add_foreign_key "submitters", "submissions"
   add_foreign_key "template_accesses", "templates"
-  add_foreign_key "template_folders", "account_groups"
   add_foreign_key "template_folders", "accounts"
+  add_foreign_key "template_folders", "partnerships"
   add_foreign_key "template_folders", "users", column: "author_id"
   add_foreign_key "template_sharings", "templates"
-  add_foreign_key "templates", "account_groups"
   add_foreign_key "templates", "accounts"
+  add_foreign_key "templates", "partnerships"
   add_foreign_key "templates", "template_folders", column: "folder_id"
   add_foreign_key "templates", "users", column: "author_id"
   add_foreign_key "user_configs", "users"
-  add_foreign_key "users", "account_groups"
   add_foreign_key "users", "accounts"
   add_foreign_key "webhook_urls", "accounts"
 end
diff --git a/lib/abilities/template_conditions.rb b/lib/abilities/template_conditions.rb
index 6fa54ba1..01d965e8 100644
--- a/lib/abilities/template_conditions.rb
+++ b/lib/abilities/template_conditions.rb
@@ -4,7 +4,12 @@ module Abilities
   module TemplateConditions
     module_function
 
-    def collection(user, ability: nil)
+    def collection(user, ability: nil, request_context: nil)
+      # Handle partnership context first
+      if request_context && request_context[:accessible_partnership_ids].present?
+        return partnership_templates(request_context)
+      end
+
       if user.account_id.present?
         templates = Template.where(account_id: user.account_id)
 
@@ -15,18 +20,31 @@ module Abilities
                          .select(:template_id)
 
         Template.where(Template.arel_table[:id].in(Arel::Nodes::Union.new(templates.select(:id).arel, shared_ids.arel)))
-      elsif user.account_group_id.present?
-        Template.where(account_group_id: user.account_group_id)
       else
+        # Partnership users and accounts don't have stored relationships
+        # Authorization happens at controller level via request context
         Template.none
       end
     end
 
-    def entity(template, user:, ability: nil)
-      return true if template.account_id.blank? && template.account_group_id.blank?
+    def partnership_templates(request_context)
+      accessible_partnership_ids = request_context[:accessible_partnership_ids] || []
+
+      partnership_ids = Partnership.where(external_partnership_id: accessible_partnership_ids).pluck(:id)
+
+      Template.where(partnership_id: partnership_ids)
+    end
+
+    def entity(template, user:, ability: nil, request_context: nil)
+      return true if template.account_id.blank? && template.partnership_id.blank?
+
+      # Check request context first (from API params)
+      if request_context && request_context[:accessible_partnership_ids].present?
+        return authorize_via_partnership_context(template, request_context)
+      end
 
-      # Handle account group templates
-      return template.account_group_id == user.account_group_id if template.account_group_id.present?
+      # Handle partnership templates - users don't have stored relationships anymore
+      # This should not be reached for partnership users since they use API context
 
       # Handle regular account templates
       return true if template.account_id == user.account_id
@@ -39,5 +57,24 @@ module Abilities
         e.account_id.in?(account_ids) && (ability.nil? || e.ability == 'manage' || e.ability == ability)
       end
     end
+
+    def authorize_via_partnership_context(template, request_context)
+      accessible_partnership_ids = request_context[:accessible_partnership_ids] || []
+
+      # Handle partnership templates - check if user has access to the partnership
+      if template.partnership_id.present?
+        partnership = Partnership.find_by(id: template.partnership_id)
+        return false unless partnership
+
+        return accessible_partnership_ids.include?(partnership.external_partnership_id)
+      end
+
+      # Handle account templates - check if user has access via partnership context
+      if template.account_id.present?
+        return accessible_partnership_ids.any? && request_context[:external_account_id].present?
+      end
+
+      false
+    end
   end
 end
diff --git a/lib/template_folders.rb b/lib/template_folders.rb
index 9a3738ea..0e07c0e7 100644
--- a/lib/template_folders.rb
+++ b/lib/template_folders.rb
@@ -9,9 +9,17 @@ module TemplateFolders
     folders.where(TemplateFolder.arel_table[:name].lower.matches("%#{keyword.downcase}%"))
   end
 
-  def find_or_create_by_name(author, name)
-    return author.account.default_template_folder if name.blank? || name == TemplateFolder::DEFAULT_NAME
+  def find_or_create_by_name(author, name, partnership: nil)
+    return default_folder(author, partnership) if name.blank? || name == TemplateFolder::DEFAULT_NAME
 
-    author.account.template_folders.create_with(author:, account: author.account).find_or_create_by(name:)
+    if partnership.present?
+      partnership.template_folders.create_with(author:, partnership:).find_or_create_by(name:)
+    else
+      author.account.template_folders.create_with(author:, account: author.account).find_or_create_by(name:)
+    end
+  end
+
+  def default_folder(author, partnership)
+    partnership.present? ? partnership.default_template_folder(author) : author.account.default_template_folder
   end
 end
diff --git a/spec/factories/account_groups.rb b/spec/factories/account_groups.rb
deleted file mode 100644
index 4c34d847..00000000
--- a/spec/factories/account_groups.rb
+++ /dev/null
@@ -1,8 +0,0 @@
-# frozen_string_literal: true
-
-FactoryBot.define do
-  factory :account_group do
-    external_account_group_id { Faker::Number.unique.number(digits: 8) }
-    name { Faker::Company.name }
-  end
-end
diff --git a/spec/factories/partnerships.rb b/spec/factories/partnerships.rb
new file mode 100644
index 00000000..3c58ce6d
--- /dev/null
+++ b/spec/factories/partnerships.rb
@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+FactoryBot.define do
+  factory :partnership do
+    external_partnership_id { Faker::Number.unique.number(digits: 8) }
+    name { Faker::Company.name }
+  end
+end
diff --git a/spec/models/account_group_spec.rb b/spec/models/account_group_spec.rb
deleted file mode 100644
index bc291c26..00000000
--- a/spec/models/account_group_spec.rb
+++ /dev/null
@@ -1,56 +0,0 @@
-# frozen_string_literal: true
-
-# == Schema Information
-#
-# Table name: account_groups
-#
-#  id                        :bigint           not null, primary key
-#  name                      :string           not null
-#  created_at                :datetime         not null
-#  updated_at                :datetime         not null
-#  external_account_group_id :integer          not null
-#
-# Indexes
-#
-#  index_account_groups_on_external_account_group_id  (external_account_group_id) UNIQUE
-#
-describe AccountGroup do
-  let(:account_group) { create(:account_group) }
-
-  describe 'associations' do
-    it 'has many accounts' do
-      expect(account_group).to respond_to(:accounts)
-    end
-  end
-
-  describe 'validations' do
-    it 'validates presence of external_account_group_id' do
-      account_group = build(:account_group, external_account_group_id: nil)
-      expect(account_group).not_to be_valid
-      expect(account_group.errors[:external_account_group_id]).to include("can't be blank")
-    end
-
-    it 'validates uniqueness of external_account_group_id' do
-      create(:account_group, external_account_group_id: 123)
-      duplicate = build(:account_group, external_account_group_id: 123)
-      expect(duplicate).not_to be_valid
-      expect(duplicate.errors[:external_account_group_id]).to include('has already been taken')
-    end
-
-    it 'validates presence of name' do
-      account_group = build(:account_group, name: nil)
-      expect(account_group).not_to be_valid
-      expect(account_group.errors[:name]).to include("can't be blank")
-    end
-  end
-
-  describe 'when account group is destroyed' do
-    it 'nullifies accounts account_group_id' do
-      account = create(:account, account_group: account_group)
-
-      account_group.destroy
-
-      expect(account.reload.account_group).to be_nil
-    end
-  end
-end
diff --git a/spec/models/account_spec.rb b/spec/models/account_spec.rb
index f9986e52..20f0296a 100644
--- a/spec/models/account_spec.rb
+++ b/spec/models/account_spec.rb
@@ -12,19 +12,13 @@
 #  uuid                :string           not null
 #  created_at          :datetime         not null
 #  updated_at          :datetime         not null
-#  account_group_id    :bigint
 #  external_account_id :integer
 #
 # Indexes
 #
-#  index_accounts_on_account_group_id     (account_group_id)
 #  index_accounts_on_external_account_id  (external_account_id) UNIQUE
 #  index_accounts_on_uuid                 (uuid) UNIQUE
 #
-# Foreign Keys
-#
-#  fk_rails_...  (account_group_id => account_groups.id)
-#
 require 'rails_helper'
 
 RSpec.describe Account do
@@ -43,16 +37,16 @@ RSpec.describe Account do
 
   describe '.find_or_create_by_external_id' do
     let(:external_id) { 123 }
-    let(:attributes) { { name: 'Test Account' } }
+    let(:name) { 'Test Account' }
 
     it 'finds existing account by external_account_id' do
       existing_account = create(:account, external_account_id: external_id)
-      result = described_class.find_or_create_by_external_id(external_id, attributes)
+      result = described_class.find_or_create_by_external_id(external_id, name)
       expect(result).to eq(existing_account)
     end
 
     it 'creates new account when none exists' do
-      result = described_class.find_or_create_by_external_id(external_id, attributes)
+      result = described_class.find_or_create_by_external_id(external_id, name)
       expect(result.external_account_id).to eq(external_id)
       expect(result.name).to eq('Test Account')
     end
@@ -69,17 +63,6 @@ RSpec.describe Account do
     end
   end
 
-  describe 'account_group association' do
-    it 'belongs to account_group optionally' do
-      account = create(:account)
-      expect(account.account_group).to be_nil
-
-      account_group = create(:account_group)
-      account.update!(account_group: account_group)
-      expect(account.reload.account_group).to eq(account_group)
-    end
-  end
-
   describe '#default_template_folder' do
     it 'creates default folder when none exists' do
       account = create(:account)
diff --git a/spec/models/concerns/account_group_validation_spec.rb b/spec/models/concerns/account_group_validation_spec.rb
deleted file mode 100644
index e0d74e1d..00000000
--- a/spec/models/concerns/account_group_validation_spec.rb
+++ /dev/null
@@ -1,38 +0,0 @@
-# frozen_string_literal: true
-
-require 'rails_helper'
-
-RSpec.describe AccountGroupValidation do
-  # Test with User model since it includes the concern
-  describe 'validation' do
-    context 'with account only' do
-      it 'is valid' do
-        user = build(:user, account: create(:account), account_group: nil)
-        expect(user).to be_valid
-      end
-    end
-
-    context 'with account_group only' do
-      it 'is valid' do
-        user = build(:user, account: nil, account_group: create(:account_group))
-        expect(user).to be_valid
-      end
-    end
-
-    context 'with neither account nor account_group' do
-      it 'is invalid' do
-        user = build(:user, account: nil, account_group: nil)
-        expect(user).not_to be_valid
-        expect(user.errors[:base]).to include('Must belong to either an account or account group')
-      end
-    end
-
-    context 'with both account and account_group' do
-      it 'is invalid' do
-        user = build(:user, account: create(:account), account_group: create(:account_group))
-        expect(user).not_to be_valid
-        expect(user.errors[:base]).to include('Cannot belong to both account and account group')
-      end
-    end
-  end
-end
diff --git a/spec/models/concerns/partnership_validation_spec.rb b/spec/models/concerns/partnership_validation_spec.rb
new file mode 100644
index 00000000..4a35cec2
--- /dev/null
+++ b/spec/models/concerns/partnership_validation_spec.rb
@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe PartnershipValidation do
+  # Test with User model since it includes the concern
+  describe 'validation' do
+    context 'with account only' do
+      it 'is valid' do
+        user = build(:user, account: create(:account))
+        expect(user).to be_valid
+      end
+    end
+  end
+end
diff --git a/spec/models/partnership_spec.rb b/spec/models/partnership_spec.rb
new file mode 100644
index 00000000..00bfa3f3
--- /dev/null
+++ b/spec/models/partnership_spec.rb
@@ -0,0 +1,40 @@
+# frozen_string_literal: true
+
+# == Schema Information
+#
+# Table name: partnerships
+#
+#  id                      :bigint           not null, primary key
+#  name                    :string           not null
+#  created_at              :datetime         not null
+#  updated_at              :datetime         not null
+#  external_partnership_id :integer          not null
+#
+# Indexes
+#
+#  index_partnerships_on_external_partnership_id  (external_partnership_id) UNIQUE
+#
+describe Partnership do
+  let(:partnership) { create(:partnership) }
+
+  describe 'validations' do
+    it 'validates presence of external_partnership_id' do
+      partnership = build(:partnership, external_partnership_id: nil)
+      expect(partnership).not_to be_valid
+      expect(partnership.errors[:external_partnership_id]).to include("can't be blank")
+    end
+
+    it 'validates uniqueness of external_partnership_id' do
+      create(:partnership, external_partnership_id: 123)
+      duplicate = build(:partnership, external_partnership_id: 123)
+      expect(duplicate).not_to be_valid
+      expect(duplicate.errors[:external_partnership_id]).to include('has already been taken')
+    end
+
+    it 'validates presence of name' do
+      partnership = build(:partnership, name: nil)
+      expect(partnership).not_to be_valid
+      expect(partnership.errors[:name]).to include("can't be blank")
+    end
+  end
+end
diff --git a/spec/models/user_spec.rb b/spec/models/user_spec.rb
index 2fe25f43..cf856950 100644
--- a/spec/models/user_spec.rb
+++ b/spec/models/user_spec.rb
@@ -28,13 +28,11 @@
 #  uuid                   :string           not null
 #  created_at             :datetime         not null
 #  updated_at             :datetime         not null
-#  account_group_id       :bigint
 #  account_id             :integer
 #  external_user_id       :integer
 #
 # Indexes
 #
-#  index_users_on_account_group_id      (account_group_id)
 #  index_users_on_account_id            (account_id)
 #  index_users_on_email                 (email) UNIQUE
 #  index_users_on_external_user_id      (external_user_id) UNIQUE
@@ -44,7 +42,6 @@
 #
 # Foreign Keys
 #
-#  fk_rails_...  (account_group_id => account_groups.id)
 #  fk_rails_...  (account_id => accounts.id)
 #
 require 'rails_helper'
@@ -143,26 +140,4 @@ RSpec.describe User do
       expect(user.friendly_name).to eq('john@example.com')
     end
   end
-
-  describe '.find_or_create_by_external_group_id' do
-    let(:account_group) { create(:account_group) }
-    let(:attributes) { { email: 'test@example.com', first_name: 'John' } }
-
-    it 'finds existing user by external_user_id and account_group' do
-      existing_user = create(:user, account: nil, account_group: account_group, external_user_id: 123)
-
-      result = described_class.find_or_create_by_external_group_id(account_group, 123, attributes)
-
-      expect(result).to eq(existing_user)
-    end
-
-    it 'creates new user when not found' do
-      result = described_class.find_or_create_by_external_group_id(account_group, 456, attributes)
-
-      expect(result.account_group).to eq(account_group)
-      expect(result.external_user_id).to eq(456)
-      expect(result.email).to eq('test@example.com')
-      expect(result.password).to be_present
-    end
-  end
 end
diff --git a/spec/services/external_auth_service_spec.rb b/spec/services/external_auth_service_spec.rb
index b1422177..3141d017 100644
--- a/spec/services/external_auth_service_spec.rb
+++ b/spec/services/external_auth_service_spec.rb
@@ -16,7 +16,9 @@ RSpec.describe ExternalAuthService do
     context 'with account params' do
       let(:params) do
         {
-          account: { external_id: 456, name: 'Test Account' },
+          account: {
+            external_id: '456', name: 'Test Account', locale: 'en-US', timezone: 'UTC', entity_type: 'Account'
+          },
           user: user_params
         }
       end
@@ -39,29 +41,31 @@ RSpec.describe ExternalAuthService do
       end
     end
 
-    context 'with account_group params' do
+    context 'with partnership params' do
       let(:params) do
         {
-          account_group: { external_id: 789, name: 'Test Group' },
+          partnership: {
+            external_id: '789', name: 'Test Group', locale: 'en-US', timezone: 'UTC', entity_type: 'Partnership'
+          },
           user: user_params
         }
       end
 
-      it 'returns access token for new account_group and user' do
+      it 'returns access token for new partnership and user' do
         token = described_class.new(params).authenticate_user
 
         expect(token).to be_present
-        expect(AccountGroup.last.external_account_group_id).to eq(789)
+        expect(Partnership.last.external_partnership_id).to eq(789)
         expect(User.last.external_user_id).to eq(123)
       end
     end
 
     context 'with invalid params' do
-      it 'raises error when neither account nor account_group provided' do
+      it 'raises error when neither account nor partnership provided' do
         params = { user: user_params }
 
         expect { described_class.new(params).authenticate_user }
-          .to raise_error(ArgumentError, 'Either account or account_group params must be provided')
+          .to raise_error(ArgumentError, 'Either account or partnership params must be provided')
       end
     end
   end
diff --git a/spec/services/template_service_spec.rb b/spec/services/template_service_spec.rb
index 141ac9c5..dd0af1f4 100644
--- a/spec/services/template_service_spec.rb
+++ b/spec/services/template_service_spec.rb
@@ -4,25 +4,27 @@ require 'rails_helper'
 
 RSpec.describe TemplateService do
   describe '#assign_ownership' do
-    let(:template) { build(:template, account: nil, account_group: nil) }
+    let(:template) { build(:template, account: nil, partnership: nil) }
     let(:params) { { folder_name: 'Custom Folder' } }
 
-    context 'with account_group user' do
-      let(:account_group) { create(:account_group) }
-      let(:user) { create(:user, account: nil, account_group: account_group) }
+    context 'with partnership user' do
+      let(:partnership) { create(:partnership) }
+      let(:user) { create(:user, account: nil) }
+      let(:params) { { folder_name: 'Custom Folder', external_partnership_id: partnership.external_partnership_id } }
 
-      it 'assigns account_group and default folder' do
+      it 'assigns partnership and creates custom folder' do
         service = described_class.new(template, user, params)
         service.assign_ownership
 
-        expect(template.account_group).to eq(account_group)
-        expect(template.folder).to eq(account_group.default_template_folder)
+        expect(template.partnership).to eq(partnership)
+        expect(template.folder.name).to eq('Custom Folder')
+        expect(template.folder.partnership).to eq(partnership)
       end
     end
 
     context 'with account user' do
       let(:account) { create(:account) }
-      let(:user) { create(:user, account: account, account_group: nil) }
+      let(:user) { create(:user, account: account) }
 
       it 'assigns account and finds/creates folder' do
         service = described_class.new(template, user, params)
@@ -33,15 +35,15 @@ RSpec.describe TemplateService do
       end
     end
 
-    context 'with user having neither account nor account_group' do
-      let(:user) { build(:user, account: nil, account_group: nil) }
+    context 'with user having neither account nor partnership' do
+      let(:user) { build(:user, account: nil) }
 
       it 'does not assign ownership' do
         service = described_class.new(template, user, params)
         service.assign_ownership
 
         expect(template.account).to be_nil
-        expect(template.account_group).to be_nil
+        expect(template.partnership).to be_nil
       end
     end
   end

From f4dc26786fcf9c7fca0c5d0241f94d36e52143cd Mon Sep 17 00:00:00 2001
From: Ryan Arakawa <arakawa.ryan@gmail.com>
Date: Tue, 30 Sep 2025 17:20:50 -0500
Subject: [PATCH 2/5] Update
 20250924174100_rename_account_groups_to_partnerships.rb (#24)

---
 .../20250924174100_rename_account_groups_to_partnerships.rb   | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/db/migrate/20250924174100_rename_account_groups_to_partnerships.rb b/db/migrate/20250924174100_rename_account_groups_to_partnerships.rb
index bb43cde6..9075cec8 100644
--- a/db/migrate/20250924174100_rename_account_groups_to_partnerships.rb
+++ b/db/migrate/20250924174100_rename_account_groups_to_partnerships.rb
@@ -6,7 +6,9 @@ class RenameAccountGroupsToPartnerships < ActiveRecord::Migration[8.0]
     # Rename the foreign key columns in other tables
     rename_column :templates, :account_group_id, :partnership_id
     rename_column :template_folders, :account_group_id, :partnership_id
-    rename_column :export_locations, :global_account_group_id, :global_partnership_id
+
+    # Add global_partnership_id to export_locations
+    add_column :export_locations, :global_partnership_id, :integer
 
     # Remove partnership relationships since both users and accounts use API context now
     remove_column :users, :account_group_id, :bigint

From 741c548d269e68f5dcdafc0e6d5b010a99d541d7 Mon Sep 17 00:00:00 2001
From: Ryan Arakawa <arakawa.ryan@gmail.com>
Date: Wed, 22 Oct 2025 16:17:17 -0500
Subject: [PATCH 3/5] CP-11042 partnership features updated (#26)

* Add partnership template authorization and ability system

* Update template authorization to support partnership context
* Add request context-based authorization for API access
* Implement hybrid partnership/account authorization logic
* Add submission authorization conditions for partnerships
* Support global partnership template access

* Add template cloning services for partnership workflows

* Update template cloning to require explicit target parameters, to allow for cloning for either account or from partnership
* Add Templates::CloneToAccount service for partnership to account cloning
* Add Templates::CloneToPartnership service for global to partnership cloning
* Add logic to detect account vs partnership template cloning with validation
* Add folder assignment logic for cloned templates

* Add external authentication and partnership support

* Update ExternalAuthService to support partnership OR account authentication
* Implement user assignment to accounts when partnership context is provided
* Support pure partnership authentication without account assignment

* Update API controllers for partnership template support

* Add partnership request context to API base controller
* Update submissions controller to support partnership templates
* Add partnership template cloning to templates clone controller
* Refactor template controller webhook logic to reduce complexity
* Support external_account_id parameter for partnership workflows

* Update web controllers and views for partnership template support

* Add tests

* erb_lint fixes

* add local claude file

* shared concern for handling partnership context

* remove overly permissive case

* global templates should be available for partnerships and accounts

* pass through access context in vue

* add tests

* add partnership context and tests to submissions

* add token refresh as last resort for a corrupted token
---
 .gitignore                                    |   3 +-
 app/controllers/api/api_base_controller.rb    |   7 +-
 app/controllers/api/submissions_controller.rb |   2 +-
 .../api/templates_clone_controller.rb         |  72 +++++++-
 app/controllers/api/templates_controller.rb   |  42 ++++-
 .../api/token_refresh_controller.rb           |  31 ++++
 .../concerns/partnership_context.rb           |  21 +++
 .../template_documents_controller.rb          |   1 +
 app/controllers/templates_controller.rb       |  21 ++-
 .../templates_form_preview_controller.rb      |   5 +
 app/javascript/template_builder/builder.vue   |  60 +++++-
 app/javascript/template_builder/dropzone.vue  |   2 +-
 app/javascript/template_builder/upload.vue    |  38 +++-
 app/models/export_location.rb                 |   4 +
 app/services/external_auth_service.rb         |  49 ++++-
 app/services/token_refresh_service.rb         |  32 ++++
 app/views/submit_form/show.html.erb           |  17 +-
 .../templates_form_preview/show.html.erb      |   4 +-
 config/routes.rb                              |   6 +
 lib/abilities/submission_conditions.rb        |  88 +++++++++
 lib/abilities/template_conditions.rb          |  53 ++++--
 lib/ability.rb                                |  12 +-
 lib/submitters/form_configs.rb                |   4 +-
 lib/templates/clone.rb                        |  61 +++++-
 lib/templates/clone_to_account.rb             |  63 +++++++
 lib/templates/clone_to_partnership.rb         |  69 +++++++
 .../concerns/partnership_context_spec.rb      | 130 +++++++++++++
 spec/factories/submissions.rb                 |   3 +-
 spec/factories/templates.rb                   |  18 ++
 spec/factories/users.rb                       |   4 +
 .../abilities/submission_conditions_spec.rb   | 173 ++++++++++++++++++
 .../lib/abilities/template_conditions_spec.rb |  89 +++++++++
 spec/lib/templates/clone_spec.rb              |  68 +++++++
 spec/lib/templates/clone_to_account_spec.rb   |  66 +++++++
 .../templates/clone_to_partnership_spec.rb    | 171 +++++++++++++++++
 spec/requests/external_auth_spec.rb           |  39 ++++
 spec/requests/templates_spec.rb               |  35 ++++
 spec/services/external_auth_service_spec.rb   |  49 +++++
 spec/services/token_refresh_service_spec.rb   |  68 +++++++
 39 files changed, 1607 insertions(+), 73 deletions(-)
 create mode 100644 app/controllers/api/token_refresh_controller.rb
 create mode 100644 app/controllers/concerns/partnership_context.rb
 create mode 100644 app/services/token_refresh_service.rb
 create mode 100644 lib/abilities/submission_conditions.rb
 create mode 100644 lib/templates/clone_to_account.rb
 create mode 100644 lib/templates/clone_to_partnership.rb
 create mode 100644 spec/controllers/concerns/partnership_context_spec.rb
 create mode 100644 spec/lib/abilities/submission_conditions_spec.rb
 create mode 100644 spec/lib/abilities/template_conditions_spec.rb
 create mode 100644 spec/lib/templates/clone_spec.rb
 create mode 100644 spec/lib/templates/clone_to_account_spec.rb
 create mode 100644 spec/lib/templates/clone_to_partnership_spec.rb
 create mode 100644 spec/services/token_refresh_service_spec.rb

diff --git a/.gitignore b/.gitignore
index 012a440f..03d482a3 100644
--- a/.gitignore
+++ b/.gitignore
@@ -38,4 +38,5 @@ yarn-debug.log*
 /ee
 dump.rdb
 .aider*
-.kilocode/*
\ No newline at end of file
+.kilocode/*
+CLAUDE.local.md
diff --git a/app/controllers/api/api_base_controller.rb b/app/controllers/api/api_base_controller.rb
index 05e56eb3..07dc2def 100644
--- a/app/controllers/api/api_base_controller.rb
+++ b/app/controllers/api/api_base_controller.rb
@@ -4,6 +4,7 @@ module Api
   class ApiBaseController < ActionController::API
     include ActiveStorage::SetCurrent
     include Pagy::Backend
+    include PartnershipContext
 
     DEFAULT_LIMIT = 10
     MAX_LIMIT = 100
@@ -45,11 +46,13 @@ module Api
       return 'Not authorized' unless error.subject.respond_to?(:account_id)
 
       linked_account_record_exists =
-        if current_user.account.testing?
+        if current_user.account&.testing?
           current_user.account.linked_account_accounts.where(account_type: 'testing')
                       .exists?(account_id: error.subject.account_id)
-        else
+        elsif current_user.account
           current_user.account.testing_accounts.exists?(id: error.subject.account_id)
+        else
+          false
         end
 
       return 'Not authorized' unless linked_account_record_exists
diff --git a/app/controllers/api/submissions_controller.rb b/app/controllers/api/submissions_controller.rb
index 1bef7f4e..923d9651 100644
--- a/app/controllers/api/submissions_controller.rb
+++ b/app/controllers/api/submissions_controller.rb
@@ -187,7 +187,7 @@ module Api
     def submissions_params
       permitted_attrs = [
         :send_email, :send_sms, :bcc_completed, :completed_redirect_url, :reply_to, :go_to_last,
-        :expire_at, :name,
+        :expire_at, :name, :external_account_id,
         {
           message: %i[subject body],
           submitters: [[:send_email, :send_sms, :completed_redirect_url, :uuid, :name, :email, :role,
diff --git a/app/controllers/api/templates_clone_controller.rb b/app/controllers/api/templates_clone_controller.rb
index 2619a243..dc40b70e 100644
--- a/app/controllers/api/templates_clone_controller.rb
+++ b/app/controllers/api/templates_clone_controller.rb
@@ -5,37 +5,91 @@ module Api
     load_and_authorize_resource :template
 
     def create
+      # Handle cloning from partnership templates to specific accounts
+      if params[:external_account_id].present? && @template.partnership_id.present?
+        return clone_from_partnership_to_account
+      end
+
       authorize!(:create, @template)
 
+      cloned_template = clone_template_with_service(Templates::Clone, @template)
+      finalize_and_render_response(cloned_template)
+    end
+
+    private
+
+    def clone_from_partnership_to_account
+      cloned_template = Templates::CloneToAccount.call(
+        @template,
+        external_account_id: params[:external_account_id],
+        current_user: current_user,
+        author: current_user,
+        name: params[:name],
+        external_id: params[:external_id].presence || params[:application_key],
+        folder_name: params[:folder_name]
+      )
+
+      cloned_template.source = :api
+      finalize_and_render_response(cloned_template)
+    rescue ArgumentError => e
+      if e.message.include?('Unauthorized')
+        render json: { error: e.message }, status: :forbidden
+      elsif e.message.include?('must be a partnership template')
+        render json: { error: e.message }, status: :unprocessable_entity
+      else
+        render json: { error: e.message }, status: :bad_request
+      end
+    rescue ActiveRecord::RecordNotFound => e
+      render json: { error: e.message }, status: :not_found
+    end
+
+    def clone_template_with_service(service_class, template, **extra_args)
       ActiveRecord::Associations::Preloader.new(
-        records: [@template],
+        records: [template],
         associations: [schema_documents: :preview_images_attachments]
       ).call
 
-      cloned_template = Templates::Clone.call(
-        @template,
+      # Determine target for same-type cloning (clone to same ownership type as original)
+      target_args = if template.account_id.present?
+                      { target_account: template.account }
+                    elsif template.partnership_id.present?
+                      { target_partnership: template.partnership }
+                    else
+                      {}
+                    end
+
+      cloned_template = service_class.call(
+        template,
         author: current_user,
         name: params[:name],
         external_id: params[:external_id].presence || params[:application_key],
-        folder_name: params[:folder_name]
+        folder_name: params[:folder_name],
+        **target_args,
+        **extra_args
       )
 
       cloned_template.source = :api
+      cloned_template
+    end
 
+    def finalize_and_render_response(cloned_template)
       schema_documents = Templates::CloneAttachments.call(template: cloned_template,
                                                           original_template: @template,
                                                           documents: params[:documents])
 
       cloned_template.save!
 
-      WebhookUrls.for_account_id(cloned_template.account_id, 'template.created').each do |webhook_url|
-        SendTemplateCreatedWebhookRequestJob.perform_async('template_id' => cloned_template.id,
-                                                           'webhook_url_id' => webhook_url.id)
-      end
-
+      enqueue_webhooks(cloned_template)
       SearchEntries.enqueue_reindex(cloned_template)
 
       render json: Templates::SerializeForApi.call(cloned_template, schema_documents)
     end
+
+    def enqueue_webhooks(template)
+      WebhookUrls.for_account_id(template.account_id, 'template.created').each do |webhook_url|
+        SendTemplateCreatedWebhookRequestJob.perform_async('template_id' => template.id,
+                                                           'webhook_url_id' => webhook_url.id)
+      end
+    end
   end
 end
diff --git a/app/controllers/api/templates_controller.rb b/app/controllers/api/templates_controller.rb
index aed33d35..682e6e24 100644
--- a/app/controllers/api/templates_controller.rb
+++ b/app/controllers/api/templates_controller.rb
@@ -70,11 +70,7 @@ module Api
       @template.update!(template_params)
 
       SearchEntries.enqueue_reindex(@template)
-
-      WebhookUrls.for_account_id(@template.account_id, 'template.updated').each do |webhook_url|
-        SendTemplateUpdatedWebhookRequestJob.perform_async('template_id' => @template.id,
-                                                           'webhook_url_id' => webhook_url.id)
-      end
+      enqueue_template_updated_webhooks
 
       render json: @template.as_json(only: %i[id updated_at])
     end
@@ -151,13 +147,30 @@ module Api
 
     def build_template
       template = Template.new
-      template.account = current_account
       template.author = current_user
-      template.folder = TemplateFolders.find_or_create_by_name(current_user, params[:folder_name])
       template.name = params[:name] || 'Untitled Template'
       template.external_id = params[:external_id] if params[:external_id].present?
       template.source = :api
       template.submitters = params[:submitters] if params[:submitters].present?
+
+      # Handle partnership vs account template creation
+      if params[:external_partnership_id].present?
+        partnership = Partnership.find_by(external_partnership_id: params[:external_partnership_id])
+        if partnership.blank?
+          raise ActiveRecord::RecordNotFound, "Partnership not found: #{params[:external_partnership_id]}"
+        end
+
+        template.partnership = partnership
+        template.folder = TemplateFolders.find_or_create_by_name(
+          current_user,
+          params[:folder_name],
+          partnership: partnership
+        )
+      else
+        template.account = current_account
+        template.folder = TemplateFolders.find_or_create_by_name(current_user, params[:folder_name])
+      end
+
       template
     end
 
@@ -199,9 +212,18 @@ module Api
     end
 
     def enqueue_template_created_webhooks(template)
-      WebhookUrls.for_account_id(template.account_id, 'template.created').each do |webhook_url|
-        SendTemplateCreatedWebhookRequestJob.perform_async('template_id' => template.id,
-                                                           'webhook_url_id' => webhook_url.id)
+      enqueue_template_webhooks(template, 'template.created', SendTemplateCreatedWebhookRequestJob)
+    end
+
+    def enqueue_template_updated_webhooks
+      enqueue_template_webhooks(@template, 'template.updated', SendTemplateUpdatedWebhookRequestJob)
+    end
+
+    def enqueue_template_webhooks(template, event_type, job_class)
+      return if template.account_id.blank?
+
+      WebhookUrls.for_account_id(template.account_id, event_type).each do |webhook_url|
+        job_class.perform_async('template_id' => template.id, 'webhook_url_id' => webhook_url.id)
       end
     end
 
diff --git a/app/controllers/api/token_refresh_controller.rb b/app/controllers/api/token_refresh_controller.rb
new file mode 100644
index 00000000..13394e29
--- /dev/null
+++ b/app/controllers/api/token_refresh_controller.rb
@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+module Api
+  class TokenRefreshController < ApiBaseController
+    skip_before_action :authenticate_via_token!
+    skip_authorization_check
+
+    def create
+      service = TokenRefreshService.new(token_refresh_params)
+      new_token = service.refresh_token
+
+      if new_token
+        render json: { access_token: new_token }, status: :ok
+      else
+        render json: { error: 'Unable to refresh token. User may not exist.' }, status: :unprocessable_entity
+      end
+    rescue ArgumentError => e
+      render json: { error: e.message }, status: :bad_request
+    rescue StandardError => e
+      Rails.logger.error "Token refresh error: #{e.message}"
+      render json: { error: 'Internal server error during token refresh' }, status: :internal_server_error
+    end
+
+    private
+
+    def token_refresh_params
+      params.permit(:account, :partnership, :external_account_id, user: %i[external_id email first_name last_name])
+            .to_h.deep_symbolize_keys
+    end
+  end
+end
diff --git a/app/controllers/concerns/partnership_context.rb b/app/controllers/concerns/partnership_context.rb
new file mode 100644
index 00000000..eb3d6b8b
--- /dev/null
+++ b/app/controllers/concerns/partnership_context.rb
@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+module PartnershipContext
+  extend ActiveSupport::Concern
+
+  private
+
+  def current_ability
+    @current_ability ||= Ability.new(current_user, partnership_request_context)
+  end
+
+  def partnership_request_context
+    return nil if params[:accessible_partnership_ids].blank?
+
+    {
+      accessible_partnership_ids: Array.wrap(params[:accessible_partnership_ids]).map(&:to_i),
+      external_account_id: params[:external_account_id],
+      external_partnership_id: params[:external_partnership_id]
+    }
+  end
+end
diff --git a/app/controllers/template_documents_controller.rb b/app/controllers/template_documents_controller.rb
index 7aaa039c..207d3291 100644
--- a/app/controllers/template_documents_controller.rb
+++ b/app/controllers/template_documents_controller.rb
@@ -2,6 +2,7 @@
 
 class TemplateDocumentsController < ApplicationController
   include IframeAuthentication
+  include PartnershipContext
 
   skip_before_action :verify_authenticity_token
   skip_before_action :authenticate_via_token!
diff --git a/app/controllers/templates_controller.rb b/app/controllers/templates_controller.rb
index c000263d..b5332622 100644
--- a/app/controllers/templates_controller.rb
+++ b/app/controllers/templates_controller.rb
@@ -3,6 +3,7 @@
 class TemplatesController < ApplicationController
   include PrefillFieldsHelper
   include IframeAuthentication
+  include PartnershipContext
 
   skip_before_action :verify_authenticity_token
   skip_before_action :authenticate_via_token!, only: [:update]
@@ -51,7 +52,8 @@ class TemplatesController < ApplicationController
           methods: %i[metadata signed_uuid],
           include: { preview_images: { methods: %i[url metadata filename] } }
         ),
-        available_prefill_fields: @available_prefill_fields
+        available_prefill_fields: @available_prefill_fields,
+        partnership_context: partnership_request_context
       ).to_json
 
     render :edit, layout: 'plain'
@@ -64,9 +66,20 @@ class TemplatesController < ApplicationController
         associations: [schema_documents: :preview_images_attachments]
       ).call
 
-      @template = Templates::Clone.call(@base_template, author: current_user,
-                                                        name: params.dig(:template, :name),
-                                                        folder_name: params[:folder_name])
+      # Determine target for same-type cloning (clone to same ownership type as original)
+      target_args = if @base_template.account_id.present?
+                      { target_account: @base_template.account }
+                    elsif @base_template.partnership_id.present?
+                      { target_partnership: @base_template.partnership }
+                    else
+                      {}
+                    end
+
+      @template = Templates::Clone.call(@base_template,
+                                        author: current_user,
+                                        name: params.dig(:template, :name),
+                                        folder_name: params[:folder_name],
+                                        **target_args)
     else
       @template = Template.new(template_params) if @template.nil?
       @template.author = current_user
diff --git a/app/controllers/templates_form_preview_controller.rb b/app/controllers/templates_form_preview_controller.rb
index 5c4f23c6..642d487d 100644
--- a/app/controllers/templates_form_preview_controller.rb
+++ b/app/controllers/templates_form_preview_controller.rb
@@ -1,8 +1,13 @@
 # frozen_string_literal: true
 
 class TemplatesFormPreviewController < ApplicationController
+  include IframeAuthentication
+  include PartnershipContext
+
   layout 'form'
 
+  skip_before_action :authenticate_via_token!
+  before_action :authenticate_from_referer
   load_and_authorize_resource :template
 
   def show
diff --git a/app/javascript/template_builder/builder.vue b/app/javascript/template_builder/builder.vue
index b05f1d67..e3ecb684 100644
--- a/app/javascript/template_builder/builder.vue
+++ b/app/javascript/template_builder/builder.vue
@@ -64,7 +64,7 @@
         />
         <template v-else>
           <a
-            :href="`/templates/${template.id}/form`"
+            :href="formPreviewUrl"
             data-turbo="false"
             class="primary-button"
           >
@@ -349,7 +349,6 @@ import { IconPlus, IconUsersPlus, IconDeviceFloppy, IconChevronDown, IconEye, Ic
 import { v4 } from 'uuid'
 import { ref, computed, toRaw } from 'vue'
 import * as i18n from './i18n'
-
 export default {
   name: 'TemplateBuilder',
   components: {
@@ -690,6 +689,26 @@ export default {
       return this.template.schema.map((item) => {
         return this.template.documents.find(doc => doc.uuid === item.attachment_uuid)
       })
+    },
+    formPreviewUrl () {
+      let url = `/templates/${this.template.id}/form`
+      if (this.template.partnership_context) {
+        const params = new URLSearchParams()
+        const context = this.template.partnership_context
+        if (context.accessible_partnership_ids) {
+          context.accessible_partnership_ids.forEach(id => {
+            params.append('accessible_partnership_ids[]', id)
+          })
+        }
+        if (context.external_partnership_id) {
+          params.append('external_partnership_id', context.external_partnership_id)
+        }
+        if (context.external_account_id) {
+          params.append('external_account_id', context.external_account_id)
+        }
+        url += `?${params.toString()}`
+      }
+      return url
     }
   },
   created () {
@@ -1448,6 +1467,22 @@ export default {
 
         const formData = new FormData()
         formData.append('files[]', file)
+        
+        // Add partnership context if available
+        if (this.template.partnership_context) {
+          const context = this.template.partnership_context
+          if (context.accessible_partnership_ids) {
+            context.accessible_partnership_ids.forEach(id => {
+              formData.append('accessible_partnership_ids[]', id)
+            })
+          }
+          if (context.external_partnership_id) {
+            formData.append('external_partnership_id', context.external_partnership_id)
+          }
+          if (context.external_account_id) {
+            formData.append('external_account_id', context.external_account_id)
+          }
+        }
 
         this.baseFetch(`/templates/${this.template.id}/documents`, {
           method: 'POST',
@@ -1722,7 +1757,26 @@ export default {
 
       this.pushUndo()
 
-      return this.baseFetch(`/templates/${this.template.id}`, {
+      // Build URL with partnership context if available
+      let url = `/templates/${this.template.id}`
+      if (this.template.partnership_context) {
+        const params = new URLSearchParams()
+        const context = this.template.partnership_context
+        if (context.accessible_partnership_ids) {
+          context.accessible_partnership_ids.forEach(id => {
+            params.append('accessible_partnership_ids[]', id)
+          })
+        }
+        if (context.external_partnership_id) {
+          params.append('external_partnership_id', context.external_partnership_id)
+        }
+        if (context.external_account_id) {
+          params.append('external_account_id', context.external_account_id)
+        }
+        url += `?${params.toString()}`
+      }
+
+      return this.baseFetch(url, {
         method: 'PUT',
         body: JSON.stringify({
           template: {
diff --git a/app/javascript/template_builder/dropzone.vue b/app/javascript/template_builder/dropzone.vue
index 9031f3d1..2485bd23 100644
--- a/app/javascript/template_builder/dropzone.vue
+++ b/app/javascript/template_builder/dropzone.vue
@@ -73,7 +73,7 @@ export default {
     IconFileSymlink,
     IconFiles
   },
-  inject: ['baseFetch', 't'],
+  inject: ['baseFetch', 't', 'template'],
   props: {
     templateId: {
       type: [Number, String],
diff --git a/app/javascript/template_builder/upload.vue b/app/javascript/template_builder/upload.vue
index a502ff3e..a7882f99 100644
--- a/app/javascript/template_builder/upload.vue
+++ b/app/javascript/template_builder/upload.vue
@@ -48,7 +48,7 @@ export default {
     IconUpload,
     IconInnerShadowTop
   },
-  inject: ['baseFetch', 't'],
+  inject: ['baseFetch', 't', 'template'],
   props: {
     templateId: {
       type: [Number, String],
@@ -78,10 +78,28 @@ export default {
     async upload () {
       this.isLoading = true
 
+      const formData = new FormData(this.$refs.form)
+      
+      // Add partnership context if available
+      if (this.template?.partnership_context) {
+        const context = this.template.partnership_context
+        if (context.accessible_partnership_ids) {
+          context.accessible_partnership_ids.forEach(id => {
+            formData.append('accessible_partnership_ids[]', id)
+          })
+        }
+        if (context.external_partnership_id) {
+          formData.append('external_partnership_id', context.external_partnership_id)
+        }
+        if (context.external_account_id) {
+          formData.append('external_account_id', context.external_account_id)
+        }
+      }
+
       this.baseFetch(this.uploadUrl, {
         method: 'POST',
         headers: { Accept: 'application/json' },
-        body: new FormData(this.$refs.form)
+        body: formData
       }).then((resp) => {
         if (resp.ok) {
           resp.json().then((data) => {
@@ -95,6 +113,22 @@ export default {
               const formData = new FormData(this.$refs.form)
 
               formData.append('password', prompt(this.t('enter_pdf_password')))
+              
+              // Add partnership context if available
+              if (this.template?.partnership_context) {
+                const context = this.template.partnership_context
+                if (context.accessible_partnership_ids) {
+                  context.accessible_partnership_ids.forEach(id => {
+                    formData.append('accessible_partnership_ids[]', id)
+                  })
+                }
+                if (context.external_partnership_id) {
+                  formData.append('external_partnership_id', context.external_partnership_id)
+                }
+                if (context.external_account_id) {
+                  formData.append('external_account_id', context.external_account_id)
+                }
+              }
 
               this.baseFetch(this.uploadUrl, {
                 method: 'POST',
diff --git a/app/models/export_location.rb b/app/models/export_location.rb
index cf0c364d..808dc55a 100644
--- a/app/models/export_location.rb
+++ b/app/models/export_location.rb
@@ -24,4 +24,8 @@ class ExportLocation < ApplicationRecord
   def self.default_location
     where(default_location: true).first || ExportLocation.first
   end
+
+  def self.global_partnership_id
+    default_location&.global_partnership_id
+  end
 end
diff --git a/app/services/external_auth_service.rb b/app/services/external_auth_service.rb
index 7966b6e6..48d16c75 100644
--- a/app/services/external_auth_service.rb
+++ b/app/services/external_auth_service.rb
@@ -9,7 +9,12 @@ class ExternalAuthService
     user = if @params[:account].present?
              find_or_create_user_with_account
            elsif @params[:partnership].present?
-             find_or_create_user_with_partnership
+             # Check if account context is also provided for account-level operations
+             if @params[:external_account_id].present?
+               find_or_create_user_with_partnership_and_account
+             else
+               find_or_create_user_with_partnership
+             end
            else
              raise ArgumentError, 'Either account or partnership params must be provided'
            end
@@ -43,15 +48,18 @@ class ExternalAuthService
 
     # For partnership users, we don't store any partnership relationship
     # They get authorized via API request context (accessible_partnership_ids)
-    # Just ensure the user exists in DocuSeal for authentication
-    User.find_by(external_user_id: @params[:user][:external_id]&.to_i) ||
-      User.create!(
-        user_attributes.merge(
-          external_user_id: @params[:user][:external_id]&.to_i,
-          password: SecureRandom.hex(16)
-          # NOTE: No account_id or partnership_id - authorization comes from API context
-        )
-      )
+    find_or_create_user_by_external_id(account: nil)
+  end
+
+  def find_or_create_user_with_partnership_and_account
+    # Hybrid approach: partnership authentication with account context
+    ensure_partnerships_exist
+
+    # Find the target account by external_account_id
+    account = Account.find_by(external_account_id: @params[:external_account_id])
+    raise ArgumentError, "Account not found for external_account_id: #{@params[:external_account_id]}" unless account
+
+    find_or_create_user_by_external_id(account: account)
   end
 
   def ensure_partnerships_exist
@@ -64,6 +72,27 @@ class ExternalAuthService
     )
   end
 
+  def find_or_create_user_by_external_id(account: nil)
+    external_user_id = @params[:user][:external_id]&.to_i
+    user = User.find_by(external_user_id: external_user_id)
+
+    if user.present?
+      # If user exists and we have an account context, assign them to the account if they don't have one
+      user.update!(account: account) if account.present? && user.account_id.blank?
+      return user
+    end
+
+    # Create new user
+    create_attributes = user_attributes.merge(
+      external_user_id: external_user_id,
+      password: SecureRandom.hex(16)
+    )
+
+    create_attributes[:account] = account if account.present?
+
+    User.create!(create_attributes)
+  end
+
   def user_attributes
     {
       email: @params[:user][:email],
diff --git a/app/services/token_refresh_service.rb b/app/services/token_refresh_service.rb
new file mode 100644
index 00000000..bce8e930
--- /dev/null
+++ b/app/services/token_refresh_service.rb
@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+class TokenRefreshService
+  def initialize(params)
+    @params = params
+  end
+
+  def refresh_token
+    user = find_user
+    return nil unless user
+
+    user.access_token&.destroy
+    user.association(:access_token).reset
+    user.reload
+
+    user.create_access_token!
+    user.access_token.token
+  end
+
+  private
+
+  def find_user
+    external_user_id = @params.dig(:user, :external_id)&.to_i
+    return nil unless external_user_id
+
+    user = User.find_by(external_user_id: external_user_id)
+
+    Rails.logger.warn "Token refresh requested for non-existent user: external_id #{external_user_id}" unless user
+
+    user
+  end
+end
diff --git a/app/views/submit_form/show.html.erb b/app/views/submit_form/show.html.erb
index 69323c8f..8ec61a66 100644
--- a/app/views/submit_form/show.html.erb
+++ b/app/views/submit_form/show.html.erb
@@ -1,5 +1,5 @@
 <% content_for(:html_title, "#{@submitter.submission.name || @submitter.submission.template.name} | DocuSeal") %>
-<% content_for(:html_description, "#{@submitter.account.name} has invited you to fill and sign documents online effortlessly with a secure, fast, and user-friendly digital document signing solution.") %>
+<% content_for(:html_description, "#{@submitter.account&.name || 'You have been invited'} to fill and sign documents online effortlessly with a secure, fast, and user-friendly digital document signing solution.") %>
 <% template_fields = @submitter.submission.template_fields || @submitter.submission.template.fields %>
 <% fields_index = Templates.build_field_areas_index(template_fields) %>
 <% submitter_values = @submitter.submission.submitters.reduce({}) { |acc, sub| acc.merge(sub.values) } %>
@@ -84,14 +84,25 @@
                   <% next if field['conditions'].present? && values[field['uuid']].blank? && field['submitter_uuid'] != @submitter.uuid %>
                   <% next if field['conditions'].present? && field['submitter_uuid'] == @submitter.uuid %>
                   <% next if field.dig('preferences', 'formula').present? && field['submitter_uuid'] == @submitter.uuid %>
-                  <%= render 'submissions/value', area:, field:, attachments_index: @attachments_index, value: field.dig('preferences', 'mask').present? ? TextUtils.mask_value(value, field.dig('preferences', 'mask')) : value, locale: @submitter.account.locale, timezone: @submitter.account.timezone, submitter: submitters_index[field['submitter_uuid']], with_signature_id: @form_configs[:with_signature_id] %>
+                  <%= render 'submissions/value',
+                             area:,
+                             field:,
+                             attachments_index: @attachments_index,
+                             value: field.dig('preferences', 'mask').present? ? TextUtils.mask_value(value, field.dig('preferences', 'mask')) : value,
+                             locale: @submitter.account&.locale || 'en',
+                             timezone: @submitter.account&.timezone || 'UTC',
+                             submitter: submitters_index[field['submitter_uuid']],
+                             with_signature_id: @form_configs[:with_signature_id] %>
                 <% end %>
               </div>
             </div>
           <% end %>
         </div>
       <% end %>
-      <%= render 'shared/attribution', link_path: '/start', account: @submitter.account, with_style: false %>
+      <%# Partnership not supported %>
+      <% if @submitter.account %>
+        <%= render 'shared/attribution', link_path: '/start', account: @submitter.account, with_style: false %>
+      <% end %>
       <% if @form_configs[:policy_links].present? %>
         <div class="text-center md:text-neutral-500 md:pr-3 md:pb-3 md:text-sm md:text-left mt-2 md:mt-0 md:fixed md:bottom-0 md:right-0">
           <div class="md:max-w-[8rem] flex flex-wrap md:flex-col justify-center md:justify-start md:items-start space-x-2 md:space-x-0">
diff --git a/app/views/templates_form_preview/show.html.erb b/app/views/templates_form_preview/show.html.erb
index 6b5c49c7..59a9bc1e 100644
--- a/app/views/templates_form_preview/show.html.erb
+++ b/app/views/templates_form_preview/show.html.erb
@@ -5,7 +5,7 @@
     </div>
     <div class="flex items-center" style="margin-left: 20px; flex-shrink: 0">
       <% if @template.submitters.size > 1 %>
-        <form action="<%= template_form_path(@template) %>" method="get" class="mr-3">
+          <form action="<%= template_form_path(@template, auth_token: params[:auth_token] || session[:auth_token]) %>" method="get" class="mr-3">
           <select onchange="this.form.submit()" name="uuid" class="select base-input text-center font-normal" style="width: 180px; flex-shrink: 0;">
             <% @template.submitters.each do |submitter| %>
               <%= tag.option(value: submitter['uuid'], selected: submitter['uuid'] == @submitter.uuid) do %>
@@ -15,7 +15,7 @@
           </select>
         </form>
       <% end %>
-      <a href="<%= edit_template_path(@template) %>" class="base-button" data-turbo="false" style="flex-shrink: 0; padding: 0px 24px;">
+      <a href="<%= edit_template_path(@template, auth_token: params[:auth_token] || session[:auth_token]) %>" class="base-button" data-turbo="false" style="flex-shrink: 0; padding: 0px 24px;">
         <%= t('exit_preview') %>
       </a>
     </div>
diff --git a/config/routes.rb b/config/routes.rb
index eddde784..2ea9dc02 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -61,6 +61,12 @@ Rails.application.routes.draw do
         post :user_token
       end
     end
+
+    resources :token_refresh, only: [] do
+      collection do
+        post :create
+      end
+    end
   end
 
   resources :export, controller: 'export' do
diff --git a/lib/abilities/submission_conditions.rb b/lib/abilities/submission_conditions.rb
new file mode 100644
index 00000000..746e684d
--- /dev/null
+++ b/lib/abilities/submission_conditions.rb
@@ -0,0 +1,88 @@
+# frozen_string_literal: true
+
+module Abilities
+  # Provides authorization conditions for submission access control.
+  # Only account users can access submissions (partnership users create templates).
+  # Supports partnership inheritance and global template access patterns.
+  module SubmissionConditions
+    module_function
+
+    def collection(user, request_context: nil)
+      return [] if user.account_id.blank?
+
+      submissions_for_user(user, request_context)
+    end
+
+    def entity(submission, user:, request_context: nil)
+      # Only account users can access submissions
+      return false if user.account_id.blank?
+
+      # User can access their own account's submissions
+      return true if submission.account_id == user.account_id
+
+      if submission.template_id.present?
+        template = submission.template || Template.find_by(id: submission.template_id)
+        return false unless template
+
+        return true if user_can_access_template?(user, template, request_context)
+      end
+      false
+    end
+
+    def submissions_for_user(user, request_context = nil)
+      accessible_template_ids = accessible_template_ids(request_context)
+
+      Submission.where(
+        'submissions.account_id = ? OR submissions.template_id IN (?)',
+        user.account_id,
+        accessible_template_ids
+      )
+    end
+
+    def accessible_template_ids(request_context = nil)
+      template_ids = []
+
+      # Add templates from partnership context (if provided via API)
+      if request_context&.dig(:accessible_partnership_ids).present?
+        accessible_partnership_ids = request_context[:accessible_partnership_ids]
+        partnership_ids = Partnership.where(external_partnership_id: accessible_partnership_ids).pluck(:id)
+        template_ids += Template.where(partnership_id: partnership_ids).pluck(:id)
+      end
+
+      # Add templates from global partnership (accessible to everyone)
+      if ExportLocation.global_partnership_id.present?
+        template_ids += Template.where(partnership_id: ExportLocation.global_partnership_id).pluck(:id)
+      end
+
+      template_ids.uniq
+    end
+
+    def user_can_access_template?(user, template, request_context = nil)
+      # User can access templates from their account
+      return true if template.account_id == user.account_id
+
+      # Check partnership context access
+      return true if partnership_context_accessible?(template, request_context)
+
+      # Check global partnership access
+      return true if global_template_accessible?(template)
+
+      false
+    end
+
+    def partnership_context_accessible?(template, request_context)
+      return false if request_context&.dig(:accessible_partnership_ids).blank?
+      return false if template.partnership_id.blank?
+
+      accessible_partnership_ids = request_context[:accessible_partnership_ids]
+      accessible_partnerships = Partnership.where(external_partnership_id: accessible_partnership_ids)
+
+      accessible_partnerships.exists?(id: template.partnership_id)
+    end
+
+    def global_template_accessible?(template)
+      ExportLocation.global_partnership_id.present? &&
+        template.partnership_id == ExportLocation.global_partnership_id
+    end
+  end
+end
diff --git a/lib/abilities/template_conditions.rb b/lib/abilities/template_conditions.rb
index 01d965e8..e5490d68 100644
--- a/lib/abilities/template_conditions.rb
+++ b/lib/abilities/template_conditions.rb
@@ -13,6 +13,13 @@ module Abilities
       if user.account_id.present?
         templates = Template.where(account_id: user.account_id)
 
+        # Add global partnership templates if configured
+        if ExportLocation.global_partnership_id.present?
+          global_templates = Template.where(partnership_id: ExportLocation.global_partnership_id)
+          template_ids = templates.pluck(:id) + global_templates.pluck(:id)
+          templates = Template.where(id: template_ids.uniq)
+        end
+
         return templates unless user.account.testing?
 
         shared_ids =
@@ -32,30 +39,30 @@ module Abilities
 
       partnership_ids = Partnership.where(external_partnership_id: accessible_partnership_ids).pluck(:id)
 
-      Template.where(partnership_id: partnership_ids)
+      # Add global partnership if configured
+      partnership_ids << ExportLocation.global_partnership_id if ExportLocation.global_partnership_id.present?
+
+      Template.where(partnership_id: partnership_ids.uniq)
     end
 
     def entity(template, user:, ability: nil, request_context: nil)
       return true if template.account_id.blank? && template.partnership_id.blank?
 
       # Check request context first (from API params)
+      # If the template is a partnership template, we need to check the partnership context
       if request_context && request_context[:accessible_partnership_ids].present?
         return authorize_via_partnership_context(template, request_context)
       end
 
-      # Handle partnership templates - users don't have stored relationships anymore
-      # This should not be reached for partnership users since they use API context
-
-      # Handle regular account templates
-      return true if template.account_id == user.account_id
-      return false unless user.account&.linked_account_account
-      return false if template.template_sharings.to_a.blank?
-
-      account_ids = [user.account_id, TemplateSharing::ALL_ID]
+      # Handle partnership templates for account users (no API context)
+      if template.partnership_id.present?
+        return true if global_partnership_template?(template)
 
-      template.template_sharings.to_a.any? do |e|
-        e.account_id.in?(account_ids) && (ability.nil? || e.ability == 'manage' || e.ability == ability)
+        return false
       end
+
+      # Handle regular account templates
+      authorize_account_template(template, user, ability)
     end
 
     def authorize_via_partnership_context(template, request_context)
@@ -63,10 +70,12 @@ module Abilities
 
       # Handle partnership templates - check if user has access to the partnership
       if template.partnership_id.present?
+        return true if global_partnership_template?(template)
+
         partnership = Partnership.find_by(id: template.partnership_id)
         return false unless partnership
 
-        return accessible_partnership_ids.include?(partnership.external_partnership_id)
+        return accessible_partnership_ids.include?(partnership.external_partnership_id.to_i)
       end
 
       # Handle account templates - check if user has access via partnership context
@@ -76,5 +85,23 @@ module Abilities
 
       false
     end
+
+    def authorize_account_template(template, user, ability)
+      return true if template.account_id == user.account_id
+      return false unless user.account&.linked_account_account
+      return false if template.template_sharings.to_a.blank?
+
+      account_ids = [user.account_id, TemplateSharing::ALL_ID]
+
+      template.template_sharings.to_a.any? do |sharing|
+        sharing.account_id.in?(account_ids) &&
+          (ability.nil? || sharing.ability == 'manage' || sharing.ability == ability)
+      end
+    end
+
+    def global_partnership_template?(template)
+      ExportLocation.global_partnership_id.present? &&
+        template.partnership_id == ExportLocation.global_partnership_id
+    end
   end
 end
diff --git a/lib/ability.rb b/lib/ability.rb
index a721e089..3a75bd42 100644
--- a/lib/ability.rb
+++ b/lib/ability.rb
@@ -3,9 +3,15 @@
 class Ability
   include CanCan::Ability
 
-  def initialize(user)
-    can %i[read create update], Template, Abilities::TemplateConditions.collection(user) do |template|
-      Abilities::TemplateConditions.entity(template, user:, ability: 'manage')
+  def initialize(user, request_context = nil)
+    can %i[read create update], Template,
+        Abilities::TemplateConditions.collection(user, request_context: request_context) do |template|
+      Abilities::TemplateConditions.entity(
+        template,
+        user: user,
+        ability: 'manage',
+        request_context: request_context
+      )
     end
 
     can :destroy, Template, account_id: user.account_id
diff --git a/lib/submitters/form_configs.rb b/lib/submitters/form_configs.rb
index 9c1fa06f..cb7efaac 100644
--- a/lib/submitters/form_configs.rb
+++ b/lib/submitters/form_configs.rb
@@ -18,7 +18,9 @@ module Submitters
     module_function
 
     def call(submitter, keys = [])
-      configs = submitter.submission.account.account_configs.where(key: DEFAULT_KEYS + keys)
+      # Allow empty config keys for partnership users
+      account = submitter.submission.account
+      configs = account&.account_configs&.where(key: DEFAULT_KEYS + keys) || []
 
       completed_button = find_safe_value(configs, AccountConfig::FORM_COMPLETED_BUTTON_KEY) || {}
       completed_message = find_safe_value(configs, AccountConfig::FORM_COMPLETED_MESSAGE_KEY) || {}
diff --git a/lib/templates/clone.rb b/lib/templates/clone.rb
index e4b5fc60..73d1f8de 100644
--- a/lib/templates/clone.rb
+++ b/lib/templates/clone.rb
@@ -5,19 +5,31 @@ module Templates
     module_function
 
     # rubocop:disable Metrics, Style/CombinableLoops
-    def call(original_template, author:, external_id: nil, name: nil, folder_name: nil)
-      template = original_template.account.templates.new
+    def call(original_template, author:, external_id: nil, name: nil, folder_name: nil,
+             target_account: nil, target_partnership: nil)
+      # Determine the target for the cloned template
+      template = Template.new
+
+      if target_account.present?
+        template.assign_attributes(account: target_account, partnership: nil)
+      elsif target_partnership.present?
+        template.assign_attributes(partnership: target_partnership, account: nil)
+      else
+        raise ArgumentError, 'Either target_account or target_partnership must be provided'
+      end
 
       template.external_id = external_id
       template.shared_link = original_template.shared_link
       template.author = author
       template.name = name.presence || "#{original_template.name} (#{I18n.t('clone')})"
 
-      if folder_name.present?
-        template.folder = TemplateFolders.find_or_create_by_name(author, folder_name)
-      else
-        template.folder_id = original_template.folder_id
-      end
+      template.folder = determine_template_folder(
+        original_template,
+        target_account,
+        target_partnership,
+        author,
+        folder_name
+      )
 
       template.submitters, template.fields, template.schema, template.preferences =
         update_submitters_and_fields_and_schema(original_template.submitters.deep_dup,
@@ -99,6 +111,41 @@ module Templates
 
       [cloned_submitters, cloned_fields, cloned_schema, cloned_preferences]
     end
+
+    def determine_template_folder(original_template, target_account, target_partnership, author, folder_name)
+      if folder_name.present?
+        create_named_folder(author, folder_name, target_partnership)
+      elsif cloning_between_account_and_partnership?(original_template, target_account, target_partnership)
+        create_default_folder_for_target(target_account, target_partnership, author)
+      else
+        return nil if original_template.folder_id.blank?
+
+        original_template.folder || original_template.folder_id
+      end
+    end
+
+    def create_named_folder(author, folder_name, target_partnership)
+      if target_partnership.present?
+        TemplateFolders.find_or_create_by_name(author, folder_name, partnership: target_partnership)
+      else
+        TemplateFolders.find_or_create_by_name(author, folder_name)
+      end
+    end
+
+    def cloning_between_account_and_partnership?(original_template, target_account, target_partnership)
+      # When cloning across entity types (partnership → account or account → partnership),
+      # we need to create default folders since folder structures don't transfer
+      (target_account.present? && original_template.partnership.present?) ||
+        (target_partnership.present? && original_template.account.present?)
+    end
+
+    def create_default_folder_for_target(target_account, target_partnership, author)
+      if target_partnership.present?
+        target_partnership.default_template_folder(author)
+      else
+        target_account.default_template_folder
+      end
+    end
     # rubocop:enable Metrics, Style/CombinableLoops
   end
 end
diff --git a/lib/templates/clone_to_account.rb b/lib/templates/clone_to_account.rb
new file mode 100644
index 00000000..0f53435d
--- /dev/null
+++ b/lib/templates/clone_to_account.rb
@@ -0,0 +1,63 @@
+# frozen_string_literal: true
+
+module Templates
+  module CloneToAccount
+    module_function
+
+    # Clone a partnership template to a specific account
+    # Supports both direct target_account and external_account_id with authorization
+    def call(original_template, author:, target_account: nil, external_account_id: nil, current_user: nil,
+             external_id: nil, name: nil, folder_name: nil)
+      validation_result = validate_inputs(original_template, target_account, external_account_id, current_user)
+      raise validation_result[:error_class], validation_result[:message] if validation_result[:error]
+
+      resolved_target_account = validation_result[:target_account]
+
+      template = Templates::Clone.call(
+        original_template,
+        author: author,
+        external_id: external_id,
+        name: name,
+        folder_name: folder_name,
+        target_account: resolved_target_account
+      )
+
+      # Clear template_accesses since partnership templates shouldn't copy user accesses
+      template.template_accesses.clear
+
+      template
+    end
+
+    def validate_inputs(original_template, target_account, external_account_id, current_user)
+      # Check template type
+      if original_template.partnership_id.blank?
+        return { error: true, error_class: ArgumentError, message: 'Template must be a partnership template' }
+      end
+
+      # Resolve target account
+      if target_account.present?
+        { error: false, target_account: target_account }
+      elsif external_account_id.present?
+        unless current_user
+          return { error: true, error_class: ArgumentError,
+                   message: 'current_user required when using external_account_id' }
+        end
+
+        account = Account.find_by(external_account_id: external_account_id)
+        return { error: true, error_class: ActiveRecord::RecordNotFound, message: 'Account not found' } unless account
+
+        unless current_user.account_id == account.id
+          return { error: true, error_class: ArgumentError, message: 'Unauthorized access to target account' }
+        end
+
+        { error: false, target_account: account }
+      else
+        {
+          error: true,
+          error_class: ArgumentError,
+          message: 'Either target_account or external_account_id must be provided'
+        }
+      end
+    end
+  end
+end
diff --git a/lib/templates/clone_to_partnership.rb b/lib/templates/clone_to_partnership.rb
new file mode 100644
index 00000000..376b3d2b
--- /dev/null
+++ b/lib/templates/clone_to_partnership.rb
@@ -0,0 +1,69 @@
+# frozen_string_literal: true
+
+module Templates
+  module CloneToPartnership
+    module_function
+
+    # Clone a global partnership template to a specific partnership
+    # Supports both direct target_partnership and external_partnership_id with authorization
+    def call(original_template, author:, target_partnership: nil, external_partnership_id: nil, current_user: nil,
+             external_id: nil, name: nil, folder_name: nil)
+      validation_result = validate_inputs(original_template, target_partnership, external_partnership_id, current_user)
+      raise validation_result[:error_class], validation_result[:message] if validation_result[:error]
+
+      resolved_target_partnership = validation_result[:target_partnership]
+
+      template = Templates::Clone.call(
+        original_template,
+        author: author,
+        external_id: external_id,
+        name: name,
+        folder_name: folder_name,
+        target_partnership: resolved_target_partnership
+      )
+
+      # Clear template_accesses since global partnership templates shouldn't copy user accesses
+      template.template_accesses.clear
+
+      template
+    end
+
+    def validate_inputs(original_template, target_partnership, external_partnership_id, current_user)
+      # Check template type - must be global partnership template
+      unless original_template.partnership_id.present? &&
+             ExportLocation.global_partnership_id.present? &&
+             original_template.partnership_id == ExportLocation.global_partnership_id
+        return { error: true, error_class: ArgumentError, message: 'Template must be a global partnership template' }
+      end
+
+      # Resolve target partnership
+      if target_partnership.present?
+        { error: false, target_partnership: target_partnership }
+      elsif external_partnership_id.present?
+        unless current_user
+          return { error: true, error_class: ArgumentError,
+                   message: 'current_user required when using external_partnership_id' }
+        end
+
+        partnership = Partnership.find_by(external_partnership_id: external_partnership_id)
+        unless partnership
+          return {
+            error: true,
+            error_class: ActiveRecord::RecordNotFound,
+            message: 'Partnership not found'
+          }
+        end
+
+        # For partnership cloning, we need to verify via API context since users don't have stored relationships
+        # This is a simplified check - in practice, you'd verify via request context
+        { error: false, target_partnership: partnership }
+      else
+        {
+          error: true,
+          error_class: ArgumentError,
+          message: 'Either target_partnership or external_partnership_id must be provided'
+        }
+      end
+    end
+  end
+end
diff --git a/spec/controllers/concerns/partnership_context_spec.rb b/spec/controllers/concerns/partnership_context_spec.rb
new file mode 100644
index 00000000..37d1b9e5
--- /dev/null
+++ b/spec/controllers/concerns/partnership_context_spec.rb
@@ -0,0 +1,130 @@
+# frozen_string_literal: true
+
+describe PartnershipContext do
+  # Create a test class that includes the concern
+  let(:test_class) do
+    Class.new do
+      include PartnershipContext
+
+      attr_accessor :params, :current_user
+
+      def initialize(params = {}, user = nil)
+        @params = params
+        @current_user = user
+      end
+    end
+  end
+
+  let(:test_instance) { test_class.new(params) }
+
+  describe '#partnership_request_context' do
+    context 'when no partnership parameters are provided' do
+      let(:params) { {} }
+
+      it 'returns nil' do
+        expect(test_instance.send(:partnership_request_context)).to be_nil
+      end
+    end
+
+    context 'when accessible_partnership_ids is blank' do
+      let(:params) { { accessible_partnership_ids: [] } }
+
+      it 'returns nil' do
+        expect(test_instance.send(:partnership_request_context)).to be_nil
+      end
+    end
+
+    context 'when accessible_partnership_ids is nil' do
+      let(:params) { { accessible_partnership_ids: nil } }
+
+      it 'returns nil' do
+        expect(test_instance.send(:partnership_request_context)).to be_nil
+      end
+    end
+
+    context 'when partnership parameters are provided' do
+      let(:params) do
+        {
+          accessible_partnership_ids: %w[123 456],
+          external_account_id: 'ext-account-123',
+          external_partnership_id: 'ext-partnership-456'
+        }
+      end
+
+      it 'returns formatted partnership context' do
+        expected_context = {
+          accessible_partnership_ids: [123, 456],
+          external_account_id: 'ext-account-123',
+          external_partnership_id: 'ext-partnership-456'
+        }
+
+        expect(test_instance.send(:partnership_request_context)).to eq(expected_context)
+      end
+
+      it 'converts accessible_partnership_ids to integers' do
+        result = test_instance.send(:partnership_request_context)
+        expect(result[:accessible_partnership_ids]).to eq([123, 456])
+        expect(result[:accessible_partnership_ids]).to all(be_an(Integer))
+      end
+    end
+
+    context 'when only some parameters are provided' do
+      let(:params) do
+        {
+          accessible_partnership_ids: ['123'],
+          external_account_id: 'ext-account-123'
+        }
+      end
+
+      it 'includes only provided parameters' do
+        expected_context = {
+          accessible_partnership_ids: [123],
+          external_account_id: 'ext-account-123',
+          external_partnership_id: nil
+        }
+
+        expect(test_instance.send(:partnership_request_context)).to eq(expected_context)
+      end
+    end
+
+    context 'with string numbers' do
+      let(:params) { { accessible_partnership_ids: %w[123 456] } }
+
+      it 'converts string numbers to integers' do
+        result = test_instance.send(:partnership_request_context)
+        expect(result[:accessible_partnership_ids]).to eq([123, 456])
+      end
+    end
+  end
+
+  describe '#current_ability' do
+    let(:user) { create(:user) }
+    let(:partnership_context) do
+      {
+        accessible_partnership_ids: [123],
+        external_account_id: 'ext-account-123',
+        external_partnership_id: 'ext-partnership-456'
+      }
+    end
+    let(:test_instance) { test_class.new({}, user) }
+
+    before do
+      allow(test_instance).to receive(:partnership_request_context).and_return(partnership_context)
+    end
+
+    it 'creates ability with partnership context' do
+      allow(Ability).to receive(:new).and_call_original
+      test_instance.send(:current_ability)
+      expect(Ability).to have_received(:new).with(user, partnership_context)
+    end
+
+    it 'memoizes the ability instance' do
+      allow(Ability).to receive(:new).and_call_original
+
+      test_instance.send(:current_ability)
+      test_instance.send(:current_ability) # Should use cached version
+
+      expect(Ability).to have_received(:new).once
+    end
+  end
+end
diff --git a/spec/factories/submissions.rb b/spec/factories/submissions.rb
index ea59021e..57547fb8 100644
--- a/spec/factories/submissions.rb
+++ b/spec/factories/submissions.rb
@@ -6,7 +6,8 @@ FactoryBot.define do
     created_by_user factory: %i[user]
 
     before(:create) do |submission, _|
-      submission.account_id = submission.template.account_id
+      # Set account_id from template if not already set
+      submission.account_id ||= submission.template.account_id
       submission.template_fields = submission.template.fields
       submission.template_schema = submission.template.schema
       submission.template_submitters = submission.template.submitters
diff --git a/spec/factories/templates.rb b/spec/factories/templates.rb
index 428500c7..d7b568b4 100644
--- a/spec/factories/templates.rb
+++ b/spec/factories/templates.rb
@@ -357,5 +357,23 @@ FactoryBot.define do
         create(:template_access, template:, user: ev.private_access_user || template.author)
       end
     end
+
+    trait :partnership_template do
+      account { nil }
+
+      transient do
+        partnership { nil }
+      end
+
+      partnership_id do |template|
+        if template.partnership
+          template.partnership.id
+        else
+          create(:partnership).id
+        end
+      end
+
+      author { create(:user, :with_partnership) }
+    end
   end
 end
diff --git a/spec/factories/users.rb b/spec/factories/users.rb
index 007f8a50..f8d0af52 100644
--- a/spec/factories/users.rb
+++ b/spec/factories/users.rb
@@ -8,5 +8,9 @@ FactoryBot.define do
     password { 'password' }
     role { User::ADMIN_ROLE }
     email { Faker::Internet.email }
+
+    trait :with_partnership do
+      account { nil }
+    end
   end
 end
diff --git a/spec/lib/abilities/submission_conditions_spec.rb b/spec/lib/abilities/submission_conditions_spec.rb
new file mode 100644
index 00000000..2dd392a3
--- /dev/null
+++ b/spec/lib/abilities/submission_conditions_spec.rb
@@ -0,0 +1,173 @@
+# frozen_string_literal: true
+
+describe Abilities::SubmissionConditions do
+  describe '.collection' do
+    context 'when user has no account_id' do
+      let(:user) { build(:user, account_id: nil) }
+
+      it 'returns empty array' do
+        result = described_class.collection(user)
+        expect(result).to eq([])
+      end
+    end
+
+    context 'when user has account_id' do
+      let(:account) { create(:account) }
+      let(:user) { create(:user, account: account) }
+
+      it 'returns submissions for the user account' do
+        # Create submissions for this account
+        template = create(:template, account: account, author: user)
+        submission1 = create(:submission, template: template)
+        submission2 = create(:submission, template: template)
+
+        # Create submission for different account (should not be included)
+        other_account = create(:account)
+        other_user = create(:user, account: other_account)
+        other_template = create(:template, account: other_account, author: other_user)
+        create(:submission, template: other_template)
+
+        result = described_class.collection(user)
+        expect(result).to include(submission1, submission2)
+        expect(result.count).to eq(2)
+      end
+
+      context 'with global partnership templates' do
+        let(:partnership) { create(:partnership) }
+
+        before do
+          allow(ExportLocation).to receive(:global_partnership_id).and_return(partnership.id)
+        end
+
+        it 'includes submissions from global partnership templates' do
+          # Create account submission
+          account_template = create(:template, account: account, author: user)
+          account_submission = create(:submission, template: account_template)
+
+          # Create global partnership submission
+          partnership_template = create(:template, :partnership_template, partnership: partnership)
+          partnership_submission = create(:submission, template: partnership_template, account: account)
+
+          result = described_class.collection(user)
+          expect(result).to include(account_submission, partnership_submission)
+        end
+      end
+
+      context 'with partnership context' do
+        let(:partnership) { create(:partnership, external_partnership_id: 123) }
+
+        it 'includes submissions from accessible partnership templates' do
+          # Create account submission
+          account_template = create(:template, account: account, author: user)
+          account_submission = create(:submission, template: account_template)
+
+          # Create partnership submission
+          partnership_template = create(:template, :partnership_template, partnership: partnership)
+          partnership_submission = create(:submission, template: partnership_template, account: account)
+
+          request_context = { accessible_partnership_ids: [123] }
+          result = described_class.collection(user, request_context: request_context)
+
+          expect(result).to include(account_submission, partnership_submission)
+        end
+      end
+    end
+  end
+
+  describe '.entity' do
+    let(:account) { create(:account) }
+    let(:user) { create(:user, account: account) }
+
+    context 'with account submission' do
+      let(:template) { create(:template, account: account, author: user) }
+      let(:submission) { create(:submission, template: template) }
+
+      it 'allows access for account owner' do
+        result = described_class.entity(submission, user: user)
+        expect(result).to be true
+      end
+    end
+
+    context 'with different account submission' do
+      let(:other_account) { create(:account) }
+      let(:other_user) { create(:user, account: other_account) }
+      let(:template) { create(:template, account: other_account, author: other_user) }
+      let(:submission) { create(:submission, template: template) }
+
+      it 'denies access for different account user' do
+        result = described_class.entity(submission, user: user)
+        expect(result).to be false
+      end
+    end
+
+    context 'with global partnership submission' do
+      let(:partnership) { create(:partnership) }
+      let(:template) { create(:template, :partnership_template, partnership: partnership) }
+      let(:other_account) { create(:account) }
+      let(:submission) { create(:submission, template: template, account: other_account) }
+
+      context 'when global partnership' do
+        before do
+          allow(ExportLocation).to receive(:global_partnership_id).and_return(partnership.id)
+        end
+
+        it 'allows access to global partnership submissions' do
+          result = described_class.entity(submission, user: user)
+          expect(result).to be true
+        end
+      end
+
+      context 'when not global partnership' do
+        before do
+          allow(ExportLocation).to receive(:global_partnership_id).and_return(nil)
+        end
+
+        it 'denies access to non-global partnership submissions' do
+          result = described_class.entity(submission, user: user)
+          expect(result).to be false
+        end
+      end
+    end
+
+    context 'with partnership context submission' do
+      let(:partnership) { create(:partnership, external_partnership_id: 456) }
+      let(:template) { create(:template, :partnership_template, partnership: partnership) }
+      let(:other_account) { create(:account) }
+      let(:submission) { create(:submission, template: template, account: other_account) }
+
+      it 'allows access via partnership context' do
+        request_context = { accessible_partnership_ids: [456] }
+        result = described_class.entity(submission, user: user, request_context: request_context)
+        expect(result).to be true
+      end
+
+      it 'denies access without partnership context' do
+        result = described_class.entity(submission, user: user)
+        expect(result).to be false
+      end
+
+      it 'handles integer comparison in partnership context' do
+        partnership = create(:partnership, external_partnership_id: 789)
+        template = create(:template, :partnership_template, partnership: partnership)
+        submission = create(:submission, template: template, account: other_account)
+
+        # accessible_partnership_ids are converted to integers by PartnershipContext concern
+        request_context = { accessible_partnership_ids: [789] }
+        result = described_class.entity(submission, user: user, request_context: request_context)
+        expect(result).to be true
+      end
+    end
+
+    context 'with user without account' do
+      let(:template_author) { create(:user, account: account) }
+      let(:user) { build(:user, account_id: nil) }
+      let(:template) { create(:template, account: account, author: template_author) }
+      let(:submission) { create(:submission, template: template) }
+
+      it 'denies access' do
+        result = described_class.entity(submission, user: user)
+        expect(result).to be false
+      end
+    end
+  end
+end
diff --git a/spec/lib/abilities/template_conditions_spec.rb b/spec/lib/abilities/template_conditions_spec.rb
new file mode 100644
index 00000000..2533c098
--- /dev/null
+++ b/spec/lib/abilities/template_conditions_spec.rb
@@ -0,0 +1,89 @@
+# frozen_string_literal: true
+
+describe Abilities::TemplateConditions do
+  describe '.entity' do
+    context 'when using partnership templates' do
+      let(:partnership) { build(:partnership, id: 1, external_partnership_id: 'test-123') }
+      let(:template) { build(:template, partnership_id: 1, account_id: nil) }
+
+      it 'denies access for users without access tokens' do
+        user = build(:user, account_id: nil)
+        allow(user).to receive(:access_token).and_return(nil)
+        allow(ExportLocation).to receive(:global_partnership_id).and_return(nil)
+
+        result = described_class.entity(template, user: user)
+        expect(result).to be false
+      end
+
+      it 'allows access via partnership context' do
+        partnership = create(:partnership)
+        template = build(:template, partnership: partnership, account_id: nil)
+        user = build(:user, account_id: nil)
+        allow(ExportLocation).to receive(:global_partnership_id).and_return(nil)
+
+        request_context = { accessible_partnership_ids: [partnership.external_partnership_id] }
+        result = described_class.entity(template, user: user, request_context: request_context)
+
+        expect(result).to be true
+      end
+
+      it 'handles integer comparison in partnership context' do
+        partnership = create(:partnership, external_partnership_id: 123)
+        template = build(:template, partnership: partnership, account_id: nil)
+        user = build(:user, account_id: nil)
+        allow(ExportLocation).to receive(:global_partnership_id).and_return(nil)
+
+        # accessible_partnership_ids are converted to integers by PartnershipContext concern
+        request_context = { accessible_partnership_ids: [123] }
+        result = described_class.entity(template, user: user, request_context: request_context)
+        expect(result).to be true
+      end
+
+      it 'allows global partnership templates' do
+        user = build(:user, account_id: 1)
+        allow(ExportLocation).to receive(:global_partnership_id).and_return(1)
+
+        result = described_class.entity(template, user: user)
+        expect(result).to be true
+      end
+    end
+
+    context 'when using account templates' do
+      let(:template) { build(:template, account_id: 1, partnership_id: nil) }
+
+      it 'allows access for account owners' do
+        user = build(:user, account_id: 1)
+        result = described_class.entity(template, user: user)
+        expect(result).to be true
+      end
+
+      it 'denies access for different account users' do
+        user = build(:user, account_id: 2)
+        account = instance_double(Account, linked_account_account: nil)
+        allow(user).to receive(:account).and_return(account)
+
+        result = described_class.entity(template, user: user)
+        expect(result).to be false
+      end
+
+      it 'allows access via partnership context with external_account_id' do
+        user = build(:user, account_id: nil)
+        request_context = {
+          accessible_partnership_ids: ['test-123'],
+          external_account_id: 'ext-123'
+        }
+
+        result = described_class.entity(template, user: user, request_context: request_context)
+        expect(result).to be true
+      end
+    end
+
+    it 'allows unowned templates' do
+      template = build(:template, account_id: nil, partnership_id: nil)
+      user = build(:user)
+
+      result = described_class.entity(template, user: user)
+      expect(result).to be true
+    end
+  end
+end
diff --git a/spec/lib/templates/clone_spec.rb b/spec/lib/templates/clone_spec.rb
new file mode 100644
index 00000000..c813547f
--- /dev/null
+++ b/spec/lib/templates/clone_spec.rb
@@ -0,0 +1,68 @@
+# frozen_string_literal: true
+
+describe Templates::Clone do
+  describe '.call' do
+    let(:author) { build(:user, id: 1) }
+    let(:original_template) do
+      build(
+        :template,
+        id: 1,
+        name: 'Original',
+        submitters: [],
+        fields: [],
+        schema: [],
+        preferences: {}
+      )
+    end
+
+    it 'requires either target_account or target_partnership' do
+      expect do
+        described_class.call(original_template, author: author)
+      end.to raise_error(ArgumentError, 'Either target_account or target_partnership must be provided')
+    end
+
+    it 'creates template with target_account' do
+      target_account = build(:account, id: 2)
+
+      result = described_class.call(original_template, author: author, target_account: target_account)
+
+      expect(result).to be_a(Template)
+      expect(result.account).to eq(target_account)
+      expect(result.partnership).to be_nil
+      expect(result.author).to eq(author)
+    end
+
+    it 'creates template with target_partnership' do
+      target_partnership = create(:partnership)
+
+      result = described_class.call(original_template, author: author, target_partnership: target_partnership)
+
+      expect(result).to be_a(Template)
+      expect(result.partnership).to eq(target_partnership)
+      expect(result.account).to be_nil
+      expect(result.author).to eq(author)
+    end
+
+    it 'sets custom name when provided' do
+      target_account = build(:account, id: 2)
+
+      result = described_class.call(
+        original_template,
+        author: author,
+        target_account: target_account,
+        name: 'Custom Name'
+      )
+
+      expect(result.name).to eq('Custom Name')
+    end
+
+    it 'generates default clone name when no name provided' do
+      target_account = build(:account, id: 2)
+      allow(I18n).to receive(:t).with('clone').and_return('Clone')
+
+      result = described_class.call(original_template, author: author, target_account: target_account)
+
+      expect(result.name).to eq('Original (Clone)')
+    end
+  end
+end
diff --git a/spec/lib/templates/clone_to_account_spec.rb b/spec/lib/templates/clone_to_account_spec.rb
new file mode 100644
index 00000000..a7c45cda
--- /dev/null
+++ b/spec/lib/templates/clone_to_account_spec.rb
@@ -0,0 +1,66 @@
+# frozen_string_literal: true
+
+describe Templates::CloneToAccount do
+  let(:author) { build(:user, id: 1) }
+
+  describe '.call' do
+    context 'with partnership template' do
+      let(:partnership_template) { build(:template, id: 1, partnership_id: 2, account_id: nil) }
+      let(:target_account) { build(:account, id: 3) }
+
+      it 'clones partnership template to account' do
+        allow(Templates::Clone).to receive(:call).and_return(build(:template))
+
+        result = described_class.call(partnership_template, author: author, target_account: target_account)
+
+        expect(Templates::Clone).to have_received(:call).with(
+          partnership_template,
+          author: author,
+          external_id: nil,
+          name: nil,
+          folder_name: nil,
+          target_account: target_account
+        )
+        expect(result.template_accesses).to be_empty
+      end
+
+      it 'validates partnership template requirement' do
+        account_template = build(:template, partnership_id: nil, account_id: 1)
+
+        expect do
+          described_class.call(account_template, author: author, target_account: target_account)
+        end.to raise_error(ArgumentError, 'Template must be a partnership template')
+      end
+    end
+
+    context 'with external_account_id' do
+      let(:partnership_template) { build(:template, partnership_id: 2, account_id: nil) }
+      let(:current_user) { build(:user, account_id: 3) }
+      let(:target_account) { build(:account, id: 3, external_account_id: 'ext-123') }
+
+      it 'finds account by external_account_id' do
+        allow(Account).to receive(:find_by).with(external_account_id: 'ext-123').and_return(target_account)
+        allow(Templates::Clone).to receive(:call).and_return(build(:template))
+
+        described_class.call(partnership_template,
+                             author: author,
+                             external_account_id: 'ext-123',
+                             current_user: current_user)
+
+        expect(Account).to have_received(:find_by).with(external_account_id: 'ext-123')
+      end
+
+      it 'validates user authorization' do
+        other_user = build(:user, account_id: 999)
+        allow(Account).to receive(:find_by).and_return(target_account)
+
+        expect do
+          described_class.call(partnership_template,
+                               author: author,
+                               external_account_id: 'ext-123',
+                               current_user: other_user)
+        end.to raise_error(ArgumentError, 'Unauthorized access to target account')
+      end
+    end
+  end
+end
diff --git a/spec/lib/templates/clone_to_partnership_spec.rb b/spec/lib/templates/clone_to_partnership_spec.rb
new file mode 100644
index 00000000..f1433d37
--- /dev/null
+++ b/spec/lib/templates/clone_to_partnership_spec.rb
@@ -0,0 +1,171 @@
+# frozen_string_literal: true
+
+describe Templates::CloneToPartnership do
+  let(:account) { create(:account) }
+  let(:partnership) { create(:partnership) }
+  let(:global_partnership) { create(:partnership) }
+  let(:user) { create(:user, account: account) }
+
+  before do
+    allow(ExportLocation).to receive(:global_partnership_id).and_return(global_partnership.id)
+  end
+
+  describe '.call' do
+    context 'with global partnership template' do
+      let(:template) do
+        create(:template, :partnership_template, partnership: global_partnership, name: 'Original Template')
+      end
+
+      it 'clones template to partnership' do
+        result = described_class.call(template, author: user, target_partnership: partnership)
+
+        expect(result).to be_a(Template)
+        expect(result.partnership_id).to eq(partnership.id)
+        expect(result.account_id).to be_nil
+        expect(result.name).to eq('Original Template (Clone)')
+        expect(result.id).not_to eq(template.id)
+      end
+
+      it 'copies template attributes' do
+        template.update!(
+          preferences: { 'test' => 'value' },
+          external_data_fields: { 'field' => 'data' }
+        )
+
+        result = described_class.call(template, author: user, target_partnership: partnership)
+
+        expect(result.preferences).to eq(template.preferences)
+        expect(result.external_data_fields).to eq({})
+      end
+
+      it 'copies submitters' do
+        # Add a submitter to the template's submitters array
+        submitter_uuid = SecureRandom.uuid
+        template.submitters = [{
+          'uuid' => submitter_uuid,
+          'name' => 'Test Submitter'
+        }]
+        template.save!
+
+        result = described_class.call(template, author: user, target_partnership: partnership)
+
+        expect(result.submitters.count).to eq(1)
+        expect(result.submitters.first['name']).to eq('Test Submitter')
+        expect(result.submitters.first['uuid']).not_to eq(submitter_uuid)
+      end
+
+      it 'copies fields' do
+        # Add a field to the template's fields array
+        field_uuid = SecureRandom.uuid
+        template.fields = [{
+          'uuid' => field_uuid,
+          'name' => 'Test Field',
+          'type' => 'text',
+          'required' => true
+        }]
+        template.save!
+
+        result = described_class.call(template, author: user, target_partnership: partnership)
+
+        expect(result.fields.count).to eq(1)
+        expect(result.fields.first['name']).to eq('Test Field')
+        expect(result.fields.first['uuid']).not_to eq(field_uuid)
+      end
+    end
+
+    context 'with partnership template' do
+      let(:template) do
+        create(:template, :partnership_template, partnership: global_partnership, name: 'Partnership Template')
+      end
+
+      it 'clones template to different partnership' do
+        result = described_class.call(template, author: user, target_partnership: partnership)
+
+        expect(result.partnership_id).to eq(partnership.id)
+        expect(result.partnership_id).not_to eq(global_partnership.id)
+        expect(result.account_id).to be_nil
+        expect(result.name).to eq('Partnership Template (Clone)')
+      end
+    end
+
+    context 'with external_id' do
+      let(:template) do
+        create(:template, :partnership_template, partnership: global_partnership, name: 'Global Template')
+      end
+
+      it 'sets external_id when provided' do
+        result = described_class.call(template, author: user, target_partnership: partnership,
+                                                external_id: 'custom-123')
+
+        expect(result.external_id).to eq('custom-123')
+      end
+
+      it 'does not set external_id when not provided' do
+        result = described_class.call(template, author: user, target_partnership: partnership)
+
+        expect(result.external_id).to be_nil
+      end
+    end
+
+    context 'with author' do
+      let(:template) do
+        create(:template, :partnership_template, partnership: global_partnership, name: 'Global Template')
+      end
+
+      it 'sets author when provided' do
+        result = described_class.call(template, author: user, target_partnership: partnership)
+
+        expect(result.author).to eq(user)
+      end
+
+      it 'uses provided author' do
+        original_author = create(:user, :with_partnership)
+        template.update!(author: original_author)
+
+        result = described_class.call(template, author: user, target_partnership: partnership)
+
+        expect(result.author).to eq(user)
+      end
+    end
+
+    context 'when handling errors' do
+      let(:template) do
+        create(:template, :partnership_template, partnership: global_partnership, name: 'Global Template')
+      end
+
+      it 'raises error if partnership is nil' do
+        expect do
+          described_class.call(template, author: user, target_partnership: nil)
+        end.to raise_error(ArgumentError)
+      end
+    end
+
+    context 'with complex template structure' do
+      let(:template) do
+        create(:template, :partnership_template, partnership: global_partnership, name: 'Global Template')
+      end
+
+      before do
+        # Create a complex template with multiple submitters and fields
+        template.submitters = [
+          { 'uuid' => SecureRandom.uuid, 'name' => 'Submitter 1' },
+          { 'uuid' => SecureRandom.uuid, 'name' => 'Submitter 2' }
+        ]
+        template.fields = [
+          { 'uuid' => SecureRandom.uuid, 'name' => 'Field 1', 'type' => 'text' },
+          { 'uuid' => SecureRandom.uuid, 'name' => 'Field 2', 'type' => 'signature' }
+        ]
+        template.save!
+      end
+
+      it 'clones all components correctly' do
+        result = described_class.call(template, author: user, target_partnership: partnership)
+
+        expect(result.submitters.count).to eq(2)
+        expect(result.fields.count).to eq(2)
+        expect(result.submitters.pluck('name')).to contain_exactly('Submitter 1', 'Submitter 2')
+        expect(result.fields.pluck('name')).to contain_exactly('Field 1', 'Field 2')
+      end
+    end
+  end
+end
diff --git a/spec/requests/external_auth_spec.rb b/spec/requests/external_auth_spec.rb
index 34a8e5eb..8bd4bffa 100644
--- a/spec/requests/external_auth_spec.rb
+++ b/spec/requests/external_auth_spec.rb
@@ -32,5 +32,44 @@ describe 'External Auth API' do
       expect(response).to have_http_status(:internal_server_error)
       expect(response.parsed_body).to eq({ 'error' => 'Internal server error' })
     end
+
+    context 'when partnership authentication is used' do
+      let(:partnership_params) do
+        {
+          partnership: { external_id: 'partnership-123', name: 'Test Partnership' },
+          user: { external_id: '456', email: 'test@example.com', first_name: 'John', last_name: 'Doe' }
+        }
+      end
+
+      it 'creates user without account for pure partnership auth' do
+        post '/api/external_auth/user_token', params: partnership_params, as: :json
+
+        expect(response).to have_http_status(:ok)
+        expect(response.parsed_body).to have_key('access_token')
+
+        user = User.find_by(external_user_id: 456)
+        expect(user.account_id).to be_nil
+      end
+
+      it 'creates user with account for hybrid partnership+account auth' do
+        account = create(:account, external_account_id: 789)
+        hybrid_params = partnership_params.merge(external_account_id: 789)
+
+        post '/api/external_auth/user_token', params: hybrid_params, as: :json
+
+        expect(response).to have_http_status(:ok)
+
+        user = User.find_by(external_user_id: 456)
+        expect(user.account_id).to eq(account.id)
+      end
+
+      it 'returns error when account not found' do
+        hybrid_params = partnership_params.merge(external_account_id: 999)
+
+        post '/api/external_auth/user_token', params: hybrid_params, as: :json
+
+        expect(response).to have_http_status(:internal_server_error)
+      end
+    end
   end
 end
diff --git a/spec/requests/templates_spec.rb b/spec/requests/templates_spec.rb
index a6df983e..7d7f03b1 100644
--- a/spec/requests/templates_spec.rb
+++ b/spec/requests/templates_spec.rb
@@ -173,6 +173,41 @@ describe 'Templates API' do
       expect(cloned_template.external_id).to eq('123456')
       expect(response.parsed_body).to eq(JSON.parse(clone_template_body(cloned_template).to_json))
     end
+
+    context 'when cloning a template' do
+      it 'preserves partnership ownership' do
+        global_partnership = create(:partnership)
+        allow(ExportLocation).to receive(:global_partnership_id).and_return(global_partnership.id)
+
+        partnership_template = create(
+          :template,
+          partnership: global_partnership,
+          account: nil, author: create(:user, account: nil)
+        )
+
+        expect do
+          post "/api/templates/#{partnership_template.id}/clone",
+               headers: { 'x-auth-token': partnership_template.author.access_token.token }
+        end.to change(Template, :count)
+
+        cloned_template = Template.last
+        expect(cloned_template.partnership_id).to eq(partnership_template.partnership_id)
+        expect(cloned_template.account_id).to be_nil
+      end
+
+      it 'preserves account ownership' do
+        account_template = create(:template, account: account, author: author)
+
+        expect do
+          post "/api/templates/#{account_template.id}/clone",
+               headers: { 'x-auth-token': author.access_token.token }
+        end.to change(Template, :count)
+
+        cloned_template = Template.last
+        expect(cloned_template.account_id).to eq(account.id)
+        expect(cloned_template.partnership_id).to be_nil
+      end
+    end
   end
 
   private
diff --git a/spec/services/external_auth_service_spec.rb b/spec/services/external_auth_service_spec.rb
index 3141d017..638fd97b 100644
--- a/spec/services/external_auth_service_spec.rb
+++ b/spec/services/external_auth_service_spec.rb
@@ -58,6 +58,55 @@ RSpec.describe ExternalAuthService do
         expect(Partnership.last.external_partnership_id).to eq(789)
         expect(User.last.external_user_id).to eq(123)
       end
+
+      it 'returns access token for existing partnership and user' do
+        user = create(:user, account: nil, external_user_id: 123)
+
+        token = described_class.new(params).authenticate_user
+
+        expect(token).to eq(user.access_token.token)
+      end
+    end
+
+    context 'with partnership and account params' do
+      let(:params) do
+        {
+          partnership: {
+            external_id: '789', name: 'Test Group', locale: 'en-US', timezone: 'UTC', entity_type: 'Partnership'
+          },
+          external_account_id: '456',
+          user: user_params
+        }
+      end
+
+      it 'creates partnership user with account context' do
+        account = create(:account, external_account_id: 456)
+
+        token = described_class.new(params).authenticate_user
+
+        expect(token).to be_present
+        expect(Partnership.last.external_partnership_id).to eq(789)
+        expect(User.last.external_user_id).to eq(123)
+        expect(User.last.account_id).to eq(account.id)
+      end
+
+      it 'finds existing partnership user with account context' do
+        create(:account, external_account_id: 456)
+        user = create(:user, account: nil, external_user_id: 123)
+
+        token = described_class.new(params).authenticate_user
+
+        expect(token).to eq(user.access_token.token)
+        expect(User.count).to eq(1)
+      end
+
+      it 'handles external_account_id for account-level operations' do
+        account = create(:account, external_account_id: 456)
+        token = described_class.new(params).authenticate_user
+
+        expect(token).to be_present
+        expect(User.last.account_id).to eq(account.id)
+      end
     end
 
     context 'with invalid params' do
diff --git a/spec/services/token_refresh_service_spec.rb b/spec/services/token_refresh_service_spec.rb
new file mode 100644
index 00000000..cf30d5ee
--- /dev/null
+++ b/spec/services/token_refresh_service_spec.rb
@@ -0,0 +1,68 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe TokenRefreshService do
+  describe '#refresh_token' do
+    let(:user_params) do
+      {
+        user: {
+          external_id: 123,
+          email: 'test@example.com',
+          first_name: 'John',
+          last_name: 'Doe'
+        }
+      }
+    end
+
+    context 'when user exists' do
+      let!(:user) { create(:user, external_user_id: 123) }
+
+      it 'destroys existing token and creates new one' do
+        original_token = user.access_token.token
+        original_token_id = user.access_token.id
+
+        new_token = described_class.new(user_params).refresh_token
+
+        expect(new_token).to be_present
+        expect(new_token).not_to eq(original_token)
+
+        # Verify the original access token was actually destroyed
+        expect(AccessToken.find_by(id: original_token_id)).to be_nil
+
+        # Verify user has a new access token
+        user.reload
+        expect(user.access_token).to be_present
+        expect(user.access_token.token).to eq(new_token)
+        expect(user.access_token.id).not_to eq(original_token_id)
+      end
+
+      it 'handles user without existing access token' do
+        user.access_token.destroy
+
+        new_token = described_class.new(user_params).refresh_token
+
+        expect(new_token).to be_present
+        expect(user.reload.access_token).to be_present
+      end
+    end
+
+    context 'when user does not exist' do
+      it 'returns nil' do
+        result = described_class.new(user_params).refresh_token
+
+        expect(result).to be_nil
+      end
+    end
+
+    context 'with invalid params' do
+      it 'returns nil when external_id is missing' do
+        invalid_params = { user: { email: 'test@example.com' } }
+
+        result = described_class.new(invalid_params).refresh_token
+
+        expect(result).to be_nil
+      end
+    end
+  end
+end

From 5cf66205a5d7ce8790446ded52c8eca9be4e7c56 Mon Sep 17 00:00:00 2001
From: Ryan Arakawa <arakawa.ryan@gmail.com>
Date: Thu, 23 Oct 2025 15:03:46 -0500
Subject: [PATCH 4/5] CP-11414 skip search indexing for partnership templates
 (#27)

* skip search indexing for partnership templates

* added a guard clause to prevent search indexing of templates without an account_id, specifically for partnership templates. This avoids unnecessary indexing since search is not currently used for partnerships.

* add search entry spec
---
 lib/search_entries.rb           |  5 ++++
 spec/lib/search_entries_spec.rb | 47 +++++++++++++++++++++++++++++++++
 2 files changed, 52 insertions(+)
 create mode 100644 spec/lib/search_entries_spec.rb

diff --git a/lib/search_entries.rb b/lib/search_entries.rb
index 5281dbf3..65fc4d1c 100644
--- a/lib/search_entries.rb
+++ b/lib/search_entries.rb
@@ -180,6 +180,11 @@ module SearchEntries
   end
 
   def index_template(template)
+    # Skip search indexing for partnership templates since they don't belong to accounts
+    # We currently don't utilize search, so this can be implemented later for partnerships
+    # if that changes.
+    return if template.account_id.blank?
+
     sql = SearchEntry.sanitize_sql_array(
       ["SELECT to_tsvector(:text), to_tsvector('simple', :text)",
        { text: TextUtils.transliterate(template.name.to_s.downcase).delete("\0") }]
diff --git a/spec/lib/search_entries_spec.rb b/spec/lib/search_entries_spec.rb
new file mode 100644
index 00000000..21b27ea0
--- /dev/null
+++ b/spec/lib/search_entries_spec.rb
@@ -0,0 +1,47 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe SearchEntries do
+  describe '.index_template' do
+    context 'with partnership template' do
+      let(:partnership) { create(:partnership) }
+      let(:template) do
+        create(:template, :partnership_template, partnership: partnership, name: 'Partnership Template')
+      end
+
+      it 'skips search indexing for partnership templates' do
+        result = described_class.index_template(template)
+
+        expect(result).to be_nil
+        expect(template.reload.search_entry).to be_nil
+      end
+
+      it 'does not raise error when account_id is blank' do
+        expect { described_class.index_template(template) }.not_to raise_error
+      end
+
+      it 'logs the reason for skipping partnership templates' do
+        # Verify the early return works as expected
+        expect(template.account_id).to be_nil
+        expect(template.partnership_id).to be_present
+
+        result = described_class.index_template(template)
+        expect(result).to be_nil
+      end
+    end
+
+    context 'with account template' do
+      let(:account) { create(:account) }
+      let(:user) { create(:user, account: account) }
+      let(:template) { create(:template, account: account, author: user, name: 'Test Template') }
+
+      it 'processes account templates normally' do
+        expect(template.account_id).to be_present
+        expect(template.partnership_id).to be_nil
+
+        expect { described_class.index_template(template) }.not_to raise_error(ArgumentError, /account_id.blank?/)
+      end
+    end
+  end
+end

From b3cdcdfb51ea62e440555b8d7257b7d503e9f93e Mon Sep 17 00:00:00 2001
From: Ryan Arakawa <arakawa.ryan@gmail.com>
Date: Fri, 24 Oct 2025 12:59:46 -0500
Subject: [PATCH 5/5] CP-10364 hide unnecessary buttons (#28)

* remove unused buttons

* remove "Resubmit" button and Docuseal logo/header in iframe

* remove template name in preview

* fix line length

* allow there to be no header

* fixed failing tests expecting header
* we don't typically want the header rendered in the iframe

* fix erb_lint violation
---
 .../concerns/iframe_authentication.rb         |  4 +-
 app/javascript/elements/scroll_buttons.js     |  1 +
 app/javascript/submission_form/completed.vue  | 41 -------------------
 app/views/submissions/show.html.erb           | 10 +----
 app/views/submit_form/_docuseal_logo.html.erb |  3 --
 app/views/submit_form/completed.html.erb      | 30 --------------
 app/views/submit_form/show.html.erb           | 37 -----------------
 .../templates_form_preview/show.html.erb      | 14 +++----
 8 files changed, 12 insertions(+), 128 deletions(-)

diff --git a/app/controllers/concerns/iframe_authentication.rb b/app/controllers/concerns/iframe_authentication.rb
index 0683b361..ea767ec1 100644
--- a/app/controllers/concerns/iframe_authentication.rb
+++ b/app/controllers/concerns/iframe_authentication.rb
@@ -31,7 +31,9 @@ module IframeAuthentication
       return
     end
 
-    Rails.logger.error "#{self.class.name}: Authentication failed"
+    Rails.logger.error "#{self.class.name}: Authentication failed - no token found. " \
+                       "Params: #{params.keys}, Session has token: #{session[:auth_token].present?}, " \
+                       "Referer: #{request.referer}"
     render json: { error: 'Authentication required' }, status: :unauthorized
   end
 end
diff --git a/app/javascript/elements/scroll_buttons.js b/app/javascript/elements/scroll_buttons.js
index 6525adf9..567829f7 100644
--- a/app/javascript/elements/scroll_buttons.js
+++ b/app/javascript/elements/scroll_buttons.js
@@ -36,6 +36,7 @@ export default class extends HTMLElement {
   }
 
   isHeaderNotVisible () {
+    if (!this.header) return true
     const rect = this.header.getBoundingClientRect()
     return rect.bottom <= 0 || rect.top >= window.innerHeight
   }
diff --git a/app/javascript/submission_form/completed.vue b/app/javascript/submission_form/completed.vue
index 43228f63..c33fd570 100644
--- a/app/javascript/submission_form/completed.vue
+++ b/app/javascript/submission_form/completed.vue
@@ -33,36 +33,6 @@
           {{ completedButton.title || 'Back to Website' }}
         </span>
       </a>
-      <button
-        v-if="canSendEmail && !isDemo && withSendCopyButton"
-        class="white-button !h-auto flex items-center space-x-1 w-full completed-form-send-copy-button"
-        :disabled="isSendingCopy"
-        @click.prevent="sendCopyToEmail"
-      >
-        <IconInnerShadowTop
-          v-if="isSendingCopy"
-          class="animate-spin"
-        />
-        <IconMail v-else />
-        <span>
-          {{ t('send_copy_via_email') }}
-        </span>
-      </button>
-      <button
-        v-if="!isWebView && withDownloadButton"
-        class="base-button flex items-center space-x-1 w-full completed-form-download-button"
-        :disabled="isDownloading"
-        @click.prevent="download"
-      >
-        <IconInnerShadowTop
-          v-if="isDownloading"
-          class="animate-spin"
-        />
-        <IconDownload v-else />
-        <span>
-          {{ t('download') }}
-        </span>
-      </button>
       <a
         v-if="isDemo"
         target="_blank"
@@ -85,17 +55,6 @@
         </span>
       </a>
     </div>
-    <div
-      v-if="attribution"
-      class="text-center mt-4"
-    >
-      {{ t('powered_by') }}
-      <a
-        href="https://www.docuseal.com/start"
-        target="_blank"
-        class="underline"
-      >DocuSeal</a> - {{ t('open_source_documents_software') }}
-    </div>
   </div>
 </template>
 
diff --git a/app/views/submissions/show.html.erb b/app/views/submissions/show.html.erb
index 122521b6..308dc3c2 100644
--- a/app/views/submissions/show.html.erb
+++ b/app/views/submissions/show.html.erb
@@ -4,10 +4,7 @@
 <% with_signature_id, is_combined_enabled = AccountConfig.where(account_id: @submission.account_id, key: [AccountConfig::COMBINE_PDF_RESULT_KEY, AccountConfig::WITH_SIGNATURE_ID], value: true).then { |configs| [configs.any? { |e| e.key == AccountConfig::WITH_SIGNATURE_ID }, configs.any? { |e| e.key == AccountConfig::COMBINE_PDF_RESULT_KEY }] } %>
 <div style="max-width: 1600px" class="mx-auto pl-4">
   <div class="flex justify-between py-1.5 items-center pr-4 sticky top-0 md:relative z-10 bg-base-100">
-    <a href="<%= signed_in? && @submission.account_id == current_account&.id && @submission.template ? template_path(@submission.template) : '/' %>" class="flex items-center space-x-3 py-1">
-      <span><%= render 'submissions/logo' %></span>
-      <span class="text-xl md:text-3xl font-semibold focus:text-clip" style="overflow: hidden; display: -webkit-box; -webkit-box-orient: vertical; -webkit-line-clamp: 2;"><% (@submission.name || @submission.template.name).split(/(_)/).each do |item| %><%= item %><wbr><% end %></span>
-    </a>
+    <div></div>
     <div class="space-x-3 flex items-center">
       <% last_submitter = @submission.submitters.to_a.select(&:completed_at?).max_by(&:completed_at) %>
       <% is_all_completed = @submission.submitters.to_a.all?(&:completed_at?) %>
@@ -230,11 +227,6 @@
                 </a>
               </div>
             <% end %>
-            <% if signed_in? && submitter && submitter.completed_at? && submitter.email == current_user.email && submitter.completed_at > 1.month.ago && can?(:update, @submission) %>
-              <div class="mt-2 mb-1">
-                <%= button_to t('resubmit'), submitters_resubmit_path(submitter), method: :put, class: 'btn btn-sm btn-primary w-full', form: { target: '_blank' }, data: { turbo: false } %>
-              </div>
-            <% end %>
             <% if signed_in? && submitter && submitter.completed_at? && !submitter.declined_at? && !submitter.changes_requested_at? && current_user == @submission.template.author %>
               <div class="mt-2 mb-1">
                 <%= link_to 'Request Changes', request_changes_submitter_path(submitter.slug),
diff --git a/app/views/submit_form/_docuseal_logo.html.erb b/app/views/submit_form/_docuseal_logo.html.erb
index 3f3ac923..e69de29b 100644
--- a/app/views/submit_form/_docuseal_logo.html.erb
+++ b/app/views/submit_form/_docuseal_logo.html.erb
@@ -1,3 +0,0 @@
-<a href="<%= root_path %>" class="mx-auto text-2xl md:text-3xl font-bold items-center flex space-x-3">
-  <span><%= Docuseal.product_name %></span>
-</a>
diff --git a/app/views/submit_form/completed.html.erb b/app/views/submit_form/completed.html.erb
index 8fde2c79..be5ee7cf 100644
--- a/app/views/submit_form/completed.html.erb
+++ b/app/views/submit_form/completed.html.erb
@@ -16,36 +16,6 @@
       </div>
     </div>
     <div>
-      <% if (Docuseal.multitenant? || Accounts.can_send_emails?(@submitter.account)) && @submitter.email.present? %>
-        <toggle-submit>
-          <%= button_to button_title(title: t('send_copy_to_email'), disabled_with: t('sending'), icon: svg_icon('mail_forward', class: 'w-6 h-6')), send_submission_email_index_path, params: { submitter_slug: @submitter.slug }, class: 'white-button w-full' %>
-        </toggle-submit>
-        <% if Templates.filter_undefined_submitters(@submitter.submission.template_submitters).size != 1 %>
-          <div class="divider uppercase"><%= t('or') %></div>
-        <% else %>
-          <div class="py-2"></div>
-        <% end %>
-      <% end %>
-      <% if @submitter.completed_at > 30.minutes.ago || (current_user && current_user.account.submitters.exists?(id: @submitter.id)) %>
-        <download-button data-src="<%= submitter_download_index_path(@submitter.slug) %>" class="base-button w-full">
-          <span class="flex items-center justify-center space-x-2" data-target="download-button.defaultButton">
-            <%= svg_icon('download', class: 'w-6 h-6') %>
-            <span><%= t('download_documents') %></span>
-          </span>
-          <span class="flex items-center justify-center space-x-2 hidden" data-target="download-button.loadingButton">
-            <%= svg_icon('loader', class: 'w-6 h-6 animate-spin') %>
-            <span><%= t('downloading') %></span>
-          </span>
-        </download-button>
-      <% end %>
     </div>
-    <% undefined_submitters = Templates.filter_undefined_submitters(@submitter.submission.template_submitters) %>
-    <% if undefined_submitters.size == 1 && undefined_submitters.first['uuid'] == @submitter.uuid && %w[api embed].exclude?(@submitter.submission.source) && @submitter.account.account_configs.find_or_initialize_by(key: AccountConfig::ALLOW_TO_RESUBMIT).value != false && @submitter.template && !@submitter.template.archived_at? %>
-      <div class="divider uppercase"><%= t('or') %></div>
-      <toggle-submit class="block">
-        <%= button_to button_title(title: t('resubmit'), disabled_with: t('resubmit'), icon: svg_icon('reload', class: 'w-6 h-6')), resubmit_form_path, params: { resubmit: @submitter.slug }, method: :put, class: 'white-button w-full' %>
-      </toggle-submit>
-    <% end %>
   </div>
 </div>
-<%= render 'shared/attribution', link_path: '/start', account: @submitter.account %>
diff --git a/app/views/submit_form/show.html.erb b/app/views/submit_form/show.html.erb
index 8ec61a66..c9e7d340 100644
--- a/app/views/submit_form/show.html.erb
+++ b/app/views/submit_form/show.html.erb
@@ -14,44 +14,7 @@
       <%# flex block w-full sticky top-0 z-50 space-x-2 items-center bg-yellow-100 p-2 border-y border-yellow-200 transition-transform duration-300 %>
       <%= local_assigns[:banner_html] || capture do %>
         <%= render('submit_form/banner') %>
-        <div id="signing_form_header" class="sticky min-[1230px]:static top-0 z-50 bg-base-100 py-2 px-2 flex items-center md:-mx-[8px]" style="margin-bottom: -16px">
-          <div class="text-xl md:text-2xl font-medium focus:text-clip" style="width: 100%; overflow: hidden; text-overflow: ellipsis; white-space: nowrap;">
-            <%= @submitter.submission.name || @submitter.submission.template.name %>
-          </div>
-          <div class="flex items-center space-x-2" style="margin-left: 20px; flex-shrink: 0">
-            <% if @form_configs[:with_decline] %>
-              <% decline_modal_checkbox_uuid = SecureRandom.uuid %>
-              <div>
-                <%= render 'shared/html_modal', title: t(:decline), btn_text: t(:decline), btn_class: 'btn btn-sm !px-5', button_id: 'decline_button', uuid: decline_modal_checkbox_uuid do %>
-                  <%= render 'submit_form/decline_form', submitter: @submitter %>
-                <% end %>
-              </div>
-            <% end %>
-            <% if @form_configs[:with_partial_download] %>
-              <download-button data-src="<%= submit_form_download_index_path(@submitter.slug) %>" class="btn btn-neutral text-white btn-sm !px-4">
-                <span class="flex items-center justify-center" data-target="download-button.defaultButton">
-                  <%= svg_icon('download', class: 'w-6 h-6 inline md:hidden') %>
-                  <span class="hidden md:inline"><%= t('download') %></span>
-                </span>
-                <span class="flex items-center justify-center space-x-2 hidden" data-target="download-button.loadingButton">
-                  <%= svg_icon('loader', class: 'w-6 h-6 animate-spin') %>
-                  <span class="hidden md:inline"><%= t('downloading') %></span>
-                </span>
-              </download-button>
-            <% end %>
-          </div>
-        </div>
         <scroll-buttons class="fixed right-5 top-2 hidden md:flex gap-1 z-50 ease-in-out opacity-0 -translate-y-10">
-          <% if @form_configs[:with_decline] %>
-            <label id="decline_button" for="<%= decline_modal_checkbox_uuid %>" class="btn btn-sm px-0">
-              <span class="min-[1366px]:inline hidden px-3">
-                <%= t(:decline) %>
-              </span>
-              <span class="inline min-[1366px]:hidden px-2">
-                <%= svg_icon('x', class: 'w-5 h-5') %>
-              </span>
-            </label>
-          <% end %>
           <download-button data-src="<%= submit_form_download_index_path(@submitter.slug) %>" class="btn btn-neutral text-white btn-sm px-2">
             <span data-target="download-button.defaultButton">
               <%= svg_icon('download', class: 'w-5 h-5') %>
diff --git a/app/views/templates_form_preview/show.html.erb b/app/views/templates_form_preview/show.html.erb
index 59a9bc1e..4fb55ada 100644
--- a/app/views/templates_form_preview/show.html.erb
+++ b/app/views/templates_form_preview/show.html.erb
@@ -1,11 +1,11 @@
 <% banner_html = capture do %>
-  <div class="sticky top-0 z-50 bg-base-100 py-2 px-2 flex items-center" style="margin: 0px -8px -16px -8px">
-    <div class="text-xl md:text-3xl font-semibold focus:text-clip" style="width: 100%; overflow: hidden; text-overflow: ellipsis; white-space: nowrap;">
-      <%= @template.name %>
-    </div>
-    <div class="flex items-center" style="margin-left: 20px; flex-shrink: 0">
+  <div class="sticky top-0 z-50 bg-base-100 py-2 px-2 flex items-center justify-end" style="margin: 0px -8px -16px -8px">
+    <div class="flex items-center" style="flex-shrink: 0">
       <% if @template.submitters.size > 1 %>
-          <form action="<%= template_form_path(@template, auth_token: params[:auth_token] || session[:auth_token]) %>" method="get" class="mr-3">
+          <form action="<%= template_form_path(@template) %>" method="get" class="mr-3">
+          <% if (auth_token = params[:auth_token] || session[:auth_token]) %>
+            <%= hidden_field_tag :auth_token, auth_token %>
+          <% end %>
           <select onchange="this.form.submit()" name="uuid" class="select base-input text-center font-normal" style="width: 180px; flex-shrink: 0;">
             <% @template.submitters.each do |submitter| %>
               <%= tag.option(value: submitter['uuid'], selected: submitter['uuid'] == @submitter.uuid) do %>
@@ -15,7 +15,7 @@
           </select>
         </form>
       <% end %>
-      <a href="<%= edit_template_path(@template, auth_token: params[:auth_token] || session[:auth_token]) %>" class="base-button" data-turbo="false" style="flex-shrink: 0; padding: 0px 24px;">
+      <a href="<%= edit_template_path(@template, params[:auth_token] || session[:auth_token] ? { auth_token: params[:auth_token] || session[:auth_token] } : {}) %>" class="base-button" data-turbo="false" style="flex-shrink: 0; padding: 0px 24px;">
         <%= t('exit_preview') %>
       </a>
     </div>