labels page, api as well as integrating labels in the node pool page

internal/api/routes.go

@@ -100,6 +100,11 @@ func RegisterRoutes(r chi.Router) {
 				np.Get("/{id}/taints", nodepools.ListNodePoolTaints)
 				np.Post("/{id}/taints", nodepools.AttachNodePoolTaints)
 				np.Delete("/{id}/taints/{taintId}", nodepools.DetachNodePoolTaint)
+
+				// labels
+				np.Get("/{id}/labels", nodepools.ListNodePoolLabels)
+				np.Post("/{id}/labels", nodepools.AttachNodePoolLabels)
+				np.Delete("/{id}/labels/{labelId}", nodepools.DetachNodePoolLabel)
 			})
 
 			v1.Route("/taints", func(t chi.Router) {
@@ -110,6 +115,7 @@ func RegisterRoutes(r chi.Router) {
 				t.Patch("/{id}", taints.UpdateTaint)
 				t.Delete("/{id}", taints.DeleteTaint)
 				t.Post("/{id}/node_pools", taints.AddTaintToNodePool)
+				t.Get("/{id}/node_pools", taints.ListNodePoolsWithTaint)
 				t.Delete("/{id}/node_pools/{poolId}", taints.RemoveTaintFromNodePool)
 			})
 
@@ -120,6 +126,9 @@ func RegisterRoutes(r chi.Router) {
 				l.Get("/{id}", labels.GetLabel)
 				l.Patch("/{id}", labels.UpdateLabel)
 				l.Delete("/{id}", labels.DeleteLabel)
+				l.Get("/{id}/node_pools", labels.ListNodePoolsWithLabel)
+				l.Post("/{id}/node_pools", labels.AddLabelToNodePool)
+				l.Delete("/{id}/node_pools/{poolId}", labels.RemoveLabelFromNodePool)
 			})
 		})
 	})

internal/handlers/labels/dto.go

@@ -24,3 +24,7 @@ type updateLabelRequest struct {
 	Key   *string `json:"key"`
 	Value *string `json:"value"`
 }
+
+type addLabelToPoolRequest struct {
+	NodePoolIDs []string `json:"node_pool_ids"`
+}

internal/handlers/labels/labels.go

@@ -17,14 +17,14 @@ import (
 
 // ListLabels godoc
 // @Summary      List node labels (org scoped)
-// @Description  Returns node labels for the organization in X-Org-ID. Filters: `name`, `value`, and `q` (name contains). Add `include=node_pools` to include linked node groups.
+// @Description  Returns node labels for the organization in X-Org-ID. Filters: `key`, `value`, and `q` (key contains). Add `include=node_pools` to include linked node groups.
 // @Tags         labels
 // @Accept       json
 // @Produce      json
 // @Param        X-Org-ID header string true "Organization UUID"
-// @Param        name query string false "Exact name"
+// @Param        key query string false "Exact key"
 // @Param        value query string false "Exact value"
-// @Param        q query string false "Name contains (case-insensitive)"
+// @Param        q query string false "Key contains (case-insensitive)"
 // @Param        include query string false "Optional: node_pools"
 // @Security     BearerAuth
 // @Success      200 {array}  labelResponse
@@ -39,19 +39,25 @@ func ListLabels(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	q := db.DB.Where("organization_id = ?", ac.OrganizationID)
+	qb := db.DB.Where("organization_id = ?", ac.OrganizationID)
+	if key := strings.TrimSpace(r.URL.Query().Get("key")); key != "" {
+		qb = qb.Where(`"key" = ?`, key)
+	}
+	if val := strings.TrimSpace(r.URL.Query().Get("value")); val != "" {
+		qb = qb.Where(`"value" = ?`, val)
+	}
 	if needle := strings.TrimSpace(r.URL.Query().Get("q")); needle != "" {
-		q = q.Where("name ILIKE ?", "%"+needle+"%")
+		qb = qb.Where("name ILIKE ?", "%"+needle+"%")
 	}
 
 	includePools := strings.EqualFold(strings.TrimSpace(r.URL.Query().Get("include")), "node_pools")
 	if includePools {
-		q.Preload("NodePools")
+		qb.Preload("NodePools")
 	}
 
 	var rows []models.Label
-	if err := q.Order("created_at DESC").Find(&rows).Error; err != nil {
-		http.Error(w, "failed to list taints", http.StatusInternalServerError)
+	if err := qb.Order("created_at DESC").Find(&rows).Error; err != nil {
+		http.Error(w, "failed to list labels", http.StatusInternalServerError)
 		return
 	}
 
@@ -264,10 +270,225 @@ func DeleteLabel(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	if err := db.DB.Where("id = ? AND organization_id = ?", id, ac.OrganizationID).Delete(&models.Taint{}).Error; err != nil {
+	if err := db.DB.Where("id = ? AND organization_id = ?", id, ac.OrganizationID).Delete(&models.Label{}).Error; err != nil {
 		http.Error(w, "delete failed", http.StatusInternalServerError)
 		return
 	}
 
 	response.NoContent(w)
 }
+
+// ListNodePoolsWithLabel godoc
+// @Summary      List node pools linked to a label (org scoped)
+// @Description  Returns node pools attached to the label. Supports `q` (name contains, case-insensitive).
+// @Tags         labels
+// @Accept       json
+// @Produce      json
+// @Param        X-Org-ID header string true "Organization UUID"
+// @Param        id path string true "Label ID (UUID)"
+// @Param        q query string false "Name contains (case-insensitive)"
+// @Security     BearerAuth
+// @Success      200 {array}  nodePoolBrief
+// @Failure      400 {string} string "invalid id"
+// @Failure      401 {string} string "Unauthorized"
+// @Failure      403 {string} string "organization required"
+// @Failure      404 {string} string "not found"
+// @Failure      500 {string} string "fetch failed"
+// @Router       /api/v1/labels/{id}/node_pools [get]
+func ListNodePoolsWithLabel(w http.ResponseWriter, r *http.Request) {
+	ac := middleware.GetAuthContext(r)
+	if ac == nil || ac.OrganizationID == uuid.Nil {
+		http.Error(w, "organization required", http.StatusForbidden)
+		return
+	}
+
+	labelID, err := uuid.Parse(chi.URLParam(r, "id"))
+	if err != nil {
+		http.Error(w, "invalid id", http.StatusBadRequest)
+		return
+	}
+
+	// Ensure the label exists and belongs to this org
+	var l models.Label
+	if err := db.DB.Where("id = ? AND organization_id = ?", labelID, ac.OrganizationID).
+		First(&l).Error; err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			http.Error(w, "not found", http.StatusNotFound)
+			return
+		}
+		http.Error(w, "fetch failed", http.StatusInternalServerError)
+		return
+	}
+
+	// Query pools through the join table defined on the model: many2many:node_labels
+	q := db.DB.Model(&models.NodePool{}).
+		Joins("JOIN node_labels nl ON nl.node_pool_id = node_pools.id").
+		Where("nl.label_id = ? AND node_pools.organization_id = ?", labelID, ac.OrganizationID)
+
+	if needle := strings.TrimSpace(r.URL.Query().Get("q")); needle != "" {
+		q = q.Where("node_pools.name ILIKE ?", "%"+needle+"%")
+	}
+
+	var pools []models.NodePool
+	if err := q.Order("node_pools.created_at DESC").Find(&pools).Error; err != nil {
+		http.Error(w, "fetch failed", http.StatusInternalServerError)
+		return
+	}
+
+	out := make([]nodePoolBrief, 0, len(pools))
+	for _, p := range pools {
+		out = append(out, nodePoolBrief{ID: p.ID, Name: p.Name})
+	}
+
+	_ = response.JSON(w, http.StatusOK, out)
+}
+
+// AddLabelToNodePool godoc
+// @Summary      Attach label to node pools (org scoped)
+// @Description  Links the label to one or more node pools in the same organization.
+// @Tags         labels
+// @Accept       json
+// @Produce      json
+// @Param        X-Org-ID header string true "Organization UUID"
+// @Param        id path string true "Label ID (UUID)"
+// @Param        body body addLabelToPoolRequest true "IDs to attach"
+// @Param        include query string false "Optional: node_pools"
+// @Security     BearerAuth
+// @Success      200 {object} labelResponse
+// @Failure      400 {string} string "invalid id / invalid json / invalid node_pool_ids"
+// @Failure      401 {string} string "Unauthorized"
+// @Failure      403 {string} string "organization required"
+// @Failure      404 {string} string "not found"
+// @Failure      500 {string} string "attach failed"
+// @Router       /api/v1/labels/{id}/node_pools [post]
+func AddLabelToNodePool(w http.ResponseWriter, r *http.Request) {
+	ac := middleware.GetAuthContext(r)
+	if ac == nil || ac.OrganizationID == uuid.Nil {
+		http.Error(w, "organization required", http.StatusForbidden)
+		return
+	}
+
+	labelID, err := uuid.Parse(chi.URLParam(r, "id"))
+	if err != nil {
+		http.Error(w, "invalid id", http.StatusBadRequest)
+		return
+	}
+
+	var t models.Label
+	if err := db.DB.
+		Where("id = ? AND organization_id = ?", labelID, ac.OrganizationID).
+		First(&t).Error; err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			http.Error(w, "not found", http.StatusNotFound)
+			return
+		}
+		http.Error(w, "fetch failed", http.StatusInternalServerError)
+		return
+	}
+
+	var in struct {
+		NodePoolIDs []string `json:"node_pool_ids"`
+	}
+	if err := json.NewDecoder(r.Body).Decode(&in); err != nil || len(in.NodePoolIDs) == 0 {
+		http.Error(w, "invalid json or empty node_pool_ids", http.StatusBadRequest)
+		return
+	}
+
+	ids, err := parseUUIDs(in.NodePoolIDs)
+	if err != nil {
+		http.Error(w, "invalid node_pool_ids", http.StatusBadRequest)
+		return
+	}
+	if err := ensureNodePoolsBelongToOrg(ac.OrganizationID, ids); err != nil {
+		http.Error(w, "invalid node_pool_ids for this organization", http.StatusBadRequest)
+		return
+	}
+
+	var pools []models.NodePool
+	if err := db.DB.
+		Where("id IN ? AND organization_id = ?", ids, ac.OrganizationID).
+		Find(&pools).Error; err != nil {
+		http.Error(w, "attach failed", http.StatusInternalServerError)
+		return
+	}
+	if err := db.DB.Model(&t).Association("NodePools").Append(&pools); err != nil {
+		http.Error(w, "attach failed", http.StatusInternalServerError)
+		return
+	}
+
+	includePools := strings.EqualFold(strings.TrimSpace(r.URL.Query().Get("include")), "node_pools")
+	if includePools {
+		if err := db.DB.Preload("NodePools").
+			First(&t, "id = ? AND organization_id = ?", labelID, ac.OrganizationID).Error; err != nil {
+			http.Error(w, "fetch failed", http.StatusInternalServerError)
+			return
+		}
+	}
+
+	_ = response.JSON(w, http.StatusOK, toResp(t, includePools))
+}
+
+// RemoveLabelFromNodePool godoc
+// @Summary      Detach label from a node pool (org scoped)
+// @Description  Unlinks the label from the specified node pool.
+// @Tags         labels
+// @Accept       json
+// @Produce      json
+// @Param        X-Org-ID header string true "Organization UUID"
+// @Param        id path string true "Label ID (UUID)"
+// @Param        poolId path string true "Node Pool ID (UUID)"
+// @Security     BearerAuth
+// @Success      204 {string} string "No Content"
+// @Failure      400 {string} string "invalid id"
+// @Failure      401 {string} string "Unauthorized"
+// @Failure      403 {string} string "organization required"
+// @Failure      404 {string} string "not found"
+// @Failure      500 {string} string "detach failed"
+// @Router       /api/v1/labels/{id}/node_pools/{poolId} [delete]
+func RemoveLabelFromNodePool(w http.ResponseWriter, r *http.Request) {
+	ac := middleware.GetAuthContext(r)
+	if ac == nil || ac.OrganizationID == uuid.Nil {
+		http.Error(w, "organization required", http.StatusForbidden)
+		return
+	}
+
+	labelID, err := uuid.Parse(chi.URLParam(r, "id"))
+	if err != nil {
+		http.Error(w, "invalid id", http.StatusBadRequest)
+		return
+	}
+	poolID, err := uuid.Parse(chi.URLParam(r, "poolId"))
+	if err != nil {
+		http.Error(w, "invalid id", http.StatusBadRequest)
+		return
+	}
+
+	var t models.Label
+	if err := db.DB.Where("id = ? AND organization_id = ?", labelID, ac.OrganizationID).
+		First(&t).Error; err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			http.Error(w, "not found", http.StatusNotFound)
+			return
+		}
+		http.Error(w, "fetch failed", http.StatusInternalServerError)
+		return
+	}
+
+	var p models.NodePool
+	if err := db.DB.Where("id = ? AND organization_id = ?", poolID, ac.OrganizationID).
+		First(&p).Error; err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			http.Error(w, "not found", http.StatusNotFound)
+			return
+		}
+		http.Error(w, "fetch failed", http.StatusInternalServerError)
+		return
+	}
+
+	if err := db.DB.Model(&t).Association("NodePools").Delete(&p); err != nil {
+		http.Error(w, "detach failed", http.StatusInternalServerError)
+		return
+	}
+
+	response.NoContent(w)
+}

internal/handlers/nodepools/dto.go

@@ -41,3 +41,23 @@ type taintBrief struct {
 type attachTaintsRequest struct {
 	TaintIDs []string `json:"taint_ids"`
 }
+
+type labelBrief struct {
+	ID    uuid.UUID `json:"id"`
+	Key   string    `json:"key"`
+	Value string    `json:"value"`
+}
+
+type attachLabelsRequest struct {
+	LabelIDs []string `json:"label_ids"`
+}
+
+type annotationBrief struct {
+	ID    uuid.UUID `json:"id"`
+	Key   string    `json:"key"`
+	Value string    `json:"value"`
+}
+
+type attachAnnotationsRequest struct {
+	AnnotationIDs []string `json:"annotation_ids"`
+}

internal/handlers/nodepools/funcs.go

@@ -70,3 +70,35 @@ func ensureTaintsBelongToOrg(orgID uuid.UUID, ids []uuid.UUID) error {
 	}
 	return nil
 }
+
+func ensureLabelsBelongToOrg(orgID uuid.UUID, ids []uuid.UUID) error {
+	if len(ids) == 0 {
+		return nil
+	}
+	var cnt int64
+	if err := db.DB.Model(&models.Label{}).
+		Where("organization_id = ? AND id IN ?", orgID, ids).
+		Count(&cnt).Error; err != nil {
+		return err
+	}
+	if cnt != int64(len(ids)) {
+		return errors.New("one or more labels not in organization")
+	}
+	return nil
+}
+
+func ensureAnnotationsBelongToOrg(orgID uuid.UUID, ids []uuid.UUID) error {
+	if len(ids) == 0 {
+		return nil
+	}
+	var cnt int64
+	if err := db.DB.Model(&models.Annotation{}).
+		Where("organization_id = ? AND id IN ?", orgID, ids).
+		Count(&cnt).Error; err != nil {
+		return err
+	}
+	if cnt != int64(len(ids)) {
+		return errors.New("one or more annotations not in organization")
+	}
+	return nil
+}

internal/handlers/nodepools/nodepools.go

@@ -624,3 +624,185 @@ func DetachNodePoolTaint(w http.ResponseWriter, r *http.Request) {
 	}
 	response.NoContent(w)
 }
+
+// ListNodePoolLabels godoc
+// @Summary      List labels attached to a node pool (org scoped)
+// @Tags         node-pools
+// @Accept       json
+// @Produce      json
+// @Param        X-Org-ID header string true "Organization UUID"
+// @Param        id path string true "Node Pool ID (UUID)"
+// @Security     BearerAuth
+// @Success      200 {array}  labelBrief
+// @Failure      400 {string} string "invalid id"
+// @Failure      401 {string} string "Unauthorized"
+// @Failure      403 {string} string "organization required"
+// @Failure      404 {string} string "not found"
+// @Failure      500 {string} string "fetch failed"
+// @Router       /api/v1/node-pools/{id}/labels [get]
+func ListNodePoolLabels(w http.ResponseWriter, r *http.Request) {
+	ac := middleware.GetAuthContext(r)
+	if ac == nil || ac.OrganizationID == uuid.Nil {
+		http.Error(w, "organization required", http.StatusForbidden)
+		return
+	}
+
+	ngID, err := uuid.Parse(chi.URLParam(r, "id"))
+	if err != nil {
+		http.Error(w, "invalid id", http.StatusBadRequest)
+		return
+	}
+
+	var ng models.NodePool
+	if err := db.DB.Where("id = ? AND organization_id = ?", ngID, ac.OrganizationID).
+		Preload("Labels").First(&ng).Error; err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			http.Error(w, "not found", http.StatusNotFound)
+			return
+		}
+		http.Error(w, "fetch failed", http.StatusInternalServerError)
+		return
+	}
+
+	out := make([]labelBrief, 0, len(ng.Labels))
+	for _, l := range ng.Labels {
+		out = append(out, labelBrief{
+			ID:    l.ID,
+			Key:   l.Key,
+			Value: l.Value,
+		})
+	}
+	_ = response.JSON(w, http.StatusOK, out)
+}
+
+// AttachNodePoolLabels godoc
+// @Summary      Attach labels to a node pool (org scoped)
+// @Tags         node-pools
+// @Accept       json
+// @Produce      json
+// @Param        X-Org-ID header string true "Organization UUID"
+// @Param        id path string true "Node Pool ID (UUID)"
+// @Param        body body attachLabelsRequest true "Label IDs to attach"
+// @Security     BearerAuth
+// @Success      204 {string} string "No Content"
+// @Failure      400 {string} string "invalid id / invalid label_ids"
+// @Failure      401 {string} string "Unauthorized"
+// @Failure      403 {string} string "organization required"
+// @Failure      404 {string} string "not found"
+// @Failure      500 {string} string "attach failed"
+// @Router       /api/v1/node-pools/{id}/labels [post]
+func AttachNodePoolLabels(w http.ResponseWriter, r *http.Request) {
+	ac := middleware.GetAuthContext(r)
+	if ac == nil || ac.OrganizationID == uuid.Nil {
+		http.Error(w, "organization required", http.StatusForbidden)
+		return
+	}
+
+	ngID, err := uuid.Parse(chi.URLParam(r, "id"))
+	if err != nil {
+		http.Error(w, "invalid id", http.StatusBadRequest)
+		return
+	}
+
+	var ng models.NodePool
+	if err := db.DB.Where("id = ? AND organization_id = ?", ngID, ac.OrganizationID).
+		First(&ng).Error; err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			http.Error(w, "not found", http.StatusNotFound)
+			return
+		}
+		http.Error(w, "fetch failed", http.StatusInternalServerError)
+		return
+	}
+
+	var body attachLabelsRequest
+	if err := json.NewDecoder(r.Body).Decode(&body); err != nil || len(body.LabelIDs) == 0 {
+		http.Error(w, "invalid label_ids", http.StatusBadRequest)
+		return
+	}
+
+	ids, err := parseUUIDs(body.LabelIDs) // already used in this package for servers/taints
+	if err != nil {
+		http.Error(w, "invalid label_ids", http.StatusBadRequest)
+		return
+	}
+	if err := ensureLabelsBelongToOrg(ac.OrganizationID, ids); err != nil {
+		http.Error(w, "invalid label_ids for this organization", http.StatusBadRequest)
+		return
+	}
+
+	var labels []models.Label
+	if err := db.DB.Where("id IN ? AND organization_id = ?", ids, ac.OrganizationID).
+		Find(&labels).Error; err != nil {
+		http.Error(w, "attach failed", http.StatusInternalServerError)
+		return
+	}
+	if err := db.DB.Model(&ng).Association("Labels").Append(&labels); err != nil {
+		http.Error(w, "attach failed", http.StatusInternalServerError)
+		return
+	}
+	w.WriteHeader(http.StatusNoContent)
+}
+
+// DetachNodePoolLabel godoc
+// @Summary      Detach one label from a node pool (org scoped)
+// @Tags         node-pools
+// @Accept       json
+// @Produce      json
+// @Param        X-Org-ID header string true "Organization UUID"
+// @Param        id path string true "Node Pool ID (UUID)"
+// @Param        labelId path string true "Label ID (UUID)"
+// @Security     BearerAuth
+// @Success      204 {string} string "No Content"
+// @Failure      400 {string} string "invalid id"
+// @Failure      401 {string} string "Unauthorized"
+// @Failure      403 {string} string "organization required"
+// @Failure      404 {string} string "not found"
+// @Failure      500 {string} string "detach failed"
+// @Router       /api/v1/node-pools/{id}/labels/{labelId} [delete]
+func DetachNodePoolLabel(w http.ResponseWriter, r *http.Request) {
+	ac := middleware.GetAuthContext(r)
+	if ac == nil || ac.OrganizationID == uuid.Nil {
+		http.Error(w, "organization required", http.StatusForbidden)
+		return
+	}
+
+	ngID, err := uuid.Parse(chi.URLParam(r, "id"))
+	if err != nil {
+		http.Error(w, "invalid id", http.StatusBadRequest)
+		return
+	}
+	lid, err := uuid.Parse(chi.URLParam(r, "labelId"))
+	if err != nil {
+		http.Error(w, "invalid id", http.StatusBadRequest)
+		return
+	}
+
+	var ng models.NodePool
+	if err := db.DB.Where("id = ? AND organization_id = ?", ngID, ac.OrganizationID).
+		First(&ng).Error; err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			http.Error(w, "not found", http.StatusNotFound)
+			return
+		}
+		http.Error(w, "fetch failed", http.StatusInternalServerError)
+		return
+	}
+
+	var l models.Label
+	if err := db.DB.Where("id = ? AND organization_id = ?", lid, ac.OrganizationID).
+		First(&l).Error; err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			http.Error(w, "not found", http.StatusNotFound)
+			return
+		}
+		http.Error(w, "fetch failed", http.StatusInternalServerError)
+		return
+	}
+
+	if err := db.DB.Model(&ng).Association("Labels").Delete(&l); err != nil {
+		http.Error(w, "detach failed", http.StatusInternalServerError)
+		return
+	}
+	response.NoContent(w)
+}

internal/handlers/taints/dto.go

@@ -31,3 +31,17 @@ type updateTaintRequest struct {
 type addTaintToPoolRequest struct {
 	NodePoolIDs []string `json:"node_pool_ids"`
 }
+
+type nodePoolResponse struct {
+	ID      uuid.UUID     `json:"id"`
+	Name    string        `json:"name"`
+	Servers []serverBrief `json:"servers,omitempty"`
+}
+
+type serverBrief struct {
+	ID       uuid.UUID `json:"id"`
+	Hostname string    `json:"hostname"`
+	IP       string    `json:"ip"`
+	Role     string    `json:"role"`
+	Status   string    `json:"status"`
+}

internal/handlers/taints/taints.go

@@ -17,14 +17,14 @@ import (
 
 // ListTaints godoc
 // @Summary      List node taints (org scoped)
-// @Description  Returns node taints for the organization in X-Org-ID. Filters: `name`, `value`, and `q` (name contains). Add `include=node_groups` to include linked node groups.
+// @Description  Returns node taints for the organization in X-Org-ID. Filters: `key`, `value`, and `q` (key contains). Add `include=node_groups` to include linked node groups.
 // @Tags         taints
 // @Accept       json
 // @Produce      json
 // @Param        X-Org-ID header string true "Organization UUID"
-// @Param        name query string false "Exact name"
+// @Param        key query string false "Exact key"
 // @Param        value query string false "Exact value"
-// @Param        q query string false "Name contains (case-insensitive)"
+// @Param        q query string false "key contains (case-insensitive)"
 // @Param        include query string false "Optional: node_pools"
 // @Security     BearerAuth
 // @Success      200 {array}  taintResponse
@@ -40,6 +40,12 @@ func ListTaints(w http.ResponseWriter, r *http.Request) {
 	}
 
 	q := db.DB.Where("organization_id = ?", ac.OrganizationID)
+	if key := strings.TrimSpace(r.URL.Query().Get("key")); key != "" {
+		q = q.Where("key = ?", key)
+	}
+	if val := strings.TrimSpace(r.URL.Query().Get("value")); val != "" {
+		q = q.Where("value = ?", val)
+	}
 	if needle := strings.TrimSpace(r.URL.Query().Get("q")); needle != "" {
 		q = q.Where("name ILIKE ?", "%"+needle+"%")
 	}
@@ -423,3 +429,67 @@ func RemoveTaintFromNodePool(w http.ResponseWriter, r *http.Request) {
 
 	response.NoContent(w)
 }
+
+// ListNodePoolsWithTaint godoc
+// @Summary      List node pools linked to a taint (org scoped)
+// @Description  Returns node pools attached to the taint. Supports `q` (name contains, case-insensitive).
+// @Tags         taints
+// @Accept       json
+// @Produce      json
+// @Param        X-Org-ID header string true "Organization UUID"
+// @Param        id path string true "Taint ID (UUID)"
+// @Param        q query string false "Name contains (case-insensitive)"
+// @Security     BearerAuth
+// @Success      200 {array}  nodePoolResponse
+// @Failure      400 {string} string "invalid id"
+// @Failure      401 {string} string "Unauthorized"
+// @Failure      403 {string} string "organization required"
+// @Failure      404 {string} string "not found"
+// @Failure      500 {string} string "fetch failed"
+// @Router       /api/v1/taints/{id}/node_pools [get]
+func ListNodePoolsWithTaint(w http.ResponseWriter, r *http.Request) {
+	ac := middleware.GetAuthContext(r)
+	if ac == nil || ac.OrganizationID == uuid.Nil {
+		http.Error(w, "organization required", http.StatusForbidden)
+		return
+	}
+
+	taintID, err := uuid.Parse(chi.URLParam(r, "id"))
+	if err != nil {
+		http.Error(w, "invalid id", http.StatusBadRequest)
+		return
+	}
+
+	// Ensure the taint exists and belongs to this org
+	var t models.Taint
+	if err := db.DB.Where("id = ? AND organization_id = ?", taintID, ac.OrganizationID).
+		First(&t).Error; err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			http.Error(w, "not found", http.StatusNotFound)
+			return
+		}
+		http.Error(w, "fetch failed", http.StatusInternalServerError)
+		return
+	}
+
+	// Build query for pools linked via join table
+	q := db.DB.Model(&models.NodePool{}).
+		Joins("JOIN taint_node_pools tnp ON tnp.node_pool_id = node_pools.id").
+		Where("tnp.taint_id = ? AND node_pools.organization_id = ?", taintID, ac.OrganizationID)
+
+	if needle := strings.TrimSpace(r.URL.Query().Get("q")); needle != "" {
+		q = q.Where("node_pools.name ILIKE ?", "%"+needle+"%")
+	}
+
+	var pools []models.NodePool
+	if err := q.Order("node_pools.created_at DESC").Find(&pools).Error; err != nil {
+		http.Error(w, "fetch failed", http.StatusInternalServerError)
+		return
+	}
+
+	// If you have a serializer like toNodePoolResp, use it; otherwise return models with JSON tags.
+	//out := make([]nodePoolResponse, 0, len(pools))
+	//for _, p := range pools { out = append(out, toNodePoolResp(p)) }
+
+	_ = response.JSON(w, http.StatusOK, pools)
+}