fix(webapp): fail closed when a scoped authorization check has no org scope

The dashboard route builder resolves an org/project scope in each route context
and runs the authorization check against it. When the scope could not be
resolved the check evaluated an unscoped ability, so it silently became a no-op
for a missing org. The builder now treats a scoped authorization block with no
resolved org or project as a denial (requireSuper stays global), so the check
can never pass unscoped.

Add a shared resolveOrgIdFromSlug that reads the replica first and falls back to
the primary on a miss, and use it across the dashboard routes, so replica lag
never leaves a real org unresolved.

Author: matt-aitken

apps/webapp/app/models/organization.server.ts

@@ -9,7 +9,7 @@ import type {
 import { customAlphabet } from "nanoid";
 import { generate } from "random-words";
 import slug from "slug";
-import { prisma, type PrismaClientOrTransaction } from "~/db.server";
+import { $replica, prisma, type PrismaClientOrTransaction } from "~/db.server";
 import { env } from "~/env.server";
 import { featuresForUrl } from "~/features.server";
 import { createApiKeyForEnv, createPkApiKeyForEnv, envSlug } from "./api-key.server";
@@ -18,6 +18,28 @@ export type { Organization };
 
 const nanoid = customAlphabet("1234567890abcdef", 4);
 
+/**
+ * Resolve an organization id from its slug for use as an RBAC auth scope.
+ * Reads the replica first (the common case) and falls back to the primary on a
+ * miss, so replica lag never leaves a real org unresolved, which the dashboard
+ * route builder treats as an unauthorized request.
+ */
+export async function resolveOrgIdFromSlug(slug: string): Promise<string | null> {
+  const fromReplica = await $replica.organization.findFirst({
+    where: { slug },
+    select: { id: true },
+  });
+  if (fromReplica) {
+    return fromReplica.id;
+  }
+
+  const fromPrimary = await prisma.organization.findFirst({
+    where: { slug },
+    select: { id: true },
+  });
+  return fromPrimary?.id ?? null;
+}
+
 export async function createOrganization(
   {
     title,

apps/webapp/app/routes/_app.github.install/route.tsx

@@ -1,6 +1,7 @@
 import { redirect } from "remix-typedjson";
 import { z } from "zod";
 import { $replica } from "~/db.server";
+import { resolveOrgIdFromSlug } from "~/models/organization.server";
 import { createGitHubAppInstallSession } from "~/services/gitHubSession.server";
 import { dashboardLoader } from "~/services/routeBuilders/dashboardBuilder";
 import { newOrganizationPath } from "~/utils/pathBuilder";
@@ -14,11 +15,6 @@ const QuerySchema = z.object({
   }),
 });
 
-async function resolveOrgIdFromSlug(slug: string): Promise<string | null> {
-  const org = await $replica.organization.findFirst({ where: { slug }, select: { id: true } });
-  return org?.id ?? null;
-}
-
 export const loader = dashboardLoader(
   {
     // The org for the auth scope comes from the `org_slug` query param.

apps/webapp/app/routes/_app.orgs.$organizationSlug.invite/route.tsx

@@ -29,6 +29,7 @@ import { env } from "~/env.server";
 import { useOrganization } from "~/hooks/useOrganizations";
 import { inviteMembers } from "~/models/member.server";
 import { redirectWithSuccessMessage } from "~/models/message.server";
+import { resolveOrgIdFromSlug } from "~/models/organization.server";
 import { TeamPresenter } from "~/presenters/TeamPresenter.server";
 import { scheduleEmail } from "~/services/scheduleEmail.server";
 import { rbac } from "~/services/rbac.server";
@@ -40,11 +41,6 @@ const Params = z.object({
   organizationSlug: z.string(),
 });
 
-async function resolveOrgIdFromSlug(slug: string): Promise<string | null> {
-  const org = await $replica.organization.findFirst({ where: { slug }, select: { id: true } });
-  return org?.id ?? null;
-}
-
 export const loader = dashboardLoader(
   {
     params: Params,

apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.apikeys/route.tsx

@@ -31,8 +31,8 @@ import { InputGroup } from "~/components/primitives/InputGroup";
 import { Label } from "~/components/primitives/Label";
 import { NavBar, PageAccessories, PageTitle } from "~/components/primitives/PageHeader";
 import * as Property from "~/components/primitives/PropertyTable";
-import { $replica } from "~/db.server";
 import { useOrganization } from "~/hooks/useOrganizations";
+import { resolveOrgIdFromSlug } from "~/models/organization.server";
 import { ApiKeysPresenter } from "~/presenters/v3/ApiKeysPresenter.server";
 import { dashboardLoader } from "~/services/routeBuilders/dashboardBuilder";
 import { cn } from "~/utils/cn";
@@ -46,11 +46,6 @@ export const meta: MetaFunction = () => {
   ];
 };
 
-async function resolveOrgIdFromSlug(slug: string): Promise<string | null> {
-  const org = await $replica.organization.findFirst({ where: { slug }, select: { id: true } });
-  return org?.id ?? null;
-}
-
 export const loader = dashboardLoader(
   {
     params: EnvironmentParamSchema,

apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.bulk-actions.$bulkActionParam/route.tsx

@@ -23,10 +23,10 @@ import { useEnvironment } from "~/hooks/useEnvironment";
 import { useOrganization } from "~/hooks/useOrganizations";
 import { useProject } from "~/hooks/useProject";
 import { redirectWithErrorMessage, redirectWithSuccessMessage } from "~/models/message.server";
+import { resolveOrgIdFromSlug } from "~/models/organization.server";
 import { findProjectBySlug } from "~/models/project.server";
 import { findEnvironmentBySlug } from "~/models/runtimeEnvironment.server";
 import { BulkActionPresenter } from "~/presenters/v3/BulkActionPresenter.server";
-import { prisma } from "~/db.server";
 import { logger } from "~/services/logger.server";
 import { dashboardAction, dashboardLoader } from "~/services/routeBuilders/dashboardBuilder";
 import { checkPermissions } from "~/services/routeBuilders/permissions.server";
@@ -45,14 +45,6 @@ const BulkActionParamSchema = EnvironmentParamSchema.extend({
   bulkActionParam: z.string(),
 });
 
-async function resolveOrgIdFromSlug(slug: string): Promise<string | null> {
-  // Resolve from the primary (not the replica) so the RBAC auth scope is never
-  // resolved without an org under replica lag, which would let the role check
-  // run unscoped under the enterprise plugin.
-  const org = await prisma.organization.findFirst({ where: { slug }, select: { id: true } });
-  return org?.id ?? null;
-}
-
 export const loader = dashboardLoader(
   {
     params: BulkActionParamSchema,

apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.deployments/route.tsx

@@ -66,12 +66,12 @@ import {
 import { useEnvironment } from "~/hooks/useEnvironment";
 import { useOrganization } from "~/hooks/useOrganizations";
 import { useProject } from "~/hooks/useProject";
+import { resolveOrgIdFromSlug } from "~/models/organization.server";
 import {
   type DeploymentListItem,
   DeploymentListPresenter,
 } from "~/presenters/v3/DeploymentListPresenter.server";
 import { requireUserId } from "~/services/session.server";
-import { $replica } from "~/db.server";
 import { rbac } from "~/services/rbac.server";
 import { checkPermissions } from "~/services/routeBuilders/permissions.server";
 import { titleCase } from "~/utils";
@@ -101,11 +101,6 @@ const SearchParams = z.object({
   version: z.string().optional(),
 });
 
-async function resolveOrgIdFromSlug(slug: string): Promise<string | null> {
-  const org = await $replica.organization.findFirst({ where: { slug }, select: { id: true } });
-  return org?.id ?? null;
-}
-
 export const loader = async ({ request, params }: LoaderFunctionArgs) => {
   const userId = await requireUserId(request);
   const { organizationSlug, projectParam, envParam } = EnvironmentParamSchema.parse(params);

apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.environment-variables.new/route.tsx

@@ -47,6 +47,7 @@ import { useList } from "~/hooks/useList";
 import { useOrganization } from "~/hooks/useOrganizations";
 import { useProject } from "~/hooks/useProject";
 import { useTypedMatchesData } from "~/hooks/useTypedMatchData";
+import { resolveOrgIdFromSlug } from "~/models/organization.server";
 import { dashboardAction } from "~/services/routeBuilders/dashboardBuilder";
 import { cn } from "~/utils/cn";
 import {
@@ -101,11 +102,6 @@ const schema = z.object({
   }, Variable.array().nonempty("At least one variable is required")),
 });
 
-async function resolveOrgIdFromSlug(slug: string): Promise<string | null> {
-  const org = await prisma.organization.findFirst({ where: { slug }, select: { id: true } });
-  return org?.id ?? null;
-}
-
 export const action = dashboardAction(
   {
     params: EnvironmentParamSchema,

apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.environment-variables/route.tsx

@@ -59,6 +59,7 @@ import { useSearchParams } from "~/hooks/useSearchParam";
 import { useOrganization } from "~/hooks/useOrganizations";
 import { useProject } from "~/hooks/useProject";
 import { redirectWithSuccessMessage } from "~/models/message.server";
+import { resolveOrgIdFromSlug } from "~/models/organization.server";
 import {
   type EnvironmentVariableWithSetValues,
   EnvironmentVariablesPresenter,
@@ -118,11 +119,6 @@ export type EnvironmentVariablesPageLoaderData = {
 export const environmentVariablesRouteId =
   "routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.environment-variables";
 
-async function resolveOrgIdFromSlug(slug: string): Promise<string | null> {
-  const org = await prisma.organization.findFirst({ where: { slug }, select: { id: true } });
-  return org?.id ?? null;
-}
-
 export const loader = dashboardLoader(
   {
     params: EnvironmentParamSchema,

apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.prompts.$promptSlug/route.tsx

@@ -56,12 +56,13 @@ import { Spinner } from "~/components/primitives/Spinner";
 import { TabButton, TabContainer } from "~/components/primitives/Tabs";
 import { TextArea } from "~/components/primitives/TextArea";
 import { TimeFilter } from "~/components/runs/v3/SharedFilters";
-import { $replica, prisma } from "~/db.server";
+import { prisma } from "~/db.server";
 import { useEnvironment } from "~/hooks/useEnvironment";
 import { useInterval } from "~/hooks/useInterval";
 import { useOrganization } from "~/hooks/useOrganizations";
 import { useProject } from "~/hooks/useProject";
 import { useSearchParams } from "~/hooks/useSearchParam";
+import { resolveOrgIdFromSlug } from "~/models/organization.server";
 import { findProjectBySlug } from "~/models/project.server";
 import { findEnvironmentBySlug } from "~/models/runtimeEnvironment.server";
 import { type GenerationRow, PromptPresenter } from "~/presenters/v3/PromptPresenter.server";
@@ -121,11 +122,6 @@ const ActionSchema = z.discriminatedUnion("intent", [
   }),
 ]);
 
-async function resolveOrgIdFromSlug(slug: string): Promise<string | null> {
-  const org = await $replica.organization.findFirst({ where: { slug }, select: { id: true } });
-  return org?.id ?? null;
-}
-
 export const action = dashboardAction(
   {
     params: ParamSchema,

apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.settings.integrations/route.tsx

@@ -6,7 +6,6 @@ import { typedjson, useTypedLoaderData, useTypedFetcher } from "remix-typedjson"
 import { z } from "zod";
 import { MainHorizontallyCenteredContainer } from "~/components/layout/AppLayout";
 import { throwPermissionDenied } from "~/utils/permissionDenied";
-import { $replica } from "~/db.server";
 import { dashboardAction, dashboardLoader } from "~/services/routeBuilders/dashboardBuilder";
 import { Button } from "~/components/primitives/Buttons";
 import { CheckboxWithLabel } from "~/components/primitives/Checkbox";
@@ -39,13 +38,9 @@ import {
   VercelOnboardingModal,
 } from "../resources.orgs.$organizationSlug.projects.$projectParam.env.$envParam.vercel";
 import type { loader as vercelLoader } from "../resources.orgs.$organizationSlug.projects.$projectParam.env.$envParam.vercel";
+import { resolveOrgIdFromSlug } from "~/models/organization.server";
 import { OrgIntegrationRepository } from "~/models/orgIntegration.server";
 
-async function resolveOrgIdFromSlug(slug: string): Promise<string | null> {
-  const org = await $replica.organization.findFirst({ where: { slug }, select: { id: true } });
-  return org?.id ?? null;
-}
-
 export const loader = dashboardLoader(
   {
     params: EnvironmentParamSchema,