fix(webapp): close two RBAC scope gaps from review

Add writableEnvironmentIds to the env vars page loader data type so the
create form sees write access rather than an undefined field. Guard the
prompt action on a resolved org before its per-intent ability checks, since
it has no top-level authorization block and so skips the builder fail-closed.

Author: matt-aitken

apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.environment-variables/route.tsx

@@ -114,6 +114,8 @@ export type EnvironmentVariablesPageLoaderData = {
   vercelIntegration: PageVercelIntegration | null;
   // Environment ids whose env vars the current role can read.
   accessibleEnvironmentIds: string[];
+  // Environment ids whose env vars the current role can write (create/edit/delete).
+  writableEnvironmentIds: string[];
 };
 
 export const environmentVariablesRouteId =

apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.prompts.$promptSlug/route.tsx

@@ -130,9 +130,17 @@ export const action = dashboardAction(
       return organizationId ? { organizationId } : {};
     },
   },
-  async ({ request, params, user, ability }) => {
+  async ({ request, params, user, ability, context }) => {
     const { organizationSlug, projectParam, envParam, promptSlug } = params;
 
+    // This action checks permissions per intent inline (below) rather than via
+    // a top-level authorization block, so the builder's fail-closed scope guard
+    // doesn't run. Enforce it here: without a resolved org the inline
+    // ability.can checks would evaluate an unscoped ability.
+    if (!context.organizationId) {
+      return json({ error: "Unauthorized" }, { status: 403 });
+    }
+
     const project = await findProjectBySlug(organizationSlug, projectParam, user.id);
     if (!project) return json({ error: "Project not found" }, { status: 404 });