Fix paid organization creation limit

Author: RhysSullivan

.oxlintrc.jsonc

@@ -29,6 +29,7 @@
     "executor/no-try-catch-or-throw": "error",
     "executor/no-unknown-error-message": "error",
     "executor/no-unsupported-effect-api": "error",
+    "executor/prefer-effect-predicate": "error",
     "executor/prefer-schema-inferred-types": "error",
     "executor/prefer-value-inferred-extension-types": "error",
     "executor/prefer-yield-tagged-error": "error",

apps/cloud/src/auth/create-organization.e2e.node.test.ts

@@ -0,0 +1,103 @@
+import { assert, describe, it } from "@effect/vitest";
+import { Effect, Exit } from "effect";
+
+import {
+  CloudAuthApiTestContext,
+  CloudAuthApiTestContextLayer,
+  makeCloudAuthApiTestState,
+} from "./cloud-auth-api.test-context";
+import { makeWorkOSTestMembership, makeWorkOSTestState } from "./workos.test-layer";
+import { makeAutumnTestState } from "../services/autumn.test-layer";
+
+describe("create organization API", () => {
+  it.effect("lets a paid user create another organization through the HTTP API client", () => {
+    const state = makeCloudAuthApiTestState({
+      workos: makeWorkOSTestState({
+        memberships: [
+          makeWorkOSTestMembership("org_free_1", "active"),
+          makeWorkOSTestMembership("org_free_2", "active"),
+          makeWorkOSTestMembership("org_paid", "active"),
+        ],
+      }),
+      autumn: makeAutumnTestState({
+        subscriptionsByOrgId: {
+          org_paid: [{ planId: "team", status: "active" }],
+        },
+      }),
+    });
+
+    return Effect.gen(function* () {
+      const { client } = yield* CloudAuthApiTestContext;
+
+      const result = yield* client.cloudAuth.createOrganization({
+        payload: { name: "Paid Extra Org" },
+      });
+
+      assert.deepEqual(result, { id: "org_created", name: "Paid Extra Org" });
+      assert.deepEqual(state.workos.createdOrganizations, [
+        { id: "org_created", name: "Paid Extra Org" },
+      ]);
+      assert.deepEqual(state.workos.createdMemberships, [
+        { organizationId: "org_created", userId: "user_1", roleSlug: "admin" },
+      ]);
+      assert.deepEqual(state.userStore.upsertedOrganizations, [
+        { id: "org_created", name: "Paid Extra Org" },
+      ]);
+    }).pipe(Effect.provide(CloudAuthApiTestContextLayer(state)));
+  });
+
+  it.effect(
+    "rejects a free-only user at the free organization limit through the HTTP API client",
+    () => {
+      const state = makeCloudAuthApiTestState({
+        workos: makeWorkOSTestState({
+          memberships: [
+            makeWorkOSTestMembership("org_free_1", "active"),
+            makeWorkOSTestMembership("org_free_2", "active"),
+            makeWorkOSTestMembership("org_free_3", "active"),
+          ],
+        }),
+      });
+
+      return Effect.gen(function* () {
+        const { client } = yield* CloudAuthApiTestContext;
+
+        const exit = yield* Effect.exit(
+          client.cloudAuth.createOrganization({
+            payload: { name: "Blocked Org" },
+          }),
+        );
+
+        assert.isTrue(Exit.isFailure(exit));
+        assert.deepEqual(state.workos.createdOrganizations, []);
+        assert.deepEqual(state.workos.createdMemberships, []);
+        assert.deepEqual(state.userStore.upsertedOrganizations, []);
+      }).pipe(Effect.provide(CloudAuthApiTestContextLayer(state)));
+    },
+  );
+
+  it.effect("does not count pending memberships toward the free organization limit", () => {
+    const state = makeCloudAuthApiTestState({
+      workos: makeWorkOSTestState({
+        memberships: [
+          makeWorkOSTestMembership("org_free_1", "active"),
+          makeWorkOSTestMembership("org_free_2", "active"),
+          makeWorkOSTestMembership("org_invited", "pending"),
+        ],
+      }),
+    });
+
+    return Effect.gen(function* () {
+      const { client } = yield* CloudAuthApiTestContext;
+
+      const result = yield* client.cloudAuth.createOrganization({
+        payload: { name: "Below Active Limit" },
+      });
+
+      assert.deepEqual(result, { id: "org_created", name: "Below Active Limit" });
+      assert.deepEqual(state.workos.createdOrganizations, [
+        { id: "org_created", name: "Below Active Limit" },
+      ]);
+    }).pipe(Effect.provide(CloudAuthApiTestContextLayer(state)));
+  });
+});

apps/cloud/src/auth/handlers.ts

@@ -1,6 +1,6 @@
 import { HttpApi, HttpApiBuilder } from "effect/unstable/httpapi";
 import { HttpServerResponse } from "effect/unstable/http";
-import { Duration, Effect } from "effect";
+import { Duration, Effect, Predicate } from "effect";
 import { setCookie, deleteCookie } from "@tanstack/react-start/server";
 
 import { AUTH_PATHS, CloudAuthApi, CloudAuthPublicApi } from "./api";
@@ -12,6 +12,12 @@ import { ApiKeyManagementError } from "./api-key-errors";
 import { WorkOSError } from "./errors";
 import { WorkOSAuth } from "./workos";
 import { ApiKeyService } from "./api-keys";
+import { AutumnService } from "../services/autumn";
+import {
+  hasPaidOrganizationSubscription,
+  isOverFreeOrganizationLimit,
+  shouldApplyFreeOrganizationLimit,
+} from "./organization-limits";
 
 const COOKIE_OPTIONS = {
   path: "/",
@@ -49,7 +55,6 @@ const DELETE_COOKIE_OPTIONS = {
   secure: true,
 };
 
-const MAX_ORGANIZATIONS_PER_USER = 3;
 const MAX_API_KEY_NAME_LENGTH = 80;
 
 const randomState = (): string => {
@@ -232,9 +237,7 @@ export const CloudSessionAuthHandlers = HttpApiBuilder.group(
           );
 
           return {
-            organizations: organizations.filter(
-              (org): org is NonNullable<typeof org> => org !== null,
-            ),
+            organizations: organizations.filter(Predicate.isNotNull),
             activeOrganizationId: session.organizationId,
           };
         }),
@@ -258,11 +261,38 @@ export const CloudSessionAuthHandlers = HttpApiBuilder.group(
           const workos = yield* WorkOSAuth;
           const users = yield* UserStoreService;
           const session = yield* SessionContext;
+          const autumn = yield* AutumnService;
 
           const name = payload.name.trim();
           const memberships = yield* workos.listUserMemberships(session.accountId);
-          if (memberships.data.length >= MAX_ORGANIZATIONS_PER_USER) {
-            return yield* new WorkOSError();
+          const activeMemberships = memberships.data.filter(
+            (membership) => membership.status === "active",
+          );
+
+          if (isOverFreeOrganizationLimit(activeMemberships)) {
+            const paidOrganizationIds = yield* Effect.all(
+              activeMemberships.map((membership) =>
+                autumn
+                  .use((client) =>
+                    client.customers.getOrCreate({ customerId: membership.organizationId }),
+                  )
+                  .pipe(
+                    Effect.map((customer) =>
+                      hasPaidOrganizationSubscription(customer.subscriptions)
+                        ? membership.organizationId
+                        : null,
+                    ),
+                  ),
+              ),
+              { concurrency: 3 },
+            ).pipe(
+              Effect.catchTag("AutumnError", () => Effect.fail(new WorkOSError())),
+              Effect.map((ids) => new Set(ids.filter(Predicate.isNotNull))),
+            );
+
+            if (shouldApplyFreeOrganizationLimit(activeMemberships, paidOrganizationIds)) {
+              return yield* new WorkOSError();
+            }
           }
 
           const org = yield* workos.createOrganization(name);
@@ -342,7 +372,7 @@ export const CloudSessionAuthHandlers = HttpApiBuilder.group(
           );
 
           return {
-            invitations: enriched.filter((i): i is NonNullable<typeof i> => i !== null),
+            invitations: enriched.filter(Predicate.isNotNull),
           };
         }),
       )

apps/cloud/src/auth/organization-limits.node.test.ts

@@ -0,0 +1,51 @@
+import { describe, expect, it } from "@effect/vitest";
+
+import {
+  FREE_ORGANIZATIONS_PER_USER_LIMIT,
+  hasPaidOrganizationSubscription,
+  isOverFreeOrganizationLimit,
+  shouldApplyFreeOrganizationLimit,
+} from "./organization-limits";
+
+describe("organization limits", () => {
+  it("treats active and trialing paid org subscriptions as paid", () => {
+    expect(hasPaidOrganizationSubscription([{ planId: "team", status: "active" }])).toBe(true);
+    expect(hasPaidOrganizationSubscription([{ planId: "team", status: "trialing" }])).toBe(true);
+  });
+
+  it("does not treat inactive paid plans or free plans as paid", () => {
+    expect(hasPaidOrganizationSubscription([{ planId: "team", status: "canceled" }])).toBe(false);
+    expect(hasPaidOrganizationSubscription([{ planId: "free", status: "active" }])).toBe(false);
+    expect(hasPaidOrganizationSubscription([{ planId: null, status: "active" }])).toBe(false);
+  });
+
+  it("applies the free org limit only when none of the user's active orgs are paid", () => {
+    const activeMemberships = [
+      { organizationId: "org_free_1", status: "active" },
+      { organizationId: "org_paid", status: "active" },
+    ];
+
+    expect(shouldApplyFreeOrganizationLimit(activeMemberships, new Set())).toBe(true);
+    expect(shouldApplyFreeOrganizationLimit(activeMemberships, new Set(["org_paid"]))).toBe(false);
+  });
+
+  it("caps free-only users at active org memberships, not pending invitations", () => {
+    expect(
+      isOverFreeOrganizationLimit(
+        Array.from({ length: FREE_ORGANIZATIONS_PER_USER_LIMIT - 1 }, (_, index) => ({
+          organizationId: `org_${index}`,
+          status: "active",
+        })),
+      ),
+    ).toBe(false);
+
+    expect(
+      isOverFreeOrganizationLimit(
+        Array.from({ length: FREE_ORGANIZATIONS_PER_USER_LIMIT }, (_, index) => ({
+          organizationId: `org_${index}`,
+          status: "active",
+        })),
+      ),
+    ).toBe(true);
+  });
+});

apps/cloud/src/auth/organization-limits.ts

@@ -0,0 +1,37 @@
+import {
+  ACTIVE_AUTUMN_SUBSCRIPTION_STATUSES,
+  PAID_AUTUMN_PLAN_IDS,
+} from "../services/autumn-plans";
+
+export const FREE_ORGANIZATIONS_PER_USER_LIMIT = 3;
+
+export type OrganizationLimitSubscriptionSummary = {
+  readonly planId?: string | null;
+  readonly status?: string | null;
+};
+
+export type OrganizationLimitMembershipSummary = {
+  readonly organizationId: string;
+  readonly status?: string | null;
+};
+
+export const isPaidOrganizationSubscription = (
+  subscription: OrganizationLimitSubscriptionSummary,
+): boolean =>
+  subscription.planId != null &&
+  PAID_AUTUMN_PLAN_IDS.has(subscription.planId) &&
+  ACTIVE_AUTUMN_SUBSCRIPTION_STATUSES.has(subscription.status ?? "");
+
+export const hasPaidOrganizationSubscription = (
+  subscriptions: ReadonlyArray<OrganizationLimitSubscriptionSummary>,
+): boolean => subscriptions.some(isPaidOrganizationSubscription);
+
+export const shouldApplyFreeOrganizationLimit = (
+  activeMemberships: ReadonlyArray<OrganizationLimitMembershipSummary>,
+  paidOrganizationIds: ReadonlySet<string>,
+): boolean =>
+  !activeMemberships.some((membership) => paidOrganizationIds.has(membership.organizationId));
+
+export const isOverFreeOrganizationLimit = (
+  activeMemberships: ReadonlyArray<OrganizationLimitMembershipSummary>,
+): boolean => activeMemberships.length >= FREE_ORGANIZATIONS_PER_USER_LIMIT;

apps/cloud/src/org/member-limits.ts

@@ -1,3 +1,5 @@
+import { ACTIVE_AUTUMN_SUBSCRIPTION_STATUSES } from "../services/autumn-plans";
+
 const MEMBER_LIMITS: Record<string, number | null> = {
   free: 3,
   "free-pay-as-you-go": 3,
@@ -16,7 +18,7 @@ export const selectActiveMemberLimitPlan = (
 ): string => {
   const active =
     subscriptions.find((subscription) =>
-      ["active", "trialing"].includes(subscription.status ?? ""),
+      ACTIVE_AUTUMN_SUBSCRIPTION_STATUSES.has(subscription.status ?? ""),
     ) ?? subscriptions[0];
   return active?.planId ?? "free";
 };

apps/cloud/src/services/autumn-plans.ts

@@ -0,0 +1,5 @@
+import { team } from "../../autumn.config";
+
+export const PAID_AUTUMN_PLAN_IDS = new Set([team.id]);
+
+export const ACTIVE_AUTUMN_SUBSCRIPTION_STATUSES = new Set(["active", "trialing"]);

apps/cloud/src/services/mcp-worker-transport.ts

@@ -1,6 +1,6 @@
 import { WorkerTransport, type WorkerTransportOptions } from "agents/mcp";
 import type { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
-import { Data, Effect, Exit, Match, Option } from "effect";
+import { Data, Effect, Exit, Match, Option, Predicate } from "effect";
 
 export class McpWorkerTransportError extends Data.TaggedError("McpWorkerTransportError")<{
   readonly cause: unknown;
@@ -100,7 +100,7 @@ export class JsonRpcRequestIdQueue {
     const ids = [...new Set(await extractJsonRpcRequestIdKeys(request))];
     if (ids.length === 0) return await run();
 
-    const previous = ids.map((id) => this.inFlight.get(id)).filter((p) => p !== undefined);
+    const previous = ids.map((id) => this.inFlight.get(id)).filter(Predicate.isNotUndefined);
     let release!: () => void;
     const current = new Promise<void>((resolve) => {
       release = resolve;

packages/core/execution/src/tool-invoker.ts

@@ -404,7 +404,7 @@ export const searchTools = Effect.fn("executor.tools.search")(function* (
   const ranked = all
     .filter((tool: Tool) => matchesNamespace(tool, options?.namespace))
     .map((tool: Tool) => scoreToolMatch(tool, query))
-    .filter((tool): tool is ToolDiscoveryResult => tool !== null)
+    .filter(Predicate.isNotNull)
     .sort((left, right) => right.score - left.score || left.path.localeCompare(right.path));
 
   const page = paginate(ranked, offset, limit);

packages/core/sdk/src/oxlint-plugin-executor.test.ts

@@ -139,4 +139,46 @@ describe("executor oxlint plugin", () => {
     expect(result.stdout).toContain("Found 0 warnings and 0 errors.");
     expect(result.stderr).toBe("");
   });
+
+  it("rejects hand-rolled null predicates in Effect files", async () => {
+    const result = await runOxlintOn(
+      "manual-null-predicate.ts",
+      `
+        import { Effect } from "effect";
+
+        const isNonNull = <A>(value: A | null): value is A => value !== null;
+
+        export const values = [Effect.void, null].filter(isNonNull);
+      `,
+    );
+
+    expect(result.status).toBe(1);
+    expect(result.stdout).toContain("executor(prefer-effect-predicate)");
+  });
+
+  it("rejects inline nullish filter predicates in Effect files", async () => {
+    const result = await runOxlintOn(
+      "inline-nullish-filter.ts",
+      `
+        import { Predicate } from "effect";
+
+        export const values = ["ok", null].filter((value): value is string => value !== null);
+      `,
+    );
+
+    expect(result.status).toBe(1);
+    expect(result.stdout).toContain("executor(prefer-effect-predicate)");
+  });
+
+  it("allows null filters in files that do not import Effect", async () => {
+    const result = await runOxlintOn(
+      "plain-null-filter.ts",
+      `
+        export const values = ["ok", null].filter((value): value is string => value !== null);
+      `,
+    );
+
+    expect(result.status).toBe(0);
+    expect(result.stdout).toContain("Found 0 warnings and 0 errors.");
+  });
 });