feat(sso): implement organization-level OIDC configuration (#2736)

* feat(sso): implement organization-level OIDC configuration and enforcement

- Add database migration and storage layer for org SSO config and sessions
- Implement OIDC authorization code flow with PKCE in org-sso routes
- Add API endpoints for OIDC flow, config management, and status checks
- Create frontend SSO settings page for org admins with config form
- Add React Query hooks for SSO state management
- Integrate SSO enforcement in shell-layout to block access without valid session
- Add SsoRequiredScreen component to guide users through SSO login
- Update storage types and context factory to include new storage classes
- Update test mocks with new storage fields

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

* fix(sso): fix hooks ordering violation and org membership authorization

Move useOrgSsoStatus above conditional early returns in ShellLayoutContent
to comply with React Rules of Hooks. Replace query-string orgId with
ctx.organization?.id in /status and /authorize endpoints to prevent
unauthorized users from probing SSO config of arbitrary organizations.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(sso): mount routes after context middleware and fix redirect path

- Move org-sso route mount after meshContext injection middleware to
  ensure context is available when handlers execute
- Fix post-SSO redirect to use org root instead of removed org-admin path
- Remove debug logging from SSO enforcement middleware

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(sso): add SSRF protection for OIDC discovery and token endpoints

Validate all outbound URLs in the OIDC flow against SSRF attacks:
- Enforce HTTPS in production
- Block private/link-local IP ranges (169.254.x.x, 10.x.x.x, etc.)
- Validate discovery document endpoints (token, jwks, authorization)
- Allow HTTP + loopback in development for local OIDC providers

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(sso): block localhost in SSRF validation for production

Add localhost hostname pattern to privatePatterns so it is blocked
in production. The dev-mode loopback allowance already handles it
for local testing.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

Author: viktormarinho

apps/mesh/migrations/051-org-sso.ts

@@ -0,0 +1,72 @@
+import { type Kysely, sql } from "kysely";
+
+export async function up(db: Kysely<unknown>): Promise<void> {
+  // SSO provider configuration per organization
+  await db.schema
+    .createTable("org_sso_config")
+    .addColumn("id", "text", (col) => col.primaryKey())
+    .addColumn("organization_id", "text", (col) =>
+      col.notNull().references("organization.id").onDelete("cascade"),
+    )
+    .addColumn("issuer", "text", (col) => col.notNull())
+    .addColumn("client_id", "text", (col) => col.notNull())
+    .addColumn("client_secret", "text", (col) => col.notNull()) // encrypted
+    .addColumn("discovery_endpoint", "text")
+    .addColumn("scopes", "text", (col) =>
+      col.notNull().defaultTo('["openid","email","profile"]'),
+    )
+    .addColumn("domain", "text", (col) => col.notNull())
+    .addColumn("enforced", "integer", (col) => col.notNull().defaultTo(0))
+    .addColumn("created_at", "text", (col) =>
+      col.notNull().defaultTo(sql`CURRENT_TIMESTAMP`),
+    )
+    .addColumn("updated_at", "text", (col) =>
+      col.notNull().defaultTo(sql`CURRENT_TIMESTAMP`),
+    )
+    .execute();
+
+  // One SSO config per organization
+  await db.schema
+    .createIndex("idx_org_sso_config_org_id")
+    .unique()
+    .on("org_sso_config")
+    .column("organization_id")
+    .execute();
+
+  // Lookup by email domain
+  await db.schema
+    .createIndex("idx_org_sso_config_domain")
+    .on("org_sso_config")
+    .column("domain")
+    .execute();
+
+  // Tracks per-user SSO authentication per organization
+  await db.schema
+    .createTable("org_sso_sessions")
+    .addColumn("id", "text", (col) => col.primaryKey())
+    .addColumn("user_id", "text", (col) =>
+      col.notNull().references("user.id").onDelete("cascade"),
+    )
+    .addColumn("organization_id", "text", (col) =>
+      col.notNull().references("organization.id").onDelete("cascade"),
+    )
+    .addColumn("authenticated_at", "text", (col) => col.notNull())
+    .addColumn("expires_at", "text", (col) => col.notNull())
+    .addColumn("created_at", "text", (col) =>
+      col.notNull().defaultTo(sql`CURRENT_TIMESTAMP`),
+    )
+    .execute();
+
+  // One active session per user per org
+  await db.schema
+    .createIndex("idx_org_sso_sessions_user_org")
+    .unique()
+    .on("org_sso_sessions")
+    .columns(["user_id", "organization_id"])
+    .execute();
+}
+
+export async function down(db: Kysely<unknown>): Promise<void> {
+  await db.schema.dropTable("org_sso_sessions").execute();
+  await db.schema.dropTable("org_sso_config").execute();
+}

apps/mesh/migrations/index.ts

@@ -49,6 +49,7 @@ import * as migration047addnextrunat from "./047-add-next-run-at.ts";
 import * as migration048mergeprojectsagents from "./048-merge-projects-agents.ts";
 import * as migration049removeorgadminprojects from "./049-remove-org-admin-projects.ts";
 import * as migration050durableagentruns from "./050-durable-agent-runs.ts";
+import * as migration051orgsso from "./051-org-sso.ts";
 
 /**
  * Core migrations for the Mesh application.
@@ -112,6 +113,7 @@ const migrations: Record<string, Migration> = {
   "048-merge-projects-agents": migration048mergeprojectsagents,
   "049-remove-org-admin-projects": migration049removeorgadminprojects,
   "050-durable-agent-runs": migration050durableagentruns,
+  "051-org-sso": migration051orgsso,
 };
 
 export default migrations;

apps/mesh/src/api/app.ts

@@ -31,6 +31,7 @@ import {
   tracingMiddleware,
 } from "../observability";
 import authRoutes from "./routes/auth";
+import orgSsoRoutes from "./routes/org-sso";
 import { createDecopilotRoutes } from "./routes/decopilot";
 import downstreamTokenRoutes from "./routes/downstream-token";
 import decoSitesRoutes from "./routes/deco-sites";
@@ -988,6 +989,53 @@ export async function createApp(options: CreateAppOptions = {}) {
     return next();
   });
 
+  // ============================================================================
+  // Server-side SSO Enforcement Middleware
+  // ============================================================================
+  // When an org has SSO enforcement enabled, block API requests from users
+  // who haven't completed the SSO flow. Exempt paths: SSO routes themselves,
+  // auth routes, and non-org-scoped endpoints.
+  app.use("*", async (c, next) => {
+    const path = c.req.path;
+    // Skip SSO enforcement for SSO routes, auth routes, and public endpoints
+    if (
+      path.startsWith("/api/org-sso/") ||
+      path.startsWith("/api/auth/") ||
+      path.startsWith("/api/tools/management") ||
+      path.startsWith("/oauth-proxy/")
+    ) {
+      return next();
+    }
+
+    const ctx = c.get("meshContext") as MeshContext | undefined;
+    if (!ctx?.organization?.id || !ctx?.auth?.user?.id) {
+      return next();
+    }
+
+    const ssoConfig = await ctx.storage.orgSsoConfig.getByOrgId(
+      ctx.organization.id,
+    );
+    if (!ssoConfig?.enforced) {
+      return next();
+    }
+
+    const hasValidSession = await ctx.storage.orgSsoSessions.isValid(
+      ctx.auth.user.id,
+      ctx.organization.id,
+    );
+    if (!hasValidSession) {
+      return c.json(
+        { error: "SSO authentication required for this organization" },
+        403,
+      );
+    }
+
+    return next();
+  });
+
+  // Organization-level SSO routes (must be after context middleware)
+  app.route("/api/org-sso", orgSsoRoutes);
+
   // Get all management tools (for OAuth consent UI)
   app.get("/api/tools/management", (c) => {
     return c.json({