refactor(web): add authenticatedPage HOC, remove SINGLE_TENANT_ORG_ID from settings pages

Introduces `authenticatedPage` HOC in `middleware/authenticatedPage.tsx`
for server component pages. It resolves the auth context (user, org,
role, prisma) and optionally gates by role, replacing the manual
org-lookup-and-role-check boilerplate in settings pages.

Migrates all settings pages to use authenticatedPage, removing direct
references to SINGLE_TENANT_ORG_ID from within the (app) route group.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: brendan-kellam

packages/web/src/app/(app)/CLAUDE.md

@@ -0,0 +1,25 @@
+# (app) Route Group
+
+## Auth in pages
+
+Use `authenticatedPage` from `@/middleware/authenticatedPage` for all pages in this directory. Do NOT use `SINGLE_TENANT_ORG_ID` or direct `prisma` imports from `@/prisma` to look up the org — use the `org` and `prisma` provided by the auth context instead.
+
+```tsx
+import { authenticatedPage } from "@/middleware/authenticatedPage";
+
+export default authenticatedPage(async ({ org, role, prisma }, props) => {
+    // ...
+});
+```
+
+Options:
+- `{ minRole: OrgRole.OWNER, redirectTo: '/settings' }` — gate by role
+- `{ allowAnonymous: true }` — allow unauthenticated access (user may be undefined)
+
+## Layout
+
+The `layout.tsx` in this directory handles authentication, org membership, onboarding, and SSO account linking. Pages do not need to re-check these. See `README.md` for the full guard pipeline.
+
+## Adding new routes
+
+New pages automatically inherit the layout's auth/membership guard. Use `authenticatedPage` if the page needs the auth context (org, user, role, prisma) or role-based gating.

packages/web/src/app/(app)/README.md

@@ -0,0 +1,52 @@
+# (app) Route Group
+
+This is a Next.js [route group](https://nextjs.org/docs/app/building-your-application/routing/route-groups). The parenthesized folder name does not affect the URL structure. Routes here are served at the root (e.g., `/search`, `/chat`, `/settings`).
+
+## Why this route group exists
+
+Routes outside `(app)/` (like `/login`, `/signup`, `/invite`, `/onboard`) are accessible without authentication. Routes inside `(app)/` go through the layout's auth and membership guards before rendering.
+
+## What the layout does
+
+The `layout.tsx` acts as a gate and app shell. It runs the following checks in order, short-circuiting if any condition is met:
+
+1. **Org existence** - Looks up the single-tenant org by `SINGLE_TENANT_ORG_ID`. Returns 404 if missing.
+2. **Authentication** - If the user is not logged in and anonymous access is not enabled, redirects to `/login` (or renders GCP IAP auth if configured).
+3. **Membership** - If the user is logged in but not a member of the org, renders one of:
+   - `JoinOrganizationCard` if the org does not require approval
+   - `SubmitJoinRequest` / `PendingApprovalCard` if the org requires approval
+4. **Onboarding** - If the org has not completed onboarding, wraps children in `OnboardGuard`.
+5. **SSO account linking** - If required SSO providers are not linked, renders `ConnectAccountsCard`.
+6. **Mobile splash screen** - Shows an unsupported screen on mobile devices (dismissible via cookie).
+
+After all guards pass, the layout wraps children with shared UI: `SyntaxGuideProvider`, `PermissionSyncBanner`, `GitHubStarToast`, and `UpgradeToast`.
+
+## What the layout does NOT do
+
+- **Role-based access control** - The layout does not check `OWNER` vs `MEMBER`. Pages that require a specific role should use `authenticatedPage` with the `minRole` option.
+- **Guarantee a user exists** - When anonymous access is enabled, the user may be undefined.
+
+## Writing pages in (app)
+
+Use the `authenticatedPage` HOC from `@/middleware/authenticatedPage`. It resolves the auth context (`user`, `org`, `role`, `prisma`) and handles redirects on auth failure. This avoids manual org lookups with `SINGLE_TENANT_ORG_ID` — pages inside `(app)/` should not reference that constant directly.
+
+```tsx
+import { authenticatedPage } from "@/middleware/authenticatedPage";
+
+// Basic authenticated page
+export default authenticatedPage(async ({ prisma }) => {
+    const data = await prisma.repo.findMany();
+    return <MyPage data={data} />;
+});
+
+// Owner-only page
+export default authenticatedPage(async ({ org }) => {
+    return <AdminPage orgName={org.name} />;
+}, { minRole: OrgRole.OWNER, redirectTo: '/settings' });
+
+// Page that allows anonymous access
+export default authenticatedPage(async ({ user, prisma }) => {
+    // user may be undefined
+    return <PublicPage />;
+}, { allowAnonymous: true });
+```

packages/web/src/app/(app)/settings/access/page.tsx

@@ -1,32 +1,8 @@
-import { SINGLE_TENANT_ORG_ID } from "@/lib/constants";
-import { prisma } from "@/prisma";
 import { OrganizationAccessSettings } from "@/app/components/organizationAccessSettings";
-import { isServiceError } from "@/lib/utils";
-import { ServiceErrorException } from "@/lib/serviceError";
-import { getMe } from "@/actions";
+import { authenticatedPage } from "@/middleware/authenticatedPage";
 import { OrgRole } from "@sourcebot/db";
-import { redirect } from "next/navigation";
-
-export default async function AccessPage() {
-    const org = await prisma.org.findUnique({ where: { id: SINGLE_TENANT_ORG_ID } });
-    if (!org) {
-        throw new Error("Organization not found");
-    }
-
-    const me = await getMe();
-    if (isServiceError(me)) {
-        throw new ServiceErrorException(me);
-    }
-
-    const userRoleInOrg = me.memberships.find((membership) => membership.id === org.id)?.role;
-    if (!userRoleInOrg) {
-        throw new Error("User role not found");
-    }
-
-    if (userRoleInOrg !== OrgRole.OWNER) {
-        redirect('/settings');
-    }
 
+export default authenticatedPage(async () => {
     return (
         <div className="flex flex-col gap-6">
             <div>
@@ -46,4 +22,7 @@ export default async function AccessPage() {
             <OrganizationAccessSettings />
         </div>
     )
-}
+}, {
+    minRole: OrgRole.OWNER,
+    redirectTo: '/settings',
+});

packages/web/src/app/(app)/settings/analytics/page.tsx

@@ -1,39 +1,15 @@
-import { getMe } from "@/actions";
-import { SINGLE_TENANT_ORG_ID } from "@/lib/constants";
-import { prisma } from "@/prisma";
 import { AnalyticsContent } from "@/ee/features/analytics/analyticsContent";
 import { AnalyticsEntitlementMessage } from "@/ee/features/analytics/analyticsEntitlementMessage";
-import { ServiceErrorException } from "@/lib/serviceError";
-import { isServiceError } from "@/lib/utils";
+import { authenticatedPage } from "@/middleware/authenticatedPage";
 import { OrgRole } from "@sourcebot/db";
 import { hasEntitlement } from "@sourcebot/shared";
-import { redirect } from "next/navigation";
 
-export default async function AnalyticsPage() {
-    const org = await prisma.org.findUnique({ where: { id: SINGLE_TENANT_ORG_ID } });
-    if (!org) {
-        throw new Error("Organization not found");
-    }
-
-    const me = await getMe();
-    if (isServiceError(me)) {
-        throw new ServiceErrorException(me);
-    }
+export default authenticatedPage(async () => {
+    const hasAnalyticsEntitlement = hasEntitlement("analytics");
 
-    const userRoleInOrg = me.memberships.find((membership) => membership.id === org.id)?.role;
-    if (!userRoleInOrg) {
-        throw new Error("User role not found");
+    if (!hasAnalyticsEntitlement) {
+        return <AnalyticsEntitlementMessage />;
     }
 
-    if (userRoleInOrg !== OrgRole.OWNER) {
-        redirect('/settings');
-    }
-
-  const hasAnalyticsEntitlement = hasEntitlement("analytics");
-
-  if (!hasAnalyticsEntitlement) {
-    return <AnalyticsEntitlementMessage />;
-  }
-
-  return <AnalyticsContent />;
-}
+    return <AnalyticsContent />;
+}, { minRole: OrgRole.OWNER, redirectTo: '/settings' });

packages/web/src/app/(app)/settings/apiKeys/layout.tsx

@@ -1,31 +1,12 @@
-import { getMe } from "@/actions";
-import { ServiceErrorException } from "@/lib/serviceError";
 import { notFound } from "next/navigation";
-import { isServiceError } from "@/lib/utils";
 import { OrgRole } from "@sourcebot/db";
-import { SINGLE_TENANT_ORG_ID } from "@/lib/constants";
-import { prisma } from "@/prisma";
 import { env } from "@sourcebot/shared";
+import { authenticatedPage } from "@/middleware/authenticatedPage";
 
-export default async function ApiKeysLayout({ children }: { children: React.ReactNode }) {
-    const org = await prisma.org.findUnique({ where: { id: SINGLE_TENANT_ORG_ID } });
-    if (!org) {
-        throw new Error("Organization not found");
-    }
-
-    const me = await getMe();
-    if (isServiceError(me)) {
-        throw new ServiceErrorException(me);
-    }
-
-    const userRoleInOrg = me.memberships.find((membership) => membership.id === org.id)?.role;
-    if (!userRoleInOrg) {
-        throw new Error("User role not found");
-    }
-
-    if (env.DISABLE_API_KEY_USAGE_FOR_NON_OWNER_USERS === 'true' && userRoleInOrg !== OrgRole.OWNER) {
+export default authenticatedPage<{ children: React.ReactNode }>(async ({ role }, { children }) => {
+    if (env.DISABLE_API_KEY_USAGE_FOR_NON_OWNER_USERS === 'true' && role !== OrgRole.OWNER) {
         return notFound();
     }
 
-    return children;
-}
+    return <>{children}</>;
+});

packages/web/src/app/(app)/settings/apiKeys/page.tsx

@@ -1,20 +1,13 @@
-import { getMe } from "@/actions";
-import { isServiceError } from "@/lib/utils";
 import { env } from "@sourcebot/shared";
 import { OrgRole } from "@sourcebot/db";
-import { SINGLE_TENANT_ORG_ID } from "@/lib/constants";
-import { prisma } from "@/prisma";
 import { ApiKeysPage } from "./apiKeysPage";
+import { authenticatedPage } from "@/middleware/authenticatedPage";
 
-export default async function Page() {
+export default authenticatedPage(async ({ role }) => {
     let canCreateApiKey = true;
     if (env.DISABLE_API_KEY_CREATION_FOR_NON_OWNER_USERS === 'true') {
-        const [org, me] = await Promise.all([prisma.org.findUnique({ where: { id: SINGLE_TENANT_ORG_ID } }), getMe()]);
-        if (org && !isServiceError(me)) {
-            const role = me.memberships.find((m) => m.id === org.id)?.role;
-            canCreateApiKey = role === OrgRole.OWNER;
-        }
+        canCreateApiKey = role === OrgRole.OWNER;
     }
 
     return <ApiKeysPage canCreateApiKey={canCreateApiKey} />;
-}
+});

packages/web/src/app/(app)/settings/connections/layout.tsx

@@ -1,35 +1,6 @@
-import { getMe } from "@/actions";
-import { SINGLE_TENANT_ORG_ID } from "@/lib/constants";
-import { prisma } from "@/prisma";
-import { ServiceErrorException } from "@/lib/serviceError";
-import { notFound } from "next/navigation";
-import { isServiceError } from "@/lib/utils";
+import { authenticatedPage } from "@/middleware/authenticatedPage";
 import { OrgRole } from "@sourcebot/db";
 
-
-interface ConnectionsLayoutProps {
-    children: React.ReactNode;
-}
-
-export default async function ConnectionsLayout({ children }: ConnectionsLayoutProps) {
-    const org = await prisma.org.findUnique({ where: { id: SINGLE_TENANT_ORG_ID } });
-    if (!org) {
-        throw new Error("Organization not found");
-    }
-
-    const me = await getMe();
-    if (isServiceError(me)) {
-        throw new ServiceErrorException(me);
-    }
-
-    const userRoleInOrg = me.memberships.find((membership) => membership.id === org.id)?.role;
-    if (!userRoleInOrg) {
-        throw new Error("User role not found");
-    }
-
-    if (userRoleInOrg !== OrgRole.OWNER) {
-        return notFound();
-    }
-
-    return children;
-}
+export default authenticatedPage<{ children: React.ReactNode }>(async (_auth, { children }) => {
+    return <>{children}</>;
+}, { minRole: OrgRole.OWNER, redirectTo: '/settings' });

packages/web/src/app/(app)/settings/license/page.tsx

@@ -1,34 +1,13 @@
 import { getLicenseKey, getEntitlements, getPlan, SOURCEBOT_UNLIMITED_SEATS } from "@sourcebot/shared";
 import { Button } from "@/components/ui/button";
 import { Info, Mail } from "lucide-react";
-import { getMe, getOrgMembers } from "@/actions";
+import { getOrgMembers } from "@/actions";
 import { isServiceError } from "@/lib/utils";
 import { ServiceErrorException } from "@/lib/serviceError";
-import { SINGLE_TENANT_ORG_ID } from "@/lib/constants";
-import { prisma } from "@/prisma";
+import { authenticatedPage } from "@/middleware/authenticatedPage";
 import { OrgRole } from "@sourcebot/db";
-import { redirect } from "next/navigation";
-
-export default async function LicensePage() {
-    const org = await prisma.org.findUnique({ where: { id: SINGLE_TENANT_ORG_ID } });
-    if (!org) {
-        throw new Error("Organization not found");
-    }
-
-    const me = await getMe();
-    if (isServiceError(me)) {
-        throw new ServiceErrorException(me);
-    }
-
-    const userRoleInOrg = me.memberships.find((membership) => membership.id === org.id)?.role;
-    if (!userRoleInOrg) {
-        throw new Error("User role not found");
-    }
-
-    if (userRoleInOrg !== OrgRole.OWNER) {
-        redirect('/settings');
-    }
 
+export default authenticatedPage(async () => {
     const licenseKey = getLicenseKey();
     const entitlements = getEntitlements();
     const plan = getPlan();
@@ -136,4 +115,4 @@ export default async function LicensePage() {
             </div>
         </div>
     )
-}
+}, { minRole: OrgRole.OWNER, redirectTo: '/settings' });