chore(web): add ESLint rule require-auth-wrapper (#1199)

* chore(web): add ESLint rule require-auth-wrapper

Adds an authz/require-auth-wrapper rule that flags exported route handlers
and server actions whose body doesn't textually reference withAuth() or
withOptionalAuth(). The check is boundary-only by design — false positives
are allowlisted with a // eslint-disable-next-line comment plus a reason.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* chore: update CHANGELOG for #1199

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Move changelog entry

Removed mention of the `authz/require-auth-wrapper` ESLint rule from the changelog.

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: brendan-kellam

packages/web/eslint.config.mjs

@@ -1,11 +1,20 @@
 import nextCoreWebVitals from 'eslint-config-next/core-web-vitals';
 import tseslint from 'typescript-eslint';
 import tanstackQuery from '@tanstack/eslint-plugin-query';
+import authzLocal from './tools/eslint-plugin-local/index.mjs';
 
 const config = [
     ...nextCoreWebVitals,
     ...tseslint.configs.recommended,
     ...tanstackQuery.configs['flat/recommended'],
+    {
+        plugins: {
+            authz: authzLocal,
+        },
+        rules: {
+            'authz/require-auth-wrapper': 'error',
+        },
+    },
     {
         rules: {
             // New react-hooks v7 rules disabled as too strict for this codebase's existing patterns.

packages/web/src/actions.ts

@@ -817,6 +817,7 @@ export const getOrgAccountRequests = async () => sew(() =>
         }));
     }));
 
+// eslint-disable-next-line authz/require-auth-wrapper -- calls getAuthenticatedUser() directly; runs pre-org-membership so cannot use withAuth
 export const createAccountRequest = async () => sew(async () => {
     const authResult = await getAuthenticatedUser();
     if (!authResult) {
@@ -920,6 +921,7 @@ export const createAccountRequest = async () => sew(async () => {
     }
 });
 
+// eslint-disable-next-line authz/require-auth-wrapper -- public org-config bit consulted on login/signup screens before any session exists
 export const getMemberApprovalRequired = async (): Promise<boolean | ServiceError> => sew(async () => {
     const org = await __unsafePrisma.org.findUnique({
         where: {
@@ -1181,6 +1183,7 @@ export const getRepoImage = async (repoId: number): Promise<ArrayBuffer | Servic
     })
 });
 
+// eslint-disable-next-line authz/require-auth-wrapper -- public org-config bit consulted before authentication to decide whether to gate the UI
 export const getAnonymousAccessStatus = async (): Promise<boolean | ServiceError> => sew(async () => {
     const org = await __unsafePrisma.org.findUnique({
         where: { id: SINGLE_TENANT_ORG_ID },
@@ -1244,6 +1247,7 @@ export const setAnonymousAccessStatus = async (enabled: boolean): Promise<Servic
     });
 });
 
+// eslint-disable-next-line authz/require-auth-wrapper -- UI-only preference cookie, no DB access
 export const setAgenticSearchTutorialDismissedCookie = async (dismissed: boolean) => sew(async () => {
     const cookieStore = await cookies();
     cookieStore.set(AGENTIC_SEARCH_TUTORIAL_DISMISSED_COOKIE_NAME, dismissed ? "true" : "false", {
@@ -1253,6 +1257,7 @@ export const setAgenticSearchTutorialDismissedCookie = async (dismissed: boolean
     return true;
 });
 
+// eslint-disable-next-line authz/require-auth-wrapper -- UI-only preference cookie, no DB access
 export const dismissMobileUnsupportedSplashScreen = async () => sew(async () => {
     const cookieStore = await cookies();
     cookieStore.set(MOBILE_UNSUPPORTED_SPLASH_SCREEN_DISMISSED_COOKIE_NAME, 'true');

packages/web/src/app/api/(server)/[...slug]/route.ts

@@ -10,4 +10,5 @@ const handler = () => {
     });
 }
 
+// eslint-disable-next-line authz/require-auth-wrapper -- 404 catch-all for unknown API endpoints, returns no user data
 export { handler as GET, handler as POST, handler as PUT, handler as PATCH, handler as DELETE }

packages/web/src/app/api/(server)/auth/[...nextauth]/route.ts

@@ -1,2 +1,3 @@
 import { handlers } from "@/auth";
+// eslint-disable-next-line authz/require-auth-wrapper -- NextAuth's own auth-flow handlers, not user-data endpoints
 export const { GET, POST } = handlers;

packages/web/src/app/api/(server)/blame/route.ts

@@ -7,6 +7,7 @@ import { queryParamsSchemaValidationError, serviceErrorResponse } from "@/lib/se
 import { isServiceError } from "@/lib/utils";
 import { NextRequest } from "next/server";
 
+// eslint-disable-next-line authz/require-auth-wrapper -- delegates to getFileBlame() which calls withOptionalAuth
 export const GET = apiHandler(async (request: NextRequest) => {
     const rawParams = Object.fromEntries(
         Object.keys(fileBlameRequestSchema.shape).map(key => [

packages/web/src/app/api/(server)/chat/blocking/route.ts

@@ -37,6 +37,7 @@ const blockingChatRequestSchema = z.object({
  * The chat session is persisted to the database, allowing users to view the full
  * conversation (including tool calls and reasoning) in the web UI.
  */
+// eslint-disable-next-line authz/require-auth-wrapper -- delegates to askCodebase() which calls withOptionalAuth
 export const POST = apiHandler(async (request: NextRequest) => {
     const requestBody = await request.json();
     const parsed = await blockingChatRequestSchema.safeParseAsync(requestBody);

packages/web/src/app/api/(server)/commit/route.ts

@@ -5,6 +5,7 @@ import { queryParamsSchemaValidationError, serviceErrorResponse } from "@/lib/se
 import { isServiceError } from "@/lib/utils";
 import { NextRequest } from "next/server";
 
+// eslint-disable-next-line authz/require-auth-wrapper -- delegates to getCommit() which calls withOptionalAuth
 export const GET = apiHandler(async (request: NextRequest): Promise<Response> => {
     const rawParams = Object.fromEntries(
         Object.keys(getCommitQueryParamsSchema.shape).map(key => [

packages/web/src/app/api/(server)/commits/authors/route.ts

@@ -6,6 +6,7 @@ import { serviceErrorResponse, queryParamsSchemaValidationError } from "@/lib/se
 import { isServiceError } from "@/lib/utils";
 import { NextRequest } from "next/server";
 
+// eslint-disable-next-line authz/require-auth-wrapper -- delegates to listCommitAuthors() which calls withOptionalAuth
 export const GET = apiHandler(async (request: NextRequest): Promise<Response> => {
     const rawParams = Object.fromEntries(
         Object.keys(listCommitAuthorsQueryParamsSchema.shape).map(key => [

packages/web/src/app/api/(server)/commits/route.ts

@@ -6,6 +6,7 @@ import { serviceErrorResponse, queryParamsSchemaValidationError } from "@/lib/se
 import { isServiceError } from "@/lib/utils";
 import { NextRequest } from "next/server";
 
+// eslint-disable-next-line authz/require-auth-wrapper -- delegates to listCommits() which calls withOptionalAuth
 export const GET = apiHandler(async (request: NextRequest): Promise<Response> => {
     const rawParams = Object.fromEntries(
         Object.keys(listCommitsQueryParamsSchema.shape).map(key => [

packages/web/src/app/api/(server)/diff/route.ts

@@ -5,6 +5,7 @@ import { queryParamsSchemaValidationError, serviceErrorResponse } from "@/lib/se
 import { isServiceError } from "@/lib/utils";
 import { NextRequest } from "next/server";
 
+// eslint-disable-next-line authz/require-auth-wrapper -- delegates to getDiff() which calls withOptionalAuth
 export const GET = apiHandler(async (request: NextRequest): Promise<Response> => {
     const rawParams = Object.fromEntries(
         Object.keys(getDiffRequestSchema.shape).map(key => [