fix(app): prevent duplicate org creation during setup onboarding

* fix(app): prevent duplicate org creation during setup onboarding

When users retry or refresh during the redirect after org creation,
the action fires again and creates a duplicate org. Add server-side
idempotency check that reuses an existing incomplete org with the
same name owned by the user, plus a client-side guard against
double-submission.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix(app): complete partial setup when reusing existing org

When reusing an existing incomplete org (idempotency path), ensure
onboarding record and framework initialization exist. Handles the
case where the original request failed after DB insert but before
completing all setup steps.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Mariano Fuentes <marfuen98@gmail.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: Tofik Hasanov <72318342+tofikwest@users.noreply.github.com>

Author: 4 people

apps/app/src/app/(app)/setup/actions/create-organization-minimal.ts

@@ -46,6 +46,67 @@ export const createOrganizationMinimal = authActionClientWithoutOrg
       // Check if self-hosted
       const isSelfHosted = env.NEXT_PUBLIC_SELF_HOSTED === 'true';
 
+      // Idempotency: if the user already has a recently created org with the
+      // same name that hasn't completed onboarding, reuse it instead of
+      // creating a duplicate (protects against retry/refresh during redirect).
+      const existingOrg = await db.organization.findFirst({
+        where: {
+          name: parsedInput.organizationName,
+          onboardingCompleted: false,
+          members: {
+            some: {
+              userId: session.user.id,
+              role: 'owner',
+            },
+          },
+        },
+        orderBy: { createdAt: 'desc' },
+      });
+
+      if (existingOrg) {
+        // Ensure post-creation steps are completed in case the original
+        // request failed partway through (after DB insert but before
+        // onboarding record or framework initialization).
+        const existingOnboarding = await db.onboarding.findUnique({
+          where: { organizationId: existingOrg.id },
+        });
+
+        if (!existingOnboarding) {
+          await db.onboarding.create({
+            data: {
+              organizationId: existingOrg.id,
+              triggerJobCompleted: false,
+            },
+          });
+        }
+
+        if (parsedInput.frameworkIds && parsedInput.frameworkIds.length > 0) {
+          const existingFrameworks = await db.frameworkInstance.findFirst({
+            where: { organizationId: existingOrg.id },
+          });
+
+          if (!existingFrameworks) {
+            await initializeOrganization({
+              frameworkIds: parsedInput.frameworkIds,
+              organizationId: existingOrg.id,
+            });
+          }
+        }
+
+        // Ensure this org is set as the active one
+        await auth.api.setActiveOrganization({
+          headers: await headers(),
+          body: {
+            organizationId: existingOrg.id,
+          },
+        });
+
+        return {
+          success: true,
+          organizationId: existingOrg.id,
+        };
+      }
+
       // Resolve framework IDs to display names (e.g. "SOC 2", "ISO 27001")
       const frameworks = await db.frameworkEditorFramework.findMany({
         where: { id: { in: parsedInput.frameworkIds } },

apps/app/src/app/(app)/setup/hooks/useOnboardingForm.ts

@@ -146,6 +146,9 @@ export function useOnboardingForm({
   });
 
   const handleCreateOrganizationAction = (currentAnswers: Partial<CompanyDetails>) => {
+    // Guard against duplicate submissions (retry/double-click)
+    if (isOnboarding || isFinalizing) return;
+
     // Only pass the first 3 fields to the minimal action
     createOrganizationAction.execute({
       frameworkIds: currentAnswers.frameworkIds || [],