
fix(webapp): plan-gate SSO settings before role gate and remove client session fetch guard#4045

Merged
0ski merged 1 commit into
mainfrom
oskar/chore-remove-sso-client-fetch-guard
Jun 25, 2026

Conversation

@0ski 0ski (Collaborator) commented Jun 25, 2026

SSO settings page: resolve plan before the role check. A non-Enterprise org now renders the upsell state for every role instead of showing a "permission denied" panel to non-Owners for a feature their org can't use yet. manage:sso is only enforced once the org is actually entitled. Extracts EMPTY_SSO_STATUS and uses throwPermissionDenied().

Also removes the client-side SSO session fetch guard. It monkeypatched global window.fetch, which made it the initiator of every request and obfuscated the real call site on any 4xx/5xx. Session revocation is still enforced server-side on every authenticated request and surfaces as a logout redirect on the next navigation/refresh, so the client guard was UX-only and not worth the cross-cutting cost.
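The two loader orderings the PR description contrasts, as an added example that is not the project's code. EMPTY_SSO_STATUS, throwPermissionDenied() and manage:sso are the names used in the PR; their shapes here, and everything else (Plan, Membership, SsoStatus, loadSsoStatus, PermissionDeniedError, the sample orgs and members), are assumptions for illustration.

```typescript
// Added example, not the project's code. Compares "role gate first" (the old
// behaviour) with "plan gate first" (this PR) for an SSO settings loader.
// All types and helpers below are hypothetical stand-ins.

type Plan = "free" | "team" | "enterprise";
type Permission = "manage:sso" | "read:org";

interface Org { slug: string; plan: Plan; }
interface Membership { role: "owner" | "admin" | "member"; permissions: Set<Permission>; }
interface SsoStatus { configured: boolean; providerId: string | null; domains: string[]; }

// Assumed shape of the extracted constant: what a non-entitled org renders with.
const EMPTY_SSO_STATUS: SsoStatus = { configured: false, providerId: null, domains: [] };

class PermissionDeniedError extends Error {
  readonly status = 403;
  constructor(permission: Permission) {
    super(`permission denied: ${permission}`);
    this.name = "PermissionDeniedError";
  }
}

// Assumed shape of throwPermissionDenied(): never returns.
function throwPermissionDenied(permission: Permission): never {
  throw new PermissionDeniedError(permission);
}

// Constructed stand-in for the SSO data load that only runs once the org is entitled.
function loadSsoStatus(org: Org): SsoStatus {
  return { configured: true, providerId: `saml-${org.slug}`, domains: [`${org.slug}.example`] };
}

type SsoSettingsState =
  | { kind: "upsell"; sso: SsoStatus }
  | { kind: "settings"; sso: SsoStatus };

// Before: role gate first. A non-Owner in a non-Enterprise org is told
// "permission denied" for a feature the org cannot use at all.
function loadSsoSettingsRoleFirst(org: Org, membership: Membership): SsoSettingsState {
  if (!membership.permissions.has("manage:sso")) throwPermissionDenied("manage:sso");
  if (org.plan !== "enterprise") return { kind: "upsell", sso: EMPTY_SSO_STATUS };
  return { kind: "settings", sso: loadSsoStatus(org) };
}

// After: plan gate first. Entitlement decides what the page is; the role gate
// is only applied, and SSO data only loaded, once the org is Enterprise.
function loadSsoSettingsPlanFirst(org: Org, membership: Membership): SsoSettingsState {
  if (org.plan !== "enterprise") return { kind: "upsell", sso: EMPTY_SSO_STATUS };
  if (!membership.permissions.has("manage:sso")) throwPermissionDenied("manage:sso");
  return { kind: "settings", sso: loadSsoStatus(org) };
}

// Classifies a loader's outcome for the comparison without letting the 403 escape.
function outcome(
  loader: (o: Org, m: Membership) => SsoSettingsState,
  org: Org,
  membership: Membership,
): string {
  try {
    return loader(org, membership).kind;
  } catch (e) {
    return e instanceof PermissionDeniedError ? "permission-denied" : "error";
  }
}

// Constructed sample inputs.
const teamOrg: Org = { slug: "acme", plan: "team" };
const enterpriseOrg: Org = { slug: "globex", plan: "enterprise" };
const owner: Membership = { role: "owner", permissions: new Set<Permission>(["manage:sso", "read:org"]) };
const member: Membership = { role: "member", permissions: new Set<Permission>(["read:org"]) };

// Same input, different answer: a member of a Team-plan org.
console.log("role first:", outcome(loadSsoSettingsRoleFirst, teamOrg, member));   // permission-denied
console.log("plan first:", outcome(loadSsoSettingsPlanFirst, teamOrg, member));   // upsell
console.log("enterprise member:", outcome(loadSsoSettingsPlanFirst, enterpriseOrg, member)); // permission-denied
```

The point of the reordering is not to weaken the authorization check: an Enterprise member without manage:sso still gets the 403 in the plan-first version, and the check stays in the server-side loader, so nothing the client renders can bypass it. What changes is that the entitlement decision is made before the role decision, so the non-entitled page is the same for every role.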

changeset-bot (Bot) commented Jun 25, 2026


⚠️ No Changeset found

Latest commit: e8051cb

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

@0ski 0ski marked this pull request as ready for review June 25, 2026 16:23
coderabbitai (Bot, Contributor) commented Jun 25, 2026


No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between 1891657 and e8051cb.

📒 Files selected for processing (7)
  • apps/webapp/app/entry.client.tsx
  • apps/webapp/app/hooks/useEventSource.tsx
  • apps/webapp/app/routes/_app.orgs.$organizationSlug.settings.sso/route.tsx
  • apps/webapp/app/routes/resources.session-check.ts
  • apps/webapp/app/services/ssoSessionRevalidation.server.ts
  • apps/webapp/app/utils/ssoSession.ts
  • apps/webapp/app/utils/ssoSessionGuard.ts
💤 Files with no reviewable changes (5)
  • apps/webapp/app/entry.client.tsx
  • apps/webapp/app/utils/ssoSessionGuard.ts
  • apps/webapp/app/routes/resources.session-check.ts
  • apps/webapp/app/utils/ssoSession.ts
  • apps/webapp/app/hooks/useEventSource.tsx
🚧 Files skipped from review as they are similar to previous changes (2)
  • apps/webapp/app/services/ssoSessionRevalidation.server.ts
  • apps/webapp/app/routes/_app.orgs.$organizationSlug.settings.sso/route.tsx
📜 Recent review details
⏰ Context from checks skipped due to timeout. (13)
  • GitHub Check: webapp / 🧪 Unit Tests: Webapp (7, 10)
  • GitHub Check: webapp / 🧪 Unit Tests: Webapp (6, 10)
  • GitHub Check: webapp / 🧪 Unit Tests: Webapp (4, 10)
  • GitHub Check: webapp / 🧪 Unit Tests: Webapp (2, 10)
  • GitHub Check: webapp / 🧪 Unit Tests: Webapp (9, 10)
  • GitHub Check: webapp / 🧪 Unit Tests: Webapp (10, 10)
  • GitHub Check: webapp / 🧪 Unit Tests: Webapp (8, 10)
  • GitHub Check: webapp / 🧪 Unit Tests: Webapp (5, 10)
  • GitHub Check: webapp / 🧪 Unit Tests: Webapp (3, 10)
  • GitHub Check: webapp / 🧪 Unit Tests: Webapp (1, 10)
  • GitHub Check: typecheck / typecheck
  • GitHub Check: e2e-webapp / 🧪 E2E Tests: Webapp
  • GitHub Check: audit

Walkthrough

The PR removes the client-side SSO session guard startup and removes the EventSource error probe for SSO session checks. It updates SSO session revalidation to return a plain 401 JSON error without the invalidation header, while keeping the shared logout path helper. The SSO settings route now checks the organization plan first, resolves the organization from the primary database, returns an empty SSO status for non-Enterprise organizations, and only applies manage:sso enforcement and SSO data loading for Enterprise organizations.

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (2 warnings)
  • Description check: ⚠️ Warning. The description explains the change, but it misses the required template sections like Closes #, checklist, testing, changelog, and screenshots. Resolution: add the required template sections (Closes #, checklist, testing steps, changelog, and screenshots), even if some are brief or marked N/A.
  • Docstring Coverage: ⚠️ Warning. Docstring coverage is 66.67%, which is insufficient; the required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (3 passed)
  • Title check: ✅ Passed. The title clearly summarizes the main change: SSO plan-gating plus removal of the client session guard.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.


devin-ai-integration (Bot, Contributor) left a comment

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no bugs or issues to report.


…n fetch guard

SSO settings page: resolve plan before the role check. A non-Enterprise org now
renders the upsell state for every role instead of showing a "permission denied"
panel to non-Owners for a feature their org can't use yet. manage:sso is only
enforced once the org is actually entitled. Extracts EMPTY_SSO_STATUS and uses
throwPermissionDenied().

Also removes the client-side SSO session fetch guard. It monkeypatched global
window.fetch, which made it the initiator of every request and obfuscated the
real call site on any 4xx/5xx. Session revocation is still enforced server-side
on every authenticated request and surfaces as a logout redirect on the next
navigation/refresh, so the client guard was UX-only and not worth the
cross-cutting cost.
@0ski 0ski force-pushed the oskar/chore-remove-sso-client-fetch-guard branch from 1891657 to e8051cb June 25, 2026 16:39
@0ski 0ski enabled auto-merge (squash) June 25, 2026 16:45
@0ski 0ski merged commit 9f01e31 into main Jun 25, 2026
38 of 52 checks passed
@0ski 0ski deleted the oskar/chore-remove-sso-client-fetch-guard branch June 25, 2026 17:04