Summary

• Treat User.is_superuser as platform-admin eligibility instead of implicit tenant-context privilege.
• Resolve superuser tenant access through normal org/workspace membership and RBAC paths across HTTP auth, MCP, OIDC, SAML, and invitation flows.
• Keep explicit superadmin routes on SuperuserRole, and prevent AuthenticatedUserOnly from activating platform privileges.
• Update frontend post-auth routing so superusers land in the workspace app when they have tenant memberships, with /admin as the fallback when they have no org access.

Validation

• uv run pytest tests/unit/test_admin_org_invitations_service.py tests/unit/test_auth_middleware.py tests/unit/test_mcp_auth.py tests/unit/test_mcp_oidc_session.py tests/unit/test_organization_membership.py tests/unit/test_organization_service.py tests/unit/test_saml_client_config.py -q
• uv run pytest tests/unit/api/test_api_users_router.py -q
• uv run ruff check <changed Python files>
• uv run ruff format --check tracecat/auth/credentials.py tests/unit/test_auth_middleware.py
• uv run basedpyright <changed Python files>
• pnpm -C frontend test -- src/lib/auth-redirect.test.ts tests/auth-ui-matrix.test.tsx --runInBand
• pnpm -C frontend exec biome check src/app/workspaces/layout.tsx src/lib/auth-redirect.ts src/lib/auth-redirect.test.ts tests/auth-ui-matrix.test.tsx
• pnpm -C frontend run typecheck

Pre-commit also ran during commit and passed after regenerating the frontend client.

Summary by cubic

Treat superusers as tenant users: platform admin is opt-in and tenant access comes only from org/workspace membership and RBAC. Frontend keeps superusers on normal routes; only redirect to /admin when they have no org memberships.

• Refactors

  • Unify tenant auth paths: remove superuser-only tenant shortcuts across HTTP auth, MCP, OIDC, and SAML; all tenant access resolves via memberships and scopes.
  • Redefine Role.is_platform_superuser to mean explicit platform-admin execution; authenticated_user_only no longer enables it; scope computation updated.
  • MCP: resolve_role, list_user_workspaces, and org-role resolution use memberships/RBAC; superusers no longer bypass checks; issued tokens set is_platform_superuser=false.
  • OIDC (MCP): session resolution derives org from the user’s memberships; API updated to resolve_authorize_session(user); tokens no longer carry platform-superuser execution.
  • Invitations: allow inviting and accepting superuser accounts as regular members; remove multi-tenant blocks in org services.
  • SAML: drop automatic org access for superusers; allow only via membership, pending invite, or first superadmin bootstrap.
  • Org deletion: restricted to org owners/admins through tenant RBAC.
  • Tests: make the registry integration auth setup deterministic by seeding a membership and owner role, hashing the test password, and setting the org cookie.

• Frontend

  • Post-auth redirect: remove superuser special-casing; honor returnUrl; use /admin only when a superuser has no org memberships.
  • Workspace layout: detect “no memberships”; redirect superusers to /admin; regular users see the help screen. Updated tests and generated client docs.

^{Written for commit 6d3557d. Summary will update on new commits.}