
fix(api): Refine SAML invitation handling and guard auto-provisioning #2204

Merged
topher-lo merged 5 commits into main from fix/investigate-saml-invite-bug
Feb 27, 2026

Conversation

topher-lo (Contributor) commented Feb 27, 2026

Summary

  • ensure invitation accept and sign-in flows keep relay state plus org slug in query params
  • update generated client types/services to match removed OAuth endpoints and add organization slug field
  • drop SSO auto-provisioning toggle and gate backend provisioning to superadmin or pending invitations only
  • tighten SAML authorization helper tests for invitations, pending selection, and superadmin allowance

Testing

  • Not run (not requested)

Summary by cubic

Refines SAML invite handling and org access by preserving org context, enforcing domain allowlists, and removing auto‑provisioning. Updates auth discovery to default to the default org’s SAML in single‑tenant and to platform OIDC in multi‑tenant, with email selection that prefers pending invites.

  • Bug Fixes

    • Preserve org context in invitation accept and auth flows via returnUrl and org slug.
    • Remove sign‑up CTA on invitation accept; always route to sign‑in with org preserved.
    • Prefer pending invitations when selecting the SAML assertion email; fall back to allowlisted domains. Reject when the org has no active domains, except for first‑user superadmin bootstrap in the default org.
    • Update auth discovery for unknown domains: single‑tenant defaults to the default org’s SAML; multi‑tenant falls back to platform OIDC.
    • Pass org slug to auth discovery; hide sign‑up links and password UI when basic auth is disabled.
  • Refactors

    • Remove saml_auto_provisioning setting and UI; auto‑provision only for invitees or first superadmin bootstrap.
    • Require existing membership or pending invite for org access; no JIT membership (bootstrap allowed).
    • Add organization_slug to minimal invitation response and propagate through SignIn/SignUp.
    • Use /api/auth/oauth/authorize without client‑side scopes.
    • Remove unused SAML email policy helper.
    • Add tests for auth UI gating, discovery fallback, invitation selection, email authorization, superadmin bootstrap, and org access rules.

Written for commit ab0b07d. Summary will update on new commits.

cubic-dev-ai bot left a comment

No issues found across 13 files

chatgpt-codex-connector bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: ffefd25927

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

@topher-lo topher-lo added the fix Bug fix label Feb 27, 2026
topher-lo (Contributor, Author) commented:

@cursor review

topher-lo (Contributor, Author) commented:

@codex review

chatgpt-codex-connector bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 6bc0681cb3


@topher-lo topher-lo changed the title Refine SAML invitation handling and guard auto-provisioning fix(api): Refine SAML invitation handling and guard auto-provisioning Feb 27, 2026
topher-lo (Contributor, Author) commented:

@cursor review

topher-lo (Contributor, Author) commented:

@cubic review

cubic-dev-ai bot (Contributor) commented Feb 27, 2026

@cubic review

@topher-lo I have started the AI code review. It will take a few minutes to complete.

cursor bot left a comment

Cursor Bugbot has reviewed your changes and found 2 potential issues.

Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.

cubic-dev-ai bot left a comment

1 issue found across 20 files

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="tracecat/auth/saml.py">

<violation number="1" location="tracecat/auth/saml.py:342">
P3: `should_allow_email_for_org` is now dead production code. After refactoring `_select_allowlisted_email` → `_select_authorized_email`, the new function calls `_get_active_org_domains` and `_is_normalized_domain_allowed_for_org` directly, bypassing this public function entirely. It has zero production callers — only test code exercises it, creating a false sense of coverage while the actual production path relies on different tests. Consider removing this function or updating tests to target the actual production code paths.</violation>
</file>

Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.

@topher-lo topher-lo merged commit 6dc65a8 into main Feb 27, 2026
12 of 16 checks passed
@topher-lo topher-lo deleted the fix/investigate-saml-invite-bug branch February 27, 2026 16:31
Labels: fix (Bug fix)

1 participant