TenantAssignment and readside filtering

src/app/[locale]/tenants/[name]/page.tsx

@@ -2,6 +2,7 @@ import { getSessionUser, canMutate } from "@/lib/session";
 import { getTranslations, getFormatter } from "next-intl/server";
 import { redirect, notFound } from "next/navigation";
 import { getTenant } from "@/lib/k8s";
+import { canUserSeeTenant } from "@/lib/visibility";
 import { StatusBadge } from "@/components/ui/status-badge";
 import { UsageDisplay } from "@/components/dashboard/usage-display";
 import { PackageList } from "@/components/packages/package-list";
@@ -26,11 +27,10 @@ export default async function TenantDetailPage({
   const tenant = await getTenant(name);
   if (!tenant) notFound();
 
-  // Scope check
-  if (
-    !user.isPlatform &&
-    tenant.metadata.labels?.["pieced.ch/zitadel-org-id"] !== user.orgId
-  ) {
+  // Slice 6: visibility check encompasses org membership AND, for
+  // user-role members, the tenant_user_assignments check. notFound()
+  // (404) rather than redirect/403 to avoid leaking tenant existence.
+  if (!(await canUserSeeTenant(user, tenant))) {
     notFound();
   }