TenantAssignment and readside filtering

src/app/api/tenants/[name]/route.ts

@@ -1,5 +1,6 @@
 import { NextRequest, NextResponse } from "next/server";
 import { getSessionUser, canMutate } from "@/lib/session";
+import { canUserSeeTenant } from "@/lib/visibility";
 import { getTenant, patchTenantSpec } from "@/lib/k8s";
 import { getPackageDef } from "@/lib/packages";
 import { safeError } from "@/lib/errors";
@@ -22,11 +23,11 @@ export async function GET(
     if (!tenant)
       return NextResponse.json({ error: "Not found" }, { status: 404 });
 
-    if (
-      !user.isPlatform &&
-      tenant.metadata.labels?.["pieced.ch/zitadel-org-id"] !== user.orgId
-    ) {
-      return NextResponse.json({ error: "Forbidden" }, { status: 403 });
+    // Slice 6: visibility now includes assignment-table check for
+    // user-role members. We return 404 (not 403) to avoid leaking
+    // tenant existence — same as cross-org reads.
+    if (!(await canUserSeeTenant(user, tenant))) {
+      return NextResponse.json({ error: "Not found" }, { status: 404 });
     }
 
     return NextResponse.json(tenant);

src/app/api/tenants/route.ts

@@ -1,21 +1,14 @@
 import { NextResponse } from "next/server";
 import { getSessionUser } from "@/lib/session";
 import { listTenants } from "@/lib/k8s";
+import { listVisibleTenants } from "@/lib/visibility";
 
 export async function GET() {
   const user = await getSessionUser();
   if (!user)
     return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
 
-  const tenants = await listTenants();
-
-  if (user.isPlatform) {
-    return NextResponse.json(tenants);
-  }
-
-  // Customers see only their own tenant
-  const own = tenants.filter(
-    (t) => t.metadata.labels?.["pieced.ch/zitadel-org-id"] === user.orgId
-  );
-  return NextResponse.json(own);
+  const all = await listTenants();
+  const visible = await listVisibleTenants(user, all);
+  return NextResponse.json(visible);
 }