TenantAssignment and readside filtering

src/app/api/usage/route.ts

@@ -1,6 +1,7 @@
 import { NextRequest, NextResponse } from "next/server";
 import { getSessionUser } from "@/lib/session";
 import { listTenants } from "@/lib/k8s";
+import { listVisibleTenants } from "@/lib/visibility";
 import { getTeamInfo, getTeamSpendLogsV2 } from "@/lib/litellm";
 import { safeError } from "@/lib/errors";
 
@@ -36,12 +37,17 @@ export async function GET(req: NextRequest) {
     keyAlias = req.nextUrl.searchParams.get("keyAlias") ?? null;
   }
 
-  // For customers (or admins without explicit params): resolve from their tenant.
+  // For customers (or admins without explicit params): resolve from
+  // the user's *visible* tenants. With Slice 6, a `user`-role member
+  // can only see usage for tenants they're assigned to — a non-assigned
+  // user defaults to "no active tenant" (404).
+  //
+  // Owner and platform get the full org-scoped list and pick the first
+  // tenant, matching the dashboard's "current instance" semantics.
   if (!teamId) {
-    const tenants = await listTenants();
-    const orgTenant = tenants.find(
-      (t) => t.metadata.labels?.["pieced.ch/zitadel-org-id"] === user.orgId
-    );
+    const allTenants = await listTenants();
+    const visible = await listVisibleTenants(user, allTenants);
+    const orgTenant = visible.find((t) => !!t.status?.litellmTeamId);
 
     if (!orgTenant?.status?.litellmTeamId) {
       return NextResponse.json(