Role split and owner gating

src/app/api/onboarding/route.ts

@@ -1,5 +1,5 @@
 import { NextRequest, NextResponse } from "next/server";
-import { getSessionUser } from "@/lib/session";
+import { getSessionUser, canMutate } from "@/lib/session";
 import {
   createTenantRequest,
   getTenantRequestById,
@@ -157,6 +157,15 @@ export async function POST(request: Request) {
     return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
   }
 
+  // Slice 5: only owners (or platform users) may create new instances.
+  // A `user`-role member of an existing org cannot self-provision.
+  if (!canMutate(user)) {
+    return NextResponse.json(
+      { error: "Only the organization owner can create new instances." },
+      { status: 403 }
+    );
+  }
+
   const body = await request.json();
   const parsed = onboardingSchema.safeParse(body);
   if (!parsed.success) {