fix(api): repair OSS auth bootstrap for legacy default scope

[bekossy]

Summary

Fixes an OSS API auth failure caused by legacy DB state where the singleton organization has no oss-default slug. The API now promotes that legacy org during default workspace resolution and self-heals a missing default project, preventing valid sessions from being rejected with cached 401 auth denials

Testing

Verified locally

Added or updated tests

QA follow-up

Demo

Checklist

• I have included a video or screen recording for UI changes, or marked Demo as N/A
• Relevant tests pass locally
• Relevant linting and formatting pass locally
• I have signed the CLA, or I will sign it when the bot prompts me

Contributor Resources

• Contributing guide
• Creating your first PR
• Development mode
• Testing
• Formatting and linting
• Slack support

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
agenta-documentation	Ready	Preview, Comment	May 22, 2026 2:43pm

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 783a2c7a-f199-4793-bde1-a47c76f327ea

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/oss-auth-legacy-default-scope

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 1620b32ec4

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Serialize default-project repair to avoid duplicate defaults

This new auth-path repair call can run concurrently on multiple first requests when a workspace has no default project, but create_or_update_default_project does a read-then-insert without a lock/unique guard. In that race, multiple is_default=True projects can be created for the same workspace, and later get_default_project_id_from_workspace uses .first() (no ordering), so request scoping becomes nondeterministic across project IDs.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Prefer a legacy org that actually has a workspace

When no oss-default slug is found, this fallback promotes the oldest slug IS NULL organization without checking whether it owns any workspace. If the oldest legacy org is orphaned but a newer legacy org has the real workspace, promotion still leaves workspaces empty and auth fails, even though recoverable data exists. The selection should be constrained to orgs that have at least one workspace.

Useful? React with 👍 / 👎.

[github-actions]

Railway Preview Environment

Status	Destroyed (PR converted to draft)

Updated at 2026-05-21T15:02:48.922Z