fix(ui): hide OrganizationProfile Security tab when lacking manage enterprise connections permission

[iagodahlem]

Summary

ConfigureSSO is embedded in <OrganizationProfile /> → Security tab, which shows when self-serve SSO is enabled at the org level. A member without the org:sys_entconns:manage permission previously landed on the Security tab and hit a missing-permission state that was built as a wizard step, so it rendered wizard chrome (header/footer) that doesn't fit someone who never entered a flow.

Since SSO is currently the only section in Security, this hides the Security tab entirely when the current member lacks org:sys_entconns:manage — matching how the Members, Billing, and API keys tabs are permission-gated.

Changes

• OrganizationProfileNavbar.tsx — filter out the Security nav item via useProtect(has => has({ permission: 'org:sys_entconns:manage' })), mirroring the existing Members/Billing filters.
• OrganizationProfileRoutes.tsx — wrap the Security route in <Protect> so a direct navigation is gated too (matches the Billing/API keys routes).
• OrganizationSecurityPage.tsx — drop the now-redundant page-level ConfigureSSOProtect wrapper; the route guard covers it. ConfigureSSOProtect stays in place for the standalone <ConfigureSSO /> component.
• Tests updated to assert the Security tab is hidden when the permission is missing. The "hide when self-serve SSO is disabled at the org/instance level" behavior is unchanged and still covered by tests.

Follow-up

When the Security page gains non-SSO settings, the permission-error state should be redesigned to scope to the SSO section only (so the tab can stay visible for other settings). Tracked separately.

Resolves ORGS-1676.

Summary by CodeRabbit

• Bug Fixes
  • Tightened access control for the Organization Security tab so it stays hidden unless org:sys_entconns:manage is granted.
  • Protected the self-serve SSO “organization-security” route with the same permission gate.
  • Updated the Security page to show the correct content (or centered loading spinner) only when access is allowed, instead of a permission-denied message.
  • Refined navbar/route filtering to include Security only when permitted (and keep the existing API keys visibility rule consistent).
• Tests
  • Updated and refactored route/SSO permission assertions to verify “hidden vs. warning” behavior and guarded routing.

[changeset-bot]

🦋 Changeset detected

Latest commit: 6b479e1

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 3 packages

Name	Type
@clerk/ui	Patch
@clerk/chrome-extension	Patch
@clerk/swingset	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
clerk-js-sandbox	Ready	Preview, Comment	Jun 23, 2026 6:26pm
swingset	Ready	Preview, Comment	Jun 23, 2026 6:26pm

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Repository UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: 5e5cf517-be6e-463b-b817-306a3f646216

📥 Commits

Reviewing files that changed from the base of the PR and between 714ea02 and 6b479e1.

📒 Files selected for processing (5)

• .changeset/olive-pans-sin.md
• packages/ui/src/components/OrganizationProfile/OrganizationProfileNavbar.tsx
• packages/ui/src/components/OrganizationProfile/OrganizationProfileRoutes.tsx
• packages/ui/src/components/OrganizationProfile/OrganizationSecurityPage.tsx
• packages/ui/src/components/OrganizationProfile/__tests__/OrganizationProfile.test.tsx

✅ Files skipped from review due to trivial changes (1)

• .changeset/olive-pans-sin.md

🚧 Files skipped from review as they are similar to previous changes (4)

• packages/ui/src/components/OrganizationProfile/OrganizationProfileRoutes.tsx
• packages/ui/src/components/OrganizationProfile/OrganizationProfileNavbar.tsx
• packages/ui/src/components/OrganizationProfile/OrganizationSecurityPage.tsx
• packages/ui/src/components/OrganizationProfile/tests/OrganizationProfile.test.tsx

---

📝 Walkthrough

Walkthrough

OrganizationProfile now hides the Security tab for members without org:sys_entconns:manage, protects the security route with the same permission, removes page-level SSO protection wrappers, updates tests to expect the tab to be absent, and records the behavior in a changeset.

Changes

Security Tab Permission Gating

Layer / File(s)	Summary
Navbar permission guard for Security route packages/ui/src/components/OrganizationProfile/OrganizationProfileNavbar.tsx	OrganizationProfileNavbar adds a permission check for org:sys_entconns:manage and filters out the SECURITY route when that permission is not granted, alongside the existing API keys visibility filter.
Route-level Protect wrapper and page ConfigureSSOProtect removal packages/ui/src/components/OrganizationProfile/OrganizationProfileRoutes.tsx, packages/ui/src/components/OrganizationProfile/OrganizationSecurityPage.tsx	The organization-security route is wrapped in Protect with org:sys_entconns:manage, and OrganizationSecurityPage no longer uses ConfigureSSOProtect in loading or main render paths.
Test updates and changeset packages/ui/src/components/OrganizationProfile/__tests__/OrganizationProfile.test.tsx, .changeset/olive-pans-sin.md	Tests are updated to assert that Security is not rendered without the permission, import statements are standardized, and the changeset records the hidden-tab behavior plus patch version bumps for @clerk/ui.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related PRs

• clerk/javascript#8796: Changes the page/path/component to OrganizationSecurityPage, and the main PR further adds a Protect permission gate around that same security route.
• clerk/javascript#8813: Added the Security tab SSO overview rendering that this PR now adjusts with permission-based route/tab gating.
• clerk/javascript#8864: Also modifies the Security page / ConfigureSSO wizard flow with overlapping integration points at the OrganizationSecurityPage level.

Suggested reviewers

• LauraBeatris

Poem

🐇 I hid a tab behind a gate,
so only permitted paws navigate.
The route now checks before hello,
old wrappers bowed and let it go.
In clovered tests, no warning spree—
just quiet paths and tidy tea. 🔐

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and concisely summarizes the main change: hiding the OrganizationProfile Security tab from users without the manage enterprise connections permission.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

---

_{Comment @coderabbitai help to get the list of available commands.}

[pkg-pr-new]

Open in StackBlitz

@clerk/astro

npm i https://pkg.pr.new/@clerk/astro@8971

@clerk/backend

npm i https://pkg.pr.new/@clerk/backend@8971

@clerk/chrome-extension

npm i https://pkg.pr.new/@clerk/chrome-extension@8971

@clerk/clerk-js

npm i https://pkg.pr.new/@clerk/clerk-js@8971

@clerk/electron

npm i https://pkg.pr.new/@clerk/electron@8971

@clerk/electron-passkeys

npm i https://pkg.pr.new/@clerk/electron-passkeys@8971

@clerk/eslint-plugin

npm i https://pkg.pr.new/@clerk/eslint-plugin@8971

@clerk/expo

npm i https://pkg.pr.new/@clerk/expo@8971

@clerk/expo-passkeys

npm i https://pkg.pr.new/@clerk/expo-passkeys@8971

@clerk/express

npm i https://pkg.pr.new/@clerk/express@8971

@clerk/fastify

npm i https://pkg.pr.new/@clerk/fastify@8971

@clerk/hono

npm i https://pkg.pr.new/@clerk/hono@8971

@clerk/localizations

npm i https://pkg.pr.new/@clerk/localizations@8971

@clerk/nextjs

npm i https://pkg.pr.new/@clerk/nextjs@8971

@clerk/nuxt

npm i https://pkg.pr.new/@clerk/nuxt@8971

@clerk/react

npm i https://pkg.pr.new/@clerk/react@8971

@clerk/react-router

npm i https://pkg.pr.new/@clerk/react-router@8971

@clerk/shared

npm i https://pkg.pr.new/@clerk/shared@8971

@clerk/tanstack-react-start

npm i https://pkg.pr.new/@clerk/tanstack-react-start@8971

@clerk/testing

npm i https://pkg.pr.new/@clerk/testing@8971

@clerk/ui

npm i https://pkg.pr.new/@clerk/ui@8971

@clerk/upgrade

npm i https://pkg.pr.new/@clerk/upgrade@8971

@clerk/vue

npm i https://pkg.pr.new/@clerk/vue@8971

commit: 6b479e1

[github-actions]

API Changes Report

Generated by Break Check on 2026-06-23T18:27:17.753Z

Summary

Metric	Count
Packages analyzed	19
Packages with changes	0
🔴 Breaking changes	0
🟡 Non-breaking changes	0
🟢 Additions	0

No API Changes Detected

All packages have stable APIs with no detected changes.

---

Report generated by Break Check

_{Last ran on 6b479e1.}

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

packages/ui/src/components/OrganizationProfile/__tests__/OrganizationProfile.test.tsx (1)

540-557: 📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win

Add a direct-navigation test for the new security route guard.

This assertion only validates navbar/tab visibility. Please add a case that initializes routing to organization-security without org:sys_entconns:manage and verifies the security page content does not render, so the new route-level <Protect> behavior is covered too.

As per coding guidelines, "**/*.{test,spec}.{ts,tsx,js,jsx}: Unit tests are required for all new functionality" and "Include tests for all new features."

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@packages/ui/src/components/OrganizationProfile/__tests__/OrganizationProfile.test.tsx`
around lines 540 - 557, The current test only checks that the Security tab is
hidden, but it does not cover the new route guard behavior. Add a
direct-navigation test in OrganizationProfile.test.tsx that starts the router on
the organization-security route without the org:sys_entconns:manage permission,
then assert the security page content is not rendered; use the existing
OrganizationProfile render setup and the route/protection behavior introduced
around OrganizationProfile and Protect to locate the right test path.

Source: Coding guidelines

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In
`@packages/ui/src/components/OrganizationProfile/__tests__/OrganizationProfile.test.tsx`:
- Around line 540-557: The current test only checks that the Security tab is
hidden, but it does not cover the new route guard behavior. Add a
direct-navigation test in OrganizationProfile.test.tsx that starts the router on
the organization-security route without the org:sys_entconns:manage permission,
then assert the security page content is not rendered; use the existing
OrganizationProfile render setup and the route/protection behavior introduced
around OrganizationProfile and Protect to locate the right test path.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Repository UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: 4f69c249-aa9e-4dfa-a31b-dffc15bee231

📥 Commits

Reviewing files that changed from the base of the PR and between a536a0d and 2472ddf.

📒 Files selected for processing (5)

• .changeset/hide-security-tab-without-permission.md
• packages/ui/src/components/OrganizationProfile/OrganizationProfileNavbar.tsx
• packages/ui/src/components/OrganizationProfile/OrganizationProfileRoutes.tsx
• packages/ui/src/components/OrganizationProfile/OrganizationSecurityPage.tsx
• packages/ui/src/components/OrganizationProfile/__tests__/OrganizationProfile.test.tsx

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.changeset/olive-pans-sin.md:
- Around line 1-6: Remove the `@clerk/clerk-js` package from the changeset file.
The PR changes are scoped exclusively to `@clerk/ui` components and do not
affect `@clerk/clerk-js`, so only `@clerk/ui` should be listed with a patch
version bump in the changeset. Delete the line containing `'`@clerk/clerk-js`':
patch` and keep only the `@clerk/ui` entry.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Repository UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: 6f402220-e8b7-4390-bb60-aa60a21fd6fd

📥 Commits

Reviewing files that changed from the base of the PR and between 2472ddf and 0109697.

📒 Files selected for processing (1)

• .changeset/olive-pans-sin.md