
Fix scoped session access for onboarding pack previews#409

Open
JSONbored wants to merge 1 commit into main from codex/fix-onboarding-preview-access-for-maintainers

Conversation

@JSONbored (Owner)

Motivation

  • The new /v1/repos/:owner/:repo/onboarding-pack/preview route was guarded by requireAppRole but mounted under /v1/repos/*, and a global protected-route gate denied ordinary browser sessions before the route-level role check ran.
  • Make the preview reachable to legitimate maintainer/owner browser sessions while preserving per-repository scoping and existing static/operator access rules.

Description

  • Allow session identities to reach the preview endpoint by recognizing the preview path in canSessionAccessPath via a new isRepoOnboardingPackPreviewPath helper.
  • Enforce repository-scoped access for session identities inside the preview handler by calling authenticateRequestIdentity, fetching the repo, and invoking requireSessionRepoAccess before building the preview.
  • Add integration test coverage that seeds registered/installed repos, verifies an owner session can fetch the preview, and checks a different-owner session receives forbidden_repo, plus a small test helper seedRegisteredInstalledRepo.
  • Import upsertRepositoryFromGitHub where needed and adjust the integration test file accordingly.

Testing

  • Ran the targeted integration test: npx vitest run test/integration/routes-errors.test.ts, which passed (Test Files 1 passed, Tests 12 passed).
  • Ran TypeScript checks: npm run typecheck, which completed successfully.
  • Verified the modified integration test exercises the new route-level repo-scoped authorization and confirms the fix (owner succeeds, other owner forbidden).

Codex Task
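As an added example (not gittensory's code and not part of this PR), the following self-contained TypeScript models the two-layer check the description lays out: a global gate that only decides which paths a browser session may reach at all, and a route handler that separately authenticates the identity, fetches the repository and enforces per-repository scope. The function names canSessionAccessPath, isRepoOnboardingPackPreviewPath, authenticateRequestIdentity and requireSessionRepoAccess and the forbidden_repo code are taken from the PR text; their signatures, the Identity and Repo shapes, the header-based session token, the operator bypass and the in-memory repo table are all assumptions made for the example.

```typescript
// Added example modelling the two-layer authorization this PR describes.
// This is not gittensory's code: the function names come from the PR text,
// but every signature, type and the sample repo table below are assumptions.

type Role = "owner" | "maintainer" | "viewer";
export type Identity =
  | { kind: "session"; userId: string; role: Role }
  | { kind: "operator" } // assumed: operator/static identities are not subject to the session gate
  | { kind: "anonymous" };

export interface Repo { owner: string; name: string; installed: boolean }

export class HttpError extends Error {
  status: number;
  code: string;
  constructor(status: number, code: string) {
    super(code);
    this.status = status;
    this.code = code;
  }
}

// Constructed sample data standing in for the seeded registered/installed repos.
const REPOS: Repo[] = [
  { owner: "alice", name: "widgets", installed: true },
  { owner: "bob", name: "gadgets", installed: true },
];

// Anchored, single-segment matcher: trailing segments, empty segments or
// encoded slashes do not match, so the gate cannot be widened by path tricks.
const PREVIEW_PATH = /^\/v1\/repos\/([A-Za-z0-9_.-]+)\/([A-Za-z0-9_.-]+)\/onboarding-pack\/preview$/;

export function isRepoOnboardingPackPreviewPath(path: string): { owner: string; repo: string } | null {
  const m = PREVIEW_PATH.exec(path);
  return m ? { owner: m[1], repo: m[2] } : null;
}

// Global protected-route gate. A browser session only reaches paths recognised here;
// letting a path through is reachability, not authorization.
export function canSessionAccessPath(path: string): boolean {
  if (path.startsWith("/v1/session/")) return true; // assumed pre-existing session-only routes
  if (isRepoOnboardingPackPreviewPath(path) !== null) return true; // the fix: preview is session-reachable
  return false;
}

// Assumed for the example only: "x-session: <userId>:<role>" and "x-operator: 1".
export function authenticateRequestIdentity(headers: Record<string, string>): Identity {
  if (headers["x-operator"] === "1") return { kind: "operator" };
  const token = headers["x-session"];
  if (!token) return { kind: "anonymous" };
  const [userId, roleRaw] = token.split(":");
  const role: Role = roleRaw === "owner" || roleRaw === "maintainer" ? roleRaw : "viewer";
  return { kind: "session", userId, role };
}

// Per-repository check: the session must belong to the repo owner with maintainer or owner role.
export function requireSessionRepoAccess(identity: Identity, repo: Repo): void {
  if (identity.kind === "operator") return;
  if (identity.kind !== "session") throw new HttpError(401, "unauthenticated");
  const ok = identity.userId === repo.owner && identity.role !== "viewer";
  if (!ok) throw new HttpError(403, "forbidden_repo");
}

function findRepo(owner: string, name: string): Repo | undefined {
  return REPOS.find((r) => r.owner === owner && r.name === name && r.installed);
}

// Preview handler: authenticate, apply the gate to sessions, fetch the repo, enforce scope, then build.
export function handlePreview(path: string, headers: Record<string, string>): { status: number; body: string } {
  try {
    const identity = authenticateRequestIdentity(headers);
    if (identity.kind === "anonymous") throw new HttpError(401, "unauthenticated");
    if (identity.kind === "session" && !canSessionAccessPath(path)) {
      throw new HttpError(403, "forbidden_path");
    }
    const target = isRepoOnboardingPackPreviewPath(path);
    if (target === null) throw new HttpError(404, "not_found");
    const repo = findRepo(target.owner, target.repo);
    if (repo === undefined) {
      // Design choice of this example (not stated by the PR): a session gets the same
      // forbidden_repo for a missing repo as for someone else's, so names cannot be enumerated.
      if (identity.kind === "operator") throw new HttpError(404, "repo_not_found");
      throw new HttpError(403, "forbidden_repo");
    }
    requireSessionRepoAccess(identity, repo);
    return { status: 200, body: `preview:${repo.owner}/${repo.name}` };
  } catch (e) {
    if (e instanceof HttpError) return { status: e.status, body: e.code };
    throw e;
  }
}
```

Two points worth keeping in mind when applying a fix of this shape: the gate's allow-list widens reachability for every session, so the per-repository check inside the handler is the only thing standing between a maintainer of one repo and the preview of another, and it must run on every code path that builds the preview; and the order of the repo lookup relative to the scope check decides whether a session that is denied can still learn that a repository name exists, which is why the example collapses the not-found case into forbidden_repo for sessions.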

@dosubot dosubot Bot added the size:S This PR changes 10-29 lines, ignoring generated files. label Jun 5, 2026
cloudflare-workers-and-pages Bot commented Jun 5, 2026

Deploying with Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status:        ✅ Deployment successful! (View logs)
Name:          gittensory-ui
Latest Commit: 1b5d49e
Preview URL:   Commit Preview URL / Branch Preview URL
Updated (UTC): Jun 05 2026, 08:56 AM

@JSONbored JSONbored self-assigned this Jun 5, 2026

Labels

aardvark codex size:S This PR changes 10-29 lines, ignoring generated files.

Projects

Status: Todo

1 participant