refactor: unify dashboard menu permission routing

[cxymds]

Summary

• unify dashboard menu routing rules so sidebar visibility, route guarding, and default landing all use the same permission logic
• treat as an admin-only dashboard route and move admin status initialization into the shared permissions flow
• remove misleading menu-level flags and make dashboard entrypoints resolve the first accessible route instead of always redirecting to
• avoid linking performance summary cards to when the user cannot access that page

Testing

• (existing warnings only, no new errors)

[overtrue]

@codex review

[Copilot]

Pull request overview

This PR centralizes dashboard route permission logic so that sidebar visibility, route guarding, and post-auth “landing” redirects all follow the same access rules (including treating /oidc as admin-only).

Changes:

• Added shared dashboard route metadata/helpers and a useFirstAccessibleDashboardRoute hook to resolve the first accessible dashboard route (or fallback).
• Moved admin-status resolution into the permissions flow and updated dashboard guarding/sidebar visibility to use the shared access helper.
• Updated dashboard/auth entrypoints (home redirect, login/SSO callback, 403 back button) and performance cards to avoid linking to inaccessible routes.

Reviewed changes

Copilot reviewed 13 out of 14 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
types/app-config.d.ts	Removes NavItem.isAdminOnly from the shared nav item type.
lib/dashboard-route-meta.ts	Introduces centralized admin-only routing + menu-derived route list + access helpers.
lib/console-permissions.ts	Removes legacy ADMIN_ONLY_PATHS constant from permissions layer.
hooks/use-permissions.tsx	Adds admin-resolution step (/is-admin) and exposes hasResolvedAdmin to coordinate permission readiness.
hooks/use-first-accessible-dashboard-route.ts	New hook to compute the first accessible dashboard route once permissions are ready.
config/navs.ts	Removes isAdminOnly flags from nav config; visibility now relies on permission routing.
components/user/dropdown.tsx	Removes redundant admin-status initialization from the dropdown.
components/dashboard-auth-guard.tsx	Uses centralized canAccessDashboardRoute and waits for admin/policy readiness before guarding.
components/app-sidebar.tsx	Filters nav visibility using centralized access logic; updates “home” link to first accessible route.
app/(dashboard)/status/page.tsx	Avoids linking summary cards to /browser when the user can’t access it.
app/(dashboard)/page.tsx	Replaces hard redirect to /browser with client-side redirect to first accessible route.
app/(dashboard)/403/page.tsx	“Back to Home” now routes to first accessible route.
app/(auth)/auth/oidc-callback/page.tsx	Redirects to a safe redirect target or first accessible route after SSO login.
app/(auth)/auth/login/page.tsx	Redirects authenticated users to the first accessible route instead of always /browser.

Comments suppressed due to low confidence (1)

lib/console-permissions.ts:26

• PAGE_PERMISSIONS still includes an entry for /oidc, but /oidc is now treated as admin-only via ADMIN_ONLY_DASHBOARD_ROUTES/canAccessDashboardRoute. Having both mechanisms in play for the same route is contradictory and can mislead future changes (e.g., someone may grant console:OIDCSettings expecting it to work for non-admins). Consider removing /oidc from PAGE_PERMISSIONS (or clearly documenting that admin-only routing overrides scope-based permissions).

export const PAGE_PERMISSIONS: Record<string, ConsoleScope[]> = {
  "/browser": [CONSOLE_SCOPES.VIEW_BROWSER],
  "/buckets": [CONSOLE_SCOPES.VIEW_BROWSER],
  "/access-keys": [CONSOLE_SCOPES.VIEW_ACCESS_KEYS],
  "/policies": [CONSOLE_SCOPES.VIEW_POLICIES],

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.