
fix(billing): gate org billing query to invite modal open state and allow GA doubleclick in CSP#4328

Merged
waleedlatif1 merged 2 commits into staging from waleedlatif1/login-errors-debug
Apr 29, 2026

Conversation

@waleedlatif1 (Collaborator)

Summary

  • Gate useOrganizationBilling behind the invite modal's open state so it stops firing on app load (was returning 403 for users whose active workspace points at an org they aren't a member of)
  • Add enabled option to useOrganizationBilling matching the documented React Query pattern
  • Allow https://*.g.doubleclick.net and https://stats.g.doubleclick.net in CSP connect-src (hosted only) so GA conversion-linker pings stop violating CSP and flooding the console on the app + 404 page

Type of Change

  • Bug fix

Testing

Tested manually

Checklist

  • Code follows project style guidelines
  • Self-reviewed my changes
  • Tests added/updated and passing
  • No new warnings introduced
  • I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)

vercel Bot commented Apr 29, 2026


1 Skipped Deployment

Project: docs | Deployment: Skipped | Actions: Skipped | Updated (UTC): Apr 29, 2026 0:10am


cursor Bot commented Apr 29, 2026

PR Summary

Low Risk
Low risk: limits when useOrganizationBilling runs and adds a single hosted-only CSP connect-src allowlist entry; main risk is unintended query not firing if callers rely on default behavior.

Overview
Prevents organization billing data from being fetched until the workspace invite modal is opened by adding an enabled option to useOrganizationBilling and using it from InviteModal, avoiding unwanted/unauthorized billing requests on initial load.

Updates CSP connect-src (hosted only) to allow https://*.g.doubleclick.net, reducing GA-related CSP violations.

Reviewed by Cursor Bugbot for commit 6dc4055.

greptile-apps Bot commented Apr 29, 2026

Greptile Summary

This PR fixes two independent bugs: a 403 error caused by useOrganizationBilling firing on app load for users not in the active workspace's org (fixed by gating the query behind the invite modal's open state), and GA conversion-linker CSP violations in hosted deployments (fixed by adding https://*.g.doubleclick.net to connect-src). Both fixes are minimal, targeted, and follow established project patterns.

Confidence Score: 5/5

Safe to merge — all three changes are minimal, targeted bug fixes with no regressions.

No P0 or P1 issues found. The enabled option follows the project's own documented React Query pattern exactly, the modal gating is the canonical fix for the 403, and the CSP wildcard is standard for GA conversion tracking.

No files require special attention.

Important Files Changed

Filename / Overview

apps/sim/hooks/queries/organization.ts: Adds optional enabled option to useOrganizationBilling, matching the project's documented React Query pattern. Logic !!orgId && (options?.enabled ?? true) is backward-compatible and correct.

apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/workspace-header/components/invite-modal/invite-modal.tsx: Gates useOrganizationBilling behind the modal open state, preventing the 403-triggering query from firing on app load for users not in the org.

apps/sim/lib/core/security/csp.ts: Adds https://*.g.doubleclick.net wildcard to hosted connect-src to stop GA conversion-linker CSP violations. Specific stats.g.doubleclick.net entry correctly omitted as it is covered by the wildcard.

Sequence Diagram

sequenceDiagram
    participant User
    participant InviteModal
    participant useOrganizationBilling
    participant API

    Note over InviteModal: Before fix
    User->>InviteModal: App loads (modal closed)
    InviteModal->>useOrganizationBilling: query fires (orgId, enabled=true)
    useOrganizationBilling->>API: GET /api/organizations/:id/billing
    API-->>useOrganizationBilling: 403 (user not org member)

    Note over InviteModal: After fix
    User->>InviteModal: App loads (modal closed)
    InviteModal->>useOrganizationBilling: query skipped (enabled=false)
    User->>InviteModal: Opens invite modal
    InviteModal->>useOrganizationBilling: query fires (orgId, enabled=true)
    useOrganizationBilling->>API: GET /api/organizations/:id/billing
    API-->>useOrganizationBilling: 200 OK

Reviews (2): Last reviewed commit: "fix(csp): drop redundant stats.g.doublec..."
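The two pieces of logic this PR describes, the `enabled` gating quoted in the file overview above and the hosted-only connect-src wildcard, as an added example that is not code from the sim project; the function names and the shape of the allowlist are assumptions, and the host matcher is a minimal scheme-plus-host check rather than a full CSP implementation:

```typescript
// Added example, not code from the sim project: the two pieces of logic this PR
// describes, as pure functions. Function names and the allowlist shape are assumed.

interface BillingQueryOptions {
  enabled?: boolean
}

// React Query gating as Greptile quotes it: `!!orgId && (options?.enabled ?? true)`.
// A missing orgId always disables the query; an omitted `enabled` keeps the old
// default (true), so callers that pass no options behave exactly as before.
function billingQueryEnabled(
  orgId: string | null | undefined,
  options?: BillingQueryOptions,
): boolean {
  return !!orgId && (options?.enabled ?? true)
}

// Minimal CSP host-source matcher (scheme and host only; no ports or paths).
// A leading "*." must match at least one extra label, so
// `https://*.g.doubleclick.net` covers `stats.g.doubleclick.net` but not
// `g.doubleclick.net` itself, nor a lookalike like `stats.g.doubleclick.net.example`.
function schemeAndHost(value: string): { scheme: string; host: string } {
  const idx = value.indexOf('://')
  const scheme = idx < 0 ? '' : value.slice(0, idx).toLowerCase()
  const rest = idx < 0 ? value : value.slice(idx + 3)
  const host = (rest.split(/[\/:?#]/, 1)[0] ?? '').toLowerCase()
  return { scheme, host }
}

function hostSourceMatches(source: string, url: string): boolean {
  const src = schemeAndHost(source)
  const target = schemeAndHost(url)
  if (src.scheme !== '' && src.scheme !== target.scheme) return false
  if (src.host.startsWith('*.')) {
    const suffix = src.host.slice(1) // ".g.doubleclick.net"
    return target.host.length > suffix.length && target.host.endsWith(suffix)
  }
  return src.host === target.host
}

// connect-src as the PR describes it: the doubleclick wildcard is added for hosted
// deployments only; self-hosted builds keep the stricter list.
function connectSrc(hosted: boolean): string[] {
  const base = ["'self'"]
  return hosted ? [...base, 'https://*.g.doubleclick.net'] : base
}

function connectAllowed(hosted: boolean, url: string): boolean {
  return connectSrc(hosted).some((s) => s !== "'self'" && hostSourceMatches(s, url))
}
```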

Comment thread apps/sim/lib/core/security/csp.ts Outdated
@waleedlatif1 (Collaborator, Author)

@greptile

@waleedlatif1 (Collaborator, Author)

@cursor review

@cursor cursor Bot left a comment

✅ Bugbot reviewed your changes and found no new issues!

Comment @cursor review or bugbot run to trigger another review on this PR

Reviewed by Cursor Bugbot for commit 6dc4055.

@waleedlatif1 waleedlatif1 merged commit 9ac73bb into staging Apr 29, 2026
14 checks passed
@waleedlatif1 waleedlatif1 deleted the waleedlatif1/login-errors-debug branch April 29, 2026 00:17