portal/src/app/[slug]/layout.tsx

import { notFound, redirect } from "next/navigation";
import type { ReactNode } from "react";
import { getPortalSession } from "@/lib/get-session";
import { loadTenantForShell } from "@/lib/portal-data";
import { Lifeline } from "@/components/portal/Lifeline";
import { NavRail } from "@/components/portal/NavRail";
import { Topbar } from "@/components/portal/Topbar";
import { ArchivedLockout } from "@/components/portal/ArchivedLockout";
import { MockWorker } from "@/components/portal/MockWorker";
import { ToastHost } from "@/components/portal/ToastHost";

const MOCK_API = !!process.env.BP_DEV_FIXTURE;

export default async function TenantLayout({
  children,
  params,
}: {
  children: ReactNode;
  params: Promise<{ slug: string }>;
}) {
  const { slug } = await params;
  const tenant = await loadTenantForShell(slug);
  if (!tenant) notFound();

  const session = await getPortalSession();

  // Tenant mismatch guard — a JWT scoped to tenant A must not be allowed
  // to view tenant B. If the slug in the path doesn't match the session
  // tenant_slug, redirect back to whatever this user CAN see.
  if (session && session.tenant_slug && session.tenant_slug !== slug) {
    redirect(`/${session.tenant_slug}/dashboard`);
  }

  // Archived tenants get a full-page 410 — no shell, no nav, no chrome.
  if (tenant.status === "archived") {
    return <ArchivedLockout tenant={tenant} />;
  }

  // Unauthenticated visitors land on the existing in-page sign-in (each
  // route handles its own zero-session affordance).
  if (!session) {
    return (
      <div className="app">
        <div className="app-body">
          <main className="main">
            <div className="content">
              <div className="content-inner">{children}</div>
            </div>
          </main>
        </div>
      </div>
    );
  }

  return (
    <div className="app">
      {MOCK_API ? (
        <>
          <script
            dangerouslySetInnerHTML={{
              __html: `window.__BP_MOCK_API__=true;window.__BP_TENANT_STATUS__=${JSON.stringify(tenant.status)};`,
            }}
          />
          <MockWorker />
        </>
      ) : null}
      <ToastHost />
      <Lifeline
        tenant={{
          status: tenant.status,
          slug,
          plan: tenant.plan,
          seats: tenant.seats,
          trialDaysLeft: tenant.trialDaysLeft,
          trialEnds: tenant.trialEnds,
          frozenReason: tenant.frozenReason,
        }}
      />
      <div className="app-body">
        <NavRail
          slug={slug}
          tenant={{
            name: tenant.name,
            short: tenant.short,
            mono: tenant.mono,
            plan: tenant.plan,
            status: tenant.status,
          }}
          session={session}
        />
        <main className="main">
          <Topbar crumbs={[{ label: tenant.short }]} />
          <div className="content">{children}</div>
        </main>
      </div>
      {tenant.status === "demo" ? (
        <div className="watermark" aria-hidden />
      ) : null}
    </div>
  );
}