Add super admin console at /-/admin/

[ericokuma]

Internal superuser console at /-/superuser/, giving CS and account managers a GUI for operations currently only available via rill sudo CLI commands.

• Route group /-/superuser/ with auth guard (checks GetCurrentUserResponse.superuser)
• Uses ContentContainer + LeftNav layout pattern (matches Settings pages)
• 6 pages: Users (search/assume/delete), Superusers (list/add/remove), Billing (setup link/extend trial/issues), Quotas (org quotas), Organizations (lookup/members/projects), Projects (search/slots/hibernate/redeploy)
• Destructive actions use GuardedDeleteDialog (type-to-confirm) or ConfirmActionDialog
• "Superuser Console" link in avatar menu (above "View as"), visible only to superusers
• Self-removal from superuser list is prevented

Checklist:

• Covered by tests
• Ran it and it works as intended
• Reviewed the diff before requesting a review
• Checked for unhandled edge cases
• Linked the issues it closes
• Checked if the docs need to be updated. If so, create a separate Linear DOCS issue
• Intend to cherry-pick into the release branch
• I am proud of this work!

---

Developed in collaboration with Claude Code

[ericokuma]

Re-review: Issues Found & Fixed

After re-reviewing the current state of the PR, I identified and fixed the following issues:

Fixed in this pass

1. Auth guard control flow clarity (+layout.ts): Restructured the catch block so redirectToLogin() is only called inside the 401 branch, with non-401 errors always throwing a redirect. Same behavior, clearer intent.

2. Unreachable code (+page.svelte Users): Removed notifySuccess() call after assumedUser.assume() — since assume() sets window.location.href, the notification never displays.

3. Unfiltered invalidateQueries() (superusers/+page.svelte): Both add and remove handlers called queryClient.invalidateQueries() with no filter, invalidating every query in the app. Scoped to /v1/superuser queries.

4. Unfiltered invalidateQueries() (billing/+page.svelte): handleDeleteIssue invalidated all queries. Scoped to /v1/organizations and /v1/superuser/billing.

5. ConfirmDialog closes on error (ConfirmDialog.svelte): If onConfirm threw, the dialog would close via the finally block, hiding the error. Added a catch block so the dialog stays open on failure, letting users retry or cancel.

Not applicable

• Annotations page, whitelist page, and OrgHeader component do not exist in the current diff — these were false positives from the earlier review.
• superuserForceAccess on getOrgProjects: the AdminServiceListProjectsForOrganizationParams type does not include this field, so no change needed.

---

Developed in collaboration with Claude Code

[ericokuma]

https://www.loom.com/share/c2371a742c5446ed8f33bd2f2da311b9

[royendo]

Would be nice to have a header in each page; naving from Organizations to Projects is hard to tell if i swapped pages

id remove the ability to remove yourself from superuser by accident

[royendo]

addressed my review

[ericpgreen2]

Three issues worth addressing before merge, one structural recommendation for after.

Assumed sessions affect all browser tabs, but the banner is per-tab only.

RepresentingBanner reads from sessionStorage, which is scoped to a single tab. Auth cookies are not — they apply to the entire browser session. If a superuser assumes a user in Tab A and then switches to or opens Tab B, Tab B is authenticated as the customer with no banner. Any action taken there happens on behalf of the customer without any visible indication. This is the highest-risk behavior in the PR.

Redeploy should require type-to-confirm, not a single click.

Delete organization correctly uses GuardedDeleteDialog. Redeploy uses ConfirmActionDialog — one button click, no friction. Redeploy is disruptive to active users; it warrants the same safeguard.

getOrgProjects is missing superuserForceAccess: true.

In organizations/selectors.ts, getOrgProjects passes {} as params while getOrganization and getOrgMembers both pass { superuserForceAccess: true }. Without it, listing projects for an org the superuser isn't a member of returns a 403. The flag is a per-request opt-in required by the server (forceAccess = claims.Superuser(ctx) && req.SuperuserForceAccess) — normal membership checks apply otherwise. Given that every selector in this surface needs it, each selector file should make it impossible to forget, whether through a local constant, a comment at the top, or a wrapping helper.

Structural: hibernate and redeploy belong only on the Projects page.

These actions are duplicated across organizations/+page.svelte and projects/+page.svelte with separate handler functions and dialog state in each. When the API changes, both pages need updating. The Organizations page is for inspection; project-level operations (hibernate, redeploy, slots) have a natural home in Projects. Removing them from Organizations would eliminate the duplication and give each page a clearer scope.

---

Developed in collaboration with Claude Code

[ericpgreen2]

It looks like this PR now has a bunch of unintentionally committed code.

I'm certain the above is a mistake, but, related, I've noticed that the base PR is itself very large. Going forward, let's please try to scope PRs to be less than 1000 lines-of-code changed.

[ericokuma]

It looks like this PR now has a bunch of unintentionally committed code.

I'm certain the above is a mistake, but, related, I've noticed that the base PR is itself very large. Going forward, let's please try to scope PRs to be less than 1000 lines-of-code changed.

For sure, I addressed to remove unintentionally committed code