fix(sso): gate SSO UI on plugin presence, not managed-cloud

The SSO controller is built with forceFallback: !SSO_ENABLED || SSO_FORCE_FALLBACK,
so ssoController.isUsingPlugin() is true only when SSO_ENABLED is on AND a real
plugin is loaded — it already encodes 'env var on + plugin available'. The UI
gates were leading on isManagedCloud instead, which is neither necessary nor
the intended signal (per review).

- login button: gate purely on isUsingPlugin(); drop the isManagedCloud host
  check and the hasSso global-flag check (login is pre-auth — plugin presence
  is the source of truth). Still short-circuits before any flag fetch.
- SSO settings page: drop isManagedCloud from both the loader and action gates;
  key both on isUsingPlugin() so config mutations require an active plugin too.

Addresses PR #3911 review (Matt).

Author: 0ski

apps/webapp/app/routes/_app.orgs.$organizationSlug.settings.sso/route.tsx

@@ -31,7 +31,6 @@ import { Paragraph } from "~/components/primitives/Paragraph";
 import { Select, SelectItem } from "~/components/primitives/Select";
 import { Switch } from "~/components/primitives/Switch";
 import { $replica } from "~/db.server";
-import { featuresForRequest } from "~/features.server";
 import { useOrganization } from "~/hooks/useOrganizations";
 import { rbac } from "~/services/rbac.server";
 import { ssoController } from "~/services/sso.server";
@@ -79,12 +78,11 @@ export const loader = dashboardLoader(
     authorization: { action: "manage", resource: { type: "sso" } },
   },
   async ({ context, request }) => {
-    const { isManagedCloud } = featuresForRequest(request);
-    // Gate on managed cloud AND the SSO plugin actually being loaded
-    // (SSO_ENABLED off → OSS fallback → isUsingPlugin false). Without
-    // this the page renders for every managed-cloud org even when SSO
-    // is disabled for the deployment.
-    if (!isManagedCloud || !(await ssoController.isUsingPlugin())) {
+    // Gate purely on the SSO plugin being loaded. `isUsingPlugin()` is true
+    // only when SSO_ENABLED is on AND a real plugin is installed (the
+    // controller forces the OSS fallback otherwise), so plugin presence is the
+    // authoritative signal — no separate managed-cloud host check needed.
+    if (!(await ssoController.isUsingPlugin())) {
       throw new Response("Not Found", { status: 404 });
     }
 
@@ -175,8 +173,9 @@ export const action = dashboardAction(
       throw new Response("Not Found", { status: 404 });
     }
 
-    const { isManagedCloud } = featuresForRequest(request);
-    if (!isManagedCloud) {
+    // Mirror the loader gate: SSO config mutations are only valid when the
+    // plugin is actually active (SSO_ENABLED + plugin installed).
+    if (!(await ssoController.isUsingPlugin())) {
       throw new Response("Not Found", { status: 404 });
     }
     await requireSsoEntitlement(orgId);

apps/webapp/app/routes/login._index/route.tsx

@@ -13,14 +13,12 @@ import { FormError } from "~/components/primitives/FormError";
 import { Header1 } from "~/components/primitives/Headers";
 import { Paragraph } from "~/components/primitives/Paragraph";
 import { TextLink } from "~/components/primitives/TextLink";
-import { featuresForRequest } from "~/features.server";
 import { isGithubAuthSupported, isGoogleAuthSupported } from "~/services/auth.server";
 import { getLastAuthMethod } from "~/services/lastAuthMethod.server";
 import { commitSession, setRedirectTo } from "~/services/redirectTo.server";
 import { getUserId } from "~/services/session.server";
 import { getUserSession } from "~/services/sessionStorage.server";
 import { ssoController } from "~/services/sso.server";
-import { flags as getGlobalFlags } from "~/v3/featureFlags.server";
 import { requestUrl } from "~/utils/requestUrl.server";
 import { SSO_SESSION_EXPIRED_REASON } from "~/utils/ssoSession";
 import { cn } from "~/utils/cn";
@@ -86,17 +84,13 @@ export async function loader({ request }: LoaderFunctionArgs) {
       ? "Your SSO session expired. Please sign in again."
       : null;
 
-  const { isManagedCloud } = featuresForRequest(request);
-  // /login is unauthenticated and high-traffic; don't pay the plugin
-  // resolution + flag fetch on self-hosted where the result is unused.
-  let showSsoAuth = false;
-  if (isManagedCloud) {
-    const [pluginActive, globalFlags] = await Promise.all([
-      ssoController.isUsingPlugin(),
-      getGlobalFlags(),
-    ]);
-    showSsoAuth = pluginActive && (globalFlags as Record<string, unknown>).hasSso === true;
-  }
+  // Show the SSO entry purely on plugin presence. `isUsingPlugin()` is true
+  // only when SSO_ENABLED is on AND a real SSO plugin is loaded — the
+  // controller is built with `forceFallback: !SSO_ENABLED || SSO_FORCE_FALLBACK`,
+  // so this single signal already encodes "the env var is on and the plugin is
+  // available". /login is unauthenticated + high-traffic, but this only awaits
+  // the controller's cached init — no per-request plugin resolution or flag fetch.
+  const showSsoAuth = await ssoController.isUsingPlugin();
 
   if (redirectTo) {
     const session = await setRedirectTo(request, redirectTo);