feat: bypass managed template trial limits for Vercel team members

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: martinsione

apps/web/app/api/auth/vercel/callback/route.test.ts

@@ -37,11 +37,17 @@ mock.module("next/headers", () => ({
   }),
 }));
 
+const hasAccessToVercelTeamSlugMock = mock(async () => false);
+
 mock.module("@/lib/vercel/oauth", () => ({
   exchangeVercelCode: exchangeVercelCodeMock,
   getVercelUserInfo: getVercelUserInfoMock,
 }));
 
+mock.module("@/lib/vercel/projects", () => ({
+  hasAccessToVercelTeamSlug: hasAccessToVercelTeamSlugMock,
+}));
+
 mock.module("@/lib/db/users", () => ({
   upsertUser: upsertUserMock,
 }));
@@ -85,6 +91,7 @@ beforeEach(() => {
 
   exchangeVercelCodeMock.mockClear();
   getVercelUserInfoMock.mockClear();
+  hasAccessToVercelTeamSlugMock.mockClear();
   upsertUserMock.mockClear();
   encryptMock.mockClear();
   encryptJWEMock.mockClear();
@@ -153,6 +160,34 @@ describe("GET /api/auth/vercel/callback", () => {
     expect(upsertUserMock).toHaveBeenCalledTimes(1);
   });
 
+  test("includes isAllowedTeamMember in the encrypted session", async () => {
+    hasAccessToVercelTeamSlugMock.mockResolvedValueOnce(true);
+
+    const { GET } = await routeModulePromise;
+    await GET(createRequest());
+
+    expect(hasAccessToVercelTeamSlugMock).toHaveBeenCalledWith(
+      "access-token",
+      "vercel",
+    );
+    const sessionArg = (
+      encryptJWEMock.mock.calls as unknown as [Record<string, unknown>][]
+    )[0][0];
+    expect(sessionArg.isAllowedTeamMember).toBe(true);
+  });
+
+  test("sets isAllowedTeamMember to false for non-team users", async () => {
+    hasAccessToVercelTeamSlugMock.mockResolvedValueOnce(false);
+
+    const { GET } = await routeModulePromise;
+    await GET(createRequest());
+
+    const sessionArg = (
+      encryptJWEMock.mock.calls as unknown as [Record<string, unknown>][]
+    )[0][0];
+    expect(sessionArg.isAllowedTeamMember).toBe(false);
+  });
+
   test("allows non-Vercel emails on self-hosted deployments", async () => {
     process.env.VERCEL_GIT_REPO_OWNER = "someone-else";
     process.env.VERCEL_GIT_REPO_SLUG = "open-harness-clone";

apps/web/app/api/auth/vercel/callback/route.ts

@@ -4,7 +4,9 @@ import { encrypt } from "@/lib/crypto";
 import { upsertUser } from "@/lib/db/users";
 import { encryptJWE } from "@/lib/jwe/encrypt";
 import { SESSION_COOKIE_NAME } from "@/lib/session/constants";
+import { ALLOWED_VERCEL_TEAM_SLUG } from "@/lib/managed-template-trial";
 import { exchangeVercelCode, getVercelUserInfo } from "@/lib/vercel/oauth";
+import { hasAccessToVercelTeamSlug } from "@/lib/vercel/projects";
 
 function clearVercelOauthCookies(store: Awaited<ReturnType<typeof cookies>>) {
   store.delete("vercel_auth_state");
@@ -49,7 +51,10 @@ export async function GET(req: NextRequest): Promise<Response> {
       redirectUri,
     });
 
-    const userInfo = await getVercelUserInfo(tokens.access_token);
+    const [userInfo, isAllowedTeamMember] = await Promise.all([
+      getVercelUserInfo(tokens.access_token),
+      hasAccessToVercelTeamSlug(tokens.access_token, ALLOWED_VERCEL_TEAM_SLUG),
+    ]);
 
     const tokenExpiresAt = new Date(Date.now() + tokens.expires_in * 1000);
 
@@ -74,6 +79,7 @@ export async function GET(req: NextRequest): Promise<Response> {
     const session = {
       created: Date.now(),
       authProvider: "vercel" as const,
+      isAllowedTeamMember,
       user: {
         id: userId,
         username,

apps/web/app/api/sessions/route.test.ts

@@ -3,6 +3,7 @@ import type { VercelProjectSelection } from "@/lib/vercel/types";
 
 let currentSession: {
   authProvider?: "vercel" | "github";
+  isAllowedTeamMember?: boolean;
   user: {
     id: string;
     username: string;
@@ -147,6 +148,37 @@ describe("/api/sessions POST vercel project linking", () => {
     expect(createCalls).toHaveLength(0);
   });
 
+  test("allows additional sessions for Vercel team members on the managed deployment", async () => {
+    const { POST } = await routeModulePromise;
+
+    currentSession = {
+      authProvider: "vercel",
+      user: {
+        id: "user-1",
+        username: "nico",
+        name: "Nico",
+        email: "person@example.com",
+      },
+      isAllowedTeamMember: true,
+    };
+    existingSessionCount = 5;
+
+    const response = await POST(
+      createJsonRequest(
+        {
+          branch: "main",
+          cloneUrl: "https://github.com/vercel/open-harness",
+          repoOwner: "vercel",
+          repoName: "open-harness",
+        },
+        "https://open-agents.dev/api/sessions",
+      ),
+    );
+
+    expect(response.status).toBe(200);
+    expect(createCalls).toHaveLength(1);
+  });
+
   test("explicit Vercel project is validated against live repo matches before it is persisted", async () => {
     const { POST } = await routeModulePromise;
 

apps/web/lib/managed-template-trial.ts

@@ -1,6 +1,7 @@
 import type { Session } from "@/lib/session/types";
 
 const ALLOWED_VERCEL_EMAIL_DOMAIN = "vercel.com";
+export const ALLOWED_VERCEL_TEAM_SLUG = "vercel";
 const MANAGED_TEMPLATE_HOSTS = new Set([
   "open-agents.dev",
   "www.open-agents.dev",
@@ -60,12 +61,16 @@ export function hasAllowedManagedTemplateEmail(email?: string) {
 }
 
 export function isManagedTemplateTrialUser(
-  session: Pick<Session, "authProvider" | "user"> | null | undefined,
+  session:
+    | Pick<Session, "authProvider" | "user" | "isAllowedTeamMember">
+    | null
+    | undefined,
   url: string | URL,
 ) {
   return (
     session?.authProvider === "vercel" &&
     isManagedTemplateDeployment(url) &&
+    !session.isAllowedTeamMember &&
     !hasAllowedManagedTemplateEmail(session.user.email)
   );
 }

apps/web/lib/session/server.ts

@@ -12,6 +12,7 @@ export async function getSessionFromCookie(
       return {
         created: decrypted.created,
         authProvider: decrypted.authProvider,
+        isAllowedTeamMember: decrypted.isAllowedTeamMember,
         user: decrypted.user,
       };
     }

apps/web/lib/session/types.ts

@@ -1,6 +1,7 @@
 export interface Session {
   created: number;
   authProvider: "vercel" | "github";
+  isAllowedTeamMember?: boolean;
   user: {
     id: string;
     username: string;

apps/web/lib/vercel/projects.ts

@@ -158,6 +158,19 @@ async function listAccessibleVercelTeams(
     }));
 }
 
+export async function hasAccessToVercelTeamSlug(
+  token: string,
+  slug: string,
+): Promise<boolean> {
+  try {
+    const teams = await listAccessibleVercelTeams(token);
+    return teams.some((team) => team.teamSlug === slug);
+  } catch (error) {
+    console.error("[hasAccessToVercelTeamSlug] failed:", error);
+    return false;
+  }
+}
+
 async function listProjectsForScope(params: {
   token: string;
   repoUrl: string;