fixes three related pagination bugs in the command's org user fetch logic.

[cs-raj]

Summary

Port of fix/DX-3943 to v1-dev. Fixes three related pagination bugs in the export-to-csv command's org user fetch logic.

Problem

Bug 1 — Org owners only got the first page of users
getOrgUsers had a special branch for is_owner === true that called
getInvitations() with no parameters and resolved immediately. Owners
with more than config.limit users silently received a truncated list.

Bug 2 — Wrong access-denied guard
The guard for non-owners checked !organization.getInvitations (whether
a method existed on the object) instead of !organization.is_owner.
This was always falsy and the check was effectively dead.

Bug 3 — Last page items dropped in pagination loop
getUsers stopped paginating when users.items.length === 0. But the
actual final page (a partial page with fewer items than the limit) was
fetched, its items ignored, and then an extra empty-page round-trip was
made before stopping.

Changes

• src/utils/api-client.ts

  • Removed the is_owner === true early-exit branch; owners now go
    through the same paginated getUsers path as admins.
  • Changed access-denied guard from !organization.getInvitations →
    !organization.is_owner.
  • Changed stop condition in getUsers from !users.items.length →
    users.items.length < params.limit, and correctly appends the
    partial last page's items before returning.
  • Changed hardcoded limit: 100 → limit: config.limit.

• test/unit/utils/api-client.test.ts

  • Added getOrgUsers test suite with three cases: pagination for
    owners, pagination for admins, and access-denied rejection.

Test plan

• getOrgUsers returns all pages for org owners (not just page 1)
• getOrgUsers returns all pages for org admins
• getOrgUsers rejects with ERROR_ADMIN_ACCESS_DENIED for users with neither role
• Run npm run test:unit — all api-client tests pass

[github-actions]

🔒 Security Scan Results

ℹ️ Note: Only vulnerabilities with available fixes (upgrades or patches) are counted toward thresholds.

Check Type	Count (with fixes)	Without fixes	Threshold	Result
🔴 Critical Severity	0	0	10	✅ Passed
🟠 High Severity	0	74	25	✅ Passed
🟡 Medium Severity	49	100	500	✅ Passed
🔵 Low Severity	0	0	1000	✅ Passed

⏱️ SLA Breach Summary

⚠️ Warning: The following vulnerabilities have exceeded their SLA thresholds (days since publication).

Severity	Breaches (with fixes)	Breaches (no fixes)	SLA Threshold (with/no fixes)	Status
🔴 Critical	0	0	15 / 30 days	✅ Passed
🟠 High	0	0	30 / 120 days	✅ Passed
🟡 Medium	4	0	90 / 365 days	❌ Failed
🔵 Low	0	0	180 / 365 days	✅ Passed

🟡 Medium Severity - SLA Breached Issues (with fixes)

Showing 4 issue(s) that have exceeded the 90-day SLA threshold:

1. Regular Expression Denial of Service (ReDoS)

   • ID: SNYK-JS-YARN-12143051
   • Package: yarn@1.22.22
   • Published: 300 days ago (SLA: 90 days)
   • CVSS Score: 4.8
   • CVE: CVE-2025-9308

2. Regular Expression Denial of Service (ReDoS)

   • ID: SNYK-JS-YARN-12143051
   • Package: yarn@1.22.22
   • Published: 300 days ago (SLA: 90 days)
   • CVSS Score: 4.8
   • CVE: CVE-2025-9308

3. Regular Expression Denial of Service (ReDoS)

   • ID: SNYK-JS-YARN-12143051
   • Package: yarn@1.22.22
   • Published: 300 days ago (SLA: 90 days)
   • CVSS Score: 4.8
   • CVE: CVE-2025-9308

4. Regular Expression Denial of Service (ReDoS)

   • ID: SNYK-JS-YARN-12143051
   • Package: yarn@1.22.22
   • Published: 300 days ago (SLA: 90 days)
   • CVSS Score: 4.8
   • CVE: CVE-2025-9308

ℹ️ Vulnerabilities Without Available Fixes (Informational Only)

The following vulnerabilities were detected but do not have fixes available (no upgrade or patch). These are excluded from failure thresholds:

• Critical without fixes: 0
• High without fixes: 74
• Medium without fixes: 100
• Low without fixes: 0

❌ BUILD FAILED - Security checks failed

Please review and fix the security vulnerabilities before merging.