RBAC: address PR review — batch trigger AND, fallback resilience, picker tightening

#1 Batch trigger AND semantics (security): `api.v[12].tasks.batch` now uses
`everyResource(...)` so a JWT scoped to taskA can no longer submit a batch
that also includes taskB / taskC. Added an `everyResource` helper to
`apiBuilder` (Symbol-marked wrapper that flips `ability.can` to `every`).
Multi-key OR semantics still apply for single-resource arrays (a run carries
multiple identifiers). Updated the e2e test to assert AND behaviour.

#3 Realtime stream resource (correctness): `findResource` for
`realtime.v1.streams.$runId.$streamId` now selects `taskIdentifier`,
`runTags`, and `realtimeStreamsVersion` — fields the auth resource
builder + handler read but findResource was returning undefined for.

#4 projectCreated optional chaining (crash bug): added the missing
`?.` between v3Subscription and plan so a missing subscription no longer
throws and aborts project creation.

#5 RBAC plugin loader logging: distinguish "plugin itself missing" from
"plugin found but a transitive dep failed to resolve" by inspecting the
ERR_MODULE_NOT_FOUND error message for the plugin's own module specifier.
The transitive-dep case now logs at error level (matches the comment's
stated behaviour). Removed the orphan log line that contradicted it.

#6 account.tokens picker source mismatch: the picker now sources roles
from the same plan-tier-filtered list (`systemRoles().filter(available)`)
as the default-role calculation. Added server-side roleId revalidation
in the create action so a hand-crafted POST can't bind a PAT to an
unavailable role.

Author: matt-aitken

apps/webapp/app/routes/account.tokens/route.tsx

@@ -58,33 +58,45 @@ export const meta: MetaFunction = () => {
 
 // PATs aren't org-scoped, but the RBAC plugin's allRoles is org-keyed
 // (a plugin may also expose org-defined custom roles alongside the
-// global system roles). To get the canonical system roles (Owner /
-// Admin / Member / Viewer), we hand allRoles any orgId the user
-// belongs to and filter down to the rows the plugin marks as system
-// roles. This is a UI-only convenience — the chosen role becomes a
-// global TokenRole that applies wherever the PAT is used. Custom
-// (org-defined) roles are out of scope for v1: their org-binding
-// semantics for a multi-org user's PAT need a separate design pass.
+// global system roles). The picker shows the assignable system role
+// catalogue for the user's primary org — joining `allRoles` (for the
+// full Role with permissions) against `systemRoles` (for the per-org
+// `available` flag, which gates roles by plan tier). This is a UI-only
+// convenience — the chosen role becomes a global TokenRole that
+// applies wherever the PAT is used. Custom (org-defined) roles are
+// out of scope for v1: their org-binding semantics for a multi-org
+// user's PAT need a separate design pass.
 async function loadSystemRolesForUser(userId: string) {
   const orgMember = await prisma.orgMember.findFirst({
     where: { userId },
     select: { organizationId: true },
     orderBy: { createdAt: "asc" },
   });
   if (!orgMember) {
-    return { roles: [], userRoleId: null as string | null, orgId: null as string | null };
+    return {
+      roles: [],
+      userRoleId: null as string | null,
+      orgId: null as string | null,
+    };
   }
 
-  const allRoles = await rbac.allRoles(orgMember.organizationId);
-  const systemRoles = allRoles.filter((r) => r.isSystem);
+  const [allRoles, systemRoles, userRole] = await Promise.all([
+    rbac.allRoles(orgMember.organizationId),
+    rbac.systemRoles(orgMember.organizationId),
+    rbac.getUserRole({ userId, organizationId: orgMember.organizationId }),
+  ]);
 
-  const userRole = await rbac.getUserRole({
-    userId,
-    organizationId: orgMember.organizationId,
-  });
+  // Restrict the picker to system roles the plan permits assigning —
+  // anything else would be a noisy create-time failure (or, with a
+  // permissive fallback, a token bound to a role this org isn't
+  // allowed to issue).
+  const availableIds = new Set(
+    (systemRoles ?? []).filter((r) => r.available).map((r) => r.id)
+  );
+  const roles = allRoles.filter((r) => r.isSystem && availableIds.has(r.id));
 
   return {
-    roles: systemRoles,
+    roles,
     userRoleId: userRole?.id ?? null,
     orgId: orgMember.organizationId,
   };
@@ -158,10 +170,27 @@ export const action: ActionFunction = async ({ request }) => {
   switch (submission.value.action) {
     case "create": {
       try {
+        // Revalidate the submitted roleId against the plan-allowed set
+        // — the loader filters the picker, but a hand-crafted POST can
+        // still submit any string. Empty / undefined is fine: that
+        // means "no role" and createPersonalAccessToken just doesn't
+        // write a TokenRole.
+        const submittedRoleId = submission.value.roleId;
+        if (submittedRoleId) {
+          const { roles } = await loadSystemRolesForUser(userId);
+          const allowed = new Set(roles.map((r) => r.id));
+          if (!allowed.has(submittedRoleId)) {
+            return json(
+              { errors: { body: "Selected role isn't available on this plan" } },
+              { status: 400 }
+            );
+          }
+        }
+
         const tokenResult = await createPersonalAccessToken({
           name: submission.value.tokenName,
           userId,
-          roleId: submission.value.roleId,
+          roleId: submittedRoleId,
         });
 
         return json({ ...submission, payload: { token: tokenResult } });

apps/webapp/app/routes/api.v1.tasks.batch.ts

@@ -7,7 +7,10 @@ import {
 import { env } from "~/env.server";
 import { AuthenticatedEnvironment, getOneTimeUseToken } from "~/services/apiAuth.server";
 import { logger } from "~/services/logger.server";
-import { createActionApiRoute } from "~/services/routeBuilders/apiBuilder.server";
+import {
+  createActionApiRoute,
+  everyResource,
+} from "~/services/routeBuilders/apiBuilder.server";
 import { resolveIdempotencyKeyTTL } from "~/utils/idempotencyKeys.server";
 import { ServiceValidationError } from "~/v3/services/baseService.server";
 import {
@@ -30,11 +33,17 @@ const { action, loader } = createActionApiRoute(
     maxContentLength: env.BATCH_TASK_PAYLOAD_MAXIMUM_SIZE,
     authorization: {
       action: "batchTrigger",
+      // Each item in the batch is a distinct task — every one must be
+      // authorized, not just any one of them. `everyResource` flips
+      // the auth check to AND semantics so a JWT scoped to taskA can't
+      // submit a batch that also includes taskB / taskC.
       resource: (_, __, ___, body) =>
-        Array.from(new Set(body.items.map((i) => i.task))).map((id) => ({
-          type: "tasks",
-          id,
-        })),
+        everyResource(
+          Array.from(new Set(body.items.map((i) => i.task))).map((id) => ({
+            type: "tasks",
+            id,
+          }))
+        ),
     },
     corsStrategy: "all",
   },

apps/webapp/app/routes/api.v2.tasks.batch.ts

@@ -9,7 +9,10 @@ import { env } from "~/env.server";
 import { RunEngineBatchTriggerService } from "~/runEngine/services/batchTrigger.server";
 import { AuthenticatedEnvironment, getOneTimeUseToken } from "~/services/apiAuth.server";
 import { logger } from "~/services/logger.server";
-import { createActionApiRoute } from "~/services/routeBuilders/apiBuilder.server";
+import {
+  createActionApiRoute,
+  everyResource,
+} from "~/services/routeBuilders/apiBuilder.server";
 import {
   handleRequestIdempotency,
   saveRequestIdempotency,
@@ -32,11 +35,17 @@ const { action, loader } = createActionApiRoute(
     maxContentLength: env.BATCH_TASK_PAYLOAD_MAXIMUM_SIZE,
     authorization: {
       action: "batchTrigger",
+      // Each item in the batch is a distinct task — every one must be
+      // authorized, not just any one of them. `everyResource` flips
+      // the auth check to AND semantics so a JWT scoped to taskA can't
+      // submit a batch that also includes taskB / taskC.
       resource: (_, __, ___, body) =>
-        Array.from(new Set(body.items.map((i) => i.task))).map((id) => ({
-          type: "tasks",
-          id,
-        })),
+        everyResource(
+          Array.from(new Set(body.items.map((i) => i.task))).map((id) => ({
+            type: "tasks",
+            id,
+          }))
+        ),
     },
     corsStrategy: "all",
   },

apps/webapp/app/routes/realtime.v1.streams.$runId.$streamId.ts

@@ -86,7 +86,12 @@ export const loader = createLoaderApiRoute(
           friendlyId: params.runId,
           runtimeEnvironmentId: auth.environment.id,
         },
-        include: {
+        select: {
+          id: true,
+          friendlyId: true,
+          taskIdentifier: true,
+          runTags: true,
+          realtimeStreamsVersion: true,
           batch: {
             select: {
               friendlyId: true,

apps/webapp/app/services/projectCreated.server.ts

@@ -22,7 +22,7 @@ export async function projectCreated(
     });
   } else {
     const plan = await getCurrentPlan(organization.id);
-    if (plan?.v3Subscription.plan?.limits.hasStagingEnvironment) {
+    if (plan?.v3Subscription?.plan?.limits?.hasStagingEnvironment) {
       await createEnvironment({ organization, project, type: "STAGING" });
       await createEnvironment({
         organization,

apps/webapp/app/services/routeBuilders/apiBuilder.server.ts

@@ -59,6 +59,47 @@ async function authenticateRequestForApiBuilder(
 
 type AnyZodSchema = z.ZodFirstPartySchemaTypes | z.ZodDiscriminatedUnion<any, any>;
 
+// Most route auth checks pass an array of resources to ability.can() with
+// "any-element-passes" semantics — a single record carries multiple
+// identifiers (a run is addressable by friendlyId / batch / tags / task) so a
+// JWT scoped to *any* of them grants access to the row.
+//
+// Batch operations are different: each item in the array is a *distinct*
+// resource and authorization must hold for every one of them. Wrapping the
+// array via `everyResource` flips the auth check from `some` to `every`. The
+// marker is a Symbol so it can't collide with arbitrary RbacResource fields.
+const EVERY_RESOURCE_MARKER = Symbol.for("@trigger.dev/rbac.everyResource");
+
+type EveryResourceAuth = {
+  readonly [EVERY_RESOURCE_MARKER]: true;
+  readonly resources: readonly RbacResource[];
+};
+
+export function everyResource(resources: RbacResource[]): EveryResourceAuth {
+  return { [EVERY_RESOURCE_MARKER]: true, resources };
+}
+
+function isEveryResource(value: unknown): value is EveryResourceAuth {
+  return (
+    typeof value === "object" &&
+    value !== null &&
+    (value as Record<symbol, unknown>)[EVERY_RESOURCE_MARKER] === true
+  );
+}
+
+type AuthResource = RbacResource | RbacResource[] | EveryResourceAuth;
+
+function checkAuth(
+  ability: RbacAbility,
+  action: string,
+  resource: AuthResource
+): boolean {
+  if (isEveryResource(resource)) {
+    return resource.resources.every((r) => ability.can(action, r));
+  }
+  return ability.can(action, resource);
+}
+
 type ApiKeyRouteBuilderOptions<
   TParamsSchema extends AnyZodSchema | undefined = undefined,
   TSearchParamsSchema extends AnyZodSchema | undefined = undefined,
@@ -97,7 +138,7 @@ type ApiKeyRouteBuilderOptions<
       headers: THeadersSchema extends z.ZodFirstPartySchemaTypes | z.ZodDiscriminatedUnion<any, any>
         ? z.infer<THeadersSchema>
         : undefined
-    ) => RbacResource | RbacResource[];
+    ) => AuthResource;
   };
 };
 
@@ -233,7 +274,7 @@ export function createLoaderApiRoute<
           parsedHeaders
         );
 
-        if (!ability.can(action, $authResource)) {
+        if (!checkAuth(ability, action, $authResource)) {
           return await wrapResponse(
             request,
             json(
@@ -484,7 +525,7 @@ type ApiKeyActionRouteBuilderOptions<
       // externalId for sessions) read it here so a JWT minted for either form
       // authorizes both URL forms.
       resource: TResource | undefined
-    ) => RbacResource | RbacResource[];
+    ) => AuthResource;
   };
   maxContentLength?: number;
   body?: TBodySchema;
@@ -700,7 +741,7 @@ export function createActionApiRoute<
           resource
         );
 
-        if (!ability.can(action, $resource)) {
+        if (!checkAuth(ability, action, $resource)) {
           return await wrapResponse(
             request,
             json(
@@ -807,7 +848,7 @@ type MultiMethodApiRouteOptions<
   corsStrategy?: "all" | "none";
   authorization?: {
     action: string;
-    resource: (params: InferZod<TParamsSchema>) => RbacResource | RbacResource[];
+    resource: (params: InferZod<TParamsSchema>) => AuthResource;
   };
   maxContentLength?: number;
   methods: Partial<
@@ -938,7 +979,7 @@ export function createMultiMethodApiRoute<
         const { action, resource } = authorization;
         const $resource = resource(parsedParams);
 
-        if (!ability.can(action, $resource)) {
+        if (!checkAuth(ability, action, $resource)) {
           return await wrapResponse(
             request,
             json(

apps/webapp/test/auth-api.e2e.full.test.ts

@@ -387,9 +387,11 @@ describe("API", () => {
   // Trigger task routes (TRI-8733). The single-task route uses
   // action: "trigger" with a single resource { type: "tasks", id };
   // batch v1/v2 use action: "batchTrigger" with a body-derived array
-  // [{type:"tasks", id}, ...]; v3 batches use a collection-level
-  // resource { type: "tasks" } (no id — items are validated per-row
-  // when streamed).
+  // [{type:"tasks", id}, ...] under AND semantics — every task in the
+  // batch must be authorized, not just any one (otherwise a JWT scoped
+  // to one task could submit a batch with arbitrary other tasks).
+  // v3 batches use a collection-level resource { type: "tasks" }
+  // (no id — items are validated per-row when streamed).
   //
   // ACTION_ALIASES (from packages/core/src/v3/jwt.ts) maps write→trigger
   // and write→batchTrigger so write:tasks scopes also satisfy these
@@ -619,10 +621,11 @@ describe("API", () => {
       expect(res.status).not.toBe(403);
     });
 
-    it("JWT with batchTrigger:tasks:taskA + body has [taskA, taskB]: auth passes (any-match)", async () => {
-      // Multi-key resource semantics: when the route's resource is an
-      // array, ANY scope matching ANY array element grants access.
-      // Locks in the legacy contract from TRI-8719.
+    it("JWT with batchTrigger:tasks:taskA + body has [taskA, taskB]: 403 (every-task semantics)", async () => {
+      // Batch trigger uses AND semantics — every task in the body must
+      // be authorized, not just any one of them. A JWT scoped to only
+      // taskA cannot submit a batch that also includes taskB, otherwise
+      // the caller would be triggering tasks they have no scope for.
       const server = getTestServer();
       const seed = await seedTestEnvironment(server.prisma);
       const jwt = await generateJWT({
@@ -639,6 +642,28 @@ describe("API", () => {
         headers: { Authorization: `Bearer ${jwt}`, "Content-Type": "application/json" },
         body: JSON.stringify(buildBody(["taskA", "taskB"])),
       });
+      expect(res.status).toBe(403);
+    });
+
+    it("JWT with batchTrigger:tasks:taskA + body has [taskA] only: auth passes", async () => {
+      // Per-task scope grants per-task access — a batch containing
+      // only the authorized task is allowed.
+      const server = getTestServer();
+      const seed = await seedTestEnvironment(server.prisma);
+      const jwt = await generateJWT({
+        secretKey: seed.apiKey,
+        payload: {
+          pub: true,
+          sub: seed.environment.id,
+          scopes: ["batchTrigger:tasks:taskA"],
+        },
+        expirationTime: "15m",
+      });
+      const res = await server.webapp.fetch(path, {
+        method: "POST",
+        headers: { Authorization: `Bearer ${jwt}`, "Content-Type": "application/json" },
+        body: JSON.stringify(buildBody(["taskA"])),
+      });
       expect(res.status).not.toBe(401);
       expect(res.status).not.toBe(403);
     });

internal-packages/rbac/src/index.ts

@@ -59,8 +59,8 @@ class LazyController implements RoleBaseAccessController {
     if (options?.forceFallback) {
       return new RoleBaseAccessFallback(prisma).create(helpers);
     }
+    const moduleName = "@triggerdotdev/plugins/rbac";
     try {
-      const moduleName = "@triggerdotdev/plugins/rbac";
       const module = await import(moduleName);
       const plugin: RoleBasedAccessControlPlugin = module.default;
       console.log("RBAC: using plugin implementation");
@@ -71,15 +71,28 @@ class LazyController implements RoleBaseAccessController {
       // — silently swallowing the error here is what produced "why is
       // the fallback being used?" mysteries before.
       //
-      // 1. Module-not-found — expected when no plugin is installed.
+      // 1. The plugin itself is absent (no install) — expected.
       //    Logged at info level only when RBAC_LOG_FALLBACK=1 so
       //    production logs stay quiet.
       // 2. Anything else (transitive dep missing, init error, syntax
       //    error in the plugin's dist, etc.) — a real bug. Always
       //    logged loudly so it surfaces in CI / production logs.
+      //
+      // Node throws ERR_MODULE_NOT_FOUND for both cases — the *plugin*
+      // module being absent and a *transitive* dep of the plugin
+      // being absent. Disambiguate by checking whether the missing
+      // specifier in the error message is the plugin's own moduleName.
       const code = (err as NodeJS.ErrnoException | undefined)?.code;
-      const isModuleNotFound = code === "ERR_MODULE_NOT_FOUND" || code === "MODULE_NOT_FOUND";
-      if (!isModuleNotFound) {
+      const message = err instanceof Error ? err.message : String(err);
+      const isModuleNotFound =
+        code === "ERR_MODULE_NOT_FOUND" || code === "MODULE_NOT_FOUND";
+      const isPluginItselfMissing =
+        isModuleNotFound && message.includes(moduleName);
+
+      if (!isPluginItselfMissing) {
+        // Either the error wasn't a missing-module error at all, or the
+        // plugin was found but a transitive dep failed to resolve.
+        // Either way: a real problem worth surfacing.
         console.error(
           "RBAC: plugin found but failed to load; falling back to default implementation",
           err
@@ -88,8 +101,6 @@ class LazyController implements RoleBaseAccessController {
         console.log(
           "RBAC: no plugin installed (ERR_MODULE_NOT_FOUND); using fallback"
         );
-      } else {
-        console.log(`RBAC: using fallback implementation. ${err}`);
       }
       return new RoleBaseAccessFallback(prisma).create(helpers);
     }