Address PR review: fallback grace window + multi-table query AND + UX

Five real-bug fixes from CodeRabbit + Devin review of #3499:

#1 personalAccessToken.server.ts: FALLBACK_NOT_INSTALLED_ERROR string
   was 'RBAC fallback not installed' but the OSS fallback actually
   returns 'RBAC plugin not installed'. The mismatch made every PAT
   creation with a roleId hit the compensating-delete branch on
   self-hosters with no plugin installed — including the dashboard
   PAT-creation flow. Aligns the constant with the canonical string.

#2 internal-packages/rbac/src/fallback.ts: authenticateBearer skipped
   the revoked-API-key grace window (RevokedApiKey table), so a
   freshly-rotated env API key would 401 immediately on the new auth
   path. Mirrors findEnvironmentByApiKey's fallback-to-RevokedApiKey
   logic so the auth-cross-cutting e2e tests pass.

#3 api.v1.query.ts: multi-table queries built a plain RbacResource
   array, which checkAuth treats as 'any element passes'. A JWT
   scoped to one detected table could submit a query that also reads
   another table it isn't scoped to. Wrap with everyResource — same
   AND-semantics fix as the batch trigger routes.

#4 account.tokens/route.tsx: defaultRoleId could land on a custom or
   plan-blocked role when userRoleId wasn't in the picker's assignable
   set. The action's submit-revalidation would then 400 until the user
   manually changed the dropdown. Clamp the default to roles the picker
   actually renders.

#5 settings.team/route.tsx: the role Select used defaultValue, so a
   failed set-role submit left the attempted role visible while the
   server kept the old one. Switch to a controlled value bound to
   currentRoleId.

Author: matt-aitken

apps/webapp/app/routes/_app.orgs.$organizationSlug.settings.team/route.tsx

@@ -595,7 +595,11 @@ function RolePicker({
 
   const picker = (
     <Select
-      defaultValue={currentRoleId ?? ""}
+      // Controlled — keeps the dropdown in sync with the persisted
+      // role even after a failed set-role fetcher submit (the server
+      // kept the old role; without `value` the UI would show the
+      // attempted change).
+      value={currentRoleId ?? ""}
       items={roles}
       variant="tertiary/small"
       disabled={!canManageMembers || isSubmitting}

apps/webapp/app/routes/account.tokens/route.tsx

@@ -118,9 +118,15 @@ export const loader = async ({ request }: LoaderFunctionArgs) => {
     // user isn't a member of any org or no RBAC plugin is installed,
     // the picker is hidden anyway, so defaultRoleId is just a
     // placeholder.
-    const sys = orgId ? await rbac.systemRoles(orgId) : null;
-    const lowestAvailable = (sys ?? []).filter((r) => r.available).at(-1)?.id ?? "";
-    const defaultRoleId = userRoleId ?? lowestAvailable;
+    // Clamp to roles the picker actually renders (`roles` already
+    // joins systemRoles ∩ assignableRoleIds). If userRoleId points at
+    // a custom or plan-blocked role, the hidden form value would
+    // otherwise post a roleId the action's revalidation rejects with
+    // 400. Fall through to the most-restrictive assignable role.
+    const assignableIds = new Set(roles.map((r) => r.id));
+    const lowestAssignable = roles.at(-1)?.id ?? "";
+    const defaultRoleId =
+      userRoleId && assignableIds.has(userRoleId) ? userRoleId : lowestAssignable;
 
     return typedjson({
       personalAccessTokens,

apps/webapp/app/routes/api.v1.query.ts

@@ -1,7 +1,10 @@
 import { json } from "@remix-run/server-runtime";
 import { QueryError } from "@internal/clickhouse";
 import { z } from "zod";
-import { createActionApiRoute } from "~/services/routeBuilders/apiBuilder.server";
+import {
+  createActionApiRoute,
+  everyResource,
+} from "~/services/routeBuilders/apiBuilder.server";
 import { executeQuery, type QueryScope } from "~/services/queryService.server";
 import { logger } from "~/services/logger.server";
 import { rowsToCSV } from "~/utils/dataExport";
@@ -34,10 +37,14 @@ const { action, loader } = createActionApiRoute(
     findResource: async () => 1,
     authorization: {
       action: "read",
+      // A multi-table query reads from every detected table. Wrap with
+      // everyResource so a JWT scoped to one table can't pass auth for
+      // a query that also reads tables it isn't scoped to (would be the
+      // same OR-loophole the batch trigger route had pre-fix).
       resource: (_, __, ___, body) => {
         const tables = detectTables(body.query);
         return tables.length > 0
-          ? tables.map((id) => ({ type: "query", id }))
+          ? everyResource(tables.map((id) => ({ type: "query", id })))
           : { type: "query", id: "all" };
       },
     },

apps/webapp/app/services/personalAccessToken.server.ts

@@ -22,7 +22,11 @@ export const PAT_LAST_ACCESSED_THROTTLE_MS = 5 * 60 * 1000;
 // the PAT is still valid; auth just falls through to legacy permissive
 // behaviour. Any other error is treated as a real failure and triggers
 // the compensating delete below.
-const FALLBACK_NOT_INSTALLED_ERROR = "RBAC fallback not installed";
+// Must match the OSS fallback's exact error string (see
+// `internal-packages/rbac/src/fallback.ts`'s `setTokenRole`). The
+// match is how we detect "no plugin installed" and skip the
+// compensating delete.
+const FALLBACK_NOT_INSTALLED_ERROR = "RBAC plugin not installed";
 
 type CreatePersonalAccessTokenOptions = {
   name: string;

internal-packages/rbac/src/fallback.ts

@@ -80,15 +80,30 @@ class RoleBaseAccessFallbackController implements RoleBaseAccessController {
       };
     }
 
-    const env = await this.prisma.runtimeEnvironment.findFirst({
+    const include = {
+      project: true,
+      organization: true,
+      orgMember: { select: { userId: true } },
+    } as const;
+    let env = await this.prisma.runtimeEnvironment.findFirst({
       where: { apiKey: rawToken },
-      include: {
-        project: true,
-        organization: true,
-        orgMember: { select: { userId: true } },
-      },
+      include,
     });
 
+    // Revoked API key grace window — mirrors `findEnvironmentByApiKey`
+    // in apps/webapp/app/models/runtimeEnvironment.server.ts. Recently
+    // rotated keys keep working until their `expiresAt`; without this
+    // branch a customer who rotates an env API key gets immediate 401s
+    // on the new auth path. The PR's e2e suite covers this in
+    // auth-cross-cutting.e2e.full.test.ts ("revoked key within grace").
+    if (!env) {
+      const revoked = await this.prisma.revokedApiKey.findFirst({
+        where: { apiKey: rawToken, expiresAt: { gt: new Date() } },
+        include: { runtimeEnvironment: { include } },
+      });
+      env = revoked?.runtimeEnvironment ?? null;
+    }
+
     if (!env || env.project.deletedAt !== null) {
       return { ok: false, status: 401, error: "Invalid API key" };
     }