chore(webapp): collapse RBAC server-changes note and reword comments

matt-aitken · matt-aitken · commit fd6d0bf645df · 2026-06-18T11:30:56.000+01:00
Combine the two RBAC server-changes notes into a single entry that lists the
new permission boundaries. Reword the run cancel/replay comments to refer to
the RBAC plugin generically.
diff --git a/.server-changes/rbac-permission-enforcement.md b/.server-changes/rbac-permission-enforcement.md
@@ -3,4 +3,4 @@ area: webapp
 type: feature
 ---
 
-Enforce role-based permissions across the dashboard and API. Roles without access to a resource (environment variables, API keys, deployments, integrations, members, billing) can no longer read or change it, and gated pages now show a permission-denied panel instead of redirecting away.
+Enforce role-based permissions across the dashboard and API. New permission boundaries cover: runs (cancel, replay, bulk actions), deployments (rollback, promote, cancel), prompt versions, organization members (invite, resend, revoke), billing and seat purchases, integrations (GitHub and Vercel), and environment variables and API keys (restricted by environment tier). Roles without access can no longer read or change these, gated controls are disabled with a tooltip, and gated pages show a permission-denied panel instead of redirecting away. Behaviour is unchanged in the default configuration, where permissions stay permissive.
diff --git a/.server-changes/rbac-route-permission-enforcement.md b/.server-changes/rbac-route-permission-enforcement.md
diff --git a/apps/webapp/app/routes/_app.orgs.$organizationSlug.settings.integrations.vercel.tsx b/apps/webapp/app/routes/_app.orgs.$organizationSlug.settings.integrations.vercel.tsx
@@ -412,4 +412,4 @@ export default function VercelIntegrationPage() {
       </PageBody>
     </PageContainer>
   );
-}
+}
diff --git a/apps/webapp/app/routes/resources.taskruns.$runParam.cancel.ts b/apps/webapp/app/routes/resources.taskruns.$runParam.cancel.ts
@@ -37,7 +37,7 @@ async function resolveRunOrganizationId(runParam: string): Promise<string | null
   // Replica lag with the buffer entry already drained: the run can exist in
   // the primary while both lookups above miss. Fall back to the primary so the
   // RBAC scope is never resolved without an org (which would let the role check
-  // run unscoped under the enterprise plugin).
+  // run unscoped under the RBAC plugin).
   const primaryRun = await prisma.taskRun.findFirst({
     where: { friendlyId: runParam },
     select: { project: { select: { organizationId: true } } },
diff --git a/apps/webapp/app/routes/resources.taskruns.$runParam.replay.ts b/apps/webapp/app/routes/resources.taskruns.$runParam.replay.ts
@@ -274,7 +274,7 @@ async function resolveRunOrganizationId(runParam: string): Promise<string | null
   // Replica lag with the buffer entry already drained: the run can exist in
   // the primary while both lookups above miss. Fall back to the primary so the
   // RBAC scope is never resolved without an org (which would let the role check
-  // run unscoped under the enterprise plugin).
+  // run unscoped under the RBAC plugin).
   const primaryRun = await prisma.taskRun.findFirst({
     where: { friendlyId: runParam },
     select: { project: { select: { organizationId: true } } },
