feat(webapp): consolidate auth path + add comprehensive auth tests

.changeset/plugin-auth-path.md

@@ -0,0 +1,5 @@
+---
+"@trigger.dev/plugins": patch
+---
+
+The public interfaces for a plugin system. Initially consolidated authentication and authorization interfaces.

.github/workflows/e2e-webapp-auth-full.yml

@@ -0,0 +1,116 @@
+name: "🛡️ E2E Tests: Webapp Auth (full)"
+
+# Comprehensive RBAC auth test suite — see TRI-8731. Runs separately from
+# the smoke e2e-webapp.yml because it covers every route family with a
+# pass/fail matrix and would otherwise dominate per-PR CI time.
+#
+# Triggered:
+#   - Manually via workflow_dispatch.
+#   - Nightly via schedule.
+#   - On pull requests touching auth-relevant files only (paths filter).
+
+permissions:
+  contents: read
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: "0 4 * * *" # 04:00 UTC daily
+  pull_request:
+    paths:
+      - "apps/webapp/app/services/routeBuilders/**"
+      - "apps/webapp/app/services/rbac.server.ts"
+      - "apps/webapp/app/services/apiAuth.server.ts"
+      - "apps/webapp/app/services/personalAccessToken.server.ts"
+      - "apps/webapp/app/services/sessionStorage.server.ts"
+      - "apps/webapp/app/routes/api.v*.**"
+      - "apps/webapp/app/routes/realtime.v*.**"
+      - "apps/webapp/test/**/*.e2e.full.test.ts"
+      - "apps/webapp/test/setup/global-e2e-full-setup.ts"
+      - "apps/webapp/test/helpers/sharedTestServer.ts"
+      - "apps/webapp/test/helpers/seedTestSession.ts"
+      - "apps/webapp/vitest.e2e.full.config.ts"
+      - "internal-packages/rbac/**"
+      - "packages/plugins/**"
+      - ".github/workflows/e2e-webapp-auth-full.yml"
+
+jobs:
+  e2eAuthFull:
+    name: "🛡️ E2E Auth Tests (full)"
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    env:
+      DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
+    steps:
+      - name: 🔧 Disable IPv6
+        run: |
+          sudo sysctl -w net.ipv6.conf.all.disable_ipv6=1
+          sudo sysctl -w net.ipv6.conf.default.disable_ipv6=1
+          sudo sysctl -w net.ipv6.conf.lo.disable_ipv6=1
+
+      - name: 🔧 Configure docker address pool
+        run: |
+          CONFIG='{
+            "default-address-pools" : [
+              {
+                "base" : "172.17.0.0/12",
+                "size" : 20
+              },
+              {
+                "base" : "192.168.0.0/16",
+                "size" : 24
+              }
+            ]
+          }'
+          mkdir -p /etc/docker
+          echo "$CONFIG" | sudo tee /etc/docker/daemon.json
+
+      - name: 🔧 Restart docker daemon
+        run: sudo systemctl restart docker
+
+      - name: ⬇️ Checkout repo
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: ⎔ Setup pnpm
+        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
+        with:
+          version: 10.33.2
+
+      - name: ⎔ Setup node
+        uses: buildjet/setup-node@v4
+        with:
+          node-version: 20.20.0
+          cache: "pnpm"
+
+      - name: 🐳 Login to DockerHub
+        if: ${{ env.DOCKERHUB_USERNAME }}
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: 🐳 Skipping DockerHub login (no secrets available)
+        if: ${{ !env.DOCKERHUB_USERNAME }}
+        run: echo "DockerHub login skipped because secrets are not available."
+
+      - name: 🐳 Pre-pull testcontainer images
+        if: ${{ env.DOCKERHUB_USERNAME }}
+        run: |
+          docker pull postgres:14
+          docker pull redis:7.2
+          docker pull testcontainers/ryuk:0.11.0
+
+      - name: 📥 Download deps
+        run: pnpm install --frozen-lockfile
+
+      - name: 📀 Generate Prisma Client
+        run: pnpm run generate
+
+      - name: 🏗️ Build Webapp
+        run: pnpm run build --filter webapp
+
+      - name: 🛡️ Run Webapp Full Auth E2E Tests
+        run: cd apps/webapp && pnpm exec vitest run --config vitest.e2e.full.config.ts --reporter=default
+        env:
+          WEBAPP_TEST_VERBOSE: "1"

.server-changes/plugin-auth-path.md

@@ -0,0 +1,6 @@
+---
+area: webapp
+type: improvement
+---
+
+Webapp now supports a plugin system. Initially consolidates authentication and authorization paths.

apps/webapp/app/components/navigation/OrganizationSettingsSideMenu.tsx

@@ -4,6 +4,7 @@ import {
   Cog8ToothIcon,
   CreditCardIcon,
   LockClosedIcon,
+  ShieldCheckIcon,
   UserGroupIcon,
 } from "@heroicons/react/20/solid";
 import { ArrowLeftIcon } from "@heroicons/react/24/solid";
@@ -14,6 +15,7 @@ import { useFeatures } from "~/hooks/useFeatures";
 import { type MatchedOrganization } from "~/hooks/useOrganizations";
 import { cn } from "~/utils/cn";
 import {
+  organizationRolesPath,
   organizationSettingsPath,
   organizationSlackIntegrationPath,
   organizationTeamPath,
@@ -128,6 +130,18 @@ export function OrganizationSettingsSideMenu({
             to={organizationTeamPath(organization)}
             data-action="team"
           />
+          {isManagedCloud && (
+            <>
+              <SideMenuItem
+                name="Roles"
+                icon={ShieldCheckIcon}
+                activeIconColor="text-sky-500"
+                inactiveIconColor="text-sky-500"
+                to={organizationRolesPath(organization)}
+                data-action="roles"
+              />
+            </>
+          )}
           <SideMenuItem
             name="Settings"
             icon={Cog8ToothIcon}

apps/webapp/app/components/primitives/Select.tsx

@@ -460,7 +460,15 @@ export function SelectItem({
   ...props
 }: SelectItemProps) {
   const combobox = Ariakit.useComboboxContext();
-  const render = combobox ? <Ariakit.ComboboxItem render={props.render} /> : undefined;
+  // In a Combobox context we wrap the caller's render in ComboboxItem
+  // so combobox keyboard nav still works. Outside a Combobox we pass
+  // the render through verbatim — without this, callers like
+  // SelectLinkItem (which uses render to swap in a <Link>) get their
+  // render prop silently dropped, which is why those rows looked
+  // clickable but didn't navigate.
+  const render = combobox
+    ? <Ariakit.ComboboxItem render={props.render} />
+    : props.render;
   const ref = React.useRef<HTMLDivElement>(null);
   const select = Ariakit.useSelectContext();
   const selectValue = select?.useState("value");

apps/webapp/app/env.server.ts

@@ -1512,6 +1512,9 @@ const EnvironmentSchema = z
     // Private connections
     PRIVATE_CONNECTIONS_ENABLED: z.string().optional(),
     PRIVATE_CONNECTIONS_AWS_ACCOUNT_IDS: z.string().optional(),
+
+    // Force RBAC to not use the plugin
+    RBAC_FORCE_FALLBACK: BoolEnv.default(false),
   })
   .and(GithubAppEnvSchema)
   .and(S2EnvSchema)

apps/webapp/app/models/member.server.ts

@@ -1,6 +1,8 @@
 import { type Prisma, prisma } from "~/db.server";
 import { createEnvironment } from "./organization.server";
 import { customAlphabet } from "nanoid";
+import { logger } from "~/services/logger.server";
+import { rbac } from "~/services/rbac.server";
 
 const tokenValueLength = 40;
 const tokenGenerator = customAlphabet("123456789abcdefghijkmnopqrstuvwxyz", tokenValueLength);
@@ -86,10 +88,19 @@ export async function inviteMembers({
   slug,
   emails,
   userId,
+  rbacRoleId,
 }: {
   slug: string;
   emails: string[];
   userId: string;
+  /**
+   * Optional RBAC role to attach to the invite. When set, accepted
+   * invites trigger `rbac.setUserRole(rbacRoleId)` after the OrgMember
+   * is created.
+   *
+   * `OrgMemberInvite.role` is still set if the plugin isn't installed.
+   */
+  rbacRoleId?: string | null;
 }) {
   const org = await prisma.organization.findFirst({
     where: { slug, members: { some: { userId } } },
@@ -107,6 +118,7 @@ export async function inviteMembers({
         organizationId: org.id,
         inviterId: userId,
         role: "MEMBER",
+        rbacRoleId: rbacRoleId ?? null,
       } satisfies Prisma.OrgMemberInviteCreateManyInput)
   );
 
@@ -163,7 +175,7 @@ export async function acceptInvite({
   user: { id: string; email: string };
   inviteId: string;
 }) {
-  return await prisma.$transaction(async (tx) => {
+  const result = await prisma.$transaction(async (tx) => {
     // 1. Delete the invite and get the invite details
     const invite = await tx.orgMemberInvite.delete({
       where: {
@@ -207,8 +219,32 @@ export async function acceptInvite({
       },
     });
 
-    return { remainingInvites, organization: invite.organization };
+    return {
+      remainingInvites,
+      organization: invite.organization,
+      inviteRole: invite.role,
+      rbacRoleId: invite.rbacRoleId,
+    };
   });
+
+  // If the invite carried an explicit RBAC role. Errors are logged, not fatal.
+  if (result.rbacRoleId) {
+    const roleResult = await rbac.setUserRole({
+      userId: user.id,
+      organizationId: result.organization.id,
+      roleId: result.rbacRoleId,
+    });
+    if (!roleResult.ok) {
+      logger.error("acceptInvite: skipped RBAC role assignment", {
+        organizationId: result.organization.id,
+        userId: user.id,
+        rbacRoleId: result.rbacRoleId,
+        reason: roleResult.error,
+      });
+    }
+  }
+
+  return { remainingInvites: result.remainingInvites, organization: result.organization };
 }
 
 export async function declineInvite({

apps/webapp/app/models/project.server.ts

@@ -4,7 +4,7 @@ import { $replica, prisma } from "~/db.server";
 import type { Prisma, Project } from "@trigger.dev/database";
 import { type Organization, createEnvironment } from "./organization.server";
 import { env } from "~/env.server";
-import { projectCreated } from "~/services/platform.v3.server";
+import { projectCreated } from "~/services/projectCreated.server";
 export type { Project } from "@trigger.dev/database";
 
 const externalRefGenerator = customAlphabet("abcdefghijklmnopqrstuvwxyz", 20);

apps/webapp/app/presenters/TeamPresenter.server.ts

@@ -1,4 +1,5 @@
 import { getTeamMembersAndInvites } from "~/models/member.server";
+import { rbac } from "~/services/rbac.server";
 import { getCurrentPlan, getLimit, getPlans } from "~/services/platform.v3.server";
 import { BasePresenter } from "./v3/basePresenter.server";
 
@@ -13,11 +14,30 @@ export class TeamPresenter extends BasePresenter {
       return;
     }
 
-    const [baseLimit, currentPlan, plans] = await Promise.all([
-      getLimit(organizationId, "teamMembers", 100_000_000),
-      getCurrentPlan(organizationId),
-      getPlans(),
-    ]);
+    const [baseLimit, currentPlan, plans, roles, assignableRoleIds, memberRoleMap] =
+      await Promise.all([
+        getLimit(organizationId, "teamMembers", 100_000_000),
+        getCurrentPlan(organizationId),
+        getPlans(),
+        // RBAC role catalogue (system roles + any org-defined custom
+        // roles). The default fallback returns []; an installed plugin
+        // may return the seeded system roles plus any custom roles.
+        rbac.allRoles(organizationId),
+        // Plan-gated subset — the Teams page disables dropdown options not
+        // in this set. Server-side enforcement is independent (setUserRole
+        // rejects a plan-gated assignment regardless of UI state).
+        rbac.getAssignableRoleIds(organizationId),
+        // Per-member current role in a single round-trip.
+        rbac.getUserRoles(
+          result.members.map((m) => m.user.id),
+          organizationId
+        ),
+      ]);
+
+    const memberRoles = result.members.map((m) => ({
+      userId: m.user.id,
+      role: memberRoleMap.get(m.user.id) ?? null,
+    }));
 
     const canPurchaseSeats =
       currentPlan?.v3Subscription?.plan?.limits.teamMembers.canExceed === true;
@@ -38,6 +58,9 @@ export class TeamPresenter extends BasePresenter {
       seatPricing,
       maxSeatQuota,
       planSeatLimit,
+      roles,
+      assignableRoleIds,
+      memberRoles,
     };
   }
 }