RBAC: force-fallback flag + env var + e2e fallback wiring (TRI-8715)

Adds a `forceFallback` option to the RBAC loader so tests (and any other
consumer that sets RBAC_FORCE_FALLBACK=1) pin authentication to the OSS
fallback regardless of whether the enterprise plugin is installed.

- internal-packages/rbac: LazyController and RoleBaseAccess.create now accept
  RbacCreateOptions.forceFallback. When true, load() skips the dynamic import
  of @triggerdotdev/plugins/rbac and constructs RoleBaseAccessFallback
  directly.
- apps/webapp env: new RBAC_FORCE_FALLBACK BoolEnv, threaded into
  app/services/rbac.server.ts.
- testcontainers webapp: set RBAC_FORCE_FALLBACK=1 so e2e tests exercise the
  fallback deterministically.
- api-auth.e2e.test.ts: covers the fallback wiring end-to-end via the existing
  /admin/concurrency route, which already uses rbac.authenticateSession +
  ability.canSuper().

Author: matt-aitken

.server-changes/rbac-force-fallback.md

@@ -0,0 +1,6 @@
+---
+area: webapp
+type: improvement
+---
+
+RBAC plugin: add RBAC_FORCE_FALLBACK env var so tests can pin the loader to the OSS fallback without depending on whether the enterprise plugin is installed.

apps/webapp/app/env.server.ts

@@ -1454,6 +1454,11 @@ const EnvironmentSchema = z
     // Private connections
     PRIVATE_CONNECTIONS_ENABLED: z.string().optional(),
     PRIVATE_CONNECTIONS_AWS_ACCOUNT_IDS: z.string().optional(),
+
+    // Force the RBAC plugin loader to use the OSS fallback, bypassing the enterprise plugin.
+    // Set to "1"/"true" in tests so auth behavior is deterministic regardless of whether
+    // @triggerdotdev/plugins/rbac is installed in the environment.
+    RBAC_FORCE_FALLBACK: BoolEnv.default(false),
   })
   .and(GithubAppEnvSchema)
   .and(S2EnvSchema);

apps/webapp/app/services/rbac.server.ts

@@ -1,5 +1,6 @@
 import { prisma } from "~/db.server";
 import plugin from "@trigger.dev/rbac";
+import { env } from "~/env.server";
 import { getUserId } from "./session.server";
 
 async function getSessionUserId(request: Request): Promise<string | null> {
@@ -9,4 +10,8 @@ async function getSessionUserId(request: Request): Promise<string | null> {
 
 // plugin.create() is synchronous — returns a lazy controller that loads the enterprise plugin
 // on first call. Top-level await is not used because CJS output format does not support it.
-export const rbac = plugin.create(prisma, { getSessionUserId });
+export const rbac = plugin.create(
+  prisma,
+  { getSessionUserId },
+  { forceFallback: env.RBAC_FORCE_FALLBACK }
+);

apps/webapp/test/api-auth.e2e.test.ts

@@ -119,3 +119,16 @@ describe("JWT bearer auth — baseline behavior", () => {
     expect(res.status).toBe(401);
   });
 });
+
+// Exercises the RBAC plugin loader end-to-end. The test server boots with
+// RBAC_FORCE_FALLBACK=1 (see internal-packages/testcontainers/src/webapp.ts), which makes
+// rbac.server.ts select the OSS fallback over the enterprise plugin. /admin/concurrency uses
+// rbac.authenticateSession internally; an unauthenticated request must flow through
+// LazyController → RoleBaseAccessFallback → redirect("/login").
+describe("RBAC plugin — fallback wiring", () => {
+  it("unauthenticated dashboard route redirects to /login via the OSS fallback", async () => {
+    const res = await server.webapp.fetch("/admin/concurrency", { redirect: "manual" });
+    expect(res.status).toBe(302);
+    expect(res.headers.get("location")).toBe("/login");
+  });
+});

internal-packages/rbac/src/index.ts

@@ -11,16 +11,29 @@ export type { RoleBaseAccessController };
 
 type RbacHelpers = { getSessionUserId: (request: Request) => Promise<string | null> };
 
+export type RbacCreateOptions = {
+  // When true, skip loading the enterprise plugin and use the OSS fallback directly.
+  // Useful for tests that need deterministic auth behavior without the enterprise plugin.
+  forceFallback?: boolean;
+};
+
 // Loads the enterprise plugin lazily; falls back to the OSS implementation if not installed.
 // Synchronous create() avoids top-level await (not supported in the webapp's CJS build).
 class LazyController implements RoleBaseAccessController {
   private readonly _init: Promise<RoleBaseAccessController>;
 
-  constructor(prisma: PrismaClient, helpers: RbacHelpers) {
-    this._init = this.load(prisma, helpers);
+  constructor(prisma: PrismaClient, helpers: RbacHelpers, options?: RbacCreateOptions) {
+    this._init = this.load(prisma, helpers, options);
   }
 
-  private async load(prisma: PrismaClient, helpers: RbacHelpers): Promise<RoleBaseAccessController> {
+  private async load(
+    prisma: PrismaClient,
+    helpers: RbacHelpers,
+    options?: RbacCreateOptions
+  ): Promise<RoleBaseAccessController> {
+    if (options?.forceFallback) {
+      return new RoleBaseAccessFallback(prisma).create(helpers);
+    }
     try {
       const moduleName = "@triggerdotdev/plugins/rbac";
       const module = await import(moduleName);
@@ -98,8 +111,12 @@ class LazyController implements RoleBaseAccessController {
 
 class RoleBaseAccess {
   // Synchronous — returns a lazy controller that loads the enterprise plugin on first call.
-  create(prisma: PrismaClient, helpers: RbacHelpers): RoleBaseAccessController {
-    return new LazyController(prisma, helpers);
+  create(
+    prisma: PrismaClient,
+    helpers: RbacHelpers,
+    options?: RbacCreateOptions
+  ): RoleBaseAccessController {
+    return new LazyController(prisma, helpers, options);
   }
 }
 

internal-packages/testcontainers/src/webapp.ts

@@ -81,6 +81,9 @@ export async function startWebapp(
       RUN_ENGINE_TTL_SYSTEM_DISABLED: "true",     // disables TTL expiry system (BoolEnv)
       RUN_ENGINE_TTL_CONSUMERS_DISABLED: "true",  // disables TTL consumers (BoolEnv)
       RUN_REPLICATION_ENABLED: "0",
+      // Force the RBAC plugin to use the OSS fallback in e2e tests so auth behavior is
+      // deterministic regardless of whether the enterprise plugin is installed.
+      RBAC_FORCE_FALLBACK: "1",
       NODE_PATH: nodePath,
     },
     stdio: ["ignore", "pipe", "pipe"],