RBAC: pre-migration JWT behaviour tests for TRI-8719 risks (TRI-8716)

Lock in the legacy checkAuthorization behaviours that TRI-8719 must
preserve once it swaps in rbac.authenticateBearer + ability.can.

Three tests in a new describe block 'JWT bearer auth — behaviours to
preserve through TRI-8719':

- Custom action route: type-level write:tasks JWT on
  POST /api/v1/tasks/:taskId/trigger (action: trigger) → auth passes
  today via exact superScope match. Must keep passing after TRI-8719
  via the ACTION_ALIASES map (trigger ← write).
- Multi-key resource: read:tags:<tag> JWT on /api/v1/runs/:runId/trace
  where the seeded run has that tag → auth passes today because
  legacy checks each resource key. Must keep passing after TRI-8719
  via ability.can's array-resource form.
- Multi-key resource: read:batch:<friendlyId> JWT on
  /api/v1/runs/:runId/trace where the seeded run is in that batch →
  same rationale as the tags case.

Dropped the planned empty-resource test: researching it surfaced that
legacy checkAuthorization denies empty-resource requests BEFORE the
super-scope check runs, so api.v1.batches.ts and idempotencyKeys reset
currently reject all JWTs despite allowJWT: true. TRI-8719's plan
(adding explicit { type: 'runs' }) is an intentional improvement, not
a preservation — documented in the TRI-8719 description comment.

New helper test/helpers/seedTestRun.ts seeds a minimal TaskRun (and,
optionally, an associated BatchTaskRun) that ApiRetrieveRunPresenter's
findRun can resolve for multi-key resource tests. The tests only
assert 'auth passes' (!== 401, !== 403) — the handler's downstream
behaviour (which may fail in a worker-less test env) isn't relevant
to the auth-layer contract.

Author: matt-aitken

apps/webapp/test/api-auth.e2e.test.ts

@@ -12,6 +12,7 @@ import { startTestServer } from "@internal/testcontainers/webapp";
 import { generateJWT } from "@trigger.dev/core/v3/jwt";
 import { seedTestEnvironment } from "./helpers/seedTestEnvironment";
 import { seedTestPAT, seedTestUser } from "./helpers/seedTestPAT";
+import { seedTestRun } from "./helpers/seedTestRun";
 import { seedTestWaitpoint } from "./helpers/seedTestWaitpoint";
 
 vi.setConfig({ testTimeout: 180_000 });
@@ -344,6 +345,70 @@ describe("JWT bearer auth — resource-scoped scopes", () => {
   });
 });
 
+// Pre-migration coverage for the three behavioural constraints captured in TRI-8719.
+// Each test locks in an observable current behaviour that the migration must preserve:
+// - custom actions (trigger/batchTrigger/update) satisfied by write:* scopes
+// - multi-key resource callbacks (runs/tags/batch/tasks) — any key match grants access
+// - empty resource callbacks relying on superScopes
+describe("JWT bearer auth — behaviours to preserve through TRI-8719", () => {
+  it("custom action: type-level write:tasks scope satisfies action=\"trigger\" (auth passes)", async () => {
+    const { environment } = await seedTestEnvironment(server.prisma);
+    // Current SDK + MCP JWTs for task-trigger use type-level scope, e.g. write:tasks.
+    // Legacy checkAuthorization passes via exact superScope match ["write:tasks", "admin"].
+    // After TRI-8719, the ACTION_ALIASES map must keep this working: trigger action is
+    // satisfied by a scope whose action is write.
+    const jwt = await generateTestJWT(environment, { scopes: ["write:tasks"] });
+    const res = await server.webapp.fetch("/api/v1/tasks/nonexistent-task/trigger", {
+      method: "POST",
+      headers: { Authorization: `Bearer ${jwt}`, "content-type": "application/json" },
+      body: JSON.stringify({}),
+    });
+    expect(res.status).not.toBe(401);
+    expect(res.status).not.toBe(403);
+  });
+
+  it("multi-key resource: read:tags:<tag> scope grants access to a run carrying that tag (auth passes)", async () => {
+    const { environment, project } = await seedTestEnvironment(server.prisma);
+    const { runFriendlyId } = await seedTestRun(server.prisma, {
+      environmentId: environment.id,
+      projectId: project.id,
+      runTags: ["my-resource-scoped-tag"],
+    });
+    const jwt = await generateTestJWT(environment, {
+      scopes: ["read:tags:my-resource-scoped-tag"],
+    });
+    const res = await server.webapp.fetch(`/api/v1/runs/${runFriendlyId}/trace`, {
+      headers: { Authorization: `Bearer ${jwt}` },
+    });
+    expect(res.status).not.toBe(401);
+    expect(res.status).not.toBe(403);
+  });
+
+  it("multi-key resource: read:batch:<friendlyId> scope grants access to a run in that batch (auth passes)", async () => {
+    const { environment, project } = await seedTestEnvironment(server.prisma);
+    const { runFriendlyId, batchFriendlyId } = await seedTestRun(server.prisma, {
+      environmentId: environment.id,
+      projectId: project.id,
+      withBatch: true,
+    });
+    const jwt = await generateTestJWT(environment, {
+      scopes: [`read:batch:${batchFriendlyId}`],
+    });
+    const res = await server.webapp.fetch(`/api/v1/runs/${runFriendlyId}/trace`, {
+      headers: { Authorization: `Bearer ${jwt}` },
+    });
+    expect(res.status).not.toBe(401);
+    expect(res.status).not.toBe(403);
+  });
+
+  // Empty-resource routes (api.v1.batches.ts, api.v1.idempotencyKeys.$key.reset.ts)
+  // currently DENY all JWTs because legacy checkAuthorization's empty-resource check
+  // fires before the superScope check. TRI-8719's plan to add explicit { type: "runs" }
+  // changes this to "JWTs with read:runs or write:runs now work on these routes" — an
+  // intentional improvement, not a preserved behaviour. See TRI-8719 description for
+  // the note; there's nothing to lock in with a test here.
+});
+
 // Edge cases where auth-path DB state should cause 401 even with a valid-looking token.
 describe("API bearer auth — environment/project edge cases", () => {
   it("valid API key whose project is soft-deleted: 401", async () => {

apps/webapp/test/helpers/seedTestRun.ts

@@ -0,0 +1,61 @@
+import type { PrismaClient, TaskRun } from "@trigger.dev/database";
+import { customAlphabet, nanoid } from "nanoid";
+
+const idGenerator = customAlphabet("123456789abcdefghijkmnopqrstuvwxyz", 21);
+
+export interface SeededRun {
+  run: TaskRun;
+  runFriendlyId: string; // `run_...`
+  batchFriendlyId?: string; // `batch_...` when { withBatch: true }
+}
+
+// Minimum-viable TaskRun for auth-layer e2e tests — enough fields for
+// ApiRetrieveRunPresenter.findRun to return it and for the authorization.resource
+// callback to populate `runs`, `tags`, `batch`, `tasks` keys.
+export async function seedTestRun(
+  prisma: PrismaClient,
+  opts: {
+    environmentId: string;
+    projectId: string;
+    runTags?: string[];
+    withBatch?: boolean;
+  }
+): Promise<SeededRun> {
+  const runInternalId = idGenerator();
+  const runFriendlyId = `run_${runInternalId}`;
+
+  let batchInternalId: string | undefined;
+  if (opts.withBatch) {
+    batchInternalId = idGenerator();
+    await prisma.batchTaskRun.create({
+      data: {
+        id: batchInternalId,
+        friendlyId: `batch_${batchInternalId}`,
+        runtimeEnvironmentId: opts.environmentId,
+      },
+    });
+  }
+
+  const run = await prisma.taskRun.create({
+    data: {
+      id: runInternalId,
+      friendlyId: runFriendlyId,
+      taskIdentifier: "test-task",
+      payload: "{}",
+      payloadType: "application/json",
+      traceId: nanoid(32),
+      spanId: nanoid(16),
+      queue: "task/test-task",
+      runtimeEnvironmentId: opts.environmentId,
+      projectId: opts.projectId,
+      runTags: opts.runTags ?? [],
+      batchId: batchInternalId,
+    },
+  });
+
+  return {
+    run,
+    runFriendlyId,
+    batchFriendlyId: batchInternalId ? `batch_${batchInternalId}` : undefined,
+  };
+}