RBAC plugin: authenticateAuthorize* accepts array resources

Widen check.resource on the convenience methods to RbacResource |
RbacResource[] so they match RbacAbility.can. Previously the interface
declared only RbacResource on these methods, which left an
inconsistency — anyone wanting to pass an array of resources had to
call authenticateBearer + ability.can manually instead of using the
convenience method.

Surfaced when reviewing the cloud enterprise controller (TRI-8720),
which had unilaterally widened its implementation to RbacResource[]
and would have failed type-check if any caller routed an array
through the typed interface.

Updated:

- packages/plugins/src/rbac.ts — RoleBaseAccessController interface.
- internal-packages/rbac/src/fallback.ts — RoleBaseAccessFallback
  matches.
- LazyController already uses Parameters<...> and tracks the
  interface, so it picks up the change automatically.

@trigger.dev/plugins gets a minor bump (changeset added).

Verification:

- pnpm run typecheck across @trigger.dev/plugins, @trigger.dev/rbac,
  webapp — clean.
- pnpm run test --filter @internal/rbac — 31 unit tests pass.
- e2e suite unaffected (no signature change at runtime — pure type
  widening).

Author: matt-aitken

.changeset/rbac-authenticate-authorize-arrays.md

@@ -0,0 +1,5 @@
+---
+"@trigger.dev/plugins": minor
+---
+
+RBAC plugin: `RoleBaseAccessController.authenticateAuthorizeBearer` and `authenticateAuthorizeSession` now accept `RbacResource | RbacResource[]` for `check.resource`, matching `RbacAbility.can`. This was an inconsistency — abilities accepted arrays but the convenience methods didn't, so callers wanting the array form had to call `authenticateBearer` + `ability.can` manually.

internal-packages/rbac/src/fallback.ts

@@ -131,7 +131,7 @@ class RoleBaseAccessFallbackController implements RoleBaseAccessController {
 
   async authenticateAuthorizeBearer(
     request: Request,
-    check: { action: string; resource: RbacResource },
+    check: { action: string; resource: RbacResource | RbacResource[] },
     options?: { allowJWT?: boolean }
   ): Promise<BearerAuthResult> {
     const auth = await this.authenticateBearer(request, options);
@@ -145,7 +145,7 @@ class RoleBaseAccessFallbackController implements RoleBaseAccessController {
   async authenticateAuthorizeSession(
     request: Request,
     context: { organizationId?: string; projectId?: string },
-    check: { action: string; resource: RbacResource }
+    check: { action: string; resource: RbacResource | RbacResource[] }
   ): Promise<SessionAuthResult> {
     const auth = await this.authenticateSession(request, context);
     if (!auth.ok) return auth;

packages/plugins/src/rbac.ts

@@ -79,17 +79,19 @@ export interface RoleBaseAccessController {
     context: { organizationId?: string; projectId?: string }
   ): Promise<SessionAuthResult>;
 
-  // Convenience: authenticate + ability.can() check in one call; returns ok:false if check fails
+  // Convenience: authenticate + ability.can() check in one call; returns ok:false if check fails.
+  // resource accepts the same single-or-array shape as RbacAbility.can — array form means
+  // "grant access if any element passes".
   authenticateAuthorizeBearer(
     request: Request,
-    check: { action: string; resource: RbacResource },
+    check: { action: string; resource: RbacResource | RbacResource[] },
     options?: { allowJWT?: boolean }
   ): Promise<BearerAuthResult>;
 
   authenticateAuthorizeSession(
     request: Request,
     context: { organizationId?: string; projectId?: string },
-    check: { action: string; resource: RbacResource }
+    check: { action: string; resource: RbacResource | RbacResource[] }
   ): Promise<SessionAuthResult>;
 
   // Role introspection (enterprise: DB-backed; OSS: returns [])