RBAC: migrate apiBuilder to rbac.authenticateBearer + ability.can (TRI-8719 Phase B)

Swap all three apiBuilder call sites (loader, action, multi-method) from
authenticateApiRequestWithFailure + checkAuthorization to a single RBAC
plugin bridge. 30 route files migrated in lockstep — drop the
authorization.superScopes option, convert resource callbacks to return
RbacResource or RbacResource[] in the new shape.

Infrastructure:

- apiBuilder: new authenticateRequestForApiBuilder helper funnels all
  three builders through rbac.authenticateBearer and follow-up
  findEnvironmentById to rebuild the legacy ApiAuthenticationResultSuccess
  shape handlers still expect (no handler-facing changes).
- @internal/rbac: re-export RbacAbility, RbacResource from
  @trigger.dev/plugins so webapp only depends on @trigger.dev/rbac.

Route-file changes (Risk mitigations from the ticket):

- Custom actions (trigger, batchTrigger, update) unchanged at the route
  level — the ACTION_ALIASES wrapper from Phase A handles them
  transparently.
- Multi-key runs routes (api.v3.runs.$runId, realtime.v1.runs.$runId,
  realtime.v1.streams.$runId.$streamId, api.v1.runs.$runId.events /
  .spans.$spanId / .trace, realtime.v1.streams.$runId.input.$streamId
  second block, plus the batch-array routes) now return
  RbacResource[] — any resource match grants access. Undefined batch
  ids are filtered out to avoid accidentally matching a type-level
  read:batch scope with no id.
- Empty-resource routes (api.v1.batches, api.v1.idempotencyKeys.$key.reset)
  now return { type: 'runs' } — JWTs with read:runs / write:runs start
  working where they were previously denied by the legacy
  empty-resource short-circuit. Intentional improvement, strict
  superset of today's accept set.
- Search-params routes (realtime.v1.runs, api.v1.runs) return an array
  with a collection-level { type: 'runs' } plus any filtered tag/task
  entries so JWTs that work today continue to work.

Verification:

- pnpm run typecheck --filter webapp: clean.
- pnpm run test --filter @internal/rbac: 31 unit tests pass (wrapper +
  array-resource semantics).
- E2E suite (test/api-auth.e2e.test.ts): all 31 tests pass on the new
  code path — the three pre-migration 'behaviours to preserve' tests
  (type-level write:tasks triggers a task, read:tags:<tag> reaches a
  run with that tag, read:batch:<id> reaches a run in that batch) are
  still green post-swap.

Packaging:

- .changeset/rbac-plugin-array-resources.md: minor bump for
  @trigger.dev/plugins (array-resource overload on RbacAbility.can).
- .server-changes/rbac-apibuilder-migration.md: webapp-only note.

Author: matt-aitken

.changeset/rbac-plugin-array-resources.md

@@ -0,0 +1,5 @@
+---
+"@trigger.dev/plugins": minor
+---
+
+RBAC plugin: `RbacAbility.can(action, resource)` now accepts either a single `RbacResource` or `RbacResource[]`. Array form means "grant access if any resource in the array passes", matching the multi-key authorisation semantics expected by routes that touch multiple resources (e.g. a run that also carries a batch id, tags, and a task identifier — a JWT scoped to any of them grants access).

.server-changes/rbac-apibuilder-migration.md

@@ -0,0 +1,6 @@
+---
+area: webapp
+type: improvement
+---
+
+Migrate `apiBuilder.server.ts` to `rbac.authenticateBearer` + `ability.can` (TRI-8719). All 30 API routes that used `authorization.superScopes` now rely on the RBAC plugin's scope-algebra plus an `ACTION_ALIASES` compatibility map (`trigger`/`batchTrigger`/`update` satisfied by `write:*` scopes). Two intentional improvements: empty-resource routes (`/api/v1/batches`, `/api/v1/idempotencyKeys/:key/reset`) now accept JWTs (previously denied by the legacy empty-resource short-circuit); id-scoped `write:tasks:*` scopes now grant `POST /api/v1/tasks/:taskId/trigger` (previously denied by literal superScope mismatch). Both are strict supersets of the current accept set — no JWT regresses.

apps/webapp/app/routes/api.v1.batches.$batchId.ts

@@ -25,8 +25,7 @@ export const loader = createLoaderApiRoute(
     },
     authorization: {
       action: "read",
-      resource: (batch) => ({ batch: batch.friendlyId }),
-      superScopes: ["read:runs", "read:all", "admin"],
+      resource: (batch) => ({ type: "batch", id: batch.friendlyId }),
     },
   },
   async ({ resource: batch }) => {

apps/webapp/app/routes/api.v1.deployments.ts

@@ -72,8 +72,7 @@ export const loader = createLoaderApiRoute(
     corsStrategy: "none",
     authorization: {
       action: "read",
-      resource: () => ({ deployments: "list" }),
-      superScopes: ["read:deployments", "read:all", "admin"],
+      resource: () => ({ type: "deployments", id: "list" }),
     },
     findResource: async () => 1, // This is a dummy function, we don't need to find a resource
   },

apps/webapp/app/routes/api.v1.idempotencyKeys.$key.reset.ts

@@ -21,8 +21,7 @@ export const { action } = createActionApiRoute(
     corsStrategy: "all",
     authorization: {
       action: "write",
-      resource: () => ({}),
-      superScopes: ["write:runs", "admin"],
+      resource: () => ({ type: "runs" }),
     },
   },
   async ({ params, body, authentication }) => {

apps/webapp/app/routes/api.v1.prompts.$slug.override.reactivate.ts

@@ -22,8 +22,7 @@ const { action } = createActionApiRoute(
     corsStrategy: "all",
     authorization: {
       action: "update",
-      resource: (params) => ({ prompts: params.slug }),
-      superScopes: ["admin"],
+      resource: (params) => ({ type: "prompts", id: params.slug }),
     },
   },
   async ({ body, params, authentication }) => {

apps/webapp/app/routes/api.v1.prompts.$slug.override.ts

@@ -40,8 +40,7 @@ const { action, loader } = createMultiMethodApiRoute({
   corsStrategy: "all",
   authorization: {
     action: "update",
-    resource: (params) => ({ prompts: params.slug }),
-    superScopes: ["admin"],
+    resource: (params) => ({ type: "prompts", id: params.slug }),
   },
   methods: {
     POST: {

apps/webapp/app/routes/api.v1.prompts.$slug.promote.ts

@@ -22,8 +22,7 @@ const { action } = createActionApiRoute(
     corsStrategy: "all",
     authorization: {
       action: "update",
-      resource: (params) => ({ prompts: params.slug }),
-      superScopes: ["admin"],
+      resource: (params) => ({ type: "prompts", id: params.slug }),
     },
   },
   async ({ body, params, authentication }) => {

apps/webapp/app/routes/api.v1.prompts.$slug.ts

@@ -37,8 +37,7 @@ export const loader = createLoaderApiRoute(
     },
     authorization: {
       action: "read",
-      resource: (_resource, params) => ({ prompts: params.slug }),
-      superScopes: ["read:prompts", "admin"],
+      resource: (_resource, params) => ({ type: "prompts", id: params.slug }),
     },
   },
   async ({ searchParams, resource: prompt }) => {
@@ -98,8 +97,7 @@ const { action } = createActionApiRoute(
     corsStrategy: "all",
     authorization: {
       action: "read",
-      resource: (params) => ({ prompts: params.slug }),
-      superScopes: ["read:prompts", "admin"],
+      resource: (params) => ({ type: "prompts", id: params.slug }),
     },
   },
   async ({ body, params, authentication }) => {

apps/webapp/app/routes/api.v1.prompts.$slug.versions.ts

@@ -27,8 +27,7 @@ export const loader = createLoaderApiRoute(
     },
     authorization: {
       action: "read",
-      resource: (_resource, params) => ({ prompts: params.slug }),
-      superScopes: ["read:prompts", "admin"],
+      resource: (_resource, params) => ({ type: "prompts", id: params.slug }),
     },
   },
   async ({ resource: prompt }) => {