RBAC: dashboardLoader / dashboardAction + migrate admin pages (TRI-8717)

Add a session-auth route builder analogous to apiBuilder.server.ts that
routes dashboard auth through rbac.authenticateSession and runs the
ability check (canSuper or can) before the handler runs. Routes that
only need a logged-in user (no authorisation) keep using requireUser /
requireUserId — the builder is opt-in for routes with explicit auth.

Builder shape:

  dashboardLoader({ authorization: { requireSuper: true } }, async ({ user, ability }) => ...)
  dashboardLoader({ authorization: { action, resource } }, ...)
  dashboardAction(...)

Auth failure throws a redirect Response so the success-path return type
stays narrow (useTypedLoaderData<typeof loader>() picks up the handler's
TypedJsonResponse). Optional context callback feeds organizationId /
projectId to authenticateSession when needed (enterprise-only — fallback
ignores context today).

Migrated 14 platform admin routes from
`requireUser` + `if (!user.admin)` to dashboardLoader / dashboardAction
with requireSuper: true:

  admin.tsx
  admin._index.tsx
  admin.concurrency.tsx
  admin.feature-flags.tsx
  admin.notifications.tsx
  admin.orgs.tsx
  admin.data-stores.tsx
  admin.back-office.tsx
  admin.back-office._index.tsx
  admin.back-office.orgs.$orgId.tsx
  admin.llm-models._index.tsx
  admin.llm-models.$modelId.tsx
  admin.llm-models.new.tsx
  admin.llm-models.missing._index.tsx
  admin.llm-models.missing.$model.tsx

Routes that have admin-only sub-features (e.g. show-extra-fields-if-admin
on otherwise public routes) stay on requireUser. Migration of those is a
separate concern — they don't gate access on admin, they just branch
display.

Behavioural change: action handlers that previously threw
`new Response('Unauthorized', { status: 403 })` on non-admins now redirect
to / along with the loader. Uniform behaviour, but XHR fetchers that
expected a 403 status would now follow the redirect instead. The admin
pages migrated here don't appear to have XHR fetchers that depend on the
403, but worth flagging.

Verification:
- pnpm run typecheck --filter webapp: clean.
- pnpm run test --filter @internal/rbac: 31 unit tests pass.
- E2E suite: all 31 tests pass — including the
  /admin/concurrency redirect test (now exercising the new builder).

Author: matt-aitken

.server-changes/rbac-dashboard-builder.md

@@ -0,0 +1,6 @@
+---
+area: webapp
+type: improvement
+---
+
+Add `dashboardLoader` / `dashboardAction` route builders that route session auth through the RBAC plugin (`rbac.authenticateSession` + `ability.canSuper()` / `ability.can`) and migrate the platform admin pages onto them. Routes that only need a logged-in user with no authorisation continue to use `requireUser` / `requireUserId` — the builder is opt-in for routes with explicit auth checks. Migrated routes: `admin.tsx`, `admin._index.tsx`, `admin.concurrency.tsx`, `admin.feature-flags.tsx`, `admin.notifications.tsx`, `admin.orgs.tsx`, `admin.data-stores.tsx`, `admin.back-office.tsx` (+ children), `admin.llm-models.*` (5 routes). Behavioural change: actions that previously threw `403 Unauthorized` on non-admins now redirect to `/` along with the loader — uniform with the builder's behaviour.

apps/webapp/app/routes/admin._index.tsx

@@ -1,7 +1,5 @@
 import { MagnifyingGlassIcon } from "@heroicons/react/20/solid";
 import { Form } from "@remix-run/react";
-import type { ActionFunctionArgs, LoaderFunctionArgs } from "@remix-run/server-runtime";
-import { redirect } from "@remix-run/server-runtime";
 import { typedjson, useTypedLoaderData } from "remix-typedjson";
 import { z } from "zod";
 import { Button, LinkButton } from "~/components/primitives/Buttons";
@@ -22,7 +20,7 @@ import {
 import { useUser } from "~/hooks/useUser";
 import { adminGetUsers, redirectWithImpersonation } from "~/models/admin.server";
 import { commitImpersonationSession, setImpersonationId } from "~/services/impersonation.server";
-import { requireUserId } from "~/services/session.server";
+import { dashboardAction, dashboardLoader } from "~/services/routeBuilders/dashboardBuilder.server";
 import { createSearchParams } from "~/utils/searchParams";
 
 export const SearchParams = z.object({
@@ -32,30 +30,34 @@ export const SearchParams = z.object({
 
 export type SearchParams = z.infer<typeof SearchParams>;
 
-export const loader = async ({ request, params }: LoaderFunctionArgs) => {
-  const userId = await requireUserId(request);
+export const loader = dashboardLoader(
+  { authorization: { requireSuper: true } },
+  async ({ user, request }) => {
+    const searchParams = createSearchParams(request.url, SearchParams);
+    if (!searchParams.success) {
+      throw new Error(searchParams.error);
+    }
+    const result = await adminGetUsers(user.id, searchParams.params.getAll());
 
-  const searchParams = createSearchParams(request.url, SearchParams);
-  if (!searchParams.success) {
-    throw new Error(searchParams.error);
+    return typedjson(result);
   }
-  const result = await adminGetUsers(userId, searchParams.params.getAll());
-
-  return typedjson(result);
-};
+);
 
 const FormSchema = z.object({ id: z.string() });
 
-export async function action({ request }: ActionFunctionArgs) {
-  if (request.method.toLowerCase() !== "post") {
-    return new Response("Method not allowed", { status: 405 });
-  }
+export const action = dashboardAction(
+  { authorization: { requireSuper: true } },
+  async ({ request }) => {
+    if (request.method.toLowerCase() !== "post") {
+      return new Response("Method not allowed", { status: 405 });
+    }
 
-  const payload = Object.fromEntries(await request.formData());
-  const { id } = FormSchema.parse(payload);
+    const payload = Object.fromEntries(await request.formData());
+    const { id } = FormSchema.parse(payload);
 
-  return redirectWithImpersonation(request, id, "/");
-}
+    return redirectWithImpersonation(request, id, "/");
+  }
+);
 
 export default function AdminDashboardRoute() {
   const user = useUser();

apps/webapp/app/routes/admin.back-office._index.tsx

@@ -1,17 +1,15 @@
-import type { LoaderFunctionArgs } from "@remix-run/server-runtime";
-import { redirect, typedjson } from "remix-typedjson";
+import { typedjson } from "remix-typedjson";
 import { LinkButton } from "~/components/primitives/Buttons";
 import { Header2 } from "~/components/primitives/Headers";
 import { Paragraph } from "~/components/primitives/Paragraph";
-import { requireUser } from "~/services/session.server";
+import { dashboardLoader } from "~/services/routeBuilders/dashboardBuilder.server";
 
-export async function loader({ request }: LoaderFunctionArgs) {
-  const user = await requireUser(request);
-  if (!user.admin) {
-    return redirect("/");
+export const loader = dashboardLoader(
+  { authorization: { requireSuper: true } },
+  async () => {
+    return typedjson({});
   }
-  return typedjson({});
-}
+);
 
 export default function BackOfficeIndex() {
   return (

apps/webapp/app/routes/admin.back-office.orgs.$orgId.tsx

@@ -1,5 +1,4 @@
 import { Form, useNavigation, useSearchParams } from "@remix-run/react";
-import type { ActionFunctionArgs, LoaderFunctionArgs } from "@remix-run/server-runtime";
 import { useEffect, useState } from "react";
 import { redirect, typedjson, useTypedActionData, useTypedLoaderData } from "remix-typedjson";
 import { z } from "zod";
@@ -19,7 +18,7 @@ import {
 } from "~/services/authorizationRateLimitMiddleware.server";
 import { logger } from "~/services/logger.server";
 import { type Duration } from "~/services/rateLimiter.server";
-import { requireUser } from "~/services/session.server";
+import { dashboardAction, dashboardLoader } from "~/services/routeBuilders/dashboardBuilder.server";
 
 const SAVED_QUERY_KEY = "saved";
 const SAVED_QUERY_VALUE = "1";
@@ -98,39 +97,38 @@ function describeRateLimit(
   };
 }
 
-export async function loader({ request, params }: LoaderFunctionArgs) {
-  const user = await requireUser(request);
-  if (!user.admin) {
-    return redirect("/");
-  }
-
-  const orgId = params.orgId;
-  if (!orgId) {
-    throw new Response(null, { status: 404 });
-  }
+const ParamsSchema = z.object({
+  orgId: z.string(),
+});
 
-  const org = await prisma.organization.findFirst({
-    where: { id: orgId },
-    select: {
-      id: true,
-      slug: true,
-      title: true,
-      createdAt: true,
-      apiRateLimiterConfig: true,
-    },
-  });
-
-  if (!org) {
-    throw new Response(null, { status: 404 });
-  }
+export const loader = dashboardLoader(
+  { authorization: { requireSuper: true }, params: ParamsSchema },
+  async ({ params }) => {
+    const { orgId } = params;
+
+    const org = await prisma.organization.findFirst({
+      where: { id: orgId },
+      select: {
+        id: true,
+        slug: true,
+        title: true,
+        createdAt: true,
+        apiRateLimiterConfig: true,
+      },
+    });
+
+    if (!org) {
+      throw new Response(null, { status: 404 });
+    }
 
-  const effective = resolveEffectiveRateLimit(org.apiRateLimiterConfig);
+    const effective = resolveEffectiveRateLimit(org.apiRateLimiterConfig);
 
-  return typedjson({
-    org,
-    effective,
-  });
-}
+    return typedjson({
+      org,
+      effective,
+    });
+  }
+);
 
 const SetRateLimitSchema = z.object({
   intent: z.literal("set-rate-limit"),
@@ -144,64 +142,59 @@ const SetRateLimitSchema = z.object({
   maxTokens: z.coerce.number().int().min(1),
 });
 
-export async function action({ request, params }: ActionFunctionArgs) {
-  const user = await requireUser(request);
-  if (!user.admin) {
-    return redirect("/");
-  }
-
-  const orgId = params.orgId;
-  if (!orgId) {
-    throw new Response(null, { status: 404 });
-  }
-
-  const formData = await request.formData();
-  const submission = SetRateLimitSchema.safeParse(Object.fromEntries(formData));
-  if (!submission.success) {
-    return typedjson(
-      { errors: submission.error.flatten().fieldErrors },
-      { status: 400 }
-    );
-  }
+export const action = dashboardAction(
+  { authorization: { requireSuper: true }, params: ParamsSchema },
+  async ({ user, params, request }) => {
+    const { orgId } = params;
+
+    const formData = await request.formData();
+    const submission = SetRateLimitSchema.safeParse(Object.fromEntries(formData));
+    if (!submission.success) {
+      return typedjson(
+        { errors: submission.error.flatten().fieldErrors },
+        { status: 400 }
+      );
+    }
 
-  const existing = await prisma.organization.findFirst({
-    where: { id: orgId },
-    select: { apiRateLimiterConfig: true },
-  });
-  if (!existing) {
-    throw new Response(null, { status: 404 });
-  }
+    const existing = await prisma.organization.findFirst({
+      where: { id: orgId },
+      select: { apiRateLimiterConfig: true },
+    });
+    if (!existing) {
+      throw new Response(null, { status: 404 });
+    }
 
-  const built = RateLimitTokenBucketConfig.safeParse({
-    type: "tokenBucket",
-    refillRate: submission.data.refillRate,
-    interval: submission.data.interval,
-    maxTokens: submission.data.maxTokens,
-  });
-  if (!built.success) {
-    return typedjson(
-      { errors: built.error.flatten().fieldErrors },
-      { status: 400 }
+    const built = RateLimitTokenBucketConfig.safeParse({
+      type: "tokenBucket",
+      refillRate: submission.data.refillRate,
+      interval: submission.data.interval,
+      maxTokens: submission.data.maxTokens,
+    });
+    if (!built.success) {
+      return typedjson(
+        { errors: built.error.flatten().fieldErrors },
+        { status: 400 }
+      );
+    }
+    const next = built.data;
+
+    await prisma.organization.update({
+      where: { id: orgId },
+      data: { apiRateLimiterConfig: next as any },
+    });
+
+    logger.info("admin.backOffice.rateLimit", {
+      adminUserId: user.id,
+      orgId,
+      previous: existing.apiRateLimiterConfig,
+      next,
+    });
+
+    return redirect(
+      `/admin/back-office/orgs/${orgId}?${SAVED_QUERY_KEY}=${SAVED_QUERY_VALUE}`
     );
   }
-  const next = built.data;
-
-  await prisma.organization.update({
-    where: { id: orgId },
-    data: { apiRateLimiterConfig: next as any },
-  });
-
-  logger.info("admin.backOffice.rateLimit", {
-    adminUserId: user.id,
-    orgId,
-    previous: existing.apiRateLimiterConfig,
-    next,
-  });
-
-  return redirect(
-    `/admin/back-office/orgs/${orgId}?${SAVED_QUERY_KEY}=${SAVED_QUERY_VALUE}`
-  );
-}
+);
 
 export default function BackOfficeOrgPage() {
   const { org, effective } = useTypedLoaderData<typeof loader>();

apps/webapp/app/routes/admin.back-office.tsx

@@ -1,15 +1,13 @@
 import { Outlet } from "@remix-run/react";
-import type { LoaderFunctionArgs } from "@remix-run/server-runtime";
-import { redirect, typedjson } from "remix-typedjson";
-import { requireUser } from "~/services/session.server";
+import { typedjson } from "remix-typedjson";
+import { dashboardLoader } from "~/services/routeBuilders/dashboardBuilder.server";
 
-export async function loader({ request }: LoaderFunctionArgs) {
-  const user = await requireUser(request);
-  if (!user.admin) {
-    return redirect("/");
+export const loader = dashboardLoader(
+  { authorization: { requireSuper: true } },
+  async () => {
+    return typedjson({});
   }
-  return typedjson({});
-}
+);
 
 export default function BackOfficeLayout() {
   return (

apps/webapp/app/routes/admin.concurrency.tsx

@@ -1,22 +1,19 @@
 import { InformationCircleIcon } from "@heroicons/react/20/solid";
-import type { LoaderFunctionArgs } from "@remix-run/server-runtime";
-import { redirect, typedjson, useTypedLoaderData } from "remix-typedjson";
+import { typedjson, useTypedLoaderData } from "remix-typedjson";
 import { Header1 } from "~/components/primitives/Headers";
 import { InfoPanel } from "~/components/primitives/InfoPanel";
 import { Paragraph } from "~/components/primitives/Paragraph";
-import { rbac } from "~/services/rbac.server";
+import { dashboardLoader } from "~/services/routeBuilders/dashboardBuilder.server";
 import { concurrencyTracker } from "~/v3/services/taskRunConcurrencyTracker.server";
 
-export const loader = async ({ request }: LoaderFunctionArgs) => {
-  const auth = await rbac.authenticateSession(request, {});
-  if (!auth.ok) return redirect("/login");
-  if (!auth.ability.canSuper()) return redirect("/");
-
-  const deployedConcurrency = await concurrencyTracker.globalConcurrentRunCount(true);
-  const devConcurrency = await concurrencyTracker.globalConcurrentRunCount(false);
-
-  return typedjson({ deployedConcurrency, devConcurrency });
-};
+export const loader = dashboardLoader(
+  { authorization: { requireSuper: true } },
+  async () => {
+    const deployedConcurrency = await concurrencyTracker.globalConcurrentRunCount(true);
+    const devConcurrency = await concurrencyTracker.globalConcurrentRunCount(false);
+    return typedjson({ deployedConcurrency, devConcurrency });
+  }
+);
 
 export default function AdminDashboardRoute() {
   const { deployedConcurrency, devConcurrency } = useTypedLoaderData<typeof loader>();