RBAC: rbac.systemRoleIds() instead of duplicating role-id constants

Adds a new `systemRoleIds(): Promise<SystemRoleIds | null>` method on
the `RoleBaseAccessController` interface. Returns
`{ owner, admin, developer, member }` from any installed plugin and
`null` from the default fallback (matches the `allRoles → []`
semantics — there are no seeded roles to refer to in OSS).

Drops the `SYSTEM_ROLE_IDS` constant from `~/services/rbac.server` so
consumers can't reach for hardcoded role-id strings. Updates the four
sites that used it:

  - `models/member.server.ts` (invite flow's legacy-role mapping)
  - `routes/account.tokens` (PAT default)
  - `routes/_app.orgs.$organizationSlug.settings.roles` (Roles page
    comparison grid column ordering + plan-tier badges)
  - `routes/_app.orgs.$organizationSlug.invite` (role picker)

The Roles page and invite route both pass the IDs through their
loaders rather than referencing them at module top level — which was
the root cause of the "Invite a team member button hard-refreshes the
dashboard" bug: importing a `.server.ts` symbol from client-rendered
code left a dangling client-bundle reference.

Verified: typecheck clean, 162/162 OSS e2e.full, 7/7 cloud
enterprise e2e.full.

Author: matt-aitken

.changeset/rbac-system-role-ids-method.md

@@ -0,0 +1,5 @@
+---
+"@trigger.dev/plugins": patch
+---
+
+RBAC plugin: new `systemRoleIds(): Promise<SystemRoleIds | null>` method on `RoleBaseAccessController`. Returns `{ owner, admin, developer, member }` with the seed-migration role IDs when a plugin is loaded; returns `null` when no plugin is installed (matches the `allRoles → []` semantics — there are no seeded roles to refer to). Lets consumers (invite flow, PAT defaults, Roles page comparison grid) get the canonical IDs without duplicating constants in the consuming app.

apps/webapp/app/models/member.server.ts

@@ -2,7 +2,7 @@ import { type Prisma, prisma } from "~/db.server";
 import { createEnvironment } from "./organization.server";
 import { customAlphabet } from "nanoid";
 import { logger } from "~/services/logger.server";
-import { rbac, SYSTEM_ROLE_IDS } from "~/services/rbac.server";
+import { rbac } from "~/services/rbac.server";
 
 const tokenValueLength = 40;
 const tokenGenerator = customAlphabet("123456789abcdefghijkmnopqrstuvwxyz", tokenValueLength);
@@ -111,8 +111,12 @@ export async function inviteMembers({
   }
 
   // The legacy enum is the source of truth without the plugin installed.
+  // Owner/Admin RBAC ids → "ADMIN"; everything else → "MEMBER". Pull
+  // the canonical IDs off the plugin so we don't duplicate them here;
+  // null means no plugin → default to "MEMBER" (legacy two-option flow).
+  const ids = await rbac.systemRoleIds();
   const legacyRole: "ADMIN" | "MEMBER" =
-    rbacRoleId === SYSTEM_ROLE_IDS.owner || rbacRoleId === SYSTEM_ROLE_IDS.admin
+    ids && (rbacRoleId === ids.owner || rbacRoleId === ids.admin)
       ? "ADMIN"
       : "MEMBER";
 

apps/webapp/app/routes/_app.orgs.$organizationSlug.invite/route.tsx

@@ -33,7 +33,7 @@ import { inviteMembers } from "~/models/member.server";
 import { redirectWithSuccessMessage } from "~/models/message.server";
 import { TeamPresenter } from "~/presenters/TeamPresenter.server";
 import { scheduleEmail } from "~/services/email.server";
-import { rbac, SYSTEM_ROLE_IDS } from "~/services/rbac.server";
+import { rbac } from "~/services/rbac.server";
 import { requireUserId } from "~/services/session.server";
 import { acceptInvitePath, organizationTeamPath, v3BillingPath } from "~/utils/pathBuilder";
 import { PurchaseSeatsModal } from "../_app.orgs.$organizationSlug.settings.team/route";
@@ -68,12 +68,28 @@ export const loader = async ({ request, params }: LoaderFunctionArgs) => {
   // Inviter's own role drives the "below their level" filter on the
   // dropdown. Plus assignable role IDs already encode the org's plan
   // tier — the intersection is what we offer.
-  const [inviterRole, assignableRoleIds] = await Promise.all([
+  const [inviterRole, assignableRoleIds, systemRoleIds] = await Promise.all([
     rbac.getUserRole({ userId, organizationId: organization.id }),
     rbac.getAssignableRoleIds(organization.id),
+    rbac.systemRoleIds(),
   ]);
 
-  return typedjson({ ...result, inviterRoleId: inviterRole?.id ?? null, assignableRoleIds });
+  // Build the dropdown's offerable set server-side: roles that are
+  // (a) assignable on the current plan AND (b) strictly below the
+  // inviter's own level. The client just renders these — it doesn't
+  // need to know about the system-role ID constants or the ladder.
+  const assignableSet = new Set(assignableRoleIds);
+  const offerableRoleIds = systemRoleIds
+    ? result.roles
+        .filter(
+          (r) =>
+            assignableSet.has(r.id) &&
+            isStrictlyBelow(systemRoleIds, inviterRole?.id ?? null, r.id)
+        )
+        .map((r) => r.id)
+    : [];
+
+  return typedjson({ ...result, offerableRoleIds });
 };
 
 // Sentinel for "no RBAC role attached to invite" — the runtime
@@ -87,14 +103,22 @@ const NO_RBAC_ROLE = "__no_rbac_role__";
 // Admins can pick Developer or Member, Developer/Member can't invite
 // at all. Custom roles are out of scope for this rule (TRI-8747's
 // follow-up will handle them).
-const ROLE_LEVEL: Record<string, number> = {
-  [SYSTEM_ROLE_IDS.owner]: 4,
-  [SYSTEM_ROLE_IDS.admin]: 3,
-  [SYSTEM_ROLE_IDS.developer]: 2,
-  [SYSTEM_ROLE_IDS.member]: 1,
-};
+function buildRoleLevel(ids: {
+  owner: string;
+  admin: string;
+  developer: string;
+  member: string;
+}): Record<string, number> {
+  return {
+    [ids.owner]: 4,
+    [ids.admin]: 3,
+    [ids.developer]: 2,
+    [ids.member]: 1,
+  };
+}
 
-function canInviteAtRole(
+function isStrictlyBelow(
+  ids: { owner: string; admin: string; developer: string; member: string },
   inviterRoleId: string | null,
   invitedRoleId: string
 ): boolean {
@@ -104,8 +128,9 @@ function canInviteAtRole(
   // would have already failed earlier if the inviter wasn't allowed
   // to invite at all.
   if (!inviterRoleId) return true;
-  const inviter = ROLE_LEVEL[inviterRoleId];
-  const invited = ROLE_LEVEL[invitedRoleId];
+  const level = buildRoleLevel(ids);
+  const inviter = level[inviterRoleId];
+  const invited = level[invitedRoleId];
   // Custom roles aren't in the level table — refuse.
   if (inviter === undefined || invited === undefined) return false;
   return invited < inviter;
@@ -143,7 +168,7 @@ export const action: ActionFunction = async ({ request, params }) => {
   // Resolve the RBAC role choice. NO_RBAC_ROLE / undefined / unknown
   // role → don't pass one through; the runtime fallback handles it.
   // Validation: the chosen role must be in the org's assignable set
-  // (which already enforces plan-tier gating + inviter's level).
+  // (plan-tier) and strictly below the inviter's own level.
   let resolvedRbacRoleId: string | null = null;
   const submittedRbacRoleId = submission.value.rbacRoleId;
   if (
@@ -157,24 +182,37 @@ export const action: ActionFunction = async ({ request, params }) => {
     if (!org) {
       return json({ errors: { body: "Organization not found" } }, { status: 404 });
     }
-    const [inviterRole, assignableRoleIds] = await Promise.all([
+    const [inviterRole, assignableRoleIds, systemRoleIds] = await Promise.all([
       rbac.getUserRole({ userId, organizationId: org.id }),
       rbac.getAssignableRoleIds(org.id),
+      rbac.systemRoleIds(),
     ]);
-    const assignable = new Set(assignableRoleIds);
-    if (!assignable.has(submittedRbacRoleId)) {
-      return json(
-        { errors: { body: "You can't invite someone with this role on your current plan" } },
-        { status: 400 }
-      );
-    }
-    if (!canInviteAtRole(inviterRole?.id ?? null, submittedRbacRoleId)) {
-      return json(
-        { errors: { body: "You can only invite members at or below your own role" } },
-        { status: 403 }
-      );
+    if (!systemRoleIds) {
+      // No plugin installed but the form somehow submitted a role id —
+      // ignore it (fall through to legacy behaviour rather than 400).
+      resolvedRbacRoleId = null;
+    } else {
+      const assignable = new Set(assignableRoleIds);
+      if (!assignable.has(submittedRbacRoleId)) {
+        return json(
+          { errors: { body: "You can't invite someone with this role on your current plan" } },
+          { status: 400 }
+        );
+      }
+      if (
+        !isStrictlyBelow(
+          systemRoleIds,
+          inviterRole?.id ?? null,
+          submittedRbacRoleId
+        )
+      ) {
+        return json(
+          { errors: { body: "You can only invite members at or below your own role" } },
+          { status: 403 }
+        );
+      }
+      resolvedRbacRoleId = submittedRbacRoleId;
     }
-    resolvedRbacRoleId = submittedRbacRoleId;
   }
 
   try {
@@ -220,27 +258,24 @@ export default function Page() {
     maxSeatQuota,
     planSeatLimit,
     roles,
-    inviterRoleId,
-    assignableRoleIds,
+    offerableRoleIds,
   } = useTypedLoaderData<typeof loader>();
   const [total, setTotal] = useState(limits.used);
   const organization = useOrganization();
   const lastSubmission = useActionData();
 
-  // Filter the role catalogue down to what THIS inviter can actually
-  // assign — intersection of (assignable on this plan) and (strictly
-  // below inviter's level). With no plugin installed, roles is [] and
-  // we hide the whole picker.
-  const assignable = new Set(assignableRoleIds);
-  const offerable = roles.filter(
-    (r) => assignable.has(r.id) && canInviteAtRole(inviterRoleId, r.id)
-  );
+  // The loader filtered the catalogue to roles this inviter can
+  // actually assign (plan tier × strict-below-my-level). With no plugin
+  // installed, offerableRoleIds is [] and the picker hides entirely.
+  const offerableSet = new Set(offerableRoleIds);
+  const offerable = roles.filter((r) => offerableSet.has(r.id));
   const showRolePicker = offerable.length > 0;
 
-  // Default to Member when offered (or the lowest-tier offered role).
+  // Default to the lowest-tier offered role (the loader returns roles
+  // in its allRoles order, which the plugin emits Owner→Member; the
+  // last entry is the most restrictive).
   const defaultRoleId = showRolePicker
-    ? offerable.find((r) => r.id === SYSTEM_ROLE_IDS.member)?.id ??
-      offerable[offerable.length - 1].id
+    ? offerable[offerable.length - 1].id
     : NO_RBAC_ROLE;
   const [selectedRoleId, setSelectedRoleId] = useState(defaultRoleId);
 

apps/webapp/app/routes/_app.orgs.$organizationSlug.settings.roles/route.tsx

@@ -31,7 +31,7 @@ import {
 import { cn } from "~/utils/cn";
 import { $replica } from "~/db.server";
 import { useOrganization } from "~/hooks/useOrganizations";
-import { rbac, SYSTEM_ROLE_IDS } from "~/services/rbac.server";
+import { rbac } from "~/services/rbac.server";
 import {
   dashboardLoader,
 } from "~/services/routeBuilders/dashboardBuilder";
@@ -72,13 +72,20 @@ export const loader = dashboardLoader(
       throw new Response("Not Found", { status: 404 });
     }
 
-    const [roles, assignableRoleIds, allPermissions] = await Promise.all([
-      rbac.allRoles(orgId),
-      rbac.getAssignableRoleIds(orgId),
-      rbac.allPermissions(orgId),
-    ]);
+    const [roles, assignableRoleIds, allPermissions, systemRoleIds] =
+      await Promise.all([
+        rbac.allRoles(orgId),
+        rbac.getAssignableRoleIds(orgId),
+        rbac.allPermissions(orgId),
+        rbac.systemRoleIds(),
+      ]);
 
-    return typedjson({ roles, assignableRoleIds, allPermissions });
+    return typedjson({
+      roles,
+      assignableRoleIds,
+      allPermissions,
+      systemRoleIds,
+    });
   }
 );
 
@@ -87,19 +94,6 @@ type LoaderRole = LoaderData["roles"][number];
 type LoaderPermission = LoaderData["allPermissions"][number];
 type RolePermission = LoaderRole["permissions"][number];
 
-// Display order for the system roles. Custom roles render afterwards
-// in whatever order rbac.allRoles returns them.
-const SYSTEM_ROLE_ORDER: ReadonlyArray<{ id: string; name: string }> = [
-  { id: SYSTEM_ROLE_IDS.owner, name: "Owner" },
-  { id: SYSTEM_ROLE_IDS.admin, name: "Admin" },
-  { id: SYSTEM_ROLE_IDS.developer, name: "Developer" },
-  { id: SYSTEM_ROLE_IDS.member, name: "Member" },
-];
-
-const SYSTEM_ROLE_ID_SET: ReadonlySet<string> = new Set(
-  SYSTEM_ROLE_ORDER.map((r) => r.id)
-);
-
 // Permission name → display group. The wire-format Permission only
 // carries `name` and `description`, so this lives client-side.
 const PERMISSION_GROUP_BY_NAME: Record<string, string> = {
@@ -148,7 +142,7 @@ const GROUP_ORDER = [
 ] as const;
 
 export default function Page() {
-  const { roles, assignableRoleIds, allPermissions } =
+  const { roles, assignableRoleIds, allPermissions, systemRoleIds } =
     useTypedLoaderData<typeof loader>();
   const organization = useOrganization();
   const plan = useCurrentPlan();
@@ -163,13 +157,25 @@ export default function Page() {
   const assignable = new Set(assignableRoleIds);
 
   // Column ordering: Owner / Admin / Developer / Member, then any
-  // custom roles in the order rbac.allRoles returned them.
-  const systemColumns = SYSTEM_ROLE_ORDER.flatMap((meta) => {
+  // custom roles in the order rbac.allRoles returned them. systemRoleIds
+  // is null when no plugin is installed — there are no system roles to
+  // pin; fall through to whatever order rbac.allRoles returns.
+  const systemRoleOrder: ReadonlyArray<{ id: string; name: string }> =
+    systemRoleIds
+      ? [
+          { id: systemRoleIds.owner, name: "Owner" },
+          { id: systemRoleIds.admin, name: "Admin" },
+          { id: systemRoleIds.developer, name: "Developer" },
+          { id: systemRoleIds.member, name: "Member" },
+        ]
+      : [];
+  const systemRoleIdSet = new Set(systemRoleOrder.map((r) => r.id));
+  const systemColumns = systemRoleOrder.flatMap((meta) => {
     const role = rolesById.get(meta.id);
     return role ? [{ role, fallbackName: meta.name }] : [];
   });
   const customColumns = roles
-    .filter((r) => !SYSTEM_ROLE_ID_SET.has(r.id))
+    .filter((r) => !systemRoleIdSet.has(r.id))
     .map((role) => ({ role, fallbackName: role.name }));
   const columns = [...systemColumns, ...customColumns];
 
@@ -212,6 +218,7 @@ export default function Page() {
                           <PlanBadge
                             roleId={role.id}
                             assignable={assignable}
+                            systemRoleIds={systemRoleIds}
                           />
                         </div>
                       </TableHeaderCell>
@@ -286,9 +293,11 @@ function EmptyState() {
 function PlanBadge({
   roleId,
   assignable,
+  systemRoleIds,
 }: {
   roleId: string;
   assignable: ReadonlySet<string>;
+  systemRoleIds: { developer: string; member: string } | null;
 }) {
   // Roles the org's plan doesn't permit get a small upgrade-tier hint
   // in the column header. The cell rendering is identical regardless
@@ -297,8 +306,8 @@ function PlanBadge({
   // System role gating: Owner+Admin always available; Member/Developer
   // only on Pro+; custom roles only on Enterprise.
   if (
-    roleId === SYSTEM_ROLE_IDS.member ||
-    roleId === SYSTEM_ROLE_IDS.developer
+    systemRoleIds &&
+    (roleId === systemRoleIds.member || roleId === systemRoleIds.developer)
   ) {
     return <Badge variant="extra-small">Pro</Badge>;
   }

apps/webapp/app/routes/account.tokens/route.tsx

@@ -37,7 +37,7 @@ import {
 import { SimpleTooltip } from "~/components/primitives/Tooltip";
 import { redirectWithSuccessMessage } from "~/models/message.server";
 import { prisma } from "~/db.server";
-import { rbac, SYSTEM_ROLE_IDS } from "~/services/rbac.server";
+import { rbac } from "~/services/rbac.server";
 import {
   type CreatedPersonalAccessToken,
   type ObfuscatedPersonalAccessToken,
@@ -96,9 +96,11 @@ export const loader = async ({ request }: LoaderFunctionArgs) => {
     // Default the role picker to the user's own role in their primary
     // org so a freshly-created PAT isn't more privileged than the
     // person creating it. Falls back to Member if they don't have one
-    // (new user, or no RBAC plugin installed so no role assignments
-    // exist).
-    const defaultRoleId = userRoleId ?? SYSTEM_ROLE_IDS.member;
+    // (new user). When no RBAC plugin is installed, systemRoleIds()
+    // returns null and the picker is hidden anyway, so defaultRoleId
+    // is just a placeholder in that branch.
+    const ids = await rbac.systemRoleIds();
+    const defaultRoleId = userRoleId ?? ids?.member ?? "";
 
     return typedjson({
       personalAccessTokens,

apps/webapp/app/services/rbac.server.ts

@@ -16,15 +16,3 @@ export const rbac = plugin.create(
   { getSessionUserId },
   { forceFallback: env.RBAC_FORCE_FALLBACK }
 );
-
-// Stable IDs for the four built-in system roles. They never change —
-// anything that needs a default role at creation time keys off these.
-// The default fallback's setUserRole returns
-// `{ ok: false, error: "RBAC plugin not installed" }` and is safe to
-// call with these ids; it just no-ops.
-export const SYSTEM_ROLE_IDS = {
-  owner: "sys_role_owner",
-  admin: "sys_role_admin",
-  developer: "sys_role_developer",
-  member: "sys_role_member",
-} as const;

internal-packages/rbac/src/fallback.ts

@@ -157,6 +157,12 @@ class RoleBaseAccessFallbackController implements RoleBaseAccessController {
     return auth;
   }
 
+  async systemRoleIds() {
+    // No plugin installed → no seeded roles. Callers handle null by
+    // hiding role-picker UI / skipping role assignment writes.
+    return null;
+  }
+
   async allPermissions(): Promise<Permission[]> {
     return [];
   }

internal-packages/rbac/src/index.ts

@@ -138,6 +138,10 @@ class LazyController implements RoleBaseAccessController {
     return auth;
   }
 
+  async systemRoleIds() {
+    return (await this.c()).systemRoleIds();
+  }
+
   async allPermissions(
     ...args: Parameters<RoleBaseAccessController["allPermissions"]>
   ): Promise<Permission[]> {