RBAC: scrub "enterprise" / "OSS" / cloud-side references from comments

matt-aitken · matt-aitken · commit 71901dd71467 · 2026-04-29T14:04:42.000+01:00
Code comments throughout the OSS-facing RBAC surface mentioned the enterprise plugin, CASL, the cloud webapp, the cloud-side test suite, and specific cloud file paths. Two reasons not to keep that: - Reputation: comments framing the OSS code as "the OSS path" vs "the enterprise path" pollute the public repo with implementation framing that shouldn't be there. - Implementation leakage: enterprise/cloud comments give away structural details about the closed-source plugin (where its data lives, what library it uses, which Linear tickets track it). Rewrites use neutral language — "the loaded RBAC plugin (if any)", "the default fallback", "an installed plugin" — and drop references to specific cloud-side files / TRI-IDs / CASL. Plan-tier names ("Enterprise" as a public product tier in the Roles page upsell, `planCode === "enterprise"` checks, `<TierEnterprise />` in pre-existing files) are intentionally left as-is — they're the public marketing name for a paid tier, not implementation detail. Removed `.server-changes/rbac-userrole-default-assignment.md` — documented a feature that was reverted in d2bf617 (upfront UserRole inserts on create-org / acceptInvite). Verified: 162/162 OSS e2e.full pass, 31/31 OSS rbac unit pass.
diff --git a/.changeset/rbac-assignable-role-ids.md b/.changeset/rbac-assignable-role-ids.md
@@ -2,4 +2,4 @@
 "@trigger.dev/plugins": patch
 ---
 
-RBAC plugin: new `getAssignableRoleIds(organizationId)` method on `RoleBaseAccessController`. Returns the subset of `allRoles(organizationId)` IDs that may be assigned right now — used by the Teams page UI to disable role-dropdown options outside the org's plan tier. OSS fallback returns `[]` (permissive — `allRoles` already returns `[]` so there's nothing to gate); the enterprise plugin queries its plan client and returns the plan-allowed system roles plus all custom roles. Server-side enforcement (rejecting an actual `setUserRole` to a plan-gated role) is unchanged and remains the source of truth — this method is purely a UI affordance.
+RBAC plugin: new `getAssignableRoleIds(organizationId)` method on `RoleBaseAccessController`. Returns the subset of `allRoles(organizationId)` IDs that may be assigned right now — used by the Teams page UI to disable role-dropdown options that aren't currently assignable. The default fallback returns `[]` (permissive — `allRoles` already returns `[]` so there's nothing to gate); a plugin may apply its own gating policy and return the assignable subset. Server-side enforcement (rejecting an actual `setUserRole` to a non-assignable role) is unchanged and remains the source of truth — this method is purely a UI affordance.
diff --git a/.server-changes/rbac-pat-role-selection.md b/.server-changes/rbac-pat-role-selection.md
@@ -4,13 +4,12 @@ type: feature
 ---
 
 RBAC: PAT creation flow now lets users pick a system role at create
-time, persisted as an enterprise.TokenRole row (TRI-8749). Defaults to
-the caller's own role so a PAT can't be more privileged than the
-person creating it. Custom (org-defined) roles are out of scope for
-v1 — only the four global system roles are offered, and the binding
-is global to the PAT regardless of which org the request later
-targets. Compensating-delete pattern on TokenRole insert failure
-keeps the two writes (Prisma PAT row + Drizzle TokenRole row)
-consistent without cross-ORM transaction wrestling. OSS path is a
-no-op: when the RBAC plugin isn't installed the dropdown is hidden,
-no roleId is submitted, and the PAT works exactly as before.
+time, persisted via the RBAC plugin's `setTokenRole`. Defaults to the
+caller's own role so a PAT can't be more privileged than the person
+creating it. Custom (org-defined) roles are out of scope for v1 — only
+the four global system roles are offered, and the binding is global to
+the PAT regardless of which org the request later targets. A
+compensating-delete on `setTokenRole` failure keeps the PAT row and
+the role row consistent without cross-store transaction wrestling.
+With no RBAC plugin installed the dropdown is hidden, no roleId is
+submitted, and the PAT works exactly as before.
diff --git a/.server-changes/rbac-userrole-default-assignment.md b/.server-changes/rbac-userrole-default-assignment.md
diff --git a/apps/webapp/app/models/member.server.ts b/apps/webapp/app/models/member.server.ts
@@ -215,8 +215,8 @@ export async function acceptInvite({
     };
   });
 
-  // No upfront RBAC UserRole insert — the enterprise plugin's
-  // getUserRole derives the new member's role from the legacy
+  // No upfront RBAC UserRole insert — the loaded RBAC plugin (if any)
+  // is responsible for deriving the new member's role from the legacy
   // OrgMember.role write inside the transaction above (ADMIN → Owner,
   // MEMBER → Admin) until an Owner explicitly changes their role on
   // the Teams page. Keeps the invite path tight and consistent with
diff --git a/apps/webapp/app/models/organization.server.ts b/apps/webapp/app/models/organization.server.ts
@@ -82,12 +82,12 @@ export async function createOrganization(
     },
   });
 
-  // No upfront RBAC UserRole insert — the enterprise plugin's
-  // getUserRole derives the creator's role from the legacy
+  // No upfront RBAC UserRole insert — the loaded RBAC plugin (if any)
+  // is responsible for deriving the creator's role from the legacy
   // OrgMember.role = "ADMIN" write above (which maps to Owner) until an
   // Owner explicitly changes someone's role on the Teams page. Keeps
-  // the create-org path tight and lets the fallback path stay the
-  // single source of truth for "who has what role" by default.
+  // the create-org path tight and lets the plugin stay the single
+  // source of truth for "who has what role" by default.
   return { ...organization };
 }
 
diff --git a/apps/webapp/app/presenters/TeamPresenter.server.ts b/apps/webapp/app/presenters/TeamPresenter.server.ts
@@ -19,9 +19,9 @@ export class TeamPresenter extends BasePresenter {
         getLimit(organizationId, "teamMembers", 100_000_000),
         getCurrentPlan(organizationId),
         getPlans(),
-        // RBAC role catalogue (system roles + any org-defined custom roles).
-        // OSS fallback returns []; on cloud the enterprise plugin returns
-        // the seeded system roles plus the org's custom roles.
+        // RBAC role catalogue (system roles + any org-defined custom
+        // roles). The default fallback returns []; an installed plugin
+        // may return the seeded system roles plus any custom roles.
         rbac.allRoles(organizationId),
         // Plan-gated subset — the Teams page disables dropdown options not
         // in this set. Server-side enforcement is independent (setUserRole
diff --git a/apps/webapp/app/routes/_app.orgs.$organizationSlug.settings.roles/route.tsx b/apps/webapp/app/routes/_app.orgs.$organizationSlug.settings.roles/route.tsx
@@ -221,10 +221,9 @@ function RoleCard({
   );
 }
 
-// Permission name-prefix → display group. Mirrors PERMISSION_METADATA's
-// groupings server-side (cloud/enterprise/plugins/src/rbac/permissions.ts)
-// but lives client-side because the wire-format Permission only carries
-// `name` and `description`. Keep in lockstep.
+// Permission name-prefix → display group. Lives client-side because
+// the wire-format Permission only carries `name` and `description` —
+// the RBAC plugin doesn't ship grouping metadata over the wire.
 const PERMISSION_GROUP_BY_NAME: Record<string, string> = {
   "read:runs": "Runs",
   "write:runs": "Runs",
@@ -283,9 +282,8 @@ function groupPermissions(
   );
 }
 
-// "Create role" upsell shown to non-Enterprise plans. Enterprise sees
-// nothing here for now — the actual create-role UI is a follow-up
-// (depends on TRI-8747's controller-level CRUD already in place).
+// "Create role" upsell shown to non-Enterprise plans. Enterprise plans
+// don't see this — the actual create-role UI is a follow-up.
 function CreateRoleUpsell() {
   const [open, setOpen] = useState(false);
   return (
diff --git a/apps/webapp/app/routes/_app.orgs.$organizationSlug.settings.team/route.tsx b/apps/webapp/app/routes/_app.orgs.$organizationSlug.settings.team/route.tsx
@@ -581,9 +581,8 @@ function RolePicker({
 }) {
   const fetcher = useFetcher<{ ok: boolean; error?: string } | { ok: true }>();
   const assignable = new Set(assignableRoleIds);
-  // OSS deployments return [] (allRoles also returns []) — when there
-  // are no roles to pick from, render nothing rather than an empty
-  // dropdown.
+  // With no RBAC plugin installed, the loader returns no roles —
+  // render nothing rather than an empty dropdown.
   if (roles.length === 0) return null;
 
   const isSubmitting = fetcher.state === "submitting";
diff --git a/apps/webapp/app/routes/account.tokens/route.tsx b/apps/webapp/app/routes/account.tokens/route.tsx
@@ -56,12 +56,13 @@ export const meta: MetaFunction = () => {
   ];
 };
 
-// PATs aren't org-scoped, but role/permission catalogues are seeded
-// per-org in enterprise's allRoles. To get the canonical system roles
-// (Owner/Admin/Member/Viewer — orgId IS NULL on those rows), we hand
-// allRoles any orgId the user belongs to and filter down to system
+// PATs aren't org-scoped, but the RBAC plugin's allRoles is org-keyed
+// (a plugin may also expose org-defined custom roles alongside the
+// global system roles). To get the canonical system roles (Owner /
+// Admin / Member / Viewer), we hand allRoles any orgId the user
+// belongs to and filter down to the rows the plugin marks as system
 // roles. This is a UI-only convenience — the chosen role becomes a
-// global TokenRole row that applies wherever the PAT is used. Custom
+// global TokenRole that applies wherever the PAT is used. Custom
 // (org-defined) roles are out of scope for v1: their org-binding
 // semantics for a multi-org user's PAT need a separate design pass.
 async function loadSystemRolesForUser(userId: string) {
@@ -95,7 +96,8 @@ export const loader = async ({ request }: LoaderFunctionArgs) => {
     // Default the role picker to the user's own role in their primary
     // org so a freshly-created PAT isn't more privileged than the
     // person creating it. Falls back to Member if they don't have one
-    // (new user, OSS path with no role assignments yet).
+    // (new user, or no RBAC plugin installed so no role assignments
+    // exist).
     const defaultRoleId = userRoleId ?? SYSTEM_ROLE_IDS.member;
 
     return typedjson({
@@ -123,10 +125,9 @@ const CreateTokenSchema = z.discriminatedUnion("action", [
       .string({ required_error: "You must enter a name" })
       .min(2, "Your name must be at least 2 characters long")
       .max(50),
-    // Optional — when the RBAC plugin isn't installed (OSS), the UI
-    // hides the dropdown and submits no roleId; the action passes that
-    // through and createPersonalAccessToken just doesn't write a
-    // TokenRole row.
+    // Optional — when no RBAC plugin is installed the UI hides the
+    // dropdown and submits no roleId; the action passes that through
+    // and createPersonalAccessToken just doesn't write a TokenRole.
     roleId: z.string().optional(),
   }),
   z.object({
@@ -284,10 +285,11 @@ function CreatePersonalAccessToken({
     ? (lastSubmission?.payload?.token as CreatedPersonalAccessToken)
     : undefined;
 
-  // OSS path: rbac.allRoles returns []; we hide the dropdown entirely
-  // rather than showing an empty Select. createPersonalAccessToken's
-  // roleId is optional, so omitting it produces a working PAT with no
-  // explicit role attached (matches pre-RBAC behaviour).
+  // With no RBAC plugin installed, rbac.allRoles returns []; hide the
+  // dropdown entirely rather than showing an empty Select.
+  // createPersonalAccessToken's roleId is optional, so omitting it
+  // produces a working PAT with no explicit role attached (matches
+  // pre-RBAC behaviour).
   const showRolePicker = roles.length > 0;
   const [selectedRoleId, setSelectedRoleId] = useState(defaultRoleId);
 
diff --git a/apps/webapp/app/services/personalAccessToken.server.ts b/apps/webapp/app/services/personalAccessToken.server.ts
@@ -11,9 +11,9 @@ const tokenValueLength = 40;
 //lowercase only, removed 0 and l to avoid confusion
 const tokenGenerator = customAlphabet("123456789abcdefghijkmnopqrstuvwxyz", tokenValueLength);
 
-// The OSS fallback's setTokenRole returns this exact string when no
-// enterprise plugin is loaded. We treat that as "no role attached" —
-// the PAT is still valid; auth just falls through to legacy permissive
+// The default fallback's setTokenRole returns this exact string when
+// no RBAC plugin is loaded. We treat that as "no role attached" — the
+// PAT is still valid; auth just falls through to legacy permissive
 // behaviour. Any other error is treated as a real failure and triggers
 // the compensating delete below.
 const FALLBACK_NOT_INSTALLED_ERROR = "RBAC plugin not installed";
@@ -351,25 +351,25 @@ export async function createPersonalAccessToken({
     },
   });
 
-  // Persist the role choice in enterprise.TokenRole. This lives on a
-  // different schema (Drizzle, not Prisma) — co-transactional inserts
-  // across the two ORMs are awkward, so we use a compensating-delete
-  // pattern: if setTokenRole fails, roll back the PAT row by deleting
-  // it. The auth path treats "no role" as permissive (matches OSS
-  // fallback) so a brief orphan window between the two writes is
-  // harmless. The compensating delete narrows that window from "until
-  // manual cleanup" to "until the request returns".
+  // Persist the role choice via the RBAC plugin's setTokenRole. The
+  // plugin may store this in a separate datastore from Prisma (e.g.
+  // Drizzle on a different schema), so co-transactional inserts are
+  // awkward — we use a compensating-delete pattern instead: if
+  // setTokenRole fails, roll back the PAT row by deleting it. The auth
+  // path treats "no role" as permissive (matches the default fallback)
+  // so a brief orphan window between the two writes is harmless. The
+  // compensating delete narrows that window from "until manual cleanup"
+  // to "until the request returns".
   if (roleId) {
     const roleResult = await rbac.setTokenRole({
       tokenId: personalAccessToken.id,
       roleId,
     });
     if (!roleResult.ok) {
-      // The OSS fallback always returns ok=false with this exact
-      // message. That isn't a failure — there's no enterprise plugin
-      // to write to, so the PAT just runs without an explicit role
-      // (matches the pre-RBAC behaviour). Don't compensating-delete
-      // in that case.
+      // The default fallback always returns ok=false with this exact
+      // message. That isn't a failure — there's no plugin to write to,
+      // so the PAT just runs without an explicit role (matches the
+      // pre-RBAC behaviour). Don't compensating-delete in that case.
       if (roleResult.error === FALLBACK_NOT_INSTALLED_ERROR) {
         logger.debug("createPersonalAccessToken: no RBAC plugin, skipping role assignment", {
           patId: personalAccessToken.id,
diff --git a/apps/webapp/app/services/rbac.server.ts b/apps/webapp/app/services/rbac.server.ts
@@ -8,18 +8,18 @@ async function getSessionUserId(request: Request): Promise<string | null> {
   return id ?? null;
 }
 
-// plugin.create() is synchronous — returns a lazy controller that loads the enterprise plugin
-// on first call. Top-level await is not used because CJS output format does not support it.
+// plugin.create() is synchronous — returns a lazy controller that resolves
+// any installed RBAC plugin on first call. Top-level await is not used
+// because CJS output format does not support it.
 export const rbac = plugin.create(
   prisma,
   { getSessionUserId },
   { forceFallback: env.RBAC_FORCE_FALLBACK }
 );
 
-// Stable IDs for the system roles seeded by the enterprise/db migration
-// (cloud/enterprise/db/drizzle/migrations/0000_legal_titanium_man.sql).
-// They never change — anything that needs to set a default role at
-// creation time keys off these. The OSS fallback's setUserRole returns
+// Stable IDs for the four built-in system roles. They never change —
+// anything that needs a default role at creation time keys off these.
+// The default fallback's setUserRole returns
 // `{ ok: false, error: "RBAC plugin not installed" }` and is safe to
 // call with these ids; it just no-ops.
 export const SYSTEM_ROLE_IDS = {
diff --git a/apps/webapp/app/services/routeBuilders/dashboardBuilder.ts b/apps/webapp/app/services/routeBuilders/dashboardBuilder.ts
@@ -47,8 +47,9 @@ export type DashboardLoaderOptions<TParams, TSearchParams> = {
   params?: TParams;
   searchParams?: TSearchParams;
   // Optional: provides organizationId / projectId to rbac.authenticateSession
-  // when the route's ability check needs it (enterprise-only — fallback
-  // currently ignores context).
+  // when the route's ability check needs it. The default fallback
+  // ignores context; an installed plugin may use it to scope the
+  // returned ability.
   context?: (
     params: InferZod<TParams>,
     request: Request
diff --git a/apps/webapp/test/api-auth.e2e.test.ts b/apps/webapp/test/api-auth.e2e.test.ts
@@ -123,13 +123,15 @@ describe("JWT bearer auth — baseline behavior", () => {
   });
 });
 
-// Exercises the RBAC plugin loader end-to-end. The test server boots with
-// RBAC_FORCE_FALLBACK=1 (see internal-packages/testcontainers/src/webapp.ts), which makes
-// rbac.server.ts select the OSS fallback over the enterprise plugin. /admin/concurrency uses
-// rbac.authenticateSession internally; an unauthenticated request must flow through
-// LazyController → RoleBaseAccessFallback → redirect("/login").
+// Exercises the RBAC plugin loader end-to-end. The test server boots
+// with RBAC_FORCE_FALLBACK=1 (see internal-packages/testcontainers/src/webapp.ts),
+// which makes rbac.server.ts use the default fallback regardless of
+// whether a plugin is installed in node_modules. /admin/concurrency
+// uses rbac.authenticateSession internally; an unauthenticated request
+// must flow through LazyController → RoleBaseAccessFallback →
+// redirect("/login").
 describe("RBAC plugin — fallback wiring", () => {
-  it("unauthenticated dashboard route redirects to /login via the OSS fallback", async () => {
+  it("unauthenticated dashboard route redirects to /login via the fallback", async () => {
     const res = await server.webapp.fetch("/admin/concurrency", { redirect: "manual" });
     expect(res.status).toBe(302);
     const location = res.headers.get("location") ?? "";
diff --git a/internal-packages/rbac/src/fallback.ts b/internal-packages/rbac/src/fallback.ts
@@ -165,10 +165,10 @@ class RoleBaseAccessFallbackController implements RoleBaseAccessController {
     return [];
   }
 
-  // Permissive — the OSS path has no plan gating. The Teams page UI
-  // uses this to decide which role options to render as disabled; in
-  // the OSS deployment all roles are assignable (allRoles() returns []
-  // anyway, so the practical effect is "no roles to gate").
+  // Permissive — the default fallback applies no gating. The Teams
+  // page UI uses this to decide which role options to render as
+  // disabled; with no plugin installed allRoles() returns [] anyway,
+  // so the practical effect is "no roles to gate".
   async getAssignableRoleIds(): Promise<string[]> {
     return [];
   }
diff --git a/internal-packages/rbac/src/index.ts b/internal-packages/rbac/src/index.ts
@@ -63,30 +63,30 @@ class LazyController implements RoleBaseAccessController {
       const moduleName = "@triggerdotdev/plugins/rbac";
       const module = await import(moduleName);
       const plugin: RoleBasedAccessControlPlugin = module.default;
-      console.log("RBAC: using enterprise plugin implementation");
+      console.log("RBAC: using plugin implementation");
       return plugin.create(helpers);
     } catch (err) {
-      // The dynamic import either succeeded (enterprise tier) or failed
-      // for one of two distinct reasons. Distinguishing them is critical
-      // for debugging — silently swallowing the error here is what
-      // produced "why is the fallback being used?" mysteries before.
+      // The dynamic import either succeeded or failed for one of two
+      // distinct reasons. Distinguishing them is critical for debugging
+      // — silently swallowing the error here is what produced "why is
+      // the fallback being used?" mysteries before.
       //
-      // 1. Module-not-found — expected for OSS deployments where the
-      //    cloud plugin isn't installed. Logged at info level only when
-      //    RBAC_LOG_FALLBACK=1 so production OSS logs stay quiet.
+      // 1. Module-not-found — expected when no plugin is installed.
+      //    Logged at info level only when RBAC_LOG_FALLBACK=1 so
+      //    production logs stay quiet.
       // 2. Anything else (transitive dep missing, init error, syntax
       //    error in the plugin's dist, etc.) — a real bug. Always
       //    logged loudly so it surfaces in CI / production logs.
       const code = (err as NodeJS.ErrnoException | undefined)?.code;
       const isModuleNotFound = code === "ERR_MODULE_NOT_FOUND" || code === "MODULE_NOT_FOUND";
       if (!isModuleNotFound) {
         console.error(
-          "RBAC: enterprise plugin found but failed to load; falling back to OSS implementation",
+          "RBAC: plugin found but failed to load; falling back to default implementation",
           err
         );
       } else if (process.env.RBAC_LOG_FALLBACK === "1") {
         console.log(
-          "RBAC: enterprise plugin not installed (ERR_MODULE_NOT_FOUND); using OSS fallback"
+          "RBAC: no plugin installed (ERR_MODULE_NOT_FOUND); using fallback"
         );
       } else {
         console.log(`RBAC: using fallback implementation. ${err}`);
@@ -210,7 +210,8 @@ class LazyController implements RoleBaseAccessController {
 }
 
 class RoleBaseAccess {
-  // Synchronous — returns a lazy controller that loads the enterprise plugin on first call.
+  // Synchronous — returns a lazy controller that resolves any installed
+  // plugin on first call.
   create(
     prisma: PrismaClient,
     helpers: RbacHelpers,
diff --git a/internal-packages/testcontainers/src/webapp.ts b/internal-packages/testcontainers/src/webapp.ts
diff --git a/packages/plugins/src/rbac.ts b/packages/plugins/src/rbac.ts
