RBAC: extend Permission + RbacResource for CASL conditional rules (TRI-8893)

Pairs with the cloud-side CASL refactor that switches role storage to
packed CASL rules + introduces conditional rules (e.g. Member's prod
env-var restrictions). Two interface changes here:

  - Permission gains optional `inverted` and `conditions` fields. The
    Roles page renders `inverted: true` rules as ✗ and `conditions`
    (e.g. `{ envType: "PRODUCTION" }`) as a tier badge.

  - RbacResource gains an open-ended `[key: string]: unknown` index so
    routes can pass condition-relevant fields alongside `type` / `id`
    (e.g. `{ type: "envvars", envType: env.type }`). The plugin's
    CASL-backed matcher reads these off the resource object.

Roles page UI: TableHeader gains an "Allowed" column rendering ✓/✗
per rule, and conditional rules show a `(production only)` /
`(non-production only)` Badge next to the permission name. Group order
gains a leading "All" for Owner/Admin's wildcard rules and an
"Environment" group for the new envvars/apiKeys catalogue pairs.

Author: matt-aitken

apps/webapp/app/routes/_app.orgs.$organizationSlug.settings.roles/route.tsx

@@ -179,30 +179,49 @@ function RoleCard({
       <Table containerClassName="border-t-0">
         <TableHeader>
           <TableRow>
+            <TableHeaderCell hiddenLabel>Allowed</TableHeaderCell>
             <TableHeaderCell>Permission</TableHeaderCell>
             <TableHeaderCell>Description</TableHeaderCell>
           </TableRow>
         </TableHeader>
         <TableBody>
           {role.permissions.length === 0 ? (
-            <TableBlankRow colSpan={2}>
+            <TableBlankRow colSpan={3}>
               <Paragraph variant="small" className="text-text-dimmed">
                 This role has no permissions assigned.
               </Paragraph>
             </TableBlankRow>
           ) : (
             grouped.flatMap(({ group, permissions }) => [
               <TableRow key={`${group}-header`}>
-                <TableCell colSpan={2} className="bg-charcoal-800">
+                <TableCell colSpan={3} className="bg-charcoal-800">
                   <Header3 className="text-xs uppercase tracking-wide text-text-dimmed">
                     {group}
                   </Header3>
                 </TableCell>
               </TableRow>,
-              ...permissions.map((permission) => (
-                <TableRow key={`${role.id}-${permission.name}`}>
+              ...permissions.map((permission, idx) => (
+                <TableRow key={`${role.id}-${permission.name}-${idx}`}>
+                  <TableCell className="w-8 text-center">
+                    {permission.inverted ? (
+                      <span className="text-error" aria-label="Denied">
+                        ✗
+                      </span>
+                    ) : (
+                      <span className="text-success" aria-label="Allowed">
+                        ✓
+                      </span>
+                    )}
+                  </TableCell>
                   <TableCell>
-                    <code className="text-xs">{permission.name}</code>
+                    <div className="flex items-center gap-2">
+                      <code className="text-xs">{permission.name}</code>
+                      {permission.conditions ? (
+                        <Badge variant="extra-small">
+                          {formatConditions(permission.conditions)}
+                        </Badge>
+                      ) : null}
+                    </div>
                   </TableCell>
                   <TableCell>
                     <Paragraph variant="small">
@@ -234,6 +253,7 @@ const PERMISSION_GROUP_BY_NAME: Record<string, string> = {
   "write:tasks": "Tasks",
   "trigger:tasks": "Tasks",
   "batchTrigger:tasks": "Tasks",
+  "deploy:tasks": "Tasks",
   "read:waitpoints": "Waitpoints",
   "write:waitpoints": "Waitpoints",
   "read:inputStreams": "Realtime",
@@ -245,12 +265,26 @@ const PERMISSION_GROUP_BY_NAME: Record<string, string> = {
   "read:query": "Query",
   "read:tokens": "Tokens",
   "write:tokens": "Tokens",
+  "read:envvars": "Environment",
+  "write:envvars": "Environment",
+  "read:apiKeys": "Environment",
+  "write:apiKeys": "Environment",
   "read:members": "Organisation",
   "manage:members": "Organisation",
   "manage:billing": "Organisation",
+  // System-role meta pairs ("manage:all", "read:all", …) — collapse to
+  // a single "All" group at the top.
+  "manage:all": "All",
+  "read:all": "All",
+  "write:all": "All",
+  "trigger:all": "All",
+  "batchTrigger:all": "All",
+  "update:all": "All",
+  "deploy:all": "All",
 };
 
 const GROUP_ORDER = [
+  "All",
   "Runs",
   "Tasks",
   "Waitpoints",
@@ -259,10 +293,22 @@ const GROUP_ORDER = [
   "Prompts",
   "Query",
   "Tokens",
+  "Environment",
   "Organisation",
   "Other",
 ];
 
+// Render a CASL conditions object into a tier badge label. Only one
+// condition key is recognised today (envType); extending this requires
+// adding a new branch when ALLOWED_CONDITIONS grows.
+function formatConditions(conditions: Record<string, unknown>): string {
+  if (typeof conditions.envType === "string") {
+    const t = conditions.envType.toLowerCase();
+    return `${t} only`;
+  }
+  return JSON.stringify(conditions);
+}
+
 function groupPermissions(
   permissions: LoaderPermission[]
 ): { group: string; permissions: LoaderPermission[] }[] {

packages/plugins/src/rbac.ts

@@ -1,6 +1,12 @@
 export type Permission = {
+  // `<action>:<subject>` — display name, derived from the ability rule.
   name: string;
   description: string;
+  // Inverted rules (CASL `cannot`) surface as ✗ in the Roles page.
+  inverted?: boolean;
+  // CASL conditions (e.g. `{ envType: "PRODUCTION" }`) — when present,
+  // the Roles page renders a tier badge alongside the permission row.
+  conditions?: Record<string, unknown>;
 };
 
 export type Role = {
@@ -19,6 +25,12 @@ export type RbacSubject =
 export type RbacResource = {
   type: string;
   id?: string;
+  // Extra fields a route may pass for condition-based ability checks —
+  // e.g. `envType` for env-tier-scoped rules ("Member can read envvars
+  // unless envType === 'PRODUCTION'"). The plugin's ability matcher
+  // (CASL) reads these off the resource object; routes that don't use
+  // conditional rules can keep passing `{ type, id? }`.
+  [key: string]: unknown;
 };
 
 export type RbacEnvironment = {