RBAC: drop upfront UserRole inserts from org-creation and invite flows

The enterprise plugin's getUserRole now derives a user's role from the
legacy public.OrgMember.role column whenever no explicit UserRole row
exists (separate cloud commit). That makes the upfront UserRole writes
in createOrganization and acceptInvite redundant — the role display
and ability checks both work from day one based on OrgMember alone.

Removed:
  - The rbac.setUserRole call + SYSTEM_ROLE_IDS import from
    apps/webapp/app/models/organization.server.ts (createOrganization)
  - The rbac.setUserRole call + SYSTEM_ROLE_IDS import from
    apps/webapp/app/models/member.server.ts (acceptInvite)

A UserRole row is now only ever inserted when an Owner explicitly
changes someone's role on the Teams page. Everyone else's role is
derived live from OrgMember.role.

Author: matt-aitken

apps/webapp/app/models/member.server.ts

@@ -2,7 +2,6 @@ import { type Prisma, prisma } from "~/db.server";
 import { createEnvironment } from "./organization.server";
 import { customAlphabet } from "nanoid";
 import { logger } from "~/services/logger.server";
-import { rbac, SYSTEM_ROLE_IDS } from "~/services/rbac.server";
 
 const tokenValueLength = 40;
 const tokenGenerator = customAlphabet("123456789abcdefghijkmnopqrstuvwxyz", tokenValueLength);
@@ -216,32 +215,12 @@ export async function acceptInvite({
     };
   });
 
-  // 5. Assign the corresponding RBAC role for the new member. Done
-  // outside the transaction because rbac runs against a separate
-  // postgres-js connection (Drizzle, not Prisma) — calling it inside
-  // the tx would mix transaction boundaries. The legacy OrgMember.role
-  // → RBAC mapping matches the backfill migration (TRI-8854):
-  //   ADMIN  → Owner
-  //   MEMBER → Member
-  // In practice every invite is created with role=MEMBER (see
-  // inviteMembers above — there's no UI to invite someone as ADMIN),
-  // so the ADMIN branch is defensive cover for direct DB writes.
-  // OSS fallback returns ok=false; we log + continue (legacy
-  // OrgMember.role is the source of truth for OSS auth).
-  const roleId =
-    result.inviteRole === "ADMIN" ? SYSTEM_ROLE_IDS.owner : SYSTEM_ROLE_IDS.member;
-  const roleResult = await rbac.setUserRole({
-    userId: user.id,
-    organizationId: result.organization.id,
-    roleId,
-  });
-  if (!roleResult.ok) {
-    logger.debug("acceptInvite: skipped RBAC role assignment", {
-      organizationId: result.organization.id,
-      userId: user.id,
-      reason: roleResult.error,
-    });
-  }
+  // No upfront RBAC UserRole insert — the enterprise plugin's
+  // getUserRole derives the new member's role from the legacy
+  // OrgMember.role write inside the transaction above (ADMIN → Owner,
+  // MEMBER → Admin) until an Owner explicitly changes their role on
+  // the Teams page. Keeps the invite path tight and consistent with
+  // the create-org path's behaviour.
 
   return { remainingInvites: result.remainingInvites, organization: result.organization };
 }

apps/webapp/app/models/organization.server.ts

@@ -12,8 +12,6 @@ import slug from "slug";
 import { prisma, type PrismaClientOrTransaction } from "~/db.server";
 import { env } from "~/env.server";
 import { featuresForUrl } from "~/features.server";
-import { logger } from "~/services/logger.server";
-import { rbac, SYSTEM_ROLE_IDS } from "~/services/rbac.server";
 import { createApiKeyForEnv, createPkApiKeyForEnv, envSlug } from "./api-key.server";
 import { getDefaultEnvironmentConcurrencyLimit } from "~/services/platform.v3.server";
 export type { Organization };
@@ -84,26 +82,12 @@ export async function createOrganization(
     },
   });
 
-  // Assign the creator the Owner system role so the new Teams page UI
-  // shows them as an Owner from the moment the org exists. Mirrors the
-  // legacy `OrgMember.role = "ADMIN"` write above (TRI-8854: legacy
-  // ADMIN maps to new Owner, not new Admin — the new Admin role
-  // excludes billing + member management). On the OSS deployment the
-  // fallback's setUserRole returns ok=false and we just log; the legacy
-  // OrgMember.role write is the source of truth for OSS auth.
-  const roleResult = await rbac.setUserRole({
-    userId,
-    organizationId: organization.id,
-    roleId: SYSTEM_ROLE_IDS.owner,
-  });
-  if (!roleResult.ok) {
-    logger.debug("createOrganization: skipped RBAC role assignment", {
-      organizationId: organization.id,
-      userId,
-      reason: roleResult.error,
-    });
-  }
-
+  // No upfront RBAC UserRole insert — the enterprise plugin's
+  // getUserRole derives the creator's role from the legacy
+  // OrgMember.role = "ADMIN" write above (which maps to Owner) until an
+  // Owner explicitly changes someone's role on the Teams page. Keeps
+  // the create-org path tight and lets the fallback path stay the
+  // single source of truth for "who has what role" by default.
   return { ...organization };
 }