fix(rbac,webapp): pass userId through plugin context, drop session-cookie helper

Background. The RBAC plugin contract took a `helpers.getSessionUserId(request)`
callback at create time. The OSS rbac.server module wired it up by statically
importing `getUserId` from `~/services/session.server`, which transitively
loaded the entire remix-auth pipeline:

  rbac.server.ts
    → session.server.ts → auth.server.ts
    → emailAuth.server.tsx (throws on missing MAGIC_LINK_SECRET at module load)
    → email.server.ts → commonWorker.server.ts (V1 services)
    → marqs/index.server.ts and taskRunConcurrencyTracker.server.ts
      (throw on missing REDIS_HOST/REDIS_PORT at module load)

Any module that pulled `rbac` in — including PAT-only call sites that have
no session-cookie path at all — therefore inherited a hard dependency on
the entire dashboard auth chain and the V1 queue. Webapp tests that mock
`~/env.server` to a stripped object (e.g. personalAccessToken.test.ts) hit
the module-load throws before their assertions ran.

Contract change (packages/plugins/src/rbac.ts).
- `authenticateSession` and `authenticateAuthorizeSession` now take
  `userId: string | null` in their `context` argument.
- `RoleBasedAccessControlPlugin.create()` no longer takes a helpers arg.
- The plugin treats `userId === null` as "no authenticated user"
  (same shape `helpers.getSessionUserId === null` returned).

OSS fallback (internal-packages/rbac/src/fallback.ts) reads
`context.userId` directly. LazyController (internal-packages/rbac/src/index.ts)
drops the helpers parameter through.

Webapp (apps/webapp/app/services/rbac.server.ts) drops the session.server
import entirely. dashboardBuilder.server.ts — the only `authenticateSession`
caller — resolves userId via session.server itself before calling rbac.

Side change (apps/webapp/app/services/scheduleEmail.server.ts new file).
Moved `scheduleEmail` out of email.server.ts to break a parallel chain:
email.server.ts → commonWorker → V1 services → marqs. email.server is
now just the SMTP/Resend client, as it should have been. Three caller
files updated: routes/invite-resend.tsx, routes/_app.orgs.$organizationSlug.invite/route.tsx,
services/mfa/multiFactorAuthentication.server.ts.

Verified locally with `REDIS_HOST="" REDIS_PORT="" pnpm vitest run
test/services/personalAccessToken.test.ts test/engine/triggerTask.test.ts`
— both files pass (11/11) with the env mocked stripped, which was the
CI failure mode on shards 1/2/4/5/6/7. Webapp + plugins + rbac
typecheck clean.

Cloud-repo plugin update is in a coordinated branch (rbac-packages on
APIHero/cloud) — same contract change in
enterprise/plugins/src/rbac/{index,controller,controller.integration.test}.ts.

Changeset: minor for `@trigger.dev/plugins` (contract change).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: matt-aitken

apps/webapp/app/routes/_app.orgs.$organizationSlug.invite/route.tsx

@@ -32,7 +32,7 @@ import { useOrganization } from "~/hooks/useOrganizations";
 import { inviteMembers } from "~/models/member.server";
 import { redirectWithSuccessMessage } from "~/models/message.server";
 import { TeamPresenter } from "~/presenters/TeamPresenter.server";
-import { scheduleEmail } from "~/services/email.server";
+import { scheduleEmail } from "~/services/scheduleEmail.server";
 import { rbac } from "~/services/rbac.server";
 import { requireUserId } from "~/services/session.server";
 import { acceptInvitePath, organizationTeamPath, v3BillingPath } from "~/utils/pathBuilder";

apps/webapp/app/routes/invite-resend.tsx

@@ -4,7 +4,7 @@ import { env } from "process";
 import { z } from "zod";
 import { resendInvite } from "~/models/member.server";
 import { redirectWithSuccessMessage } from "~/models/message.server";
-import { scheduleEmail } from "~/services/email.server";
+import { scheduleEmail } from "~/services/scheduleEmail.server";
 import { requireUserId } from "~/services/session.server";
 import { acceptInvitePath, organizationTeamPath } from "~/utils/pathBuilder";
 

apps/webapp/app/services/email.server.ts

@@ -4,7 +4,6 @@ import type { SendEmailOptions } from "remix-auth-email-link";
 import { redirect } from "remix-typedjson";
 import { env } from "~/env.server";
 import type { AuthUser } from "./authUser";
-import { commonWorker } from "~/v3/commonWorker.server";
 import { logger } from "./logger.server";
 import { singleton } from "~/utils/singleton";
 import { assertEmailAllowed } from "~/utils/email";
@@ -92,15 +91,6 @@ export async function sendPlainTextEmail(options: SendPlainTextOptions) {
   return client.sendPlainText(options);
 }
 
-export async function scheduleEmail(data: DeliverEmail, delay?: { seconds: number }) {
-  const availableAt = delay ? new Date(Date.now() + delay.seconds * 1000) : undefined;
-  await commonWorker.enqueue({
-    job: "scheduleEmail",
-    payload: data,
-    availableAt,
-  });
-}
-
 export async function sendEmail(data: DeliverEmail) {
   return client.send(data);
 }

apps/webapp/app/services/mfa/multiFactorAuthentication.server.ts

@@ -7,7 +7,7 @@ import { createHash } from "@better-auth/utils/hash";
 import { createOTP } from "@better-auth/utils/otp";
 import { base32 } from "@better-auth/utils/base32";
 import { z } from "zod";
-import { scheduleEmail } from "../email.server";
+import { scheduleEmail } from "../scheduleEmail.server";
 
 const generateRandomString = createRandomStringGenerator("A-Z", "0-9");
 

apps/webapp/app/services/rbac.server.ts

@@ -2,12 +2,6 @@ import { $replica, prisma } from "~/db.server";
 import type { PrismaClient } from "@trigger.dev/database";
 import plugin from "@trigger.dev/rbac";
 import { env } from "~/env.server";
-import { getUserId } from "./session.server";
-
-async function getSessionUserId(request: Request): Promise<string | null> {
-  const id = await getUserId(request);
-  return id ?? null;
-}
 
 // plugin.create() is synchronous — returns a lazy controller that resolves
 // any installed RBAC plugin on first call. Top-level await is not used
@@ -17,10 +11,19 @@ async function getSessionUserId(request: Request): Promise<string | null> {
 // they don't pile up on the primary. Writes (role mutations) still go
 // through the primary. Same separation findEnvironmentByApiKey used
 // before this PR moved bearer auth into the RBAC plugin.
+//
+// Session-cookie userId resolution lives at the call site (see
+// dashboardBuilder.server.ts), not here. Statically importing
+// `~/services/session.server` from this module dragged the entire
+// remix-auth pipeline (auth.server → emailAuth/gitHubAuth/googleAuth,
+// each validating their secret at module load) into anything that
+// transitively imported `rbac` — including PAT auth callers that have
+// no session-cookie path at all. Passing userId through the
+// `authenticateSession` context decouples the plugin host from the
+// host's session implementation.
 export const rbac = plugin.create(
   // $replica is structurally a PrismaClient minus `$transaction` — the
   // RBAC fallback only uses `findFirst` on it, so the cast is safe.
   { primary: prisma, replica: $replica as PrismaClient },
-  { getSessionUserId },
   { forceFallback: env.RBAC_FORCE_FALLBACK }
 );

apps/webapp/app/services/routeBuilders/dashboardBuilder.server.ts

@@ -6,6 +6,7 @@
 import { json, redirect } from "@remix-run/server-runtime";
 import type { RbacAbility } from "@trigger.dev/rbac";
 import { rbac } from "~/services/rbac.server";
+import { getUserId } from "~/services/session.server";
 import type {
   AuthorizationOption,
   DashboardLoaderOptions,
@@ -85,7 +86,15 @@ export async function authenticateAndAuthorize<
   const ctx = (options.context
     ? await options.context(parsedParams, request)
     : ({} as TContext)) as TContext;
-  const auth = await rbac.authenticateSession(request, ctx);
+  // Resolve userId from the session cookie *here* (the dashboard
+  // request boundary) and feed it into the rbac plugin context. The
+  // plugin no longer takes a `helpers.getSessionUserId` callback —
+  // statically importing session.server from rbac.server dragged the
+  // entire remix-auth strategy chain (each strategy validates its
+  // secret at module load) into anything that pulled `rbac` in,
+  // including PAT-only callers.
+  const userId = (await getUserId(request)) ?? null;
+  const auth = await rbac.authenticateSession(request, { ...ctx, userId });
   if (!auth.ok) {
     if (auth.reason === "unauthenticated") {
       return { ok: false, response: loginRedirectFor(request, options.loginRedirect) };

apps/webapp/app/services/scheduleEmail.server.ts

@@ -0,0 +1,16 @@
+import type { DeliverEmail } from "emails";
+import { commonWorker } from "~/v3/commonWorker.server";
+
+// Lives outside email.server.ts so that the SMTP/Resend client module
+// stays a leaf dependency. Pulling commonWorker from email.server poisoned
+// every consumer of the auth chain (auth → emailAuth → email) with the
+// V1+V2 worker tree, which transitively loads marqs and trips Redis-env
+// guards in any vitest file whose import graph reaches it.
+export async function scheduleEmail(data: DeliverEmail, delay?: { seconds: number }) {
+  const availableAt = delay ? new Date(Date.now() + delay.seconds * 1000) : undefined;
+  await commonWorker.enqueue({
+    job: "scheduleEmail",
+    payload: data,
+    availableAt,
+  });
+}

internal-packages/rbac/src/fallback.ts

@@ -46,21 +46,16 @@ export class RoleBaseAccessFallback {
     this.clients = resolvePrismaClients(prisma);
   }
 
-  create(
-    helpers: { getSessionUserId: (request: Request) => Promise<string | null> }
-  ): RoleBaseAccessFallbackController {
-    return new RoleBaseAccessFallbackController(this.clients, helpers);
+  create(): RoleBaseAccessFallbackController {
+    return new RoleBaseAccessFallbackController(this.clients);
   }
 }
 
 class RoleBaseAccessFallbackController implements RoleBaseAccessController {
   private readonly prisma: PrismaClient; // alias for primary — used by writes
   private readonly replica: PrismaClient;
 
-  constructor(
-    clients: FallbackPrismaClients,
-    private readonly helpers: { getSessionUserId: (request: Request) => Promise<string | null> }
-  ) {
+  constructor(clients: FallbackPrismaClients) {
     this.prisma = clients.primary;
     this.replica = clients.replica;
   }
@@ -212,13 +207,12 @@ class RoleBaseAccessFallbackController implements RoleBaseAccessController {
   }
 
   async authenticateSession(
-    request: Request,
-    context: { organizationId?: string; projectId?: string }
+    _request: Request,
+    context: { userId: string | null; organizationId?: string; projectId?: string }
   ): Promise<SessionAuthResult> {
-    const userId = await this.helpers.getSessionUserId(request);
-    if (!userId) return { ok: false, reason: "unauthenticated" };
+    if (!context.userId) return { ok: false, reason: "unauthenticated" };
 
-    const user = await this.replica.user.findFirst({ where: { id: userId } });
+    const user = await this.replica.user.findFirst({ where: { id: context.userId } });
     if (!user) return { ok: false, reason: "unauthenticated" };
 
     const subject: RbacSubject = {
@@ -251,7 +245,7 @@ class RoleBaseAccessFallbackController implements RoleBaseAccessController {
 
   async authenticateAuthorizeSession(
     request: Request,
-    context: { organizationId?: string; projectId?: string },
+    context: { userId: string | null; organizationId?: string; projectId?: string },
     check: { action: string; resource: RbacResource | RbacResource[] }
   ): Promise<SessionAuthResult> {
     const auth = await this.authenticateSession(request, context);

internal-packages/rbac/src/index.ts

@@ -12,8 +12,6 @@ import type { PrismaClient } from "@trigger.dev/database";
 import { RoleBaseAccessFallback } from "./fallback.js";
 export type { RoleBaseAccessController, RbacAbility, RbacResource } from "@trigger.dev/plugins";
 
-type RbacHelpers = { getSessionUserId: (request: Request) => Promise<string | null> };
-
 // Either a single PrismaClient (used for both writes and reads — fine
 // for callers that don't have a separate replica), or `{primary, replica}`
 // where reads on the auth hot path go to the replica. The fallback
@@ -53,24 +51,23 @@ export function withActionAliases(underlying: RbacAbility): RbacAbility {
 class LazyController implements RoleBaseAccessController {
   private readonly _init: Promise<RoleBaseAccessController>;
 
-  constructor(prisma: RbacPrismaInput, helpers: RbacHelpers, options?: RbacCreateOptions) {
-    this._init = this.load(prisma, helpers, options);
+  constructor(prisma: RbacPrismaInput, options?: RbacCreateOptions) {
+    this._init = this.load(prisma, options);
   }
 
   private async load(
     prisma: RbacPrismaInput,
-    helpers: RbacHelpers,
     options?: RbacCreateOptions
   ): Promise<RoleBaseAccessController> {
     if (options?.forceFallback) {
-      return new RoleBaseAccessFallback(prisma).create(helpers);
+      return new RoleBaseAccessFallback(prisma).create();
     }
     const moduleName = "@triggerdotdev/plugins/rbac";
     try {
       const module = await import(moduleName);
       const plugin: RoleBasedAccessControlPlugin = module.default;
       console.log("RBAC: using plugin implementation");
-      return plugin.create(helpers);
+      return plugin.create();
     } catch (err) {
       // The dynamic import either succeeded or failed for one of two
       // distinct reasons. Distinguishing them is critical for debugging
@@ -108,7 +105,7 @@ class LazyController implements RoleBaseAccessController {
           "RBAC: no plugin installed (ERR_MODULE_NOT_FOUND); using fallback"
         );
       }
-      return new RoleBaseAccessFallback(prisma).create(helpers);
+      return new RoleBaseAccessFallback(prisma).create();
     }
   }
 
@@ -246,10 +243,9 @@ class RoleBaseAccess {
   // plugin on first call.
   create(
     prisma: RbacPrismaInput,
-    helpers: RbacHelpers,
     options?: RbacCreateOptions
   ): RoleBaseAccessController {
-    return new LazyController(prisma, helpers, options);
+    return new LazyController(prisma, options);
   }
 }
 

packages/plugins/src/rbac.ts

@@ -122,10 +122,16 @@ export interface RoleBaseAccessController {
   // options.allowJWT: when true, accepts PUBLIC_JWT tokens in addition to environment API keys
   authenticateBearer(request: Request, options?: { allowJWT?: boolean }): Promise<BearerAuthResult>;
 
-  // Dashboard loaders/actions (session cookie): one DB query → user + pre-built ability
+  // Dashboard loaders/actions (session cookie): one DB query → user + pre-built ability.
+  // The caller resolves `userId` from the session cookie and passes it in.
+  // (`null` means "no authenticated user"; the plugin returns `{ ok: false,
+  // reason: "unauthenticated" }`.) The plugin used to take a
+  // `helpers.getSessionUserId(request)` callback at create-time; pulling the
+  // userId resolution into the caller drops a static module-load coupling
+  // from the plugin's host module to the host's session-cookie code.
   authenticateSession(
     request: Request,
-    context: { organizationId?: string; projectId?: string }
+    context: { userId: string | null; organizationId?: string; projectId?: string }
   ): Promise<SessionAuthResult>;
 
   // PAT-authenticated routes (Authorization: Bearer tr_pat_…). The token
@@ -154,7 +160,7 @@ export interface RoleBaseAccessController {
 
   authenticateAuthorizeSession(
     request: Request,
-    context: { organizationId?: string; projectId?: string },
+    context: { userId: string | null; organizationId?: string; projectId?: string },
     check: { action: string; resource: RbacResource | RbacResource[] }
   ): Promise<SessionAuthResult>;
 
@@ -251,7 +257,5 @@ export type RoleMutationResult =
 export type RoleAssignmentResult = { ok: true } | { ok: false; error: string };
 
 export interface RoleBasedAccessControlPlugin {
-  create(
-    helpers: { getSessionUserId: (request: Request) => Promise<string | null> }
-  ): RoleBaseAccessController | Promise<RoleBaseAccessController>;
+  create(): RoleBaseAccessController | Promise<RoleBaseAccessController>;
 }