fix(rbac,webapp): isUsingPlugin() on the controller — drop sentinel-string coupling

The PAT-creation flow needed to know "is a real RBAC plugin loaded, or
just the OSS fallback?" so it could skip the compensating-delete
rollback path when the fallback returns ok:false from setTokenRole
(no plugin → no role table to write to → that's not a failure).
Previous implementation stringly-typed it: the fallback returned
`{ ok: false, error: "RBAC plugin not installed" }`, and the webapp's
PAT module compared `roleResult.error === FALLBACK_NOT_INSTALLED_ERROR`
to detect the case. If the fallback's error string ever drifted, PAT
creation would blow up with a compensating-delete on every install
without an enterprise plugin.

Replace with an explicit capability method on the controller:
  RoleBaseAccessController.isUsingPlugin(): Promise<boolean>

OSS fallback returns false; cloud plugin returns true. LazyController
delegates. The webapp gates the rbac.setTokenRole call on
`await rbac.isUsingPlugin()`, skipping it when the fallback is in
use. No string magic, decoupled from any specific error message,
and the capability is generally useful — UI surfaces that gate
role-pickers / admin-only sections on plugin presence can use the
same method.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: matt-aitken

apps/webapp/app/services/personalAccessToken.server.ts

@@ -17,17 +17,6 @@ const tokenGenerator = customAlphabet("123456789abcdefghijkmnopqrstuvwxyz", toke
 // staleness is fine.
 export const PAT_LAST_ACCESSED_THROTTLE_MS = 5 * 60 * 1000;
 
-// The OSS fallback's setTokenRole returns this exact string when no
-// enterprise plugin is loaded. We treat that as "no role attached" —
-// the PAT is still valid; auth just falls through to legacy permissive
-// behaviour. Any other error is treated as a real failure and triggers
-// the compensating delete below.
-// Must match the OSS fallback's exact error string (see
-// `internal-packages/rbac/src/fallback.ts`'s `setTokenRole`). The
-// match is how we detect "no plugin installed" and skip the
-// compensating delete.
-const FALLBACK_NOT_INSTALLED_ERROR = "RBAC plugin not installed";
-
 type CreatePersonalAccessTokenOptions = {
   name: string;
   userId: string;
@@ -380,34 +369,34 @@ export async function createPersonalAccessToken({
   // so a brief orphan window between the two writes is harmless. The
   // compensating delete narrows that window from "until manual cleanup"
   // to "until the request returns".
-  if (roleId) {
+  //
+  // Skip the call entirely when no RBAC plugin is loaded — the OSS
+  // fallback has no TokenRole table to write to. Gating on
+  // `rbac.isUsingPlugin()` (rather than parsing the fallback's error
+  // string) keeps the OSS-vs-cloud branch explicit and decoupled from
+  // any specific error message.
+  if (roleId && (await rbac.isUsingPlugin())) {
     const roleResult = await rbac.setTokenRole({
       tokenId: personalAccessToken.id,
       roleId,
     });
     if (!roleResult.ok) {
-      // The default fallback always returns ok=false with this exact
-      // message. That isn't a failure — there's no plugin to write to,
-      // so the PAT just runs without an explicit role (matches the
-      // pre-RBAC behaviour). Don't compensating-delete in that case.
-      if (roleResult.error === FALLBACK_NOT_INSTALLED_ERROR) {
-        logger.debug("createPersonalAccessToken: no RBAC plugin, skipping role assignment", {
-          patId: personalAccessToken.id,
-          userId,
-        });
-      } else {
-        await prisma.personalAccessToken
-          .delete({ where: { id: personalAccessToken.id } })
-          .catch((err) => {
-            logger.error("Failed to compensating-delete PAT after TokenRole insert failed", {
-              patId: personalAccessToken.id,
-              roleResultError: roleResult.error,
-              deleteError: err instanceof Error ? err.message : String(err),
-            });
+      await prisma.personalAccessToken
+        .delete({ where: { id: personalAccessToken.id } })
+        .catch((err) => {
+          logger.error("Failed to compensating-delete PAT after TokenRole insert failed", {
+            patId: personalAccessToken.id,
+            roleResultError: roleResult.error,
+            deleteError: err instanceof Error ? err.message : String(err),
           });
-        throw new Error(`Failed to assign role to access token: ${roleResult.error}`);
-      }
+        });
+      throw new Error(`Failed to assign role to access token: ${roleResult.error}`);
     }
+  } else if (roleId) {
+    logger.debug("createPersonalAccessToken: no RBAC plugin, skipping role assignment", {
+      patId: personalAccessToken.id,
+      userId,
+    });
   }
 
   return {

internal-packages/rbac/src/fallback.ts

@@ -60,6 +60,10 @@ class RoleBaseAccessFallbackController implements RoleBaseAccessController {
     this.replica = clients.replica;
   }
 
+  async isUsingPlugin(): Promise<boolean> {
+    return false;
+  }
+
   async authenticateBearer(
     request: Request,
     options?: { allowJWT?: boolean }

internal-packages/rbac/src/index.ts

@@ -113,6 +113,10 @@ class LazyController implements RoleBaseAccessController {
     return this._init;
   }
 
+  async isUsingPlugin(): Promise<boolean> {
+    return (await this.c()).isUsingPlugin();
+  }
+
   async authenticateBearer(...args: Parameters<RoleBaseAccessController["authenticateBearer"]>) {
     const result = await (await this.c()).authenticateBearer(...args);
     return result.ok ? { ...result, ability: withActionAliases(result.ability) } : result;

packages/plugins/src/rbac.ts

@@ -118,6 +118,13 @@ export type PatAuthResult =
     };
 
 export interface RoleBaseAccessController {
+  // True when a real RBAC plugin is loaded (i.e. cloud); false when the
+  // OSS fallback is in use. Hosts gate behaviour that's only meaningful
+  // when the plugin is present (e.g. skipping role-attachment writes,
+  // hiding role-pickers in the UI, branching on whether ability checks
+  // are authoritative or permissive).
+  isUsingPlugin(): Promise<boolean>;
+
   // API routes (Bearer token): one DB query → identity + pre-built ability
   // options.allowJWT: when true, accepts PUBLIC_JWT tokens in addition to environment API keys
   authenticateBearer(request: Request, options?: { allowJWT?: boolean }): Promise<BearerAuthResult>;