apiBuilder: require explicit anyResource() / everyResource() at multi-resource sites

Bare RbacResource[] in `authorization.resource` is now a type error.
Multi-resource auth must wrap with one of:

  - anyResource(...): succeed if any element passes (the existing default;
    used when one record carries multiple identifiers — runs by friendlyId
    / batch / tags / task — so a JWT scoped to any one grants access)
  - everyResource(...): succeed only if every element passes (existing
    helper; used by batch operations and the multi-table query route)

The OR-loophole class of bug CodeRabbit caught on api.v1.query — a JWT
scoped to one of N detected tables was authorized for the whole multi-
table query — was patchable per-route with everyResource. The Symbol
marker stayed invisible: future authors would still default to bare
arrays. Tightening AuthResource flushed out 11 routes that were silently
on the OR path; each is wrapped explicitly now.

Also inline the unrelated private `anyResource` helper in
internal-packages/rbac/src/ability.ts so the public name is unambiguous.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: matt-aitken

apps/webapp/app/routes/api.v1.runs.$runId.events.ts

@@ -1,7 +1,10 @@
 import { json } from "@remix-run/server-runtime";
 import { z } from "zod";
 import { getTaskEventStoreTableForRun } from "~/v3/taskEventStore.server";
-import { createLoaderApiRoute } from "~/services/routeBuilders/apiBuilder.server";
+import {
+  anyResource,
+  createLoaderApiRoute,
+} from "~/services/routeBuilders/apiBuilder.server";
 import { ApiRetrieveRunPresenter } from "~/presenters/v3/ApiRetrieveRunPresenter.server";
 import { resolveEventRepositoryForStore } from "~/v3/eventRepository/index.server";
 
@@ -30,7 +33,7 @@ export const loader = createLoaderApiRoute(
         if (run.batch?.friendlyId) {
           resources.push({ type: "batch", id: run.batch.friendlyId });
         }
-        return resources;
+        return anyResource(resources);
       },
     },
   },

apps/webapp/app/routes/api.v1.runs.$runId.spans.$spanId.ts

@@ -3,7 +3,10 @@ import { BatchId } from "@trigger.dev/core/v3/isomorphic";
 import { z } from "zod";
 import { $replica } from "~/db.server";
 import { extractAISpanData } from "~/components/runs/v3/ai";
-import { createLoaderApiRoute } from "~/services/routeBuilders/apiBuilder.server";
+import {
+  anyResource,
+  createLoaderApiRoute,
+} from "~/services/routeBuilders/apiBuilder.server";
 import { resolveEventRepositoryForStore } from "~/v3/eventRepository/index.server";
 import { getTaskEventStoreTableForRun } from "~/v3/taskEventStore.server";
 
@@ -37,7 +40,7 @@ export const loader = createLoaderApiRoute(
         if (run.batchId) {
           resources.push({ type: "batch", id: BatchId.toFriendlyId(run.batchId) });
         }
-        return resources;
+        return anyResource(resources);
       },
     },
   },

apps/webapp/app/routes/api.v1.runs.$runId.trace.ts

@@ -2,7 +2,10 @@ import { json } from "@remix-run/server-runtime";
 import { BatchId } from "@trigger.dev/core/v3/isomorphic";
 import { z } from "zod";
 import { $replica } from "~/db.server";
-import { createLoaderApiRoute } from "~/services/routeBuilders/apiBuilder.server";
+import {
+  anyResource,
+  createLoaderApiRoute,
+} from "~/services/routeBuilders/apiBuilder.server";
 import { resolveEventRepositoryForStore } from "~/v3/eventRepository/index.server";
 import { getTaskEventStoreTableForRun } from "~/v3/taskEventStore.server";
 
@@ -35,7 +38,7 @@ export const loader = createLoaderApiRoute(
         if (run.batchId) {
           resources.push({ type: "batch", id: BatchId.toFriendlyId(run.batchId) });
         }
-        return resources;
+        return anyResource(resources);
       },
     },
   },

apps/webapp/app/routes/api.v1.runs.ts

@@ -4,7 +4,10 @@ import {
   ApiRunListSearchParams,
 } from "~/presenters/v3/ApiRunListPresenter.server";
 import { logger } from "~/services/logger.server";
-import { createLoaderApiRoute } from "~/services/routeBuilders/apiBuilder.server";
+import {
+  anyResource,
+  createLoaderApiRoute,
+} from "~/services/routeBuilders/apiBuilder.server";
 
 export const loader = createLoaderApiRoute(
   {
@@ -15,10 +18,10 @@ export const loader = createLoaderApiRoute(
       action: "read",
       resource: (_, __, searchParams) => {
         const taskFilter = searchParams["filter[taskIdentifier]"] ?? [];
-        return [
+        return anyResource([
           { type: "runs" },
           ...taskFilter.map((id) => ({ type: "tasks", id })),
-        ];
+        ]);
       },
     },
     findResource: async () => 1, // This is a dummy function, we don't need to find a resource

apps/webapp/app/routes/api.v1.sessions.$session.end-and-continue.ts

@@ -8,7 +8,10 @@ import { $replica, prisma } from "~/db.server";
 import { logger } from "~/services/logger.server";
 import { swapSessionRun } from "~/services/realtime/sessionRunManager.server";
 import { resolveSessionByIdOrExternalId } from "~/services/realtime/sessions.server";
-import { createActionApiRoute } from "~/services/routeBuilders/apiBuilder.server";
+import {
+  anyResource,
+  createActionApiRoute,
+} from "~/services/routeBuilders/apiBuilder.server";
 
 const ParamsSchema = z.object({
   session: z.string(),
@@ -52,7 +55,7 @@ const { action, loader } = createActionApiRoute(
           ids.add(session.friendlyId);
           if (session.externalId) ids.add(session.externalId);
         }
-        return [...ids].map((id) => ({ type: "sessions", id }));
+        return anyResource([...ids].map((id) => ({ type: "sessions", id })));
       },
     },
   },

apps/webapp/app/routes/api.v1.sessions.$session.ts

@@ -11,6 +11,7 @@ import {
   serializeSessionWithFriendlyRunId,
 } from "~/services/realtime/sessions.server";
 import {
+  anyResource,
   createActionApiRoute,
   createLoaderApiRoute,
 } from "~/services/routeBuilders/apiBuilder.server";
@@ -35,10 +36,10 @@ export const loader = createLoaderApiRoute(
       // / `admin` bypass via the JWT ability's wildcard branches.
       resource: (session) =>
         session.externalId
-          ? [
+          ? anyResource([
               { type: "sessions", id: session.friendlyId },
               { type: "sessions", id: session.externalId },
-            ]
+            ])
           : { type: "sessions", id: session.friendlyId },
     },
   },

apps/webapp/app/routes/api.v1.sessions.ts

@@ -20,6 +20,7 @@ import {
 import { serializeSession } from "~/services/realtime/sessions.server";
 import { SessionsRepository } from "~/services/sessionsRepository/sessionsRepository.server";
 import {
+  anyResource,
   createActionApiRoute,
   createLoaderApiRoute,
 } from "~/services/routeBuilders/apiBuilder.server";
@@ -47,10 +48,10 @@ export const loader = createLoaderApiRoute(
       // grants access (the array gets OR semantics).
       resource: (_, __, searchParams) => {
         const taskFilter = asArray(searchParams["filter[taskIdentifier]"]) ?? [];
-        return [
+        return anyResource([
           ...taskFilter.map((id) => ({ type: "tasks" as const, id })),
           { type: "sessions" as const },
-        ];
+        ]);
       },
     },
     findResource: async () => 1,
@@ -135,10 +136,11 @@ const { action } = createActionApiRoute(
       // per-task check exactly as before. `admin` / `write:all` bypass
       // via the JWT ability's wildcard branches.
       action: "write",
-      resource: (_params, _searchParams, _headers, body) => [
-        { type: "tasks", id: body.taskIdentifier },
-        { type: "sessions" },
-      ],
+      resource: (_params, _searchParams, _headers, body) =>
+        anyResource([
+          { type: "tasks", id: body.taskIdentifier },
+          { type: "sessions" },
+        ]),
     },
     corsStrategy: "all",
   },

apps/webapp/app/routes/api.v3.runs.$runId.ts

@@ -1,7 +1,10 @@
 import { json } from "@remix-run/server-runtime";
 import { z } from "zod";
 import { ApiRetrieveRunPresenter } from "~/presenters/v3/ApiRetrieveRunPresenter.server";
-import { createLoaderApiRoute } from "~/services/routeBuilders/apiBuilder.server";
+import {
+  anyResource,
+  createLoaderApiRoute,
+} from "~/services/routeBuilders/apiBuilder.server";
 
 const ParamsSchema = z.object({
   runId: z.string(),
@@ -27,7 +30,7 @@ export const loader = createLoaderApiRoute(
         if (run.batch?.friendlyId) {
           resources.push({ type: "batch", id: run.batch.friendlyId });
         }
-        return resources;
+        return anyResource(resources);
       },
     },
   },

apps/webapp/app/routes/realtime.v1.runs.$runId.ts

@@ -3,7 +3,10 @@ import { z } from "zod";
 import { $replica } from "~/db.server";
 import { getRequestAbortSignal } from "~/services/httpAsyncStorage.server";
 import { realtimeClient } from "~/services/realtimeClientGlobal.server";
-import { createLoaderApiRoute } from "~/services/routeBuilders/apiBuilder.server";
+import {
+  anyResource,
+  createLoaderApiRoute,
+} from "~/services/routeBuilders/apiBuilder.server";
 
 const ParamsSchema = z.object({
   runId: z.string(),
@@ -40,7 +43,7 @@ export const loader = createLoaderApiRoute(
         if (run.batch?.friendlyId) {
           resources.push({ type: "batch", id: run.batch.friendlyId });
         }
-        return resources;
+        return anyResource(resources);
       },
     },
   },

apps/webapp/app/routes/realtime.v1.runs.ts

@@ -1,7 +1,10 @@
 import { z } from "zod";
 import { getRequestAbortSignal } from "~/services/httpAsyncStorage.server";
 import { realtimeClient } from "~/services/realtimeClientGlobal.server";
-import { createLoaderApiRoute } from "~/services/routeBuilders/apiBuilder.server";
+import {
+  anyResource,
+  createLoaderApiRoute,
+} from "~/services/routeBuilders/apiBuilder.server";
 
 const SearchParamsSchema = z.object({
   tags: z
@@ -21,10 +24,11 @@ export const loader = createLoaderApiRoute(
     findResource: async () => 1, // This is a dummy value, it's not used
     authorization: {
       action: "read",
-      resource: (_, __, searchParams) => [
-        { type: "runs" },
-        ...(searchParams.tags ?? []).map((tag) => ({ type: "tags", id: tag })),
-      ],
+      resource: (_, __, searchParams) =>
+        anyResource([
+          { type: "runs" },
+          ...(searchParams.tags ?? []).map((tag) => ({ type: "tags", id: tag })),
+        ]),
     },
   },
   async ({ searchParams, authentication, request, apiVersion }) => {