…Client from public interface

- Replace buildBearerAbility/buildSessionAbility with authenticateBearer/authenticateSession
- Add RbacEnvironment, RbacUser, BearerAuthResult, SessionAuthResult types
- Remove PrismaClient from @trigger.dev/plugins interface (no Prisma crossing repo boundary)
- Remove @trigger.dev/database dependency and api-extractor from plugins package
- Switch plugins build to tsup --dts, delete api-extractor.json and tsconfig.dts.json
- OSS fallback imports PrismaClient from @trigger.dev/database directly
- OSS loader passes helpers-only to enterprise plugin, (prisma, helpers) to fallback
- Add rbac.server.ts singleton to webapp
- PoC: migrate admin.concurrency route to rbac.authenticateSession + canSuper()

…wJWT option, buildJwtAbility

Adds a `forceFallback` option to the RBAC loader so tests (and any other
consumer that sets RBAC_FORCE_FALLBACK=1) pin authentication to the OSS
fallback regardless of whether the enterprise plugin is installed.

- internal-packages/rbac: LazyController and RoleBaseAccess.create now accept
  RbacCreateOptions.forceFallback. When true, load() skips the dynamic import
  of @triggerdotdev/plugins/rbac and constructs RoleBaseAccessFallback
  directly.
- apps/webapp env: new RBAC_FORCE_FALLBACK BoolEnv, threaded into
  app/services/rbac.server.ts.
- testcontainers webapp: set RBAC_FORCE_FALLBACK=1 so e2e tests exercise the
  fallback deterministically.
- api-auth.e2e.test.ts: covers the fallback wiring end-to-end via the existing
  /admin/concurrency route, which already uses rbac.authenticateSession +
  ability.canSuper().

Close the coverage gap identified in the TRI-8716 audit before TRI-8719
swaps apiBuilder.server.ts to rbac.authenticateBearer. All new tests run
against the legacy authenticateApiRequestWithFailure /
authenticateApiRequestWithPersonalAccessToken path and must stay green
after the migration.

- Action requests (createActionApiRoute) via POST /api/v1/idempotencyKeys/:key/reset:
  * Valid private API key → passes auth (400 on zod body validation, not 401/403).
  * Missing Authorization → 401.
  * Invalid API key → 401.
- JWT on the same action route (allowJWT: true, superScopes write:runs, admin):
  * JWT with matching scope → passes auth.
  * JWT with read-only scope → 403.
- Personal access tokens (createLoaderPATApiRoute) via GET /api/v1/projects/:ref/runs:
  * Missing Authorization → 401.
  * API key (tr_dev_*) on PAT-only route → 401.
  * Wrong-prefix or malformed PAT → 401.
  * Well-formed but unknown PAT → 401.
  * Revoked PAT → 401.
  * Valid PAT on unknown project → 404 (auth passes).
- Edge case: valid API key whose project.deletedAt is set → 401.

Also fix the TRI-8715 redirect assertion: the webapp sends clients to
/login?redirectTo=... so compare by pathname rather than exact string.

New helper test/helpers/seedTestPAT.ts seeds a User + PersonalAccessToken
row using the same hashing/encryption scheme the webapp uses (shared
test ENCRYPTION_KEY), so the webapp subprocess can authenticate against
the seeded token.

otu and realtime.skipColumns propagation are deferred: they're only
observable via real trigger / realtime-stream flows, which need
workers/streams enabled and are out of scope for a coverage PR. The
migration preserves those fields via BearerAuthResult.jwt; dedicated
coverage can ride with TRI-8719 if needed.

Close the resource-scoped JWT coverage gap before TRI-8719 swaps
apiBuilder to rbac.authenticateBearer. Target:
POST /api/v1/waitpoints/tokens/:waitpointFriendlyId/complete — allowJWT,
resource: { waitpoints: params.waitpointFriendlyId }, superScopes:
[write:waitpoints, admin].

New helper test/helpers/seedTestWaitpoint.ts seeds a Waitpoint in
COMPLETED status so the handler short-circuits once auth passes, keeping
the 200 assertion independent of run-engine workers.

7 new tests exercise the legacy checkAuthorization scope algebra that
the migration must preserve:

- scope matches exact resource id → 200
- scope targets a different id of the same type → 403
- type-level scope (no id) grants all resources of that type → 200
- read-only scope on a write route → 403
- scope targets a different resource type → 403
- admin super-scope → 200 (legacy super-scope listing)
- unrelated type scope with no super-scope match → 403

Without these, the only JWT coverage was coarse type-level allow/deny
against routes whose resource callbacks returned () => 1 or () => ({}),
leaving resource-id matching entirely untested end-to-end.

Lock in the legacy checkAuthorization behaviours that TRI-8719 must
preserve once it swaps in rbac.authenticateBearer + ability.can.

Three tests in a new describe block 'JWT bearer auth — behaviours to
preserve through TRI-8719':

- Custom action route: type-level write:tasks JWT on
  POST /api/v1/tasks/:taskId/trigger (action: trigger) → auth passes
  today via exact superScope match. Must keep passing after TRI-8719
  via the ACTION_ALIASES map (trigger ← write).
- Multi-key resource: read:tags:<tag> JWT on /api/v1/runs/:runId/trace
  where the seeded run has that tag → auth passes today because
  legacy checks each resource key. Must keep passing after TRI-8719
  via ability.can's array-resource form.
- Multi-key resource: read:batch:<friendlyId> JWT on
  /api/v1/runs/:runId/trace where the seeded run is in that batch →
  same rationale as the tags case.

Dropped the planned empty-resource test: researching it surfaced that
legacy checkAuthorization denies empty-resource requests BEFORE the
super-scope check runs, so api.v1.batches.ts and idempotencyKeys reset
currently reject all JWTs despite allowJWT: true. TRI-8719's plan
(adding explicit { type: 'runs' }) is an intentional improvement, not
a preservation — documented in the TRI-8719 description comment.

New helper test/helpers/seedTestRun.ts seeds a minimal TaskRun (and,
optionally, an associated BatchTaskRun) that ApiRetrieveRunPresenter's
findRun can resolve for multi-key resource tests. The tests only
assert 'auth passes' (!== 401, !== 403) — the handler's downstream
behaviour (which may fail in a worker-less test env) isn't relevant
to the auth-layer contract.

Foundational changes before swapping apiBuilder to rbac.authenticateBearer.
No behaviour change yet — apiBuilder is still on the legacy path.

Array resources:
- @trigger.dev/plugins RbacAbility.can now accepts RbacResource | RbacResource[].
  Array form means 'grant access if any element passes', preserving the
  legacy checkAuthorization multi-key semantic once TRI-8719 completes.
- internal-packages/rbac ability.ts: permissive/super/deny pass through
  unchanged; buildJwtAbility iterates the array and short-circuits on
  first match.

Action alias wrapper (internal-packages/rbac/src/index.ts):
- ACTION_ALIASES map + withActionAliases function. Wraps an underlying
  RbacAbility so that can(action, resource) retries with alias actions
  when the direct check fails. Currently: trigger, batchTrigger, update
  are all satisfied by a scope whose action is write — matching legacy
  superScope behaviour for route.action values that don't align with
  scope prefixes.
- LazyController wraps the ability it gets from authenticateBearer /
  authenticateSession. authenticateAuthorize* stop delegating to the
  underlying's own Authorize methods (that would bypass the wrapper)
  and instead do the inline ability.can check against the wrapped
  ability.

The enterprise plugin (TRI-8720) does not need to know about aliases —
the wrapper applies uniformly regardless of which ability came back.

Tests:
- ability.test.ts: +4 tests for array resource form (31 total in file).
- loader.test.ts: +11 tests for withActionAliases (direct match, alias
  retry for trigger/batchTrigger/update, id-scoped retry, admin passes,
  array form retry, canSuper delegation).
- Unit suite: 31 tests, all passing.
- Webapp typecheck: clean.

…I-8719 Phase B)

Swap all three apiBuilder call sites (loader, action, multi-method) from
authenticateApiRequestWithFailure + checkAuthorization to a single RBAC
plugin bridge. 30 route files migrated in lockstep — drop the
authorization.superScopes option, convert resource callbacks to return
RbacResource or RbacResource[] in the new shape.

Infrastructure:

- apiBuilder: new authenticateRequestForApiBuilder helper funnels all
  three builders through rbac.authenticateBearer and follow-up
  findEnvironmentById to rebuild the legacy ApiAuthenticationResultSuccess
  shape handlers still expect (no handler-facing changes).
- @internal/rbac: re-export RbacAbility, RbacResource from
  @trigger.dev/plugins so webapp only depends on @trigger.dev/rbac.

Route-file changes (Risk mitigations from the ticket):

- Custom actions (trigger, batchTrigger, update) unchanged at the route
  level — the ACTION_ALIASES wrapper from Phase A handles them
  transparently.
- Multi-key runs routes (api.v3.runs.$runId, realtime.v1.runs.$runId,
  realtime.v1.streams.$runId.$streamId, api.v1.runs.$runId.events /
  .spans.$spanId / .trace, realtime.v1.streams.$runId.input.$streamId
  second block, plus the batch-array routes) now return
  RbacResource[] — any resource match grants access. Undefined batch
  ids are filtered out to avoid accidentally matching a type-level
  read:batch scope with no id.
- Empty-resource routes (api.v1.batches, api.v1.idempotencyKeys.$key.reset)
  now return { type: 'runs' } — JWTs with read:runs / write:runs start
  working where they were previously denied by the legacy
  empty-resource short-circuit. Intentional improvement, strict
  superset of today's accept set.
- Search-params routes (realtime.v1.runs, api.v1.runs) return an array
  with a collection-level { type: 'runs' } plus any filtered tag/task
  entries so JWTs that work today continue to work.

Verification:

- pnpm run typecheck --filter webapp: clean.
- pnpm run test --filter @internal/rbac: 31 unit tests pass (wrapper +
  array-resource semantics).
- E2E suite (test/api-auth.e2e.test.ts): all 31 tests pass on the new
  code path — the three pre-migration 'behaviours to preserve' tests
  (type-level write:tasks triggers a task, read:tags:<tag> reaches a
  run with that tag, read:batch:<id> reaches a run in that batch) are
  still green post-swap.

Packaging:

- .changeset/rbac-plugin-array-resources.md: minor bump for
  @trigger.dev/plugins (array-resource overload on RbacAbility.can).
- .server-changes/rbac-apibuilder-migration.md: webapp-only note.

Add a session-auth route builder analogous to apiBuilder.server.ts that
routes dashboard auth through rbac.authenticateSession and runs the
ability check (canSuper or can) before the handler runs. Routes that
only need a logged-in user (no authorisation) keep using requireUser /
requireUserId — the builder is opt-in for routes with explicit auth.

Builder shape:

  dashboardLoader({ authorization: { requireSuper: true } }, async ({ user, ability }) => ...)
  dashboardLoader({ authorization: { action, resource } }, ...)
  dashboardAction(...)

Auth failure throws a redirect Response so the success-path return type
stays narrow (useTypedLoaderData<typeof loader>() picks up the handler's
TypedJsonResponse). Optional context callback feeds organizationId /
projectId to authenticateSession when needed (enterprise-only — fallback
ignores context today).

Migrated 14 platform admin routes from
`requireUser` + `if (!user.admin)` to dashboardLoader / dashboardAction
with requireSuper: true:

  admin.tsx
  admin._index.tsx
  admin.concurrency.tsx
  admin.feature-flags.tsx
  admin.notifications.tsx
  admin.orgs.tsx
  admin.data-stores.tsx
  admin.back-office.tsx
  admin.back-office._index.tsx
  admin.back-office.orgs.$orgId.tsx
  admin.llm-models._index.tsx
  admin.llm-models.$modelId.tsx
  admin.llm-models.new.tsx
  admin.llm-models.missing._index.tsx
  admin.llm-models.missing.$model.tsx

Routes that have admin-only sub-features (e.g. show-extra-fields-if-admin
on otherwise public routes) stay on requireUser. Migration of those is a
separate concern — they don't gate access on admin, they just branch
display.

Behavioural change: action handlers that previously threw
`new Response('Unauthorized', { status: 403 })` on non-admins now redirect
to / along with the loader. Uniform behaviour, but XHR fetchers that
expected a 403 status would now follow the redirect instead. The admin
pages migrated here don't appear to have XHR fetchers that depend on the
403, but worth flagging.

Verification:
- pnpm run typecheck --filter webapp: clean.
- pnpm run test --filter @internal/rbac: 31 unit tests pass.
- E2E suite: all 31 tests pass — including the
  /admin/concurrency redirect test (now exercising the new builder).

Mirror the changeset consolidation: collapse five per-feature RBAC
server-change files into one OSS-friendly entry covering the plugin
system + auth/authz consolidation work.

UserRole is the source of truth for cloud; OSS doesn't need the legacy
enum to carry the level. Drops the role-name lookup from member.server,
which was the last place OSS had to know about specific role names.

Previously the picker filtered to roles strictly below the inviter,
which meant Owners couldn't invite other Owners. Switch to at-or-below
so peer-level invites (Owner inviting Owner, Admin inviting Admin)
work — matches the existing user-facing copy and matches how most
team-management UIs behave.

Adds a batch variant of getUserRole that returns a Map<userId, Role | null>
in one round-trip. Used by TeamPresenter to drop the N+1 it had been
documenting as a future optimisation. Org-scoped only — project-scoped
reads still go through getUserRole (less common, not worth complicating
the API for).

Adds an optional `group` field to Permission so the plugin labels and
orders permission sections rather than the OSS hardcoding a name → group
map. Section order on the Roles page now follows the order permissions
appear in `allPermissions()` — first group seen, first rendered. Drops
the previous PERMISSION_GROUP_BY_NAME / GROUP_ORDER constants from the
webapp.

…mantics

The 6 session routes merged via PR #3417 were authored against the
pre-RBAC apiBuilder API: `authorization.resource` returned shapes like
`{ sessions: 'abc' }`, with a parallel `superScopes: [...]` whitelist
for broad-scope bypass. Post-TRI-8719, that shape doesn't typecheck and
`superScopes` is dead code.

Convert each resource callback to the canonical `{ type, id? }` shape.
For the two routes whose resource type is `tasks` but whose old
superScopes included `<action>:sessions` (list and create), use a
multi-key array `[{ type: 'tasks', id }, { type: 'sessions' }]` so a
JWT scoped `<action>:sessions` (no id) still passes — preserving the
exact allow-set the old superScopes mechanism granted. `*:all` and
`admin*` were already handled by the JWT ability's wildcard branches.

Drop the now-dead `superScopes` field from all 9 entries.

Adds e2e coverage in `auth-api.e2e.full.test.ts` (34 new tests, ~9
sub-describes) that locks in: per-task narrowing, `<action>:sessions`
type-only equivalence to the old superScope, `*:all` and `admin*`
bypass, wrong-action / wrong-id rejection. Plus a new
`seedTestApiSession` helper for inserting Session rows via Prisma —
distinct from the existing `seedTestSession` (cookie-session helper
for dashboard tests).

Adds RoleBaseAccessController.authenticatePat — PATs identify the user;
the effective ability is min(user's role in target org, max-role cap).
The user's actual membership is the floor (auto-narrows on demotion or
removal); the cap is set at PAT creation as a deliberate ceiling.

OSS-side:
- @trigger.dev/plugins gains the PatAuthResult type + authenticatePat
  on the controller interface.
- Fallback validates the PAT (prefix, hashed lookup, revoked check) and
  returns a permissive ability — preserves the pre-RBAC behaviour where
  PATs were pure user-identity tokens. Self-hosters see no change.
- LazyController delegates with the existing withActionAliases wrapper.

apiBuilder:
- createLoaderPATApiRoute accepts an optional context callback to
  derive { organizationId?, projectId? } and an optional authorization
  block. When either is declared, rbac.authenticatePat runs and the
  ability flows into the handler. Routes that don't opt in stay on the
  legacy permissive path.
- api.v1.projects.$projectRef.runs.ts opts in: context resolves
  projectRef -> organizationId, authorization is read on type runs.

UI:
- account.tokens picker reframed as 'Maximum role' with a hint
  explaining the cap-vs-floor model. Underlying TokenRole storage
  unchanged; semantic flip from 'bound role' to 'max role cap'.

The role chosen at PAT creation now actually constrains the token
(previously TokenRole was written but never read at request time).

The workflow pinned pnpm 10.23.0; root package.json declares 10.33.2.
pnpm/action-setup v4+ now rejects the conflict (root + workflow are
both 'specified versions' as far as the action is concerned), failing
the job before it can run any tests. Bump to v5.0.0 of the action and
match the 10.33.2 pin already used by unit-tests-webapp.yml and
release.yml.

The webapp unit-test config excluded *.e2e.test.ts (smoke matrix) but
not *.e2e.full.test.ts. The full auth suite needs a globalSetup that
spawns a webapp + Postgres container, which only the dedicated
vitest.e2e.full.config.ts provides. CI's unit-test shards were picking
up the e2e-full files via the include glob and failing immediately
with 'globalSetup didn't provide baseUrl/databaseUrl'.

Five real-bug fixes from CodeRabbit + Devin review of #3499:

#1 personalAccessToken.server.ts: FALLBACK_NOT_INSTALLED_ERROR string
   was 'RBAC fallback not installed' but the OSS fallback actually
   returns 'RBAC plugin not installed'. The mismatch made every PAT
   creation with a roleId hit the compensating-delete branch on
   self-hosters with no plugin installed — including the dashboard
   PAT-creation flow. Aligns the constant with the canonical string.

#2 internal-packages/rbac/src/fallback.ts: authenticateBearer skipped
   the revoked-API-key grace window (RevokedApiKey table), so a
   freshly-rotated env API key would 401 immediately on the new auth
   path. Mirrors findEnvironmentByApiKey's fallback-to-RevokedApiKey
   logic so the auth-cross-cutting e2e tests pass.

#3 api.v1.query.ts: multi-table queries built a plain RbacResource
   array, which checkAuth treats as 'any element passes'. A JWT
   scoped to one detected table could submit a query that also reads
   another table it isn't scoped to. Wrap with everyResource — same
   AND-semantics fix as the batch trigger routes.

#4 account.tokens/route.tsx: defaultRoleId could land on a custom or
   plan-blocked role when userRoleId wasn't in the picker's assignable
   set. The action's submit-revalidation would then 400 until the user
   manually changed the dropdown. Clamp the default to roles the picker
   actually renders.

#5 settings.team/route.tsx: the role Select used defaultValue, so a
   failed set-role submit left the attempted role visible while the
   server kept the old one. Switch to a controlled value bound to
   currentRoleId.

Locks in the everyResource(...) wrap added in 5547e66. Two new tests:
JWT scoped to one of multiple detected tables → 403; JWT scoped to all
detected tables → auth passes. Mirrors the every-task lock-in for the
batch trigger routes.

…-resource sites

Bare RbacResource[] in `authorization.resource` is now a type error.
Multi-resource auth must wrap with one of:

  - anyResource(...): succeed if any element passes (the existing default;
    used when one record carries multiple identifiers — runs by friendlyId
    / batch / tags / task — so a JWT scoped to any one grants access)
  - everyResource(...): succeed only if every element passes (existing
    helper; used by batch operations and the multi-table query route)

The OR-loophole class of bug CodeRabbit caught on api.v1.query — a JWT
scoped to one of N detected tables was authorized for the whole multi-
table query — was patchable per-route with everyResource. The Symbol
marker stayed invisible: future authors would still default to bare
arrays. Tightening AuthResource flushed out 11 routes that were silently
on the OR path; each is wrapped explicitly now.

Also inline the unrelated private `anyResource` helper in
internal-packages/rbac/src/ability.ts so the public name is unambiguous.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

#1 internal-packages/rbac/src/ability.ts (severity: 🔴 silent privilege
   escalation): buildJwtAbility was treating any scope starting with
   `admin:` as a universal wildcard. Pre-RBAC, the legacy
   checkAuthorization string-matched superScopes — `admin:sessions` only
   granted access to routes that explicitly listed it. After the JWT-
   ability split, the same scope was returning true for every action on
   every resource. Restrict the bypass to bare `admin` (no second
   segment); `admin:<type>` now flows through normal matching as
   action="admin" against resources of that type. Adds 2 regression
   tests in ability.test.ts.

#2 apps/webapp/app/services/routeBuilders/apiBuilder.server.ts (status
   discard): authenticateRequestForApiBuilder hardcoded `status: 401`
   even though BearerAuthResult.status is `401 | 403`. A plugin
   returning 403 (e.g. suspended account, IP block) would silently get
   downgraded to 401 — semantically wrong (401 = "who are you?", 403 =
   "you're not allowed") and confusing for client retry logic. Plumb
   result.status through.

#3 apps/webapp/app/services/routeBuilders/apiBuilder.server.ts
   (everyResource([]) vacuous truth): [].every() returns true, so
   everyResource([]) was passing auth for any token. Not exploitable
   today (Zod rejects empty bodies before auth), but the auth layer
   should never grant on empty input. Same defensive guard added to
   anyResource() for symmetry — only PERMISSIVE_ABILITY would have
   granted there, but the pattern shouldn't depend on the ability's
   choice.

#4 internal-packages/rbac/src/fallback.ts (PREVIEW env regression): the
   fallback's authenticateBearer looked up environments by apiKey only,
   skipping the branch-aware resolution that findEnvironmentByApiKey
   does for PREVIEW envs. Self-hosters using preview/branch envs would
   either fail or operate against the parent env. Mirror the legacy
   path: read x-trigger-branch, include matching child env, and pivot
   the resolved env to the child (apiKey/orgMember/organization/project
   inherited from parent). sanitizeBranchName inlined here because
   internal-packages can't import webapp code; comment notes the
   duplication.

All four flagged by Devin's PR review. Cloud plugin's buildJwtAbility
gets the same #1 fix in a sibling commit on this PR's cloud branch.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

…core/v3/utils/gitBranch

Both helpers were originally in apps/webapp/app/v3/gitBranch.ts.
internal-packages/rbac needed sanitizeBranchName for the PREVIEW-env
branch resolution added in 8246234, and copy-pasting the function into
the fallback was a smell. Moves the canonical home into core (no
internal-package can import webapp code), and updates the four webapp
call sites + the rbac fallback to import from
@trigger.dev/core/v3/utils/gitBranch.

`sanitizeBranchName`'s input type is widened slightly to
`string | null | undefined` so callers passing `Headers.get(...)` (which
returns `string | null`) don't need a `?? undefined` workaround. The
existing webapp callers all pass `string | undefined`; the new union is
backwards-compatible.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

…minate redundant findEnvironmentById

Plugins now return the full env shape they fetched. The apiBuilder bridge passes it straight through to handlers — no follow-up findEnvironmentById round-trip.

@trigger.dev/core/v3/auth/environment (new) defines the slim AuthenticatedEnvironment structurally, independent of @trigger.dev/database. @trigger.dev/plugins re-exports it plus sanitizeBranchName so cloud's workspace-linked plugin imports from one surface.

Internal-packages/rbac/src/fallback.ts drops toRbacEnvironment stripping. apiBuilder.server.ts bridge drops findEnvironmentById. Model finders coerce to slim shape. Various downstream signature updates accept slim AE.

Net: single DB call per API request.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

…orts fix

Four issues flagged on PR #3499:

1. (apps/webapp/app/models/runtimeEnvironment.server.ts) toAuthenticated()
   was documented as coercing Prisma's Decimal `concurrencyLimitBurstFactor`
   to a number but actually passed it through unchanged. Slim AE accepts
   `number | DecimalLike`, so it compiled, but at runtime any consumer
   doing arithmetic would get NaN. Now calls `.toNumber()` explicitly.

2. (internal-packages/rbac/src/fallback.ts) Same issue in the fallback's
   toAuthenticatedEnvironment — was a typed identity function. Now coerces
   the burst factor to number via the same union-narrowing pattern used
   by the EnvironmentQueuePresenter.

3 + 4. (internal-packages/rbac/src/fallback.ts, apps/webapp/app/services/rbac.server.ts)
   The fallback was using the primary PrismaClient for read-only auth-path
   queries (env lookup, revoked-key grace, session user lookup, PAT
   lookup). Pre-PR, findEnvironmentByApiKey used $replica for these.
   Shifting auth-path reads from replica to primary is a real perf
   regression on high-traffic deployments.

   RoleBaseAccessFallback now accepts either a single PrismaClient or
   `{ primary, replica }`. The webapp passes both — `prisma` for writes
   (role mutations) and `$replica` for the read-only authenticate*
   paths. The fallback's role-mutation methods are no-op stubs in the
   plugin-not-installed case, so writes only need the primary
   nominally; the type kept for symmetry.

5. (packages/core/package.json) Two new subpath exports added in this PR
   — `v3/auth/environment` and `v3/utils/gitBranch` — were missing from
   the `typesVersions` block. attw flagged "resolution failed" on both,
   failing the `check-exports` CI job. Added the entries.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Webapp's vitest config sets `pool: "forks"` and the test script uses
`--no-file-parallelism`, so every test file in a shard executes
sequentially in the same forked Node process. globalThis persists
across files even though vitest clears the module cache between them.

Two places call `provider.register()`:
- `~/v3/tracer.server.ts` via the `setupTelemetry` singleton — sets the
  OTel global APIs (trace/context/propagation).
- `test/utils/tracing.ts#createInMemoryTracing()` — also calls
  `provider.register()` to make `trace.getTracer("test-tracer")`
  return its in-memory provider's tracer.

Once the webapp's tracer.server.ts has been loaded by any test in the
shard, the globals are set. The next test that calls
createInMemoryTracing fails with `@opentelemetry/api: Attempted
duplicate registration of API: trace/context/propagation`. Failed test
stack pointed at `runsBackfiller.test.ts:30` calling
`createInMemoryTracing()` after triggerTask.test.ts (which loads
tracer.server.ts via `~/runEngine/services/triggerTask.server`) ran
first in shard 6.

The same shape failure cascades through the rest of the shard's tests
because the consumer keeps trying and tracer.server.ts can't be
re-singleton'd cleanly after the cache eviction.

Why now: this PR's slim-AuthenticatedEnvironment refactor changed the
import graph so that triggerTask test's transitive imports actually
reach tracer.server.ts in CI's shard 6 distribution. It worked before
because the shard's tests didn't co-load both register() callers. But
the latent issue was always there — fixing the test util is the right
layer.

Fix: drop `provider.register()` from createInMemoryTracing. The
exporter still receives spans because the consumer uses the tracer
returned from `provider.getTracer(...)` directly (provider-scoped, not
global). Tests that genuinely need the global must register their own
provider explicitly and clean up — but none of the current callers
do.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

…t") that collides with OTel auto-instrumentation

The previous fix in this PR (lazy-load `expect` inside assertNonNullable
via require("vitest")) was intended to keep the module importable from
contexts where vitest isn't initialized at module-load time (a vitest
globalSetup, where the worker doesn't exist yet).

But require() inside the function body collides with OTel's
`@opentelemetry/instrumentation`, which uses `require-in-the-middle`
to hook every Node `require()` call. vitest is ESM-only, so once OTel's
been touched in the same process, the next `require("vitest")` call
throws "Vitest cannot be imported in a CommonJS module using require()".

That instrumentation runs as soon as the run-engine — or any code that
loads its OTel-traced internals — is imported. That's:
- Every run-engine internal test (run-queue, heartbeats, pendingVersion)
  uses assertNonNullable.
- Every webapp test that transitively reaches RunEngine (triggerTask,
  runsBackfiller, plus any test that imports services using engine
  internals) does too.

Each shard ran ~7/8 failing because some early test loaded run-engine,
require-in-the-middle armed, then the next assertNonNullable call
exploded — cascading the rest of the shard's tests via vitest's
fail-fast on uncaught errors in the same process.

Fix: replace the vitest.expect call with a plain throw. Vitest still
gets a useful failure (the message shows in the stack trace) without
the require() hazard. The test that PR #3438 originally needed this
for (a globalSetup that imported assertNonNullable before workers
existed) still works — there's no top-level vitest import any more.

Verified: triggerTask.test.ts (which previously failed locally with
the require-in-the-middle error) now passes 8/8.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>