feat(rbac): Add RBAC service and API routers

[jordan-umusu]

Summary by cubic

Adds a full RBAC system with service layer, REST APIs, and DB models for scopes, roles, groups, and role assignments. Seeds default scopes/roles and computes effective user scopes for access checks and the UI.

• New Features

  • DB: Add RBAC tables; remove role from memberships/invitations; link roles via assignments.
  • Seeding: Seed system scopes and preset roles per org at startup; seed registry scopes during registry sync.
  • Service/API: Implement RBACService with CRUD and effective scope calculation; add EE routers for scopes/roles/groups/assignments and an OSS user scopes endpoint; protect routes with OrgUserRole and scope checks.
  • Auth/Audit: Add scope-based authorization (ScopeDeniedError) and rbac_* audit resources; expose RBAC feature flag.
  • Frontend: Generate TS schemas/types/services; update invites/members UI to use role_slug/role_name.

• Migration

  • Run: uv run alembic upgrade head
  • Notes: Creates RBAC tables and drops role columns from membership/invitation tables with data migration to Role-based assignments.

^{Written for commit ac3b77b. Summary will update on new commits.}

[jordan-umusu]

Warning

This pull request is not mergeable via GitHub because a downstack PR is open. Once all requirements are satisfied, merge this PR as a stack on Graphite.
Learn more

• feat(rbac): Test suite #2036
• feat(rbac): Add rbac frontend #1988
• feat(rbac): Add @require_scope decorators to all API endpoints #1987
• feat(rbac): Add RBAC service and API routers #1986 👈 (View in Graphite)
• feat(rbac): Seed registry scopes during sync #1985
• feat(rbac): RBAC auth layer #1984
• feat(rbac): Add database schema for RBAC tables #1983
• main

This stack of pull requests is managed by Graphite. Learn more about stacking.

[jordan-umusu]

@cubic review

[cubic-dev-ai]

@cubic review

@jordan-umusu I have started the AI code review. It will take a few minutes to complete.

[jordan-umusu]

@codex review

[chatgpt-codex-connector]

💡 Codex Review

tracecat/alembic/versions/55c5d2499eee_add_rbac_tables.py

Lines 311 to 315 in ac3b77b

	sa.UniqueConstraint(
	"user_id",
	"organization_id",
	name=op.f("uq_user_role_assignment_user_id_organization_id"),
	),

Allow multiple role assignments per org

The new user_role_assignment table enforces a unique constraint on (user_id, organization_id), which prevents a user from having more than one assignment within the same org. That makes it impossible to add a workspace-specific role for a user who already has an org-level role (the common case), e.g. accepting a workspace invitation will attempt to insert a workspace assignment and will hit a uniqueness violation. If the intent is “one role per workspace plus an optional org-wide assignment,” this constraint should be removed or replaced with a (user_id, workspace_id) unique plus the existing partial index for workspace_id IS NULL.

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[cubic-dev-ai]

4 issues found across 22 files

Prompt for AI agents (all issues)

Check if these issues are valid — if so, understand the root cause of each and fix them.


<file name="tracecat/db/models.py">

<violation number="1" location="tracecat/db/models.py:475">
P2: The new bidirectional relationship is incomplete: User.role_assignments specifies back_populates="user", but UserRoleAssignment.user does not define the reciprocal back_populates. This can lead to SQLAlchemy warnings and unsynchronized relationship state when assigning roles. Add back_populates="role_assignments" on UserRoleAssignment.user (or remove back_populates here if you want a unidirectional relationship).</violation>
</file>

<file name="packages/tracecat-ee/tracecat_ee/rbac/router.py">

<violation number="1" location="packages/tracecat-ee/tracecat_ee/rbac/router.py:166">
P1: This will raise `TypeError: got multiple values for keyword argument 'scopes'` at runtime. When SQLAlchemy loads `r.scopes`, it's stored in `r.__dict__`, so the unpacked dict already contains `scopes`, conflicting with the explicit `scopes=` argument. Use explicit attribute mapping like `get_role` does.</violation>
</file>

<file name="tests/unit/test_rbac_service.py">

<violation number="1" location="tests/unit/test_rbac_service.py:55">
P2: OrganizationMembership no longer accepts a `role` argument. This fixture will raise a TypeError on instantiation, so the test setup fails before the RBAC service is exercised. Remove the role parameter or assign roles via the RBAC assignment tables.</violation>
</file>

<file name="packages/tracecat-ee/tracecat_ee/rbac/service.py">

<violation number="1" location="packages/tracecat-ee/tracecat_ee/rbac/service.py:380">
P1: Security: The comment states this should verify user belongs to the organization, but the query only checks if the user exists globally. This could allow adding users from other organizations to groups. Consider joining with an org membership table to verify the user belongs to `self.organization_id`.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: ef01108209

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[cubic-dev-ai]

3 issues found across 17 files

Prompt for AI agents (all issues)

Check if these issues are valid — if so, understand the root cause of each and fix them.


<file name="packages/tracecat-ee/tracecat_ee/rbac/service.py">

<violation number="1" location="packages/tracecat-ee/tracecat_ee/rbac/service.py:628">
P1: Security: Missing organization membership verification. This only checks if the user exists globally, but doesn't verify they belong to the current organization. This could allow role assignment to users outside the organization. The `add_group_member` method correctly checks `OrganizationMembership` - this should follow the same pattern.</violation>
</file>

<file name="tracecat/db/models.py">

<violation number="1" location="tracecat/db/models.py:481">
P2: Duplicate `role_assignments` relationship overrides the earlier attribute definition. Remove the duplicate block to avoid confusion and accidental overrides if parameters diverge later.</violation>
</file>

<file name="tracecat/organization/router.py">

<violation number="1" location="tracecat/organization/router.py:146">
P3: `scalar_one_or_none()` drops the RoleModel columns from a multi-column select, leaving the joins/columns unused and misleading. Either select only `User` or switch back to `result.tuples().one_or_none()` to match the multi-column query.

(Based on your team's feedback about using result.tuples() for multi-column selects.) [FEEDBACK_USED]</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

[daryllimyt]

naming consistency with db model i.e. GroupRoleAssignment*

[daryllimyt]

does this have to be wrapped in a list?

[daryllimyt]

wrong type?

[daryllimyt]

wrong type?

[daryllimyt]

nit: prefer to check existence explicitly instead of fetch and discard

[daryllimyt]

if you have ScopeRead inherit from Schema it comes with a Schema.list_adapter() classmethod that lets us do this but with a single TypeAdapter call

[daryllimyt]

does this overwrite /users/me in the fastapi users router?

[daryllimyt]

maybe DBRole is more consistent with how we did DBChatMessage