fix(webapp): use EntitlementResult for production entitlement validation

Replace the invalid @trigger.dev/platform/v3 import so billing limit typecheck passes in CI.

Co-authored-by: Cursor <cursoragent@cursor.com>

Author: kathiekiwi

apps/webapp/app/components/billing/BillingAlertsSection.tsx

@@ -53,8 +53,7 @@ export const billingAlertsSchema = z.object({
     const values = typeof i === "string" ? [i] : Array.isArray(i) ? i : [];
     return values
       .filter((v) => v !== "")
-      .map((v) => Number(v))
-      .filter((n) => Number.isFinite(n));
+      .map((v) => Number(v));
   }, z.number().array().refine(thresholdValuesAreUnique, "Each alert must be unique")),
 });
 

apps/webapp/app/components/billing/OrgBanner.tsx

@@ -9,6 +9,7 @@ import {
   useOptionalOrganization,
   useOrganization,
   useBillingLimit,
+  useCanManageBilling,
 } from "~/hooks/useOrganizations";
 import { useOptionalProject, useProject } from "~/hooks/useProject";
 import { useShowSelfServe } from "~/hooks/useShowSelfServe";
@@ -17,7 +18,7 @@ import { v3BillingLimitsPath, v3BillingPath, v3QueuesPath } from "~/utils/pathBu
 
 function getUpgradeResetDate(): Date {
   const nextMonth = new Date();
-  nextMonth.setUTCMonth(nextMonth.getMonth() + 1);
+  nextMonth.setUTCMonth(nextMonth.getUTCMonth() + 1);
   nextMonth.setUTCDate(1);
   nextMonth.setUTCHours(0, 0, 0, 0);
   return nextMonth;
@@ -129,18 +130,23 @@ function LimitGraceBanner() {
 
 function NoLimitConfiguredBanner() {
   const organization = useOrganization();
+  const canManageBilling = useCanManageBilling();
 
   return (
     <AnimatedOrgBannerBar
       show
       variant="warning"
       action={
-        <LinkButton variant="tertiary/small" to={v3BillingLimitsPath(organization)}>
-          Configure billing limit
-        </LinkButton>
+        canManageBilling ? (
+          <LinkButton variant="tertiary/small" to={v3BillingLimitsPath(organization)}>
+            Configure billing limit
+          </LinkButton>
+        ) : undefined
       }
     >
-      Protect your organization from unexpected usage spikes.
+      {canManageBilling
+        ? "Protect your organization from unexpected usage spikes."
+        : "Billing limits are not configured for this organization. Contact an organization administrator to configure them."}
     </AnimatedOrgBannerBar>
   );
 }

apps/webapp/app/components/billing/billingAlertsFormat.ts

@@ -18,7 +18,7 @@ export type BillingLimitMode = "plan" | "custom" | "none";
 
 export function getBillingLimitMode(billingLimit: BillingLimitResult): BillingLimitMode {
   if (!billingLimit.isConfigured) {
-    return "plan";
+    return "none";
   }
   return billingLimit.mode;
 }
@@ -240,14 +240,16 @@ export function normalizeBillingAlertsFromApi(apiAlerts: {
   // Platform API stores amount in cents.
   let amountDollars = rawAmount / 100;
 
-  // Legacy percentage alerts sometimes stored plan dollars directly (e.g. 100 for $100).
-  // Never apply to absolute dollar alerts — those use a fixed $1 base (100 cents).
+  // Legacy percentage alerts sometimes stored plan dollars directly (e.g. 100 for $100)
+  // with whole-number percents (10, 50, 80). New saves store cents and fractional levels
+  // (0.75, 0.9) via thresholdsToAlertPayload — never treat those as legacy dollars.
   if (
     rawAmount !== ABSOLUTE_ALERT_BASE_CENTS &&
     Number.isFinite(rawAmount) &&
     rawAmount >= 10 &&
     rawAmount / 100 < 10 &&
-    alertLevels.length > 0
+    alertLevels.length > 0 &&
+    !usesFractionAlertLevelFormat(alertLevels)
   ) {
     amountDollars = rawAmount;
   }
@@ -311,11 +313,8 @@ export function storedAlertsToThresholds(
     return [];
   }
 
-  // Legacy percentage alerts keep their saved base amount even if billing limit changed.
-  if (
-    percentageAlertAmountMatches(amountCents, effectiveLimitCents, planLimitCents) ||
-    amountCents > 0
-  ) {
+  // Saved percentage alerts keep their thresholds whenever a positive base amount is stored.
+  if (amountCents > 0) {
     return uiThresholds.slice(0, MAX_PERCENTAGE_ALERTS);
   }
 

apps/webapp/app/components/billing/selectOrgBanner.ts

@@ -31,14 +31,16 @@ export function selectOrgBanner(input: {
     if (status === "grace") {
       return OrgBannerKind.LimitGrace;
     }
-  } else if (billingLimit && !billingLimit.isConfigured && showSelfServe) {
-    return OrgBannerKind.NoLimitConfigured;
   }
 
   if (hasExceededFreeTier) {
     return OrgBannerKind.Upgrade;
   }
 
+  if (billingLimit && !billingLimit.isConfigured && showSelfServe) {
+    return OrgBannerKind.NoLimitConfigured;
+  }
+
   if (showEnvironmentWarning) {
     return OrgBannerKind.EnvironmentWarning;
   }

apps/webapp/app/hooks/useOrganizations.ts

@@ -95,3 +95,11 @@ export function useBillingLimit(matches?: UIMatch[]) {
   });
   return data?.billingLimit;
 }
+
+export function useCanManageBilling(matches?: UIMatch[]) {
+  const data = useTypedMatchesData<typeof orgLoader>({
+    id: "routes/_app.orgs.$organizationSlug",
+    matches,
+  });
+  return data?.canManageBilling === true;
+}

apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.queues/route.tsx

@@ -183,24 +183,22 @@ export const action = async ({ request, params }: ActionFunctionArgs) => {
   }
 
   switch (action) {
-    case "environment-pause":
+    case "environment-pause": {
       const pauseService = new PauseEnvironmentService();
-      {
-        const result = await pauseService.call(environment, "paused");
-        if (!result.success) {
-          return redirectWithErrorMessage(redirectPath, request, result.error);
-        }
+      const result = await pauseService.call(environment, "paused");
+      if (!result.success) {
+        return redirectWithErrorMessage(redirectPath, request, result.error);
       }
       return redirectWithSuccessMessage(redirectPath, request, "Environment paused");
-    case "environment-resume":
+    }
+    case "environment-resume": {
       const resumeService = new PauseEnvironmentService();
-      {
-        const result = await resumeService.call(environment, "resumed");
-        if (!result.success) {
-          return redirectWithErrorMessage(redirectPath, request, result.error);
-        }
+      const result = await resumeService.call(environment, "resumed");
+      if (!result.success) {
+        return redirectWithErrorMessage(redirectPath, request, result.error);
       }
       return redirectWithSuccessMessage(redirectPath, request, "Environment resumed");
+    }
     case "queue-pause":
     case "queue-resume": {
       const friendlyId = formData.get("friendlyId");

apps/webapp/app/routes/_app.orgs.$organizationSlug.settings.billing-limits/route.tsx

@@ -3,8 +3,6 @@ import type { MetaFunction } from "@remix-run/react";
 import {
   json,
   redirect,
-  type ActionFunction,
-  type LoaderFunctionArgs,
 } from "@remix-run/server-runtime";
 import { tryCatch } from "@trigger.dev/core";
 import { typedjson, useTypedLoaderData } from "remix-typedjson";
@@ -43,6 +41,7 @@ import { NavBar, PageAccessories, PageTitle } from "~/components/primitives/Page
 import { prisma } from "~/db.server";
 import { featuresForRequest } from "~/features.server";
 import { useScrollContainerToTop } from "~/hooks/useScrollContainerToTop";
+import { resolveOrgIdFromSlug } from "~/models/organization.server";
 import {
   commitSession,
   getSession,
@@ -59,6 +58,7 @@ import {
   setBillingAlert,
   setBillingLimit,
 } from "~/services/platform.v3.server";
+import { dashboardAction, dashboardLoader } from "~/services/routeBuilders/dashboardBuilder";
 import type { BillingLimitResult } from "~/services/billingLimit.schemas";
 import {
   getAlertsResetRequested,
@@ -77,15 +77,31 @@ import {
   v3BillingLimitsPath,
   v3BillingPath,
 } from "~/utils/pathBuilder";
-import { requireUserId } from "~/services/session.server";
+
+const billingLimitsAuthorization = {
+  action: "manage" as const,
+  resource: { type: "billing" as const },
+};
 
 export const meta: MetaFunction = () => {
   return [{ title: `Billing limits | Trigger.dev` }];
 };
 
-export async function loader({ params, request }: LoaderFunctionArgs) {
-  const userId = await requireUserId(request);
-  const { organizationSlug } = OrganizationParamsSchema.parse(params);
+export const loader = dashboardLoader(
+  {
+    params: OrganizationParamsSchema,
+    context: async (params) => {
+      const organizationId = await resolveOrgIdFromSlug(params.organizationSlug);
+      return organizationId ? { organizationId } : {};
+    },
+    authorization: {
+      ...billingLimitsAuthorization,
+      message: "With your current role, you can't manage billing limits.",
+    },
+  },
+  async ({ params, request, user }) => {
+  const userId = user.id;
+  const { organizationSlug } = params;
 
   const { isManagedCloud } = featuresForRequest(request);
   if (!isManagedCloud) {
@@ -131,9 +147,9 @@ export async function loader({ params, request }: LoaderFunctionArgs) {
   firstDayOfMonth.setUTCHours(0, 0, 0, 0);
 
   const firstDayOfNextMonth = new Date();
-  firstDayOfNextMonth.setUTCMonth(firstDayOfNextMonth.getUTCMonth() + 1);
   firstDayOfNextMonth.setUTCDate(1);
   firstDayOfNextMonth.setUTCHours(0, 0, 0, 0);
+  firstDayOfNextMonth.setUTCMonth(firstDayOfNextMonth.getUTCMonth() + 1);
 
   const [usage, queuedRunCount, billingLimitPauseEnvCount] = await Promise.all([
     getCachedUsage(organization.id, { from: firstDayOfMonth, to: firstDayOfNextMonth }),
@@ -166,7 +182,8 @@ export async function loader({ params, request }: LoaderFunctionArgs) {
     submittedResumeMode,
     suggestedNewLimitDollars,
   });
-}
+  }
+);
 
 type LoaderData = {
   billingLimit: BillingLimitResult;
@@ -182,9 +199,18 @@ type LoaderData = {
   suggestedNewLimitDollars: number;
 };
 
-export const action: ActionFunction = async ({ request, params }) => {
-  const userId = await requireUserId(request);
-  const { organizationSlug } = OrganizationParamsSchema.parse(params);
+export const action = dashboardAction(
+  {
+    params: OrganizationParamsSchema,
+    context: async (params) => {
+      const organizationId = await resolveOrgIdFromSlug(params.organizationSlug);
+      return organizationId ? { organizationId } : {};
+    },
+    authorization: billingLimitsAuthorization,
+  },
+  async ({ request, params, user }) => {
+  const userId = user.id;
+  const { organizationSlug } = params;
 
   const organization = await prisma.organization.findFirst({
     where: { slug: organizationSlug, members: { some: { userId } } },
@@ -476,7 +502,8 @@ export const action: ActionFunction = async ({ request, params }) => {
   }
 
   return json({ error: "Unknown form intent" }, { status: 400 });
-};
+  }
+);
 
 export default function Page() {
   const {

apps/webapp/app/routes/_app.orgs.$organizationSlug/route.tsx

@@ -10,6 +10,8 @@ import { OrganizationsPresenter } from "~/presenters/OrganizationsPresenter.serv
 import { RegionsPresenter, type Region } from "~/presenters/v3/RegionsPresenter.server";
 import { getImpersonationId } from "~/services/impersonation.server";
 import { getCachedUsage, getBillingLimit, getCurrentPlan } from "~/services/platform.v3.server";
+import { rbac } from "~/services/rbac.server";
+import { canManageBilling } from "~/services/routeBuilders/permissions.server";
 import { requireUser } from "~/services/session.server";
 import { telemetry } from "~/services/telemetry.server";
 import { organizationPath } from "~/utils/pathBuilder";
@@ -97,6 +99,12 @@ export const loader = async ({ request, params }: LoaderFunctionArgs) => {
   const shouldLoadRegions =
     !!projectParam && !!environment && environment.type !== "DEVELOPMENT";
 
+  const sessionAuth = await rbac.authenticateSession(request, {
+    userId: user.id,
+    organizationId: organization.id,
+  });
+  const userCanManageBilling = sessionAuth.ok ? canManageBilling(sessionAuth.ability) : false;
+
   const [plan, usage, billingLimit, customDashboards, regions] = await Promise.all([
     getCurrentPlan(organization.id),
     getCachedUsage(organization.id, { from: firstDayOfMonth, to: firstDayOfNextMonth }),
@@ -173,6 +181,7 @@ export const loader = async ({ request, params }: LoaderFunctionArgs) => {
       limit: dashboardLimit,
     },
     widgetLimitPerDashboard,
+    canManageBilling: userCanManageBilling,
   });
 };
 

apps/webapp/app/routes/admin.api.v1.orgs.$organizationId.billing-limit.hit.ts

@@ -1,7 +1,8 @@
 import { type ActionFunctionArgs, json } from "@remix-run/server-runtime";
 import { z } from "zod";
 import { prisma } from "~/db.server";
-import { BillingLimitHitWebhookBodySchema } from "~/services/billingLimit.schemas";
+import { BillingLimitHitWebhookBodySchema, type BillingLimitHitWebhookBody } from "~/services/billingLimit.schemas";
+import { logger } from "~/services/logger.server";
 import { requireAdminApiRequest } from "~/services/personalAccessToken.server";
 import { bustBillingLimitCaches } from "~/services/platform.v3.server";
 import {
@@ -24,7 +25,17 @@ export async function action({ request, params }: ActionFunctionArgs) {
   }
 
   const { organizationId } = ParamsSchema.parse(params);
-  const body = BillingLimitHitWebhookBodySchema.parse(await request.json());
+
+  let body: BillingLimitHitWebhookBody;
+  try {
+    body = BillingLimitHitWebhookBodySchema.parse(await request.json());
+  } catch (error) {
+    logger.error("Invalid billing limit hit webhook payload", {
+      error,
+      organizationId,
+    });
+    return json({ error: "Invalid request body" }, { status: 400 });
+  }
 
   const organization = await prisma.organization.findFirst({
     where: { id: organizationId },

apps/webapp/app/runEngine/validators/validateProductionEntitlement.server.ts

@@ -1,10 +1,10 @@
-import type { ReportUsageResult } from "@trigger.dev/platform/v3";
+import type { EntitlementResult } from "~/services/billingLimit.schemas";
 import { OutOfEntitlementError } from "~/v3/outOfEntitlementError.server";
 import type { EntitlementValidationParams, EntitlementValidationResult } from "../types";
 
 export type GetEntitlementFn = (
   organizationId: string
-) => Promise<ReportUsageResult | undefined>;
+) => Promise<EntitlementResult | undefined>;
 
 export async function validateProductionEntitlement(
   params: EntitlementValidationParams,