fix team permissions (stack-auth#1016)

<!--

Make sure you've read the CONTRIBUTING.md guidelines:
https://github.com/stack-auth/stack-auth/blob/dev/CONTRIBUTING.md

-->


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Chores**
* Enhanced permission definition management system with improved
handling for permission configurations, ensuring better system
reliability and consistency.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Co-authored-by: ArvindParekh <aruparekh@gmail.com>

Author: BilalG1

apps/backend/prisma/seed.ts

@@ -1,7 +1,7 @@
 /* eslint-disable no-restricted-syntax */
 import { usersCrudHandlers } from '@/app/api/latest/users/crud';
 import { overrideEnvironmentConfigOverride } from '@/lib/config';
-import { grantTeamPermission, updatePermissionDefinition } from '@/lib/permissions';
+import { ensurePermissionDefinition, grantTeamPermission } from '@/lib/permissions';
 import { createOrUpdateProjectWithLegacyConfig, getProject } from '@/lib/projects';
 import { DEFAULT_BRANCH_ID, getSoleTenancyFromProjectBranch } from '@/lib/tenancies';
 import { getPrismaClientForTenancy, globalPrismaClient } from '@/prisma-client';
@@ -203,30 +203,28 @@ export async function seed() {
     }
   });
 
-  await updatePermissionDefinition(
+  await ensurePermissionDefinition(
     globalPrismaClient,
     internalPrisma,
     {
-      oldId: "team_member",
+      id: "team_member",
       scope: "team",
       tenancy: internalTenancy,
       data: {
-        id: "team_member",
         description: "1",
         contained_permission_ids: ["$read_members"],
       }
     }
   );
   const updatedInternalTenancy = await getSoleTenancyFromProjectBranch("internal", DEFAULT_BRANCH_ID);
-  await updatePermissionDefinition(
+  await ensurePermissionDefinition(
     globalPrismaClient,
     internalPrisma,
     {
-      oldId: "team_admin",
+      id: "team_admin",
       scope: "team",
       tenancy: updatedInternalTenancy,
       data: {
-        id: "team_admin",
         description: "2",
         contained_permission_ids: ["$read_members", "$remove_members", "$update_team"],
       }

apps/backend/src/lib/permissions.tsx

@@ -334,6 +334,45 @@ export async function updatePermissionDefinition(
   };
 }
 
+export async function ensurePermissionDefinition(
+  globalTx: PrismaTransaction,
+  sourceOfTruthTx: PrismaTransaction,
+  options: {
+    scope: "team" | "project",
+    tenancy: Tenancy,
+    id: string,
+    data: {
+      description?: string,
+      contained_permission_ids?: string[],
+    },
+  }
+) {
+  const existingPermission = getOrUndefined(options.tenancy.config.rbac.permissions, options.id);
+
+  if (existingPermission) {
+    return await updatePermissionDefinition(globalTx, sourceOfTruthTx, {
+      scope: options.scope,
+      tenancy: options.tenancy,
+      oldId: options.id,
+      data: {
+        id: options.id,
+        description: options.data.description,
+        contained_permission_ids: options.data.contained_permission_ids,
+      },
+    });
+  } else {
+    return await createPermissionDefinition(globalTx, {
+      scope: options.scope,
+      tenancy: options.tenancy,
+      data: {
+        id: options.id,
+        description: options.data.description,
+        contained_permission_ids: options.data.contained_permission_ids,
+      },
+    });
+  }
+}
+
 export async function deletePermissionDefinition(
   globalTx: PrismaTransaction,
   sourceOfTruthTx: PrismaTransaction,