MostUsing
diff --git a/‎coderd/apidoc/docs.go
+42 b/‎coderd/apidoc/docs.go
+42
diff --git a/‎coderd/apidoc/swagger.json
+40 b/‎coderd/apidoc/swagger.json
+40
diff --git a/‎coderd/coderd.go
-7 b/‎coderd/coderd.go
-7
diff --git a/‎coderd/roles.go
-47 b/‎coderd/roles.go
-47
diff --git a/‎docs/api/members.md
+35-3 b/‎docs/api/members.md
+35-3
diff --git a/‎docs/api/schemas.md
+40 b/‎docs/api/schemas.md
+40
diff --git a/‎enterprise/coderd/coderd.go
+10-10 b/‎enterprise/coderd/coderd.go
+10-10
@@ -464,7 +464,6 @@ func New(options *Options) *API {
 		TemplateScheduleStore:       options.TemplateScheduleStore,
 		UserQuietHoursScheduleStore: options.UserQuietHoursScheduleStore,
 		AccessControlStore:          options.AccessControlStore,
-		CustomRoleHandler:           atomic.Pointer[CustomRoleHandler]{},
 		Experiments:                 experiments,
 		healthCheckGroup:            &singleflight.Group[string, *healthsdk.HealthcheckReport]{},
 		Acquirer: provisionerdserver.NewAcquirer(
@@ -476,8 +475,6 @@ func New(options *Options) *API {
 		dbRolluper: options.DatabaseRolluper,
 	}
 
-	var customRoleHandler CustomRoleHandler = &agplCustomRoleHandler{}
-	api.CustomRoleHandler.Store(&customRoleHandler)
 	api.AppearanceFetcher.Store(&appearance.DefaultFetcher)
 	api.PortSharer.Store(&portsharing.DefaultPortSharer)
 	buildInfo := codersdk.BuildInfoResponse{
@@ -887,8 +884,6 @@ func New(options *Options) *API {
 					r.Get("/", api.listMembers)
 					r.Route("/roles", func(r chi.Router) {
 						r.Get("/", api.assignableOrgRoles)
-						r.With(httpmw.RequireExperiment(api.Experiments, codersdk.ExperimentCustomRoles)).
-							Patch("/", api.patchOrgRoles)
 					})
 
 					r.Route("/{user}", func(r chi.Router) {
@@ -1340,8 +1335,6 @@ type API struct {
 	// passed to dbauthz.
 	AccessControlStore *atomic.Pointer[dbauthz.AccessControlStore]
 	PortSharer         atomic.Pointer[portsharing.PortSharer]
-	// CustomRoleHandler is the AGPL/Enterprise implementation for custom roles.
-	CustomRoleHandler atomic.Pointer[CustomRoleHandler]
 
 	HTTPAuth *HTTPAuthorizer
 
 
@@ -1,7 +1,6 @@
 package coderd
 
 import (
-	"context"
 	"net/http"
 
 	"github.com/google/uuid"
@@ -16,52 +15,6 @@ import (
 	"github.com/coder/coder/v2/coderd/rbac"
 )
 
-// CustomRoleHandler handles AGPL/Enterprise interface for handling custom
-// roles. Ideally only included in the enterprise package, but the routes are
-// intermixed with AGPL endpoints.
-type CustomRoleHandler interface {
-	PatchOrganizationRole(ctx context.Context, rw http.ResponseWriter, r *http.Request, orgID uuid.UUID, role codersdk.PatchRoleRequest) (codersdk.Role, bool)
-}
-
-type agplCustomRoleHandler struct{}
-
-func (agplCustomRoleHandler) PatchOrganizationRole(ctx context.Context, rw http.ResponseWriter, _ *http.Request, _ uuid.UUID, _ codersdk.PatchRoleRequest) (codersdk.Role, bool) {
-	httpapi.Write(ctx, rw, http.StatusForbidden, codersdk.Response{
-		Message: "Creating and updating custom roles is an Enterprise feature. Contact sales!",
-	})
-	return codersdk.Role{}, false
-}
-
-// patchRole will allow creating a custom organization role
-//
-// @Summary Upsert a custom organization role
-// @ID upsert-a-custom-organization-role
-// @Security CoderSessionToken
-// @Produce json
-// @Param organization path string true "Organization ID" format(uuid)
-// @Tags Members
-// @Success 200 {array} codersdk.Role
-// @Router /organizations/{organization}/members/roles [patch]
-func (api *API) patchOrgRoles(rw http.ResponseWriter, r *http.Request) {
-	var (
-		ctx          = r.Context()
-		handler      = *api.CustomRoleHandler.Load()
-		organization = httpmw.OrganizationParam(r)
-	)
-
-	var req codersdk.PatchRoleRequest
-	if !httpapi.Read(ctx, rw, r, &req) {
-		return
-	}
-
-	updated, ok := handler.PatchOrganizationRole(ctx, rw, r, organization.ID, req)
-	if !ok {
-		return
-	}
-
-	httpapi.Write(ctx, rw, http.StatusOK, updated)
-}
-
 // AssignableSiteRoles returns all site wide roles that can be assigned.
 //
 // @Summary Get site member roles
 
@@ -261,6 +261,16 @@ func New(ctx context.Context, options *Options) (_ *API, err error) {
 			r.Delete("/organizations/{organization}", api.deleteOrganization)
 		})
 
+		r.Group(func(r chi.Router) {
+			r.Use(
+				apiKeyMiddleware,
+				api.RequireFeatureMW(codersdk.FeatureCustomRoles),
+				httpmw.RequireExperiment(api.AGPL.Experiments, codersdk.ExperimentCustomRoles),
+				httpmw.ExtractOrganizationParam(api.Database),
+			)
+			r.Patch("/organizations/{organization}/members/roles", api.patchOrgRoles)
+		})
+
 		r.Route("/organizations/{organization}/groups", func(r chi.Router) {
 			r.Use(
 				apiKeyMiddleware,
@@ -795,16 +805,6 @@ func (api *API) updateEntitlements(ctx context.Context) error {
 		api.AGPL.PortSharer.Store(&ps)
 	}
 
-	if initial, changed, enabled := featureChanged(codersdk.FeatureCustomRoles); shouldUpdate(initial, changed, enabled) {
-		var handler coderd.CustomRoleHandler = &enterpriseCustomRoleHandler{API: api, Enabled: enabled}
-		api.AGPL.CustomRoleHandler.Store(&handler)
-	}
-
-	if initial, changed, enabled := featureChanged(codersdk.FeatureMultipleOrganizations); shouldUpdate(initial, changed, enabled) {
-		var handler coderd.CustomRoleHandler = &enterpriseCustomRoleHandler{API: api, Enabled: enabled}
-		api.AGPL.CustomRoleHandler.Store(&handler)
-	}
-
 	// External token encryption is soft-enforced
 	featureExternalTokenEncryption := entitlements.Features[codersdk.FeatureExternalTokenEncryption]
 	featureExternalTokenEncryption.Enabled = len(api.ExternalTokenEncryption) > 0