raystack / frontier / 25906455387
42%
main: 42%

LAST BUILD BRANCH: fix/sanitize-internal-error-responses
DEFAULT BRANCH: main
Ran 15 May 2026 07:44AM UTC
Jobs 1
Files 277
Run time 1min

15 May 2026 07:39AM UTC coverage: 42.49% (+0.2%) from 42.275%

Pull #1618

github

AmanGIT07
feat(membership): add ListResourcesByPrincipal with schema-derived inheritance

Adds membership.Service.ListResourcesByPrincipal(principal, resourceType,
filter) — a policy-driven replacement for org/project/group.ListByUser
that reads from Postgres policies instead of SpiceDB relations.

Why: today's ListByUser methods call relation.LookupResources, which
reads the SpiceDB membership permission (member + owner). When a user's
role on an org/group is demoted, the policy is updated but the direct
SpiceDB owner/member relation lingers — so demoted users keep appearing
in listings. Policy-driven listing makes Postgres policies the single
source of truth.

Highlights:

- internal/bootstrap/schema/inheritance.go (new) — Inheritance struct
  with ProjectDirectVisibility and OrganizationToProjectInherit lists
  extracted from base_schema.zed at MigrateSchema time. Walks both
  granted-> and pat_granted-> arrows; errors loudly on non-Union rewrites.
- internal/bootstrap/service.go — populateInheritance runs after the
  effective schema is finalized. inheritance pointer is threaded through
  DI so membership reads the canonical lists without drift.
- core/membership/service.go — ListResourcesByPrincipal (top-level,
  PAT-aware) plus listResourcesForPrincipal (per-principal core).
  Three project branches: direct project policies gated by
  ProjectDirectVisibility, group expansion, org inheritance gated by
  OrganizationToProjectInherit and batched via project.Filter.OrgIDs.
- core/project/filter.go — adds OrgIDs []string for the batched
  cross-org expansion (avoids N+1 for users in many orgs).
- core/membership/service_test.go — 16 table-driven cases including
  stale-relation regression, NonInherited, group expansion, OrgID
  narrowing, PAT all-projects scope, no-PAT short-circuit, and
  PAT-narrows-user-access.

No callers migrate in this commit — purely additive. Org/group/project
listing migrations follow in subsequent commits.

Co-Authored-By: Claude Opu... (continued)
Pull Request #1618: feat(membership): add ListResourcesByPrincipal with schema-derived inheritance

215 of 315 new or added lines in 5 files covered. (68.25%)

16168 of 38051 relevant lines covered (42.49%)

11.9 hits per line

Uncovered Changes

Lines  Coverage  ∆       File
51     80.61     -1.06%  core/membership/service.go
20     11.07     -0.93%  internal/bootstrap/service.go
18     76.32             internal/bootstrap/schema/inheritance.go
7      0.0       0.0%    cmd/serve.go
4      51.59     -0.57%  internal/store/postgres/project_repository.go

Jobs
ID  Job ID         Ran                      Files  Coverage
1   25906455387.1  15 May 2026 07:44AM UTC  277    42.49