raystack / frontier / 26031121262

43%

main: 42%

Pull #1618

github

refactor(membership): hardcode inheritance perms, drop AST walker

Replaces the runtime SpiceDB-AST-walker-extracted inheritance map with
two small hardcoded constants in internal/bootstrap/schema/schema.go and
a regex-based drift test that scans base_schema.zed at build time.

Why the simpler approach is the right one:

- The two permission lists never change in normal feature work. If they
  ever do, it's a major authz rewrite — at that point a hardcoded list
  is the least of the maintainer's worries.
- The AST walker required importing SpiceDB compiler internals into app
  code. Vendor-internal imports make upgrades harder and tie us to a
  specific SpiceDB version.
- ~150 lines of recursive proto-tree traversal in inheritance.go were a
  maintenance liability for anyone debugging future schema issues.
- The regex drift guard is ~80 lines, fails loudly when arrows change,
  and rejects non-Union expressions (intersection/exclusion) since those
  would silently break filterByRolePermissions's any-of semantics.

Changes:

- internal/bootstrap/schema/schema.go — new ProjectDirectVisibilityPerms
  and OrganizationProjectInheritPerms vars.
- internal/bootstrap/schema/inheritance_perms_test.go — drift guard
  (renamed from inheritance_test.go).
- internal/bootstrap/schema/inheritance.go — deleted.
- internal/bootstrap/service.go — populateInheritance, inheritance
  pointer field, panic guard, compiler import all removed.
- core/membership/service.go — inheritance field and constructor param
  removed; helpers reference the new schema constants directly.
- core/membership/service_test.go — inheritance arg dropped from all
  NewService call sites.
- cmd/serve.go — shared &schema.Inheritance{} allocation and the args
  to both constructors removed.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

155 of 209 new or added lines in 2 files covered. (74.16%)

16124 of 37925 relevant lines covered (42.52%)

11.93 hits per line