Skip to content
Permalink

Comparing changes

Choose two branches to see what’s changed or to start a new pull request. If you need to, you can also or learn more about diff comparisons.

Open a pull request

Create a new pull request by comparing changes across two branches. If you need to, you can also . Learn more about diff comparisons here.
base repository: raystack/frontier
Failed to load repositories. Confirm that selected base ref is valid, then try again.
Loading
base: main
Choose a base ref
...
head repository: raystack/frontier
Failed to load repositories. Confirm that selected head ref is valid, then try again.
Loading
compare: feat/membership-handler
Choose a head ref
Checking mergeability… Don’t worry, you can still create the pull request.
  • 6 commits
  • 19 files changed
  • 2 contributors

Commits on Apr 14, 2026

  1. feat: add membership package with AddOrganizationMember

    Introduce core/membership package that manages policy + relation
    together for org membership operations. AddOrganizationMember
    validates org/user/role, creates policy + explicit relation, and
    emits audit records.
    
    - Validates org exists and is enabled, user exists and is enabled,
      role is org-scoped (global or org-specific)
    - Rejects if user is already a member
    - Creates policy and matching explicit relation (owner role -> owner
      relation, everything else -> member relation)
    - Audit logging via both structured records and event auditor
    - 12 unit tests covering all error and success paths
    
    Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
    whoAbhishekSah and claude committed Apr 14, 2026
    Configuration menu
    Copy the full SHA
    98d72e3 View commit details
    Browse the repository at this point in the history
  2. fix: add compensating policy cleanup when relation creation fails

    If createRelation fails after createPolicy succeeds, attempt to
    delete the orphaned policy. Log a warning if the cleanup also fails
    so the orphan can be investigated.
    
    Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
    whoAbhishekSah and claude committed Apr 14, 2026
    Configuration menu
    Copy the full SHA
    9e2a6a4 View commit details
    Browse the repository at this point in the history
  3. fix: reject non-user principal types upfront in AddOrganizationMember

    Validate principalType is app/user before any service calls. Prevents
    invalid membership data if a caller passes a serviceuser or group
    principal type.
    
    Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
    whoAbhishekSah and claude committed Apr 14, 2026
    Configuration menu
    Copy the full SHA
    9250d2d View commit details
    Browse the repository at this point in the history
  4. fix: gofmt alignment in errors.go

    Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
    whoAbhishekSah and claude committed Apr 14, 2026
    Configuration menu
    Copy the full SHA
    ed58462 View commit details
    Browse the repository at this point in the history

Commits on Apr 15, 2026

  1. feat: add AddOrganizationMembers RPC handler with superadmin auth

    Wire the membership package into the AddOrganizationMembers AdminService
    RPC. Batch endpoint accepts list of {user_id, role_id} pairs and returns
    per-member success/error results.
    
    - Handler iterates members, calls membershipService.AddOrganizationMember
    - Domain errors (already member, invalid role, etc.) returned as-is
    - Internal errors masked with generic message and logged server-side
    - Authorization: IsSuperUser (AdminService)
    - Proto regenerated from proton branch with new RPC
    
    Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
    whoAbhishekSah and claude committed Apr 15, 2026
    Configuration menu
    Copy the full SHA
    458c938 View commit details
    Browse the repository at this point in the history
  2. fix: always check org scope on roles, remove stale comment

    Rohil pointed out that the previous check let custom roles created
    for an org pass even if they weren't scoped to the org namespace.
    Now we check schema.OrganizationNamespace scope first, before
    deciding if the role is platform-wide or org-specific.
    
    Also remove stale 'replacePolicy deletes...' comment on createPolicy.
    
    Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
    whoAbhishekSah and claude committed Apr 15, 2026
    Configuration menu
    Copy the full SHA
    5ea5a1b View commit details
    Browse the repository at this point in the history
Loading