feat: move SetOrganizationMemberRole to membership package

[whoAbhishekSah]

Summary

Moves the existing SetOrganizationMemberRole RPC implementation from core/organization into core/membership. Also fixes the known leak where demoting an org owner to viewer left the org#owner direct relation in place.

What changes

New in core/membership/

• SetOrganizationMemberRole(ctx, orgID, principalID, principalType, roleID) — handles the full role-change flow
• Private helpers: validateMinOwnerConstraint, replacePolicy, replaceRelation
• Skips write when role is unchanged (existing optimization carried over)

Removed from core/organization/

• SetMemberRole
• validateSetMemberRoleRequest
• getUserOrgPolicies
• validateMinOwnerConstraint
• replaceUserOrgPolicies

Handler

• SetOrganizationMemberRole RPC handler now calls membershipService.SetOrganizationMemberRole with schema.UserPrincipal
• Error mapping updated to membership package error types (membership.ErrNotMember, membership.ErrInvalidOrgRole, membership.ErrLastOwnerRole)

Bug fix — relation cleanup

Previously, org.SetMemberRole replaced policies but never touched the explicit org#owner or org#member relations. So demoting an owner to viewer left the owner relation in place, continuing to grant owner permissions via SpiceDB.

Now replaceRelation deletes both owner and member relations for the principal before creating the new one matching the target role. Verified by the should succeed demoting owner to viewer with multiple owners test.

Edge cases handled

• Principal type must be app/user (serviceusers bound at creation, not changed via this RPC)
• Org does not exist or is disabled → error
• User does not exist or is disabled → error
• Role does not exist → error
• Role is not org-scoped → error
• User is not a member → ErrNotMember
• Role is unchanged → early return (no writes)
• Min-owner constraint — can't demote the last owner

Test plan

• 6 new unit tests in core/membership/ covering all edge cases above
• Handler tests updated to use membership service mock

Related

• Parent issue: #1478
• Prior PR (AddOrganizationMember): #1537

🤖 Generated with Claude Code

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
frontier	Ready	Preview, Comment	Apr 16, 2026 5:30am

[coderabbitai]

Warning

Rate limit exceeded

@whoAbhishekSah has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 44 minutes and 49 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 44 minutes and 49 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 3f1e93c5-3a44-4d7e-848e-3ac9aad24920

📥 Commits

Reviewing files that changed from the base of the PR and between 899deed and b24631e.

📒 Files selected for processing (2)

• core/membership/service.go
• core/membership/service_test.go

📝 Walkthrough

Walkthrough

This PR moves organization member role-update logic from core/organization to core/membership by adding Service.SetOrganizationMemberRole(principalType-aware), removing the old organization method, updating interfaces and mocks, and rewiring the API handler and tests to call the membership service.

Changes

Cohort / File(s)	Summary
Core Membership Service core/membership/service.go, core/membership/service_test.go	Added SetOrganizationMemberRole(ctx, orgID, principalID, principalType, roleID) with validation, owner-minimum checks, atomic policy replacement, relation replacement, and audit recording; comprehensive tests for control-flow paths.
Core Organization Service Removal core/organization/service.go, core/organization/service_test.go	Removed SetMemberRole and its helper functions and tests, deleting prior org-scoped role-update implementation and related test coverage.
API Interface Updates internal/api/v1beta1connect/interfaces.go	Removed OrganizationService.SetMemberRole(...); added MembershipService.SetOrganizationMemberRole(...) with principal-type parameter.
API Mock Generation internal/api/v1beta1connect/mocks/membership_service.go, internal/api/v1beta1connect/mocks/organization_service.go	Added autogenerated MembershipService mock exposing SetOrganizationMemberRole; removed SetMemberRole mock from OrganizationService.
API Handler and Tests internal/api/v1beta1connect/organization.go, internal/api/v1beta1connect/organization_test.go	Handler switched to membershipService.SetOrganizationMemberRole(...) and updated error mappings; tests updated to use the new membership mock and membership-scoped errors.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related issues

• Centralize membership management into a dedicated package to fix leaky relations #1478: Centralize membership role-update logic into the membership package — this PR moves SetMemberRole to core/membership.
• Add SetOrganizationMemberRole RPC to replace client-side policy manipulation #1459: Add server-side SetOrganizationMemberRole with atomic policy replacement and min-owner enforcement — behavior implemented here.

Possibly related PRs

• feat: add SetOrganizationMemberRole RPC #1471: Implements the same "set organization member role" feature and API rename/move — strong overlap in intent and API surface.
• feat: add membership package and AddOrganizationMembers RPC #1537: Adds/extends core/membership service foundations that this PR builds upon (membership-side role management).
• feat: add audit logging to SetOrganizationMemberRole RPC #1519: Related changes to audit/event naming tied to organization member role-change flows adjusted here.

Suggested reviewers

• rohilsurana
• AmanGIT07
• rsbh

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coveralls]

Coverage Report for CI Build 24493841489

Warning

Build has drifted: This PR's base is out of sync with its target branch, so coverage data may include unrelated changes.
Quick fix: rebase this PR. Learn more →

Coverage decreased (-0.03%) to 41.698%

Details

• Coverage decreased (-0.03%) from the base build.
• Patch coverage: 40 uncovered changes across 2 files (119 of 159 lines covered, 74.84%).
• 46 coverage regressions across 7 files.

Uncovered Changes

File	Changed	Covered	%
core/membership/service.go	153	115	75.16%
internal/api/v1beta1connect/organization.go	6	4	66.67%

Coverage Regressions

46 previously-covered lines in 7 files lost coverage.

File	Lines Losing Coverage	Coverage
internal/store/postgres/org_pats_repository.go	18	78.33%
internal/api/v1beta1connect/user_pat.go	10	79.94%
internal/store/postgres/userpat_repository.go	7	14.9%
core/aggregates/orgpats/service.go	4	92.0%
core/organization/service.go	4	37.87%
internal/api/v1beta1connect/organization_pats.go	2	90.91%
internal/store/postgres/userpat.go	1	89.47%

---

Coverage Stats

Relevant Lines:	36661
Covered Lines:	15287
Line Coverage:	41.7%
Coverage Strength:	11.86 hits per line

---

💛 - Coveralls

[coderabbitai]

Actionable comments posted: 3

🧹 Nitpick comments (1)

core/membership/service_test.go (1)

276-428: Add a regression for relation-replacement failures.

This suite only covers the success path for deleting old relations and creating the new one. A case where RelationService.Delete or Create fails during SetOrganizationMemberRole would lock in the owner-demotion fix and catch the partial-update paths in this new flow.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 7017a580-65f7-4314-aa5d-0fccb1f9afc1

📥 Commits

Reviewing files that changed from the base of the PR and between 08d63db and bc494ac.

📒 Files selected for processing (9)

• core/membership/service.go
• core/membership/service_test.go
• core/organization/service.go
• core/organization/service_test.go
• internal/api/v1beta1connect/interfaces.go
• internal/api/v1beta1connect/mocks/membership_service.go
• internal/api/v1beta1connect/mocks/organization_service.go
• internal/api/v1beta1connect/organization.go
• internal/api/v1beta1connect/organization_test.go

💤 Files with no reviewable changes (3)

• core/organization/service_test.go
• core/organization/service.go
• internal/api/v1beta1connect/mocks/organization_service.go

[coderabbitai]

♻️ Duplicate comments (2)

core/membership/service.go (2)

185-188: ⚠️ Potential issue | 🔴 Critical

Retry can silently skip relation repair after a partial failure.

If Line 194 succeeds and Line 199 fails, a retry hits the no-op at Line 186 and returns early, leaving policy/relation inconsistent.

Suggested fix

-	// skip if the user already has exactly this role
-	if len(existing) == 1 && existing[0].RoleID == roleID {
-		return nil
-	}
+	// keep policy no-op optimization, but still repair relation state
+	if len(existing) == 1 && existing[0].RoleID == roleID {
+		relationName := orgRoleToRelation(fetchedRole)
+		return s.replaceRelation(ctx, orgID, schema.OrganizationNamespace, principalID, principalType, relationName)
+	}

Also applies to: 194-200

---

203-204: ⚠️ Potential issue | 🟠 Major

Audit record write failures are being dropped in the role-change path.

Line 344 ignores AuditRecordRepository.Create errors, so callers get success even when audit persistence fails.

Suggested fix

-	s.auditOrgMemberRoleChanged(ctx, org, usr, roleID)
-	return nil
+	if err := s.auditOrgMemberRoleChanged(ctx, org, usr, roleID); err != nil {
+		return err
+	}
+	return nil
 }
 
-func (s *Service) auditOrgMemberRoleChanged(ctx context.Context, org organization.Organization, usr user.User, roleID string) {
-	s.auditRecordRepository.Create(ctx, auditrecord.AuditRecord{
+func (s *Service) auditOrgMemberRoleChanged(ctx context.Context, org organization.Organization, usr user.User, roleID string) error {
+	if _, err := s.auditRecordRepository.Create(ctx, auditrecord.AuditRecord{
 		Event: pkgAuditRecord.OrganizationMemberRoleChangedEvent,
 		Resource: auditrecord.Resource{
 			ID:   org.ID,
@@
-		OccurredAt: time.Now(),
-	})
+		OccurredAt: time.Now(),
+	}); err != nil {
+		return fmt.Errorf("create audit record: %w", err)
+	}
@@
 	audit.GetAuditor(ctx, org.ID).LogWithAttrs(audit.OrgMemberRoleChangedEvent, audit.Target{
 		ID:   usr.ID,
 		Type: schema.UserPrincipal,
 	}, map[string]string{
 		"role_id": roleID,
 	})
+	return nil
 }

Based on learnings: In core/organization/service.go (SetMemberRole method), returning an audit error after the business operation has already succeeded is an intentional design choice.

Also applies to: 343-363

🧹 Nitpick comments (1)

core/membership/service.go (1)

258-260: Comment text in replaceRelation is outdated.

Line 260 says delete errors are ignored, but the implementation only ignores relation.ErrNotExist and fails on other errors.

Suggested fix

-// on the resource, then creates a new relation with the given name. Delete errors
-// are ignored because the relation may not exist.
+// on the resource, then creates a new relation with the given name. Delete errors
+// are ignored only when they are relation.ErrNotExist.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 2245ba2d-333b-413b-aa99-ccb4bf25fa8a

📥 Commits

Reviewing files that changed from the base of the PR and between bc494ac and 899deed.

📒 Files selected for processing (2)

• core/membership/service.go
• core/membership/service_test.go

🚧 Files skipped from review as they are similar to previous changes (1)

• core/membership/service_test.go