refactor: restructure PAT scopes to use role-resource type pairing

[AmanGIT07]

Description:

Summary

• Replace flat role_ids[] + project_ids[] with structured repeated PATScope scopes in Create, Update, Get, List, and PAT response
• Each scope entry pairs a role with its resource type (app/organization or app/project) and optional resource IDs
• Add ErrScopeMismatch error for role-resource type compatibility validation
• Breaking change: Yes (But the RPCs are not being used as they are in development)

PATScope structure

message PATScope {
  string role_id = 1;
  string resource_type = 2;        // "app/organization" or "app/project"
  repeated string resource_ids = 3; // specific resources; empty = all
}

Example

{
   "scopes": [
     {"role_id": "org-viewer-id", "resource_type": "app/organization"},
     {"role_id": "proj-viewer-id", "resource_type": "app/project", "resource_ids": ["proj-1"]}
   ]
 }

Changes

• Proto: New PATScope message in models.proto. PAT, CreateCurrentUserPATRequest, UpdateCurrentUserPATRequest use repeated PATScope scopes (old fields reserved)
• Model: PATScope struct replaces RoleIDs/ProjectIDs on PAT model
• Service: validateScopes validates role-resource type compatibility. createPolicies creates policies from scopes. enrichWithScope reconstructs scopes from policies grouped by role+resource type
• Handler: protoScopesToModel/modelScopesToProto conversion helpers
• Errors: Added ErrScopeMismatch for role-resource type mismatch
• Tests: Updated all service, handler, and e2e tests for new structure

Test

✅ Manual: verified per-project role assignment works (different roles on different projects)
✅ Manual: Create, Update, Get, List return correct scopes with resource IDs
✅ E2E: make e2e-test (pat_test.go updated)

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
frontier	Ready	Preview, Comment	Mar 25, 2026 11:15am

[coderabbitai]

Caution

Review failed

Pull request was closed or merged during review

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: ffa9323e-de27-4c47-af43-3fa0813b20b8

📥 Commits

Reviewing files that changed from the base of the PR and between 72e5e2a and 97edb26.

⛔ Files ignored due to path filters (2)

• proto/v1beta1/frontier.pb.go is excluded by !**/*.pb.go, !proto/**
• proto/v1beta1/frontier.pb.validate.go is excluded by !proto/**

📒 Files selected for processing (2)

• Makefile
• internal/api/v1beta1connect/user_pat.go

🚧 Files skipped from review as they are similar to previous changes (1)

• Makefile

---

📝 Walkthrough

Summary by CodeRabbit

• New Features

  • PATs now use a scopes-based model combining role, resource type, and resource IDs for finer permission expression.
  • PAT create/update APIs accept scopes instead of separate role/project ID lists.

• Bug Fixes / Behavior Changes

  • Validation now enforces role-to-scope compatibility and surfaces clear errors when a role doesn't support the specified scope.

• Chores

  • Updated Proton revision used for protobuf generation.

Walkthrough

Refactors PATs from role/project ID lists to scope-based PATScope objects, adds scope validation and a new ErrScopeMismatch error, updates service, API handlers, tests, and replaces the Proton commit hash in the Makefile.

Changes

Cohort / File(s)	Summary
Build Configuration Makefile	Updated PROTON_COMMIT from dcca57385227df0690df54d66f73b3baacfc580d to 9c069b5e749972014da7784f5c3802745a6e903e.
Errors & Models core/userpat/errors/errors.go, core/userpat/models/pat.go	Added exported ErrScopeMismatch. Introduced PATScope type and replaced PAT fields RoleIDs/ProjectIDs with Scopes []PATScope.
Service Layer core/userpat/service.go	Reworked Create/Update to accept Scopes []PATScope; added validateScopes; refactored policy creation/replacement to derive policies from scopes; updated captureOldScope and enrichWithScope to operate on PATScope values.
Service Tests core/userpat/service_test.go	Updated tests to use Scopes inputs; added/adjusted mocks (notably RoleService.Get and PolicyService.List) and scope-matrix cases.
API Handler internal/api/v1beta1connect/user_pat.go	Handlers now convert protobuf Scopes ↔ model scopes via new helpers; map ErrScopeMismatch to connect.CodeInvalidArgument; remove RoleIds/ProjectIds handling.
API Tests internal/api/v1beta1connect/user_pat_test.go	Replaced request/response RoleIds/RoleIDs usages with Scopes protobuf objects and updated fixtures/mocks accordingly.
E2E Tests test/e2e/regression/pat_test.go	Changed createPAT signature and all regression tests to pass scopes []*frontierv1beta1.PATScope (with RoleId, ResourceType, optional ResourceIds).

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

• feat: implement GetCurrentUserPAT RPC #1450: Touches PAT handling (models, service enrichment, policy listing/mocks) and overlaps core userpat components modified here.
• feat: CreateCurrentUserPAT RPC implementation #1401: Earlier PR introducing the original PAT role/project ID model being refactored to scopes in this change.
• feat: implement UpdateCurrentUserPAT RPC #1467: Modifies PAT update flow on the same service/handler surface now converted to scope-based handling.

Suggested reviewers

• whoAbhishekSah
• rohilsurana

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coveralls]

Pull Request Test Coverage Report for Build 23538167499

Warning: This coverage report may be inaccurate.

This pull request's base commit is no longer the HEAD commit of its target branch. This means it includes changes from outside the original pull request, including, potentially, unrelated coverage changes.

• For more information on this, see Tracking coverage changes with pull request builds.
• To avoid this issue with future PRs, see these Recommended CI Configurations.
• For a quick fix, rebase this PR at GitHub. Your next report should be accurate.

Details

• 107 of 152 (70.39%) changed or added relevant lines in 2 files are covered.
• 3 unchanged lines in 1 file lost coverage.
• Overall coverage decreased (-0.005%) to 41.233%

---

Changes Missing Coverage	Covered Lines	Changed/Added Lines	%
internal/api/v1beta1connect/user_pat.go	39	43	90.7%
core/userpat/service.go	68	109	62.39%

Files with Coverage Reduction	New Missed Lines	%
core/userpat/service.go	3	81.97%

Totals
Change from base Build 23531460663:	-0.005%
Covered Lines:	14724
Relevant Lines:	35709

---

💛 - Coveralls

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (1)

core/userpat/service_test.go (1)

1161-1167: Round-trip the scope matrix through enrichment.

This harness verifies the policyService.Create set, but it never asserts the PAT.Scopes returned from Create/Get. Because of that, reconstruction bugs like org scopes gaining resource_ids or unstable ordering would still pass. Please add a returned-scope assertion for at least one mixed org+project case.

Also applies to: 1186-1235

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 5b692cfe-50e2-4bc3-aa5f-e15a3f8d2503

📥 Commits

Reviewing files that changed from the base of the PR and between 9dba632 and 72e5e2a.

⛔ Files ignored due to path filters (4)

• proto/v1beta1/frontier.pb.go is excluded by !**/*.pb.go, !proto/**
• proto/v1beta1/frontier.pb.validate.go is excluded by !proto/**
• proto/v1beta1/models.pb.go is excluded by !**/*.pb.go, !proto/**
• proto/v1beta1/models.pb.validate.go is excluded by !proto/**

📒 Files selected for processing (8)

• Makefile
• core/userpat/errors/errors.go
• core/userpat/models/pat.go
• core/userpat/service.go
• core/userpat/service_test.go
• internal/api/v1beta1connect/user_pat.go
• internal/api/v1beta1connect/user_pat_test.go
• test/e2e/regression/pat_test.go