feat: implement SetProjectMemberRole RPC

[whoAbhishekSah]

Summary

• Add SetProjectMemberRole RPC for atomic role assignment on project members
• Enforces minimum-owner constraint (cannot remove last project owner)
• Validates role is valid for project scope
• Authorization checks update permission on the project

Closes #1461 (partially - RemoveProjectMember will be a separate PR)

Proton PR: raystack/proton#456

Test plan

• Unit tests for service layer pass
• E2E tests for role assignment, validation, and owner constraint
• Verify authorization interceptor enforces update permission

🤖 Generated with Claude Code

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
frontier	Ready	Preview, Comment	Mar 30, 2026 4:18am

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: cbf9c0fa-760d-48a1-b685-6a56bb922692

📥 Commits

Reviewing files that changed from the base of the PR and between cdfc3a9 and 174be71.

📒 Files selected for processing (1)

• pkg/server/connect_interceptors/authorization.go

🚧 Files skipped from review as they are similar to previous changes (1)

• pkg/server/connect_interceptors/authorization.go

---

📝 Walkthrough

Summary by CodeRabbit

• New Features

  • Added a SetProjectMemberRole endpoint to change project member roles with validation and authorization.

• Bug Fixes

  • Improved validation, explicit error mapping, and membership checks for role assignment flows.

• Tests

  • Added comprehensive tests and new mocks covering role retrieval, principal lookup, policy listing, deletion, and creation.

• Chores

  • Updated Proton commit used for protobuf generation.

Walkthrough

Adds a server-side RPC to set a project member's role and implements end-to-end support: service logic, Connect handler, interface/mocks, tests, domain errors, authorization entry, and updates Makefile PROTON_COMMIT.

Changes

Cohort / File(s)	Summary
Build config Makefile	Updated PROTON_COMMIT hash used by make proto.
Server wiring cmd/serve.go	Passed new roleService into project.NewService(...) when assembling API dependencies.
Domain errors core/project/errors.go, internal/api/v1beta1connect/errors.go	Added errors: ErrInvalidProjectRole, ErrNotOrgMember, ErrInvalidPrincipalType (API errors file adds ErrInvalidProjectRole).
Project service implementation core/project/service.go	Added RoleService interface and roleService dependency; implemented Service.SetMemberRole(...) plus helpers validatePrincipal and validateProjectRole; added required service method signatures (Get/Delete/Get).
Service tests core/project/service_test.go	Added mocks.RoleService to test harness, adapted existing NewService calls, and added TestService_SetMemberRole with table-driven scenarios and mock expectations.
Core mocks core/project/mocks/... role_service.go, policy_service.go, group_service.go, serviceuser_service.go	Added autogenerated RoleService mock and typed mock methods/expecters: PolicyService.Delete, GroupService.Get, ServiceuserService.Get, plus helpers for configuring calls/returns.
API interface & mocks internal/api/v1beta1connect/interfaces.go, internal/api/v1beta1connect/mocks/project_service.go	Added ProjectService.SetMemberRole(...) to Connect interface and corresponding mock expecter/call helpers.
API handler internal/api/v1beta1connect/project.go	Added ConnectHandler.SetProjectMemberRole(...) with request validation, service invocation, structured logging, and domain→Connect error mapping.
Authorization interceptor pkg/server/connect_interceptors/authorization.go	Added authorization validation entry for FrontierService/SetProjectMemberRole, checking update on the project resource.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

• feat: implement SearchOrganizationPATs admin RPC #1482: also updates the PROTON_COMMIT Makefile variable (same Build/proto input change).
• feat: implement UpdateCurrentUserPAT RPC #1467: also changes PROTON_COMMIT used by make proto.
• feat: implement CheckCurrentUserPATTitle RPC #1469: also updates PROTON_COMMIT hash for protobuf generation.

Suggested reviewers

• rsbh

🚥 Pre-merge checks | ✅ 1 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Out of Scope Changes check	❓ Inconclusive	Proton commit update in Makefile appears related to protobuf generation for the RPC, but PR description references proton PR #456 without explicit confirmation of what changes are needed.	Verify that the Proton commit hash f51485d9a328b15f0a8d0dc14fcb405438e7ba93 includes the SetProjectMemberRole RPC proto definition from raystack/proton#456.

✅ Passed checks (1 passed)

Check name	Status	Explanation
Linked Issues check	✅ Passed	All core requirements from issue #1461 have been implemented: SetProjectMemberRole RPC handles both add and role change as atomic operations, validates project role scopes, enforces authorization with update permission, and includes unit tests.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 5

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

core/project/service_test.go (1)

23-35: ⚠️ Potential issue | 🟠 Major

Add direct unit tests for SetMemberRole behavior (currently missing).

This update wires new dependencies, but the new project-member role mutation path is not covered here. Please add focused tests for role validation, non-member handling, and last-owner protection to reduce regression risk in the new RPC path.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 56252940-859b-4c10-83dd-9b50d88a457e

📥 Commits

Reviewing files that changed from the base of the PR and between d05d9e5 and b32bbf7.

⛔ Files ignored due to path filters (3)

• proto/v1beta1/frontier.pb.go is excluded by !**/*.pb.go, !proto/**
• proto/v1beta1/frontier.pb.validate.go is excluded by !proto/**
• proto/v1beta1/frontierv1beta1connect/frontier.connect.go is excluded by !proto/**

📒 Files selected for processing (12)

• Makefile
• cmd/serve.go
• core/project/errors.go
• core/project/mocks/policy_service.go
• core/project/mocks/role_service.go
• core/project/service.go
• core/project/service_test.go
• internal/api/v1beta1connect/errors.go
• internal/api/v1beta1connect/interfaces.go
• internal/api/v1beta1connect/mocks/project_service.go
• internal/api/v1beta1connect/project.go
• pkg/server/connect_interceptors/authorization.go

[coveralls]

Pull Request Test Coverage Report for Build 23633134429

Details

• 64 of 111 (57.66%) changed or added relevant lines in 4 files are covered.
• No unchanged relevant lines lost coverage.
• Overall coverage increased (+0.05%) to 41.284%

---

Changes Missing Coverage	Covered Lines	Changed/Added Lines	%
cmd/serve.go	0	1	0.0%
pkg/server/connect_interceptors/authorization.go	0	4	0.0%
core/project/service.go	64	70	91.43%
internal/api/v1beta1connect/project.go	0	36	0.0%

Totals
Change from base Build 23540166648:	0.05%
Covered Lines:	14787
Relevant Lines:	35818

---

💛 - Coveralls

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (1)

core/project/service.go (1)

360-363: ⚠️ Potential issue | 🟠 Major

The last-owner invariant is gone.

Demoting the only direct owner now succeeds and leaves the project with zero project-scoped owners. That regresses the owner-constraint behavior this RPC is supposed to preserve; if org-level fallback is intentionally replacing that invariant, the contract/tests need to change too.

Also applies to: 377-390

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 7a3f72ab-6cdf-4e25-beb2-3c66806bc560

📥 Commits

Reviewing files that changed from the base of the PR and between b32bbf7 and fc069d7.

📒 Files selected for processing (3)

• core/project/errors.go
• core/project/service.go
• internal/api/v1beta1connect/project.go

🚧 Files skipped from review as they are similar to previous changes (2)

• core/project/errors.go
• internal/api/v1beta1connect/project.go

[coderabbitai]

♻️ Duplicate comments (1)

core/project/service.go (1)

362-402: ⚠️ Potential issue | 🟠 Major

Use the resolved project ID (prj.ID) consistently.

Lines 380 and 396 use the raw projectID parameter instead of prj.ID. Since s.Get() at line 366 resolves both UUIDs and names, passing a project name will cause the policy filter and create operations to use the name string instead of the canonical UUID.

🐛 Proposed fix

 	existingPolicies, err := s.policyService.List(ctx, policy.Filter{
-		ProjectID:     projectID,
+		ProjectID:     prj.ID,
 		PrincipalID:   principalID,
 		PrincipalType: principalType,
 	})
@@
 	_, err = s.policyService.Create(ctx, policy.Policy{
 		RoleID:        newRoleID,
-		ResourceID:    projectID,
+		ResourceID:    prj.ID,
 		ResourceType:  schema.ProjectNamespace,
 		PrincipalID:   principalID,
 		PrincipalType: principalType,
 	})

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: c2d62ec5-29b5-4805-9f36-2c26ab203e72

📥 Commits

Reviewing files that changed from the base of the PR and between fc069d7 and 1d15a38.

⛔ Files ignored due to path filters (2)

• proto/v1beta1/frontier.pb.go is excluded by !**/*.pb.go, !proto/**
• proto/v1beta1/frontier.pb.validate.go is excluded by !proto/**

📒 Files selected for processing (9)

• Makefile
• core/project/errors.go
• core/project/mocks/group_service.go
• core/project/mocks/serviceuser_service.go
• core/project/service.go
• core/project/service_test.go
• internal/api/v1beta1connect/interfaces.go
• internal/api/v1beta1connect/mocks/project_service.go
• internal/api/v1beta1connect/project.go

🚧 Files skipped from review as they are similar to previous changes (3)

• Makefile
• internal/api/v1beta1connect/project.go
• core/project/errors.go

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

core/project/service_test.go (1)

59-60: Remove redundant _ = roleService no-op assignments.

These lines add noise and can be dropped since roleService is passed to project.NewService(...) in the same scope.

Also applies to: 77-78, 122-123, 140-141

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: d83355dc-3728-44ea-b279-794bb4b06969

📥 Commits

Reviewing files that changed from the base of the PR and between 1d15a38 and cdfc3a9.

📒 Files selected for processing (3)

• core/project/service.go
• core/project/service_test.go
• pkg/server/connect_interceptors/authorization.go

✅ Files skipped from review due to trivial changes (1)

• pkg/server/connect_interceptors/authorization.go

🚧 Files skipped from review as they are similar to previous changes (1)

• core/project/service.go

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Missing unit case for minimum-owner protection invariant.

TestService_SetMemberRole covers many paths, but it doesn’t assert the “cannot remove/downgrade the last project owner” rule. That invariant is central to this RPC; please add an explicit negative test for it to prevent silent regressions.