feat: implement SearchOrganizationPATs admin RPC

Makefile

@@ -4,7 +4,7 @@ TAG := $(shell git rev-list --tags --max-count=1)
 VERSION := $(shell git describe --tags ${TAG})
 .PHONY: build check fmt lint test test-race vet test-cover-html help install proto admin-app compose-up-dev
 .DEFAULT_GOAL := build
-PROTON_COMMIT := "9c069b5e749972014da7784f5c3802745a6e903e"
+PROTON_COMMIT := "eeb82738610b07efaf8f8205c3b00f8b774cf31e"
 
 admin-app:
 	@echo " > generating admin build"

cmd/serve.go

@@ -13,6 +13,7 @@ import (
 
 	"github.com/raystack/frontier/core/aggregates/orgbilling"
 	"github.com/raystack/frontier/core/aggregates/orginvoices"
+	"github.com/raystack/frontier/core/aggregates/orgpats"
 	"github.com/raystack/frontier/core/aggregates/orgprojects"
 	"github.com/raystack/frontier/core/aggregates/orgserviceuser"
 	"github.com/raystack/frontier/core/aggregates/orgserviceusercredentials"
@@ -465,6 +466,9 @@ func buildAPIDependencies(
 	projectService := project.NewService(projectRepository, relationService, userService, policyService,
 		authnService, serviceUserService, groupService)
 
+	orgPATsRepository := postgres.NewOrgPATsRepository(dbc)
+	orgPATsService := orgpats.NewService(orgPATsRepository, projectService)
+
 	resourcePGRepository := postgres.NewResourceRepository(dbc)
 	resourceService := resource.NewService(
 		resourcePGRepository,
@@ -607,6 +611,7 @@ func buildAPIDependencies(
 		OrgBillingService:                orgBillingService,
 		OrgInvoicesService:               orgInvoicesService,
 		OrgTokensService:                 orgTokensService,
+		OrgPATsService:                   orgPATsService,
 		OrgUsersService:                  orgUserService,
 		OrgProjectsService:               orgProjectsService,
 		OrgServiceUserCredentialsService: orgServiceUserCredentialsService,

core/aggregates/orgpats/service.go

@@ -0,0 +1,129 @@
+package orgpats
+
+import (
+	"context"
+	"time"
+
+	"github.com/raystack/frontier/core/authenticate"
+	"github.com/raystack/frontier/core/project"
+	patmodels "github.com/raystack/frontier/core/userpat/models"
+	"github.com/raystack/frontier/internal/bootstrap/schema"
+	"github.com/raystack/frontier/pkg/utils"
+	"github.com/raystack/salt/rql"
+)
+
+type Repository interface {
+	Search(ctx context.Context, orgID string, query *rql.Query) (OrganizationPATs, error)
+}
+
+type ProjectService interface {
+	ListByUser(ctx context.Context, principal authenticate.Principal, flt project.Filter) ([]project.Project, error)
+}
+
+type Service struct {
+	repository     Repository
+	projectService ProjectService
+}
+
+func NewService(repository Repository, projectService ProjectService) *Service {
+	return &Service{
+		repository:     repository,
+		projectService: projectService,
+	}
+}
+
+type CreatedBy struct {
+	ID    string
+	Title string
+	Email string
+}
+
+type AggregatedPAT struct {
+	ID         string
+	Title      string
+	CreatedBy  CreatedBy
+	Scopes     []patmodels.PATScope
+	CreatedAt  time.Time
+	ExpiresAt  time.Time
+	LastUsedAt *time.Time
+	UserID     string
+}
+
+// PATSearchFields is used for RQL validation — flat struct with rql tags.
+type PATSearchFields struct {
+	ID             string     `rql:"name=id,type=string"`
+	Title          string     `rql:"name=title,type=string"`
+	CreatedByTitle string     `rql:"name=created_by_title,type=string"`
+	CreatedByEmail string     `rql:"name=created_by_email,type=string"`
+	CreatedAt      time.Time  `rql:"name=created_at,type=datetime"`
+	ExpiresAt      time.Time  `rql:"name=expires_at,type=datetime"`
+	LastUsedAt     *time.Time `rql:"name=last_used_at,type=datetime"`
+}
+
+type OrganizationPATs struct {
+	PATs       []AggregatedPAT
+	Pagination utils.Page
+}
+
+func (s *Service) Search(ctx context.Context, orgID string, query *rql.Query) (OrganizationPATs, error) {
+	result, err := s.repository.Search(ctx, orgID, query)
+	if err != nil {
+		return OrganizationPATs{}, err
+	}
+
+	if err := s.resolveAllProjectsScope(ctx, orgID, result.PATs); err != nil {
+		return OrganizationPATs{}, err
+	}
+
+	return result, nil
+}
+
+// resolveAllProjectsScope populates ResourceIDs for all-projects scopes by calling SpiceDB.
+// Groups PATs by user_id to minimize SpiceDB calls.
+func (s *Service) resolveAllProjectsScope(ctx context.Context, orgID string, pats []AggregatedPAT) error {
+	// Collect users that have all-projects scopes
+	type allProjectsRef struct {
+		patIdx   int
+		scopeIdx int
+	}
+	userRefs := make(map[string][]allProjectsRef)
+
+	for i, pat := range pats {
+		for j, sc := range pat.Scopes {
+			if sc.ResourceType == schema.ProjectNamespace && len(sc.ResourceIDs) == 0 {
+				userRefs[pat.UserID] = append(userRefs[pat.UserID], allProjectsRef{i, j})
+			}
+		}
+	}
+
+	if len(userRefs) == 0 {
+		return nil
+	}
+
+	// One SpiceDB call per unique user
+	for userID, refs := range userRefs {
+		principal := authenticate.Principal{
+			ID:   userID,
+			Type: schema.UserPrincipal,
+		}
+		projects, err := s.projectService.ListByUser(ctx, principal, project.Filter{OrgID: orgID})
+		if err != nil {
+			return err
+		}
+
+		projectIDs := make([]string, 0, len(projects))
+		for _, p := range projects {
+			projectIDs = append(projectIDs, p.ID)
+		}
+
+		// Copy per PAT to avoid slice aliasing — multiple PATs from the same user
+		// would otherwise share the same underlying array.
+		for _, ref := range refs {
+			idsCopy := make([]string, len(projectIDs))
+			copy(idsCopy, projectIDs)
+			pats[ref.patIdx].Scopes[ref.scopeIdx].ResourceIDs = idsCopy
+		}
+	}
+
+	return nil
+}