Skip to content

fix: remove unused user and org relations from app/pat schema#1741

Merged
whoAbhishekSah merged 1 commit into
mainfrom
remove-unused-app-pat-relations
Jul 8, 2026
Merged

fix: remove unused user and org relations from app/pat schema#1741
whoAbhishekSah merged 1 commit into
mainfrom
remove-unused-app-pat-relations

Conversation

@whoAbhishekSah

@whoAbhishekSah whoAbhishekSah commented Jul 8, 2026

Copy link
Copy Markdown
Member

What

The app/pat definition in the base SpiceDB schema declared two relations, user and org, that are never used. This removes them.

Why they are unused

  • Nothing writes them. When a PAT is created, its owning user and org are saved as columns on the pat Postgres table (user_id, org_id). The code never writes an app/pat#user or app/pat#org tuple. The only SpiceDB writes for a PAT are its role scopes, where the PAT is the subject (the bearer of a role).
  • Nothing reads them. No permission refers to pat->user or pat->org.
  • Listing does not need them. Listing PATs by user or org is a plain SQL query on the pat table.

Impact

None on access. These relations sit in no permission rule, so removing them cannot change any permission check. app/pat stays valid as a subject type (like app/user {}), so it still appears as app/pat:* in role relations and as a bearer on rolebindings.

Closes #1740

🤖 Generated with Claude Code

@vercel

vercel Bot commented Jul 8, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
frontier Ready Ready Preview, Comment Jul 8, 2026 6:06am

@coderabbitai

coderabbitai Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 7d251c56-d1ea-4500-b08a-81fa1e7bda28

📥 Commits

Reviewing files that changed from the base of the PR and between 6609ed0 and 20308e3.

📒 Files selected for processing (2)
  • internal/bootstrap/schema/base_schema.zed
  • internal/bootstrap/testdata/compiled_schema.zed
🚧 Files skipped from review as they are similar to previous changes (2)
  • internal/bootstrap/schema/base_schema.zed
  • internal/bootstrap/testdata/compiled_schema.zed

📝 Walkthrough

Summary by CodeRabbit

  • Bug Fixes
    • Simplified access-token (app/pat) records by removing their links to user and organization.
    • Updated the compiled schema to reflect the new, reduced access-token structure so schema outputs match runtime behavior.

Walkthrough

The app/pat schema definition in both the source schema and compiled test schema was changed from including user and org relations to an empty definition.

Changes

Schema cleanup

Layer / File(s) Summary
Remove user and org relations from app/pat
internal/bootstrap/schema/base_schema.zed, internal/bootstrap/testdata/compiled_schema.zed
The app/pat definition is changed from declaring user: app/user and org: app/organization relations to an empty definition in both schema files.

Estimated code review effort: 1 (Trivial) | ~3 minutes

Related Issues

Fixes: #1740

Suggested Labels

schema, cleanup

Suggested Reviewers

None

Poem

A rabbit hopped through schema's floor,
Found relations no one wore,
"user" and "org" — unused, unread,
So off they went, the rabbit said.
Now app/pat stands lean and bare,
Clean and tidy, past compare! 🐇

🚥 Pre-merge checks | ✅ 2
✅ Passed checks (2 passed)
Check name Status Explanation
Linked Issues check ✅ Passed The PR removes the unused user and org relations from app/pat in the schema and compiled testdata, matching the linked issue exactly.
Out of Scope Changes check ✅ Passed The only code changes are the requested schema cleanup in base_schema.zed and compiled_schema.zed; no unrelated changes are present.

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coveralls

coveralls commented Jul 8, 2026

Copy link
Copy Markdown

Coverage Report for CI Build 28921410391

Coverage remained the same at 44.879%

Details

  • Coverage remained the same as the base build.
  • Patch coverage: No coverable lines changed in this PR.
  • No coverage regressions found.

Uncovered Changes

No uncovered changes found.

Coverage Regressions

No coverage regressions found.


Coverage Stats

Coverage Status
Relevant Lines: 37621
Covered Lines: 16884
Line Coverage: 44.88%
Coverage Strength: 12.49 hits per line

💛 - Coveralls

@whoAbhishekSah

Copy link
Copy Markdown
Member Author

Manual E2E test — PAT flow

Ran the full PAT lifecycle against a local server that already has this change live (zed schema read shows definition app/pat {}, matching the committed diff).

Setup

  • Fresh org pat1741-*
  • patuser1 → org owner (created the org)
  • patuser2 → org viewer (added via CreatePolicy)
  • Each user acted with its own session cookie

Results

Area Check Result
Create CheckCurrentUserPATTitle (free, then taken, case-insensitive) ✅ true → false
Create CreateCurrentUserPAT user1 (manager scope) + user2 (viewer scope) ✅ tokens issued
Create duplicate title 409 conflict
Listing ListRolesForPAT (org scope) ✅ owner/manager/viewer returned
Listing SearchCurrentUserPATs ✅ each user sees only their own PAT
Get GetCurrentUserPAT own used_at populated after use
Auth PAT bearer resolves to owning user GetCurrentUser returns the owner
Scope: read GetOrganization via both PATs ✅ both 200 (both roles have get)
Scope: write UpdateOrganization: manager vs viewer 200 vs 403
Update UpdateCurrentUserPAT downgrade manager → viewer ✅ same token loses update (403), keeps get (200)
Update RegenerateCurrentUserPAT ✅ token rotated, old → 401, new → 200, scope preserved
Isolation user2 get/update/delete user1's PAT ✅ all 404
Delete DeleteCurrentUserPAT ✅ token → 401, Search → 0
SpiceDB bearer app/pat:<id> rolebinding tuples present, removed on delete
Auth invalid token unauthenticated

Conclusion

No functional impact. The removed relations were not in any permission path. app/pat still works as a subject type — rolebindings carry bearer app/pat:<id>, scoped permissions enforce correctly (manager could update the org, viewer was denied), and create/update/regenerate/delete all cascade through SpiceDB as before.

The app/pat definition declared `user` and `org` relations that are
never used. A PAT stores its owning user and org as columns on the pat
Postgres table, not as SpiceDB tuples, and no permission reads
`pat->user` or `pat->org`. Listing PATs by user or org is a SQL query.

Replace the block with an empty definition. app/pat stays valid as a
subject type, so it can still appear as `app/pat:*` in role relations
and as a bearer on rolebindings. Update the generator test fixture to
match.

No access impact: these relations sit in no permission rule.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@whoAbhishekSah whoAbhishekSah changed the title Remove unused user and org relations from app/pat schema fix: remove unused user and org relations from app/pat schema Jul 8, 2026
@whoAbhishekSah whoAbhishekSah merged commit 545ee21 into main Jul 8, 2026
8 checks passed
@whoAbhishekSah whoAbhishekSah deleted the remove-unused-app-pat-relations branch July 8, 2026 06:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Remove unused user and org relations from app/pat schema definition

3 participants