feat: add AddOrganizationMembers RPC handler with superadmin auth

Wire the membership package into the AddOrganizationMembers AdminService
RPC. Batch endpoint accepts list of {user_id, role_id} pairs and returns
per-member success/error results.

- Handler iterates members, calls membershipService.AddOrganizationMember
- Domain errors (already member, invalid role, etc.) returned as-is
- Internal errors masked with generic message and logged server-side
- Authorization: IsSuperUser (AdminService)
- Proto regenerated from proton branch with new RPC

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: whoAbhishekSah

Makefile

@@ -4,7 +4,7 @@ TAG := $(shell git rev-list --tags --max-count=1)
 VERSION := $(shell git describe --tags ${TAG})
 .PHONY: build check fmt lint test test-race vet test-cover-html help install proto admin-app compose-up-dev
 .DEFAULT_GOAL := build
-PROTON_COMMIT := "ac2df1932fcddcd7f7ff1af0ded07b14d73b781b"
+PROTON_COMMIT := "f7c40abb4fb97717bb523a8ce6225b45baab1ca7"
 
 admin-app:
 	@echo " > generating admin build"

cmd/serve.go

@@ -92,6 +92,7 @@ import (
 	"github.com/go-webauthn/webauthn/webauthn"
 	"github.com/raystack/frontier/config"
 	"github.com/raystack/frontier/core/group"
+	"github.com/raystack/frontier/core/membership"
 	"github.com/raystack/frontier/core/namespace"
 	"github.com/raystack/frontier/core/organization"
 	"github.com/raystack/frontier/core/policy"
@@ -420,6 +421,8 @@ func buildAPIDependencies(
 	organizationService := organization.NewService(organizationRepository, relationService, userService,
 		authnService, policyService, preferenceService, auditRecordRepository, roleService)
 
+	membershipService := membership.NewService(policyService, relationService, roleService, organizationService, userService, auditRecordRepository)
+
 	orgKycRepository := postgres.NewOrgKycRepository(dbc)
 	orgKycService := kyc.NewService(orgKycRepository)
 
@@ -620,6 +623,7 @@ func buildAPIDependencies(
 		UserProjectsService:              userProjectsService,
 		AuditRecordService:               auditRecordService,
 		UserPATService:                   userPATService,
+		MembershipService:                membershipService,
 	}
 	return dependencies, nil
 }

internal/api/api.go

@@ -31,6 +31,7 @@ import (
 	"github.com/raystack/frontier/core/group"
 	"github.com/raystack/frontier/core/invitation"
 	"github.com/raystack/frontier/core/kyc"
+	"github.com/raystack/frontier/core/membership"
 	"github.com/raystack/frontier/core/metaschema"
 	"github.com/raystack/frontier/core/namespace"
 	"github.com/raystack/frontier/core/organization"
@@ -101,4 +102,5 @@ type Deps struct {
 
 	AuditRecordService *auditrecord.Service
 	UserPATService     *userpat.Service
+	MembershipService  *membership.Service
 }

internal/api/v1beta1connect/interfaces.go

@@ -407,6 +407,10 @@ type AuditRecordService interface {
 	Export(ctx context.Context, query *rql.Query) (io.Reader, string, error)
 }
 
+type MembershipService interface {
+	AddOrganizationMember(ctx context.Context, orgID, principalID, principalType, roleID string) error
+}
+
 type UserPATService interface {
 	ValidateExpiry(expiresAt time.Time) error
 	Create(ctx context.Context, req userpat.CreateRequest) (models.PAT, string, error)

internal/api/v1beta1connect/organization.go

@@ -6,6 +6,7 @@ import (
 	"connectrpc.com/connect"
 	grpczap "github.com/grpc-ecosystem/go-grpc-middleware/logging/zap/ctxzap"
 	"github.com/raystack/frontier/core/audit"
+	"github.com/raystack/frontier/core/membership"
 	"github.com/raystack/frontier/core/organization"
 	"github.com/raystack/frontier/core/policy"
 	"github.com/raystack/frontier/core/project"
@@ -569,6 +570,65 @@ func (h *ConnectHandler) SetOrganizationMemberRole(ctx context.Context, request
 	return connect.NewResponse(&frontierv1beta1.SetOrganizationMemberRoleResponse{}), nil
 }
 
+func (h *ConnectHandler) AddOrganizationMembers(ctx context.Context, request *connect.Request[frontierv1beta1.AddOrganizationMembersRequest]) (*connect.Response[frontierv1beta1.AddOrganizationMembersResponse], error) {
+	errorLogger := NewErrorLogger()
+	orgID := request.Msg.GetOrgId()
+
+	var results []*frontierv1beta1.OrgMemberResult
+	for _, member := range request.Msg.GetMembers() {
+		result := &frontierv1beta1.OrgMemberResult{
+			UserId: member.GetUserId(),
+		}
+
+		if err := h.membershipService.AddOrganizationMember(ctx, orgID, member.GetUserId(), schema.UserPrincipal, member.GetRoleId()); err != nil {
+			result.Success = false
+			result.Error = toClientError(err)
+			if !isDomainError(err) {
+				errorLogger.LogServiceError(ctx, request, "AddOrganizationMembers", err,
+					zap.String("org_id", orgID),
+					zap.String("user_id", member.GetUserId()),
+					zap.String("role_id", member.GetRoleId()))
+			}
+		} else {
+			result.Success = true
+		}
+
+		results = append(results, result)
+	}
+
+	return connect.NewResponse(&frontierv1beta1.AddOrganizationMembersResponse{
+		Results: results,
+	}), nil
+}
+
+// isDomainError returns true if the error is a known domain error safe to expose to clients.
+func isDomainError(err error) bool {
+	knownErrors := []error{
+		membership.ErrAlreadyMember,
+		membership.ErrInvalidOrgRole,
+		organization.ErrNotExist,
+		organization.ErrDisabled,
+		user.ErrNotExist,
+		user.ErrDisabled,
+		role.ErrNotExist,
+		role.ErrInvalidID,
+	}
+	for _, known := range knownErrors {
+		if errors.Is(err, known) {
+			return true
+		}
+	}
+	return false
+}
+
+// toClientError returns a client-safe error message.
+func toClientError(err error) string {
+	if isDomainError(err) {
+		return err.Error()
+	}
+	return ErrInternalServerError.Error()
+}
+
 func (h *ConnectHandler) EnableOrganization(ctx context.Context, request *connect.Request[frontierv1beta1.EnableOrganizationRequest]) (*connect.Response[frontierv1beta1.EnableOrganizationResponse], error) {
 	errorLogger := NewErrorLogger()
 

internal/api/v1beta1connect/v1beta1connect.go

@@ -61,6 +61,7 @@ type ConnectHandler struct {
 	userProjectsService              UserProjectsService
 	auditRecordService               AuditRecordService
 	userPATService                   UserPATService
+	membershipService                MembershipService
 }
 
 func NewConnectHandler(deps api.Deps, authConf authenticate.Config) *ConnectHandler {
@@ -111,6 +112,7 @@ func NewConnectHandler(deps api.Deps, authConf authenticate.Config) *ConnectHand
 		userProjectsService:              deps.UserProjectsService,
 		auditRecordService:               deps.AuditRecordService,
 		userPATService:                   deps.UserPATService,
+		membershipService:                deps.MembershipService,
 	}
 }
 

pkg/server/connect_interceptors/authorization.go

@@ -1016,6 +1016,9 @@ var authorizationValidationMap = map[string]func(ctx context.Context, handler *v
 	"/raystack.frontier.v1beta1.AdminService/AdminCreateOrganization": func(ctx context.Context, handler *v1beta1connect.ConnectHandler, req connect.AnyRequest) error {
 		return handler.IsSuperUser(ctx, req)
 	},
+	"/raystack.frontier.v1beta1.AdminService/AddOrganizationMembers": func(ctx context.Context, handler *v1beta1connect.ConnectHandler, req connect.AnyRequest) error {
+		return handler.IsSuperUser(ctx, req)
+	},
 	"/raystack.frontier.v1beta1.AdminService/SearchOrganizationUsers": func(ctx context.Context, handler *v1beta1connect.ConnectHandler, req connect.AnyRequest) error {
 		return handler.IsSuperUser(ctx, req)
 	},