fix(group): resolve PAT to user before owner wiring on group create

[AmanGIT07]

Summary

CreateGroup writes the Postgres row before calling membership.OnGroupCreated. For PAT-authenticated principals, OnGroupCreated → SetGroupMemberRole → validateGroupPrincipal rejects the app/pat principal type and returns ErrInvalidPrincipalType. The error propagates to the caller, but groups.repository.Create is not rolled back, leaving an orphan row with no SpiceDB hierarchy and no owner policy. Resolve the PAT to its underlying user via principal.ResolveSubject() before invoking OnGroupCreated, mirroring core/project/service.go:Create.

Changes

• core/group/service.go:Create — call principal.ResolveSubject() and pass the resolved subjectID, subjectType to OnGroupCreated. PAT collapses to its underlying user; user/service-user principals pass through unchanged.
• core/group/service_test.go — add TestService_Create subtest covering the PAT case; asserts the membership service receives (userID, app/user) rather than (patID, app/pat).

Test Plan

• go test -race ./core/group/... ./core/membership/... — green
• golangci-lint run ./core/group/... — 0 issues
• TestService_Create — all 4 subtests pass (including the new PAT case)

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
frontier	Ready	Preview, Comment	May 29, 2026 7:48am

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 6df23a0a-8e90-447b-ad1d-3c9702faee54

📥 Commits

Reviewing files that changed from the base of the PR and between b2e858e and 65b0f73.

📒 Files selected for processing (2)

• core/group/service.go
• core/group/service_test.go

🚧 Files skipped from review as they are similar to previous changes (1)

• core/group/service.go

---

📝 Walkthrough

Summary by CodeRabbit

• Bug Fixes
  • Group ownership now correctly attributes ownership to the underlying user account instead of the authentication token when created via personal access tokens.
  • Improved failure handling during group creation: failed membership assignment now triggers cleanup of the created group and surfaces clearer combined rollback error messages.

Walkthrough

Service.Create now resolves authenticated principals to their underlying subject via ResolveSubject() before passing ownership identity to membershipService.OnGroupCreated. A test validates this behavior for PAT principals, ensuring the underlying user ID is attributed as the group owner instead of the token identity.

Changes

Principal resolution in group ownership

Layer / File(s)	Summary
Principal resolution in group creation core/group/service.go	Service.Create resolves the authenticated principal to its underlying subject and passes the resolved subjectID/subjectType to membershipService.OnGroupCreated instead of the original principal's ID/Type.
PAT principal resolution and rollback tests core/group/service_test.go	Adds a TestService_Create subtest verifying PAT principals resolve to their underlying user ID for OnGroupCreated, and expands rollback-failure assertions to require combined error fragments including rollback delete errors.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related issues

• Bug: CreateGroup via PAT creates an orphan group row #1645: Implements resolving principals via principal.ResolveSubject() before calling membershipService.OnGroupCreated to prevent orphaned groups created with PATs.

Possibly related PRs

• raystack/frontier#1551: Related change that also updates ownership attribution by resolving PAT principals to underlying users for downstream hooks.

Suggested reviewers

• rohilsurana
• whoAbhishekSah

🚥 Pre-merge checks | ✅ 2

✅ Passed checks (2 passed)

Check name	Status	Explanation
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 2f2545f0-e0c7-493b-8a5f-02d49ba1c962

📥 Commits

Reviewing files that changed from the base of the PR and between e399d9c and b2e858e.

📒 Files selected for processing (2)

• core/group/service.go
• core/group/service_test.go

[coveralls]

Coverage Report for CI Build 26625095931

Coverage increased (+0.005%) to 42.852%

Details

• Coverage increased (+0.005%) from the base build.
• Patch coverage: 5 of 5 lines across 1 file are fully covered (100%).
• No coverage regressions found.

Uncovered Changes

No uncovered changes found.

Coverage Regressions

No coverage regressions found.

---

Coverage Stats

Relevant Lines:	37849
Covered Lines:	16219
Line Coverage:	42.85%
Coverage Strength:	12.0 hits per line

---

💛 - Coveralls