refactor(schema): remove dead membership permission, drop + member from get

[rohilsurana]

Summary

Phase 2 of the SpiceDB schema cleanup (parent: #1478). Removes the dead membership permission entirely and drops + member from visibility permissions, so stale member relations no longer grant access.

Changes to base_schema.zed

Organization:

• Removed permission membership = member + owner — zero consumers in Go code, frontend code, or other schema permissions. Verified: the MembershipPermission constant exists in both schema.go (Go) and web/sdk/utils/index.ts (frontend) but is never imported or referenced by any caller in either codebase.
• permission get — removed + member. Visibility now requires granted->app_organization_get (policy-backed via rolebinding) or + owner (direct owner relation). A stale member relation without a backing policy no longer grants visibility.

Group:

• Removed permission membership = member + owner — same reasoning.
• permission get — removed + member. Group visibility now requires a rolebinding or owner relation.

Kept as-is:

• + owner on all org/group permissions — functionally equivalent to app_organization_administer (membership service maps owner role -> owner relation). Removing it from ~20 permissions is a separate, larger change.
• member and owner relations — still actively written by Go code. The relations aren't going away; what changed is that get no longer resolves through member.

Also removed

• schema.MembershipPermission constant ("membership") from Go — zero callers since PR refactor(serviceuser): list org service users via membership policies #1694.
• Regenerated testdata/compiled_schema.zed from the compiler (not manually edited).

Note: The matching frontend constant (web/sdk/utils/index.ts:83) is left for a separate SDK cleanup — it's dead code (never imported) and changing it here would touch the SDK build/release pipeline.

Deployment note

Requires that MigrateServiceUserOrgPolicies has run — without it, pre-policy service users that only have a member relation would lose org/group visibility. The backfill runs automatically on frontier serve.

Test plan

• go build ./... passes
• make lint clean
• internal/bootstrap tests pass (golden schema regenerated from compiler)
• Verified zero callers of MembershipPermission / 'membership' in Go and frontend
• e2e regression (CI)
• Manual verification: auth check on org.get and group.get still passes for policy-backed members

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
frontier	Ready	Preview, Comment	Jun 15, 2026 8:21am

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 99a50869-b96b-418a-aefb-83402a417ac7

📥 Commits

Reviewing files that changed from the base of the PR and between 36ed818 and 4ce4b80.

📒 Files selected for processing (3)

• internal/bootstrap/schema/base_schema.zed
• internal/bootstrap/schema/schema.go
• internal/bootstrap/testdata/compiled_schema.zed

💤 Files with no reviewable changes (1)

• internal/bootstrap/schema/schema.go

---

📝 Walkthrough

Summary by CodeRabbit

• Bug Fixes

  • Updated authorization permission model for organizations and groups to restrict access levels. Removed member-based permissions from read access operations, now limited to platform administrators and designated owners.

• Chores

  • Removed synthetic permission definitions and updated internal permission configuration.

Walkthrough

Removes the membership synthetic permission (member + owner) from app/organization and app/group SpiceDB definitions, strips the member term from their get permission expressions, deletes the exported MembershipPermission Go constant, and updates the compiled schema snapshot to match.

Changes

Membership Permission Removal

Layer / File(s)	Summary
Source schema: remove membership and member from get internal/bootstrap/schema/base_schema.zed	Removes permission membership = member + owner and removes + member from the get permission expression in both app/organization and app/group.
Go constant: delete MembershipPermission internal/bootstrap/schema/schema.go	Deletes the exported MembershipPermission = "membership" constant.
Compiled schema snapshot update internal/bootstrap/testdata/compiled_schema.zed	Updates the compiled snapshot to reflect the removed membership permission and the stripped member term from get in both app/group and app/organization.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related issues

• Centralize membership management into a dedicated package to fix leaky relations #1478: This PR directly executes the SpiceDB schema cleanup (Phase 2) described in that issue by removing the membership synthetic permission and member relation contributions from app/organization and app/group.

Suggested reviewers

• whoAbhishekSah

🚥 Pre-merge checks | ✅ 2

✅ Passed checks (2 passed)

Check name	Status	Explanation
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coveralls]

Coverage Report for CI Build 27533381130

Coverage remained the same at 43.631%

Details

• Coverage remained the same as the base build.
• Patch coverage: No coverable lines changed in this PR.
• No coverage regressions found.

Uncovered Changes

No uncovered changes found.

Coverage Regressions

No coverage regressions found.

---

Coverage Stats

Relevant Lines:	37036
Covered Lines:	16159
Line Coverage:	43.63%
Coverage Strength:	12.39 hits per line

---

💛 - Coveralls