refactor(schema): remove member relation from app/organization

[rohilsurana]

Summary

Removes the member relation from app/organization in the SpiceDB schema. After the parent PR (#1700) dropped + member from org.get, this relation had zero schema consumers — no permission resolved through it. This PR completes the removal by also stopping Go code from writing it.

Stacked on #1700.

Schema change

 definition app/organization {
     relation platform: app/platform
     relation granted: app/rolebinding
     relation pat_granted: app/rolebinding
-    relation member: app/user | app/group#member | app/serviceuser
     relation owner: app/user | app/serviceuser

Go changes (core/membership)

• orgRoleToRelation — non-owner roles now return "" (was "member"). Only the owner role produces an owner relation.
• AddOrganizationMember — skips SpiceDB relation write when the role doesn't map to a relation (non-owner adds create only the policy+rolebinding, which is sufficient for all granted-> permissions).
• SetOrganizationMemberRole — uses new replaceOrRemoveRelation helper: deletes old owner relation (if any), creates new only if non-empty. Demoting an owner to viewer now removes the owner relation with no replacement.
• removeRelations — parameterized with explicit relation names. Org sweeps only [owner]; group sweeps [owner, member] (group member relation is still live).
• linkGroupToOrg / unlinkGroupFromOrg — removed the org#member@group#member tuple write/delete. This tuple made group members resolve as org members via the member relation — no longer needed since + member is gone from all org permissions.

Existing SpiceDB tuples

Old org#member@user and org#member@group#member tuples remain in SpiceDB but are harmless — no permission definition references them, so they're unreachable by any Check or LookupSubjects call.

Test plan

• go build ./... passes
• make lint clean
• go test -race ./core/membership/... -count=2 passes (17 test expectations updated)
• Golden schema regenerated from compiler
• e2e regression (CI)

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
frontier	Ready	Preview, Comment	Jun 15, 2026 10:01am

[coderabbitai]

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 06b7588f-954c-4d9b-8ce5-86009920ae26

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coveralls]

Coverage Report for CI Build 27538676235

Coverage increased (+0.002%) to 43.633%

Details

• Coverage increased (+0.002%) from the base build.
• Patch coverage: 9 uncovered changes across 1 file (33 of 42 lines covered, 78.57%).
• 2 coverage regressions across 1 file.

Uncovered Changes

File	Changed	Covered	%
core/membership/service.go	42	33	78.57%

Coverage Regressions

2 previously-covered lines in 1 file lost coverage.

File	Lines Losing Coverage	Coverage
core/membership/service.go	2	82.28%

---

Coverage Stats

Relevant Lines:	37027
Covered Lines:	16156
Line Coverage:	43.63%
Coverage Strength:	12.39 hits per line

---

💛 - Coveralls