Problem
Project member management in the SDK relies entirely on raw policy CRUD. Unlike org members (which have removeOrganizationUser, createOrganizationInvitation), projects have no high-level RPCs for adding members, role changes, or member removal.
Current SDK flows that directly manipulate policies:
- Add member: createPolicyForProject(projectId, principal, roleId) — policy-level RPC, client formats principal string
- Change role: listPolicies → deletePolicy x N → createPolicy — same non-atomic pattern as org (see #1459)
- Remove member: listPolicies → deletePolicy x N — no removeProjectMember RPC exists at all
The SDK enforces one role per user per project in all cases — add always assigns one role, change deletes all then creates one.
New RPCs needed
SetProjectMemberRole
```protobuf
rpc SetProjectMemberRole(SetProjectMemberRoleRequest) returns (SetProjectMemberRoleResponse);

message SetProjectMemberRoleRequest {
  string project_id = 1;
  string user_id = 2;
  string role_id = 3;
}
```

Handles both add and role change:
- No existing policies → creates one (add member)
- Existing policies → deletes old, creates new (role change)
Replaces createPolicyForProject + the deletePolicy x N → createPolicy pattern.
RemoveProjectMember
```protobuf
rpc RemoveProjectMember(RemoveProjectMemberRequest) returns (RemoveProjectMemberResponse);

message RemoveProjectMemberRequest {
  string project_id = 1;
  string user_id = 2;
}
```

Replaces listPolicies → deletePolicy x N. Equivalent of removeOrganizationUser but for projects.
Authorization
Both RPCs should check update on the project in the interceptor — matching the SDK's existing batchCheckPermission pre-check and consistent with createPolicyForProject which already checks update on project.
Target state
| Operation | Current (policy from client) | Target (server-side) |
|---|---|---|
| List members | listProjectUsers | No change |
| Add member | createPolicyForProject | SetProjectMemberRole |
| Change role | listPolicies → deletePolicy x N → createPolicy | SetProjectMemberRole |
| Remove member | listPolicies → deletePolicy x N | RemoveProjectMember |
SDK stops using createPolicyForProject, listPolicies, deletePolicy, and createPolicy for project member management entirely.
Related: #1459 (same pattern for org members)
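
The sketch below is an added illustration, not part of the issue and not the project's code. It models why the chained delete-then-create flow can leave a member with zero or several roles while a single server-side call cannot. `Store`, `Member`, `locked`, `DeletePolicies` and `CreatePolicy` are hypothetical names; an in-memory map stands in for the policy table and the mutex for a database transaction.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

// Member identifies one user on one project (hypothetical, simplified model).
type Member struct{ Project, User string }

// Store maps each member to the role IDs of their policies (constructed stand-in).
type Store struct {
	mu    sync.Mutex
	roles map[Member][]string
}

// locked runs f while holding mu, the stand-in for one database transaction.
func (s *Store) locked(f func()) {
	s.mu.Lock()
	defer s.mu.Unlock()
	f()
}

// Roles returns a copy of the roles the member currently holds.
func (s *Store) Roles(m Member) (out []string) {
	s.locked(func() { out = append(out, s.roles[m]...) })
	return out
}

// DeletePolicies and CreatePolicy model the raw client-chained calls; each commits alone.
func (s *Store) DeletePolicies(m Member) { s.locked(func() { delete(s.roles, m) }) }
func (s *Store) CreatePolicy(m Member, role string) {
	s.locked(func() { s.roles[m] = append(s.roles[m], role) })
}

// SetProjectMemberRole validates first, then replaces the role set in one step.
func (s *Store) SetProjectMemberRole(m Member, role string) error {
	if m.Project == "" || m.User == "" || role == "" {
		return errors.New("project_id, user_id and role_id are required")
	}
	s.locked(func() { s.roles[m] = []string{role} })
	return nil
}

func main() {
	s, m := &Store{roles: map[Member][]string{}}, Member{Project: "p1", User: "u1"}
	s.CreatePolicy(m, "viewer")
	fmt.Println(s.SetProjectMemberRole(m, "owner"), s.Roles(m))
}
```

A client that stops after `DeletePolicies` leaves the member with no role, and two clients whose calls interleave leave two roles; neither state is reachable through `SetProjectMemberRole`.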