fix(project): make org immutable via UpdateProject#1598

Merged: AmanGIT07 merged 4 commits into main from fix/immutable-project-org on May 12, 2026

@AmanGIT07
Contributor

Description:

Summary

Closes #1584. UpdateProject no longer allows re-parenting a project to a different organization. Parent org becomes structurally immutable through this RPC.

Changes

  • Proto (raystack/proton): split ProjectRequestBody — new UpdateProjectRequestBody (no org_id, tag 4 reserved). ProjectRequestBody retained for CreateProject.
  • Repo (internal/store/postgres/project_repository.go): drop org_id from UpdateByID / UpdateByName SET clauses. Remove unreachable ErrForeignKeyViolation → organization.ErrNotExist branches.
  • Handler (internal/api/v1beta1connect/project.go): stop reading org_id from request body; auditor org now sourced from the updated project
    (updatedProject.Organization.ID) instead of caller-supplied.
  • CLI (cmd/project.go): frontier project edit body parses into UpdateProjectRequestBody.
  • Tests: handler and repo tests updated; obsolete org_id FK-error cases removed.

Technical Details

  • Wire compatibility: server JSON codec sets DiscardUnknown: true (pkg/server/codecs.go:46) and proto3 binary ignores unknown fields, so legacy clients still sending
    org_id continue to work — the field is silently dropped server-side. Not a client-side breaking change.
  • Auth: IsAuthorized(project, update) already inherits through SpiceDB's org→project graph; with org_id gone from the request there's no destination-org to authorize.
  • Audit: event type, target, and dispatch unchanged; auditor's org context moved from caller-supplied to project-truth (correctness improvement on same code path).

Follow-ups (not in this PR)

  • core/group/service.go::Update + internal/store/postgres/group_repository.go have the identical re-parenting shape — worth a separate ticket.
  • Three SDK files (web/sdk/admin/.../rename-project.tsx, web/sdk/react/views-new/.../edit-project-dialog.tsx, web/sdk/react/views/.../project-general.tsx) still send
    orgId in the body. Safe today (server drops it); cleanup once @raystack/proton bumps in web/sdk/package.json.

Test Plan

  • make lint clean
  • go test ./core/... ./internal/api/... ./cmd/... passes
  • Manual: edit project title/metadata via API → succeeds, org_id unchanged in Postgres
  • Manual: send request body with org_id set to a different org → silently ignored, project remains in original org, SpiceDB tuple unchanged
  • E2E suite passes
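
The wire-compatibility and audit points in the description above, as an added Go example that is not Frontier's code. Assumptions: `Project`, `UpdateProjectBody`, `Store` and `HandleUpdate` are hypothetical names, an in-memory map stands in for Postgres, and `encoding/json` (which ignores unknown keys by default) stands in for the server codec with `DiscardUnknown: true`.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Hypothetical stand-ins for the PR's types; not Frontier's code.
type Project struct{ ID, Name, Title, OrgID string }

// UpdateProjectBody has no org field, so a caller-supplied org_id cannot bind.
type UpdateProjectBody struct {
	Name  string `json:"name"`
	Title string `json:"title"`
}

// Store is an in-memory stand-in for the Postgres repository.
type Store map[string]*Project

var ErrNotFound = errors.New("project not found")

// UpdateByID writes only the mutable fields; OrgID is never assigned.
func (s Store) UpdateByID(id string, b UpdateProjectBody) (Project, error) {
	p, ok := s[id]
	if !ok {
		return Project{}, ErrNotFound
	}
	p.Name, p.Title = b.Name, b.Title
	return *p, nil
}

// HandleUpdate returns the updated project and the org ID to audit against.
func HandleUpdate(s Store, id string, raw []byte) (Project, string, error) {
	var body UpdateProjectBody
	// encoding/json ignores unknown keys by default (stand-in for DiscardUnknown).
	if err := json.Unmarshal(raw, &body); err != nil {
		return Project{}, "", err
	}
	updated, err := s.UpdateByID(id, body)
	if err != nil {
		return Project{}, "", err
	}
	return updated, updated.OrgID, nil // audit org comes from stored state
}

func main() {
	s := Store{"p1": {ID: "p1", Name: "billing", Title: "Billing", OrgID: "org-a"}}
	legacy := []byte(`{"name":"billing","title":"Billing v2","org_id":"org-b"}`) // constructed
	p, auditOrg, err := HandleUpdate(s, "p1", legacy)
	fmt.Println(p.OrgID, auditOrg, p.Title, err)
}
```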

@vercel

vercel Bot commented May 12, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
|---|---|---|---|
| frontier | Ready | Preview, Comment | May 12, 2026 9:14am |

@coderabbitai
Contributor

coderabbitai Bot commented May 12, 2026

📥 Commits

Reviewing files that changed from the base of the PR and between 527d72d and e496af1.

⛔ Files ignored due to path filters (2)
  • proto/v1beta1/frontier.pb.go is excluded by !**/*.pb.go, !proto/**
  • proto/v1beta1/frontierv1beta1connect/frontier.connect.go is excluded by !proto/**
📒 Files selected for processing (1)
  • Makefile
Walkthrough

This PR makes project organization immutable in the UpdateProject RPC by removing organization from the update request contract, handler logic, and repository SQL operations. UpdateProject can no longer change a project's parent organization. Request body type alignment, handler refactoring, repository enforcement, and all test suites are coordinated to ensure org_id cannot be modified.

Changes

Project Organization Immutability

| Layer / File(s) | Summary |
|---|---|
| Proton dependency update: Makefile | PROTON_COMMIT hash updated to fetch new raystack/proton version. |
| Request body type and handler refactoring: cmd/project.go, internal/api/v1beta1connect/project.go | editProjectCommand uses UpdateProjectRequestBody instead of ProjectRequestBody. UpdateProject handler removes org_id from early auditor initialization, stops sending Organization field in service.Update payload, and defers audit logging to use organization from the returned project state. |
| Repository enforcement of immutability: internal/store/postgres/project_repository.go | UpdateByID and UpdateByName remove org_id from SQL UPDATE SET clause, preventing organization mutations. Error handling for foreign key violations on org_id removed since column is no longer written. |
| Handler test updates: internal/api/v1beta1connect/project_test.go | TestHandler_UpdateProject refactored to construct updateInput without Organization and updateBody with only Name and Metadata. Test cases adjusted to expect service calls without Organization field and request bodies without OrgId. |
| Repository test updates: internal/store/postgres/project_repository_test.go | TestUpdateByID and TestUpdateByName replaced organization-ID error scenarios with invalid ID/name error assertions. |
| E2E regression test update: test/e2e/regression/api_test.go | TestProjectAPI case 6 adjusted to send UpdateProjectRequestBody with only Name instead of ProjectRequestBody including OrgId. |

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 2
✅ Passed checks (2 passed)
| Check name | Status | Explanation |
|---|---|---|
| Linked Issues check | ✅ Passed | The PR successfully implements all primary objectives from issue #1584: makes org immutable via UpdateProject by removing org_id from UpdateProjectRequestBody [proto changes], preventing org updates in the repository layer [project_repository.go], sourcing auditor org from updatedProject instead of request [project.go handler], and updating all call sites accordingly [CLI, handler tests, repo tests, E2E tests]. |
| Out of Scope Changes check | ✅ Passed | All changes are directly aligned with the PR objectives: proto definition split, repository layer immutability enforcement, handler auditor sourcing, CLI request body parsing, and comprehensive test updates—no unrelated changes detected. |


@coveralls

Coverage Report for CI Build 25725078679

Coverage decreased (-0.01%) to 42.034%

Details

  • Coverage decreased (-0.01%) from the base build.
  • Patch coverage: 1 uncovered change across 1 file (6 of 7 lines covered, 85.71%).
  • 4 coverage regressions across 1 file.

Uncovered Changes

| File | Changed | Covered | % |
|---|---|---|---|
| cmd/project.go | 1 | 0 | 0.0% |

Coverage Regressions

4 previously-covered lines in 1 file lost coverage.

| File | Lines Losing Coverage | Coverage |
|---|---|---|
| internal/store/postgres/project_repository.go | 4 | 52.16% |

Coverage Stats

Coverage Status
Relevant Lines: 37277
Covered Lines: 15669
Line Coverage: 42.03%
Coverage Strength: 11.9 hits per line

💛 - Coveralls

@AmanGIT07 AmanGIT07 merged commit f4d3398 into main May 12, 2026
8 checks passed
@AmanGIT07 AmanGIT07 deleted the fix/immutable-project-org branch May 12, 2026 10:44
Development

Successfully merging this pull request may close these issues.

UpdateProject RPC silently re-parents projects across orgs, leaving SpiceDB out of sync