From 94688fe26f8fa683094ba85cee7ad3808a6fe0d4 Mon Sep 17 00:00:00 2001
From: Abhishek Sah <abhi.sah.97@gmail.com>
Date: Fri, 19 Jun 2026 14:27:10 +0530
Subject: [PATCH] feat(bootstrap): grant project-create to org member role
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Add app_organization_projectcreate to the predefined organization viewer
("Member") role so org members can create projects, not just read the org.

Also remove a duplicate PredefinedRoles entry titled "Group Viewer" that
reused the same Name (RoleOrganizationViewer / app_organization_viewer). It
defined no distinct role — MigrateRoles reconciled the same role twice, last
write winning — so removing it has no functional effect beyond dropping a
redundant pass and makes the role single-sourced.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---
 internal/bootstrap/schema/schema.go | 9 +--------
 1 file changed, 1 insertion(+), 8 deletions(-)

diff --git a/internal/bootstrap/schema/schema.go b/internal/bootstrap/schema/schema.go
index 21b59937e..6d4a0fb23 100644
--- a/internal/bootstrap/schema/schema.go
+++ b/internal/bootstrap/schema/schema.go
@@ -344,14 +344,7 @@ var PredefinedRoles = []RoleDefinition{
 		Name:  RoleOrganizationViewer,
 		Permissions: []string{
 			"app_organization_get",
-		},
-		Scopes: []string{OrganizationNamespace},
-	},
-	{
-		Title: "Group Viewer",
-		Name:  RoleOrganizationViewer,
-		Permissions: []string{
-			"app_organization_get",
+			"app_organization_projectcreate",
 		},
 		Scopes: []string{OrganizationNamespace},
 	},