feat: implement GetCurrentUserPAT RPC

[AmanGIT07]

Summary

• Add GetCurrentUserPAT RPC handler that retrieves a single PAT by ID for the authenticated user
• Service layer verifies PAT ownership (returns not-found if PAT belongs to a different user) and enriches the response with role_ids and project_ids
• Accepts both session and PAT authentication (checks principal.User != nil instead of principal type)

Manual Tests

• Call with valid PAT ID via session auth → returns PAT with role_ids/project_ids
• Call with another user's PAT ID → returns not found
• Call with PAT auth → works

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
frontier	Ready	Preview, Comment	Mar 17, 2026 8:05am

[coderabbitai]

Warning

Rate limit exceeded

@AmanGIT07 has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 11 minutes and 40 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 292f4000-37df-4346-92eb-59005c4e498d

📥 Commits

Reviewing files that changed from the base of the PR and between 641988b and 16d97ba.

📒 Files selected for processing (5)

• core/userpat/service.go
• internal/api/v1beta1connect/interfaces.go
• internal/api/v1beta1connect/mocks/user_pat_service.go
• internal/api/v1beta1connect/user_pat.go
• pkg/server/connect_interceptors/authorization.go

📝 Walkthrough

Walkthrough

This PR adds a Get method to retrieve a specific Personal Access Token by user ID and PAT ID. Changes include service layer implementation with scope enrichment for RoleIDs and ProjectIDs from SpiceDB policies, API interface and handler updates with error mapping, and corresponding test coverage across layers.

Changes

Cohort / File(s)	Summary
Build Configuration Makefile	Updated PROTON_COMMIT hash from e5878c3 to 2416855, affecting protobuf artifact fetching during proto generation.
Mock Generation core/userpat/mocks/policy_service.go, internal/api/v1beta1connect/mocks/user_pat_service.go	Added mock methods (List and Get respectively) with testify mock infrastructure, including Call types, Expecter methods, and fluent configuration methods (Run, Return, RunAndReturn).
Model Updates core/userpat/models/pat.go	Added RoleIDs and ProjectIDs fields to PAT struct with JSON serialization tags.
Service Layer core/userpat/service.go, core/userpat/service_test.go	Implemented Service.Get method with ownership verification and scope enrichment via internal enrichWithScope helper; added PolicyService.List method; comprehensive test coverage for Get scenarios including disabled feature, not found, ownership checks, and enrichment failures.
API Interface & Handler internal/api/v1beta1connect/interfaces.go, internal/api/v1beta1connect/user_pat.go, internal/api/v1beta1connect/user_pat_test.go	Added UserPATService.Get interface method; implemented GetCurrentUserPAT handler with error mapping to Connect error codes (PermissionDenied, InvalidArgument, NotFound, FailedPrecondition, Internal); updated transformPATToPB to populate RoleIds and ProjectIds fields; added handler test suite covering authentication, permissions, and field transformation.
Authorization pkg/server/connect_interceptors/authorization.go	Added GetCurrentUserPAT to authorizationSkipEndpoints map to bypass authorization checks.
Generated Code proto/v1beta1/frontier.pb.validate.go, proto/v1beta1/frontierv1beta1connect/frontier.connect.go	Added validation methods (Validate and ValidateAll) for protobuf messages with error types and multi-error aggregation; wired ListCurrentUserPATs and GetCurrentUserPAT RPC procedures with client and handler implementations in Connect framework.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~35 minutes

Possibly related PRs

• feat: PAT authentication chain, token validation, and error handling #1442 — Directly related PAT codepath modifications including endpoint additions, model/validator changes, and Connect handler wiring.
• feat: CreateCurrentUserPAT RPC implementation #1401 — Implements PAT functionality across the same layers (RPC handlers, frontier.connect.go, API interfaces/mocks, core/userpat service and mocks).
• feat: enforce PAT scope on permission checks #1446 — Adds PAT Get/GetByID methods and wiring in core/userpat service and API handlers with mock support.

Suggested reviewers

• rohilsurana
• rsbh

📝 Coding Plan

• Generate coding plan for human review comments

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

Tip

CodeRabbit can generate a title for your PR based on the changes.

Add @coderabbitai placeholder anywhere in the title of your PR and CodeRabbit will replace it with a title based on the changes in the PR. You can change the placeholder by changing the reviews.auto_title_placeholder setting.

[coveralls]

Pull Request Test Coverage Report for Build 23184366935

Warning: This coverage report may be inaccurate.

This pull request's base commit is no longer the HEAD commit of its target branch. This means it includes changes from outside the original pull request, including, potentially, unrelated coverage changes.

• For more information on this, see Tracking coverage changes with pull request builds.
• To avoid this issue with future PRs, see these Recommended CI Configurations.
• For a quick fix, rebase this PR at GitHub. Your next report should be accurate.

Details

• 52 of 67 (77.61%) changed or added relevant lines in 2 files are covered.
• No unchanged relevant lines lost coverage.
• Overall coverage increased (+0.1%) to 40.689%

---

Changes Missing Coverage	Covered Lines	Changed/Added Lines	%
internal/api/v1beta1connect/user_pat.go	36	38	94.74%
core/userpat/service.go	16	29	55.17%

Totals
Change from base Build 23181375541:	0.1%
Covered Lines:	14268
Relevant Lines:	35066

---

💛 - Coveralls

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (2)

core/userpat/service_test.go (1)

1360-1362: Assert enriched scope fields in the success path.

The success case only verifies PAT ID. Please also assert RoleIDs/ProjectIDs so regressions in scope enrichment are caught.

internal/api/v1beta1connect/user_pat_test.go (1)

394-514: Add a PAT-auth happy-path test case.

Please add a case where principal type is PAT (or non-user) with principal.User populated, and assert success. That locks in the intended auth behavior for this RPC.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 4f79baed-8949-4473-b27e-8d742413a559

📥 Commits

Reviewing files that changed from the base of the PR and between 79323c0 and 641988b.

⛔ Files ignored due to path filters (2)

• proto/v1beta1/frontier.pb.go is excluded by !**/*.pb.go
• proto/v1beta1/models.pb.go is excluded by !**/*.pb.go

📒 Files selected for processing (12)

• Makefile
• core/userpat/mocks/policy_service.go
• core/userpat/models/pat.go
• core/userpat/service.go
• core/userpat/service_test.go
• internal/api/v1beta1connect/interfaces.go
• internal/api/v1beta1connect/mocks/user_pat_service.go
• internal/api/v1beta1connect/user_pat.go
• internal/api/v1beta1connect/user_pat_test.go
• pkg/server/connect_interceptors/authorization.go
• proto/v1beta1/frontier.pb.validate.go
• proto/v1beta1/frontierv1beta1connect/frontier.connect.go