feat(iam): add user groups for policy attachment #619

Open
poyrazK wants to merge 5 commits into main from release/iam-user-groups
poyrazK (Owner) commented May 19, 2026

Summary

  • Implements IAM User Groups (GitHub issue #608, "IAM: Implement user groups and group-based policy attachment") — adds user groups as a new IAM primitive for organizing users and assigning policies collectively
  • Adds groups, user_groups, and group_policies database tables via migration 114
  • Adds Group, UserGroup, and GroupPolicy domain models
  • Adds group CRUD operations, membership management (add/remove user from group), and group-policy attachment/detachment at the repository, service, and handler layers
  • Integrates group policies into the RBAC authorization flow via checkGroupIAMPolicies() — group policies are evaluated after user-attached and role-attached policies
  • Adds HTTP endpoints: POST/GET/PUT/DELETE /iam/groups, POST/DELETE/GET /iam/groups/:id/members/:userId, POST/DELETE/GET /iam/groups/:id/policies/:policyId

Test plan

  • Run migration: goose postgres "postgres://..." up
  • Create a group: POST /iam/groups with {"name": "engineering"}
  • Add user to group: POST /iam/groups/{id}/members/{userId}
  • Attach policy to group: POST /iam/groups/{id}/policies/{policyId}
  • Verify user inherits group-attached policy permissions via RBAC authorization
  • Remove user from group and verify access is revoked
  • Run existing tests: go test ./internal/core/services/... ./internal/repositories/postgres/... (note: mocks will need regeneration for new interface methods)
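
An added sketch, not code from this PR, of the evaluation order the summary describes (user-attached, then role-attached, then group-attached policies) and of the revocation step in the test plan. `Statement`, `Store`, `demo`, the allow/deny effect and the sample actions are assumptions; the sketch collects matches across all stages so a deny attached to a group still applies when an earlier stage allows.

```go
package main

import "fmt"

// Hypothetical in-memory model; no name here comes from the PR's code.
type Statement struct {
	Deny             bool // assumed allow/deny effect; the PR text does not state one
	Action, Resource string
}

type Store struct {
	UserPolicies, RolePolicies, GroupPolicies map[string][]Statement
	UserRole                                  map[string]string
	UserGroups                                map[string]map[string]struct{} // user -> group IDs
}

// HasPermission checks user, then role, then group policies; default is deny.
func (s *Store) HasPermission(user, action, resource string) bool {
	stages := [][]Statement{s.UserPolicies[user], s.RolePolicies[s.UserRole[user]]}
	for g := range s.UserGroups[user] { // group policies come last
		stages = append(stages, s.GroupPolicies[g])
	}
	allowed := false
	for _, stmts := range stages {
		for _, st := range stmts {
			match := st.Action == action && st.Resource == resource
			if match && st.Deny {
				return false // explicit deny from any stage wins
			}
			allowed = allowed || match
		}
	}
	return allowed
}

// demo runs constructed sample data through the chain.
func demo() (viaGroup, withDeny, afterRemoval bool) {
	s := &Store{
		UserPolicies:  map[string][]Statement{"u1": {{false, "vpc:delete", "vpc-1"}}},
		GroupPolicies: map[string][]Statement{"eng": {{false, "vpc:read", "vpc-1"}, {true, "vpc:delete", "vpc-1"}}},
		UserGroups:    map[string]map[string]struct{}{"u1": {"eng": {}}},
	}
	viaGroup = s.HasPermission("u1", "vpc:read", "vpc-1")   // inherited from the group
	withDeny = s.HasPermission("u1", "vpc:delete", "vpc-1") // group deny vs. user allow
	delete(s.UserGroups["u1"], "eng")                       // remove user from group
	afterRemoval = s.HasPermission("u1", "vpc:read", "vpc-1")
	return
}

func main() { fmt.Println(demo()) }
```

A chain that returns on the first allow would never reach the group stage for `vpc:delete`, which is why the order in which the three sources are consulted matters once deny statements exist.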

poyrazK added 5 commits May 19, 2026 20:07
Implements GitHub issue #608 - user groups for IAM policy management.
Adds three new database tables (groups, user_groups, group_policies),
Group domain model, and all supporting repository/service/handler methods
for CRUD operations and policy attachment.

Adds CreateGroup, GetGroupByID, ListGroups, UpdateGroup, DeleteGroup,
AddUserToGroup, RemoveUserFromGroup, GetGroupsForUser, GetUsersInGroup,
AttachPolicyToGroup, DetachPolicyFromGroup, GetPoliciesForGroup methods
to the IAMRepository interface, IAMService interface, and iamService implementation.

Implements all group-related methods in iamRepository:
CreateGroup, GetGroupByID, ListGroups, UpdateGroup, DeleteGroup,
AddUserToGroup, RemoveUserFromGroup, GetGroupsForUser, GetUsersInGroup,
AttachPolicyToGroup, DetachPolicyFromGroup, GetPoliciesForGroup, GetGroupsForPolicy.

Adds checkGroupIAMPolicies() method to rbacService that resolves a user's
group memberships and evaluates IAM policies attached to those groups.
Group policies are checked after user-attached and role-attached policies
in the HasPermission authorization chain.

Adds all group HTTP handlers (CreateGroup, ListGroups, GetGroupByID,
UpdateGroup, DeleteGroup, AddUserToGroup, RemoveUserFromGroup,
GetGroupMembers, AttachPolicyToGroup, DetachPolicyFromGroup,
GetGroupPolicies) and registers them in the IAM router group.

Breaks a naming conflict with autoscaling_handler by renaming
CreateGroupRequest/UpdateGroupRequest to IAMGroupRequest.
Copilot AI review requested due to automatic review settings May 19, 2026 17:08

coderabbitai Bot commented May 19, 2026

Warning

Rate limit exceeded

@poyrazK has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 22 minutes and 23 seconds before requesting another review.

📥 Commits

Reviewing files that changed from the base of the PR and between f907852 and 69a7d70.

📒 Files selected for processing (9)
  • internal/api/setup/router.go
  • internal/core/domain/group.go
  • internal/core/ports/iam.go
  • internal/core/services/iam.go
  • internal/core/services/rbac.go
  • internal/handlers/iam_handler.go
  • internal/repositories/postgres/iam_repo.go
  • internal/repositories/postgres/migrations/114_create_user_groups_and_group_policies.down.sql
  • internal/repositories/postgres/migrations/114_create_user_groups_and_group_policies.up.sql

Copilot AI left a comment

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.
