refactor(device-set): group RPCs + remove generic collection membership (3/4)

[flesher]

Part 3 of 4 — Group RPCs + Generic Collection-Membership Removal

1. Summary

Replaces the legacy generic device-membership surface (AddDevicesToDeviceSet / RemoveDevicesFromDeviceSet in device_set/v1, plus AddDevicesToCollection / RemoveDevicesFromCollection in collection/v1) with type-specific RPCs: AddDevicesToGroup / RemoveDevicesFromGroup for many-to-many group membership, and the existing atomic AssignDevicesToRack for racks. After this PR, every device-membership operation in the fleet hierarchy is type-checked at the proto layer, atomic where atomicity matters (racks), and additive where the data model allows it (groups). No generic backdoor that bypasses the orphan-window guarantees the earlier PRs in this series introduced.

Stack

	PR	Status
	#463 — atomic reparent foundation (1/4)	merged
	#464 — atomic cross-site reparent (2/4)	merged
→	#466 — group RPCs + generic membership removal (3/4)	this PR
	#468 — bulk SQL + concurrency hardening (4/4)	parallel-mergeable

Diff is relative to main (no longer stacked on #464 after #464 merged).

Required context from upstream:

• AssignDevicesToRack (introduced in refactor(reparent): atomic reparent foundation (1/4) #463) — atomic single-RPC rack reparent. This PR migrates RackOverviewPage drag flow to it and removes the last legacy callers in MinerReparentPicker indirectly (after feat(sites): atomic cross-site reparent (2/4) #464 collapsed the cross-site path).
• DeviceSelector shape (common.v1) — already exists. This PR adopts it on AssignDevicesToRack and the new group RPCs.

Out of scope, lands elsewhere:

• Bulk SQL N+1 elimination + concurrency hardening for the hierarchy RPCs — perf(reparent): bulk SQL + concurrency hardening (4/4) #468 (sibling).
• Lock-order alignment between AssignDevicesToSite force-clear and AssignDevicesToRack (resolves the 40P01 deadlock window into a true lock-order serialization) — filed as a follow-up, mentioned in feat(sites): atomic cross-site reparent (2/4) #464.

2. How it works

Pre-PR device-membership shape (generic, runtime-checked):

• AddDevicesToDeviceSet(device_set_id, device_selector) and RemoveDevicesFromDeviceSet(device_set_id, device_selector) accept either a rack OR a group. The service inspects the collection type at runtime and branches.
• A duplicate generic pair lives on collection/v1 (AddDevicesToCollection / RemoveDevicesFromCollection) for legacy reasons — the wire surface predates the device_set renaming.
• AssignDevicesToRack(target_rack_id, repeated string device_identifiers) — added in refactor(reparent): atomic reparent foundation (1/4) #463 — handles rack membership atomically but the legacy generic surface still allows a caller to bypass it.

Post-PR device-membership shape (type-specific):

• AddDevicesToGroup(target_group_id, DeviceSelector) — additive (many-to-many between miner and group). Service does an org-scoped GetCollection inside the tx, rejects non-COLLECTION_TYPE_GROUP targets with InvalidArgument, then calls the existing store-level AddDevicesToCollection (kept as shared infrastructure).
• RemoveDevicesFromGroup(target_group_id, DeviceSelector) — same type guard, calls store-level RemoveDevicesFromCollection.
• AssignDevicesToRack — request shape now DeviceSelector device_selector instead of repeated string device_identifiers. Handler accepts only the device_list variant; all_devices is rejected at the translate layer with InvalidArgument. Identifier validation is enforced by a shared ValidateDeviceIdentifiers helper (caps: 10k items, 256 chars per identifier, no empty strings).
• Legacy AddDevicesToDeviceSet / RemoveDevicesFromDeviceSet (device_set/v1) — removed from the proto, removed from the wire-permissions map, removed from the handler.
• Legacy AddDevicesToCollection / RemoveDevicesFromCollection (collection/v1) — removed from the proto, removed from the wire-permissions map, removed from the handler. Store-level methods stay as shared infrastructure used by the new group RPCs and by AssignDevicesToRack internally.
• Service.AddDevicesToCollection / Service.RemoveDevicesFromCollection (the in-process Go-facing methods that the gRPC handlers used to call, and that fleetimport called directly) — also removed. fleetimport migrates to the type-specific Service methods.

fleetimport migration:

• Group imports (existing-group adds + group create-race adds) → Service.AddDevicesToGroup.
• Rack imports (existing-rack adds + rack create-race adds) → Service.AssignDevicesToRack. Importer accumulates devicesAssigned from NewlyAssignedCount (Go-only field added to AssignDevicesToRackResult) rather than AssignedCount, so idempotent re-imports report only newly-added rows — matches the old AddDevicesToCollection.AddedCount semantics.

Client UI migration:

• RackOverviewPage drag flow → assignDevicesToRack (was addDevicesToDeviceSet). Atomic-replace semantics correct: a single-miner drag from one rack to another now atomically clears the prior rack row + adds the new one.
• MinerActionModalStack group-add flow → addDevicesToGroup (was addDevicesToDeviceSet).
• useDeviceSets hook drops addDevicesToDeviceSet / removeDevicesFromDeviceSet, adds addDevicesToGroup / removeDevicesFromGroup.

gRPC reflection:

DeviceSetService is now in reflectEnabledServices (server/cmd/fleetd/main.go). Agents using grpcurl -list can discover AssignDevicesToRack, AddDevicesToGroup, RemoveDevicesFromGroup. The auth interceptor chain remains the security boundary; reflection only exposes service shape.

Auth posture: unchanged from pre-PR. The new group RPCs and AssignDevicesToRack are all gated on PermRackManage (no separate PermGroupManage exists in the catalog; the legacy pair was on the same permission). Catalog split for groups is filed as a future-work follow-up.

3. Diagrams

Device-membership surface — before and after

flowchart TB
    subgraph Pre["Pre-PR: generic + runtime type-check"]
        A1["AssignDevicesToRack<br/>(rack-specific, atomic)<br/>device_set/v1"] -.->|"can also be used<br/>but caller may bypass"| A4
        A2["AddDevicesToDeviceSet<br/>generic; runtime branches on type<br/>device_set/v1"] --> A4["store.AddDevicesToCollection"]
        A3["AddDevicesToCollection<br/>duplicate generic surface<br/>collection/v1"] --> A4
        A5["RemoveDevicesFromDeviceSet<br/>device_set/v1"] --> A6["store.RemoveDevicesFromCollection"]
        A7["RemoveDevicesFromCollection<br/>collection/v1"] --> A6
    end
    subgraph Post["Post-PR: type-specific at the proto layer"]
        B1["AssignDevicesToRack<br/>rack-only; DeviceSelector<br/>device_set/v1"] --> B4["store.AddDevicesToCollection<br/>+ store.RemoveDevicesFromAnyRack<br/>(shared infrastructure)"]
        B2["AddDevicesToGroup<br/>group-only; type-checked<br/>device_set/v1"] --> B4
        B3["RemoveDevicesFromGroup<br/>group-only; type-checked<br/>device_set/v1"] --> B5["store.RemoveDevicesFromCollection"]
    end

Loading

AddDevicesToGroup request flow

sequenceDiagram
    participant Client
    participant Handler as deviceset.Handler
    participant Auth as middleware.RequirePermission
    participant Svc as collection.Service
    participant Resolver as deviceresolver
    participant Store as collectionStore
    participant DB

    Client->>Handler: AddDevicesToGroup target_group_id, DeviceSelector
    Handler->>Auth: PermRackManage
    Auth-->>Handler: ok
    Handler->>Resolver: resolveExplicitDevices selector
    Resolver->>Resolver: ValidateDeviceIdentifiers caps + non-empty
    Resolver-->>Handler: identifiers
    Handler->>Svc: AddDevicesToGroup orgID, target_group_id, identifiers
    Svc->>DB: BEGIN
    Svc->>Store: GetCollection orgID, target_group_id
    alt collection is not GROUP
        Svc-->>Handler: InvalidArgument
        Svc->>DB: ROLLBACK
    else collection is GROUP
        Svc->>Store: AddDevicesToCollection
        Store->>DB: INSERT ... ON CONFLICT DO NOTHING
        Svc->>DB: COMMIT
        Svc-->>Handler: added_count
    end
    Handler-->>Client: response

Loading

Removed wire surface

flowchart LR
    subgraph Removed["Removed wire RPCs"]
        D1["AddDevicesToDeviceSet"]
        D2["RemoveDevicesFromDeviceSet"]
        D3["AddDevicesToCollection"]
        D4["RemoveDevicesFromCollection"]
    end
    subgraph Replacements["Replacement RPCs"]
        R1["AddDevicesToGroup"]
        R2["RemoveDevicesFromGroup"]
        R3["AssignDevicesToRack"]
        R4["AssignDevicesToRack<br/>target_rack_id unset"]
    end
    D1 -->|group target| R1
    D1 -->|rack target| R3
    D2 -->|group target| R2
    D2 -->|rack clear| R4
    D3 -->|group target| R1
    D3 -->|rack target| R3
    D4 -->|group target| R2
    D4 -->|rack clear| R4

Loading

4. Areas of the code involved

Area	What changed	Why it matters for review
proto/device_set/v1/device_set.proto (modified)	Removed AddDevicesToDeviceSet / RemoveDevicesFromDeviceSet RPCs + messages. Added AddDevicesToGroup / RemoveDevicesFromGroup RPCs + messages. Swapped AssignDevicesToRack.device_identifiers (repeated string, tag 2) → device_selector (common.v1.DeviceSelector, tag 2).	Breaking wire change. Tag 2 reuse is intentional — these RPCs aren't live for external consumers and client+server deploy atomically; cached-bundle window is the only blast radius.
proto/collection/v1/collection.proto (modified)	Removed AddDevicesToCollection / RemoveDevicesFromCollection RPCs + messages. collection/v1 keeps Create/Get/Update/Delete/List/Stats/Slot/Zone/Type/SaveRack — only the membership-mutation pair is gone.	Wire-only removal. Store-level methods of the same name are retained as shared infrastructure.
server/generated/grpc/** (modified)	Proto regen.	Generated — skip.
client/src/protoFleet/api/generated/** (modified)	Proto regen.	Generated — skip.
server/cmd/fleetd/main.go (modified)	Added device_setv1connect.DeviceSetServiceName to reflectEnabledServices.	Agents using gRPC reflection can now discover AssignDevicesToRack, AddDevicesToGroup, RemoveDevicesFromGroup. Auth boundary unchanged.
server/internal/handlers/middleware/rpc_permissions.go (modified)	Removed legacy entries (AddDevicesToCollection, RemoveDevicesFromCollection, AddDevicesToDeviceSet, RemoveDevicesFromDeviceSet). Added entries for AddDevicesToGroup, RemoveDevicesFromGroup, both on PermRackManage.	Security boundary. Reviewer should confirm the new entries match sibling RPCs' permission and that no legacy entry was missed.
server/internal/handlers/deviceset/handler.go (modified)	Removed legacy handlers. Added AddDevicesToGroup / RemoveDevicesFromGroup handlers (auth-gated, then service call). Updated AssignDevicesToRack handler to plumb the selector through and surface the translate-layer error for non-device_list variants.	Thin shim; the work is in the translate layer + service.
server/internal/handlers/deviceset/translate.go (modified)	toAssignDevicesToRackParams now extracts identifiers from DeviceSelector.device_list, rejects all_devices and unset variants, and calls ValidateDeviceIdentifiers. Added toAddDevicesToGroupParams / toRemoveDevicesFromGroupParams.	Input validation boundary. Reviewer should confirm caps + empty-string rejection.
server/internal/handlers/deviceset/handler_test.go (modified)	Tests for the new group RPCs (happy path, rack-target rejection, permission gate), AssignDevicesToRack selector-variant rejection, ValidateDeviceIdentifiers boundary cases (empty string, over-length, over-cap list), cross-org isolation for AddDevicesToGroup.	Locks the wire-visible status codes for each rejection path.
server/internal/handlers/collection/handler.go (modified)	Removed AddDevicesToCollection / RemoveDevicesFromCollection handler funcs. Handler now matches the trimmed-down collection/v1 interface.	Wire-handler removal; verify the interface is satisfied.
server/internal/domain/collection/service.go (modified)	Removed Service.AddDevicesToCollection / Service.RemoveDevicesFromCollection. Added Service.AddDevicesToGroup / Service.RemoveDevicesFromGroup with inline GetCollection + type guard (rejects non-GROUP). Added NewlyAssignedCount to AssignDevicesToRackResult (Go-only, no proto change) so re-import callers can read newly-inserted count instead of final-membership count.	Core domain logic. Reviewer should focus on (a) the type guard inside the tx, (b) NewlyAssignedCount semantics matching pre-PR AddedCount.
server/internal/domain/collection/service_test.go (modified)	Tests for the new Service methods + NewlyAssignedCount exposure.	Service-level coverage.
server/internal/domain/deviceresolver/resolver.go (modified)	Added shared ValidateDeviceIdentifiers helper with MaxDeviceIdentifiers=10000 and MaxDeviceIdentifierLen=256. Wired into resolveExplicitDevices so every consumer of the device-selector resolver inherits the validation.	Validation surface. Previously enforced by buf.validate on the old repeated string proto rules; now lives in code since DeviceSelector.device_list doesn't carry those constraints.
server/internal/domain/fleetimport/importer.go (modified)	CollectionManager interface swapped from generic AddDevicesToCollection to AddDevicesToGroup + AssignDevicesToRack. Four call sites migrated (existing-group, group create-race, existing-rack, rack create-race). devicesAssigned accumulator now uses NewlyAssignedCount for rack adds so idempotent re-imports don't overstate.	Behavior parity. Re-import counts must match pre-PR semantics; locked by a new test.
server/internal/domain/fleetimport/importer_rack_assign_test.go (new)	TestImporter_RackReimport_UsesNewlyAssignedCount — fake CollectionManager returns AssignedCount=3, NewlyAssignedCount=1; assertion confirms only the newly-assigned count flows to devicesAssigned.	Regression pin on the re-import semantic.
server/internal/domain/foremanimport/service_test.go (modified)	Updated fakeCollectionManager to match the new CollectionManager interface (AddDevicesToGroup, AssignDevicesToRack).	Mirror update; no production behavior.
client/src/protoFleet/api/useDeviceSets.ts (modified)	Removed addDevicesToDeviceSet / removeDevicesFromDeviceSet hooks. Added addDevicesToGroup / removeDevicesFromGroup hooks mirroring assignDevicesToRack (signal support, error handling, bigint counts). assignDevicesToRack hook now constructs DeviceSelector { deviceList: { identifiers: [...] } } internally so callers still pass string[].	API-surface change; verify caller migration is complete.
client/src/protoFleet/features/fleetManagement/pages/RackOverviewPage.tsx (modified)	Drag-flow single-miner add → assignDevicesToRack({ targetRackId, deviceIdentifiers: [minerId] }).	Atomic-replace semantics correct for single-miner add.
client/src/protoFleet/features/fleetManagement/pages/RackOverviewPage.test.tsx (modified)	Mock updated from addDevicesToDeviceSet to assignDevicesToRack.	Mirror update.
client/src/protoFleet/features/fleetManagement/components/MinerActionsMenu/MinerActionModalStack.tsx (modified)	Group-add flow → addDevicesToGroup({ targetGroupId, deviceIdentifiers, allDevices }).	Caller migration to new group RPC.

5. Key technical decisions & trade-offs

• Type-specific RPCs over generic with runtime branch. Forces the type check to the proto layer where wrong-target attempts return InvalidArgument at the wire boundary, not after the server has set up a transaction. Alternative — keep the generic surface and add a feature flag — was rejected because it preserves the bypass path that PRs refactor(reparent): atomic reparent foundation (1/4) #463/feat(sites): atomic cross-site reparent (2/4) #464 worked to close.
• Tag 2 reuse on AssignDevicesToRack over reserving the old tag and adding device_selector at tag 3. Accepted because the RPC isn't live for external consumers and client+server deploy atomically; the blast radius is bounded to the deploy-window stale-bundle case. If this becomes a public API later, mark reserved 2; and migrate.
• NewlyAssignedCount added as a Go-only field on the service result struct over extending the proto response. Importer's the only caller that cares about the distinction today; adding a wire field would also require client work that no UI surfaces consume. If a second caller needs it, promote to proto.
• Group RPCs additive (no replace semantics) because groups are many-to-many between miner and group — a miner can belong to multiple groups simultaneously. Rack RPCs are replace-semantics (AssignDevicesToRack) because rack membership is one-per-miner. The atomic replace doesn't apply when there's no prior-state conflict to close.
• Store-level AddDevicesToCollection / RemoveDevicesFromCollection retained even though the wire and service methods are gone. These are shared infrastructure: Service.AddDevicesToGroup, Service.AssignDevicesToRack, and fleetimport all use them. Renaming for cosmetic alignment was rejected as out-of-scope churn.
• Validation moved from proto buf.validate rules to a Go helper. DeviceSelector.device_list doesn't carry the per-item rules the old repeated string device_identifiers had (min_len, max_len, max_items). ValidateDeviceIdentifiers is called at the resolver layer so every device-selector consumer inherits the caps. Alternative — add the rules to common.v1.DeviceIdentifierList — would touch a shared message and require coordinating with other consumers; deferred.
• all_devices selector variant rejected on AssignDevicesToRack only, not on the new group RPCs. Bulk-adding every paired device to a single rack is never the intended operation; bulk-adding to a group is. Per the security review, this is bounded by the org-scoped resolver — all_devices on AddDevicesToGroup enumerates only the caller's own org devices.
• PermRackManage reused for group RPCs, not a new PermGroupManage. The catalog doesn't currently distinguish the two; matching the legacy pair's permission preserves the pre-PR posture. A separate PermGroupManage is filed as a follow-up if groups gain reach beyond a rack-manager's intended blast radius.

6. Testing & validation

Handler-layer tests (server/internal/handlers/deviceset/handler_test.go):

• TestAddDevicesToGroup_HappyPath, _RejectsRackTarget, _PermissionRequired, _RejectsCrossOrgTarget — new group RPC coverage.
• TestRemoveDevicesFromGroup_HappyPath, _RejectsRackTarget, _PermissionRequired — mirror.
• TestAssignDevicesToRack_RejectsAllDevicesSelector, _RejectsEmptyIdentifier, _RejectsOverlongIdentifier, _RejectsOversizedList — selector + validation boundary cases.
• Existing TestAssignDevicesToRack_HappyPathAssigns / _UnassignBranch updated to use the new DeviceSelector shape.

Service-layer tests (server/internal/domain/collection/service_test.go):

• AddDevicesToGroup / RemoveDevicesFromGroup happy path + type guard + collection-not-found.
• AssignDevicesToRack updated to verify NewlyAssignedCount reflects only newly-inserted rows.

fleetimport tests (server/internal/domain/fleetimport/importer_rack_assign_test.go):

• TestImporter_RackReimport_UsesNewlyAssignedCount — fake CollectionManager returns mismatched AssignedCount vs NewlyAssignedCount; asserts the importer uses the latter.

Client tests:

• RackOverviewPage.test.tsx updated mock from addDevicesToDeviceSet to assignDevicesToRack.

Verification:

• go build ./... clean.
• go test ./server/internal/handlers/deviceset/... ./server/internal/domain/collection/... ./server/internal/domain/fleetimport/... ./server/internal/domain/deviceresolver/... ./server/internal/handlers/middleware/... — all pass.
• npx tsc --noEmit (client) — clean.
• npm run lint — clean.
• golangci-lint run -c server/.golangci.yaml ./internal/domain/fleetimport/... — clean.

Explicitly NOT covered:

• Real-Postgres integration test for the new group RPCs — only mock-driven service + handler tests. A focused integration test confirming cross-org isolation against a real DB would close the security-review-surfaced gap on the GetCollection(orgID, ...) org-scoped predicate end-to-end.
• addDevicesToCollection / removeDevicesFromCollection removal regression is verified by the build (no remaining Go callers; client grep clean for the four removed identifiers). No explicit "wire-RPC is gone" test, since GitHub Actions' build + targeted tests catch missed references.

Co-Authored-By: Claude Opus 4.7 noreply@anthropic.com

[github-actions]

🔐 Codex Security Review

Note: This is an automated security-focused code review generated by Codex.
It should be used as a supplementary check alongside human review.
False positives are possible - use your judgment.

Scope summary

• Reviewed pull request diff only (7324718fb6540c92ccd9c49e5f15b1168cae9614...6616fad5294dab3c52a911eda271d17f789560e8, exact PR three-dot diff)
• Model: gpt-5.5

💡 Click "edited" above to see previous reviews for this PR.

---

Review Summary

Overall Risk: MEDIUM

Findings

[MEDIUM] RPC Rename And Removal Break Existing Clients

• Category: Protobuf
• Location: proto/device_set/v1/device_set.proto:32
• Description: The PR removes AddDevicesToDeviceSet / RemoveDevicesFromDeviceSet and replaces them with AddDevicesToGroup / RemoveDevicesFromGroup. It also removes the legacy DeviceCollectionService add/remove RPCs. Connect/gRPC method names are part of the API path, so existing clients calling the old methods will receive unimplemented/404-style failures.
• Impact: Existing SDKs, automations, or a rolling deploy with old frontend/new backend or new frontend/old backend can no longer mutate group/rack membership. That is a reliability and compatibility regression for a public protobuf API.
• Recommendation: Keep the old RPCs as deprecated aliases for at least one compatibility window, forwarding group operations to the new group paths and preserving auth checks. If this is intentionally breaking, move it behind an explicit versioned API change and document deployment ordering.

[MEDIUM] Rack Assignment Audit Can Report Unrelated Site Changes

• Category: Reliability
• Location: server/internal/domain/collection/service.go:990
• Description: AssignDevicesToRack now builds cascade audit metadata by calling GetDeviceSiteIDsByMembership for every current member of the target rack, then buildDeviceSiteChanges over that full set. The actual cascade update immediately after is limited to params.DeviceIdentifiers, so the audit metadata can include unrelated rack members that were not touched by this assignment.
• Impact: Activity logs can falsely claim unrelated devices had implicit site changes, or set site_cascade metadata based on stale rack members even when the requested assignment did not cascade those devices. That weakens the audit trail for site/rack moves.
• Recommendation: Filter priors to the requested identifiers before calling buildDeviceSiteChanges, or add a store query that returns site IDs only for params.DeviceIdentifiers in the target rack. Base total_affected and device_site_changes on the same device set passed to CascadeAddedDeviceSites.

Notes

No changed shell-out, Nmap/mDNS, plugin, Docker, Rust, frontend XSS, or pool/wallet rewrite logic stood out in the reviewed diff. I did not run tests; this was a read-only diff review.

---

_{Generated by Codex Security Review |
Triggered by: @flesher |
Review workflow run}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 9266fb5d45

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 24720f12db

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 9fdfa4af5c

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[Copilot]

Pull request overview

This PR (3/4) continues the device-set refactor by replacing the legacy “generic collection membership” RPC surface with type-specific DeviceSetService RPCs, migrating remaining server and client call sites, and tightening rack assignment to use common.v1.DeviceSelector (explicit list only).

Changes:

• Introduces type-specific group membership RPCs (AddDevicesToGroup, RemoveDevicesFromGroup) and removes legacy add/remove RPCs from collection.v1 and device_set.v1.
• Refactors rack assignment (AssignDevicesToRack) to accept common.v1.DeviceSelector and rejects all_devices at the handler boundary; adds server-side identifier list validation.
• Migrates client flows (rack drag/slot flow + miner group actions) and importer paths to the new RPCs, plus updates reflection and permissions wiring.

Reviewed changes

Copilot reviewed 18 out of 24 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
server/internal/handlers/middleware/rpc_permissions.go	Removes legacy RPC permission entries; adds permissions for new group RPC procedures.
server/internal/handlers/deviceset/translate.go	Translates DeviceSelector → identifier list for rack assignment; rejects unsupported selector variants.
server/internal/handlers/deviceset/handler.go	Switches handler endpoints to AddDevicesToGroup/RemoveDevicesFromGroup; threads selector-based rack assignment translation errors.
server/internal/handlers/deviceset/handler_test.go	Adds handler tests for selector rejection/validation and new group RPC behavior + permission checks.
server/internal/handlers/collection/handler.go	Deletes legacy collection membership RPC handlers.
server/internal/domain/foremanimport/service_test.go	Updates fakes to match new type-specific collection manager interface.
server/internal/domain/fleetimport/importer.go	Migrates importer group adds and rack assignment to new type-specific methods; uses NewlyAssignedCount.
server/internal/domain/fleetimport/importer_rack_assign_test.go	Adds coverage ensuring rack re-import uses NewlyAssignedCount semantics.
server/internal/domain/deviceresolver/resolver.go	Centralizes identifier-list validation (count + per-item bounds) for explicit selectors.
server/internal/domain/collection/service.go	Adds group-specific add/remove APIs; extends rack assignment result with NewlyAssignedCount.
server/internal/domain/collection/service_test.go	Updates tests to cover group add/remove flows and rack-target rejection.
server/generated/grpc/device_set/v1/device_setv1connect/device_set.connect.go	Generated — updates connect stubs/procedure constants for new RPCs.
server/generated/grpc/collection/v1/collectionv1connect/collection.connect.go	Generated — removes connect stubs/procedure constants for legacy RPCs.
server/cmd/fleetd/main.go	Adds DeviceSetService to reflection-enabled services list.
proto/device_set/v1/device_set.proto	Defines new group RPCs; updates rack assignment request to DeviceSelector (explicit list only).
proto/collection/v1/collection.proto	Removes legacy generic add/remove membership RPCs/messages.
client/src/protoFleet/features/fleetManagement/pages/RackOverviewPage.tsx	Migrates rack drag/slot flow to assignDevicesToRack.
client/src/protoFleet/features/fleetManagement/pages/RackOverviewPage.test.tsx	Updates mocks for the new hook surface.
client/src/protoFleet/features/fleetManagement/components/MinerActionsMenu/MinerActionModalStack.tsx	Migrates group operation flow to addDevicesToGroup.
client/src/protoFleet/api/useDeviceSets.ts	Adds new group hooks + selector-based rack assignment; integrates AbortSignal handling.
client/src/protoFleet/api/generated/device_set/v1/device_set_pb.ts	Generated — reflects proto changes for new RPCs and selector field changes.
client/src/protoFleet/api/generated/collection/v1/collection_pb.ts	Generated — reflects removal of legacy membership RPCs.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 5eac3bf611

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".