Module group_sync 

JWT group-to-role membership sync logic.

This module computes the diff between a user’s current role memberships and their JWT group claims, producing Op::GrantRole and Op::RevokeRole operations. Only memberships granted by the MZ_JWT_SYNC_ROLE_ID sentinel are managed; manually-granted memberships are never touched.

Structs

GroupSyncDiff

Result of computing the group-to-role membership sync diff.

Functions

compute_group_sync_diff

Computes the grant/revoke operations needed to sync a user’s role memberships with their JWT group claims.