From 7f4d1620d2262765d1da9a9dba54e0fb02b31a77 Mon Sep 17 00:00:00 2001
From: "c1-dev-bot[bot]" <2740113+c1-dev-bot[bot]@users.noreply.github.com>
Date: Wed, 20 May 2026 00:29:48 +0000
Subject: [PATCH] fix: emit base team-member grant for users with elevated
 roles

When a team member holds a non-default role (e.g., maintainer), the
GitHub API filters them out of the member role query. This means
maintainers only received a grant on the maintainer entitlement, never
on the base team-member entitlement, causing under-counted membership.

Now, when processing maintainer role results, we also emit a
team-member grant for each user so the membership view matches
GitHub's own model where every maintainer is also a member.

Fixes: CXH-1513
---
 pkg/connector/team.go | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/pkg/connector/team.go b/pkg/connector/team.go
index d4399f95..19c7e081 100644
--- a/pkg/connector/team.go
+++ b/pkg/connector/team.go
@@ -236,6 +236,13 @@ func (o *teamResourceType) Grants(ctx context.Context, resource *v2.Resource, op
 					Id: fmt.Sprintf("team-grant:%s:%d:%s", resource.Id.Resource, user.GetID(), rId),
 				}),
 			))
+			if rId == teamRoleMaintainer {
+				rv = append(rv, grant.NewGrant(resource, teamRoleMember, ur.Id,
+					grant.WithAnnotation(&v2.V1Identifier{
+						Id: fmt.Sprintf("team-grant:%s:%d:%s", resource.Id.Resource, user.GetID(), teamRoleMember),
+					}),
+				))
+			}
 		}
 	default:
 		ctxzap.Extract(ctx).Warn("Unknown GitHub Role Name",