feat(auth): add inGroup() method for owner authorization

[cheruvian]

Problem

Currently, owner-based authorization and group-based authorization are separate strategies that work with OR logic. There's no way to require that a user must be both the owner AND a member of a specific group to access a resource (AND logic).

Issue number, if available: aws-amplify/amplify-category-api#3381

Changes

Add inGroup() method to owner authorization rules that allows requiring group membership in addition to owner matching:

• Add inGroup(...groups: string[]) method to owner(), ownerDefinedIn(), and ownersDefinedIn()
• Groups specified via inGroup() are passed to the transformer via the groups field on owner rules
• The transformer interprets groups on an owner rule as AND logic (must be owner AND in group)

Example usage:

.authorization((allow) => allow.owner().inGroup('AdminGroup'))

Corresponding docs PR, if applicable: TBD

Validation

• Added comprehensive unit tests for inGroup() with various combinations (552 tests passed)
• Snapshot tests verify correct GraphQL schema output with groups on owner rules
• Tests cover: single group, multiple groups, chaining with operations/identityClaim, different owner field definitions

Checklist

• If this PR includes a functional change to the runtime or type-level behavior of the code, I have added or updated automated test coverage for this change.
• If this PR requires a docs update, I have linked to that docs PR above.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

[changeset-bot]

🦋 Changeset detected

Latest commit: c99ebac

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package

Name	Type
@aws-amplify/data-schema	Minor

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR