Commit 5556220
feat(rbac,cli): RoleBinding typed nullable FKs + credential bind subcommand (#1581)
## Summary
- **RoleBinding model refactor**: replaces polymorphic `scope_id string`
with typed nullable FK columns (`user_id *string`, `project_id`,
`agent_id`, `session_id`, `credential_id`). Exactly one FK is non-null
per row; `user_id` is independently nullable (credential→project
bindings set both `credential_id` and `project_id` with `user_id=NULL`).
- **DB migration** (`202505130001`): drops `scope_id`, makes `user_id`
nullable, adds the four typed FK columns with indexes. Safe on fresh and
existing DBs via `IF EXISTS` guards.
- **`acpctl credential bind`**: new CLI subcommand that resolves a
credential by name, then creates a `RoleBinding` with
`scope=credential`, `credential_id`, and `project_id`.
- **Spec reconciliation**: spec coverage matrix, Agent ERD,
ScheduledSession fields, RBAC routes, and status header updated to match
implementation.
- **NetworkPolicy**: runner pods can now receive ingress from any source
(required for operator→runner calls).
## Changed components
| Component | Change |
|---|---|
| `ambient-api-server` plugins/roleBindings | model, migration, handler, presenter, openapi schema, generated types |
| `ambient-sdk` (Go, Python, TS) | typed FK fields on RoleBinding; `user_id` nullable; `scope_id` removed |
| `ambient-cli` credential/create/get | `credential bind` command; typed FK flags; `*string` UserID handling |
| `specs/api/ambient-model.spec.md` | coverage matrix, Agent ERD, ScheduledSession, RBAC routes, status |
| `components/manifests` | NetworkPolicy runner ingress rules |
## Test plan
- [ ] `cd components/ambient-api-server && go build ./... && go vet ./...` passes
- [ ] `cd components/ambient-cli && go build ./... && go vet ./...` passes
- [ ] `plugins/roleBindings` integration test: create binding with `scope=project`, `project_id` set, `user_id` null
- [ ] `acpctl credential bind <name> --project <project>` creates a RoleBinding with `scope=credential`
- [ ] Existing role-binding list/get/create/delete commands unaffected
🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
  * Added `credential bind` CLI command for binding credentials to projects.
* **Improvements**
  * Role bindings now target resources via dedicated identifiers (project/agent/session/credential) instead of a single scope ID.
  * CLI role-binding commands use dedicated flags (e.g., `--project-id-fk`, `--agent-id-fk`, `--session-id-fk`, `--credential-id-fk`).
  * SDKs/CLI builders updated to accept optional target identifiers and optional user IDs.
* **UI**
  * Role binding list output shows "TARGET" column for the chosen target identifier.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: Ambient Code Bot <bot@ambient-code.local>

1 parent 450aabf commit 5556220
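The typed-FK model in the commit message only tightens authorization if something checks that the populated columns agree with `scope`. The following is an added example, not code from this commit or project: the `RoleBinding` struct, `ValidateTarget`, the `agent` and `session` scope names, and the scope-to-column rule set are assumptions based on the columns and the `scope=project` / `scope=credential` cases named in the message.

```go
package main

import "fmt"

// RoleBinding is a hypothetical stand-in for the refactored model; the field
// names mirror the columns named in the commit message.
type RoleBinding struct {
	Scope                                               string
	UserID, ProjectID, AgentID, SessionID, CredentialID *string
}

// requiredFKs is an assumed scope-to-column rule set: credential bindings
// carry credential_id and project_id, other scopes carry only their own FK.
var requiredFKs = map[string][]string{
	"project":    {"project"},
	"agent":      {"agent"},
	"session":    {"session"},
	"credential": {"credential", "project"},
}

// isSet treats an empty string like NULL so "" cannot pass as a target.
func isSet(p *string) bool { return p != nil && *p != "" }

// ValidateTarget rejects bindings whose populated FK columns disagree with
// Scope. UserID is not checked because it is independently nullable.
func ValidateTarget(rb RoleBinding) error {
	required, ok := requiredFKs[rb.Scope]
	if !ok {
		return fmt.Errorf("unknown scope %q", rb.Scope)
	}
	cols := []struct {
		name string
		val  *string
	}{{"project", rb.ProjectID}, {"agent", rb.AgentID}, {"session", rb.SessionID}, {"credential", rb.CredentialID}}
	for _, c := range cols {
		need := false
		for _, r := range required {
			need = need || r == c.name
		}
		if need && !isSet(c.val) {
			return fmt.Errorf("scope %q requires %s_id", rb.Scope, c.name)
		}
		if !need && isSet(c.val) {
			return fmt.Errorf("scope %q must not set %s_id", rb.Scope, c.name)
		}
	}
	return nil
}

func main() {
	p, c := "proj-1", "cred-1" // constructed sample IDs
	fmt.Println(ValidateTarget(RoleBinding{Scope: "credential", ProjectID: &p, CredentialID: &c}))
	fmt.Println(ValidateTarget(RoleBinding{Scope: "project", ProjectID: &p, AgentID: &c}))
}
```

A check of this kind belongs in the create handler, ideally backed by a database `CHECK` constraint so rows written outside the API are held to the same rule.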
98 files changed
Lines changed: 888 additions & 512 deletions
File tree
- components
- ambient-api-server
- openapi
- pkg/api/openapi
- plugins/roleBindings
- ambient-cli/cmd/acpctl
- create
- credential
- get
- ambient-sdk
- generator
- templates
- go
- python
- ts
- go-sdk
- client
- types
- python-sdk/ambient_platform
- ts-sdk/src
- specs/api
Lines changed: 35 additions & 7 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
219 | 219 | | |
220 | 220 | | |
221 | 221 | | |
222 | | - | |
223 | 222 | | |
224 | 223 | | |
225 | 224 | | |
226 | | - | |
227 | | - | |
228 | 225 | | |
229 | 226 | | |
230 | 227 | | |
231 | 228 | | |
232 | | - | |
| 229 | + | |
| 230 | + | |
| 231 | + | |
| 232 | + | |
| 233 | + | |
| 234 | + | |
| 235 | + | |
| 236 | + | |
| 237 | + | |
| 238 | + | |
| 239 | + | |
| 240 | + | |
| 241 | + | |
| 242 | + | |
| 243 | + | |
| 244 | + | |
| 245 | + | |
| 246 | + | |
233 | 247 | | |
| 248 | + | |
| 249 | + | |
234 | 250 | | |
235 | 251 | | |
236 | 252 | | |
| |||
247 | 263 | | |
248 | 264 | | |
249 | 265 | | |
250 | | - | |
251 | | - | |
252 | 266 | | |
253 | 267 | | |
254 | 268 | | |
255 | 269 | | |
256 | | - | |
| 270 | + | |
| 271 | + | |
| 272 | + | |
| 273 | + | |
| 274 | + | |
| 275 | + | |
| 276 | + | |
| 277 | + | |
| 278 | + | |
| 279 | + | |
| 280 | + | |
| 281 | + | |
| 282 | + | |
| 283 | + | |
257 | 284 | | |
| 285 | + | |
258 | 286 | | |
259 | 287 | | |
260 | 288 | | |
| |||