
Commit 5556220

Authored by markturansky, claude and Ambient Code Bot
feat(rbac,cli): RoleBinding typed nullable FKs + credential bind subcommand (#1581)
## Summary

- **RoleBinding model refactor**: replaces polymorphic `scope_id string` with typed nullable FK columns (`user_id *string`, `project_id`, `agent_id`, `session_id`, `credential_id`). Exactly one FK is non-null per row; `user_id` is independently nullable (credential→project bindings set both `credential_id` and `project_id` with `user_id=NULL`).
- **DB migration** (`202505130001`): drops `scope_id`, makes `user_id` nullable, adds the four typed FK columns with indexes. Safe on fresh and existing DBs via `IF EXISTS` guards.
- **`acpctl credential bind`**: new CLI subcommand that resolves a credential by name, then creates a `RoleBinding` with `scope=credential`, `credential_id`, and `project_id`.
- **Spec reconciliation**: spec coverage matrix, Agent ERD, ScheduledSession fields, RBAC routes, and status header updated to match implementation.
- **NetworkPolicy**: runner pods can now receive ingress from any source (required for operator→runner calls).

## Changed components

| Component | Change |
|---|---|
| `ambient-api-server` plugins/roleBindings | model, migration, handler, presenter, openapi schema, generated types |
| `ambient-sdk` (Go, Python, TS) | typed FK fields on RoleBinding; `user_id` nullable; `scope_id` removed |
| `ambient-cli` credential/create/get | `credential bind` command; typed FK flags; `*string` UserID handling |
| `specs/api/ambient-model.spec.md` | coverage matrix, Agent ERD, ScheduledSession, RBAC routes, status |
| `components/manifests` | NetworkPolicy runner ingress rules |

## Test plan

- [ ] `cd components/ambient-api-server && go build ./... && go vet ./...` passes
- [ ] `cd components/ambient-cli && go build ./... && go vet ./...` passes
- [ ] `plugins/roleBindings` integration test: create binding with `scope=project`, `project_id` set, `user_id` null
- [ ] `acpctl credential bind <name> --project <project>` creates a RoleBinding with `scope=credential`
- [ ] Existing role-binding list/get/create/delete commands unaffected

🤖 Generated with [Claude Code](https://claude.com/claude-code)

## Summary by CodeRabbit

* **New Features**
  * Added `credential bind` CLI command for binding credentials to projects.
* **Improvements**
  * Role bindings now target resources via dedicated identifiers (project/agent/session/credential) instead of a single scope ID.
  * CLI role-binding commands use dedicated flags (e.g., --project-id-fk, --agent-id-fk, --session-id-fk, --credential-id-fk).
  * SDKs/CLI builders updated to accept optional target identifiers and optional user IDs.
* **UI**
  * Role binding list output shows "TARGET" column for the chosen target identifier.

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: Ambient Code Bot <bot@ambient-code.local>
1 parent 450aabf commit 5556220

98 files changed

Lines changed: 888 additions & 512 deletions


components/ambient-api-server/openapi/openapi.roleBindings.yaml

Lines changed: 35 additions & 7 deletions
@@ -219,18 +219,34 @@ components:
219219
- $ref: 'openapi.yaml#/components/schemas/ObjectReference'
220220
- type: object
221221
required:
222-
- user_id
223222
- role_id
224223
- scope
225224
properties:
226-
user_id:
227-
type: string
228225
role_id:
229226
type: string
230227
scope:
231228
type: string
232-
scope_id:
229+
enum: [global, project, agent, session, credential]
230+
user_id:
231+
type: string
232+
nullable: true
233+
description: Nullable — set when the binding is user-specific
234+
project_id:
235+
type: string
236+
nullable: true
237+
description: Nullable — set when scope=project or when binding a credential to a project
238+
agent_id:
239+
type: string
240+
nullable: true
241+
description: Nullable — set when scope=agent
242+
session_id:
243+
type: string
244+
nullable: true
245+
description: Nullable — set when scope=session
246+
credential_id:
233247
type: string
248+
nullable: true
249+
description: Nullable — set when scope=credential
234250
# NEW SCHEMA START
235251
RoleBindingList:
236252
# NEW SCHEMA END
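Review bot: The new `user_id`, `project_id`, `agent_id`, `session_id` and `credential_id` properties are each independently `nullable: true`, but nothing in this schema says which combinations are valid for a given `scope` value; `required` now lists only `role_id` and `scope`, so a document with `scope: agent` and only `project_id` set validates. A role binding whose target is ambiguous is an authorization bug, so consider adding a top-level `description` on the RoleBinding object that states the invariant (which FK must be set for each enum value, and that `credential` bindings may also carry `project_id`, as the `project_id` description already hints), and spell out what a null `user_id` means for the non-credential scopes, since a binding with no subject is easy to read as applying to every user.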
@@ -247,14 +263,26 @@ components:
247263
# NEW SCHEMA END
248264
type: object
249265
properties:
250-
user_id:
251-
type: string
252266
role_id:
253267
type: string
254268
scope:
255269
type: string
256-
scope_id:
270+
enum: [global, project, agent, session, credential]
271+
user_id:
272+
type: string
273+
nullable: true
274+
project_id:
275+
type: string
276+
nullable: true
277+
agent_id:
278+
type: string
279+
nullable: true
280+
session_id:
281+
type: string
282+
nullable: true
283+
credential_id:
257284
type: string
285+
nullable: true
258286
parameters:
259287
id:
260288
name: id
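Review bot: This second object has no `required` list and allows `scope` and each of the four FK properties to be supplied independently, so an update that changes `scope` without clearing the FK column set by the previous scope can leave a row pointing at two targets; the handler should reject or clear the stale FK, and a `description` here should say which it does. The per-field `description` lines that document each nullable FK in the RoleBinding schema are also absent from this copy; mirroring them would keep the generated SDK types and docs consistent across the two objects.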
