docs(cli): list valid --privilege values in service-account help

claude · claude · commit f8af370f6f16 · 2026-06-25T15:59:50.000Z
The --privilege flag is required and validated only server-side, so a typo (e.g. --privilege membr) failed with a round-trip error giving no hint of the accepted values. List them in the flag help, mirroring the --type flag's validEnvTypesList pattern: a single-source-of-truth constant (validServiceAccountPrivilegesList = "admin, member, snapshotter, reader") embedded as "One of: [...]". Shared by create and update service-account. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01SWQ362qtJBoP3ncxRck9qu
diff --git a/cmd/kosli/root.go b/cmd/kosli/root.go
@@ -94,6 +94,11 @@ The ^.kosli_ignore^ will be treated as part of the artifact like any other file,
 	// the server is the authority on which types are actually accepted
 	validEnvTypesList = "K8S, ECS, S3, lambda, server, docker, azure-apps, cloud-run, logical"
 
+	// single source of truth for the service account privilege list shown in
+	// flag help texts; the server is the authority on which privileges are
+	// actually accepted
+	validServiceAccountPrivilegesList = "admin, member, snapshotter, reader"
+
 	// flags
 	apiTokenFlag                    = "The Kosli API token."
 	artifactName                    = "[optional] Artifact display name, if different from file, image or directory name."
@@ -121,7 +126,7 @@ The ^.kosli_ignore^ will be treated as part of the artifact like any other file,
 	ignoreCaseFlag                  = "[optional] Perform case-insensitive matching for --name. By default matching is case sensitive."
 	serviceAccountNameFlag          = "The name of the service account whose API keys are managed."
 	serviceAccountDescriptionFlag   = "[optional] A description for the service account."
-	serviceAccountPrivilegeFlag     = "The privilege granted to the service account."
+	serviceAccountPrivilegeFlag     = "The privilege granted to the service account. One of: [" + validServiceAccountPrivilegesList + "]."
 	serviceAccountAssumeYesFlag     = "[optional] Skip the confirmation prompt and delete the service account without asking. (alias: --yes)"
 	apiKeyDescriptionFlag           = "A description for the API key."
 	apiKeyExpiresAtFlag             = "[optional] When the API key expires. Accepts an epoch timestamp or a date like '2026-06-04', '2026-06-04 15:04:05', or an RFC3339 timestamp. Defaults to no expiry."
