Add CREATE OR MODIFY USER ROLE (additive upsert)

CREATE OR MODIFY USER ROLE creates the role if it doesn't exist, or
additively adds the specified module roles to an existing role without
removing any that are already assigned.

Grammar: moved createUserRoleStatement into createStatement to share
the CREATE (OR MODIFY)? prefix with other create statements.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: ako

mdl/ast/ast_security.go

@@ -21,11 +21,12 @@ type DropModuleRoleStmt struct {
 
 func (s *DropModuleRoleStmt) isStatement() {}
 
-// CreateUserRoleStmt represents: CREATE USER ROLE Name (ModuleRole, ...) [MANAGE ALL ROLES]
+// CreateUserRoleStmt represents: CREATE [OR MODIFY] USER ROLE Name (ModuleRole, ...) [MANAGE ALL ROLES]
 type CreateUserRoleStmt struct {
 	Name           string
 	ModuleRoles    []QualifiedName
 	ManageAllRoles bool
+	CreateOrModify bool // If true, adds module roles to existing role instead of failing
 }
 
 func (s *CreateUserRoleStmt) isStatement() {}

mdl/executor/cmd_security_write.go

@@ -158,7 +158,7 @@ func (e *Executor) execDropModuleRole(s *ast.DropModuleRoleStmt) error {
 	return nil
 }
 
-// execCreateUserRole handles CREATE USER ROLE Name (ModuleRoles) [MANAGE ALL ROLES].
+// execCreateUserRole handles CREATE [OR MODIFY] USER ROLE Name (ModuleRoles) [MANAGE ALL ROLES].
 func (e *Executor) execCreateUserRole(s *ast.CreateUserRoleStmt) error {
 	if e.writer == nil {
 		return fmt.Errorf("not connected to a project in write mode")
@@ -169,20 +169,28 @@ func (e *Executor) execCreateUserRole(s *ast.CreateUserRoleStmt) error {
 		return fmt.Errorf("failed to read project security: %w", err)
 	}
 
-	// Check if role already exists
-	for _, ur := range ps.UserRoles {
-		if ur.Name == s.Name {
-			return fmt.Errorf("user role already exists: %s", s.Name)
-		}
-	}
-
 	// Build qualified module role names
 	var moduleRoleNames []string
 	for _, mr := range s.ModuleRoles {
 		qn := mr.Module + "." + mr.Name
 		moduleRoleNames = append(moduleRoleNames, qn)
 	}
 
+	// Check if role already exists
+	for _, ur := range ps.UserRoles {
+		if ur.Name == s.Name {
+			if !s.CreateOrModify {
+				return fmt.Errorf("user role already exists: %s", s.Name)
+			}
+			// Additive: ensure specified module roles are present
+			if err := e.writer.AlterUserRoleModuleRoles(ps.ID, s.Name, true, moduleRoleNames); err != nil {
+				return fmt.Errorf("failed to update user role: %w", err)
+			}
+			fmt.Fprintf(e.output, "Modified user role: %s\n", s.Name)
+			return nil
+		}
+	}
+
 	if err := e.writer.AddUserRole(ps.ID, s.Name, moduleRoleNames, s.ManageAllRoles); err != nil {
 		return fmt.Errorf("failed to create user role: %w", err)
 	}

mdl/grammar/MDLParser.g4

@@ -95,6 +95,7 @@ createStatement
       | createNavigationStatement
       | createBusinessEventServiceStatement
       | createWorkflowStatement
+      | createUserRoleStatement
       )
     ;
 
@@ -284,7 +285,6 @@ moveStatement
 securityStatement
     : createModuleRoleStatement
     | dropModuleRoleStatement
-    | createUserRoleStatement
     | alterUserRoleStatement
     | dropUserRoleStatement
     | grantEntityAccessStatement
@@ -312,7 +312,7 @@ dropModuleRoleStatement
     ;
 
 createUserRoleStatement
-    : CREATE USER ROLE identifierOrKeyword
+    : USER ROLE identifierOrKeyword
       LPAREN moduleRoleList RPAREN
       (MANAGE ALL ROLES)?
     ;