Document category-based redis ACLs (#4946)

Update documentation around embedded authorization server redis configuration to use category-based ACLs.

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: tgrunnagle

docs/redis-storage.md

@@ -205,19 +205,19 @@ Create a ConfigMap or init container to provision the ACL file. The ACL user nee
 
 ```
 # /data/users.acl
-user toolhive-auth on ><your-secure-password> ~thv:auth:* &* +GET +SET +SETNX +DEL +EXISTS +EXPIRE +PEXPIRE +PTTL +MGET +SADD +SREM +SMEMBERS +EVAL +MULTI +EXEC +EVALSHA +PING
+user toolhive-auth on ><your-secure-password> ~thv:auth:* &* +@read +@write +@keyspace +@scripting +@transaction +@connection
 ```
 
 This ACL entry:
 - `on` — Enables the user
 - `><your-secure-password>` — Sets the password
 - `~thv:auth:*` — Allows access to all keys with the `thv:auth:` prefix
 - `&*` — Allows access to all Pub/Sub channels; required by the go-redis Sentinel client to receive `+switch-master` failover notifications. In a multi-tenant Redis deployment, consider restricting this to specific channels if your Redis version supports it.
-- `+GET +SET +DEL ...` — Grants only the commands used by the ToolHive auth server
+- `+@read +@write +@keyspace +@scripting +@transaction +@connection` — Grants command categories used by the ToolHive auth server
 
-> **Development / quick-start only:** You can replace the explicit command list with `+@all` to allow all commands, but this is not recommended for production environments.
+> **Development / quick-start only:** You can replace the category grants with `+@all` to allow all commands, but this is not recommended for production environments.
 
-> **Security note:** The auth server uses `GET`, `SET`, `SETNX`, `DEL`, `EXISTS`, `EXPIRE`, `PEXPIRE`, `PTTL`, `MGET`, `SADD`, `SREM`, `SMEMBERS`, `EVAL`, `EVALSHA`, `MULTI`, `EXEC`, and `PING`. Restrict the ACL to this set to follow the principle of least privilege.
+> **Security note:** The auth server uses commands from the `@read`, `@write`, `@keyspace`, `@scripting`, `@transaction`, and `@connection` categories. These categories cover the specific commands the server needs (`GET`, `SET`, `DEL`, `EXPIRE`, `EVAL`, `MULTI`/`EXEC`, `PING`, etc.) while following the principle of least privilege at the category level.
 
 ### Step 4: Create the ToolHive Auth Config
 

examples/operator/redis-storage/redis-credentials.yaml

@@ -6,7 +6,7 @@
 # External Secrets Operator, or Vault) instead of plaintext manifests.
 #
 # The corresponding Redis ACL entry should be:
-#   user toolhive-auth on ><password> ~thv:auth:* &* +GET +SET +SETNX +DEL +EXISTS +EXPIRE +SADD +SREM +SMEMBERS +EVAL +MULTI +EXEC +EVALSHA +PING
+#   user toolhive-auth on ><password> ~thv:auth:* &* +@read +@write +@keyspace +@scripting +@transaction +@connection
 # (see sentinel-service.yaml for the full ACL Secret that provisions this into Redis)
 apiVersion: v1
 kind: Secret

examples/operator/redis-storage/sentinel-service.yaml

@@ -33,15 +33,16 @@
 # The ACL entry grants the toolhive-auth user access to:
 #   ~thv:auth:*  — keys with the ToolHive auth prefix
 #   &*           — all Pub/Sub channels (required for Sentinel failover notifications)
-#   +GET +SET …  — only the commands the auth server uses (principle of least privilege)
+#   +@read +@write +@keyspace +@scripting +@transaction +@connection
+#                — command categories the auth server uses (principle of least privilege)
 apiVersion: v1
 kind: Secret
 metadata:
   name: redis-acl
   namespace: redis
 type: Opaque
 stringData:
-  users.acl: "user toolhive-auth on ><your-redis-password> ~thv:auth:* &* +GET +SET +SETNX +DEL +EXISTS +EXPIRE +PEXPIRE +PTTL +MGET +SADD +SREM +SMEMBERS +EVAL +MULTI +EXEC +EVALSHA +PING"
+  users.acl: "user toolhive-auth on ><your-redis-password> ~thv:auth:* &* +@read +@write +@keyspace +@scripting +@transaction +@connection"
 ---
 # Headless Service gives Redis pods stable, individually addressable DNS names:
 #   redis-0.redis.redis.svc.cluster.local