feat(rbac): port RBAC read access and rbac-dot from Go CLI #14

Draft: beengud wants to merge 1 commit into main from feat/rbac


beengud (Owner) commented Jun 24, 2026

Closes #9

Ports the RBAC read surface and the rbac-dot relationship graph from the deprecated Go Observe CLI into the TypeScript CLI, grouped under `observe rbac`.

Ported surface

  • `observe rbac dot --user <id>` — GraphViz DOT of a single user's transitive group membership (mirrors `plotUserGroupsDot` / `recursivePlotGroups`).
  • `observe rbac dot --all` — full-connectivity DOT across all users, groups, and statements, laid out in three clusters with the same node shapes, cluster colors, and edge weights as the Go output (mirrors `plotFullConnectivityDot` / `dotStmtName`). Pipe to `dot`, e.g. `observe rbac dot --all | dot -Tsvg -o rbac.svg`.
  • `observe rbac group list` / `observe rbac group get <id>` (optional `--members`) — read-only group + member access.
  • `observe rbac statement list` — read-only statement access.

List/get commands support `--format json|csv` (JSON default); `dot` emits DOT text. Scope is READ + DOT only; no mutations.

GraphQL ops live in `src/gql/rbac/` (validated against the published SDL), commands in `src/commands/rbac/`. Route registered in `src/app.ts` (after `datastream-token`, before `cli`).

Field-name corrections vs the Go source

  • The Go CLI flattened `subject.*` / `object.*` into struct fields (`SubjectUser`, `ObjectObjectId`, ...) via a query remap. The published schema exposes them as nested `RbacSubject` / `RbacObject` objects, so the ported queries select `subject { userId groupId all }` and `object { objectId folderId workspaceId type name owner all }` and the DOT builder reads the nested shape.
  • User / member / subject IDs are the `UserId` scalar (string), not `int64` as in the Go structs. DOT node IDs and membership comparisons use strings accordingly.
  • `RbacStatement.role` is the `RbacRole` enum, not a free-form string.
  • Users are read via `currentCustomer.users { id, label, email, status, role }` (aliased `label` -> `name`); `currentCustomer` is nullable in the SDL, so the wrapper guards it.

Verification

  • Scoped codegen against the published SDL (`src/gql/rbac/**`): ✔ Generate.
  • Scoped `tsc --noEmit`: zero errors in `src/commands/rbac` and `src/gql/rbac` non-test sources (only the documented `bun:test` / `ImportMeta` noise remains, which is expected).
  • `bun test src/commands/rbac/`: 18 pass / 0 fail across 3 files.
  • eslint + prettier clean on the new sources.

🤖 Generated with Claude Code
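
The transitive-membership walk and nested `subject` matching described above, as an added TypeScript example that is not code from this PR or from the Observe CLI. Only the `subject { userId groupId all }` fields and the use of string IDs come from the description; the `Member` shape, the function names and the sample data are assumptions constructed for illustration.

```typescript
// Added example. Only `subject { userId groupId all }` and string IDs come from the PR text;
// the Member shape and every name below are hypothetical.
type Member = { groupId: string; memberUserId?: string; memberGroupId?: string };
type Subject = { userId?: string | null; groupId?: string | null; all?: boolean | null };
type Statement = { id: string; subject: Subject };

// Groups the user reaches directly or via nested groups; `seen` also stops membership cycles.
function transitiveGroups(userId: string, members: Member[]): Set<string> {
  const seen = new Set<string>();
  const queue = members.filter((m) => m.memberUserId === userId).map((m) => m.groupId);
  while (queue.length > 0) {
    const g = queue.shift() as string;
    if (seen.has(g)) continue;
    seen.add(g);
    for (const m of members) if (m.memberGroupId === g) queue.push(m.groupId);
  }
  return seen;
}

// Statements that apply to the user: subject.all, a direct userId, or any transitive groupId.
function effectiveStatements(userId: string, members: Member[], stmts: Statement[]): Statement[] {
  const groups = transitiveGroups(userId, members);
  return stmts.filter(({ subject: s }) =>
    s.all === true || s.userId === userId || (s.groupId != null && groups.has(s.groupId)));
}

// DOT node IDs are emitted as quoted strings; escape `\` and `"` so an ID cannot end the quote.
function q(id: string): string {
  return '"' + id.replace(/\\/g, "\\\\").replace(/"/g, '\\"') + '"';
}

// One edge per membership row on the path from the user up through nested groups.
function userDot(userId: string, members: Member[]): string {
  const groups = transitiveGroups(userId, members);
  const edges = members
    .filter((m) => m.memberUserId === userId || (m.memberGroupId !== undefined && groups.has(m.memberGroupId)))
    .map((m) => `  ${q(m.memberUserId ?? (m.memberGroupId as string))} -> ${q(m.groupId)};`);
  return ["digraph rbac {", ...edges, "}"].join("\n");
}

// Constructed sample data: user 1001 is in g-eng; g-eng and g-staff contain each other.
const MEMBERS: Member[] = [
  { groupId: "g-eng", memberUserId: "1001" }, { groupId: "g-staff", memberGroupId: "g-eng" },
  { groupId: "g-eng", memberGroupId: "g-staff" }, { groupId: "g-admin", memberUserId: "2002" },
];
const STATEMENTS: Statement[] = [
  { id: "s1", subject: { all: true } }, { id: "s2", subject: { groupId: "g-staff" } },
  { id: "s3", subject: { groupId: "g-admin" } }, { id: "s4", subject: { userId: "2002" } },
];
```

With this sample, user `1001` picks up statement `s2` only through the nested `g-eng` -> `g-staff` membership, which is the kind of indirect grant the graph is meant to surface during an access review.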

Adds read-only `observe rbac` commands ported from the deprecated Go CLI:
- `rbac dot --user <id>` / `rbac dot --all`: GraphViz DOT graphs of the
  relationships between users, groups, and statements (mirrors
  cmd_rbac_dot.go).
- `rbac group list` / `rbac group get <id>` (with optional --members),
  and `rbac statement list`: read-only listing/getting with --format json|csv.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
beengud pushed a commit that referenced this pull request Jul 1, 2026
…d commands

Migrate board, folder, opal, fleet, schema, worksheet, and dataset command
files from direct buildCommand/buildRouteMap to the defineCommand/defineRoutes
wrappers introduced upstream in #14 (OBSERVE_CLI_EXPERIMENTAL gating). Drop-in
replacements; no behavior change. Aligns our ported commands with the new
house convention (AGENTS.md) and reduces future rebase friction.
beengud added a commit that referenced this pull request Jul 1, 2026
Migrate ported commands from buildCommand/buildRouteMap to the defineCommand/defineRoutes wrappers (upstream #14). Drop-in, no behavior change. Gitignore *.bun-build artifacts.

Linked issue (may be closed by merging this pull request): Port RBAC support + rbac-dot from the Go fork
