mcpctl

michal/mcpctl

Fork 0

Commit Graph

Author	SHA1	Message	Date
Michal	604bd76d60	fix: RBAC name-scoped access — CUID resolution + list filtering Some checks failed CI / lint (pull_request) Has been cancelled Details CI / typecheck (pull_request) Has been cancelled Details CI / test (pull_request) Has been cancelled Details CI / build (pull_request) Has been cancelled Details CI / package (pull_request) Has been cancelled Details Two bugs fixed: - GET /api/v1/servers/:cuid now resolves CUID→name before RBAC check, so name-scoped bindings match correctly - List endpoints now filter responses via preSerialization hook using getAllowedScope(), so name-scoped users only see their resources Also adds fulldeploy.sh orchestrator script. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-02-23 12:26:37 +00:00
Michal	ec1dfe7438	fix: migrate legacy admin role to granular roles at startup Some checks failed CI / lint (pull_request) Has been cancelled Details CI / typecheck (pull_request) Has been cancelled Details CI / test (pull_request) Has been cancelled Details CI / build (pull_request) Has been cancelled Details CI / package (pull_request) Has been cancelled Details - Add migrateAdminRole() that runs on mcpd boot - Converts { role: 'admin', resource: X } → edit + run bindings - Adds operation bindings for wildcard admin (impersonate, logs, etc.) - Add tests verifying unknown/legacy roles are denied by canAccess Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-02-23 11:31:15 +00:00
Michal	dcda93d179	feat: granular RBAC with resource/operation bindings, users, groups Some checks failed CI / lint (pull_request) Has been cancelled Details CI / typecheck (pull_request) Has been cancelled Details CI / test (pull_request) Has been cancelled Details CI / build (pull_request) Has been cancelled Details CI / package (pull_request) Has been cancelled Details - Replace admin role with granular roles: view, create, delete, edit, run - Two binding types: resource bindings (role+resource+optional name) and operation bindings (role:run + action like backup, logs, impersonate) - Name-scoped resource bindings for per-instance access control - Remove role from project members (all permissions via RBAC) - Add users, groups, RBAC CRUD endpoints and CLI commands - describe user/group shows all RBAC access (direct + inherited) - create rbac supports --subject, --binding, --operation flags - Backup/restore handles users, groups, RBAC definitions - mcplocal project-based MCP endpoint discovery - Full test coverage for all new functionality Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-02-23 11:05:19 +00:00

Author

SHA1

Message

Date

Michal

604bd76d60

fix: RBAC name-scoped access — CUID resolution + list filtering

CI / lint (pull_request) Has been cancelled

Details

CI / typecheck (pull_request) Has been cancelled

Details

CI / test (pull_request) Has been cancelled

Details

CI / build (pull_request) Has been cancelled

Details

CI / package (pull_request) Has been cancelled

Details

Two bugs fixed:
- GET /api/v1/servers/:cuid now resolves CUID→name before RBAC check,
  so name-scoped bindings match correctly
- List endpoints now filter responses via preSerialization hook using
  getAllowedScope(), so name-scoped users only see their resources

Also adds fulldeploy.sh orchestrator script.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

2026-02-23 12:26:37 +00:00

Michal

ec1dfe7438

fix: migrate legacy admin role to granular roles at startup

CI / lint (pull_request) Has been cancelled

Details

CI / typecheck (pull_request) Has been cancelled

Details

CI / test (pull_request) Has been cancelled

Details

CI / build (pull_request) Has been cancelled

Details

CI / package (pull_request) Has been cancelled

Details

- Add migrateAdminRole() that runs on mcpd boot
- Converts { role: 'admin', resource: X } → edit + run bindings
- Adds operation bindings for wildcard admin (impersonate, logs, etc.)
- Add tests verifying unknown/legacy roles are denied by canAccess

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

2026-02-23 11:31:15 +00:00

Michal

dcda93d179

feat: granular RBAC with resource/operation bindings, users, groups

CI / lint (pull_request) Has been cancelled

Details

CI / typecheck (pull_request) Has been cancelled

Details

CI / test (pull_request) Has been cancelled

Details

CI / build (pull_request) Has been cancelled

Details

CI / package (pull_request) Has been cancelled

Details

- Replace admin role with granular roles: view, create, delete, edit, run
- Two binding types: resource bindings (role+resource+optional name) and
  operation bindings (role:run + action like backup, logs, impersonate)
- Name-scoped resource bindings for per-instance access control
- Remove role from project members (all permissions via RBAC)
- Add users, groups, RBAC CRUD endpoints and CLI commands
- describe user/group shows all RBAC access (direct + inherited)
- create rbac supports --subject, --binding, --operation flags
- Backup/restore handles users, groups, RBAC definitions
- mcplocal project-based MCP endpoint discovery
- Full test coverage for all new functionality

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

2026-02-23 11:05:19 +00:00

3 Commits