fix: RBAC name-scoped access — CUID resolution + list filtering #23

Merged
michal merged 1 commits from fix/rbac-name-scoped-access into main 2026-02-23 12:27:49 +00:00

Summary

  • Fix: GET by CUID now resolves to human name before RBAC check (fixes 403 on name-scoped bindings)
  • Fix: List endpoints now filter responses via preSerialization hook so name-scoped users only see their resources
  • Add getAllowedScope() method to RbacService
  • Add 14 integration tests reproducing both bugs
  • Add fulldeploy.sh orchestrator script

Test plan

  • [x] 437 mcpd tests pass (including 14 new integration + getAllowedScope unit tests)
  • [x] 270 CLI tests pass
  • [ ] Manual: mcpctl get servers as name-scoped user shows only permitted server
  • [ ] Manual: mcpctl get server my-home-assistant -o yaml returns 200
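The two bugs described in the summary, as an added example that is not the project's code: a minimal RBAC service with a hypothetical `getAllowedScope()`, the CUID lookup in the wrong order beside the fixed order, and a preSerialization-style filter for list responses. The server records, the binding shape and the user names are constructed for illustration.

```javascript
// Constructed sample data: two servers and one binding scoped to a human name.
const servers = [
  { cuid: "clx01aaa", name: "my-home-assistant", owner: "alice" },
  { cuid: "clx02bbb", name: "build-runner", owner: "ops" },
];
// Hypothetical binding shape: user -> resource kind -> allowed names ("*" = all).
const bindings = {
  alice: { servers: ["my-home-assistant"] },
  admin: { servers: ["*"] },
};

class RbacService {
  constructor(b) { this.bindings = b; }
  // Names the user may see for this kind, or "*" when unscoped (assumed semantics).
  getAllowedScope(user, kind) {
    const names = (this.bindings[user] || {})[kind] || [];
    return names.includes("*") ? "*" : new Set(names);
  }
  can(user, kind, name) {
    const scope = this.getAllowedScope(user, kind);
    return scope === "*" || scope.has(name);
  }
}
const rbac = new RbacService(bindings);
const byCuid = (cuid) => servers.find((s) => s.cuid === cuid);

// Bug 1: checks the raw CUID against name-scoped bindings, so it never matches -> 403.
function getServerBuggy(user, cuid) {
  if (!rbac.can(user, "servers", cuid)) return { status: 403 };
  const s = byCuid(cuid);
  return s ? { status: 200, body: s } : { status: 404 };
}
// Fix 1: resolve CUID -> human name first, then run the RBAC check on the name.
function getServerFixed(user, cuid) {
  const s = byCuid(cuid);
  if (!s) return { status: 404 };
  // 403 vs 404 reveals whether a name exists; return 404 for both if that matters.
  if (!rbac.can(user, "servers", s.name)) return { status: 403 };
  return { status: 200, body: s };
}

// Fix 2: preSerialization-style filter drops items outside the caller's scope.
function filterList(user, kind, payload) {
  const scope = rbac.getAllowedScope(user, kind);
  return scope === "*" ? payload : payload.filter((item) => scope.has(item.name));
}
function listServers(user) {
  return { status: 200, body: filterList(user, "servers", servers) };
}
```

A user with no binding at all gets an empty list rather than an error, which is the behaviour the summary describes for name-scoped users seeing only their resources.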
michal added 1 commit 2026-02-23 12:26:52 +00:00
fix: RBAC name-scoped access — CUID resolution + list filtering
Some checks failed
CI / lint (pull_request) Has been cancelled
CI / typecheck (pull_request) Has been cancelled
CI / test (pull_request) Has been cancelled
CI / build (pull_request) Has been cancelled
CI / package (pull_request) Has been cancelled
604bd76d60
Two bugs fixed:
- GET /api/v1/servers/:cuid now resolves CUID→name before RBAC check,
  so name-scoped bindings match correctly
- List endpoints now filter responses via preSerialization hook using
  getAllowedScope(), so name-scoped users only see their resources

Also adds fulldeploy.sh orchestrator script.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
michal merged commit 5844d6c73f into main 2026-02-23 12:27:49 +00:00
michal deleted branch fix/rbac-name-scoped-access 2026-02-23 12:27:49 +00:00
No Reviewers
No Label
1 Participants

Reference: michal/mcpctl#23