feat(cli)!: migrate create rbac bindings to --roleBindings kv syntax

BREAKING: `mcpctl create rbac` no longer accepts `--binding` or `--operation`. Use `--roleBindings` instead with key:value pairs: # resource binding --roleBindings role:view,resource:servers --roleBindings role:view,resource:servers,name:my-ha # operation binding (role:run is implied by action:) --roleBindings action:logs The on-disk YAML shape (`roleBindings: [{role, resource, name?}]` or `{role:'run', action}`) is unchanged, so Git backups and existing `apply -f` files continue to work. Only the command-line input format changes. The parser is extracted to src/cli/src/commands/rbac-bindings.ts so the upcoming `mcpctl create mcptoken --bind <kv>` verb can reuse it. Completions, tests, and the new parser unit test all pass (406/406). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-17 01:03:57 +01:00
parent 2ddb493bb0
commit efcfeeab65
7 changed files with 158 additions and 38 deletions
--- a/docs/mcptoken-implementation.md
+++ b/docs/mcptoken-implementation.md
@@ -48,9 +48,39 @@ Before starting the feature, we flushed your in-flight changes to main so they w
 - The mcpd **auth middleware** does not yet dispatch on the token prefix. A raw `mcpctl_pat_…` bearer sent to any `/api/v1/*` endpoint (other than `/introspect`) is still rejected as an invalid session. That's intentional — PR 3 extends `middleware/auth.ts` to recognize both session bearers and McpToken bearers.
 - No CLI yet. Tokens can be created only via `POST /api/v1/mcptokens` for now.

-## PR 2 — RBAC CLI migration
+## PR 2 — RBAC CLI migration ✅

-_(blocked by PR 1 — parser is reused by PR 3)_
+Migrated `mcpctl create rbac` from positional flag syntax to the key=value form you asked for.
+
+Before:
+```
+mcpctl create rbac developers \
+  --subject User:alice@test.com \
+  --binding edit:servers \
+  --binding view:servers:my-ha \
+  --operation logs
+```
+After:
+```
+mcpctl create rbac developers \
+  --subject User:alice@test.com \
+  --roleBindings role:edit,resource:servers \
+  --roleBindings role:view,resource:servers,name:my-ha \
+  --roleBindings action:logs
+```
+
+| # | Step | Status |
+|---|---|---|
+| 1 | New shared parser at `src/cli/src/commands/rbac-bindings.ts` exporting `parseRoleBinding(entry)` | ✅ |
+| 2 | `src/cli/src/commands/create.ts` — old `--binding`/`--operation` flags replaced with one repeatable `--roleBindings <kv>`. Uses the new parser. | ✅ |
+| 3 | Tests in `src/cli/tests/commands/create.test.ts` rewritten to the new form (8 RBAC tests updated) | ✅ |
+| 4 | New dedicated unit test `src/cli/tests/commands/rbac-bindings.test.ts` — 9 cases covering unscoped / name-scoped / action / trim / empty-value / unknown-key / action-conflict / missing-role rejections | ✅ |
+| 5 | Shell completions regenerated via `pnpm completions:generate` — both `completions/mcpctl.{bash,fish}` now offer `--roleBindings`, no longer `--binding`/`--operation` | ✅ |
+| 6 | Nothing in `docs/` or `README.md` referenced the old flags | ✅ |
+
+Full CLI suite still 406/406 green. On-disk YAML shape (`roleBindings: [...]`) is unchanged, so backups and existing `apply -f` files keep working.
+
+The extracted `parseRoleBinding` helper is what PR 3's `mcpctl create mcptoken --bind <kv>` flag will reuse.

 ## PR 3 — CLI mcptoken verbs + mcpd auth dispatch + audit