feat: add CLI commands for RBAC groups and roles by Vukotije · Pull Request #4208 · superplanehq/superplane

Vukotije · 2026-04-17T15:36:10Z

Summary

Adds superplane groups subcommand tree with full CRUD plus nested groups members (list/add/remove).
Adds superplane roles subcommand tree with full CRUD (list/get/create/update/delete) mirroring the UI Roles settings.
Group create/update accept either inline flags (--display-name, --description, --role) or -f YAML (kind: Group).
Role create/update accept -f YAML (kind: Role) supporting the full spec.permissions[] array and optional spec.inheritedRole.
Fully independent of the members CLI PR — builds and tests pass against main on its own.

Test plan

go test ./pkg/cli/commands/groups/... ./pkg/cli/commands/roles/...
go build ./cmd/cli/...
superplane groups list and groups create engineers --display-name Engineers --role org_admin
superplane groups members add engineers <user-id> and remove
superplane roles create -f role.yaml with permissions array
superplane roles update -f role.yaml
superplane roles delete <name>

Add superplane groups and superplane roles subcommand trees covering every CRUD action the UI settings pages expose: - groups list / get / create (inline flags or -f) / update / delete - groups members list / add / remove - roles list / get / create -f / update -f / delete Group create/update accept either inline flags (--display-name, --description, --role) or a -f YAML file with apiVersion: v1, kind: Group. Roles follow the same YAML resource pattern with kind: Role, supporting the full spec.permissions[] array plus spec.inheritedRole. Includes httptest-based coverage of request paths, methods, query params, and body shapes — including the PATCH /users/remove route and the PUT role update endpoint. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> Signed-off-by: Vukotije <vukanradojevicc@gmail.com>

superplanehq-integration · 2026-04-17T15:36:13Z

👋 Commands for maintainers:

/sp start - Start an ephemeral machine (takes ~30s)
/sp stop - Stop a running machine (auto-executed on pr close)

The -f path of groups create and roles create previously sent the request without checking that metadata.name was populated in the YAML file, producing a generic server-side error. Match the validation the corresponding update commands already perform so users get an actionable client-side message. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> Signed-off-by: Vukotije <vukanradojevicc@gmail.com>

- Fix misleading --file descriptions on groups and roles create/update. Implementation only calls os.ReadFile on a single path — no directory or URL support. Update help text to match reality. - Add tests for the groups update command covering inline partial updates (only changed fields reach the wire), inline full updates, file-based updates, metadata.name validation on file path, positional+file conflict, missing identifier, and no-flag-change refusal. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> Signed-off-by: Vukotije <vukanradojevicc@gmail.com>

The helper was duplicated verbatim between members and groups — same logic, same error messages — originally because the two packages were split into independent PRs so each had to build on its own. Now that both are on main, consolidate into core.SplitUserIdentifier so a bug fix or behavior tweak only has to land once. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> Signed-off-by: Vukotije <vukanradojevicc@gmail.com>

Previously passing --display-name, --description, or --role alongside --file on groups create or update silently ignored the inline flag and used only the file contents. The user got no indication their input was dropped. Treat the combination as an error, matching the existing positional+--file conflict. Add tests for both create and update. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> Signed-off-by: Vukotije <vukanradojevicc@gmail.com>

Vukotije · 2026-04-17T21:52:08Z

@forestileao finished implementing those, take a look.

cursor

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit 2340d38. Configure here.}

The helper was copy-pasted verbatim across groups, roles, members, and secrets. Consolidate it into core.OrganizationDomainType() to match the treatment SplitUserIdentifier already received and keep domain-scoping policy in one place. Net: 25 files touched, -37/+29 lines, four identical definitions removed. No behavior change. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> Signed-off-by: Vukotije <vukanradojevicc@gmail.com>

…nType These helpers moved into pkg/cli/core in the preceding dedup commits, but the calling tests live in pkg/cli/commands/{members,groups}/ — Go coverage is per-package so those calls do not count toward core's percentage. Add a dedicated users_test.go inside core covering all SplitUserIdentifier branches (including trim and ambiguous-input error) and OrganizationDomainType, lifting pkg/cli/core coverage from 15.7% back above the 17.2% baseline. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> Signed-off-by: Vukotije <vukanradojevicc@gmail.com>

Merge branch 'main' into feat/cli-rbac

845dd26

cursor bot reviewed Apr 17, 2026

View reviewed changes

Comment thread pkg/cli/commands/groups/create.go

Vukotije requested a review from forestileao April 17, 2026 15:53