From a42ba6f88024e1905518471bd49981d5a14bf8f0 Mon Sep 17 00:00:00 2001
From: hzhang
Date: Sun, 24 May 2026 22:09:41 +0100
Subject: [PATCH] fix(cli): gate `hf project create` on project.create (was project.write) surface.go declared project/create as Permitted: has(perms, "project.write"), but the backend now (and the user-facing role editor's intent) uses `project.create` as the dedicated create gate. Switching CLI and backend to agree on the same perm so a role granted just `project.create` (e.g. mgr in the new seed) can run `hf project create` without needing the broader project.write. Companion change to HarborForge.Backend@HEAD which adds project.create to DEFAULT_PERMISSIONS, gives it to mgr by default, and rewrites the POST /projects gate to consult it.
Co-Authored-By: Claude Opus 4.7 (1M context)
---
 internal/help/surface.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/internal/help/surface.go b/internal/help/surface.go
index 4fffdd0..faf5e39 100644
--- a/internal/help/surface.go
+++ b/internal/help/surface.go
@@ -76,7 +76,7 @@ func CommandSurface() []Group {
 SubCommands: []Command{
 {Name: "list", Description: "List projects", Permitted: has(perms, "project.read")},
 {Name: "get", Description: "Show a project by code", Permitted: has(perms, "project.read")},
- {Name: "create", Description: "Create a project", Permitted: has(perms, "project.write")},
+ {Name: "create", Description: "Create a project", Permitted: has(perms, "project.create")},
 {Name: "update", Description: "Update a project", Permitted: has(perms, "project.write")},
 {Name: "delete", Description: "Delete a project", Permitted: has(perms, "project.delete")},
 {Name: "members", Description: "List project members", Permitted: has(perms, "project.read")},
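Review bot: On the changed `create` entry, `Permitted` now keys on `project.create`, so a role holding only `project.write` is no longer shown as allowed to create. Nothing in the hunk records that this depends on the backend companion change being deployed, and against a backend that still gates POST /projects on `project.write` the CLI surface and the server would disagree. Because the file lives under `internal/help`, `Permitted` looks like a display hint rather than enforcement, so I would say so next to the entry: `// Advisory only: the backend check on POST /projects (project.create) is authoritative; keep this string in sync with it.` It is also worth confirming that existing custom roles with only `project.write` are either migrated or meant to lose create. `CommandSurface` starts and ends outside this hunk, so how `perms` is obtained is not visible here.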