docs(config): colocate [[agents]] with users/groups in example config#20
Merged
Conversation
Move the Agents section to sit alongside the other principals (Users, Groups) before IAM Rules, so the file reads define-principals then grant-access. Relocate the pure-agent's [[iam]] example into the IAM section and document the agent: member prefix there. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
Greptile SummaryThis PR reorders
Confidence Score: 5/5Safe to merge — this is a comments-only reorganization of an example config file with no impact on runtime behavior. The change touches only commented-out example content in a .toml template file. The section reorder is internally consistent: cross-references ("see below" / "see the Agents section above") correctly point to each other after the move, and the newly documented agent:agentid member prefix accurately reflects the existing agent authorization mechanism described in the rest of the file. No files require special attention. Important Files Changed
Flowchart%%{init: {'theme': 'neutral'}}%%
flowchart TD
A["General / Branding / AI Providers"] --> B["Labels"]
B --> C["Connections"]
C --> D["Authentication"]
D --> E["Users + Groups"]
E --> F["[[agents]] <- moved here"]
F --> G["[[iam]] Rules\n(consolidated, references agents above)"]
style F fill:#d1fae5,stroke:#059669
style G fill:#dbeafe,stroke:#2563eb
%%{init: {'theme': 'base', 'themeVariables': {"darkMode": true, "background": "#0d1117", "primaryColor": "#21262d", "primaryTextColor": "#e6edf3", "primaryBorderColor": "#8b949e", "lineColor": "#8b949e", "textColor": "#e6edf3", "edgeLabelBackground": "#161b22", "actorBkg": "#21262d", "actorBorder": "#8b949e", "actorTextColor": "#e6edf3", "actorLineColor": "#8b949e", "signalColor": "#8b949e", "signalTextColor": "#e6edf3", "noteBkgColor": "#373320", "noteBorderColor": "#d4a72c", "noteTextColor": "#f0e6c0", "labelBoxBkgColor": "#21262d", "labelBoxBorderColor": "#8b949e", "labelTextColor": "#e6edf3", "loopTextColor": "#e6edf3", "activationBkgColor": "#30363d", "activationBorderColor": "#8b949e"}}}%%
flowchart TD
A["General / Branding / AI Providers"] --> B["Labels"]
B --> C["Connections"]
C --> D["Authentication"]
D --> E["Users + Groups"]
E --> F["[[agents]] <- moved here"]
F --> G["[[iam]] Rules\n(consolidated, references agents above)"]
style F fill:#d1fae5,stroke:#059669
style G fill:#dbeafe,stroke:#2563eb
Reviews (1): Last reviewed commit: "docs(config): colocate [[agents]] with u..." | Re-trigger Greptile |
There was a problem hiding this comment.
Pull request overview
This PR updates the example configuration layout to place [[agents]] alongside other principals (users/groups) before the [[iam]] access-control rules, making the file read top-down: define principals → grant permissions.
Changes:
- Reordered
pgconsole.example.tomlso[[agents]]appears before[[iam]]. - Moved the pure-agent IAM rule example into the IAM section and added a “see below” pointer from the agent example.
- Updated the IAM members reference line to include the
agent:member type.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Address PR review: user:/group: members are matched against the user's email, so bare usernames never match. Use full emails (user:admin@example.com, group members admin@example.com / developer@example.com) and clarify that "*" applies to users only — pure agents match only explicit "agent:<id>" rules. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Address PR review: delegated agents (on_behalf_of) inherit their user's IAM grant and so do match "*"/"user:"/"group:" rules via that user. Only pure agents are limited to explicit "agent:<id>" rules. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Comment on lines
+231
to
+233
| # Members: "user:<email>", "group:<id>", "agent:<id>", or "*" (all users; a pure | ||
| # agent matches only explicit "agent:<id>" rules, never "*"/"user:"/"group:", | ||
| # while a delegated agent inherits its user's matches) |
Address PR review: label "*" as all human users to avoid implying it matches agents (pure agents must be granted explicitly via agent:<id>). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Reorders
pgconsole.example.tomlso the[[agents]]section sits alongside the other principals rather than at the end of the file:This reads top-down: define the principals (users, groups, agents), then grant them access (IAM).
Changes
[[iam]]example into the IAM Rules section (since IAM now follows Agents); the agent comment points to it with "(see below)".agent:agentidmember prefix in the IAM members reference line, alongsideuser:/group:/*.Comments-only change to the example config — no code or behavior affected.
🤖 Generated with Claude Code