feat(agent): add group-based SCM tools access control

Author: stainless-app[bot]

.stats.yml

@@ -1,4 +1,4 @@
-configured_endpoints: 159
-openapi_spec_url: https://storage.googleapis.com/stainless-sdk-openapi-specs/gitpod%2Fgitpod-d62ef4b9187c1f3d36f428abc4b31d8a09ffd36e93d39b8136c60c8f463c838e.yml
-openapi_spec_hash: d7f01b6f24e88eb46d744ecd28061f26
-config_hash: 26e4a10dfc6ec809322e60d889d15414
+configured_endpoints: 160
+openapi_spec_url: https://storage.googleapis.com/stainless-sdk-openapi-specs/gitpod%2Fgitpod-a19818e87979929d5484f97ec50318899c659c73733b4a700a41f28687ee2632.yml
+openapi_spec_hash: f2d83905d1ed19d50c2f4641ecf29204
+config_hash: e84bdcd3fab4b185dd3dd79f70ea527d

api.md

@@ -316,11 +316,13 @@ Response Types:
 
 - <a href="https://pkg.go.dev/github.com/gitpod-io/gitpod-sdk-go">gitpod</a>.<a href="https://pkg.go.dev/github.com/gitpod-io/gitpod-sdk-go#GroupMembership">GroupMembership</a>
 - <a href="https://pkg.go.dev/github.com/gitpod-io/gitpod-sdk-go">gitpod</a>.<a href="https://pkg.go.dev/github.com/gitpod-io/gitpod-sdk-go#GroupMembershipNewResponse">GroupMembershipNewResponse</a>
+- <a href="https://pkg.go.dev/github.com/gitpod-io/gitpod-sdk-go">gitpod</a>.<a href="https://pkg.go.dev/github.com/gitpod-io/gitpod-sdk-go#GroupMembershipGetResponse">GroupMembershipGetResponse</a>
 - <a href="https://pkg.go.dev/github.com/gitpod-io/gitpod-sdk-go">gitpod</a>.<a href="https://pkg.go.dev/github.com/gitpod-io/gitpod-sdk-go#GroupMembershipDeleteResponse">GroupMembershipDeleteResponse</a>
 
 Methods:
 
 - <code title="post /gitpod.v1.GroupService/CreateMembership">client.Groups.Memberships.<a href="https://pkg.go.dev/github.com/gitpod-io/gitpod-sdk-go#GroupMembershipService.New">New</a>(ctx <a href="https://pkg.go.dev/context">context</a>.<a href="https://pkg.go.dev/context#Context">Context</a>, body <a href="https://pkg.go.dev/github.com/gitpod-io/gitpod-sdk-go">gitpod</a>.<a href="https://pkg.go.dev/github.com/gitpod-io/gitpod-sdk-go#GroupMembershipNewParams">GroupMembershipNewParams</a>) (<a href="https://pkg.go.dev/github.com/gitpod-io/gitpod-sdk-go">gitpod</a>.<a href="https://pkg.go.dev/github.com/gitpod-io/gitpod-sdk-go#GroupMembershipNewResponse">GroupMembershipNewResponse</a>, <a href="https://pkg.go.dev/builtin#error">error</a>)</code>
+- <code title="post /gitpod.v1.GroupService/GetMembership">client.Groups.Memberships.<a href="https://pkg.go.dev/github.com/gitpod-io/gitpod-sdk-go#GroupMembershipService.Get">Get</a>(ctx <a href="https://pkg.go.dev/context">context</a>.<a href="https://pkg.go.dev/context#Context">Context</a>, body <a href="https://pkg.go.dev/github.com/gitpod-io/gitpod-sdk-go">gitpod</a>.<a href="https://pkg.go.dev/github.com/gitpod-io/gitpod-sdk-go#GroupMembershipGetParams">GroupMembershipGetParams</a>) (<a href="https://pkg.go.dev/github.com/gitpod-io/gitpod-sdk-go">gitpod</a>.<a href="https://pkg.go.dev/github.com/gitpod-io/gitpod-sdk-go#GroupMembershipGetResponse">GroupMembershipGetResponse</a>, <a href="https://pkg.go.dev/builtin#error">error</a>)</code>
 - <code title="post /gitpod.v1.GroupService/ListMemberships">client.Groups.Memberships.<a href="https://pkg.go.dev/github.com/gitpod-io/gitpod-sdk-go#GroupMembershipService.List">List</a>(ctx <a href="https://pkg.go.dev/context">context</a>.<a href="https://pkg.go.dev/context#Context">Context</a>, params <a href="https://pkg.go.dev/github.com/gitpod-io/gitpod-sdk-go">gitpod</a>.<a href="https://pkg.go.dev/github.com/gitpod-io/gitpod-sdk-go#GroupMembershipListParams">GroupMembershipListParams</a>) (<a href="https://pkg.go.dev/github.com/gitpod-io/gitpod-sdk-go/packages/pagination">pagination</a>.<a href="https://pkg.go.dev/github.com/gitpod-io/gitpod-sdk-go/packages/pagination#MembersPage">MembersPage</a>[<a href="https://pkg.go.dev/github.com/gitpod-io/gitpod-sdk-go">gitpod</a>.<a href="https://pkg.go.dev/github.com/gitpod-io/gitpod-sdk-go#GroupMembership">GroupMembership</a>], <a href="https://pkg.go.dev/builtin#error">error</a>)</code>
 - <code title="post /gitpod.v1.GroupService/DeleteMembership">client.Groups.Memberships.<a href="https://pkg.go.dev/github.com/gitpod-io/gitpod-sdk-go#GroupMembershipService.Delete">Delete</a>(ctx <a href="https://pkg.go.dev/context">context</a>.<a href="https://pkg.go.dev/context#Context">Context</a>, body <a href="https://pkg.go.dev/github.com/gitpod-io/gitpod-sdk-go">gitpod</a>.<a href="https://pkg.go.dev/github.com/gitpod-io/gitpod-sdk-go#GroupMembershipDeleteParams">GroupMembershipDeleteParams</a>) (<a href="https://pkg.go.dev/github.com/gitpod-io/gitpod-sdk-go">gitpod</a>.<a href="https://pkg.go.dev/github.com/gitpod-io/gitpod-sdk-go#GroupMembershipDeleteResponse">GroupMembershipDeleteResponse</a>, <a href="https://pkg.go.dev/builtin#error">error</a>)</code>
 

groupmembership.go

@@ -67,6 +67,36 @@ func (r *GroupMembershipService) New(ctx context.Context, body GroupMembershipNe
 	return
 }
 
+// Gets a specific membership by group ID and subject.
+//
+// Use this method to:
+//
+// - Check if a user or service account is a member of a group
+// - Verify group membership for access control
+//
+// ### Examples
+//
+// - Check user membership:
+//
+//	Checks if a user is a member of a specific group.
+//
+//	```yaml
+//	groupId: "d2c94c27-3b76-4a42-b88c-95a85e392c68"
+//	subject:
+//	  id: "f53d2330-3795-4c5d-a1f3-453121af9c60"
+//	  principal: PRINCIPAL_USER
+//	```
+//
+// ### Authorization
+//
+// All organization members can check group membership (transparency model).
+func (r *GroupMembershipService) Get(ctx context.Context, body GroupMembershipGetParams, opts ...option.RequestOption) (res *GroupMembershipGetResponse, err error) {
+	opts = slices.Concat(r.Options, opts)
+	path := "gitpod.v1.GroupService/GetMembership"
+	err = requestconfig.ExecuteNewRequest(ctx, http.MethodPost, path, body, &res, opts...)
+	return
+}
+
 // Lists all memberships of a group.
 //
 // Use this method to:
@@ -216,6 +246,28 @@ func (r groupMembershipNewResponseJSON) RawJSON() string {
 	return r.raw
 }
 
+type GroupMembershipGetResponse struct {
+	// The membership if found, nil if subject is not a member
+	Member GroupMembership                `json:"member"`
+	JSON   groupMembershipGetResponseJSON `json:"-"`
+}
+
+// groupMembershipGetResponseJSON contains the JSON metadata for the struct
+// [GroupMembershipGetResponse]
+type groupMembershipGetResponseJSON struct {
+	Member      apijson.Field
+	raw         string
+	ExtraFields map[string]apijson.Field
+}
+
+func (r *GroupMembershipGetResponse) UnmarshalJSON(data []byte) (err error) {
+	return apijson.UnmarshalRoot(data, r)
+}
+
+func (r groupMembershipGetResponseJSON) RawJSON() string {
+	return r.raw
+}
+
 type GroupMembershipDeleteResponse = interface{}
 
 type GroupMembershipNewParams struct {
@@ -228,6 +280,16 @@ func (r GroupMembershipNewParams) MarshalJSON() (data []byte, err error) {
 	return apijson.MarshalRoot(r)
 }
 
+type GroupMembershipGetParams struct {
+	// Subject to check membership for
+	Subject param.Field[shared.SubjectParam] `json:"subject,required"`
+	GroupID param.Field[string]              `json:"groupId" format:"uuid"`
+}
+
+func (r GroupMembershipGetParams) MarshalJSON() (data []byte, err error) {
+	return apijson.MarshalRoot(r)
+}
+
 type GroupMembershipListParams struct {
 	Token    param.Field[string] `query:"token"`
 	PageSize param.Field[int64]  `query:"pageSize"`

groupmembership_test.go

@@ -43,6 +43,35 @@ func TestGroupMembershipNewWithOptionalParams(t *testing.T) {
 	}
 }
 
+func TestGroupMembershipGetWithOptionalParams(t *testing.T) {
+	t.Skip("Prism tests are disabled")
+	baseURL := "http://localhost:4010"
+	if envURL, ok := os.LookupEnv("TEST_API_BASE_URL"); ok {
+		baseURL = envURL
+	}
+	if !testutil.CheckTestServer(t, baseURL) {
+		return
+	}
+	client := gitpod.NewClient(
+		option.WithBaseURL(baseURL),
+		option.WithBearerToken("My Bearer Token"),
+	)
+	_, err := client.Groups.Memberships.Get(context.TODO(), gitpod.GroupMembershipGetParams{
+		Subject: gitpod.F(shared.SubjectParam{
+			ID:        gitpod.F("f53d2330-3795-4c5d-a1f3-453121af9c60"),
+			Principal: gitpod.F(shared.PrincipalUser),
+		}),
+		GroupID: gitpod.F("d2c94c27-3b76-4a42-b88c-95a85e392c68"),
+	})
+	if err != nil {
+		var apierr *gitpod.Error
+		if errors.As(err, &apierr) {
+			t.Log(string(apierr.DumpRequest(true)))
+		}
+		t.Fatalf("err should be nil: %s", err.Error())
+	}
+}
+
 func TestGroupMembershipListWithOptionalParams(t *testing.T) {
 	t.Skip("Prism tests are disabled")
 	baseURL := "http://localhost:4010"

organizationpolicy.go

@@ -106,17 +106,21 @@ type AgentPolicy struct {
 	McpDisabled bool `json:"mcpDisabled,required"`
 	// scm_tools_disabled controls whether SCM (Source Control Management) tools are
 	// disabled for agents
-	ScmToolsDisabled bool            `json:"scmToolsDisabled,required"`
-	JSON             agentPolicyJSON `json:"-"`
+	ScmToolsDisabled bool `json:"scmToolsDisabled,required"`
+	// scm_tools_allowed_group_id restricts SCM tools access to members of this group.
+	// Empty means no restriction (all users can use SCM tools if not disabled).
+	ScmToolsAllowedGroupID string          `json:"scmToolsAllowedGroupId"`
+	JSON                   agentPolicyJSON `json:"-"`
 }
 
 // agentPolicyJSON contains the JSON metadata for the struct [AgentPolicy]
 type agentPolicyJSON struct {
-	CommandDenyList  apijson.Field
-	McpDisabled      apijson.Field
-	ScmToolsDisabled apijson.Field
-	raw              string
-	ExtraFields      map[string]apijson.Field
+	CommandDenyList        apijson.Field
+	McpDisabled            apijson.Field
+	ScmToolsDisabled       apijson.Field
+	ScmToolsAllowedGroupID apijson.Field
+	raw                    string
+	ExtraFields            map[string]apijson.Field
 }
 
 func (r *AgentPolicy) UnmarshalJSON(data []byte) (err error) {
@@ -401,6 +405,9 @@ type OrganizationPolicyUpdateParamsAgentPolicy struct {
 	// mcp_disabled controls whether MCP (Model Context Protocol) is disabled for
 	// agents
 	McpDisabled param.Field[bool] `json:"mcpDisabled"`
+	// scm_tools_allowed_group_id restricts SCM tools access to members of this group.
+	// Empty means no restriction (all users can use SCM tools if not disabled).
+	ScmToolsAllowedGroupID param.Field[string] `json:"scmToolsAllowedGroupId"`
 	// scm_tools_disabled controls whether SCM (Source Control Management) tools are
 	// disabled for agents
 	ScmToolsDisabled param.Field[bool] `json:"scmToolsDisabled"`

organizationpolicy_test.go

@@ -54,9 +54,10 @@ func TestOrganizationPolicyUpdateWithOptionalParams(t *testing.T) {
 	_, err := client.Organizations.Policies.Update(context.TODO(), gitpod.OrganizationPolicyUpdateParams{
 		OrganizationID: gitpod.F("b0e12f6c-4c67-429d-a4a6-d9838b5da047"),
 		AgentPolicy: gitpod.F(gitpod.OrganizationPolicyUpdateParamsAgentPolicy{
-			CommandDenyList:  gitpod.F([]string{"string"}),
-			McpDisabled:      gitpod.F(true),
-			ScmToolsDisabled: gitpod.F(true),
+			CommandDenyList:        gitpod.F([]string{"string"}),
+			McpDisabled:            gitpod.F(true),
+			ScmToolsAllowedGroupID: gitpod.F("scmToolsAllowedGroupId"),
+			ScmToolsDisabled:       gitpod.F(true),
 		}),
 		AllowedEditorIDs:                gitpod.F([]string{"string"}),
 		AllowLocalRunners:               gitpod.F(true),

project.go

@@ -1055,6 +1055,9 @@ type ProjectListParamsFilter struct {
 	// runner_ids filters the response to only projects that use environment classes
 	// from these runners
 	RunnerIDs param.Field[[]string] `json:"runnerIds" format:"uuid"`
+	// runner_kinds filters the response to only projects that use environment classes
+	// from runners of these kinds
+	RunnerKinds param.Field[[]RunnerKind] `json:"runnerKinds"`
 	// search performs case-insensitive search across project name, project ID, and
 	// repository name
 	Search param.Field[string] `json:"search"`

project_test.go

@@ -171,9 +171,10 @@ func TestProjectListWithOptionalParams(t *testing.T) {
 		Token:    gitpod.F("token"),
 		PageSize: gitpod.F(int64(0)),
 		Filter: gitpod.F(gitpod.ProjectListParamsFilter{
-			ProjectIDs: gitpod.F([]string{"182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"}),
-			RunnerIDs:  gitpod.F([]string{"182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"}),
-			Search:     gitpod.F("search"),
+			ProjectIDs:  gitpod.F([]string{"182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"}),
+			RunnerIDs:   gitpod.F([]string{"182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"}),
+			RunnerKinds: gitpod.F([]gitpod.RunnerKind{gitpod.RunnerKindUnspecified}),
+			Search:      gitpod.F("search"),
 		}),
 		Pagination: gitpod.F(gitpod.ProjectListParamsPagination{
 			Token:    gitpod.F("token"),