feat(agent): add group-based SCM tools access control

stainless-app[bot] · stainless-app[bot] · commit 9f8d2f902fc2 · 2025-12-17T12:11:20.000Z
diff --git a/.stats.yml b/.stats.yml
@@ -1,4 +1,4 @@
-configured_endpoints: 159
-openapi_spec_url: https://storage.googleapis.com/stainless-sdk-openapi-specs/gitpod%2Fgitpod-d62ef4b9187c1f3d36f428abc4b31d8a09ffd36e93d39b8136c60c8f463c838e.yml
-openapi_spec_hash: d7f01b6f24e88eb46d744ecd28061f26
-config_hash: 26e4a10dfc6ec809322e60d889d15414
+configured_endpoints: 160
+openapi_spec_url: https://storage.googleapis.com/stainless-sdk-openapi-specs/gitpod%2Fgitpod-a19818e87979929d5484f97ec50318899c659c73733b4a700a41f28687ee2632.yml
+openapi_spec_hash: f2d83905d1ed19d50c2f4641ecf29204
+config_hash: e84bdcd3fab4b185dd3dd79f70ea527d
diff --git a/api.md b/api.md
@@ -275,11 +275,13 @@ Types:
 
 - <code><a href="./src/resources/groups/memberships.ts">GroupMembership</a></code>
 - <code><a href="./src/resources/groups/memberships.ts">MembershipCreateResponse</a></code>
+- <code><a href="./src/resources/groups/memberships.ts">MembershipRetrieveResponse</a></code>
 - <code><a href="./src/resources/groups/memberships.ts">MembershipDeleteResponse</a></code>
 
 Methods:
 
 - <code title="post /gitpod.v1.GroupService/CreateMembership">client.groups.memberships.<a href="./src/resources/groups/memberships.ts">create</a>({ ...params }) -> MembershipCreateResponse</code>
+- <code title="post /gitpod.v1.GroupService/GetMembership">client.groups.memberships.<a href="./src/resources/groups/memberships.ts">retrieve</a>({ ...params }) -> MembershipRetrieveResponse</code>
 - <code title="post /gitpod.v1.GroupService/ListMemberships">client.groups.memberships.<a href="./src/resources/groups/memberships.ts">list</a>({ ...params }) -> GroupMembershipsMembersPage</code>
 - <code title="post /gitpod.v1.GroupService/DeleteMembership">client.groups.memberships.<a href="./src/resources/groups/memberships.ts">delete</a>({ ...params }) -> unknown</code>
 
diff --git a/src/resources/groups/groups.ts b/src/resources/groups/groups.ts
@@ -10,6 +10,8 @@ import {
   MembershipDeleteParams,
   MembershipDeleteResponse,
   MembershipListParams,
+  MembershipRetrieveParams,
+  MembershipRetrieveResponse,
   Memberships,
 } from './memberships';
 import * as RoleAssignmentsAPI from './role-assignments';
@@ -528,9 +530,11 @@ export declare namespace Groups {
     Memberships as Memberships,
     type GroupMembership as GroupMembership,
     type MembershipCreateResponse as MembershipCreateResponse,
+    type MembershipRetrieveResponse as MembershipRetrieveResponse,
     type MembershipDeleteResponse as MembershipDeleteResponse,
     type GroupMembershipsMembersPage as GroupMembershipsMembersPage,
     type MembershipCreateParams as MembershipCreateParams,
+    type MembershipRetrieveParams as MembershipRetrieveParams,
     type MembershipListParams as MembershipListParams,
     type MembershipDeleteParams as MembershipDeleteParams,
   };
diff --git a/src/resources/groups/index.ts b/src/resources/groups/index.ts
@@ -18,8 +18,10 @@ export {
   Memberships,
   type GroupMembership,
   type MembershipCreateResponse,
+  type MembershipRetrieveResponse,
   type MembershipDeleteResponse,
   type MembershipCreateParams,
+  type MembershipRetrieveParams,
   type MembershipListParams,
   type MembershipDeleteParams,
   type GroupMembershipsMembersPage,
diff --git a/src/resources/groups/memberships.ts b/src/resources/groups/memberships.ts
@@ -48,6 +48,48 @@ export class Memberships extends APIResource {
     return this._client.post('/gitpod.v1.GroupService/CreateMembership', { body, ...options });
   }
 
+  /**
+   * Gets a specific membership by group ID and subject.
+   *
+   * Use this method to:
+   *
+   * - Check if a user or service account is a member of a group
+   * - Verify group membership for access control
+   *
+   * ### Examples
+   *
+   * - Check user membership:
+   *
+   *   Checks if a user is a member of a specific group.
+   *
+   *   ```yaml
+   *   groupId: "d2c94c27-3b76-4a42-b88c-95a85e392c68"
+   *   subject:
+   *     id: "f53d2330-3795-4c5d-a1f3-453121af9c60"
+   *     principal: PRINCIPAL_USER
+   *   ```
+   *
+   * ### Authorization
+   *
+   * All organization members can check group membership (transparency model).
+   *
+   * @example
+   * ```ts
+   * const membership = await client.groups.memberships.retrieve(
+   *   {
+   *     subject: {
+   *       id: 'f53d2330-3795-4c5d-a1f3-453121af9c60',
+   *       principal: 'PRINCIPAL_USER',
+   *     },
+   *     groupId: 'd2c94c27-3b76-4a42-b88c-95a85e392c68',
+   *   },
+   * );
+   * ```
+   */
+  retrieve(body: MembershipRetrieveParams, options?: RequestOptions): APIPromise<MembershipRetrieveResponse> {
+    return this._client.post('/gitpod.v1.GroupService/GetMembership', { body, ...options });
+  }
+
   /**
    * Lists all memberships of a group.
    *
@@ -172,6 +214,13 @@ export interface MembershipCreateResponse {
   member?: GroupMembership;
 }
 
+export interface MembershipRetrieveResponse {
+  /**
+   * The membership if found, nil if subject is not a member
+   */
+  member?: GroupMembership;
+}
+
 /**
  * Empty response
  */
@@ -186,6 +235,15 @@ export interface MembershipCreateParams {
   subject?: Shared.Subject;
 }
 
+export interface MembershipRetrieveParams {
+  /**
+   * Subject to check membership for
+   */
+  subject: Shared.Subject;
+
+  groupId?: string;
+}
+
 export interface MembershipListParams extends MembersPageParams {
   /**
    * Body param:
@@ -228,9 +286,11 @@ export declare namespace Memberships {
   export {
     type GroupMembership as GroupMembership,
     type MembershipCreateResponse as MembershipCreateResponse,
+    type MembershipRetrieveResponse as MembershipRetrieveResponse,
     type MembershipDeleteResponse as MembershipDeleteResponse,
     type GroupMembershipsMembersPage as GroupMembershipsMembersPage,
     type MembershipCreateParams as MembershipCreateParams,
+    type MembershipRetrieveParams as MembershipRetrieveParams,
     type MembershipListParams as MembershipListParams,
     type MembershipDeleteParams as MembershipDeleteParams,
   };
diff --git a/src/resources/organizations/policies.ts b/src/resources/organizations/policies.ts
@@ -111,6 +111,12 @@ export interface AgentPolicy {
    * disabled for agents
    */
   scmToolsDisabled: boolean;
+
+  /**
+   * scm_tools_allowed_group_id restricts SCM tools access to members of this group.
+   * Empty means no restriction (all users can use SCM tools if not disabled).
+   */
+  scmToolsAllowedGroupId?: string;
 }
 
 /**
@@ -411,6 +417,12 @@ export namespace PolicyUpdateParams {
      */
     mcpDisabled?: boolean | null;
 
+    /**
+     * scm_tools_allowed_group_id restricts SCM tools access to members of this group.
+     * Empty means no restriction (all users can use SCM tools if not disabled).
+     */
+    scmToolsAllowedGroupId?: string | null;
+
     /**
      * scm_tools_disabled controls whether SCM (Source Control Management) tools are
      * disabled for agents
diff --git a/src/resources/projects/projects.ts b/src/resources/projects/projects.ts
@@ -23,6 +23,7 @@ import {
   ProjectPolicy,
   ProjectRole,
 } from './policies';
+import * as RunnersAPI from '../runners/runners';
 import { APIPromise } from '../../core/api-promise';
 import { PagePromise, ProjectsPage, type ProjectsPageParams } from '../../core/pagination';
 import { RequestOptions } from '../../internal/request-options';
@@ -821,6 +822,12 @@ export namespace ProjectListParams {
      */
     runnerIds?: Array<string>;
 
+    /**
+     * runner_kinds filters the response to only projects that use environment classes
+     * from runners of these kinds
+     */
+    runnerKinds?: Array<RunnersAPI.RunnerKind>;
+
     /**
      * search performs case-insensitive search across project name, project ID, and
      * repository name
diff --git a/tests/api-resources/groups/memberships.test.ts b/tests/api-resources/groups/memberships.test.ts
@@ -20,6 +20,26 @@ describe('resource memberships', () => {
     expect(dataAndResponse.response).toBe(rawResponse);
   });
 
+  // Prism tests are disabled
+  test.skip('retrieve: only required params', async () => {
+    const responsePromise = client.groups.memberships.retrieve({ subject: {} });
+    const rawResponse = await responsePromise.asResponse();
+    expect(rawResponse).toBeInstanceOf(Response);
+    const response = await responsePromise;
+    expect(response).not.toBeInstanceOf(Response);
+    const dataAndResponse = await responsePromise.withResponse();
+    expect(dataAndResponse.data).toBe(response);
+    expect(dataAndResponse.response).toBe(rawResponse);
+  });
+
+  // Prism tests are disabled
+  test.skip('retrieve: required and optional params', async () => {
+    const response = await client.groups.memberships.retrieve({
+      subject: { id: 'f53d2330-3795-4c5d-a1f3-453121af9c60', principal: 'PRINCIPAL_USER' },
+      groupId: 'd2c94c27-3b76-4a42-b88c-95a85e392c68',
+    });
+  });
+
   // Prism tests are disabled
   test.skip('list', async () => {
     const responsePromise = client.groups.memberships.list({});
diff --git a/tests/api-resources/organizations/policies.test.ts b/tests/api-resources/organizations/policies.test.ts
@@ -47,7 +47,12 @@ describe('resource policies', () => {
   test.skip('update: required and optional params', async () => {
     const response = await client.organizations.policies.update({
       organizationId: 'b0e12f6c-4c67-429d-a4a6-d9838b5da047',
-      agentPolicy: { commandDenyList: ['string'], mcpDisabled: true, scmToolsDisabled: true },
+      agentPolicy: {
+        commandDenyList: ['string'],
+        mcpDisabled: true,
+        scmToolsAllowedGroupId: 'scmToolsAllowedGroupId',
+        scmToolsDisabled: true,
+      },
       allowedEditorIds: ['string'],
       allowLocalRunners: true,
       defaultEditorId: 'defaultEditorId',
