name: zed-spicedb-check description: Run Zed permission checks against SpiceDB in Kessel stage. Use when checking RBAC permissions in SpiceDB, verifying group membership, workspace access for users, or running zed permission check/lookup-resources against stage.

Zed SpiceDB Check (Stage)

Use this skill to run Zed permission checks against SpiceDB in the Kessel stage environment.

Prerequisites

1. Check for config.env: Verify .cursor/skills/config.env exists with ZED_SPICEDB_VAULT_URL (optional, for vault link).

2. Get SpiceDB PSK token: The token is in Vault. Read ZED_SPICEDB_VAULT_URL from .cursor/skills/config.env for the vault link, or use: Vault - Kessel Stage SpiceDB PSK

3. Export the token (do not store in config.env): export ZED_SPICEDB_PSK="<token_from_vault>"

4. oc CLI: Logged into the stage OpenShift cluster

Setup (run once per session)

Step 0: Check if logged in to the cluster

oc whoami

If this fails with "Unauthorized" or "You must be logged in to the server", you need to log in first. The stage cluster login link is in .cursor/skills/config.env as OPENSHIFT_STAGE_CONSOLE. Open that URL in your browser, click your username (top right) → Copy login command, then run the copied command in your terminal.

Step 1: Login and port-forward

# Login to stage cluster (if Step 0 showed you are not logged in)
# Get the login command from OPENSHIFT_STAGE_CONSOLE in config.env (browser → Copy login command)

oc project kessel-stage
oc port-forward svc/kessel-relations-spicedb 50051:50051

Keep the port-forward running in a separate terminal.

Step 2: Configure Zed context

Export the PSK and set the Zed context:

# Export the token (get from Vault - do not commit)
export ZED_SPICEDB_PSK="<token_from_vault>"

zed context set kessel-stage2 localhost:50051 "$ZED_SPICEDB_PSK" --insecure
zed context use kessel-stage2

Step 3: Verify it works

zed permission check rbac/group:a1b2c3d4-e5f6-4a7b-8c9d-0e1f2a3b4c5d member rbac/principal:redhat/12345678
zed permission lookup-resources rbac/group member rbac/principal:redhat/87654321

Common Commands

Check if principal is member of group

zed permission check rbac/group:<group_uuid> member rbac/principal:redhat/<user_id>

Lookup groups a principal is member of

zed permission lookup-resources rbac/group member rbac/principal:redhat/<user_id>

Check workspace access permission for user

zed permission check rbac/workspace:<workspace_uuid> view rbac/principal:redhat/<user_id>

Example:

zed permission check rbac/workspace:f7e8d9c0-b1a2-4e3d-8c7b-6a5f4e3d2c1b view rbac/principal:redhat/11223344

Resource ID format

• Group: rbac/group:<uuid> (e.g. rbac/group:a1b2c3d4-e5f6-4a7b-8c9d-0e1f2a3b4c5d)
• Workspace: rbac/workspace:<uuid> (e.g. rbac/workspace:f7e8d9c0-b1a2-4e3d-8c7b-6a5f4e3d2c1b)
• Principal: rbac/principal:redhat/<user_id> (e.g. rbac/principal:redhat/12345678)

Config Reference

Variables in .cursor/skills/config.env: