Description

• Migrate API keys from a singlescope column toscopes api_key_scope[] and addallow_list text[] supporting entries likeworkspace:<uuid>,template:*, or*:*.
• Default/backfill existing rows toscopes=['all'] andallow_list=['*:*'] to maintain backward compatibility.
• Extend the existingapi_key_scope enum with the new low-level scope names introduced in this RFC (e.g.,workspace:read,template:read,api_key:create, etc.).

Key files/areas

• SQL migrations incoderd/database/migrations/ (both up/down).
• Generated models incoderd/database/models.go (viamake gen).
• Reference low-level scope names fromcoderd/rbac/policy/policy.go (RBACPermissions) when updatingapi_key_scope enum values.

Acceptance criteria

• Runningmake gen succeeds; compiled models expose[]APIKeyScope (or[]string) and[]string allow_list.
• Existing installations upgrade without breaking token usage; no data loss.
• Add a down migration returning to the old schema.
• Enum updated with new low-level scope values when enum array is selected; down migration accounts for removed enum variants if needed.
• api_key_scope enum includes all known<resource>:<action> frompolicy.RBACPermissions (public and internal). The public catalog exposed to users is a filtered subset defined in the low‑level catalog task; document how to update the enum when RBAC evolves.