Description

• Support optional allow-lists that restrict the scope of application to specific resources. Accept values*:*,<resource_type>:*, and<resource_type>:<uuid>.
• Normalize/validate on input; store as strings inallow_list column.

Progress

• PRfeat: scope allow_list to includeresource_type #19748 (feat: scope allow_list to includeresource_type) added a typed{type,id} representation in RBAC and updatedpolicy.rego to enforce typed allow-lists, including wildcards(*,*) and(type,*), with unit tests.

Remaining work

• Implement parsing/normalization from user-provided strings (e.g.,workspace:<uuid>,template:*,*:*) into the typed representation with validation and helpful errors.
• Enforce size limits and deduplication; normalize wildcard forms.
• Integrate parsing in API handlers and CLI/UI; persist normalized string form in DB.
• Document the final format in admin and API docs.

Key files/areas

• Parsing/validation helpers incoderd/rbac/ (new package or file, e.g.,allowlist.go).
• Reuse/refactor existing allow-list mechanics from workspace agent tokens where practical.

Acceptance criteria

• Unit tests cover parsing, normalization, wildcard handling, and invalid input rejection.
• Large lists are rejected or capped by a sane limit (config or constant).