Route all commands through SpiceDB gating

Author: atoniolo76

cmd/connect.go

@@ -4,13 +4,15 @@ Copyright © 2025 ALESSIO TONIOLO
 package cmd
 
 import (
+	"context"
 	"fmt"
 	"log"
 	"os"
 	"os/exec"
 	"strings"
 
 	"github.com/atoniolo76/gotoni/pkg/remote"
+	"github.com/atoniolo76/gotoni/pkg/spicedb"
 
 	"github.com/spf13/cobra"
 )
@@ -64,17 +66,18 @@ var connectCmd = &cobra.Command{
 				instanceName = target
 			} else {
 				// For SSH, try to resolve to IP first, fallback to name
-				apiToken := remote.GetAPIToken()
-				if apiToken != "" {
-					httpClient := remote.NewHTTPClient()
-					instance, err := remote.ResolveInstance(httpClient, apiToken, target)
-					if err == nil {
-						// Found instance, use IP for SSH
-						instanceName = instance.IP
-					} else {
-						// Not found, assume it's an SSH config entry name
-						instanceName = target
+			apiToken := remote.GetAPIToken()
+			if apiToken != "" {
+				httpClient := remote.NewHTTPClient()
+				instance, err := remote.ResolveInstance(httpClient, apiToken, target)
+				if err == nil {
+					if checkErr := spicedb.Check(context.Background(), "resource", instance.ID, "ssh"); checkErr != nil {
+						log.Fatalf("Permission denied: %v", checkErr)
 					}
+					instanceName = instance.IP
+				} else {
+					instanceName = target
+				}
 				} else {
 					// No API token, assume SSH config entry
 					instanceName = target

cmd/kill.go

@@ -4,12 +4,14 @@ Copyright © 2025 ALESSIO TONIOLO
 package cmd
 
 import (
+	"context"
 	"fmt"
 	"log"
 	"net/http"
 	"strings"
 
 	"github.com/atoniolo76/gotoni/pkg/remote"
+	"github.com/atoniolo76/gotoni/pkg/spicedb"
 
 	"github.com/spf13/cobra"
 )
@@ -130,13 +132,24 @@ Use --all to terminate every running resource for the selected provider.`,
 			resolvedNames = append(resolvedNames, displayName)
 		}
 
+		ctx := context.Background()
+		for _, id := range instanceIDs {
+			if err := spicedb.Check(ctx, "resource", id, "delete"); err != nil {
+				log.Fatalf("Permission denied for %s: %v", id, err)
+			}
+		}
+
 		fmt.Printf("Terminating %s(s): %s\n", resType, strings.Join(resolvedNames, ", "))
 
 		resp, err := cloudProvider.TerminateInstance(httpClient, apiToken, instanceIDs)
 		if err != nil {
 			log.Fatalf("Error terminating %s(s): %v", resType, err)
 		}
 
+		for _, id := range instanceIDs {
+			spicedb.DeleteResource(ctx, id)
+		}
+
 		// Lambda manages state via API, but we still clean up any leftover config refs
 		if provider == "lambda" {
 			for _, id := range instanceIDs {

cmd/launch.go

@@ -4,6 +4,7 @@ Copyright © 2025 ALESSIO TONIOLO
 package cmd
 
 import (
+	"context"
 	"fmt"
 	"log"
 	"os"
@@ -12,6 +13,7 @@ import (
 
 	"github.com/atoniolo76/gotoni/pkg/db"
 	"github.com/atoniolo76/gotoni/pkg/remote"
+	"github.com/atoniolo76/gotoni/pkg/spicedb"
 
 	"github.com/spf13/cobra"
 )
@@ -264,6 +266,10 @@ Examples:
 			fmt.Println("Note: Modal provider uses Volumes instead of filesystems. Use --volume flag for Modal.")
 		}
 
+		if err := spicedb.CheckCreate(context.Background()); err != nil {
+			log.Fatalf("Permission denied: %v", err)
+		}
+
 		fmt.Printf("\nLaunching instance...\n")
 		if provider == "orgo" {
 			// Orgo provider - use project-based launch
@@ -313,6 +319,12 @@ Examples:
 			}
 		}
 
+		if launchErr == nil {
+			for _, inst := range launchedInstances {
+				spicedb.WriteResourceOwnership(context.Background(), inst.ID)
+			}
+		}
+
 		// Save SSH key to database (so we can look up file paths later)
 		// Note: Instance state is managed by Lambda API, not local DB
 		if launchErr == nil {

cmd/list.go

@@ -4,12 +4,14 @@ Copyright © 2025 ALESSIO TONIOLO
 package cmd
 
 import (
+	"context"
 	"fmt"
 	"log"
 	"os"
 	"strings"
 
 	"github.com/atoniolo76/gotoni/pkg/remote"
+	"github.com/atoniolo76/gotoni/pkg/spicedb"
 
 	"github.com/spf13/cobra"
 )
@@ -70,6 +72,16 @@ var listCmd = &cobra.Command{
 			log.Fatalf("Error listing running instances: %v", err)
 		}
 
+		if allowed := spicedb.ViewableResourceIDs(context.Background()); allowed != nil {
+			filtered := runningInstances[:0]
+			for _, inst := range runningInstances {
+				if allowed[inst.ID] {
+					filtered = append(filtered, inst)
+				}
+			}
+			runningInstances = filtered
+		}
+
 		if len(runningInstances) == 0 {
 			fmt.Println("No running instances found.")
 			return

cmd/open.go

@@ -4,10 +4,12 @@ Copyright © 2025 ALESSIO TONIOLO
 package cmd
 
 import (
+	"context"
 	"log"
 	"strings"
 
 	"github.com/atoniolo76/gotoni/pkg/remote"
+	"github.com/atoniolo76/gotoni/pkg/spicedb"
 	"github.com/spf13/cobra"
 )
 
@@ -54,8 +56,11 @@ Requirements:
 			apiToken := remote.GetAPIToken()
 			if apiToken != "" {
 				httpClient := remote.NewHTTPClient()
-				_, err := remote.ResolveInstance(httpClient, apiToken, target)
+				inst, err := remote.ResolveInstance(httpClient, apiToken, target)
 				if err == nil {
+					if checkErr := spicedb.Check(context.Background(), "resource", inst.ID, "ssh"); checkErr != nil {
+						log.Fatalf("Permission denied: %v", checkErr)
+					}
 					instanceName = target
 				} else {
 					instanceName = target

cmd/run.go

@@ -4,12 +4,14 @@ Copyright © 2025 ALESSIO TONIOLO
 package cmd
 
 import (
+	"context"
 	"fmt"
 	"log"
 	"os"
 	"strings"
 
 	"github.com/atoniolo76/gotoni/pkg/remote"
+	"github.com/atoniolo76/gotoni/pkg/spicedb"
 
 	"github.com/spf13/cobra"
 )
@@ -129,6 +131,10 @@ Examples:
 			instanceID = instanceDetails.ID
 		}
 
+		if err := spicedb.Check(context.Background(), "resource", instanceID, "ssh"); err != nil {
+			log.Fatalf("Permission denied: %v", err)
+		}
+
 		// Execute command based on provider
 		if provider == "orgo" || provider == "modal" {
 			// Use provider's ExecuteBashCommand