feat(agent): add group-based SCM tools access control

Author: stainless-app[bot]

.stats.yml

@@ -1,4 +1,4 @@
-configured_endpoints: 159
-openapi_spec_url: https://storage.googleapis.com/stainless-sdk-openapi-specs/gitpod%2Fgitpod-d62ef4b9187c1f3d36f428abc4b31d8a09ffd36e93d39b8136c60c8f463c838e.yml
-openapi_spec_hash: d7f01b6f24e88eb46d744ecd28061f26
-config_hash: 26e4a10dfc6ec809322e60d889d15414
+configured_endpoints: 160
+openapi_spec_url: https://storage.googleapis.com/stainless-sdk-openapi-specs/gitpod%2Fgitpod-a19818e87979929d5484f97ec50318899c659c73733b4a700a41f28687ee2632.yml
+openapi_spec_hash: f2d83905d1ed19d50c2f4641ecf29204
+config_hash: e84bdcd3fab4b185dd3dd79f70ea527d

api.md

@@ -281,12 +281,17 @@ Methods:
 Types:
 
 ```python
-from gitpod.types.groups import GroupMembership, MembershipCreateResponse
+from gitpod.types.groups import (
+    GroupMembership,
+    MembershipCreateResponse,
+    MembershipRetrieveResponse,
+)
 ```
 
 Methods:
 
 - <code title="post /gitpod.v1.GroupService/CreateMembership">client.groups.memberships.<a href="./src/gitpod/resources/groups/memberships.py">create</a>(\*\*<a href="src/gitpod/types/groups/membership_create_params.py">params</a>) -> <a href="./src/gitpod/types/groups/membership_create_response.py">MembershipCreateResponse</a></code>
+- <code title="post /gitpod.v1.GroupService/GetMembership">client.groups.memberships.<a href="./src/gitpod/resources/groups/memberships.py">retrieve</a>(\*\*<a href="src/gitpod/types/groups/membership_retrieve_params.py">params</a>) -> <a href="./src/gitpod/types/groups/membership_retrieve_response.py">MembershipRetrieveResponse</a></code>
 - <code title="post /gitpod.v1.GroupService/ListMemberships">client.groups.memberships.<a href="./src/gitpod/resources/groups/memberships.py">list</a>(\*\*<a href="src/gitpod/types/groups/membership_list_params.py">params</a>) -> <a href="./src/gitpod/types/groups/group_membership.py">SyncMembersPage[GroupMembership]</a></code>
 - <code title="post /gitpod.v1.GroupService/DeleteMembership">client.groups.memberships.<a href="./src/gitpod/resources/groups/memberships.py">delete</a>(\*\*<a href="src/gitpod/types/groups/membership_delete_params.py">params</a>) -> object</code>
 

src/gitpod/resources/groups/memberships.py

@@ -16,10 +16,16 @@
 )
 from ...pagination import SyncMembersPage, AsyncMembersPage
 from ..._base_client import AsyncPaginator, make_request_options
-from ...types.groups import membership_list_params, membership_create_params, membership_delete_params
+from ...types.groups import (
+    membership_list_params,
+    membership_create_params,
+    membership_delete_params,
+    membership_retrieve_params,
+)
 from ...types.shared_params.subject import Subject
 from ...types.groups.group_membership import GroupMembership
 from ...types.groups.membership_create_response import MembershipCreateResponse
+from ...types.groups.membership_retrieve_response import MembershipRetrieveResponse
 
 __all__ = ["MembershipsResource", "AsyncMembershipsResource"]
 
@@ -108,6 +114,69 @@ def create(
             cast_to=MembershipCreateResponse,
         )
 
+    def retrieve(
+        self,
+        *,
+        subject: Subject,
+        group_id: str | Omit = omit,
+        # Use the following arguments if you need to pass additional parameters to the API that aren't available via kwargs.
+        # The extra values given here take precedence over values defined on the client or passed to this method.
+        extra_headers: Headers | None = None,
+        extra_query: Query | None = None,
+        extra_body: Body | None = None,
+        timeout: float | httpx.Timeout | None | NotGiven = not_given,
+    ) -> MembershipRetrieveResponse:
+        """
+        Gets a specific membership by group ID and subject.
+
+        Use this method to:
+
+        - Check if a user or service account is a member of a group
+        - Verify group membership for access control
+
+        ### Examples
+
+        - Check user membership:
+
+          Checks if a user is a member of a specific group.
+
+          ```yaml
+          groupId: "d2c94c27-3b76-4a42-b88c-95a85e392c68"
+          subject:
+            id: "f53d2330-3795-4c5d-a1f3-453121af9c60"
+            principal: PRINCIPAL_USER
+          ```
+
+        ### Authorization
+
+        All organization members can check group membership (transparency model).
+
+        Args:
+          subject: Subject to check membership for
+
+          extra_headers: Send extra headers
+
+          extra_query: Add additional query parameters to the request
+
+          extra_body: Add additional JSON properties to the request
+
+          timeout: Override the client-level default timeout for this request, in seconds
+        """
+        return self._post(
+            "/gitpod.v1.GroupService/GetMembership",
+            body=maybe_transform(
+                {
+                    "subject": subject,
+                    "group_id": group_id,
+                },
+                membership_retrieve_params.MembershipRetrieveParams,
+            ),
+            options=make_request_options(
+                extra_headers=extra_headers, extra_query=extra_query, extra_body=extra_body, timeout=timeout
+            ),
+            cast_to=MembershipRetrieveResponse,
+        )
+
     def list(
         self,
         *,
@@ -323,6 +392,69 @@ async def create(
             cast_to=MembershipCreateResponse,
         )
 
+    async def retrieve(
+        self,
+        *,
+        subject: Subject,
+        group_id: str | Omit = omit,
+        # Use the following arguments if you need to pass additional parameters to the API that aren't available via kwargs.
+        # The extra values given here take precedence over values defined on the client or passed to this method.
+        extra_headers: Headers | None = None,
+        extra_query: Query | None = None,
+        extra_body: Body | None = None,
+        timeout: float | httpx.Timeout | None | NotGiven = not_given,
+    ) -> MembershipRetrieveResponse:
+        """
+        Gets a specific membership by group ID and subject.
+
+        Use this method to:
+
+        - Check if a user or service account is a member of a group
+        - Verify group membership for access control
+
+        ### Examples
+
+        - Check user membership:
+
+          Checks if a user is a member of a specific group.
+
+          ```yaml
+          groupId: "d2c94c27-3b76-4a42-b88c-95a85e392c68"
+          subject:
+            id: "f53d2330-3795-4c5d-a1f3-453121af9c60"
+            principal: PRINCIPAL_USER
+          ```
+
+        ### Authorization
+
+        All organization members can check group membership (transparency model).
+
+        Args:
+          subject: Subject to check membership for
+
+          extra_headers: Send extra headers
+
+          extra_query: Add additional query parameters to the request
+
+          extra_body: Add additional JSON properties to the request
+
+          timeout: Override the client-level default timeout for this request, in seconds
+        """
+        return await self._post(
+            "/gitpod.v1.GroupService/GetMembership",
+            body=await async_maybe_transform(
+                {
+                    "subject": subject,
+                    "group_id": group_id,
+                },
+                membership_retrieve_params.MembershipRetrieveParams,
+            ),
+            options=make_request_options(
+                extra_headers=extra_headers, extra_query=extra_query, extra_body=extra_body, timeout=timeout
+            ),
+            cast_to=MembershipRetrieveResponse,
+        )
+
     def list(
         self,
         *,
@@ -463,6 +595,9 @@ def __init__(self, memberships: MembershipsResource) -> None:
         self.create = to_raw_response_wrapper(
             memberships.create,
         )
+        self.retrieve = to_raw_response_wrapper(
+            memberships.retrieve,
+        )
         self.list = to_raw_response_wrapper(
             memberships.list,
         )
@@ -478,6 +613,9 @@ def __init__(self, memberships: AsyncMembershipsResource) -> None:
         self.create = async_to_raw_response_wrapper(
             memberships.create,
         )
+        self.retrieve = async_to_raw_response_wrapper(
+            memberships.retrieve,
+        )
         self.list = async_to_raw_response_wrapper(
             memberships.list,
         )
@@ -493,6 +631,9 @@ def __init__(self, memberships: MembershipsResource) -> None:
         self.create = to_streamed_response_wrapper(
             memberships.create,
         )
+        self.retrieve = to_streamed_response_wrapper(
+            memberships.retrieve,
+        )
         self.list = to_streamed_response_wrapper(
             memberships.list,
         )
@@ -508,6 +649,9 @@ def __init__(self, memberships: AsyncMembershipsResource) -> None:
         self.create = async_to_streamed_response_wrapper(
             memberships.create,
         )
+        self.retrieve = async_to_streamed_response_wrapper(
+            memberships.retrieve,
+        )
         self.list = async_to_streamed_response_wrapper(
             memberships.list,
         )

src/gitpod/types/groups/__init__.py

@@ -9,7 +9,9 @@
 from .membership_create_params import MembershipCreateParams as MembershipCreateParams
 from .membership_delete_params import MembershipDeleteParams as MembershipDeleteParams
 from .membership_create_response import MembershipCreateResponse as MembershipCreateResponse
+from .membership_retrieve_params import MembershipRetrieveParams as MembershipRetrieveParams
 from .role_assignment_list_params import RoleAssignmentListParams as RoleAssignmentListParams
+from .membership_retrieve_response import MembershipRetrieveResponse as MembershipRetrieveResponse
 from .role_assignment_create_params import RoleAssignmentCreateParams as RoleAssignmentCreateParams
 from .role_assignment_delete_params import RoleAssignmentDeleteParams as RoleAssignmentDeleteParams
 from .role_assignment_create_response import RoleAssignmentCreateResponse as RoleAssignmentCreateResponse

src/gitpod/types/groups/membership_retrieve_params.py

@@ -0,0 +1,17 @@
+# File generated from our OpenAPI spec by Stainless. See CONTRIBUTING.md for details.
+
+from __future__ import annotations
+
+from typing_extensions import Required, Annotated, TypedDict
+
+from ..._utils import PropertyInfo
+from ..shared_params.subject import Subject
+
+__all__ = ["MembershipRetrieveParams"]
+
+
+class MembershipRetrieveParams(TypedDict, total=False):
+    subject: Required[Subject]
+    """Subject to check membership for"""
+
+    group_id: Annotated[str, PropertyInfo(alias="groupId")]

src/gitpod/types/groups/membership_retrieve_response.py

@@ -0,0 +1,13 @@
+# File generated from our OpenAPI spec by Stainless. See CONTRIBUTING.md for details.
+
+from typing import Optional
+
+from ..._models import BaseModel
+from .group_membership import GroupMembership
+
+__all__ = ["MembershipRetrieveResponse"]
+
+
+class MembershipRetrieveResponse(BaseModel):
+    member: Optional[GroupMembership] = None
+    """The membership if found, nil if subject is not a member"""

src/gitpod/types/organizations/agent_policy.py

@@ -1,6 +1,6 @@
 # File generated from our OpenAPI spec by Stainless. See CONTRIBUTING.md for details.
 
-from typing import List
+from typing import List, Optional
 
 from pydantic import Field as FieldInfo
 
@@ -29,3 +29,9 @@ class AgentPolicy(BaseModel):
     scm_tools_disabled controls whether SCM (Source Control Management) tools are
     disabled for agents
     """
+
+    scm_tools_allowed_group_id: Optional[str] = FieldInfo(alias="scmToolsAllowedGroupId", default=None)
+    """
+    scm_tools_allowed_group_id restricts SCM tools access to members of this group.
+    Empty means no restriction (all users can use SCM tools if not disabled).
+    """

src/gitpod/types/organizations/policy_update_params.py

@@ -131,6 +131,12 @@ class AgentPolicy(TypedDict, total=False):
     agents
     """
 
+    scm_tools_allowed_group_id: Annotated[Optional[str], PropertyInfo(alias="scmToolsAllowedGroupId")]
+    """
+    scm_tools_allowed_group_id restricts SCM tools access to members of this group.
+    Empty means no restriction (all users can use SCM tools if not disabled).
+    """
+
     scm_tools_disabled: Annotated[Optional[bool], PropertyInfo(alias="scmToolsDisabled")]
     """
     scm_tools_disabled controls whether SCM (Source Control Management) tools are

src/gitpod/types/project_list_params.py

@@ -2,10 +2,12 @@
 
 from __future__ import annotations
 
+from typing import List
 from typing_extensions import Annotated, TypedDict
 
 from .._types import SequenceNotStr
 from .._utils import PropertyInfo
+from .runner_kind import RunnerKind
 
 __all__ = ["ProjectListParams", "Filter", "Pagination"]
 
@@ -31,6 +33,12 @@ class Filter(TypedDict, total=False):
     from these runners
     """
 
+    runner_kinds: Annotated[List[RunnerKind], PropertyInfo(alias="runnerKinds")]
+    """
+    runner_kinds filters the response to only projects that use environment classes
+    from runners of these kinds
+    """
+
     search: str
     """
     search performs case-insensitive search across project name, project ID, and