[Phase 2] Convert ClusterRoles to namespace-scoped Roles

[jeremyeder]

Epic: #1
Phase: 2 - RBAC Conversion
Dependencies: #4 (tests passing)
Estimate: 6 hours

Description

Convert the 3 ambient-project ClusterRoles to namespace-scoped Roles that can be deployed to vteam--test1.

Critical Issues Addressed

• ✅ ClusterRole dependencies in operator (Epic: MPP Deployment - Single-Namespace vTeam Implementation #1)

Implementation Tasks

1. Extract ClusterRole Definitions

Extract rules from:

• components/manifests/rbac/ambient-project-admin-clusterrole.yaml
• components/manifests/rbac/ambient-project-edit-clusterrole.yaml
• components/manifests/rbac/ambient-project-view-clusterrole.yaml

2. Create Namespace-Scoped Roles

New file: vteam-mpp-deployment/roles/ambient-project-admin.yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ambient-project-admin
  namespace: vteam--test1
rules:
# Copy all rules from ClusterRole
- apiGroups: ["vteam.ambient-code"]
  resources: ["agenticsessions", "projectsettings", "rfeworkflows"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: ["vteam.ambient-code"]
  resources: ["agenticsessions/status", "projectsettings/status", "rfeworkflows/status"]
  verbs: ["get", "update", "patch"]
# ... rest of rules ...

Repeat for ambient-project-edit and ambient-project-view.

3. Document Role Mapping

Create table showing ClusterRole → Role conversion:

Original ClusterRole	New Namespace Role	Scope Change
ambient-project-admin	ambient-project-admin (Role)	cluster-wide → vteam--test1
ambient-project-edit	ambient-project-edit (Role)	cluster-wide → vteam--test1
ambient-project-view	ambient-project-view (Role)	cluster-wide → vteam--test1

Acceptance Criteria

• 3 Role YAML files created
• All rules copied accurately from ClusterRoles
• Namespace set to vteam--test1
• Documentation updated
• Files reviewed for accuracy

Files Changed

• vteam-mpp-deployment/roles/ambient-project-admin.yaml (new)
• vteam-mpp-deployment/roles/ambient-project-edit.yaml (new)
• vteam-mpp-deployment/roles/ambient-project-view.yaml (new)

Branch

feature/mpp-single-namespace-mode

[jeremyeder]

@claude begin implementation.

[claude]

Claude finished @jeremyeder's task —— View job • claude/issue-5-20251002-1938 • Create PR ➔

---

Implementation Complete ✓

Successfully converted ClusterRoles to namespace-scoped Roles for vteam--test1:

• Read source ClusterRole definitions
• Create vteam-mpp-deployment/roles directory if needed
• Create ambient-project-admin.yaml Role
• Create ambient-project-edit.yaml Role
• Create ambient-project-view.yaml Role
• Commit and push changes
• Provide PR creation link

Summary

Created 3 namespace-scoped Role files in vteam-mpp-deployment/roles/:

1. ambient-project-admin.yaml - Full CRUD permissions for AgenticSessions, ProjectSettings, RFEWorkflows, Secrets, ConfigMaps, ServiceAccounts, RBAC resources, Jobs, Pods, Namespaces, and OpenShift Projects
2. ambient-project-edit.yaml - Session management permissions with full CRUD for AgenticSessions and RFEWorkflows, read-only ProjectSettings, and limited permissions for provisioning
3. ambient-project-view.yaml - Read-only permissions for AgenticSessions, ProjectSettings, RFEWorkflows, Jobs, and Pods

All rules have been accurately copied from the original ClusterRole definitions and scoped to the vteam--test1 namespace.

---

Job Run | Branch: claude/issue-5-20251002-1938