Reword OAuth service query docs/comments to read-only#263
Merged
Conversation
The OAuth audience change makes the Query API read-only for service queries, so the four places describing OAuth `cloud service query` as following the user's console role (implying read + write) are now inaccurate. Reword them to read-only: - README.md note under "OAuth login (read-only)" - README.md "Query API auth modes" OAuth bullet (reframed: the read/write contrast against API-key mode collapses, so it now states read-only and points to API key auth for writes) - run_query_bearer doc comment in clickhouse-cloud-api client.rs - Query subcommand after_help "CONTEXT FOR AGENTS" block in cli.rs Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Closes #262.
Once the OAuth audience returns read-only for the service query endpoints, four places that described OAuth
cloud service queryas following the user's console role (implying read and write) are inaccurate. This reword fixes them to state read-only:README.md(OAuth login note) — "your console role's permissions" → "read-only access".README.md("Query API auth modes" OAuth bullet) — reframed: the read/write contrast against API-key mode collapses under a read-only audience, so the bullet now states read-only SQL access (SELECT/reads only, no INSERT/DDL/writes) and points to API key auth for writes.crates/clickhouse-cloud-api/src/client.rs(run_query_bearerdoc comment) — "SQL permissions follow the user's console role" → "grants read-only SQL access".crates/clickhousectl/src/cloud/cli.rs(Queryafter_help"CONTEXT FOR AGENTS" block) — "permissions follow your console role" → "read-only access (SELECT only, no writes)".Everything else in these files already states OAuth is read-only and only becomes more accurate.
Docs/comments only — no behavior change.
cargo build,cargo clippy --all-targets, andcargo test -p clickhousectlall pass.🤖 Generated with Claude Code
Note
Low Risk
Comment and README edits only; no code paths or authentication logic changed.
Overview
Updates documentation and comments only so OAuth
cloud service queryis described as read-only SQL, matching the Query API’s read-only OAuth audience (closes #262).README.md — The OAuth login note no longer says SQL follows your console role’s permissions; it says read-only access. In Query API auth modes, the OAuth bullet no longer implies SQL-console / role-based read+write; it states read-only access (SELECT and other reads; no INSERT, DDL, or writes) and directs users to API key auth for writes.
run_query_bearer(clickhouse-cloud-api) — Doc comment reframed from “permissions follow the user's console role” to read-only SQL access.cloud service queryCLIafter_help— Agent context text updated the same way (read-only, SELECT only, no writes).No runtime or auth behavior changes.
Reviewed by Cursor Bugbot for commit e17b4fc. Bugbot is set up for automated code reviews on this repo. Configure here.