@habeetat/cli 0.1.0-dev.20260606080502.37cebd8 → 0.1.0-dev.20260618151449.8ee92f3

package/dist/bin.js

@@ -13175,6 +13175,15 @@ VALUES ('default', 'nhp-backend-scope', 'nhp-backend-resource', 'nhp:all', 'Full
 ON CONFLICT (id) DO UPDATE
 SET resource_id = EXCLUDED.resource_id, name = EXCLUDED.name, description = EXCLUDED.description;
 
+-- Group scopes (enforced by the SDK ScopeGuard on /sdk/v1/groups). Without
+-- these the groups:read scope-gate is unsatisfiable for any client.
+INSERT INTO scopes (tenant_id, id, resource_id, name, description)
+VALUES
+  ('default', 'nhp-scope-groups-read', 'nhp-backend-resource', 'groups:read', 'Read tenant groups via the SDK'),
+  ('default', 'nhp-scope-groups-write', 'nhp-backend-resource', 'groups:write', 'Manage tenant groups via the SDK')
+ON CONFLICT (id) DO UPDATE
+SET resource_id = EXCLUDED.resource_id, name = EXCLUDED.name, description = EXCLUDED.description;
+
 -- Launcher SPA
 INSERT INTO applications (tenant_id, id, name, secret, description, type, oidc_client_metadata, custom_client_metadata, is_third_party)
 VALUES (
@@ -13238,6 +13247,13 @@ BEGIN
     INSERT INTO applications_roles (tenant_id, id, application_id, role_id)
     VALUES ('default', 'ar_m2m_${m2mAppId}', '${m2mAppId}', v_role_id)
     ON CONFLICT DO NOTHING;
+
+    -- Grant groups:read to the backend M2M client so SDK consumers reusing it
+    -- can call /sdk/v1/groups. (Per-app scopes via app manifests come later
+    -- with vendor onboarding.)
+    INSERT INTO roles_scopes (tenant_id, id, role_id, scope_id)
+    VALUES ('default', 'rs_m2m_groups_read', v_role_id, 'nhp-scope-groups-read')
+    ON CONFLICT DO NOTHING;
 END $$;
 
 -- Update admin-console redirect URIs