RedHatInsights/zed-spicedb-check
.cursor/skills/zed/SKILL.md
Run Zed permission checks against SpiceDB in Kessel stage. Use when checking RBAC permissions in SpiceDB, verifying group membership, workspace access for users, or running zed permission check/lookup-resources against stage.
$ install --global
skillsauthnpx skillsauth add RedHatInsights/insights-rbac zed-spicedb-checkInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 24, 2026, 8:50 PM1.8s1 file scanned
SKILL.md
- name:
- zed-spicedb-check
- description:
- Run Zed permission checks against SpiceDB in Kessel stage. Use when checking RBAC permissions in SpiceDB, verifying group membership, workspace access for users, or running zed permission check/lookup-resources against stage.
Zed SpiceDB Check (Stage)
Use this skill to run Zed permission checks against SpiceDB in the Kessel stage environment.
Prerequisites
-
Check for config.env: Verify
.cursor/skills/config.envexists withZED_SPICEDB_VAULT_URL(optional, for vault link). -
Get SpiceDB PSK token: The token is in Vault. Read
ZED_SPICEDB_VAULT_URLfrom.cursor/skills/config.envfor the vault link, or use: Vault - Kessel Stage SpiceDB PSK -
Export the token (do not store in config.env):
export ZED_SPICEDB_PSK="<token_from_vault>" -
oc CLI: Logged into the stage OpenShift cluster
Setup (run once per session)
Step 0: Check if logged in to the cluster
oc whoami
If this fails with "Unauthorized" or "You must be logged in to the server", you need to log in first. The stage cluster login link is in .cursor/skills/config.env as OPENSHIFT_STAGE_CONSOLE. Open that URL in your browser, click your username (top right) → Copy login command, then run the copied command in your terminal.
Step 1: Login and port-forward
# Login to stage cluster (if Step 0 showed you are not logged in)
# Get the login command from OPENSHIFT_STAGE_CONSOLE in config.env (browser → Copy login command)
oc project kessel-stage
oc port-forward svc/kessel-relations-spicedb 50051:50051
Keep the port-forward running in a separate terminal.
Step 2: Configure Zed context
Export the PSK and set the Zed context:
# Export the token (get from Vault - do not commit)
export ZED_SPICEDB_PSK="<token_from_vault>"
zed context set kessel-stage2 localhost:50051 "$ZED_SPICEDB_PSK" --insecure
zed context use kessel-stage2
Step 3: Verify it works
zed permission check rbac/group:a1b2c3d4-e5f6-4a7b-8c9d-0e1f2a3b4c5d member rbac/principal:redhat/12345678
zed permission lookup-resources rbac/group member rbac/principal:redhat/87654321
Common Commands
Check if principal is member of group
zed permission check rbac/group:<group_uuid> member rbac/principal:redhat/<user_id>
Lookup groups a principal is member of
zed permission lookup-resources rbac/group member rbac/principal:redhat/<user_id>
Check workspace access permission for user
zed permission check rbac/workspace:<workspace_uuid> view rbac/principal:redhat/<user_id>
Example:
zed permission check rbac/workspace:f7e8d9c0-b1a2-4e3d-8c7b-6a5f4e3d2c1b view rbac/principal:redhat/11223344
Resource ID format
- Group:
rbac/group:<uuid>(e.g.rbac/group:a1b2c3d4-e5f6-4a7b-8c9d-0e1f2a3b4c5d) - Workspace:
rbac/workspace:<uuid>(e.g.rbac/workspace:f7e8d9c0-b1a2-4e3d-8c7b-6a5f4e3d2c1b) - Principal:
rbac/principal:redhat/<user_id>(e.g.rbac/principal:redhat/12345678)
Config Reference
Variables in .cursor/skills/config.env:
| Variable | Description |
|----------|-------------|
| OPENSHIFT_STAGE_CONSOLE | Stage cluster web console URL — use to get "Copy login command" for oc login |
| ZED_SPICEDB_VAULT_URL | Vault URL to obtain the SpiceDB PSK token |
| ZED_SPICEDB_PSK | The PSK token — use export, do not store in config.env |
Related Skills
RedHatInsights/relationship-query
development
VerifiedTrustedCommunity
Query relationships in SpiceDB/Kessel via the RBAC relations API
11SKILL.mdUpdated Apr 16, 2026
RedHatInsights/local-dev
development
VerifiedTrustedCommunity
How to run unit tests, linting, and type checking for local development
11SKILL.mdUpdated Apr 16, 2026
RedHatInsights/gabi-sql-query
data-ai
VerifiedTrustedCommunity
Run SQL queries against RBAC database in stage or prod using gabi
11SKILL.mdUpdated Apr 16, 2026
steipete/skill-creator
testing
VerifiedTrustedCommunity
Create, edit, improve, or audit AgentSkills. Use when creating a new skill from scratch or when asked to improve, review, audit, tidy up, or clean up an existing skill or SKILL.md file. Also use when editing or restructuring a skill directory (moving files to references/ or scripts/, removing stale content, validating against the AgentSkills spec). Triggers on phrases like "create a skill", "author a skill", "tidy up a skill", "improve this skill", "review the skill", "clean up the skill", "audit the skill".
356,423SKILL.mdUpdated Apr 13, 2026