From 47c85d0985a157552edd08e1c20f91f2135fac66 Mon Sep 17 00:00:00 2001
From: glifocat
Date: Sun, 10 May 2026 20:30:15 +0200
Subject: [PATCH] fix(cli-scope): add scopeField to ResourceDef for fail-closed group scope
---
 src/cli/crud.ts | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/src/cli/crud.ts b/src/cli/crud.ts
index 9c7ed99..f2bb82b 100644
--- a/src/cli/crud.ts
+++ b/src/cli/crud.ts
@@ -52,6 +52,12 @@ export interface ResourceDef {
 description: string;
 /** Primary key column name. */
 idColumn: string;
+ /**
+ * Column that carries the agent group ID for group-scope enforcement.
+ * Required on every resource in the CLI whitelist (groups, sessions,
+ * destinations, members). When absent, post-handler filtering fails closed.
+ */
+ scopeField?: string;
 columns: ColumnDef[];
 /** Which standard CRUD operations are enabled. */
 operations: {
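Review bot: The doc comment on `scopeField` says the field is required for whitelisted resources, yet the declaration `scopeField?: string` is optional, so a whitelisted ResourceDef that omits it still type-checks and the only safeguard is the runtime fail-closed path, which this hunk does not show. The value is also a free string with no link to `columns`, so a misspelled column name compiles; whether that case fails closed too depends on code outside the diff and deserves a test. "Post-handler filtering" suggests the check runs after the handler, which would scope what is returned but presumably not stop a write that has already executed, so the comment should say which of the `operations` it covers. I would add a line such as `* Must name an entry in columns; a missing or unknown value denies access.` once that behaviour is confirmed, and consider a startup check that rejects whitelisted definitions without the field. The ResourceDef interface begins and ends outside the hunk.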