feat: add connect_as field for service database credentials #338

Merged: rshoemaker merged 5 commits into main from feat/PLAT-539/service_connect_as on Apr 14, 2026

@rshoemaker

Summary

  • Services now specify which database_users entry to connect as via the new required connect_as field on ServiceSpec, replacing the auto-created svc_*_ro/svc_*_rw service accounts for MCP
  • Validates connect_as references an existing database_users entry, and that allow_writes: true requires db_owner: true
  • MCP config resource reads credentials from the spec instead of ServiceUserRole state
  • ServiceUserRole creation is disconnected for MCP (PostgREST/RAG still use it until they adopt connect_as)
  • State migration (v2.0.0) removes swarm.service_user_role resources and dependency references from existing deployments
  • E2E fixtures updated with connect_as

Test plan

  • Unit tests pass (976 tests)
  • Manual testing: RW mode (connect_as: "app", allow_writes: true) — reads and writes succeed
  • Manual testing: RO mode (connect_as: "app_read_only", allow_writes: false) — reads succeed, writes rejected with read-only transaction
  • Manual testing: config swap via update-database without container restart (SIGHUP reload)
  • Manual testing: pg_read_all_data covers spock schema, admin-created tables, other-user tables, custom schemas
  • Golden tests regenerated
  • State migration tested (removes service_user_role resources + dependency refs)
  • E2E tests against Lima fixture
  • Verify PostgREST/RAG provisioning is unaffected

@coderabbitai

coderabbitai bot commented Apr 10, 2026

Walkthrough

Adds connect_as to ServiceSpec, validates it against DatabaseUsers (including MCP write-owner rules), propagates it through API conversion and DB models, resolves credentials into service instances, replaces role-derived MCP credentials with explicit connect-as credentials, updates orchestrator resource wiring, tests, and golden fixtures.

Changes

| Cohort / File(s) | Summary |
|---|---|
| API Schema & Conversion: `api/apiv1/design/database.go`, `server/internal/api/apiv1/convert.go` | Added connect_as/ConnectAs to ServiceSpec and wired it in API↔database conversions. |
| API Validation & Tests: `server/internal/api/apiv1/validate.go`, `server/internal/api/apiv1/validate_test.go` | validateServiceSpec now accepts DatabaseUsers; added validateConnectAs (existence + MCP db_owner when writes allowed); tests updated/added. |
| Database Model & Instance: `server/internal/database/spec.go`, `server/internal/database/service_instance.go` | Added ConnectAs string to DB ServiceSpec; ServiceInstanceSpec gains ConnectAsUsername and ConnectAsPassword; Clone() copies field. |
| Workflows (plan update): `server/internal/workflows/plan_update.go` | getServiceResources resolves serviceSpec.ConnectAs against spec.DatabaseUsers, sets resolved username/password on instance or returns not-found error. |
| Orchestrator & MCP Config: `server/internal/orchestrator/swarm/mcp_config_resource.go`, `server/internal/orchestrator/swarm/orchestrator.go`, `server/internal/orchestrator/swarm/service_instance*.go` | Replaced RO/RW credential fields with connect_as_username/connect_as_password (resource version bump); removed MCP-specific ServiceUserRole creation/dependencies; wired resolved credentials into MCP config and instance resources; added ServiceType on instance resources. |
| Operations Golden Tests & Helpers: `server/internal/database/operations/golden_test/.../*.json`, `server/internal/database/operations/helpers_test.go` | Removed expected create/delete steps for swarm.service_user_role in golden fixtures; deleted serviceUserRoleResource test stub and removed related dependencies in helpers. |
| E2E Tests: `e2e/service_provisioning_test.go` | Updated controlplane.ServiceSpec literals to include ConnectAs: "admin" across test cases. |

Poem

🐰 I hop through lines of spec and tree,
tucked connect_as beneath a leaf for glee.
A username found, a secret snug and true,
MCP drops roles and wears credentials new.
Carrot code—cozy, small, and through.

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 33.33% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title clearly summarizes the main change: adding a connect_as field for service database credentials, which aligns with the core PR objective. |
| Description check | ✅ Passed | The PR description includes Summary, Changes, Testing, and Checklist sections; however, the Changelog and Breaking Changes sections are not explicitly completed. |


@codacy-production

codacy-production bot commented Apr 10, 2026

Up to standards ✅

🟢 Issues 1 medium

Results:
1 new issue

Category Results
Complexity 1 medium

🟢 Metrics 13 complexity · -2 duplication

Metric Results
Complexity 13
Duplication -2


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 4

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@server/internal/orchestrator/swarm/mcp_config_resource.go`:
- Around line 55-60: Remove the connect_as credential paths from
MCPConfigResource.DiffIgnore so changes to "/connect_as_username" and
"/connect_as_password" will be detected and trigger Update; additionally, adjust
Refresh logic (related to MCPConfigResource.Refresh) to only check for the
existence of "config.yaml" and avoid rewriting runtime-owned files
("tokens.yaml" and "users.yaml") so those files remain runtime-managed while
config.yaml presence is used as the sole refresh existence check.

In `@server/internal/orchestrator/swarm/service_instance_spec.go`:
- Around line 93-96: The MCP branch in populateCredentials returns early without
clearing existing credentials, which can leave stale secrets in s.Credentials;
modify populateCredentials so that when s.ServiceSpec.ServiceType == "mcp" you
explicitly reset/clear s.Credentials (e.g., set to nil or an empty credentials
struct) before returning, ensuring old credentials are not carried forward.

In `@server/internal/resource/migrations/2_0_0.go`:
- Around line 19-35: The migration currently deletes all swarm.service_user_role
entries; instead restrict deletions to MCP-owned role state only: in
Version_2_0_0.Run, when iterating state.Resources for serviceUserRoleType and
when filtering data.Dependencies, check each resource's ownership/metadata
(e.g., an owner/managedBy field on the resource or data.Metadata) and only
remove resources and dependency edges where that ownership indicates MCP (e.g.,
managedBy == "mcp"); leave non-MCP service_user_role resources and their
dependency edges untouched so ServiceUserRole resolution in ServiceInstanceSpec
and rag_config_resource continues to work.

In `@server/internal/workflows/plan_update.go`:
- Around line 126-138: The planner currently copies the referenced user's
ConnectAsPassword from spec.DatabaseUsers into the service without validating
it; if the referenced database.User has an empty password the plan will succeed
but service DB auth will fail. Update the lookup block that handles
serviceSpec.ConnectAs in plan_update.go (where connectAsUser is resolved from
spec.DatabaseUsers) to reject empty secrets: after finding database.User (type
database.User) check that its Password (or ConnectAsPassword field used when
assigning to the service) is non-empty and return an error like "connect_as user
%q has empty password" if empty; apply the same validation for the additional
occurrence noted around lines 154-156 so the planner never copies an empty
ConnectAsPassword into the service spec.

📥 Commits

Reviewing files that changed from the base of the PR and between 93f273f and d2d43c5.

⛔ Files ignored due to path filters (9)
  • api/apiv1/gen/control_plane/service.go is excluded by !**/gen/**
  • api/apiv1/gen/http/control_plane/client/encode_decode.go is excluded by !**/gen/**
  • api/apiv1/gen/http/control_plane/client/types.go is excluded by !**/gen/**
  • api/apiv1/gen/http/control_plane/server/encode_decode.go is excluded by !**/gen/**
  • api/apiv1/gen/http/control_plane/server/types.go is excluded by !**/gen/**
  • api/apiv1/gen/http/openapi.json is excluded by !**/gen/**
  • api/apiv1/gen/http/openapi.yaml is excluded by !**/gen/**
  • api/apiv1/gen/http/openapi3.json is excluded by !**/gen/**
  • api/apiv1/gen/http/openapi3.yaml is excluded by !**/gen/**
📒 Files selected for processing (26)
  • api/apiv1/design/database.go
  • e2e/service_provisioning_test.go
  • server/internal/api/apiv1/convert.go
  • server/internal/api/apiv1/validate.go
  • server/internal/api/apiv1/validate_test.go
  • server/internal/database/operations/golden_test/TestUpdateDatabase/add_service_to_existing_database.json
  • server/internal/database/operations/golden_test/TestUpdateDatabase/remove_service_from_existing_database.json
  • server/internal/database/operations/golden_test/TestUpdateDatabase/single_node_with_service_from_empty.json
  • server/internal/database/operations/helpers_test.go
  • server/internal/database/service_instance.go
  • server/internal/database/spec.go
  • server/internal/orchestrator/swarm/mcp_config_resource.go
  • server/internal/orchestrator/swarm/orchestrator.go
  • server/internal/orchestrator/swarm/service_instance.go
  • server/internal/orchestrator/swarm/service_instance_spec.go
  • server/internal/resource/migrations/2_0_0.go
  • server/internal/resource/migrations/2_0_0_test.go
  • server/internal/resource/migrations/golden_test/TestVersion_1_0_0/empty.json
  • server/internal/resource/migrations/golden_test/TestVersion_1_0_0/no_nodes.json
  • server/internal/resource/migrations/golden_test/TestVersion_1_0_0/populate_n3_with_n1_source.json
  • server/internal/resource/migrations/golden_test/TestVersion_1_0_0/single_node_with_replicas.json
  • server/internal/resource/migrations/golden_test/TestVersion_1_0_0/three_nodes.json
  • server/internal/resource/migrations/golden_test/TestVersion_1_0_0/with_restore_config.json
  • server/internal/resource/migrations/provide.go
  • server/internal/resource/state.go
  • server/internal/workflows/plan_update.go
💤 Files with no reviewable changes (4)
  • server/internal/database/operations/golden_test/TestUpdateDatabase/remove_service_from_existing_database.json
  • server/internal/database/operations/golden_test/TestUpdateDatabase/add_service_to_existing_database.json
  • server/internal/database/operations/golden_test/TestUpdateDatabase/single_node_with_service_from_empty.json
  • server/internal/database/operations/helpers_test.go
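
The connect_as rules from the PR summary (the reference must name an existing database_users entry, and allow_writes: true requires db_owner: true), together with the empty-password check suggested in the review above, can be expressed as one resolution step. This is an added example, not code from the PR or the project: the `DatabaseUser` and `ServiceSpec` types, `ResolveConnectAs`, and the error values are hypothetical simplifications, and the sample users are constructed.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical, simplified stand-ins for the project's spec types (assumptions).
type DatabaseUser struct {
	Username, Password string
	DBOwner            bool
}

type ServiceSpec struct {
	ServiceType, ConnectAs string
	AllowWrites            bool
}

var (
	ErrUnknownUser   = errors.New("connect_as does not match a database_users entry")
	ErrNotOwner      = errors.New("allow_writes requires db_owner on the connect_as user")
	ErrEmptyPassword = errors.New("connect_as user has empty password")
)

// ResolveConnectAs applies the three checks in order and returns the
// username and password the service would be configured with.
func ResolveConnectAs(svc ServiceSpec, users []DatabaseUser) (string, string, error) {
	for _, u := range users {
		if svc.ConnectAs == "" || u.Username != svc.ConnectAs {
			continue
		}
		// A writable MCP service must run as a db_owner user.
		if svc.ServiceType == "mcp" && svc.AllowWrites && !u.DBOwner {
			return "", "", fmt.Errorf("%w: %q", ErrNotOwner, u.Username)
		}
		// Fail at plan time instead of shipping a credential that cannot authenticate.
		if u.Password == "" {
			return "", "", fmt.Errorf("%w: %q", ErrEmptyPassword, u.Username)
		}
		return u.Username, u.Password, nil
	}
	// Missing or unknown reference: never fall back to a default account.
	return "", "", fmt.Errorf("%w: %q", ErrUnknownUser, svc.ConnectAs)
}

func main() {
	users := []DatabaseUser{{"app", "example-only", true}, {"app_read_only", "example-only", false}} // constructed
	_, _, err := ResolveConnectAs(ServiceSpec{"mcp", "app_read_only", true}, users)
	fmt.Println(err) // writes requested for a non-owner user
}
```
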

Comment thread server/internal/orchestrator/swarm/mcp_config_resource.go Outdated
Comment thread server/internal/orchestrator/swarm/service_instance_spec.go
Comment thread server/internal/resource/migrations/2_0_0.go Outdated
Comment thread server/internal/workflows/plan_update.go
@rshoemaker rshoemaker force-pushed the feat/PLAT-539/service_connect_as branch from 1f90726 to 81e9b63 Compare April 13, 2026 18:28
Comment thread server/internal/api/apiv1/validate.go Outdated
Services now specify which database_users entry to connect as via the
new required connect_as field on ServiceSpec, replacing the auto-created
svc_*_ro and svc_*_rw service accounts for MCP.

- Add connect_as to Goa DSL, domain model, and API convert layer
- Validate connect_as references an existing database_users entry
- Validate allow_writes requires db_owner on the connect_as user
- Wire connect_as credentials through ServiceInstanceSpec into
  MCPConfigResource, bypassing ServiceUserRole for MCP
- Disconnect ServiceUserRole creation for MCP services (PostgREST
  and RAG still use it until they adopt connect_as)
- Add state migration (v2.0.0) to remove swarm.service_user_role
  resources and dependency references from existing deployments
- Update E2E test fixtures with connect_as
…nore so credential changes trigger an Update
@rshoemaker rshoemaker force-pushed the feat/PLAT-539/service_connect_as branch from c6931ba to d4e8033 Compare April 14, 2026 16:01
Comment thread api/apiv1/design/database.go Outdated

@tsivaprasad tsivaprasad left a comment


Looks Good

@rshoemaker rshoemaker merged commit 2fc886f into main Apr 14, 2026
3 checks passed