Module access_control 

systemprompt admin access-control — DB → YAML export channel and catalog/lint inspector.

Subcommands:

• export-yaml — read role/department rules from access_control_rules and print them as a YAML snippet matching AccessControlConfig. Stdout-only — never writes a file. The operator pastes the output into the committed YAML baseline and redeploys. Per-user overrides (rule_type='user') are operational state and intentionally excluded.

• lint — read the live access_control_entities and access_control_rules tables, then report unknown entities (rules pointing at no catalog row — only possible if the FK was bypassed manually, e.g. mid-migration) and unreachable rules (catalog rows with default_included=false and zero grant rows — entity exists but no user can ever reach it). Exits non-zero on any finding so it can gate CI.

Structs

ExportYamlArgs

LintArgs

Enums

AccessControlCommands

Functions

execute