Skip to content

docs: sync ADP changes from cloudv2 (2026-07-04)#125

Merged
micheleRP merged 1 commit into
mainfrom
claude/sync-cloudv2-2026-07-04
Jul 6, 2026
Merged

docs: sync ADP changes from cloudv2 (2026-07-04)#125
micheleRP merged 1 commit into
mainfrom
claude/sync-cloudv2-2026-07-04

Conversation

@micheleRP

@micheleRP micheleRP commented Jul 4, 2026

Copy link
Copy Markdown
Contributor

Summary

Syncs one user-facing Agentic Data Plane change from cloudv2 into the docs: the new agent session permissions.

📄 Deploy preview: https://deploy-preview-125--redpanda-agentic-data-plane.netlify.app/agentic-data-plane/control/permissions-reference/

cloudv2 added a public SessionService (agents/{agent}/sessions/{session}, proto v1alpha1) for listing, viewing, and deleting a managed agent's persisted conversation sessions. It introduces three new permissions that the docs' permissions reference must enumerate:

Permission Operation Writer Reader
dataplane_adp_agent_session_list List an agent's conversation sessions (summaries only)
dataplane_adp_agent_session_get View one conversation session, including its full message transcript
dataplane_adp_agent_session_delete Delete an agent's conversation sessions

Role grants are taken from writerRolePermissions / readRolePermissions in permissions_constants.go: list and get are granted to both Writer and Reader; delete is Writer-only.

What changed in modules/control/pages/permissions-reference.adoc

  • New Agent session permissions section (between agent triggers and transcripts), with the three permissions, their operations, and role grants.
  • A note that dataplane_adp_agent_session_get returns full conversation content (prompts, tool inputs/outputs, model output) to the general-purpose Reader role — unlike the transcript permissions, which require the dedicated TranscriptReader role. Grounded in the source comment in permissions_constants.go flagging that session_get sits at transcript-access trust level.
  • Updated the source-provenance comment at the top of the page.

Source commits

  • 7093932adp: move SessionService to adp-api as an AIP session resource (PR #27659, author @birdayz). Defines session.proto, the new dataplane_adp_agent_session_{list,get,delete} permissions, cedar schema, and role grants.

Reviewer

Added @birdayz (author of the source commit) as an optional reviewer for a source-accuracy check. Their approval is not blocking.

Changes considered but not documented

The rest of the last 24 hours of cloudv2 main was out of scope for docs:

  • adp-ui frontend work (mobile-responsive layouts, home-page attention dismissals, session-picker UI, visual-baseline regens, table-molecule refactors) — UI-only, not documented per the sync policy.
  • Agent-level OTel traces (52b3c15, 9716715, 4247889) — gated behind a default-off, internal cluster template knob (template.observability.traces_enabled); no customer-facing surface yet.
  • SystemPolicyService list filter + page-size bounds (AIP-158/160) — API-list refinement with no existing doc surface in adp-docs.
  • rpk ai CLI hint/auth/env refactors — internal wording and bug fixes; the rpk ai reference is auto-generated and not hand-edited here. cloudv2 characterized v0.2.18 as a maintenance release.
  • Infra/security hardening — LaunchDarkly SDK v9 bump, sentry-go bump, log-redaction fixes, image-override map, devenv/CI changes.

🤖 Generated with Claude Code

https://claude.ai/code/session_01D6G3MiyR6SvPh9JfzMXECz

Document the new dataplane_adp_agent_session_{list,get,delete}
permissions introduced by the SessionService (agents/{agent}/sessions)
in cloudv2. list and get are granted to Writer and Reader; delete is
Writer-only. Adds a note that session_get exposes full conversation
content to the general-purpose Reader role.

Source: cloudv2 PR #27659 (commit 7093932), permissions_constants.go.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01D6G3MiyR6SvPh9JfzMXECz
@micheleRP micheleRP requested a review from a team as a code owner July 4, 2026 12:14
@micheleRP micheleRP requested a review from birdayz July 4, 2026 12:14
@netlify

netlify Bot commented Jul 4, 2026

Copy link
Copy Markdown

Deploy Preview for redpanda-agentic-data-plane ready!

Name Link
🔨 Latest commit 92ef378
🔍 Latest deploy log https://app.netlify.com/projects/redpanda-agentic-data-plane/deploys/6a48f93590834000082fdab4
😎 Deploy Preview https://deploy-preview-125--redpanda-agentic-data-plane.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

Copy link
Copy Markdown
Contributor Author

[adp-docs PR critic]

Verdict: looks accurate. I reviewed the diff to modules/control/pages/permissions-reference.adoc adversarially against cloudv2 source and found no problems.

Source-accuracy checks (all confirmed against cloudv2 origin/main, commit b5d24247, which includes source commit 7093932 / PR #27659):

  • Permission names & operationspkg/permissions/permissions_constants.go defines all three verbatim: dataplane_adp_agent_session_list ("List an agent's conversation sessions (summaries only)"), dataplane_adp_agent_session_get ("View an agent conversation session including its full message transcript"), dataplane_adp_agent_session_delete ("Delete an agent's conversation sessions"). The table's operation wording matches. ✓
  • Role grants — verified in the same file: writerRolePermissions contains all three (list, get, delete); readRolePermissions contains only list and get, not delete. So the table (Writer ✓✓✓ / Reader ✓✓ / delete Writer-only) is correct. ✓
  • The NOTE (Reader can read full conversation content via session_get) — grounded. The source comment above the constants says session_get "returns full conversation payloads (prompts, tool inputs/outputs), so it belongs at transcript-access trust level," yet it is in readRolePermissions. The comparative claim ("unlike the transcript permissions") also holds: dataplane_adp_transcript_{get,list} live in the separate transcriptReaderPermissions var (TranscriptReader role), with a source comment stating transcript read access is "granted through a dedicated role rather than bundled into the broad Writer/Reader defaults." ✓
  • Prose claims — verified against proto/public/cloud/redpanda/api/adp/v1alpha1/session.proto: "managed agents only; self-managed keeps no session store" (proto: "Managed agents only. Self-managed / BYOA agents have no session store; the RPCs reject them with FAILED_PRECONDITION"); "runtime creates sessions, so there is no create or update permission" (proto: "The agent runtime creates and writes sessions (there is no Create/Update here)"); resource pattern agents/{agent}/sessions/{session} and proto version v1alpha1. ✓

Standards / correctness: AsciiDoc is well-formed — [cols="2,2,1,1"] matches the 4-column header, the empty Reader cell on the delete row is valid, and the [NOTE]/==== block is correct. Section is placed between the agent-trigger and [[transcript-permissions]] sections as described. No broken xrefs or resource IDs introduced. Source-provenance comment updated appropriately.

Completeness: The PR documents exactly the user-facing surface introduced by the source commit (the three new permissions + the Reader-trust caveat). No gaps found.

No changes recommended.


Generated by Claude Code

@micheleRP micheleRP merged commit 3d94a4e into main Jul 6, 2026
4 checks passed
@micheleRP micheleRP deleted the claude/sync-cloudv2-2026-07-04 branch July 6, 2026 14:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants