docs: document step.authz_add_policy, step.authz_remove_policy, step.authz_role_assign #13

Merged
intel352 merged 3 commits into main from copilot/docs-add-authz-step-documentation
Mar 12, 2026

Copilot AI commented Mar 12, 2026

plugin.json declares four step types but README only documented step.authz_check_casbin, leaving the three runtime policy-mutation steps undiscoverable.

Changes

  • Capabilities table — lists all four step types
  • step.authz_add_policy — config reference (module, rule), static and Go-template rule examples, success output (authz_policy_added, authz_rule)
  • step.authz_remove_policy — same shape as add; success output uses authz_policy_removed
  • step.authz_role_assign — config table covering module, action ("add"/"remove"), and assignments; three examples: static assign, template-driven assign, revoke

Template-driven tenant onboarding example:

steps:
  - type: step.authz_add_policy
    config:
      module: authz
      rule: ["{{.tenant_role}}", "{{.resource}}", "{{.method}}"]

  - type: step.authz_role_assign
    config:
      module: authz
      action: add
      assignments:
        - ["{{.new_user_id}}", "{{.tenant_role}}"]

Original prompt

This section details on the original issue you should resolve

<issue_title>docs: document step.authz_add_policy, step.authz_remove_policy, step.authz_role_assign</issue_title>
<issue_description>## Problem

The plugin.json manifest declares four step types, but the README only documents step.authz_check. The following steps are undocumented:

  • step.authz_add_policy — adds a policy rule at runtime
  • step.authz_remove_policy — removes a policy rule at runtime
  • step.authz_role_assign — adds/removes role mappings at runtime

These are essential for multi-tenant applications that need to provision authorization policies dynamically when new tenants are onboarded.

Proposed Solution

Add documentation sections for each step type with config examples, including template-based rule definitions.</issue_description>

Comments on the Issue (you are @copilot in this section)


…authz_role_assign

Co-authored-by: intel352 <77607+intel352@users.noreply.github.com>
Copilot AI changed the title [WIP] Add documentation for step.authz_add_policy, step.authz_remove_policy, and step.authz_role_assign docs: document step.authz_add_policy, step.authz_remove_policy, step.authz_role_assign Mar 12, 2026
@intel352 intel352 marked this pull request as ready for review March 12, 2026 12:05
Copilot AI review requested due to automatic review settings March 12, 2026 12:05

Copilot AI left a comment

Pull request overview

Updates the README so all step types declared by the plugin manifest are discoverable and have usage guidance, focusing on the runtime policy-mutation steps for Casbin-backed RBAC.

Changes:

  • Expand the Capabilities table to list all four provided step types.
  • Add documentation sections for step.authz_add_policy and step.authz_remove_policy, including config and output examples.
  • Add documentation for step.authz_role_assign, including config fields and examples for add/remove role mappings.

@intel352

@copilot apply changes based on the comments in this thread

…g policy row shape

Co-authored-by: intel352 <77607+intel352@users.noreply.github.com>

Copilot AI commented Mar 12, 2026

@copilot apply changes based on the comments in this thread

Applied both reviewer suggestions in commit 87bda79:

  1. step.authz_add_policy description — now explains that when the rule is newly added the step persists it via the module's Casbin adapter (file/GORM adapters write to their backing store; in-memory changes last for the process lifetime).
  2. assignments config table — updated to "list of grouping policy rows, each with at least [user, role]" to match the actual minimum-2-element validation and accommodate models that use domain-based rows with 3+ fields.

@intel352 intel352 merged commit 8660dda into main Mar 12, 2026
9 checks passed
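
The template-driven rows discussed in this thread take their values from pipeline data, and Go's `text/template` renders a key missing from a `map[string]any` as the literal `<no value>`, which would then be stored as a policy field. The following is an added example, not the plugin's code (how the plugin renders templates is not shown on this page); `renderField`, `renderRow` and the sample values are hypothetical, and the comma/newline rejection is an assumed conservative choice.

```go
package main

import (
	"bytes"
	"fmt"
	"strings"
	"text/template"
)

// renderField renders one row field. missingKey is "default" or "error"; with
// "default", a key absent from a map[string]any renders as "<no value>".
func renderField(field string, data map[string]any, missingKey string) (string, error) {
	t, err := template.New("field").Option("missingkey=" + missingKey).Parse(field)
	if err != nil {
		return "", err
	}
	var b bytes.Buffer
	if err := t.Execute(&b, data); err != nil {
		return "", err
	}
	return b.String(), nil
}

// renderRow renders a policy or grouping row strictly and validates its shape.
func renderRow(fields []string, data map[string]any, minFields int) ([]string, error) {
	if len(fields) < minFields {
		return nil, fmt.Errorf("row has %d fields, need at least %d", len(fields), minFields)
	}
	out := make([]string, 0, len(fields))
	for i, f := range fields {
		v, err := renderField(f, data, "error")
		if err != nil {
			return nil, fmt.Errorf("field %d: %w", i, err)
		}
		// Assumed rule: no empty values, commas or newlines in a stored field.
		if strings.TrimSpace(v) == "" || strings.ContainsAny(v, ",\r\n") {
			return nil, fmt.Errorf("field %d: unsafe value %q", i, v)
		}
		out = append(out, v)
	}
	return out, nil
}

func main() {
	data := map[string]any{"tenant_role": "tenant-a-admin"} // constructed sample input
	loose, _ := renderField("{{.resource}}", data, "default")
	_, err := renderRow([]string{"{{.tenant_role}}", "{{.resource}}"}, data, 2)
	fmt.Printf("loose=%q strict=%v\n", loose, err)
}
```

Passing 2 as `minFields` mirrors the `[user, role]` minimum mentioned for `assignments`; policy rows would use whatever length the Casbin model defines.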