Sync cloud-sdk-go v0.14.1

[anekkanti]

Sync cloud-sdk-go v0.14.1

Keeps cloud-cli pinned to the current state of the cloud-sdk-go
releasecandidate/v0.14.1 branch and exposes the new SDK API surface in the
CLI. Runs before the SDK RC is merged so the downstream CLI work can be
reviewed alongside the SDK candidate.

Source candidates

• SDK RC PR: Sync cloud-api v0.17.1 cloud-sdk-go#57 — Sync cloud-api v0.17.1
  (Sync cloud-api v0.17.1 cloud-sdk-go#57)
• Originating cloud-api tag: v0.17.1
• SDK RC branch releasecandidate/v0.14.1 @ e6c2bafd1bf5e2fcbdbfcb7ff1086cabcbb47b7a

Dependency bump

• go.temporal.io/cloud-sdk: v0.13.0 → v0.14.1-0.20260616191445-e6c2bafd1bf5
• Pinned to the exact RC commit e6c2bafd1bf5e2fcbdbfcb7ff1086cabcbb47b7a
  (go get go.temporal.io/cloud-sdk@e6c2bafd1bf5e2fcbdbfcb7ff1086cabcbb47b7a), then go mod tidy.
• Shared dependencies were checked against the SDK's go.mod on the RC branch
  (e.g. go.temporal.io/api, the genproto modules). cloud-cli already
  requires versions at or above everything the SDK declares, so MVS keeps the
  existing (higher) versions — no alignment downgrade was needed and no drift
  was introduced.

SDK changes detected (v0.13.0 → RC)

Purely additive — no removed, renamed, or signature-changed symbols.

New RPCs on CloudService (all read-only, paginated):

• GetUserNamespaceAssignments(namespace, page_size, page_token) → users []UserNamespaceAssignment
• GetServiceAccountNamespaceAssignments(namespace, page_size, page_token) → service_accounts []ServiceAccountNamespaceAssignment
• GetUserGroupNamespaceAssignments(namespace, page_size, page_token) → groups []UserGroupNamespaceAssignment

New identity message types (each: id, name/email/display_name, namespace_access, inherited_access, resource_version):

• identity/v1.UserNamespaceAssignment
• identity/v1.ServiceAccountNamespaceAssignment
• identity/v1.UserGroupNamespaceAssignment

New enum value:

• region/v1.Region_CloudProvider: CLOUD_PROVIDER_AZURE = 3. No CLI code
  change required — cloud-provider values render automatically via the existing
  RegisterEnumToStringConverter[...Region_CloudProvider] registration in
  commands.go, so cloud region get/list will display Azure regions once the
  SDK is bumped.

CLI changes

Existing commands updated: none. (No wrapped SDK method changed signature or
gained fields; the only field-level additions are on the brand-new assignment
types.)

New commands added (read-only, mirroring existing list conventions; each
takes the standard required --namespace/-n, optional --page-size,
--page-token, and --api-key/--server):

• cloud namespace user list — wraps GetUserNamespaceAssignments
• cloud namespace service-account list — wraps GetServiceAccountNamespaceAssignments
• cloud namespace user-group list — wraps GetUserGroupNamespaceAssignments

Implemented in temporalcloudcli/commands.namespace.access.go with unit tests in
commands.namespace.access_test.go. commands.yml, the generated
commands.gen.go, and the regenerated cloudservice mock are updated
accordingly. make all (gen + build + mocks + test) passes.

Backward compatibility

No backward-incompatible changes were made — additions only. No existing
command, subcommand, flag, positional argument, default, type, or output was
removed, renamed, or changed. All new flags are optional with safe defaults
(empty/zero), so existing invocations behave identically. Nothing had to be
skipped for compatibility reasons.

RC pseudo-version note

This pins an RC pseudo-version (v0.14.1-0.20260616191445-e6c2bafd1bf5),
not a published tag. Once cloud-sdk-go v0.14.1 is released, the dependency
should be re-pinned to the tagged version. That is a separate, human-driven
follow-up and is out of scope for this PR.

---

Note

Low Risk
Read-only, additive CLI and dependency bump with no changes to existing command behavior; identity listing is operationally sensitive but does not modify access.

Overview
Bumps go.temporal.io/cloud-sdk from v0.13.0 to the v0.14.1 RC commit and wires up the new read-only Get*NamespaceAssignments RPCs in the CLI.

Under temporal cloud namespace, three new list subcommands let operators see who has access to a namespace (direct and inherited): user, service-account, and user-group. Each supports --namespace, pagination via --page-size / --page-token, and prints Id, Email (or equivalent), and NamespaceAccess through the existing printer. Handlers live in commands.namespace.access.go; commands.yml, generated commands.gen.go, and the cloudservice mock are updated to match.

No existing commands or flags change; SDK surface is additive only (including Azure region enum support via existing enum rendering, with no extra CLI work in this diff).

^{Reviewed by Cursor Bugbot for commit b851fc2. Bugbot is set up for automated code reviews on this repo. Configure here.}

[cursor]

Cursor Bugbot has reviewed your changes using default effort and found 2 potential issues.

^{Reviewed by Cursor Bugbot for commit b851fc2. Configure here.}

[cursor]

Wrong table fields for identities

Medium Severity

In default (non-JSON) output, PrintResourceList only renders struct fields named in Fields. The service-account and user-group list handlers request Email, but those assignment types expose Name and DisplayName instead (as in the unit tests and SDK shape). Table views omit the primary identifier column and only show id and access.

Additional Locations (1)

• temporalcloudcli/commands.namespace.access.go#L90-L93

 

^{Reviewed by Cursor Bugbot for commit b851fc2. Configure here.}

[cursor]

Inherited access hidden in tables

Medium Severity

All three namespace assignment list commands document direct and inherited access, and the API returns InheritedAccess, but table Fields omit it. Rows with inherited-only access (e.g. email with no NamespaceAccess in tests) show a blank permission column with no indication the access is inherited.

Additional Locations (2)

• temporalcloudcli/commands.namespace.access.go#L62-L65
• temporalcloudcli/commands.namespace.access.go#L90-L93

 

^{Reviewed by Cursor Bugbot for commit b851fc2. Configure here.}