Add namespaces support (CRUD, RBAC, namespace-scoped users)

[jfrancoa]

Summary

End-to-end CLI surface for the Weaviate namespaces feature (server >= 1.38.0, paired with weaviate-python-client PR #2033 / branch jose/namespaces):

• CRUD: create namespace --name <ns>, get namespace --name <ns> | --all, delete namespace --name <ns>. All commands support --json. Backed by a new NamespaceManager.
• RBAC: manage_namespaces:<name>[,<name>...] parses through parse_permission → Permissions.namespaces(...). The bare manage_namespaces wildcard is rejected so every grant names an explicit namespace. get role (text and JSON) now renders namespaces_permissions.
• Namespace-scoped DB users: create user --user_name <u> --namespace <ns> forwards the new namespace kwarg. UserManager.create_user only sends the kwarg when set, so the CLI keeps working against non-namespaced clusters and older clients. get user text and JSON output (single user and --all) surface the namespace when present.
• Skills: operating-weaviate-cli gains a Namespaces section + references/namespaces.md; references/rbac.md documents manage_namespaces. contributing-to-weaviate-cli lists the new namespace_manager.py module.

Tests

• New test/unittests/test_managers/test_namespace_manager.py (15 tests) — happy paths, errors, JSON output, missing-name validation.
• New parse_permission cases for single namespace, multi-namespace, and wildcard rejection in test_utils.py.
• New create_user tests covering namespace forwarding (and the absence of the kwarg when not provided), plus print_db_user namespace rendering tests.
• make test → 323 passed (was 308). make lint passes.

Note on requirements-dev.txt

weaviate-client is temporarily pinned to the jose/namespaces branch of the python client so the new weaviate.namespaces module resolves and CI can run. Revert to a normal version pin (weaviate-client>=4.21.x or whatever ships) once weaviate-python-client #2033 merges and a release is cut.

Test plan

• make lint passes
• make test passes
• CI green against the python-client branch
• Manual smoke: weaviate-cli create namespace --name demo_ns --json against a Weaviate 1.38.0+ cluster
• Manual smoke: weaviate-cli create user --user_name u1 --namespace demo_ns --json
• Manual smoke: weaviate-cli create role --role_name r1 -p manage_namespaces:demo_ns --json and weaviate-cli get role --role_name r1 --json

Closes #168

🤖 Generated with Claude Code

[orca-security-eu]

Orca Security Scan Summary

Status	Check	Issues by priority
Passed	Infrastructure as Code	0   0   0   0	View in Orca
Passed	SAST	0   0   0   0	View in Orca
Passed	Secrets	0   0   0   0	View in Orca
Passed	Vulnerabilities	0   0   0   0	View in Orca

[Copilot]

Pull request overview

This PR adds end-to-end CLI support for Weaviate “namespaces” (CRUD commands, RBAC permission parsing/rendering, and namespace-scoped DB user creation/output), plus accompanying unit tests and docs updates.

Changes:

• Introduces NamespaceManager and new CLI commands: create/get/delete namespace (with --json support).
• Extends RBAC permission parsing/output to support manage_namespaces:<name>[,<name>...] and renders namespaces_permissions in role output.
• Adds optional --namespace to create user and surfaces the namespace in get user outputs (text + JSON), with unit tests.

Reviewed changes

Copilot reviewed 17 out of 17 changed files in this pull request and generated 5 comments.

Show a summary per file

File	Description
weaviate_cli/utils.py	Adds manage_namespaces permission parsing + _create_permission support for namespaces.
weaviate_cli/managers/user_manager.py	Adds namespace forwarding on user creation; prints namespace in user outputs.
weaviate_cli/managers/role_manager.py	Renders namespaces_permissions in role JSON/text output.
weaviate_cli/managers/namespace_manager.py	New manager implementing namespace CRUD and printing.
weaviate_cli/defaults.py	Adds defaults dataclasses for namespace commands and create-user namespace default.
weaviate_cli/commands/get.py	Adds get namespace subcommand; includes namespace in get user --all JSON.
weaviate_cli/commands/delete.py	Adds delete namespace subcommand.
weaviate_cli/commands/create.py	Adds create namespace subcommand; adds --namespace to create user.
test/unittests/test_utils.py	Adds unit tests for manage_namespaces parsing + wildcard rejection.
test/unittests/test_managers/test_user_manager.py	Adds tests for namespace kwarg forwarding and namespace rendering.
test/unittests/test_managers/test_namespace_manager.py	New unit tests for NamespaceManager CRUD + output modes.
requirements-dev.txt	Temporarily pins weaviate-client to a Git branch for namespaces support.
.claude/skills/operating-weaviate-cli/SKILL.md	Documents namespace commands, namespace-scoped users, and RBAC permission usage.
.claude/skills/operating-weaviate-cli/references/rbac.md	Documents manage_namespaces permission.
.claude/skills/operating-weaviate-cli/references/namespaces.md	New reference page for namespaces feature.
.claude/skills/contributing-to-weaviate-cli/SKILL.md	Updates contributor docs to include namespace commands/manager module.
.claude/skills/contributing-to-weaviate-cli/references/architecture.md	Adds namespace_manager.py to the manager list.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[jfrancoa]

@copilot review

[Copilot]

@copilot review

Addressed the two remaining unresolved review comments in commits 111edc8 and c1ed26b:

1. namespace_manager.py import guard — The top-level from weaviate.namespaces.models import Namespace is now wrapped in try/except ImportError. If the module isn't present, _NAMESPACE_SUPPORT = False is set and the CLI imports cleanly. NamespaceManager.__init__ then raises a clear RuntimeError only when a namespace command is actually invoked, rather than crashing the entire CLI at startup.

2. requirements-dev.txt SHA pin — Pinned to the specific commit SHA f2babd27 instead of the moving jose/namespaces branch, with a TODO comment linking to weaviate-python-client PR #2033 for when a released version becomes available.

All 324 unit tests pass and lint is clean.