| -rw-r--r-- | README.md | 3 | ||||
| -rw-r--r-- | internal/authz/middleware.go | 2 | ||||
| -rw-r--r-- | internal/authz/model_test.go | 2 | ||||
| -rw-r--r-- | manifests/base/cm.yaml | 32 | ||||
| -rw-r--r-- | policy.csv | 1 |
5 files changed, 21 insertions, 19 deletions
@@ -76,7 +76,8 @@ access_id,friendly_name,hash
 Special prefixes for friendly names:
 - `uid:` - Regular users (default if no prefix)
-- `aid:bot:` - Bot accounts
+- `aid:` - Special accounts with the following types:
+  - `bot+` - Bot accounts (e.g. bot+argo)
 ## Configuration
diff --git a/internal/authz/middleware.go b/internal/authz/middleware.go
index 3156b67..f57fa53 100644
--- a/internal/authz/middleware.go
+++ b/internal/authz/middleware.go
@@ -60,7 +60,7 @@ func Authentication(authMap *SafeTokenMap, identityMap *IdentityMap, next http.H
 	// Store the friendly name with appropriate prefix in context
 	friendlyName, _ := identityMap.GetName(accessID)
 	prefix := "uid:" // default to user
-	if strings.HasPrefix(string(friendlyName), "bot:") {
+	if strings.HasPrefix(string(friendlyName), "bot+") {
 		prefix = "aid:"
 	}
 	urn := prefix + string(friendlyName)
diff --git a/internal/authz/model_test.go b/internal/authz/model_test.go
index 07493d3..e8eb376 100644
--- a/internal/authz/model_test.go
+++ b/internal/authz/model_test.go
@@ -117,7 +117,7 @@ func TestSafeTokenMap(t *testing.T) {
 	defer os.Remove(tmpfile.Name())
 	// Write test data
-	testData := "access123,tester,testhash\naccess456,bot:deploy,hash2\n"
+	testData := "access123,tester,testhash\naccess456,bot+deploy,hash2\n"
 	if _, err := tmpfile.Write([]byte(testData)); err != nil {
 		t.Fatalf("Failed to write test data: %v", err)
 	}
diff --git a/manifests/base/cm.yaml b/manifests/base/cm.yaml
index 00c0a19..dcf1787 100644
--- a/manifests/base/cm.yaml
+++ b/manifests/base/cm.yaml
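Review bot: The namespace decision on the changed line in middleware.go still hangs on a bare string literal, `"bot+"`, while `"uid:"` and `"aid:"` are literals on the lines just above and below it, and the same convention is now spelled out independently in README.md, cm.yaml and policy.csv. A friendly name that does not carry exactly that prefix silently lands in the `uid:` namespace, so any drift between the documented account types and this check changes which policy rows a token matches. I would hoist the three strings into package constants, e.g. `const botNameTag = "bot+"` next to the `uid:`/`aid:` counterparts, and change this line to `if strings.HasPrefix(string(friendlyName), botNameTag) {`. The model_test.go hunk only updates the CSV fixture; as far as this diff shows, nothing asserts that a `bot+` name is mapped to an `aid:` URN, so a small test for that mapping would pin the new behaviour. Authentication starts and ends outside the hunk.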
@@ -3,24 +3,24 @@ data:
   policy.csv: |
     g, role:admin, role:maintainers
     g, uid:admin, role:admin
-    g, uid:grumps, role:maintainers
-    g, uid:argo, role:bots
+    g, uid:maintainer, role:maintainers
+    g, aid:bot+argo, role:bots
     g, anon, role:anon
   auth_model.ini: |
-    [request_definition]
-    r = sub, obj, act
-
-    [policy_definition]
-    p = sub, obj, act
-
-    [role_definition]
-    g = _, _
-
-    [policy_effect]
-    e = some(where (p.eft == allow))
-
-    [matchers]
-    m = g(r.sub, p.sub) && r.obj == p.obj && r.act == p.act
+    [request_definition]
+    r = sub, obj, act
+
+    [policy_definition]
+    p = sub, obj, act
+
+    [role_definition]
+    g = _, _
+
+    [policy_effect]
+    e = some(where (p.eft == allow))
+
+    [matchers]
+    m = g(r.sub, p.sub) && r.obj == p.obj && r.act == p.act
 kind: ConfigMap
 metadata:
   name: go-git-server-policy
@@ -1,3 +1,4 @@
 g, role:admin, role:maintainers
 g, uid:admin, role:admin
 g, uid:maintainer, role:maintainers
+g, aid:bot+argo, role:bots
|
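Review bot: The policy embedded in cm.yaml and the top-level policy.csv are two hand-maintained copies of the same grouping rules, and the old sides show they had already diverged: cm.yaml still granted `uid:grumps` and `uid:argo` while policy.csv already listed `uid:maintainer`. This commit reconciles them by hand, which will drift again; generating the ConfigMap from policy.csv (for example a kustomize configMapGenerator over `policy.csv`, if these manifests are built with kustomize) would leave a single source of truth for authorization. The auth_model.ini block is removed and re-added with no visible textual difference, which suggests a whitespace-only change; a line in the commit message saying so would spare the next reader from diffing it by eye. The `@@ -1,3 +1,4 @@` hunk for policy.csv is the companion change and needs nothing further on its own.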