I am wondering what the goal of making ros2cli “security-enabled” is - maybe you can clarify?
If you grant e.g. the ros2 topic echo command access to subscribe to a specific topic what make this permission specific to the cli tool? Isn’t that conceptionally equivalent of allowing “everyone” to subscribe to that topic. If not, any other entity could simply invoke the command line tool and “get” the information from there since the tool is designed to “output” the requested information.
So I would argue that instead of giving ros2cli any kind of explicit permission you could grant the same permission to any entity (which would make the need to identify the command line tool obsolete.