access

Defines a strictly-typed TypeScript configuration layer (src/config/) that serves as a single source of truth for identity and access control across GitHub, Google Workspace, and Discord. The configuration uses a declarative model where members, roles, and repository access levels are expressed as TypeScript objects, which are then validated for schema correctness and referential integrity before being transformed into platform-specific resources via Pulumi providers. This approach enables peer review of all access changes through Pull Requests and prevents configuration drift across multiple platforms.

Automatically provisions and synchronizes GitHub teams and repository permissions by translating declarative configuration into github.Team and github.TeamMembership Pulumi resources. The system reads member and role definitions from the configuration layer, maps them to GitHub team structures, and uses the GitHub Pulumi provider to create/update teams, manage memberships, and enforce repository access levels. Changes are previewed via pulumi preview before being applied, enabling safe deployments with rollback capability.

Automatically provisions @modelcontextprotocol.io email accounts and manages Google Workspace groups by translating configuration into googleworkspace.User and googleworkspace.Group Pulumi resources. The system reads member definitions with Google Workspace prefixes from configuration, creates user accounts with standardized email addresses, and manages group memberships. Validation ensures that Google Workspace prefixes are globally unique across the configuration to prevent email conflicts. The Pulumi provider handles API interactions with Google Workspace, including account creation, group assignment, and lifecycle management.

Automatically synchronizes Discord server roles with organizational membership by translating role definitions into Discord role assignments via Pulumi. The system reads member and role definitions from configuration, maps them to Discord roles, and uses the Discord Pulumi provider to assign/revoke roles. This ensures that Discord server roles remain aligned with the authoritative organizational structure defined in configuration, preventing manual role management drift.

Validates all configuration changes before deployment by running a suite of validation scripts (scripts/validate-config.ts) that enforce schema correctness, referential integrity, and business rules. The validation layer checks that all member IDs exist, roles are correctly assigned, Google Workspace prefixes are globally unique, and repository access configurations reference valid teams and repositories. Validation runs automatically in CI/CD (GitHub Actions) on Pull Requests, preventing invalid configurations from being merged. The system uses TypeScript's strict type system to catch errors at compile time, supplemented by runtime validation for cross-entity constraints.

Manages Pulumi infrastructure state using a Google Cloud Storage (GCS) backend instead of local state files, enabling safe multi-user deployments and state recovery. The Pulumi project is configured (Pulumi.yaml) to use a GCS bucket as the remote state backend, which stores the current state of all provisioned resources (GitHub teams, Google Workspace users, Discord roles). This enables multiple team members to deploy changes safely without state conflicts, provides automatic backups, and allows state inspection and recovery if deployments fail. The GCS backend is authenticated via Google Cloud SDK credentials.

Automatically deploys infrastructure changes to GitHub, Google Workspace, and Discord when configuration is merged to the main branch using GitHub Actions workflows. The CI/CD pipeline (defined in .github/workflows/) runs pulumi up on the main branch, which applies all pending infrastructure changes. Pull Requests trigger pulumi preview to show what changes will be deployed, enabling reviewers to understand the impact before approving. The workflow is authenticated via GitHub secrets containing Pulumi credentials, Google Cloud credentials, and platform-specific API tokens, ensuring secure credential management without exposing secrets in the repository.

Maintains a centralized member registry and role definitions that serve as the authoritative source for all identity and access decisions across platforms. The member registry (src/config/members.ts) defines individual members with platform-specific identifiers (GitHub username, Google Workspace prefix, Discord user ID), while role definitions (src/config/roles.ts) map abstract roles (e.g., 'maintainer', 'contributor') to platform-specific team/group assignments. This separation enables role-based access control where members are assigned to roles, and roles are automatically translated into platform-specific permissions. The system uses TypeScript types to ensure that all member references are valid and all role assignments are correctly structured.

Defines and enforces repository access levels by mapping GitHub teams to repositories with specific permission levels (read, write, admin). The repository access configuration (src/config/repositories.ts) specifies which teams have access to which repositories and at what permission level. This configuration is translated into GitHub team repository permissions via Pulumi, ensuring that repository access is managed declaratively and subject to peer review. The system validates that all referenced teams and repositories exist before deployment, preventing access configuration errors.

Provides a reproducible development environment using Nix and devenv (defined in devenv.nix) that ensures all contributors have consistent tooling and dependencies. The environment includes Node.js 22, Google Cloud SDK, Pulumi CLI, and other required tools, eliminating 'works on my machine' problems. Contributors can enter the environment with a single command (nix flake enter or devenv enter), which automatically installs all dependencies without requiring manual package installation. This approach ensures that all contributors use the same versions of tools, reducing debugging time and improving collaboration.