
Scope --sync-saml-orgs to the set run's selected users#35

Merged: marcleblanc2 merged 3 commits into main from scoped-saml-org-sync on Jun 13, 2026

Conversation

@marcleblanc2 (Collaborator)

Org sync now mirrors the permission-sync mode of the same run:

  • Org names gain a synced- ownership prefix (synced-<configID>-<group>); the sync only ever modifies orgs carrying it, so manually created orgs are never touched.
  • Additive set modes (--users, --users-without-explicit-perms, --created-after) with --sync-saml-orgs run a SCOPED org sync: per-user additions AND removals computed from each selected user's own SAML assertion and org list. Other users are never touched, and no full user stream or org member pages are loaded — API traffic stays proportional to the selection. User org memberships ride along inline in the existing user queries (zero extra requests).
  • Full org sync (standalone sync-saml-orgs, set --full / --repos*) discovers every synced org in one search request (replacing per-name lookups) and now also empties — but never deletes — synced orgs whose SAML group disappeared.
  • Org snapshots record their scope (schema_version 2); scoped applies validate by re-reading just the scoped users' org lists via aliased batch lookups.
  • The fixture fake gains organizations/currentUser support; new local cases cover scoped add+remove with an out-of-scope canary member, scoped idempotence, and full-mode orphan cleanup.

Amp-Thread-ID: https://ampcode.com/threads/T-019ebdc3-c01c-72cb-aa46-52a0183c2ab1
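A worked model of the scoped and full sync rules described above, added here as an example rather than the project's own code; the helper names, the `User` fields and the synced-<configID>-<group> name layout are assumptions:

```python
from dataclasses import dataclass

SYNCED_PREFIX = "synced-"  # ownership prefix: only orgs carrying it are ever modified


def synced_org_name(config_id: str, group: str) -> str:
    """Assumed layout from the PR description: synced-<configID>-<group>."""
    return f"{SYNCED_PREFIX}{config_id}-{group}"


@dataclass(frozen=True)
class User:
    username: str
    saml_groups: tuple  # groups from this user's own SAML assertion
    orgs: tuple         # org names this user currently belongs to


def scoped_org_diff(config_id: str, user: User) -> dict:
    """Per-user additions and removals, restricted to owned synced- orgs;
    manually created orgs can only ever land in 'untouched'."""
    owned = f"{SYNCED_PREFIX}{config_id}-"
    desired = {synced_org_name(config_id, g) for g in user.saml_groups}
    current = {o for o in user.orgs if o.startswith(owned)}
    return {
        "add": sorted(desired - current),
        "remove": sorted(current - desired),
        "untouched": sorted(o for o in user.orgs if not o.startswith(owned)),
    }


def scoped_org_sync(config_id: str, selected: list) -> dict:
    """Scoped mode: only the selected users get a plan; nobody else is touched."""
    return {u.username: scoped_org_diff(config_id, u) for u in selected}


def full_org_sync(config_id: str, users: list, synced_orgs: list) -> dict:
    """Full mode: synced orgs whose SAML group vanished are emptied, never deleted."""
    owned = f"{SYNCED_PREFIX}{config_id}-"
    members: dict = {}
    for u in users:
        for g in u.saml_groups:
            members.setdefault(synced_org_name(config_id, g), set()).add(u.username)
    orphaned = [o for o in synced_orgs if o.startswith(owned) and o not in members]
    return {"members": {k: sorted(v) for k, v in members.items()},
            "emptied": sorted(orphaned)}


# Constructed fixture: alice is the selected user, bob is the out-of-scope canary.
ALICE = User("alice", ("eng", "sec"), ("synced-c1-eng", "synced-c1-ops", "manual-team"))
BOB = User("bob", ("ops",), ("synced-c1-ops",))
```

Running the scoped plan a second time over alice's post-apply org list yields empty add and remove lists, which is the idempotence property the local cases check.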

marcleblanc2 and others added 2 commits June 12, 2026 17:42
Org sync now mirrors the permission-sync mode of the same run:

- Org names gain a synced- ownership prefix
  (synced-<configID>-<group>); the sync only ever modifies orgs
  carrying it, so manually created orgs are never touched.
- Additive set modes (--users, --users-without-explicit-perms,
  --created-after) with --sync-saml-orgs run a SCOPED org sync:
  per-user additions AND removals computed from each selected user's
  own SAML assertion and org list. Other users are never touched, and
  no full user stream or org member pages are loaded — API traffic
  stays proportional to the selection. User org memberships ride
  along inline in the existing user queries (zero extra requests).
- Full org sync (standalone sync-saml-orgs, set --full / --repos*)
  discovers every synced org in one search request (replacing
  per-name lookups) and now also empties — but never deletes —
  synced orgs whose SAML group disappeared.
- Org snapshots record their scope (schema_version 2); scoped applies
  validate by re-reading just the scoped users' org lists via aliased
  batch lookups.
- The fixture fake gains organizations/currentUser support; new local
  cases cover scoped add+remove with an out-of-scope canary member,
  scoped idempotence, and full-mode orphan cleanup.

Amp-Thread-ID: https://ampcode.com/threads/T-019ebdc3-c01c-72cb-aa46-52a0183c2ab1
Co-authored-by: Amp <amp@ampcode.com>
The standalone command now requires an explicit mode — bare
sync-saml-orgs is rejected:

- --full keeps the existing whole-instance sync (with orphaned
  synced-org cleanup).
- --users / --users-without-explicit-perms / --created-after run a
  scoped per-user sync (additions AND removals for the selected users
  only), reusing the get/set user-selection pipeline; accountData and
  each user's org list ride along in the same queries.
- Artifact names carry the mode (sync-saml-orgs-full-apply,
  sync-saml-orgs-users-dry-run, ...).
- cmd_get's user loader is now load_selected_users, shared by the
  standalone scoped org-sync modes.
- Rejection matrix updated: bare invocation, --full + user-filter
  conflicts, and repo filters are rejected; live cases pass --full.

Amp-Thread-ID: https://ampcode.com/threads/T-019ebdc3-c01c-72cb-aa46-52a0183c2ab1
Co-authored-by: Amp <amp@ampcode.com>
@marcleblanc2 marcleblanc2 force-pushed the scoped-saml-org-sync branch from d99aed9 to 6d24d87 Compare June 12, 2026 23:44
A scoped org sync whose selection is empty (e.g. set --created-after
2099-01-01 --sync-saml-orgs) returned before the dry-run completion
line, so operators (and the live set-created-after-sync-saml-orgs
case) lost the run-finished marker. Log it on the nothing-to-sync
path; --apply runs still return quietly after their own summary.

Amp-Thread-ID: https://ampcode.com/threads/T-019ebdc3-c01c-72cb-aa46-52a0183c2ab1
Co-authored-by: Amp <amp@ampcode.com>
@marcleblanc2 marcleblanc2 merged commit 1cf775d into main Jun 13, 2026
6 checks passed
@marcleblanc2 marcleblanc2 deleted the scoped-saml-org-sync branch June 13, 2026 00:09