Service-layer auth enforcement: Google sync actions (#419)

[peterdrier]

Summary

Phase 3b of the authorization transition plan. Pushes authorization checks into IGoogleSyncService and ISyncSettingsService so external Google Workspace API calls can never be made without a prior privilege check, regardless of call path. Mirrors the nobodies-collective#418 precedent exactly (resource-based handler + ClaimsPrincipal threaded through service methods, SystemPrincipal for jobs).

Automated by /execute-sprint batch 3.

Design

• New GoogleSyncOperationRequirement with two operation classes: Preview (read-only Google API — list groups, check drift) and Execute (mutations — add/remove members, provision, remediate).
• New GoogleSyncAuthorizationHandler:
  • SystemPrincipal → always succeeds (background jobs).
  • Admin → always succeeds for both Preview and Execute.
  • TeamsAdmin/Board → Preview-only (they can view the sync dashboard but not mutate).
  • Everyone else → denied.
• Every IGoogleSyncService method with external side effects now takes a ClaimsPrincipal and calls IAuthorizationService.AuthorizeAsync at the top of the method, before touching any Google client. Unauthorized callers raise UnauthorizedAccessException.
• SyncResourcesByTypeAsync and SyncSingleResourceAsync pick their requirement from the SyncAction argument so a Preview action only needs Preview privilege.
• ISyncSettingsService.UpdateModeAsync is also guarded, since sync settings gate every downstream sync job.
• GoogleAdminService.LinkGroupToTeamAsync and TeamResourceService.SetRestrictInheritedAccessAsync accept and forward a ClaimsPrincipal so the chain stays typed end-to-end.
• All background jobs (SystemTeamSyncJob, GoogleResourceReconciliationJob, GoogleResourceProvisionJob, ProcessGoogleSyncOutboxJob, SuspendNonCompliantMembersJob) pass SystemPrincipal.Instance.
• Controllers still carry their [Authorize(Policy = PolicyNames.AdminOnly)] (and analogous) attributes — defense in depth, per .claude/DESIGN_RULES.md.

Acceptance criteria

• Google sync service methods enforce authorization internally
• External Google API calls never made without prior auth check (guard runs before any await Get*ServiceAsync() / HTTP call)
• Background sync jobs use system-level context (SystemPrincipal.Instance)
• Unit tests verify unauthorized callers throw before reaching the Google API
• Controllers still authorize before calling the service (attributes preserved on every action)

Tests

• GoogleSyncAuthorizationHandlerTests — 18 cases covering SystemPrincipal, Admin, TeamsAdmin/Board Preview-only, and denial matrix for every other admin role.
• GoogleWorkspaceSyncServiceTests — 21 cases: one per guarded public method asserting UnauthorizedAccessException is thrown for an unprivileged principal and that IAuthorizationService.AuthorizeAsync is invoked exactly once; Preview-vs-Execute requirement selection; null-principal ArgumentNullException.
• SyncSettingsServiceTests — new ThrowsUnauthorized_WhenAuthorizationFails case.
• Existing job and service tests updated for the new signatures.
• Full Humans.Application.Tests suite: 997 passed, 0 failed.
• Integration tests pre-existing Docker/testcontainers infra failures, unrelated to this change.

Test plan

• Smoke test on preview: admin can trigger sync; non-admin hitting a direct route gets a 403 (still via controller attribute).
• Verify scheduled reconciliation and system team sync jobs still run and complete on preview after deploy.
• Verify sync settings changes by admin still work and are audited.

Closes nobodies-collective#419

🤖 Generated with Claude Code

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 2834de5007

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Avoid execute-only sync call in TeamsAdmin edit path

This action is still authorized for TeamsAdminBoardOrAdmin, but the new EnsureTeamGroupAsync(id, User) call now requires the Execute requirement (Admin/system only), so TeamsAdmin/Board edits deterministically throw UnauthorizedAccessException before any Google-group logic runs. In EditTeam, that exception is caught after UpdateTeamAsync has already persisted changes, so non-admin editors now get a spurious failure on every edit and prefix changes can be saved without the corresponding group sync being applied.

Useful? React with 👍 / 👎.

[peterdrier]

Confirmed — fixed in 19cabd9.

The handler was too coarse: it had only Preview (read-only) and Execute (everything else, Admin+system only). Per the docs/sections/Teams.md invariant, TeamsAdmin is explicitly authorized to "link/unlink Google resources on all teams" but cannot "execute sync actions" — so the two responsibilities needed separate tiers.

Changes:

• Added a TeamResource requirement that TeamsAdmin + Board + Admin + system can satisfy
• Moved EnsureTeamGroupAsync and ProvisionTeamGroupAsync (called internally by the former) to use TeamResource
• Execute stays Admin/system-only for workspace-wide sync actions (SyncResourcesByTypeAsync, UpdateDriveFolderPathsAsync, RemediateGroupSettingsAsync, etc.)
• Added 5 handler tests for the new tier (TeamsAdmin/Board/Admin/system allowed, other admin roles denied)

The EditTeam and CreateTeam paths now satisfy the service-layer auth check for TeamsAdmin/Board editors, so the UpdateTeamAsync-then-catch silent drop you flagged no longer happens.