[EPIC] - GitHub Permission Visualization UI

[uwe-mayer]

Problem Statement

Users have no visual way to understand what GitHub permissions are deployed for their team. RepoGuard manages GitHub team permissions based on Greenhouse Teams, but there is no UI to see which GitHub teams exist, what repositories they have access to, and whether the sync state is healthy.

Related Epics

This Epic is part of a cross-repo initiative to visualize permissions end-to-end:

• [EPIC] - Permission Management UI Plugin greenhouse#1977 — Permission Management UI: Profiles, Access Levels, CCRNs (config/definition layer)
• [EPIC] - Team Visualization in the Organizational UI greenhouse#1978 — Team & K8s Permission Visualization: Team members (SCIM) + deployed TeamRoles/TeamRoleBindings
• This issue — GitHub Permission Visualization: RepoGuard CRs, GitHub team sync state

Context

RepoGuard deploys GitHub permissions (team memberships, repository access) based on Greenhouse Teams. The Permission Manager defines Access Levels with CCRNs that describe GitHub resources (e.g., repository access). The deployment chain is:

1. Permission Manager defines an Access Level with a GitHub CCRN (config intent)
2. Greenhouse creates a (technical) Team representing the group
3. RepoGuard syncs that Team to a GitHub team with the appropriate repository permissions

Currently there is no way to visualize:

• Which GitHub teams are managed by RepoGuard
• What repositories each GitHub team has access to
• Whether the sync between Greenhouse Teams and GitHub teams is healthy
• The mapping from Permission Manager Access Levels to actual GitHub permissions

Solution Approach

Build a UI (Greenhouse plugin or standalone view) that reads RepoGuard CRDs from the Kubernetes API server and visualizes:

• Managed GitHub teams and their repository access
• Sync status between Greenhouse Teams and GitHub teams
• Link back to the source Permission Manager Profile/Access Level (via [EPIC] - Permission Management UI Plugin greenhouse#1977)

User Stories

US1: View GitHub Team Permissions

As a developer or manager,
I want to see which GitHub teams are managed and what repository access they have,
So that I understand my GitHub permissions without checking GitHub directly.

Acceptance Criteria (preliminary):

• UI shows all RepoGuard-managed GitHub teams
• Each GitHub team shows its repository access (repos + permission level)
• Teams can be searched/filtered by name or repository

US2: View Sync Status

As a platform engineer,
I want to see whether GitHub team permissions are in sync with the desired state,
So that I can identify and troubleshoot drift or sync failures.

Acceptance Criteria (preliminary):

• Sync status is visible per managed GitHub team
• Failed or out-of-sync resources are highlighted
• Link to the source Greenhouse Team that drives the GitHub team

US3: Trace Permissions Back to Source

As a auditor or manager,
I want to trace a GitHub permission back to the Permission Manager Profile that defines it,
So that I can understand the full provenance of a permission grant.

Acceptance Criteria (preliminary):

• Each managed GitHub team links back to its source Greenhouse Team
• Where applicable, link to the Permission Manager Profile/Access Level (via [EPIC] - Permission Management UI Plugin greenhouse#1977)

Dependencies

• Permission Manager CRDs published in the open source (for tracing back to source Profiles)

[uwe-mayer]

Routing to refinement. The problem statement and user stories are clear, but this is a planning placeholder. The acceptance criteria are preliminary and will be refined once the dependency (Permission Manager CRDs published in the open source) is resolved and the exact RepoGuard CRD surface for visualization is defined.