Add access review campaigns

[aureliensibiril]

Summary

Add access review campaigns with full lifecycle management (create, start, close, cancel) and a source fetch worker that pulls account data from connected providers.

Access source drivers (18 providers)

Provider	Connection	Fields
Google Workspace	OAuth2	Email, name, role, admin, MFA, last login, created at
Slack	OAuth2	Email, name, role, job title, admin, MFA, bot support
Linear	OAuth2	Email, name, role, admin, active, created at
Cloudflare	API key	Email, name, roles (concatenated), MFA, active
Brex	API key	Email, name, role, active
Tally	API key	Email, name, role
1Password	API key	Email, name, role, active, MFA, created at
DocuSign	OAuth2	Email, name, role, job title, admin, active, created at
HubSpot	OAuth2	Email, name, role (resolved via roles endpoint)
Notion	OAuth2	Email, name, role, bot support (ServiceAccount)
Figma	OAuth2	Email, name
OpenAI	API key	Email, name, role, MFA
Sentry	API key	Email, name, role, MFA, active
GitHub	OAuth2	Email, name, role, admin, MFA, 2FA status
Supabase	API key	Email, name, role, MFA, active
Intercom	OAuth2	Email, name, role
Resend	API key	Email, name, role
Probo memberships	Internal	Email, name, role, admin, active, created at
CSV	File upload	Email, name, role, job title, admin, active, external ID

API surface (GraphQL + MCP + CLI)

• Campaign CRUD, start, close, cancel
• Access source CRUD with OAuth2 and API key connector support
• Campaign scope source management (add/remove)
• Access entry listing, flagging, and decision recording (approve/revoke)
• Bulk decide-all for batch processing

Console UI

• Campaign list with pagination and status badges
• Campaign detail page with entry table (flag, decision columns)
• Access source creation page with OAuth2 flow and API key dialog
• CSV upload source creation
• Vendor icon components for all supported providers

Bug fixes included

• Fix source name worker retry on resolution failure
• Fix React hooks ordering in access source page (lint)
• Fix connector dropdown showing non-unique labels
• Fix OAuth callback retry when mutation fails
• Handle DocuSign pagination parse errors
• Return error when driver pagination limit is reached
• Accept variable-length rows in CSV driver
• Fix scope sources query returning all org sources after removal

Test plan

• make test passes
• make lint passes (0 errors)
• make test-e2e — access review e2e tests pass
• Create a campaign via CLI, add a source, start it, verify source fetch completes
• Verify campaign lifecycle transitions (draft → in_progress → pending_actions → completed)
• Test cancel and delete flows

[cubic-dev-ai]

11 issues found across 118 files

Note: This PR contains a large number of files. cubic only reviews up to 75 files per PR, so some files may not have been reviewed.

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="apps/console/src/pages/organizations/access-reviews/dialogs/CreateAccessSourceDialog.tsx">

<violation number="1" location="apps/console/src/pages/organizations/access-reviews/dialogs/CreateAccessSourceDialog.tsx:56">
P2: CreateAccessSourceDialog only allows Google Workspace/Linear OAuth providers, but the access review flow supports Slack as an OAuth provider. Slack connectors are filtered out and cannot be selected, preventing Slack access sources from being created via this dialog.</violation>

<violation number="2" location="apps/console/src/pages/organizations/access-reviews/dialogs/CreateAccessSourceDialog.tsx:286">
P2: Connector dropdown labels are non-unique (provider-only), making same-provider connectors indistinguishable and prone to wrong selection.</violation>
</file>

<file name="pkg/accessreview/drivers/docusign.go">

<violation number="1" location="pkg/accessreview/drivers/docusign.go:92">
P2: Ignored strconv.Atoi errors can turn pagination metadata into 0, causing the loop to break early and silently truncate user enumeration.</violation>
</file>

<file name="apps/console/src/pages/organizations/access-reviews/AccessReviewLayoutLoader.tsx">

<violation number="1" location="apps/console/src/pages/organizations/access-reviews/AccessReviewLayoutLoader.tsx:15">
P2: The loader only runs loadQuery when queryRef is null, so changing organizationId while the layout stays mounted will not reload the query and can show stale org data. Remove the guard or otherwise reload when organizationId changes.</violation>
</file>

<file name="pkg/accessreview/source_name_worker.go">

<violation number="1" location="pkg/accessreview/source_name_worker.go:96">
P1: The worker sets `NameSyncedAt` before name resolution succeeds, and subsequent swallowed errors prevent retries because only `name_synced_at IS NULL` rows are selected.</violation>
</file>

<file name="pkg/accessreview/drivers/csv.go">

<violation number="1" location="pkg/accessreview/drivers/csv.go:41">
P2: CSV reader enforces a fixed field count based on the header, so any row with fewer/more columns aborts the import before the `idx < len(row)` guards can run. If optional columns are allowed, set `FieldsPerRecord = -1` to accept variable-length rows.</violation>
</file>

<file name="pkg/accessreview/drivers/driver.go">

<violation number="1" location="pkg/accessreview/drivers/driver.go:44">
P2: Pagination is capped at 500 pages, but drivers return results silently when the cap is hit. If `NextCursor` is still present after 500 iterations, `ListAccounts` returns partial data without an error, which can truncate large tenants.</violation>
</file>

<file name="apps/console/src/pages/organizations/access-reviews/CreateAccessSourcePage.tsx">

<violation number="1" location="apps/console/src/pages/organizations/access-reviews/CreateAccessSourcePage.tsx:241">
P2: OAuth callback creation can get stuck after a network failure: the connector_id remains in the URL and processedConnectorIdRef is never cleared on error, so subsequent renders skip retrying the mutation until a full page reload.</violation>
</file>

<file name="pkg/cmd/accessreview/entry/decide/decide.go">

<violation number="1" location="pkg/cmd/accessreview/entry/decide/decide.go:132">
P1: Custom agent: **Avoid Logging Sensitive Information**

Remove the email address from the CLI output to avoid logging PII.</violation>
</file>

<file name="pkg/cmd/accessreview/entry/flag/flag.go">

<violation number="1" location="pkg/cmd/accessreview/entry/flag/flag.go:130">
P1: Custom agent: **Avoid Logging Sensitive Information**

Do not print the access entry email to stdout; it is PII and violates the "Avoid Logging Sensitive Information" rule.</violation>
</file>

<file name="pkg/cmd/accessreview/entry/decideall/decideall.go">

<violation number="1" location="pkg/cmd/accessreview/entry/decideall/decideall.go:129">
P1: Custom agent: **Avoid Logging Sensitive Information**

Remove email addresses from CLI output; this change logs PII (`e.Email`) for each access entry.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

[cubic-dev-ai]

8 issues found across 204 files

Note: This PR contains a large number of files. cubic only reviews up to 75 files per PR, so some files may not have been reviewed.

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="apps/console/src/pages/organizations/access-reviews/_components/AccessSourceRow.tsx">

<violation number="1" location="apps/console/src/pages/organizations/access-reviews/_components/AccessSourceRow.tsx:297">
P2: Per-row `useLazyLoadQuery` in `InlineOrgSelect` causes N+1 GraphQL requests in the access source table, which can degrade performance as row count grows.</violation>
</file>

<file name="pkg/accessreview/drivers/name_resolver.go">

<violation number="1" location="pkg/accessreview/drivers/name_resolver.go:156">
P2: Non-2xx provider responses are treated as successful resolution ("", nil), so transient API failures get marked as synced and never retried.</violation>
</file>

<file name="apps/console/src/pages/organizations/access-reviews/dialogs/CreateAccessReviewCampaignDialog.tsx">

<violation number="1" location="apps/console/src/pages/organizations/access-reviews/dialogs/CreateAccessReviewCampaignDialog.tsx:58">
P2: Source selection is limited to the first 100 access sources with no pagination path, so larger organizations cannot select sources beyond that first page when creating a campaign.</violation>

<violation number="2" location="apps/console/src/pages/organizations/access-reviews/dialogs/CreateAccessReviewCampaignDialog.tsx:143">
P2: Dialog form/source state is only reset after successful submit, so dismissing and reopening can retain stale values.</violation>
</file>

<file name="apps/console/src/pages/organizations/access-reviews/sources/AccessReviewSourcesTab.tsx">

<violation number="1" location="apps/console/src/pages/organizations/access-reviews/sources/AccessReviewSourcesTab.tsx:153">
P2: Error handlers reset `processedConnectorIdRef` but leave `connector_id`/`provider` in the URL, so the OAuth callback effect re-triggers after the mutation completes and re-issues `createAccessSource` indefinitely on persistent errors.</violation>
</file>

<file name="apps/console/src/pages/organizations/access-reviews/campaigns/CampaignDetailPage.tsx">

<violation number="1" location="apps/console/src/pages/organizations/access-reviews/campaigns/CampaignDetailPage.tsx:148">
P2: Entries are hard-limited to the first 50 and the UI only shows a notice when `hasNextPage` is true; there is no pagination or load-more path, so users cannot review/decide entries beyond the first 50 in this page.</violation>

<violation number="2" location="apps/console/src/pages/organizations/access-reviews/campaigns/CampaignDetailPage.tsx:222">
P2: `pendingEntryCount` is used to enable completion, but it isn't refreshed in the pending-actions flow; decision mutations only update entries and there's no refetch/polling outside IN_PROGRESS, so the completion button can stay disabled until manual refresh.</violation>

<violation number="3" location="apps/console/src/pages/organizations/access-reviews/campaigns/CampaignDetailPage.tsx:233">
P2: Bulk flagging always shows success even if some flag mutations fail; errors are ignored, so users can be misled about whether flags were applied.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

[cubic-dev-ai]

1 issue found across 1 file (changes from recent commits).

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="pkg/accessreview/drivers/github.go">

<violation number="1" location="pkg/accessreview/drivers/github.go:63">
P1: Custom agent: **Avoid Logging Sensitive Information**

Avoid logging member identifiers (`m.Login`) in warnings; this exposes PII in logs and violates the Avoid Logging Sensitive Information rule.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

[cubic-dev-ai]

1 issue found across 31 files (changes from recent commits).

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="apps/console/src/pages/organizations/access-reviews/_components/AccessSourceRow.tsx">

<violation number="1" location="apps/console/src/pages/organizations/access-reviews/_components/AccessSourceRow.tsx:211">
P2: Removing the fallback to window.location.origin means reconnect will throw if VITE_API_URL is unset, breaking the action at runtime. Other flows in this codebase still rely on the fallback, so this change can regress environments where the env var is missing.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

[cubic-dev-ai]

1 issue found across 1 file (changes from recent commits).

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="apps/console/src/pages/organizations/access-reviews/campaigns/CampaignDetailPage.tsx">

<violation number="1" location="apps/console/src/pages/organizations/access-reviews/campaigns/CampaignDetailPage.tsx:223">
P1: Completion is incorrectly gated by paginated/truncated client data, which can permanently disable campaign completion for valid campaigns.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}