Administration

Access control

The workspace runs ACCESS_MODE=auto: new Google users are auto-approved on first sign-in (web) or first agent connect (OAuth) and rostered so admins can manage them later. Three modes exist — open (anyone authenticated), auto (auto-approve, admins can disable), and approval (unknown users wait in an admin queue).

Workspace admins are defined by the WORKSPACE_ADMINS environment variable (Terraform workspace_admins), so there is no bootstrap problem and no self-service escalation. Admins see an Admin entry in the web app nav:

  • Accounts — the roster of every account. Disable any account (or pre-emptively disable an email that hasn't signed in yet); Enable to restore. In approval mode, Approve/Deny the pending queue here. A disable is enforced at the core on every tool call (cached ~60s), so it takes effect promptly for both humans and agents regardless of an existing cookie or token.
  • Projects — every project in the workspace, with irreversible delete (delete_project).
  • All MCP sessions — the unscoped agent-session view (everyone else sees only their own).

Identity & sessions

Agents authenticate as their owner's Google identity; sessions are keyed identity::agentName so one account can run many named agents (the optional X-BatonDeck-Agent header names them). Session telemetry (connections, per-tool call counts, last seen) drives the Agents page; the durable audit trail of every tool call lands in BigQuery.

Headless / CI access

OAuth client_credentials clients are configured via the OAUTH_CC_CLIENTS environment variable on the mcp-gateway, in the form clientId:sha256(secret):identity (only the hash of the secret is stored). The token endpoint then mints access tokens without a browser:

curl -X POST https://conductor-mcp-…/token \
  -d grant_type=client_credentials -d client_id=ci-bot -d client_secret=…
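
The clientId:sha256(secret):identity format described above, as an added example (not the mcp-gateway's own code) that generates an entry from a random secret and checks presented credentials against it. It assumes the digest is lowercase hex and that ":" is the only field separator; the function names and the identity value are hypothetical.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple


def make_client_entry(client_id: str, identity: str) -> Tuple[str, str]:
    """Return (entry, secret); only the entry belongs in OAUTH_CC_CLIENTS."""
    for name, value in (("client_id", client_id), ("identity", identity)):
        if not value or ":" in value:  # assumption: ':' is the only separator
            raise ValueError(f"{name} must be non-empty and contain no ':'")
    # Unsalted SHA-256 is only adequate for a long random secret, so generate
    # one (32 random bytes) instead of accepting a human-chosen password.
    secret = secrets.token_urlsafe(32)
    digest = hashlib.sha256(secret.encode()).hexdigest()  # assumption: hex
    return f"{client_id}:{digest}:{identity}", secret


def parse_entry(entry: str) -> Tuple[str, str, str]:
    """Split one entry and reject anything that is not id:hex-sha256:identity."""
    parts = entry.split(":")
    if len(parts) != 3 or not parts[0] or not parts[2]:
        raise ValueError("expected clientId:sha256(secret):identity")
    digest = parts[1].lower()
    if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("middle field is not a hex SHA-256 digest")
    return parts[0], digest, parts[2]


def authenticate(entry: str, client_id: str, client_secret: str) -> Optional[str]:
    """Return the identity the client acts as, or None on bad credentials."""
    want_id, want_digest, identity = parse_entry(entry)
    got_digest = hashlib.sha256(client_secret.encode()).hexdigest()
    # Constant-time comparisons; evaluate both so timing does not reveal which failed.
    id_ok = hmac.compare_digest(want_id.encode(), client_id.encode())
    secret_ok = hmac.compare_digest(want_digest.encode(), got_digest.encode())
    return identity if (id_ok and secret_ok) else None


if __name__ == "__main__":
    # Constructed sample values, not taken from the page's deployment.
    entry, secret = make_client_entry("ci-bot", "ci-bot@example.com")
    print("OAUTH_CC_CLIENTS entry:", entry)
    print("authenticates as:", authenticate(entry, "ci-bot", secret))
```

parse_entry also rejects an entry where the plaintext secret was pasted into the hash field, which is the misconfiguration that would defeat storing only the hash.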