PR Custody

feat(scim): default rename propagation to true for new teams (MCPG-222)

@eullersilva-plankchecks n/achecks…mcpg-222-align-scim-team-rename-default-with-idp-as-source-of-truth → main5 files · +254 −3review: @sohamganatraupdated 3w ago

GitHub

▸Description· 2 comments · 2 noise

Summary

Aligns Team.scimRenamePropagationEnabled with the IdP-as-source-of-truth principle: the schema default flips from false → true via a column-default migration. New scim_managed teams now adopt Okta group renames automatically.
Existing rows are intentionally not touched by the migration. Per the MCPG-222 ticket and the prior debate, a blanket UPDATE could silently overwrite a customer's manually-renamed team on the next projection run.
Adds apps/admin/scripts-tmp/backfill-scim-rename-propagation.ts to opt existing teams in safely — it skips drifted teams by default (where teams.name !== scim_groups.displayName), and --force flips them too once the operator has coordinated.

What changes

File	Change
`packages/db/prisma/schema.prisma`	`scimRenamePropagationEnabled @default(false)` → `@default(true)`
`packages/db/prisma/migrations/20260522150000_default_scim_rename_propagation_to_true/`	`ALTER COLUMN ... SET DEFAULT true`
`packages/types/src/team-config.ts`	Zod default flipped to match
`docs/scim-known-limitations.md`	Section 7.2 updated; points to the backfill script
`apps/admin/scripts-tmp/backfill-scim-rename-propagation.ts`	New one-off backfill (`--dry-run` / `--org-slug` / `--all` / `--force`)

Why the per-team flag stays

The two main creation paths (scim/project.ts:1243, scim/repair.ts:449) already set true explicitly; this PR only changes the default for paths that don't (e.g. the legacy ensureScimManagedTeamForWebhookGroup). Keeping the column means an org admin who deliberately wants to pin one team against IdP renames still has a per-row override surface — a future ticket can expose a UI toggle.

Rollout

Merge → Vercel deploy runs prisma migrate deploy automatically (per CLAUDE.md Deployment Reality Check), so the column default applies on next deploy. No manual migrate step.
To pick up existing scim_managed teams in alpha/prod, run the backfill script:

# Dry run first
DATABASE_URL=... bun run apps/admin/scripts-tmp/backfill-scim-rename-propagation.ts --dry-run

# Target one org to validate
DATABASE_URL=... bun run apps/admin/scripts-tmp/backfill-scim-rename-propagation.ts --org-slug <slug>

# Then sweep
DATABASE_URL=... bun run apps/admin/scripts-tmp/backfill-scim-rename-propagation.ts --all

The script's default skips any team whose name has drifted from the IdP source group. Inspect the skipped_drifted lines and add --force only after deciding those renames should be undone.

Test plan

bunx turbo check-types --filter=@repo/admin — green
bunx turbo lint --filter=@repo/admin --filter=@repo/db --filter=@repo/types — green
Pre-commit lint-staged (prettier + eslint) — green
Vitest in CI (local bun+vitest+zod-v4 has a pre-existing z.string is undefined issue affecting 6 of 9 suites in packages/types, same one called out by PR #512)
After deploy to alpha: --dry-run against alpha DB, then --org-slug <test-org>, verify an Okta rename propagates to teams.name

@eullersilva-plank3w ago

@codex review

@chatgpt-codex-connector[bot]agent3w ago

Codex Review: Didn't find any major issues. :+1:

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

Open a pull request for review
Mark a draft as ready
Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

▸ 2 bot/status comments hidden

@linear-code[bot]3w ago

Summary

The Team.scimRenamePropagationEnabled flag defaults to false, meaning Okta group renames update our internal scim_groups.displayName mirror but do NOT update the user-visible teams.name. The propagation code exists at apps/admin/server/scim/project.ts:1314-1340 — it's just opt-in per team.

This contradicts the IdP-as-source-of-truth principle we agreed on while debugging MCPG-193. PR #486 was rejected in May 2026 for adding a groupPushAutoCreateEnabled flag that defaulted to false on the same grounds. This default is the same anti-pattern: org-side state quietly disagrees with what the IdP pushed, with no admin visibility into why.

Current behavior

New scim_managed team created from Okta group push → scimRenamePropagationEnabled = false
Okta admin renames the source group → FA fires group.update webhook
Admin updates scim_groups.displayName (mirror reflects new name)
applyScimProjectionPlan evaluates rename propagation:
- flag is false → skips rename
Result: teams.name shows the old name forever; mirror shows the new name

Proposed change

Schema: scimRenamePropagationEnabled Boolean default(true) in packages/db/prisma/schema.prisma:192.
Migration: adds the new default. Does NOT touch existing rows by itself. (Existing teams with false keep false; newly-provisioned teams get true.)

Open decisions for product

Backfill existing teams?
- Option A: leave existing false rows alone, only new teams default to true. Safer rollout.
- Option B: a one-off backfill script that flips all existing teams to . Aligns existing tenants with the principle.

loading diff…

Summary

Aligns Team.scimRenamePropagationEnabled with the IdP-as-source-of-truth principle: the schema default flips from false → true via a column-default migration. New scim_managed teams now adopt Okta group renames automatically.

Existing rows are intentionally not touched by the migration. Per the MCPG-222 ticket and the prior debate, a blanket UPDATE could silently overwrite a customer's manually-renamed team on the next projection run.

Adds apps/admin/scripts-tmp/backfill-scim-rename-propagation.ts to opt existing teams in safely — it skips drifted teams by default (where teams.name !== scim_groups.displayName), and --force flips them too once the operator has coordinated.

What changes

File

Change

packages/db/prisma/schema.prisma

scimRenamePropagationEnabled @default(false) → @default(true)

packages/db/prisma/migrations/20260522150000_default_scim_rename_propagation_to_true/

ALTER COLUMN ... SET DEFAULT true

packages/types/src/team-config.ts

Zod default flipped to match

docs/scim-known-limitations.md

Section 7.2 updated; points to the backfill script

apps/admin/scripts-tmp/backfill-scim-rename-propagation.ts

New one-off backfill (--dry-run / --org-slug / --all / --force)

Why the per-team flag stays

Rollout

Merge → Vercel deploy runs prisma migrate deploy automatically (per CLAUDE.md Deployment Reality Check), so the column default applies on next deploy. No manual migrate step.

To pick up existing scim_managed teams in alpha/prod, run the backfill script:

# Dry run first DATABASE_URL=... bun run apps/admin/scripts-tmp/backfill-scim-rename-propagation.ts --dry-run # Target one org to validate DATABASE_URL=... bun run apps/admin/scripts-tmp/backfill-scim-rename-propagation.ts --org-slug <slug> # Then sweep DATABASE_URL=... bun run apps/admin/scripts-tmp/backfill-scim-rename-propagation.ts --all

The script's default skips any team whose name has drifted from the IdP source group. Inspect the skipped_drifted lines and add --force only after deciding those renames should be undone.

Test plan

bunx turbo check-types --filter=@repo/admin — green

bunx turbo lint --filter=@repo/admin --filter=@repo/db --filter=@repo/types — green

Pre-commit lint-staged (prettier + eslint) — green

Vitest in CI (local bun+vitest+zod-v4 has a pre-existing z.string is undefined issue affecting 6 of 9 suites in packages/types, same one called out by PR #512)

After deploy to alpha: --dry-run against alpha DB, then --org-slug <test-org>, verify an Okta rename propagates to teams.name

Summary

Current behavior

New scim_managed team created from Okta group push → scimRenamePropagationEnabled = false

Okta admin renames the source group → FA fires group.update webhook

Admin updates scim_groups.displayName (mirror reflects new name)

applyScimProjectionPlan evaluates rename propagation:

flag is false → skips rename

Result: teams.name shows the old name forever; mirror shows the new name

feat(scim): default rename propagation to true for new teams (MCPG-222)

Summary

What changes

Why the per-team flag stays

Rollout

Test plan

Summary

Current behavior

Proposed change

Open decisions for product

Summary

What changes

Why the per-team flag stays

Rollout

Test plan

Summary

Current behavior

Proposed change

Open decisions for product

Out of scope

Acceptance criteria

Context links