project gus workspace admin api access plan 20260715T130249

Justin asked whether Forge could get API access to manage the Gus Workspace (gusthebass.com) directly, e.g. to create the admin@ Google Group. Finding: Forge's existing Google Directory admin scopes (admin.directory.user, .group, .group.member, .alias, .domain, .orgunit) via forge_google_user.py only work within the org that issued the token (currently [email protected]'s org). The Google Directory API is org-scoped, so it cannot reach gusthebass.com, which is a separate Google Workspace org with its own super admin ([email protected]).

Proposed fix (not yet built): add a third account, gus, to forge_google_user.py with the same 6 Directory scopes, authenticated as [email protected]. Requires (1) a forge-script code change (routed through the plan gate per doctrine) and (2) one-time OAuth consent where Justin signs in as the Gus org's super admin and authorizes the Forge Agent client. If the Gus Workspace blocks third-party OAuth apps by default, it needs allowlisting in Gus Admin console > Security > API controls > App access control.

Why: this is the concrete unblock for automating Gus Outdoor/Gus The Bass Workspace admin tasks (Groups, aliases, users) and explains why Forge's existing business Google token can't already do it.

How to apply: before assuming Forge can manage gusthebass.com via the existing business Google account, check whether the gus account has been added to forge_google_user.py yet — if not, this plan is still pending Justin's go-ahead and consent.

[auto-memory session dc0439e9-232a-4ece-9f5c-ba8976b9a69b, confidence 0.70, mode staged]