{"id":50454023,"url":"https://github.com/mizcausevic-dev/gcp-iam-policy-diff-lab","last_synced_at":"2026-06-01T01:05:34.056Z","repository":{"id":360572951,"uuid":"1250772365","full_name":"mizcausevic-dev/gcp-iam-policy-diff-lab","owner":"mizcausevic-dev","description":"GCP IAM policy drift lab for binding changes, org-policy posture, and public-access risk review.","archived":false,"fork":false,"pushed_at":"2026-05-27T00:47:56.000Z","size":496,"stargazers_count":0,"open_issues_count":10,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-05-27T02:22:25.309Z","etag":null,"topics":["cloud-security","gcp","google-cloud","iam-policy","org-policy","typescript"],"latest_commit_sha":null,"homepage":"https://gcp.kineticgain.com/","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"agpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mizcausevic-dev.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-05-27T00:38:11.000Z","updated_at":"2026-05-27T00:38:38.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/mizcausevic-dev/gcp-iam-policy-diff-lab","commit_stats":null,"previous_names":["mizcausevic-dev/gcp-iam-policy-diff-lab"],"tags_count":2,"template":false,"template_full_name":null,"purl":"pkg:github/mizcausevic-dev/gcp-iam-policy-diff-lab","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mizcausevic-dev%2Fgcp-iam-policy-diff-lab","tag
s_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mizcausevic-dev%2Fgcp-iam-policy-diff-lab/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mizcausevic-dev%2Fgcp-iam-policy-diff-lab/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mizcausevic-dev%2Fgcp-iam-policy-diff-lab/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/mizcausevic-dev","download_url":"https://codeload.github.com/mizcausevic-dev/gcp-iam-policy-diff-lab/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mizcausevic-dev%2Fgcp-iam-policy-diff-lab/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33755379,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-05-31T02:00:06.040Z","response_time":95,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cloud-security","gcp","google-cloud","iam-policy","org-policy","typescript"],"created_at":"2026-06-01T01:05:33.981Z","updated_at":"2026-06-01T01:05:34.051Z","avatar_url":"https://github.com/mizcausevic-dev.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# 
gcp-iam-policy-diff-lab\n\n[![CI](https://github.com/mizcausevic-dev/gcp-iam-policy-diff-lab/actions/workflows/ci.yml/badge.svg)](https://github.com/mizcausevic-dev/gcp-iam-policy-diff-lab/actions/workflows/ci.yml)\n[![License: AGPL v3](https://img.shields.io/badge/License-AGPL_v3-blue.svg)](./LICENSE)\n[![Deploy](https://github.com/mizcausevic-dev/gcp-iam-policy-diff-lab/actions/workflows/pages.yml/badge.svg)](https://github.com/mizcausevic-dev/gcp-iam-policy-diff-lab/actions/workflows/pages.yml)\n\nOperator control plane for GCP IAM policy snapshots, public-binding drift, privileged role changes, org-policy mismatches, and remediation sequencing.\n\n## Why this exists\n\n- GCP IAM snapshots become dangerous when they stay trapped in raw exports instead of one operator-readable surface.\n- Public bindings, privileged roles, and org-policy drift need to stay visible together before audits, incidents, or rollout windows drift.\n- Recruiters looking for `GCP / IAM / org policy / cloud security` proof should see a real identity-and-guardrail dashboard, not a keyword page.\n- This repo turns IAM policy diff data into a control plane for public bindings, role drift, stale snapshots, and policy-cleanup posture.\n\n## Why this matters (KG Embedded tie-back)\n\nThis repo demonstrates the GCP identity-and-guardrail control-plane primitive for cloud operations: public bindings, privileged role drift, snapshot hygiene, and remediation packets in one operator surface. Kinetic Gain Embedded extends this pattern into productized in-app dashboards where platform, IAM, and security teams need evidence-rich surfaces without exposing raw admin backends or cloud credentials. 
See [kineticgain.com/embedded](https://kineticgain.com/embedded).\n\n## What it shows\n\n- `policy-lane` visibility for public bindings, basic-role drift, token creator grants, and snapshot hygiene in one dashboard\n- `binding-risks` detection for `allUsers` exposure, `roles/editor` drift, service-account token creator grants, org-policy mismatch, and stale diff windows\n- remediation packets for public cleanup, role replacement, token-creator review, and snapshot refresh\n- offline-safe analysis of captured GCP IAM snapshot diffs\n- recruiter-facing GCP IAM / cloud security proof that complements the Microsoft and AWS admin lanes\n\n## Routes\n\n- `/`\n- `/policy-lane`\n- `/binding-risks`\n- `/drift-posture`\n- `/verification`\n- `/docs`\n\n## API\n\n- `/api/dashboard/summary`\n- `/api/policy-lane`\n- `/api/binding-risks`\n- `/api/drift-posture`\n- `/api/verification`\n- `/api/sample`\n\n## Screenshots\n\n![Overview](./screenshots/01-overview-proof.png)\n![Policy lane](./screenshots/02-policy-lane-proof.png)\n![Binding risks](./screenshots/03-binding-risks-proof.png)\n![Drift posture](./screenshots/04-drift-posture-proof.png)\n\n## CLI\n\n```powershell\nnpx gcp-iam-policy-diff fixtures/gcp-policy-diff.json `\n    --format markdown `\n    --now 2026-05-30T00:00:00Z `\n    --stale-diff-after-hours 24 `\n    --fail-on-high `\n    --out report.md\n```\n\n`--format` accepts `json`, `markdown`, or `summary`.\n\nInput shape:\n\n```json\n{\n  \"snapshots\": [ ... ],\n  \"diffs\": [ ... 
]\n}\n```\n\n## Local Development\n\n```powershell\ncd gcp-iam-policy-diff-lab\nnpm install\nnpm run dev\n```\n\nOpen:\n- [http://127.0.0.1:5515/](http://127.0.0.1:5515/)\n- [http://127.0.0.1:5515/policy-lane](http://127.0.0.1:5515/policy-lane)\n- [http://127.0.0.1:5515/binding-risks](http://127.0.0.1:5515/binding-risks)\n- [http://127.0.0.1:5515/drift-posture](http://127.0.0.1:5515/drift-posture)\n- [http://127.0.0.1:5515/verification](http://127.0.0.1:5515/verification)\n\n## Validation\n\n- `npm run lint`\n- `npm run typecheck`\n- `npm run coverage`\n- `npm run build`\n- `npm run demo`\n- `npm run smoke`\n- `npm run prerender`\n- `npm run render:assets`\n\n## Production status\n\n| Aspect | Status |\n|--------|--------|\n| CI | Node 20 + 22 matrix — lint · typecheck · coverage · build · demo · smoke · prerender · `npm audit` |\n| License | [AGPL-3.0-or-later](./LICENSE) |\n| Deploy | Static prerender -\u003e **https://gcp.kineticgain.com/** |\n| Data posture | Synthetic sample data only; no live GCP credentials, project tokens, or production policy exports |\n\n## Docs\n\n- [Kinetic Gain Embedded tie-back](./docs/KINETIC_GAIN_EMBEDDED.md)\n- [Changelog](./CHANGELOG.md)\n\n## Composes with\n\n- [**`entra-access-review-control-plane`**](https://github.com/mizcausevic-dev/entra-access-review-control-plane) — Microsoft Entra access reviews\n- [**`intune-device-compliance-ops`**](https://github.com/mizcausevic-dev/intune-device-compliance-ops) — Intune device compliance\n- [**`aws-iam-access-analyzer-console`**](https://github.com/mizcausevic-dev/aws-iam-access-analyzer-console) — AWS IAM analyzer posture\n\nTogether they form a broader recruiter-facing cloud admin lane: Microsoft tenant governance plus AWS and GCP identity/perimeter 
proof.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmizcausevic-dev%2Fgcp-iam-policy-diff-lab","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmizcausevic-dev%2Fgcp-iam-policy-diff-lab","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmizcausevic-dev%2Fgcp-iam-policy-diff-lab/lists"}