cbusillo · shiny-code-bot · Jun 1, 2026 · Jun 1, 2026
diff --git a/docs/operations.md b/docs/operations.md
@@ -148,6 +148,13 @@ DB-backed GitHub-human grants for `product_config.plan` and
 Leave those variables unset to skip reconciliation; do not hard-code human
 logins or product-specific operator grants in source.
 
+The deploy workflow also reconciles its own `authz_policy_grant.write` grants
+for product/context `launchplane`, covering both manual dispatches and automatic
+CI-success deploys. Those grants are a staged migration path for authz policy
+maintenance; authz grant routes can be narrowed to policy-admin authority after
+the DB-backed grants are present, without relying on Launchplane self-deploy
+authority for future grant reconciliation.
+
 Routine local-operator product-config grants are scoped, not wildcard, and the
 deploy reconciliation skips them unless explicit product/context scopes are
 configured. Set `LAUNCHPLANE_LOCAL_OPERATOR_PRODUCT_CONFIG_SCOPES_JSON` only for

diff --git a/scripts/deploy/ensure-authz-grants.sh b/scripts/deploy/ensure-authz-grants.sh
@@ -614,6 +614,17 @@ post_grant \
   deploy:merge-train-runner-schedule-grant \
   merge-train-runner-schedule \
   schedule
+post_launchplane_service_grant \
+  deploy-launchplane.yml \
+  authz_policy_grant.write \
+  deploy:authz-policy-grant-maintenance-dispatch \
+  authz-policy-grant-maintenance-dispatch
+post_launchplane_service_grant \
+  deploy-launchplane.yml \
+  authz_policy_grant.write \
+  deploy:authz-policy-grant-maintenance-run \
+  authz-policy-grant-maintenance-run \
+  workflow_run
 post_grant \
   "$GITHUB_REPOSITORY" \
   merge-train-policy-import.yml \

diff --git a/tests/test_product_onboarding.py b/tests/test_product_onboarding.py
@@ -594,6 +594,17 @@ def test_deploy_authz_grants_seed_local_admin_self_deploy_authority(self) -> Non
         self.assertIn("local-admin-self-deploy", script_text)
         self.assertIn("launchplane_service_deploy.execute", script_text)
 
+    def test_deploy_authz_grants_stage_dedicated_policy_grant_authority(self) -> None:
+        script_text = Path("scripts/deploy/ensure-authz-grants.sh").read_text(encoding="utf-8")
+
+        self.assertIn("deploy-launchplane.yml", script_text)
+        self.assertIn("authz_policy_grant.write", script_text)
+        self.assertIn("deploy:authz-policy-grant-maintenance-dispatch", script_text)
+        self.assertIn("authz-policy-grant-maintenance-dispatch", script_text)
+        self.assertIn("deploy:authz-policy-grant-maintenance-run", script_text)
+        self.assertIn("authz-policy-grant-maintenance-run", script_text)
+        self.assertIn("workflow_run", script_text)
+
     def test_reusable_odoo_prod_promotion_fails_on_each_result_status(self) -> None:
         workflow_text = Path(".github/workflows/reusable-odoo-prod-promotion.yml").read_text(
             encoding="utf-8"