
Add access review API with source drivers #841

Open
gearnode wants to merge 25 commits into main from bryan/eng-136-create-access-review-api

@gearnode (Contributor) commented Mar 14, 2026

Summary

  • Introduces the access review feature: backend API (GraphQL schema, resolvers, services) and frontend pages for managing access reviews, sources, and campaigns
  • Adds access source drivers for multiple providers: Google Workspace, Slack, Linear, 1Password, HubSpot, DocuSign, Notion, Figma, CSV, and Probo memberships
  • Includes a review engine with incremental diffing, campaign lifecycle management (create, start, validate, close, cancel), and a background worker for source fetching

Test plan

  • Verify access review pages load in the console
  • Test creating and configuring access sources with different providers
  • Test campaign lifecycle: create, start, validate, close
  • Verify source fetching works for configured connectors
  • Run existing test suite to check for regressions

Summary by cubic

Implements the Access Review system (ENG-136) end‑to‑end: data model and SQL migration, GraphQL API and console, and a worker/engine that snapshots accounts and flags risky access. Adds the API_KEY connector protocol, new source drivers, routes for access reviews, and e2e coverage for the full review lifecycle.

  • New Features

    • Data layer and migration: SQL enums/tables/indexes for reviews, campaigns, sources, entries; core types for decisions, flags, MFA status, auth method, connector provider/protocol.
    • GraphQL API for reviews, sources, campaigns, and entries with pagination; mutations for initializing/cancelling campaigns, updating identity source, source CRUD, bulk decisions, and campaign stats; new permissions and console routes; connectors listing; Linear OAuth initiation.
    • Console UI: Access Reviews page with source list and create/delete (OAuth, API_KEY, or CSV), identity source picker, Relay pagination; new routes access-reviews, access-reviews/sources/new, and access-reviews/sources/new/csv; sidebar link gated by core:access-review:get.
    • Review engine and worker with per‑source snapshotting, removed‑account detection, anomaly flags (inactive accounts, missing MFA, admin roles, unknown entries), incremental tags, stale‑row recovery, bounded concurrency, and campaign finalization; wired into probod.
    • Source drivers for Google Workspace, Slack, Linear, Figma, 1Password, HubSpot, DocuSign, Notion, Brex, Tally, Cloudflare, Sentry, OpenAI, CSV, and Probo memberships; added Linear OAuth initiation and the API_KEY connector protocol.
    • MCP tools for access review operations (list/get sources, campaigns, entries; record decisions; initialize/cancel campaigns) and e2e tests for source CRUD, campaign lifecycle, entry pagination, and decisions.
  • Refactors

    • Centralized access entry queries in pkg/coredata; added campaign row locking; moved driver resolution/baseline loading/external HTTP calls outside write transactions; fixed organization ID resolution in console and MCP resolvers; updated policies to include access review resources; connector service helper to list all connectors; added console connectors(filter) field and safe redirects/provider enums for Linear.
    • Lint/build fixes: switched configs to eslint.config.ts in apps and packages to work with @probo/eslint-config; added // @ts-nocheck to config files; updated tsconfig.node.json includes; corrected React hook deps, removed stale disables, and added missing Relay fields/connection metadata; filtered inactive memberships; corrected OpenAI users limit and removed PII from driver errors.

Written for commit 2e2d66e. Summary will update on new commits.
