Support GitHub organization admin access#10

Merged
Pigbibi merged 1 commit into
mainfrom
codex/org-based-strategy-switch-admin
Jun 8, 2026
Conversation

@Pigbibi Pigbibi commented Jun 8, 2026

Contributor

Summary

  • request GitHub OAuth read:org scope and authorize users by GitHub organization membership
  • add ALLOWED_GITHUB_ORGS and STRATEGY_SWITCH_ADMIN_ORGS alongside login-based allow/admin lists
  • extend /admin to manage allowed/admin users and orgs through KV
  • document QuantStrategyLab as the preferred admin organization while keeping login-based break-glass admin support

Verification

  • node --check --input-type=module < web/strategy-switch-console/worker.js
  • node --check --input-type=module < web/strategy-switch-console/page_asset.js
  • sed -n '/<script>/,/<\\/script>/p' docs/index.html | sed '1d;$d' | node --check --input-type=commonjs
  • python3 -m json.tool web/strategy-switch-console/account-options.example.json >/dev/null
  • python3 -m py_compile scripts/sync_strategy_switch_page_asset.py scripts/build_runtime_switch.py scripts/runtime_settings.py tests/test_runtime_settings.py
  • timeout 120 python3 scripts/runtime_settings.py validate
  • timeout 180 python3 -m unittest discover -s tests -v
  • Worker smoke test: STRATEGY_SWITCH_ADMIN_ORGS=QuantStrategyLab org member can access /admin and save KV config
  • npx wrangler@3 deploy worker.js --name qsl-strategy-switch-console --compatibility-date 2026-06-09 --dry-run --outdir /tmp/qsl-strategy-switch-console-worker-org

@Pigbibi Pigbibi merged commit 0af2c7d into main Jun 8, 2026
2 checks passed
@Pigbibi Pigbibi deleted the codex/org-based-strategy-switch-admin branch June 8, 2026 18:56

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 84172ea36b

async function makeSession(login, orgs, env) {
const payload = base64UrlEncodeJson({
login,
orgs: uniqueStrings(orgs),

P2: Re-check org membership before authorizing sessions

When access is granted through STRATEGY_SWITCH_ADMIN_ORGS or ALLOWED_GITHUB_ORGS, this stores the matching org names in the signed session cookie and readSession() later trusts that cached list for the full 8-hour TTL. If a user is removed from the GitHub org, they can continue to access /admin or dispatch switches until their existing cookie expires because the Worker no longer asks GitHub whether they are still a member; unlike login allowlist changes, org revocation does not take effect immediately. Consider revalidating org membership when evaluating org-based authorization or otherwise invalidating these sessions on revocation-sensitive paths.

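Added example, not code from the project's worker.js: a session check along the lines of the review suggestion above, which re-asks GitHub for the user's organizations once the list cached in the cookie is older than a short window instead of trusting it for the full 8-hour TTL. Assumed names: `lookupOrgs` stands in for the live GitHub organizations lookup, `STRATEGY_SWITCH_ADMIN_LOGINS` is a placeholder for the login-based admin list, and the 5-minute re-check interval is a chosen value.

```javascript
// Added example, not the project's worker.js. Session shape assumed:
// { login, orgs, orgsCheckedAt, exp }. lookupOrgs(login) stands in for a
// live GitHub "organizations for user" call (synchronous here for brevity).

const SESSION_TTL_MS = 8 * 60 * 60 * 1000; // 8-hour cookie lifetime, as on the page
const ORG_RECHECK_MS = 5 * 60 * 1000;      // assumed: re-ask GitHub at most every 5 minutes

function parseList(value) {
  return String(value || "").split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);
}

// Return the session's org list, refreshed from GitHub once the cached copy is
// older than ORG_RECHECK_MS. This bounds the exposure after an org removal to
// ORG_RECHECK_MS instead of the full cookie TTL.
function freshOrgs(session, lookupOrgs, now) {
  const stale = now - (session.orgsCheckedAt || 0) > ORG_RECHECK_MS;
  if (!stale) return session.orgs;
  session.orgs = lookupOrgs(session.login).map((o) => o.toLowerCase());
  session.orgsCheckedAt = now; // caller re-issues the signed cookie with the refreshed list
  return session.orgs;
}

// Admin decision: the login allowlist is the break-glass path; otherwise org
// membership is required and is re-validated when the cached list is stale.
function isAdmin(session, env, lookupOrgs, now = Date.now()) {
  if (!session || now >= session.exp) return false;
  const adminLogins = parseList(env.STRATEGY_SWITCH_ADMIN_LOGINS); // assumed variable name
  if (adminLogins.includes(session.login.toLowerCase())) return true;
  const adminOrgs = parseList(env.STRATEGY_SWITCH_ADMIN_ORGS);
  return freshOrgs(session, lookupOrgs, now).some((o) => adminOrgs.includes(o));
}

// Constructed scenario: alice was removed from QuantStrategyLab after login.
// Her cookie still lists the org; the live lookup no longer returns it.
function demo() {
  const env = { STRATEGY_SWITCH_ADMIN_ORGS: "QuantStrategyLab", STRATEGY_SWITCH_ADMIN_LOGINS: "" };
  const t0 = 1700000000000;
  const session = { login: "alice", orgs: ["quantstrategylab"], orgsCheckedAt: t0, exp: t0 + SESSION_TTL_MS };
  const membership = { alice: [] }; // GitHub now reports no orgs for alice
  const live = (login) => membership[login] || [];
  const withinWindow = isAdmin(session, env, live, t0 + 60 * 1000);         // cached list still honoured
  const afterWindow = isAdmin(session, env, live, t0 + ORG_RECHECK_MS + 1); // re-checked: denied
  return { withinWindow, afterWindow };
}
```

Within the re-check window the cached list is still honoured, so the interval is the upper bound on how long a revoked member keeps access; set it to whatever delay the deployment can tolerate.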
