Use autogroup:admin and dst:* for admin grants

The previous commit incorrectly assumed autogroup:admin and dst:["*"]
didn't work. The actual issue was that tagging gilbert converted it
from a user-owned device to a tagged device, losing user identity.

Now that gilbert remains untagged, autogroup:admin works correctly.
This simplifies the policy and allows future admins to inherit access.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

pulumi/policy.hujson

@@ -11,18 +11,11 @@
 	},
 
 	// ============== Access Grants ==============
-	// Note: autogroup:admin doesn't work reliably - use specific emails
-	// Note: dst: ["*"] doesn't work reliably - use explicit tags
 	"grants": [
-		// --- Erich: full access to all infrastructure ---
+		// --- Admins: full access to all infrastructure ---
 		{
-			"src": ["blume.erich@gmail.com"],
-			"dst": ["tag:homelab", "tag:nas"],
-			"ip":  ["*"],
-		},
-		{
-			"src": ["blume.erich@gmail.com"],
-			"dst": ["tag:grafana", "tag:kiwix", "tag:forge", "tag:devpi", "tag:loki", "tag:pg", "tag:feed"],
+			"src": ["autogroup:admin"],
+			"dst": ["*"],
 			"ip":  ["*"],
 		},
 
@@ -77,18 +70,18 @@
 			"dst":    ["autogroup:self"],
 			"users":  ["autogroup:nonroot"],
 		},
-		// Erich can SSH to homelab (for ansible)
+		// Admins can SSH to homelab (for ansible)
 		{
 			"action": "check",
-			"src":    ["blume.erich@gmail.com"],
+			"src":    ["autogroup:admin"],
 			"dst":    ["tag:homelab"],
 			"users":  ["autogroup:nonroot"],
 			"checkPeriod": "12h0m0s",
 		},
-		// Erich can SSH to NAS
+		// Admins can SSH to NAS
 		{
 			"action": "check",
-			"src":    ["blume.erich@gmail.com"],
+			"src":    ["autogroup:admin"],
 			"dst":    ["tag:nas"],
 			"users":  ["autogroup:nonroot"],
 			"checkPeriod": "12h0m0s",