# esc
b
Another question I’d like to ask is how can we control who has access to production environments? Pulumi’s plans (up to enterprise) don’t allow per-stack permissions and it seems to be the same for ESC: are you planning to allow per-environment permissions for non-enterprise accounts?
w
Currently you can use the same RBAC features to manage access to environments as for stacks - available in Pulumi Enterprise as you note - configured through giving Teams certain levels of access to environments and then adding users to Teams. Definitely looking at richer RBAC controls for both environments and stacks, as well as some more controls for Team users. Can you share any more on what you are trying to accomplish?
b
Sure! So I have frontend and backend devs. For frontend devs, I’d like for them to have access to preview environment variables (API keys, DNS, Cognito stuff, etc.). For backend devs, I’d like for them to access Stripe credentials, database credentials, etc. This allows them to run Svelte or Django locally and code their features. In both cases, I don’t want junior devs to have access to production environment variables. I could of course not define a production environment in ESC… but then I don’t benefit from composition and it kinda defeats the purpose of having a system in the first place. (Also, it defeats the purpose of linking to Pulumi via pulumiConfig.)
g
I'd definitely love some permissions management in the Team plan. It's an essential best practice security and least privilege management tool, and I would guess most businesses cannot afford to go from a few hundred a year on the Team plan to $10,000/year minimum on the Enterprise plan for this functionality.