fix: ignoreChanges on all user-managed fields for GWS users

After creation/import we only care that the user exists and is in the
right groups. All profile settings (name, recovery info, password,
org unit, etc.) are left to users and admins to manage directly.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: dsp

src/google.ts

@@ -89,7 +89,39 @@ MEMBERS.forEach((member) => {
         name: { familyName: member.lastName!, givenName: member.firstName! },
         orgUnitPath: mcpOrgUnit.orgUnitPath,
       },
-      { import: primaryEmail, dependsOn: [mcpOrgUnit], ignoreChanges: ['recoveryEmail', 'recoveryPhone'] }
+      {
+        import: primaryEmail,
+        dependsOn: [mcpOrgUnit],
+        ignoreChanges: [
+          'recoveryEmail',
+          'recoveryPhone',
+          'password',
+          'hashFunction',
+          'changePasswordAtNextLogin',
+          'orgUnitPath',
+          'archived',
+          'suspended',
+          'isAdmin',
+          'includeInGlobalAddressList',
+          'ipAllowlist',
+          'addresses',
+          'aliases',
+          'customSchemas',
+          'emails',
+          'externalIds',
+          'ims',
+          'keywords',
+          'languages',
+          'locations',
+          'organizations',
+          'phones',
+          'posixAccounts',
+          'relations',
+          'sshPublicKeys',
+          'websites',
+          'name',
+        ],
+      }
     );
     provisionedUsersByEmail[primaryEmail] = user;
   } else {
@@ -112,7 +144,38 @@ MEMBERS.forEach((member) => {
         changePasswordAtNextLogin: true,
         orgUnitPath: mcpOrgUnit.orgUnitPath,
       },
-      { dependsOn: [mcpOrgUnit] }
+      {
+        dependsOn: [mcpOrgUnit],
+        ignoreChanges: [
+          'recoveryEmail',
+          'recoveryPhone',
+          'password',
+          'hashFunction',
+          'changePasswordAtNextLogin',
+          'orgUnitPath',
+          'archived',
+          'suspended',
+          'isAdmin',
+          'includeInGlobalAddressList',
+          'ipAllowlist',
+          'addresses',
+          'aliases',
+          'customSchemas',
+          'emails',
+          'externalIds',
+          'ims',
+          'keywords',
+          'languages',
+          'locations',
+          'organizations',
+          'phones',
+          'posixAccounts',
+          'relations',
+          'sshPublicKeys',
+          'websites',
+          'name',
+        ],
+      }
     );
     provisionedUsersByEmail[primaryEmail] = user;