[Backend] Add service account & access token exceptions for Merge Request Approval Policies

Overview

Implement backend support to allow designated service accounts and access tokens to bypass merge request approval policies while maintaining comprehensive audit trails and security controls.

Core Backend Requirements

1. Database Schema Extensions

• Extend approval policy configuration to support exception rules for:
  • Service accounts (by user ID)
  • Instance-level access tokens
  • Group-level access tokens
  • Project-level access tokens
• Add audit logging tables for bypass events with context tracking

2. Policy Evaluation Engine Updates

• Modify approval policy evaluation logic to check for service account/token exceptions
• Implement token-based authentication validation in approval bypass flow
• Add scope validation (project/group/instance level permissions)
• Ensure exception rules are evaluated before standard approval requirements

3. API Enhancements

• Extend approval policy CRUD APIs to support exception configuration
• Add validation for service account and token existence/permissions
• Implement endpoints for managing exception rules (add/remove/list)
• Update merge request approval status APIs to reflect bypass scenarios

4. Audit & Compliance Features

• Generate detailed audit logs for all bypass events including:
  • Service account/token identifier
  • Timestamp and context
  • Affected merge request and approval policy
  • Reason/justification (if provided)
• Integrate with existing audit event framework
• Ensure compliance with security governance requirements

5. Permission & Security Controls

• Implement minimum required permissions model for service accounts
• Add token scope validation (branch-specific, project-specific access)
• Maintain separation between human user restrictions and automation exceptions
• Validate service account legitimacy and active status

Technical Considerations

• Backward compatibility with existing approval policies
• Performance optimization for policy evaluation with exception rules
• Integration with protected branch settings and push rules
• Support for GitOps workflows and CI/CD automation scenarios

Acceptance Criteria

• Service accounts can bypass approval policies when configured as exceptions
• Access tokens (Instance/Group/Project) can bypass approvals within their scope
• All bypass events generate comprehensive audit trails
• Exception configuration is manageable via API and UI
• No impact on existing approval policy functionality for human users