Role-based permissions DAP - API (controller/GraphQL) extension

Summary

This issue extends the existing GitLab Duo settings API endpoints to support DAP (Duo Agent Platform) role-based permissions configuration. It provides the backend API infrastructure for administrators to configure which roles can perform DAP actions.

Background

As part of the DAP role-based permissions epic (#19743 (closed)), we need to extend existing AJAX and HTTP POST requests that update GitLab Duo settings. These settings exist on two pages that need to be extended:

  • Self-Managed: /admin/gitlab_duo/configuration
  • GitLab.com: /groups/:group/-/settings/gitlab_duo/configuration

Requirements

We need to find out how the AI settings and the namespace settings tables currently get updated; it could be via a classic Rails controller or via GraphQL. Depending on the current state, the following possible changes apply:

Model Integration

  • Expose DAP permission attributes through Ai::Setting model
  • Expose DAP permission attributes through Ai::NamespaceSetting model
  • Use existing update mechanisms for both models (could be controller or GraphQL)
  • Ensure proper serialization of permission data

Attributes

  • minimum_access_level_execute
  • minimum_access_level_execute_async
  • minimum_access_level_manage
  • minimum_access_level_enable_on_projects

GraphQL Extensions

  • Add DAP permission fields to existing Duo settings types
  • Implement mutations for updating DAP permissions
  • Add proper authorization checks
  • Support both instance and namespace contexts

API Specification

Validation Rules

  • Validate role names against allowed enum values
  • Ensure manage permission is limited to owner+ or maintainer+ roles (TBD)
  • Prevent invalid permission configurations
  • Return appropriate error messages for validation failures

Technical Implementation

  • Extend existing Duo settings controllers or GraphQL endpoints
  • Add DAP permission parameters to strong parameters
  • Implement permission validation logic
  • Add proper error handling and responses
  • Update API documentation
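The validation rules and the strong-parameters step above, as an added example (this is not GitLab's own code and not part of the issue): a small Ruby validator for the four DAP attributes named in this issue, showing what the controller or GraphQL mutation would run before writing to Ai::Setting or Ai::NamespaceSetting. The role enum, the module name and the maintainer floor for `manage` are assumptions (the issue leaves the exact floor, owner+ or maintainer+, TBD).

```ruby
# Added example, not GitLab's own code: validates the DAP minimum-access-level
# attributes listed in the issue before they reach Ai::Setting or
# Ai::NamespaceSetting.
#
# Assumptions (not from the issue): the role enum below, the `manage` floor
# of maintainer, and the module name.
module DapPermissionValidator
  module_function

  # Assumed role enum: role name => numeric access level, ascending, so
  # "at least maintainer" can be checked by comparing numbers.
  ROLE_LEVELS = {
    'guest'      => 10,
    'reporter'   => 20,
    'developer'  => 30,
    'maintainer' => 40,
    'owner'      => 50
  }.freeze

  # The attributes listed in the issue. Anything else is dropped, which is
  # the same effect as a Rails strong-parameters `permit` list.
  DAP_ATTRIBUTES = %w[
    minimum_access_level_execute
    minimum_access_level_execute_async
    minimum_access_level_manage
    minimum_access_level_enable_on_projects
  ].freeze

  # Assumed floor for the manage permission (issue says owner+ or maintainer+, TBD).
  MANAGE_FLOOR = 'maintainer'

  # Strong-parameters stand-in: keep only DAP attributes, with string keys.
  # Returns the permitted hash and the rejected keys so the caller can log
  # unexpected parameters (helps spot mass-assignment attempts).
  def permit(raw_params)
    permitted = {}
    rejected = []
    raw_params.each do |key, value|
      name = key.to_s
      if DAP_ATTRIBUTES.include?(name)
        permitted[name] = value
      else
        rejected << name
      end
    end
    [permitted, rejected]
  end

  # Validates an already-permitted hash. Returns { valid:, errors: [] } so a
  # controller can render 422 and a mutation can fill its `errors` field.
  def validate(params)
    errors = []

    # Rule: every value must be one of the allowed role names.
    params.each do |name, value|
      role = value.to_s
      next if ROLE_LEVELS.key?(role)

      errors << "#{name}: '#{role}' is not one of #{ROLE_LEVELS.keys.join(', ')}"
    end

    # Rule: manage is limited to MANAGE_FLOOR or higher.
    manage = params['minimum_access_level_manage']
    if manage && ROLE_LEVELS.key?(manage.to_s) &&
       ROLE_LEVELS[manage.to_s] < ROLE_LEVELS[MANAGE_FLOOR]
      errors << "minimum_access_level_manage: must be #{MANAGE_FLOOR} or higher"
    end

    { valid: errors.empty?, errors: errors }
  end

  # Runs both steps over raw request parameters.
  def check(raw_params)
    permitted, rejected = permit(raw_params)
    validate(permitted).merge(permitted: permitted, rejected_keys: rejected)
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed request body: one unknown key and a manage level below the floor.
  sample = {
    'minimum_access_level_execute' => 'developer',
    'minimum_access_level_manage' => 'developer',
    'admin_mode' => true
  }
  p DapPermissionValidator.check(sample)
end
```

In a real controller the `permit` step is `params.permit(*DAP_ATTRIBUTES)` and the `validate` step belongs in the model or a service object so that the GraphQL mutation and the HTML form share one set of rules; keeping the rejected keys around gives you an audit signal for requests that try to set attributes outside the permitted list.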

Acceptance Criteria

  • Instance-level DAP permissions can be read and updated via API (controller or GraphQL)
  • Group-level DAP permissions can be read and updated via API (controller or GraphQL)
  • GraphQL mutations or controllers support DAP permission updates
  • Proper authorization prevents unauthorized access
  • Validation ensures only valid role configurations
  • API (controller or GraphQL) documentation is updated with new endpoints
  • Integration tests cover all API (controller or GraphQL) endpoints

Related issues

  • Parent Epic: #19743 (closed) - [Backend] Role-based permissions controls for DAP
  • Depends on: #578551 (closed) - Role-based permissions DAP - Model implementation
  • Related: #19742 (closed) - [Frontend] Role-based permissions controls DAP

Notes

This API extension will be consumed by the frontend epic #19742 (closed) to provide the user interface for configuring DAP permissions.

Edited by Lukas Wanko