Duo Agent Platform on GitLab.com should only allow instance wide or top level group runners

Background can be found at https://gitlab.com/gitlab-org/gitlab/-/issues/578791 .

Problem

Duo Agent Platform jobs can currently use runners that are not instance-level or top-level group runners. This can lead to inconsistent execution environments, reduced control over security and compliance, and difficulty enforcing organization-wide policies on where Duo Agent Platform workloads run.

Desired Outcome

Duo Agent Platform uses only instance-level or top-level group runners for its jobs. Configuration and enforcement ensure that Duo Agent Platform workloads cannot be scheduled on project-level or otherwise unauthorized runners, maintaining consistent, policy-compliant execution environments.