Allow Guest+ to execute foreground flows (Software Development Flow)
Summary
As part of the DAP permissions work, "[Backend] Role-based permissions controls for DAP" (&19743), we need to loosen permissions for foreground flows from Developer+ to Guest+.
Background
Currently, foreground flows require Developer+ permissions. However, this restriction exists only for historical reasons; no technical or security reason requires Developer+ access for foreground execution.
By allowing Guest+ to execute foreground flows, we can create a unified "Execute foreground" permission that covers:
- Agentic Chat (foreground)
- Foundational agents (foreground)
- Custom agents (foreground)
- Foreground flows: Software Development Flow in the IDE.
Implementation
Update the policy files to allow Guest+ access for foreground flow execution:
- ee/app/policies/ee/project_policy.rb
- ee/app/policies/ai/duo_workflows/workflow_policy.rb
Ensure all foreground flows check the same policy when they start running.
Related
- Spike issue: #582055 (closed)
- Related MR: (will be linked once custom agents MR is created)
Edited by 🤖 GitLab Bot 🤖