Add foreground execute permission check for agentic chat on GitLab.com

What does this MR do and why?

This change adds the role-based foreground execute permission check for Agentic Chat on GitLab.com.

For group or project members, the role-based permission check compares the user's role in the activity context against the TLG's minimum access level setting.

When the user is not a member in the activity context (i.e., using Agentic Chat as a non-member on a public group or project), Agentic Chat access requires that the user meets the minimum access level setting on their default duo namespace current namespace's minimum access level setting.

In the global (non-namespace) context, such as /dashboard/todos, Agentic Chat access requires that the user meets the minimum access level setting on their default duo namespace.

Implementation for Self-managed: Add foreground execute permission check for Age... (!219838 - merged)

References

Screenshots or screen recordings

WebUI

  Example: Foreground execution requires Guest role (default): Agentic Chat is enabled for Guest
  Example: Foreground execution requires Developer role: Agentic Chat is unavailable for Guest

IDE

  Example: Foreground execution requires Guest role (default): Agentic Chat is enabled for Guest
  Example: Foreground execution requires Developer role: Agentic Chat is unavailable for Guest

Global context

  Example: Foreground execution requires Guest role (default): Agentic Chat is available for Guest in global context
  Example: Foreground execution requires Developer role: Agentic Chat is unavailable for Guest in global context

How to set up and validate locally

  1. Set up DAP for local dev

    1. Additionally, see prerequisites
  2. Start GDK in SaaS mode: export GITLAB_SIMULATE_SAAS=1

  3. Create a top level group with a project and DAP enabled for the top level group

  4. Enable the feature flag for the top level group: Feature.enable(:dap_group_customizable_permissions, root_namespace)

  5. Update the minimum access level for foreground execution

    root_namespace = Group.find 1000000
    root_namespace.ai_settings.update!(minimum_access_level_execute: ::Gitlab::Access::DEVELOPER)

WebUI testing steps:

  1. Create a new user and add them as a member with Guest access in the group created in step 3
  2. Sign in as this new user and verify these scenarios
    1. Agentic Chat is unavailable in the group created in step 3
    2. Agentic Chat is unavailable in the project created in step 3
    3. Agentic Chat is unavailable from global pages, such as http://gdk.test:3000/dashboard/todos

IDE testing steps:

  1. Set up DAP in your IDE
    1. Create a new IDE profile for your Guest user
  2. Using the Guest's IDE profile, open the project created in step 3
  3. Verify Agentic Chat is unavailable for the user

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Katherine Richards
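
The access decision described above, modelled as a stand-alone Ruby sketch (an added example, not code from this MR or from GitLab). Namespace, User, meets_minimum? and foreground_execute_allowed? are hypothetical names; the sketch assumes a non-member is evaluated against their default Duo namespace, the same as in the global context, and that missing data denies access.

```ruby
# Added sketch: a stand-alone model, not GitLab's implementation.
GUEST = 10      # values mirror Gitlab::Access
DEVELOPER = 30

# Hypothetical stand-ins for a group/project and a user.
Namespace = Struct.new(:name, :parent, :min_execute_level, :roles, keyword_init: true) do
  # The top-level group (TLG) owns the minimum access level setting.
  def root
    parent ? parent.root : self
  end

  # Highest role held here or inherited from an ancestor; nil for non-members.
  def role_of(user_name)
    [(roles || {})[user_name], parent&.role_of(user_name)].compact.max
  end
end
User = Struct.new(:name, :default_duo_namespace, keyword_init: true)

def meets_minimum?(user, namespace)
  return false if namespace.nil?                  # no namespace to check: deny
  role = namespace.role_of(user.name)
  minimum = namespace.root.min_execute_level
  return false if role.nil? || minimum.nil?       # fail closed on missing data
  role >= minimum
end

# context is the group/project being viewed, or nil for global pages.
def foreground_execute_allowed?(user, context)
  if context && context.role_of(user.name)
    meets_minimum?(user, context)                 # member: role in context vs TLG setting
  else
    # Global page, or (assumption) non-member on a public group/project.
    meets_minimum?(user, user.default_duo_namespace)
  end
end

# Constructed sample data matching the local validation steps.
TLG = Namespace.new(name: "tlg", min_execute_level: DEVELOPER,
                    roles: { "guest" => GUEST, "dev" => DEVELOPER })
PROJECT = Namespace.new(name: "tlg/project", parent: TLG)
PUBLIC_GROUP = Namespace.new(name: "public", min_execute_level: GUEST)
GUEST_USER = User.new(name: "guest", default_duo_namespace: TLG)
DEV_USER = User.new(name: "dev", default_duo_namespace: TLG)

[TLG, PROJECT, nil].each do |ctx|
  puts "#{ctx ? ctx.name : 'global'}: guest=#{foreground_execute_allowed?(GUEST_USER, ctx)} " \
       "dev=#{foreground_execute_allowed?(DEV_USER, ctx)}"
end
```

With the minimum set to Developer, the Guest is denied in the group, the project and the global context, which is what the WebUI and IDE testing steps expect to observe.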
