Use prevent_all for job token scope
What does this MR do and why?
Replace the explicit role-level prevent list for job token scope with prevent_all and exceptions, gated behind the use_prevent_all_for_job_token_scope feature flag.
Also fix condition naming (user_confirmed? to user_confirmed), add a guard for non-user actors in has_merge_requests_allowing_pushes, and add confirmed? to PolicyActor.
We're moving away from role-access permissions (e.g. guest_access, reporter_access) entirely. The new model treats a role as a container of permissions, evaluated directly: "does this user have a role with permission X?" rather than through intermediary role-level checks that transitively grant or deny permissions. When permissions are controlled through these intermediates, it becomes unclear which specific permissions end up allowed or denied. This MR is a step toward that transition: replacing the explicit role-level prevent list with prevent_all + exceptions makes the allowed permissions explicit and unambiguous, and cleans up the policy files in preparation for the new permission model.
References
Related to #523522
Screenshots or screen recordings
| Before | After |
|---|---|
How to set up and validate locally
MR acceptance checklist
Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.