Role-based permissions DAP - Manage permission check integration for custom agents
## Summary

This issue integrates DAP (Duo Agent Platform) role-based `Manage` permission checks into custom agent management operations. It ensures that only users with appropriate permissions (maintainer+ by default) can create, duplicate, edit, enable, and delete custom agents.

## Background

As part of the DAP role-based permissions epic (#19743), we need to enforce the `Manage` permission across all DAP administrative operations. Custom agents are a core DAP resource that requires proper access controls for management operations.

The `Manage` permission controls:

- **Create**: Creating new custom agents
- **Duplicate**: Duplicating existing custom agents
- **Edit**: Modifying custom agent configurations
- **Enable**: Enabling or disabling custom agents
- **Delete**: Removing custom agents

The `Manage` permission is limited to maintainer+ roles by design.

## Requirements

### Permission Check Integration

- [ ] Identify all entry points for custom agent management operations
- [ ] Integrate `DapPermissionService.can_user_perform_action?` checks for `:manage` action
- [ ] Ensure permission checks occur before any management operation
- [ ] Handle permission denial gracefully with appropriate error messages
- [ ] Enforce maintainer+ minimum role requirement

### Management Operations to Protect

#### Create Operations

- [ ] Creating new custom agents via UI
- [ ] Creating custom agents via API/GraphQL
- [ ] Importing custom agents
- [ ] Cloning/duplicating custom agents

#### Edit Operations

- [ ] Updating agent configuration
- [ ] Modifying agent settings
- [ ] Changing agent permissions
- [ ] Updating agent metadata

#### Enable/Disable Operations

- [ ] Enabling custom agents
- [ ] Disabling custom agents
- [ ] Toggling agent availability

#### Delete Operations

- [ ] Deleting custom agents
- [ ] Bulk deletion operations
- [ ] Archiving agents (if applicable)

## Technical Implementation

### Locations to Update

Based on the codebase analysis from issue #578370, identify and update all locations where custom agents are managed. This may include:

- Agent management controllers
- GraphQL mutations for agent CRUD operations
- API endpoints for agent management
- Admin interfaces for agent configuration
- Bulk operation handlers

### Permission Check Pattern

```ruby
# Before any manage operation on custom agent
unless DapPermissionService.can_user_perform_action?(current_user, namespace, :manage)
  return error_response('Insufficient permissions to manage custom agents. Maintainer role or higher required.')
end

# Perform management operation
perform_agent_management_operation(agent, params)
```

## Acceptance Criteria

- [ ] All custom agent management operations have permission checks
- [ ] Users without `Manage` permission receive clear error messages
- [ ] Error messages indicate maintainer+ role requirement
- [ ] Permission checks are performant (use caching from DapPermissionService)
- [ ] UI elements for management are hidden/disabled for users without permission
- [ ] Integration tests verify permission enforcement
- [ ] Tests cover both allowed and denied scenarios
- [ ] Audit logging captures management operations and permission checks

## Testing Scenarios

- [ ] User with maintainer role can manage custom agents (default config)
- [ ] User with owner role can manage custom agents (default config)
- [ ] User with developer role cannot manage custom agents
- [ ] User with reporter role cannot manage custom agents
- [ ] Custom permission configuration is respected (maintainer+ only)
- [ ] Instance-level and namespace-level permissions work correctly
- [ ] All CRUD operations (create, read, update, delete) respect permissions
- [ ] Bulk operations respect permissions
- [ ] UI appropriately reflects permission state

## User Experience

- [ ] Management UI elements are hidden for users without permission
- [ ] Clear messaging when users attempt unauthorized operations
- [ ] Guidance on how to request access or who can perform operations
- [ ] Consistent permission enforcement across UI, API, and GraphQL

## Related Issues

- Parent Epic: #19743 - [Backend] Role-based permissions controls for DAP
- Depends on: #578557 - Role-based permissions DAP - Manage permission
- Related: #578560 - Manage permission for custom flows
- Related: #578556 - Run permission service

## Notes

The `Manage` permission for custom agents is a critical security control. Only maintainer+ users should be able to create or modify agents, as these can execute code and access resources within projects.
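
One way to route every custom agent management operation through the `:manage` check from the Permission Check Pattern section, as an added example that is not GitLab's code. `DapPermissionService` here is a stand-in stub, and `CustomAgentManager`, the in-memory agent store and the sample members are assumptions made for illustration.

```ruby
# Stand-in for the issue's DapPermissionService (hypothetical implementation).
module DapPermissionService
  # GitLab access levels; :manage defaults to maintainer+ as the issue requires.
  ACCESS = { guest: 10, reporter: 20, developer: 30, maintainer: 40, owner: 50 }.freeze
  MIN_LEVEL = { manage: ACCESS[:maintainer] }.freeze

  def self.can_user_perform_action?(user, namespace, action)
    required = MIN_LEVEL[action]
    # Fail closed: anonymous callers and unknown actions are always denied.
    return false if user.nil? || required.nil?

    namespace.fetch(:members, {}).fetch(user, 0) >= required
  end
end

# Hypothetical manager: one choke point for create/duplicate/edit/enable/delete.
class CustomAgentManager
  MANAGE_OPERATIONS = %i[create duplicate edit enable delete].freeze
  DENIED = 'Insufficient permissions to manage custom agents. Maintainer role or higher required.'

  attr_reader :audit_log

  def initialize(namespace)
    @namespace = namespace
    @agents = {}
    @audit_log = []
  end

  def manage(user, operation, name, attrs = {})
    raise ArgumentError, "unknown operation #{operation}" unless MANAGE_OPERATIONS.include?(operation)

    # The check runs before any state change, and both outcomes are audited.
    allowed = DapPermissionService.can_user_perform_action?(user, @namespace, :manage)
    @audit_log << { user: user, operation: operation, agent: name, allowed: allowed }
    return { status: :error, message: DENIED } unless allowed

    case operation
    when :create then @agents[name] = { enabled: false }.merge(attrs)
    when :duplicate then @agents["#{name}-copy"] = @agents.fetch(name).dup
    when :edit then @agents.fetch(name).merge!(attrs)
    when :enable then @agents.fetch(name)[:enabled] = attrs.fetch(:enabled, true)
    when :delete then @agents.delete(name)
    end
    { status: :success, agents: @agents.keys }
  end
end

# Constructed sample namespace: user name => access level.
NAMESPACE = { members: { 'maya' => 40, 'olu' => 50, 'dev' => 30, 'rep' => 20 } }.freeze
```

Because the check lives in `manage` rather than in each caller, a new entry point (UI, API, GraphQL, bulk handler) cannot skip it, and denied attempts appear in the audit log alongside allowed ones.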