SAST VR – Backend (2) – Add feature flag + replace `admin_project` gate with `update_sast_vr_setting` for the project toggle
## TL;DR

Replace the `admin_project` gate on `duo_sast_vr_workflow_enabled` so any user with `update_sast_vr_setting` (Security Manager, Maintainer, Owner) can flip it via REST and the controller path.

We also want to add the new feature flag called `update_sast_vr_setting_permission`. We want to add all logic behind this flag.

The UI rendering is dependent on separate work from ~"group::authorization".

## Acceptance Criteria

- [ ] A user with `security_manager` role can update `duo_sast_vr_workflow_enabled` via `PUT /projects/:id` REST endpoint without holding `admin_project`.
- [ ] The same user cannot modify any other project setting through the same endpoint.
- [ ] A user without the new ability still receives 403 when attempting to update `duo_sast_vr_workflow_enabled`.
- [ ] Existing Maintainer/Owner functionality continues to work unchanged.
- [ ] All controller, REST, and Service layer paths consistently enforce the ability.
- [x] Add `update_sast_vr_setting_permission` feature flag.

## Implementation Details

Related files and places:

- `ee/app/controllers/ee/projects_controller.rb`
- `ee/lib/ee/api/helpers/projects_helpers.rb`
- `Projects::UpdateService` / `Projects::UpdatePolicy`

## Estimate
issue
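
The acceptance criteria above can be modelled as a single authorization decision. The following is an added sketch, not GitLab code: the role table, the `developer` role, `can?`, `authorize_project_update` and the choice to reject a mixed request outright (rather than strip the extra keys) are assumptions made for illustration.

```ruby
require 'set'

# Names taken from the issue text.
SAST_VR_PARAM = :duo_sast_vr_workflow_enabled

# Constructed role -> ability table following the TL;DR
# (Security Manager, Maintainer and Owner hold update_sast_vr_setting).
ROLE_ABILITIES = {
  developer:        Set[],
  security_manager: Set[:update_sast_vr_setting],
  maintainer:       Set[:update_sast_vr_setting, :admin_project],
  owner:            Set[:update_sast_vr_setting, :admin_project]
}.freeze

# Hypothetical stand-in for a policy check.
def can?(role, ability)
  ROLE_ABILITIES.fetch(role, Set[]).include?(ability)
end

# Returns [http_status, params_that_would_be_applied].
# flag_enabled models the update_sast_vr_setting_permission feature flag.
def authorize_project_update(role, params, flag_enabled:)
  # Existing Maintainer/Owner path: unchanged, flag on or off.
  return [200, params] if can?(role, :admin_project)

  # New path exists only behind the flag.
  narrow = flag_enabled && can?(role, :update_sast_vr_setting)

  # The narrow ability covers a request that touches the SAST VR toggle
  # and nothing else. Any extra key fails closed with 403 so the new
  # ability cannot become a side door to other project settings.
  return [200, params] if narrow && params.keys == [SAST_VR_PARAM]

  [403, {}]
end

# Constructed requests, one per acceptance criterion.
if __FILE__ == $PROGRAM_NAME
  toggle = { SAST_VR_PARAM => true }
  mixed  = toggle.merge(visibility: 'public')
  p authorize_project_update(:security_manager, toggle, flag_enabled: true)
  p authorize_project_update(:security_manager, mixed,  flag_enabled: true)
  p authorize_project_update(:developer,        toggle, flag_enabled: true)
  p authorize_project_update(:security_manager, toggle, flag_enabled: false)
  p authorize_project_update(:maintainer,       mixed,  flag_enabled: false)
end
```

Running the same table of cases against the controller, REST helper and service layer is one way to check the "consistently enforce" criterion.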