## TL;DR Verify or add audit-log entries for every enable/disable/lock change of SAST VR, and update `ProjectSettingsUpdate` GraphQL mutation to use the new ability for the SAST VR attribute. ## Acceptance Criteria - [ ] Toggling `duo_sast_vr_workflow_enabled` at project level emits an audit event with actor, target, before/after. - [ ] If `audit_changes` already covers the attribute via existing setting hooks, this is verified by a spec; if not, a custom audit hook is added. - [ ] `Mutations::Projects::ProjectSettingsUpdate` permits updating `duo_sast_vr_workflow_enabled` for a user with `update_sec_ai_workflow_settings`, even if they lack `admin_project`. - [ ] Other attributes in the same mutation continue to require `admin_project`. ## Implementation Details - Audit: investigate whether `ProjectSetting` and `NamespaceSetting` already pipe attribute changes through `Audit::Events`. The existing `duo_features_enabled` toggle is a good comparison point — if it audits, the new attribute likely will too. - `ee/app/graphql/mutations/projects/project_settings_update.rb`: - Either add `argument :duo_sast_vr_workflow_enabled` and switch the top-level `authorize :admin_project` to per-attribute checks inside `resolve`, - Or split into a dedicated mutation `ProjectSastVrSettingUpdate` with `authorize :update_sec_ai_workflow_settings`. ## Estimate