Secret Detection False Positive Detection - Add permission AppSec Team to enable FP
## TL;DR Extend the Security Manager permission model to allow Security Managers to toggle Secret Detection False Positive Detection settings at the project level, without requiring Maintainer/Owner roles. We want to replicate the same pattern established for SAST VR (https://gitlab.com/groups/gitlab-org/-/work_items/21971 and https://gitlab.com/gitlab-org/gitlab/-/merge_requests/239266) and SAST FP Detection (https://gitlab.com/groups/gitlab-org/-/work_items/22422). ## Scope ### In Scope * Extend `update_sec_ai_workflow_settings` permission to cover `duo_secret_detection_fp_enabled` setting ### Out of Scope * Group/subgroup/organization/instance level configuration (covered by [&21766](https://gitlab.com/groups/gitlab-org/-/work_items/21766)) * Custom roles support for the permission * Changes to the Vulnerability Details page FP detection action button * New permissions or roles beyond what was established for SAST VR * Redesigning the GitLab role model ## Phase This is Iteration 3 of the parent epic, following the SAST FP Detection permission work in Iteration 2. **Epic Phase:** Phase 3 **Parent Epic:** https://gitlab.com/groups/gitlab-org/-/work_items/21725 ## Problem Statement Security Managers can now toggle SAST Vulnerability Resolution settings (per [&21971](https://gitlab.com/groups/gitlab-org/-/work_items/21971)) and SAST False Positive Detection (per [&22422](https://gitlab.com/groups/gitlab-org/-/work_items/22422)), but they still cannot enable/disable Secret Detection False Positive Detection without Maintainer/Owner access. With this epic we are creating the permission for them to do this. ## Proposed Approach Replicate the exact pattern established in [gitlab!239266](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/239266) and the SAST FP Detection work. ## Feature Flag - [X] Required **Flag name:** `update_secret_detection_fp_setting_permission` **Default state:** Disabled **Rollout plan:** Gradual rollout following the same pattern as SAST FP Detection. ## Success Criteria - [ ] Security Manager can update `duo_secret_detection_fp_enabled` via REST `PUT /projects/:id` without Maintainer/Owner - [ ] Security Manager can update `duo_secret_detection_fp_enabled` via GraphQL `projectSettingsUpdate` mutation without Maintainer/Owner - [ ] Users without the permission receive 403/404 error - [ ] Audit event is recorded on setting change ## Dependencies - Reference: [&22422](https://gitlab.com/groups/gitlab-org/-/work_items/22422) (SAST FP Detection pattern) ## Resources - Reference MR: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/239266 - Parent epic: https://gitlab.com/groups/gitlab-org/-/work_items/21725
epic