From 9ac45511b77ea92088bef51d7e796a7839d47d87 Mon Sep 17 00:00:00 2001
From: Jaanus Sellin <sellinjaanus@gmail.com>
Date: Thu, 20 Nov 2025 13:22:57 +0200
Subject: [PATCH] feat: now safeguard impact metrics are not editable or
 deletable (#11006)

---
 .../component/impact-metrics/ChartItem.tsx    | 34 ++++++++++---------
 .../src/component/impact-metrics/types.ts     |  1 +
 .../src/openapi/models/eventSchemaType.ts     |  2 ++
 .../models/impactMetricsConfigSchema.ts       |  3 ++
 .../models/impactMetricsConfigSchemaMode.ts   | 17 ++++++++++
 frontend/src/openapi/models/index.ts          |  4 +++
 .../models/oidcSettingsResponseSchema.ts      |  4 +--
 .../openapi/models/oidcSettingsSchemaOneOf.ts |  4 +--
 .../models/oidcSettingsSchemaOneOfFour.ts     |  4 +--
 .../models/resumeMilestoneProgressions401.ts  | 14 ++++++++
 .../models/resumeMilestoneProgressions403.ts  | 14 ++++++++
 .../models/resumeMilestoneProgressions404.ts  | 14 ++++++++
 12 files changed, 93 insertions(+), 22 deletions(-)
 create mode 100644 frontend/src/openapi/models/impactMetricsConfigSchemaMode.ts
 create mode 100644 frontend/src/openapi/models/resumeMilestoneProgressions401.ts
 create mode 100644 frontend/src/openapi/models/resumeMilestoneProgressions403.ts
 create mode 100644 frontend/src/openapi/models/resumeMilestoneProgressions404.ts

diff --git a/frontend/src/component/impact-metrics/ChartItem.tsx b/frontend/src/component/impact-metrics/ChartItem.tsx
index 5bf66945aa..e68c8af714 100644
--- a/frontend/src/component/impact-metrics/ChartItem.tsx
+++ b/frontend/src/component/impact-metrics/ChartItem.tsx
@@ -104,22 +104,24 @@ export const ChartItem: FC<ChartItemProps> = ({
                     {getConfigDescription(config)}
                 </Typography>
             </StyledChartTitle>
-            <StyledChartActions>
-                <PermissionIconButton
-                    onClick={() => onEdit(config)}
-                    permission={permission}
-                    projectId={projectId}
-                >
-                    <Edit />
-                </PermissionIconButton>
-                <PermissionIconButton
-                    onClick={() => onDelete(config.id)}
-                    permission={permission}
-                    projectId={projectId}
-                >
-                    <Delete />
-                </PermissionIconButton>
-            </StyledChartActions>
+            {config.mode !== 'read' && (
+                <StyledChartActions>
+                    <PermissionIconButton
+                        onClick={() => onEdit(config)}
+                        permission={permission}
+                        projectId={projectId}
+                    >
+                        <Edit />
+                    </PermissionIconButton>
+                    <PermissionIconButton
+                        onClick={() => onDelete(config.id)}
+                        permission={permission}
+                        projectId={projectId}
+                    >
+                        <Delete />
+                    </PermissionIconButton>
+                </StyledChartActions>
+            )}
         </StyledHeader>
 
         <StyledChartContent>
diff --git a/frontend/src/component/impact-metrics/types.ts b/frontend/src/component/impact-metrics/types.ts
index 932b666467..ac0b3b6d84 100644
--- a/frontend/src/component/impact-metrics/types.ts
+++ b/frontend/src/component/impact-metrics/types.ts
@@ -20,6 +20,7 @@ export type AggregationMode =
 export type DisplayChartConfig = ChartConfig & {
     type: 'counter' | 'gauge' | 'histogram' | 'unknown';
     displayName: string; // e.g. my_metric with unleash_counter stripped
+    mode?: 'read' | 'write';
 };
 
 export type LayoutItem = {
diff --git a/frontend/src/openapi/models/eventSchemaType.ts b/frontend/src/openapi/models/eventSchemaType.ts
index 3e1321f6fa..8e908e8325 100644
--- a/frontend/src/openapi/models/eventSchemaType.ts
+++ b/frontend/src/openapi/models/eventSchemaType.ts
@@ -150,6 +150,8 @@ export const EventSchemaType = {
     'banner-created': 'banner-created',
     'banner-updated': 'banner-updated',
     'banner-deleted': 'banner-deleted',
+    'safeguard-changed': 'safeguard-changed',
+    'safeguard-deleted': 'safeguard-deleted',
     'project-environment-added': 'project-environment-added',
     'project-environment-removed': 'project-environment-removed',
     'default-strategy-updated': 'default-strategy-updated',
diff --git a/frontend/src/openapi/models/impactMetricsConfigSchema.ts b/frontend/src/openapi/models/impactMetricsConfigSchema.ts
index 9971eca44b..382bb73211 100644
--- a/frontend/src/openapi/models/impactMetricsConfigSchema.ts
+++ b/frontend/src/openapi/models/impactMetricsConfigSchema.ts
@@ -5,6 +5,7 @@
  */
 import type { ImpactMetricsConfigSchemaAggregationMode } from './impactMetricsConfigSchemaAggregationMode.js';
 import type { ImpactMetricsConfigSchemaLabelSelectors } from './impactMetricsConfigSchemaLabelSelectors.js';
+import type { ImpactMetricsConfigSchemaMode } from './impactMetricsConfigSchemaMode.js';
 import type { ImpactMetricsConfigSchemaTimeRange } from './impactMetricsConfigSchemaTimeRange.js';
 import type { ImpactMetricsConfigSchemaType } from './impactMetricsConfigSchemaType.js';
 import type { ImpactMetricsConfigSchemaYAxisMin } from './impactMetricsConfigSchemaYAxisMin.js';
@@ -23,6 +24,8 @@ export interface ImpactMetricsConfigSchema {
     labelSelectors: ImpactMetricsConfigSchemaLabelSelectors;
     /** The Prometheus metric series to query. It includes both unleash prefix and metric type and display name */
     metricName: string;
+    /** The access mode for this impact metric configuration: "read" when referenced by a safeguard, "write" otherwise. */
+    mode?: ImpactMetricsConfigSchemaMode;
     /** The time range for the metric data. */
     timeRange: ImpactMetricsConfigSchemaTimeRange;
     /**
diff --git a/frontend/src/openapi/models/impactMetricsConfigSchemaMode.ts b/frontend/src/openapi/models/impactMetricsConfigSchemaMode.ts
new file mode 100644
index 0000000000..2674410307
--- /dev/null
+++ b/frontend/src/openapi/models/impactMetricsConfigSchemaMode.ts
@@ -0,0 +1,17 @@
+/**
+ * Generated by Orval
+ * Do not edit manually.
+ * See `gen:api` script in package.json
+ */
+
+/**
+ * The access mode for this impact metric configuration: "read" when referenced by a safeguard, "write" otherwise.
+ */
+export type ImpactMetricsConfigSchemaMode =
+    (typeof ImpactMetricsConfigSchemaMode)[keyof typeof ImpactMetricsConfigSchemaMode];
+
+// eslint-disable-next-line @typescript-eslint/no-redeclare
+export const ImpactMetricsConfigSchemaMode = {
+    read: 'read',
+    write: 'write',
+} as const;
diff --git a/frontend/src/openapi/models/index.ts b/frontend/src/openapi/models/index.ts
index 14cc552d20..6e06cc1642 100644
--- a/frontend/src/openapi/models/index.ts
+++ b/frontend/src/openapi/models/index.ts
@@ -949,6 +949,7 @@ export * from './impactMetricsConfigListSchema.js';
 export * from './impactMetricsConfigSchema.js';
 export * from './impactMetricsConfigSchemaAggregationMode.js';
 export * from './impactMetricsConfigSchemaLabelSelectors.js';
+export * from './impactMetricsConfigSchemaMode.js';
 export * from './impactMetricsConfigSchemaTimeRange.js';
 export * from './impactMetricsConfigSchemaType.js';
 export * from './impactMetricsConfigSchemaYAxisMin.js';
@@ -1283,6 +1284,9 @@ export * from './resetUserPassword401.js';
 export * from './resetUserPassword403.js';
 export * from './resetUserPassword404.js';
 export * from './resourceLimitsSchema.js';
+export * from './resumeMilestoneProgressions401.js';
+export * from './resumeMilestoneProgressions403.js';
+export * from './resumeMilestoneProgressions404.js';
 export * from './reviveFeature400.js';
 export * from './reviveFeature401.js';
 export * from './reviveFeature403.js';
diff --git a/frontend/src/openapi/models/oidcSettingsResponseSchema.ts b/frontend/src/openapi/models/oidcSettingsResponseSchema.ts
index 9f187f579c..d20201be23 100644
--- a/frontend/src/openapi/models/oidcSettingsResponseSchema.ts
+++ b/frontend/src/openapi/models/oidcSettingsResponseSchema.ts
@@ -32,10 +32,10 @@ export interface OidcSettingsResponseSchema {
     enabled?: boolean;
     /** Should we enable group syncing. Refer to the documentation [Group syncing](https://docs.getunleash.io/how-to/how-to-set-up-group-sso-sync) */
     enableGroupSyncing?: boolean;
+    /** Enable PKCE (Proof Key for Code Exchange) for enhanced security. Recommended for public clients and provides additional protection against authorization code interception attacks. */
+    enablePkce?: boolean;
     /** Support Single sign out when user clicks logout in Unleash. If `true` user is signed out of all OpenID Connect sessions against the clientId they may have active */
     enableSingleSignOut?: boolean;
-    /** Enable Proof Key for Code Exchange (PKCE) when performing the OIDC authorization code flow. */
-    enablePkce?: boolean;
     /** Specifies the path in the OIDC token response to read which groups the user belongs to from. */
     groupJsonPath?: string;
     /** The signing algorithm used to sign our token. Refer to the [JWT signatures](https://jwt.io/introduction) documentation for more information. */
diff --git a/frontend/src/openapi/models/oidcSettingsSchemaOneOf.ts b/frontend/src/openapi/models/oidcSettingsSchemaOneOf.ts
index 012952c7ff..4d3769e3c4 100644
--- a/frontend/src/openapi/models/oidcSettingsSchemaOneOf.ts
+++ b/frontend/src/openapi/models/oidcSettingsSchemaOneOf.ts
@@ -29,10 +29,10 @@ export type OidcSettingsSchemaOneOf = {
     enabled: boolean;
     /** Should we enable group syncing. Refer to the documentation [Group syncing](https://docs.getunleash.io/how-to/how-to-set-up-group-sso-sync) */
     enableGroupSyncing?: boolean;
+    /** Enable PKCE (Proof Key for Code Exchange) for enhanced security. Recommended for public clients and provides additional protection against authorization code interception attacks. */
+    enablePkce?: boolean;
     /** Support Single sign out when user clicks logout in Unleash. If `true` user is signed out of all OpenID Connect sessions against the clientId they may have active */
     enableSingleSignOut?: boolean;
-    /** Enable Proof Key for Code Exchange (PKCE) when performing the OIDC authorization code flow. */
-    enablePkce?: boolean;
     /** Specifies the path in the OIDC token response to read which groups the user belongs to from. */
     groupJsonPath?: string;
     /** The signing algorithm used to sign our token. Refer to the [JWT signatures](https://jwt.io/introduction) documentation for more information. */
diff --git a/frontend/src/openapi/models/oidcSettingsSchemaOneOfFour.ts b/frontend/src/openapi/models/oidcSettingsSchemaOneOfFour.ts
index 7f47464bbc..7b7b4670f1 100644
--- a/frontend/src/openapi/models/oidcSettingsSchemaOneOfFour.ts
+++ b/frontend/src/openapi/models/oidcSettingsSchemaOneOfFour.ts
@@ -29,10 +29,10 @@ export type OidcSettingsSchemaOneOfFour = {
     enabled?: boolean;
     /** Should we enable group syncing. Refer to the documentation [Group syncing](https://docs.getunleash.io/how-to/how-to-set-up-group-sso-sync) */
     enableGroupSyncing?: boolean;
+    /** Enable PKCE (Proof Key for Code Exchange) for enhanced security. Recommended for public clients and provides additional protection against authorization code interception attacks. */
+    enablePkce?: boolean;
     /** Support Single sign out when user clicks logout in Unleash. If `true` user is signed out of all OpenID Connect sessions against the clientId they may have active */
     enableSingleSignOut?: boolean;
-    /** Enable Proof Key for Code Exchange (PKCE) when performing the OIDC authorization code flow. */
-    enablePkce?: boolean;
     /** Specifies the path in the OIDC token response to read which groups the user belongs to from. */
     groupJsonPath?: string;
     /** The signing algorithm used to sign our token. Refer to the [JWT signatures](https://jwt.io/introduction) documentation for more information. */
diff --git a/frontend/src/openapi/models/resumeMilestoneProgressions401.ts b/frontend/src/openapi/models/resumeMilestoneProgressions401.ts
new file mode 100644
index 0000000000..fb37a6c9cf
--- /dev/null
+++ b/frontend/src/openapi/models/resumeMilestoneProgressions401.ts
@@ -0,0 +1,14 @@
+/**
+ * Generated by Orval
+ * Do not edit manually.
+ * See `gen:api` script in package.json
+ */
+
+export type ResumeMilestoneProgressions401 = {
+    /** The ID of the error instance */
+    id?: string;
+    /** A description of what went wrong. */
+    message?: string;
+    /** The name of the error kind */
+    name?: string;
+};
diff --git a/frontend/src/openapi/models/resumeMilestoneProgressions403.ts b/frontend/src/openapi/models/resumeMilestoneProgressions403.ts
new file mode 100644
index 0000000000..7e08c62eb2
--- /dev/null
+++ b/frontend/src/openapi/models/resumeMilestoneProgressions403.ts
@@ -0,0 +1,14 @@
+/**
+ * Generated by Orval
+ * Do not edit manually.
+ * See `gen:api` script in package.json
+ */
+
+export type ResumeMilestoneProgressions403 = {
+    /** The ID of the error instance */
+    id?: string;
+    /** A description of what went wrong. */
+    message?: string;
+    /** The name of the error kind */
+    name?: string;
+};
diff --git a/frontend/src/openapi/models/resumeMilestoneProgressions404.ts b/frontend/src/openapi/models/resumeMilestoneProgressions404.ts
new file mode 100644
index 0000000000..b52cdff5ff
--- /dev/null
+++ b/frontend/src/openapi/models/resumeMilestoneProgressions404.ts
@@ -0,0 +1,14 @@
+/**
+ * Generated by Orval
+ * Do not edit manually.
+ * See `gen:api` script in package.json
+ */
+
+export type ResumeMilestoneProgressions404 = {
+    /** The ID of the error instance */
+    id?: string;
+    /** A description of what went wrong. */
+    message?: string;
+    /** The name of the error kind */
+    name?: string;
+};