feat(rbac): org-level agents-access gating alongside site-wide toggle #1465

@johnstcn

Problem

The agents-access role is currently site-wide only. A deployment admin can enable/disable agents for the entire instance, but org admins have no control over whether their org uses agents.

In multi-org deployments, some orgs may want agents while others do not. There is no way to express this today.

Proposal

Add a two-tier gating model:

  1. Site-wide gate (existing): agents-access role as a global kill switch. Stays as-is.
  2. Org-wide gate (new): org-level permission on ResourceChat with ActionCreate. Org admin controls whether members of their org can create chats scoped to it.

Composition: site gate must pass first, then org gate. A member needs both to create a chat in a given org.

Implementation sketch

  • Add an org-scoped role or permission for agents access (ByOrgID permissions instead of User)
  • Update role assignment UI/API to allow org admins to toggle it
  • Update handler-level gates (postChats, promoteChatQueuedMessage, postChatToolResults) to check per-org after the site-wide check passes
  • Consider: should the org gate be opt-in (orgs must enable) or opt-out (enabled by default, orgs can disable)?

Context

Discussed during review of coder/coder#23827 (chat org-scoping). The site-wide role was kept as-is — org-level gating was agreed to be out of scope for that PR.

🤖
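
An added example, not part of the original issue and not coder/coder code: a minimal Go model of the proposed composition, where the site gate is checked first and the org gate second. All names (`Gate`, `Subject`, `OrgPolicy`, `CanCreateChat`) and the org IDs are hypothetical; `DefaultAllow` models the open opt-in versus opt-out question from the implementation sketch.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical model for illustration; not coder/coder's rbac package.
type OrgPolicy int
const (
	OrgUnset OrgPolicy = iota // org admin has made no choice
	OrgAllow
	OrgDeny
)

type Subject struct {
	SiteAgentsAccess bool            // holds the site-wide agents-access role
	OrgMember        map[string]bool // org ID -> membership
}
type Gate struct {
	OrgChatCreate map[string]OrgPolicy // per-org create permission on chats
	DefaultAllow  bool                 // false = opt-in, true = opt-out
}

var (
	ErrSiteGate  = errors.New("site gate: agents-access role missing")
	ErrNotMember = errors.New("org gate: subject is not a member of the org")
	ErrOrgGate   = errors.New("org gate: chat creation not enabled for the org")
)

// CanCreateChat checks the site gate first, then the org gate; both must pass.
func (g Gate) CanCreateChat(s Subject, orgID string) error {
	if !s.SiteAgentsAccess {
		return ErrSiteGate
	}
	if !s.OrgMember[orgID] {
		return ErrNotMember
	}
	p := g.OrgChatCreate[orgID]
	if p == OrgAllow || (p == OrgUnset && g.DefaultAllow) {
		return nil
	}
	return ErrOrgGate
}

func main() {
	g := Gate{OrgChatCreate: map[string]OrgPolicy{"org-a": OrgAllow, "org-b": OrgDeny}}
	s := Subject{SiteAgentsAccess: true, OrgMember: map[string]bool{"org-a": true, "org-b": true}}
	fmt.Println(g.CanCreateChat(s, "org-a"), g.CanCreateChat(s, "org-b"))
}
```

With `DefaultAllow` false, an org that has never set the permission is denied, so a newly created org fails closed; with it true, the same org is allowed until its admin disables it.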
