Per-agent identity RBAC and developer pre-flight checks #7651

Merged
trangevi merged 6 commits into Azure:main from therealjohn:per-agent-identity
Apr 10, 2026

Conversation

@therealjohn
Contributor

Fixes #7637

Switches agent identity RBAC from the shared project-level identity to per-agent identities, adds developer RBAC pre-flight checks before deploy, and provides an opt-out mechanism for CI/CD.

Changes

Per-agent identity RBAC (postdeploy)

  • Identity lookup changed from {account}-{project}-AgentIdentity (shared) to {account}-{project}-{agentName}-AgentIdentity (per deployed agent)
  • Removed Cognitive Services OpenAI User and Monitoring Metrics Publisher role assignments — only Azure AI User is assigned, scoped to the Foundry Project
  • postdeployHandler now collects agent names from AGENT_{SERVICE_KEY}_NAME env vars and iterates per-agent

Developer RBAC pre-flight checks (predeploy)

  • Verifies the developer has Azure AI User (or Owner/Contributor/Azure AI Developer) on the Foundry Project scope
  • Verifies the developer has ACR push access (Owner/Contributor/AcrPush/Container Registry Tasks Contributor/Container Registry Repository Contributor) on the Container Registry
  • Returns structured errors with az role assignment create commands on failure

Skip mechanism

  • Set AZD_AGENT_SKIP_ROLE_ASSIGNMENTS=true (via azd env set or OS env) to skip both pre-flight checks and post-deploy role assignments — useful for CI/CD where RBAC is pre-configured
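The pre-flight checks, per-agent identity naming and skip flag described above, as an added Go example that is not the extension's own code: it assumes the developer's role assignments have already been fetched into a simple slice (the real extension queries Azure), uses placeholder error codes rather than the ones in exterrors/codes.go, and constructs its sample environment, scopes and assignments inline. It also treats an assignment on a parent scope (resource group or subscription) as satisfying the check, which is how Azure RBAC inheritance works.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Roles accepted by the two pre-flight checks; the role names are those listed in the PR.
var (
	FoundryProjectRoles = []string{"Owner", "Contributor", "Azure AI Developer", "Azure AI User"}
	ACRPushRoles        = []string{"Owner", "Contributor", "AcrPush",
		"Container Registry Tasks Contributor", "Container Registry Repository Contributor"}
)

// RoleAssignment is an assumed, simplified view of an Azure role assignment.
type RoleAssignment struct {
	PrincipalID string
	RoleName    string
	Scope       string // ARM resource ID the assignment was made on
}

// PreflightError is the structured failure a check returns. The Code values used
// below are placeholders, not the extension's real exterrors codes.
type PreflightError struct {
	Code        string
	Message     string
	Remediation string // az role assignment create command the developer can run
}

func (e *PreflightError) Error() string { return e.Code + ": " + e.Message }

// SkipRoleAssignments reports whether AZD_AGENT_SKIP_ROLE_ASSIGNMENTS=true opts out of
// both the pre-flight checks and the post-deploy role assignments.
func SkipRoleAssignments(env map[string]string) bool {
	return strings.EqualFold(strings.TrimSpace(env["AZD_AGENT_SKIP_ROLE_ASSIGNMENTS"]), "true")
}

// AgentIdentityName builds {account}-{project}-{agentName}-AgentIdentity.
func AgentIdentityName(account, project, agentName string) string {
	return fmt.Sprintf("%s-%s-%s-AgentIdentity", account, project, agentName)
}

// AgentNamesFromEnv collects the names published as AGENT_{SERVICE_KEY}_NAME variables,
// sorted so the post-deploy loop is deterministic.
func AgentNamesFromEnv(env map[string]string) []string {
	var names []string
	for k, v := range env {
		if strings.HasPrefix(k, "AGENT_") && strings.HasSuffix(k, "_NAME") && len(k) > len("AGENT__NAME") && v != "" {
			names = append(names, v)
		}
	}
	sort.Strings(names)
	return names
}

// HasAnyRole reports whether principalID holds one of the accepted roles on scope.
// Assignments on a parent scope count too; scopes are compared case-insensitively.
func HasAnyRole(assignments []RoleAssignment, principalID, scope string, accepted []string) bool {
	scope = strings.ToLower(scope)
	for _, a := range assignments {
		if a.PrincipalID != principalID {
			continue
		}
		as := strings.ToLower(a.Scope)
		if scope != as && !strings.HasPrefix(scope, as+"/") {
			continue
		}
		for _, r := range accepted {
			if strings.EqualFold(a.RoleName, r) {
				return true
			}
		}
	}
	return false
}

func remediation(principalID, role, scope string) string {
	return fmt.Sprintf(`az role assignment create --assignee %s --role "%s" --scope %s`, principalID, role, scope)
}

// CheckDeveloperRBAC runs the Foundry Project and ACR checks for the developer principal
// and returns nil when deployment may proceed.
func CheckDeveloperRBAC(env map[string]string, assignments []RoleAssignment,
	principalID, projectScope, acrScope string) error {
	if SkipRoleAssignments(env) {
		return nil // CI/CD with RBAC configured out of band
	}
	if !HasAnyRole(assignments, principalID, projectScope, FoundryProjectRoles) {
		return &PreflightError{Code: "PLACEHOLDER_PROJECT_RBAC_MISSING",
			Message:     "developer lacks Azure AI User on the Foundry Project",
			Remediation: remediation(principalID, "Azure AI User", projectScope)}
	}
	if !HasAnyRole(assignments, principalID, acrScope, ACRPushRoles) {
		return &PreflightError{Code: "PLACEHOLDER_ACR_PUSH_MISSING",
			Message:     "developer lacks push access on the Container Registry",
			Remediation: remediation(principalID, "AcrPush", acrScope)}
	}
	return nil
}

func main() {
	// Constructed sample data, not values from the PR.
	env := map[string]string{"AGENT_API_NAME": "orders-agent", "AGENT_WEB_NAME": "ui-agent"}
	project := "/subscriptions/sub/resourceGroups/rg/providers/Microsoft.CognitiveServices/accounts/acct/projects/proj"
	acr := "/subscriptions/sub/resourceGroups/rg/providers/Microsoft.ContainerRegistry/registries/reg"
	assignments := []RoleAssignment{{"dev-object-id", "Azure AI User", project}}
	if err := CheckDeveloperRBAC(env, assignments, "dev-object-id", project, acr); err != nil {
		fmt.Println(err, "\n  fix:", err.(*PreflightError).Remediation)
	}
	for _, name := range AgentNamesFromEnv(env) {
		fmt.Println("identity:", AgentIdentityName("acct", "proj", name))
	}
}
```

Running it shows the ACR check failing with a ready-to-run remediation command (the project check passes), then the two per-agent identity names that postdeploy would look up. The deliberate design point is that the skip flag short-circuits before any check runs, so a CI pipeline that sets it must have granted the roles itself.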

Contributor

Copilot AI left a comment

Pull request overview

Updates the azure.ai.agents extension’s RBAC handling to use per-agent identities (instead of a shared project identity) and adds a pre-deploy developer permission check for hosted agent deployments, with an opt-out flag for CI/CD scenarios.

Changes:

  • Adds a developer RBAC pre-flight check to validate Foundry Project and ACR permissions before deploying hosted agents.
  • Switches post-deploy RBAC assignment from a single shared identity to per-agent identities, scoped to the Foundry Project.
  • Introduces AZD_AGENT_SKIP_ROLE_ASSIGNMENTS to skip both the pre-flight checks and post-deploy role assignments.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 6 comments.

Summary per file:

  • cli/azd/extensions/azure.ai.agents/internal/project/developer_rbac_check.go: Implements developer RBAC pre-flight checks for Foundry Project + ACR permissions.
  • cli/azd/extensions/azure.ai.agents/internal/project/developer_rbac_check_test.go: Adds unit tests around role constants/lists and ACR login server normalization behavior.
  • cli/azd/extensions/azure.ai.agents/internal/project/agent_identity_rbac.go: Updates RBAC assignment to per-agent identities and adds the skip mechanism.
  • cli/azd/extensions/azure.ai.agents/internal/project/agent_identity_rbac_test.go: Updates tests for per-agent identity naming, project scope parsing, and skip flag parsing.
  • cli/azd/extensions/azure.ai.agents/internal/exterrors/codes.go: Adds new structured error codes for RBAC-related failures.
  • cli/azd/extensions/azure.ai.agents/internal/cmd/listen.go: Runs developer pre-flight checks in predeploy and performs per-agent RBAC setup in postdeploy.

@trangevi trangevi enabled auto-merge (squash) April 10, 2026 23:16
@trangevi trangevi merged commit 25bf4b6 into Azure:main Apr 10, 2026
19 checks passed

Linked issue (may be closed by this pull request): Update the RBAC roles and where they are assigned