Add include_all label scope UI to policies and reports (#41565)

[juan-fdz-hawa]

Related issue: Resolves #41565

Surfaces the new include_all label scope on the policy and report (query) edit forms via a "Custom" target dropdown.

Checklist for submitter

If some of the following don't apply, delete the relevant line.

• Changes file added for user-visible changes in changes/, orbit/changes/ or ee/fleetd-chrome/changes.
  See Changes files for more information.

Testing

• QA'd all new/changed functionality manually

Summary by CodeRabbit

• New Features

  • Added a premium-gated "Include all" label scope to Policy and Report custom-target dropdowns.
  • Targeting UI now supports three label scopes: have any, have all (premium), and exclude any; save flows include scope fields only for premium tiers.
  • Policy and query edit/live pages persist and display "Include all" selections when present.

• Tests

  • Updated tests to cover the new "Include all" scope, save payloads, and clear-label behavior.

[claude]

Claude Code Review

This repository is configured for manual code reviews. Comment @claude review to trigger a review and subscribe this PR to future pushes, or @claude review once for a one-time review.

_{Tip: disable this comment in your organization's Code Review settings.}

[codecov]

Codecov Report

❌ Patch coverage is 82.65306% with 17 lines in your changes missing coverage. Please review.
✅ Project coverage is 66.79%. Comparing base (56a8bc0) to head (f601b88).
⚠️ Report is 6 commits behind head on main.

Files with missing lines	Patch %	Lines
...policies/edit/components/PolicyForm/PolicyForm.tsx	67.85%	9 Missing ⚠️
frontend/context/policy.tsx	28.57%	4 Missing and 1 partial ⚠️
...es/edit/components/EditQueryForm/EditQueryForm.tsx	90.00%	2 Missing ⚠️
...components/SaveNewQueryModal/SaveNewQueryModal.tsx	93.33%	1 Missing ⚠️

Additional details and impacted files

@@           Coverage Diff           @@
##             main   #44503   +/-   ##
=======================================
  Coverage   66.79%   66.79%           
=======================================
  Files        2637     2637           
  Lines      212132   212183   +51     
  Branches     9555     9565   +10     
=======================================
+ Hits       141688   141726   +38     
- Misses      57578    57591   +13     
  Partials    12866    12866           

Flag	Coverage Δ
frontend	54.81% <82.65%> (+0.03%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

Adds a premium-gated “Include all” label-scope across policy and query UIs and persists it end-to-end. Introduces lastEditedQueryLabelsIncludeAll state and setter in PolicyContext, extends interfaces (IPolicy, IPolicyFormData, ISchedulableQuery, ICreateQueryRequestBody) to include labels_include_all, updates policy and query pages/forms to choose a single active label scope (include-any / include-all / exclude-any), render that scope, and include only the active scope in premium save payloads; helper modules now generate custom target options conditionally based on premium tier.

Possibly related PRs

• Add include_all label scope to policies and reports #44305: Implements the same labels_include_all backend API, datastore, and schema support that pairs with these frontend additions.
• UI: Remove experimental conditional_access_bypass_enabled policy setting in favor of critical #40924: Modifies the same frontend/services/entities/team_policies.ts create/update payload wiring, aligning service-layer handling of label-scope fields.
• Fleet UI: Update label target copies #43763: Changes the UI custom-target dropdown options and help text, overlapping with the frontend target-option and help-text updates in this change.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the main change: adding UI controls for an 'include_all' label scope to policies and reports via a dropdown interface.
Description check	✅ Passed	The description matches the template structure with a related issue reference and completed checklist items. While some optional checklist sections are omitted, the critical items (changes file and manual QA) are marked as complete.
Linked Issues check	✅ Passed	The PR addresses all three coding requirements from issue #41565: adds 'Include all' to policy form dropdown, adds dropdown to query form, and implements GitOps mode disabling.
Out of Scope Changes check	✅ Passed	All changes are directly scoped to implementing the label scope UI feature. No unrelated modifications to business logic, unrelated components, or extraneous functionality are present.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch 41565-policyreport-labels-frontend

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@changes/41565-policy-report-new-scopes-frontend`:
- Around line 1-2: Update the two release-note bullets to correct grammar and
clarity: change the first bullet from "Added a \"Custom\" target dropdown
reports, with a \"Include all\" option for premium users." to "Added a
\"Custom\" target dropdown to reports, with an \"Include all\" option for
premium users." and change the second bullet so it uses "an" correctly (e.g.,
"Added \"Include all\" to the \"Custom\" target dropdown on Policies for premium
users only.")—locate the exact strings "Added a \"Custom\" target dropdown
reports, with a \"Include all\" option for premium users." and "Added \"Include
All\" to \"Custom\" target dropdown on Policies for premium users only." and
replace them with the improved wording.

In `@frontend/pages/policies/details/PolicyDetailsPage/PolicyDetailsPage.tsx`:
- Around line 135-137: The policy details page is storing labels_include_all
(setLastEditedQueryLabelsIncludeAll) but the UI still only renders
labels_include_any / labels_exclude_any; update the PolicyDetailsPage render
logic to read and display the labels_include_all state (e.g.,
lastEditedQuery.labels_include_all or the state variable
setLastEditedQueryLabelsIncludeAll) alongside the other label scopes so policies
using include-all show correct targeting info—add a UI entry for the include-all
scope in the labels section where labels_include_any / labels_exclude_any are
rendered.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 52a841a2-dcbf-40cb-a47d-50ec28827868

📥 Commits

Reviewing files that changed from the base of the PR and between e477605 and 3e6a8d5.

📒 Files selected for processing (15)

• changes/41565-policy-report-new-scopes-frontend
• frontend/context/policy.tsx
• frontend/interfaces/policy.ts
• frontend/interfaces/schedulable_query.ts
• frontend/pages/policies/details/PolicyDetailsPage/PolicyDetailsPage.tsx
• frontend/pages/policies/edit/EditPolicyPage.tsx
• frontend/pages/policies/edit/components/PolicyForm/PolicyForm.tests.tsx
• frontend/pages/policies/edit/components/PolicyForm/PolicyForm.tsx
• frontend/pages/policies/edit/components/SaveNewPolicyModal/SaveNewPolicyModal.tsx
• frontend/pages/policies/helpers.tsx
• frontend/pages/policies/live/LivePolicyPage/LivePolicyPage.tsx
• frontend/pages/queries/edit/components/EditQueryForm/EditQueryForm.tsx
• frontend/pages/queries/edit/components/SaveNewQueryModal/SaveNewQueryModal.tsx
• frontend/pages/queries/helpers.tsx
• frontend/services/entities/team_policies.ts

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

frontend/pages/policies/edit/components/SaveNewPolicyModal/SaveNewPolicyModal.tsx (1)

283-296: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Disable the modal target selector in GitOps mode.

disableOptions only tracks the autofill loading state here, so this new label-scope control stays interactive in the save modal while GitOps mode is on. The edit form already disables the same selector via gitOpsModeEnabled; please thread that flag into this modal and include it in the disable condition too.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@frontend/pages/policies/edit/components/SaveNewPolicyModal/SaveNewPolicyModal.tsx`
around lines 283 - 296, The TargetLabelSelector in SaveNewPolicyModal remains
interactive in GitOps mode because disableOptions only reflects autofill
loading; thread the existing gitOpsModeEnabled flag into this modal
(SaveNewPolicyModal) and update the TargetLabelSelector disable condition to
include it (i.e. pass disableOptions={disableOptions || gitOpsModeEnabled} or
equivalent). Locate the TargetLabelSelector usage in SaveNewPolicyModal and add
the gitOpsModeEnabled prop usage so the selector is disabled when
gitOpsModeEnabled is true.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Outside diff comments:
In
`@frontend/pages/policies/edit/components/SaveNewPolicyModal/SaveNewPolicyModal.tsx`:
- Around line 283-296: The TargetLabelSelector in SaveNewPolicyModal remains
interactive in GitOps mode because disableOptions only reflects autofill
loading; thread the existing gitOpsModeEnabled flag into this modal
(SaveNewPolicyModal) and update the TargetLabelSelector disable condition to
include it (i.e. pass disableOptions={disableOptions || gitOpsModeEnabled} or
equivalent). Locate the TargetLabelSelector usage in SaveNewPolicyModal and add
the gitOpsModeEnabled prop usage so the selector is disabled when
gitOpsModeEnabled is true.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: ade471fd-fc04-493c-95bf-1d87207a3dbf

📥 Commits

Reviewing files that changed from the base of the PR and between 12a9f9e and a921a80.

📒 Files selected for processing (2)

• frontend/pages/policies/edit/components/PolicyForm/PolicyForm.tsx
• frontend/pages/policies/edit/components/SaveNewPolicyModal/SaveNewPolicyModal.tsx

[coderabbitai]

Actionable comments posted: 3

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

frontend/pages/queries/edit/components/SaveNewQueryModal/SaveNewQueryModal.tsx (1)

184-215: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Omit the inactive scope from the save payload.

labels_include_any and labels_include_all are both emitted here, with the inactive one set to []. That still serializes both scopes and can make the backend infer intent from empty arrays instead of a single active field.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@frontend/pages/queries/edit/components/SaveNewQueryModal/SaveNewQueryModal.tsx`
around lines 184 - 215, The payload currently always includes both
labels_include_any and labels_include_all (one as an empty array) from
SaveNewQueryModal.tsx, which can confuse the backend; update labelsForScope
(used to compute labelsIncludeAny/labelsIncludeAll) to return undefined for the
inactive scope (not []). Then change the saveQuery payload construction in the
SaveNewQueryModal component to only include labels_include_any or
labels_include_all when their computed value is defined (omit the inactive key
entirely) so the request contains only the active label scope.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@frontend/pages/policies/edit/components/PolicyForm/PolicyForm.tsx`:
- Around line 296-333: The effect in PolicyForm that sets
selectedTargetType/selectedCustomTarget/selectedLabels leaves
selectedCustomTarget unchanged when no label scope is active, causing the wrong
custom scope to persist; update the useEffect so that when no customTarget is
determined you explicitly clear selectedCustomTarget (e.g.,
setSelectedCustomTarget(undefined) or an empty string) and set selectedLabels to
an empty object, keeping the existing logic that sets activeLabels when a
customTarget exists; apply the same fix to the other matching effect that also
assigns selectedCustomTarget/selectedLabels.

In `@frontend/pages/queries/edit/components/EditQueryForm/EditQueryForm.tsx`:
- Around line 240-253: When building the payload passed to updateQueryData,
don't always serialize both labels_include_any and labels_include_all; instead
include only the active scope key. Use getLabelsForScope to compute the labels
for the active scope and conditionally attach either labels_include_any or
labels_include_all (based on the state that tracks the active scope, e.g.,
selected label-scope variable) to the object you pass into updateQueryData,
omitting the inactive key entirely.
- Around line 735-747: EditQueryForm renders TargetLabelSelector without passing
the disableOptions prop so scope controls remain editable in GitOps mode; update
the TargetLabelSelector invocation inside EditQueryForm to include
disableOptions={gitOpsModeEnabled} (same guard used by PolicyForm) so when
gitOpsModeEnabled is true the selector options are disabled and scope control is
locked down. Ensure you reference the existing selectedTargetType,
selectedCustomTarget, and other props remain unchanged and only add the
disableOptions prop to TargetLabelSelector.

---

Outside diff comments:
In
`@frontend/pages/queries/edit/components/SaveNewQueryModal/SaveNewQueryModal.tsx`:
- Around line 184-215: The payload currently always includes both
labels_include_any and labels_include_all (one as an empty array) from
SaveNewQueryModal.tsx, which can confuse the backend; update labelsForScope
(used to compute labelsIncludeAny/labelsIncludeAll) to return undefined for the
inactive scope (not []). Then change the saveQuery payload construction in the
SaveNewQueryModal component to only include labels_include_any or
labels_include_all when their computed value is defined (omit the inactive key
entirely) so the request contains only the active label scope.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: c537b205-c112-4a26-8a7f-51063cf4c886

📥 Commits

Reviewing files that changed from the base of the PR and between a921a80 and ef4fde8.

📒 Files selected for processing (15)

• changes/41565-policy-report-new-scopes-frontend
• frontend/context/policy.tsx
• frontend/interfaces/policy.ts
• frontend/interfaces/schedulable_query.ts
• frontend/pages/policies/details/PolicyDetailsPage/PolicyDetailsPage.tsx
• frontend/pages/policies/edit/EditPolicyPage.tsx
• frontend/pages/policies/edit/components/PolicyForm/PolicyForm.tests.tsx
• frontend/pages/policies/edit/components/PolicyForm/PolicyForm.tsx
• frontend/pages/policies/edit/components/SaveNewPolicyModal/SaveNewPolicyModal.tsx
• frontend/pages/policies/helpers.tsx
• frontend/pages/policies/live/LivePolicyPage/LivePolicyPage.tsx
• frontend/pages/queries/edit/components/EditQueryForm/EditQueryForm.tsx
• frontend/pages/queries/edit/components/SaveNewQueryModal/SaveNewQueryModal.tsx
• frontend/pages/queries/helpers.tsx
• frontend/services/entities/team_policies.ts

✅ Files skipped from review due to trivial changes (3)

• changes/41565-policy-report-new-scopes-frontend
• frontend/interfaces/policy.ts
• frontend/pages/queries/helpers.tsx

🚧 Files skipped from review as they are similar to previous changes (2)

• frontend/pages/policies/edit/components/SaveNewPolicyModal/SaveNewPolicyModal.tsx
• frontend/pages/policies/edit/components/PolicyForm/PolicyForm.tests.tsx

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@frontend/pages/policies/edit/EditPolicyPage.tsx`:
- Around line 174-176: The component hydrates labels_include_all into state via
setLastEditedQueryLabelsIncludeAll(returnedQuery.labels_include_all || []), but
the teardown only resets critical/platform state so the include-all draft can
leak into other editor flows; update the component cleanup (the unmount/effect
cleanup in EditPolicyPage) to also reset the include-all draft by calling
setLastEditedQueryLabelsIncludeAll([]) (or the appropriate PolicyContext reset
helper) so labels_include_all is cleared when the editor unmounts.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 67f372cf-7261-4a3a-9cd6-62543638910f

📥 Commits

Reviewing files that changed from the base of the PR and between ef4fde8 and 695cf83.

📒 Files selected for processing (15)

• changes/41565-policy-report-new-scopes-frontend
• frontend/context/policy.tsx
• frontend/interfaces/policy.ts
• frontend/interfaces/schedulable_query.ts
• frontend/pages/policies/details/PolicyDetailsPage/PolicyDetailsPage.tsx
• frontend/pages/policies/edit/EditPolicyPage.tsx
• frontend/pages/policies/edit/components/PolicyForm/PolicyForm.tests.tsx
• frontend/pages/policies/edit/components/PolicyForm/PolicyForm.tsx
• frontend/pages/policies/edit/components/SaveNewPolicyModal/SaveNewPolicyModal.tsx
• frontend/pages/policies/helpers.tsx
• frontend/pages/policies/live/LivePolicyPage/LivePolicyPage.tsx
• frontend/pages/queries/edit/components/EditQueryForm/EditQueryForm.tsx
• frontend/pages/queries/edit/components/SaveNewQueryModal/SaveNewQueryModal.tsx
• frontend/pages/queries/helpers.tsx
• frontend/services/entities/team_policies.ts

✅ Files skipped from review due to trivial changes (4)

• frontend/pages/policies/live/LivePolicyPage/LivePolicyPage.tsx
• changes/41565-policy-report-new-scopes-frontend
• frontend/interfaces/schedulable_query.ts
• frontend/interfaces/policy.ts

🚧 Files skipped from review as they are similar to previous changes (8)

• frontend/services/entities/team_policies.ts
• frontend/pages/policies/details/PolicyDetailsPage/PolicyDetailsPage.tsx
• frontend/pages/queries/helpers.tsx
• frontend/pages/queries/edit/components/SaveNewQueryModal/SaveNewQueryModal.tsx
• frontend/pages/policies/edit/components/SaveNewPolicyModal/SaveNewPolicyModal.tsx
• frontend/pages/policies/edit/components/PolicyForm/PolicyForm.tests.tsx
• frontend/pages/queries/edit/components/EditQueryForm/EditQueryForm.tsx
• frontend/pages/policies/edit/components/PolicyForm/PolicyForm.tsx

[nulmete]

Haven't tested locally but code LGTM 👍
I have a few non-blocking comments.

[nulmete]

Worth defining a common type for selectedCustomTarget and scope? I see that these can be one of these: "labelsIncludeAny", "labelsIncludeAll" or "labelsExcludeAny".

(Maybe we could reuse it in other places, not sure -- I see that we also declare these values when setting up the dropdown options in one of the helpers.tsx file above. If IDropdownOption accepted a generic we could get some stronger typing there instead of plain strings.)

[nulmete]

nit: related to my comment above, we could type this as useState here, where T would be the type I suggested introducing (omitting excludeAny, though).

[nulmete]

nit: do we need the string[] | undefined explicit return type? I think the type should be inferred by TS.

Suggested change

	const labelsForScope = (scope: string): string[] | undefined => {
	const labelsForScope = (scope: string) => {

[nulmete]

nit: is there any opportunity for reusability between this file and the one in the policies directory?

AFAICS, the only things that change are:

• The entity in the helpText ("Report" vs "Policy")
• The exported function (though in policies we export "getCustomTargetOptions" and here "getQueryCustomTargetOptions"). Should we keep the generic one and introduce a 2nd "entity" argument?