From d4a2210c78c71d44ea8ad659d28e7e3aa4b43b32 Mon Sep 17 00:00:00 2001
From: Chris Huber <chubes@extrachill.com>
Date: Sun, 29 Mar 2026 20:49:59 +0000
Subject: [PATCH] feat: add datamachine_can_access_agent filter to
 PermissionHelper

Allows plugins to grant or deny agent access based on custom logic
(e.g. team membership, organization roles, subscription status).

Filter receives: $can_access, $agent_id, $user_id, $minimum_role.
Return true to grant access, false to deny.
---
 inc/Abilities/PermissionHelper.php | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/inc/Abilities/PermissionHelper.php b/inc/Abilities/PermissionHelper.php
index cd0cfe2d..f60dce47 100644
--- a/inc/Abilities/PermissionHelper.php
+++ b/inc/Abilities/PermissionHelper.php
@@ -460,7 +460,23 @@ public static function can_access_agent( int $agent_id, string $minimum_role = '
 
 		// Check explicit access grants.
 		$access_repo = new \DataMachine\Core\Database\Agents\AgentAccess();
-		return $access_repo->user_can_access( $agent_id, $user_id, $minimum_role );
+		$can_access  = $access_repo->user_can_access( $agent_id, $user_id, $minimum_role );
+
+		/**
+		 * Filter whether a user can access an agent.
+		 *
+		 * Allows plugins to grant or deny agent access based on custom logic
+		 * (e.g. team membership, organization roles, subscription status).
+		 * Returning true from this filter overrides the default access check.
+		 *
+		 * @since 0.62.0
+		 *
+		 * @param bool   $can_access   Whether the user can access the agent.
+		 * @param int    $agent_id     Agent ID.
+		 * @param int    $user_id      User ID.
+		 * @param string $minimum_role Minimum role required.
+		 */
+		return apply_filters( 'datamachine_can_access_agent', $can_access, $agent_id, $user_id, $minimum_role );
 	}
 
 	/**