Skip to content

[Due for payment 2026-05-29] Prevent agent owners from removing their own copilot access #90251

Description

@puneetlath

Part of the Custom workflow agents project

Main issue: https://github.com/Expensify/Expensify/issues/614622
Doc section: https://expensify.enterprise.slack.com/docs/T03SC9DTT/F0AKV1FPD41?focus_section_id=temp:C:PDZ17b0eea43a604c59bbeb6e9f4

Feature Description

When the owner co-pilots into an agent account, the Security page lists their own delegate row with a three-dot menu containing Remove. Removing themselves would orphan the agent. Hide that menu for this specific row.

In src/pages/settings/Security/SecuritySettingsPage.tsx, when isAgentAccount && delegate.email === ownerEmail, omit the three-dot popover trigger entirely from the delegate row. All other delegate rows behave as today.

The owner's accountID for the comparison comes from the agent's private_agentOwnerID NVP (already loaded for agent-account flows).

Manual Test Steps

  1. As an agent owner, copilot into the agent account.
  2. Go to Account > Security.
  3. Verify your own delegate row has no three-dot menu (so you cannot remove yourself).
  4. Add another copilot to the agent account (accountB)
  5. Verify the accountB row still shows the three-dot menu with Remove.
  6. Return to your owner account; verify the Security page on a regular (non-agent) account is unchanged.
  7. Sign into accountB
  8. Copilot into the agent account
  9. Verify you are not able to remove the owner as a copilot
  10. Verify you are able to remove yourself as a copilot

Automated Tests

  • A test that asserts the three-dot menu is not rendered for the owner's row when on an agent account, and is rendered otherwise.
Issue OwnerCurrent Issue Owner: @ShridharGoel

Metadata

Metadata

Labels

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions