fix(devices): address cubic review on device-import display (#3308)

[tofikwest]

Addresses the cubic findings on the Production Deploy PR #3308 (all on the device-import display work from #3305).

Fixes

• P1 — API RBAC. api/people/agent-devices (and its twin api/people/fleet-hosts) only checked for an active session, so any authenticated member of an org could fetch all org device + integration data regardless of role. Both now use requireApiPermission(req, 'member', 'read') — the same contract as the People area (requireRoutePermission('people')).
• P2 — CSV consistency. The export marked Fleet devices as not_tracked/n/a because it used source === 'device_agent' directly. Switched to the shared isComplianceTracked() so the CSV matches the rest of the UI (only integration imports are untracked).
• P3 — DRY. Moved the duplicated device presentation helpers (PLATFORM_LABELS, CHECK_FIELDS, formatTimeAgo, isDeviceOnline, stale + not-tracked copy) into lib/device-source, and extracted a shared NotTrackedBadge — used by both the list (DeviceListCells) and details (DeviceDetails) views so copy/labels/thresholds can't drift.
• P3 — Source filter. The filter keyed options off the display label, so two providers sharing a name would merge. Now keyed by a stable sourceKey (device_agent / fleet / integration:<slug>), label shown separately.

Notes

• fleet-hosts wasn't flagged (not in feat(devices): show integration-imported devices in People tab + Intune/JumpCloud device sync #3305's diff) but has the identical RBAC gap next to the fixed route, so it's guarded here too.
• Tests: devices suite + the agent-devices route test (81 total) pass; typecheck clean on all changed files.

🤖 Generated with Claude Code

---

Summary by cubic

Tightened API access and fixed device-import display issues. RBAC now matches People permissions, CSV tracking is consistent with the UI, and the source filter no longer merges providers.

• Bug Fixes

  • Enforce RBAC on agent-devices and fleet-hosts (member:read) instead of session-only access.
  • Use shared isComplianceTracked in CSV so only integration imports are "not_tracked"/"n/a"; Fleet now exports real checks.
  • Key the source filter by a stable source id (e.g., integration:kandji) to prevent merging providers with the same display name.

• Refactors

  • Centralized device presentation helpers and copy in lib/device-source and added a shared NotTrackedBadge used by list and details.

^{Written for commit 9056d1b. Summary will update on new commits.}

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
app	Ready	Preview, Comment	Jun 30, 2026 8:38pm
comp-framework-editor	Ready	Preview, Comment	Jun 30, 2026 8:38pm

1 Skipped Deployment

Project	Deployment	Actions	Updated (UTC)
portal	Skipped		Jun 30, 2026 8:38pm

[cubic-dev-ai]

No issues found across 9 files

Confidence score: 5/5

• Automated review surfaced no issues in the provided summaries.
• No files require special attention.

_{Re-trigger cubic}

[claudfuen]

🎉 This PR is included in version 3.94.0 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀