From the WIP brief:

We propose adding a preflight check to OLMv1 that verifies whether the provided ServiceAccount for a ClusterExtension has all required permissions for managing extension content. If permissions are missing, the preflight check will output a clear and actionable list of deficiencies, reducing installation failures and allowing users to resolve issues proactively
See https://docs.google.com/document/d/1W7ThVE7yAd43IW1KETAB9x8pQqIRu7Dqs7jZi5QjQaM for in-depth summary

We've identified the following separable tasks:

Feature Gate Implementation
• implement feature-gate, setup conditional we can use everywhere

Preflight Framework Updates
• make a space for this preflight to be called and make sure it shares calling pattern with the existing CRDUpgradeSafety preflight

Helm Dry-Run Handling
• fast fail Get check for helm dry run ability to run
• process Helm dry-run results, probably just get as []error

Permission Verification
• do the doc Step 1 permission verification as well as escalate/bind checking

Permissions and Validation Checks
• SelfSubjectRulesReview runner

Testing
• unit test suites for each of the above
• two (2) new e2e for this work: happy path and common failure path