Forge apps without sharing enabled should be included in Data Security Policy "Custom app controls" list


      Issue Summary

      Forge apps without sharing enabled are silently excluded from Data Security Policy "Custom app controls" list, with no documentation explaining the requirement.

      Steps to Reproduce

      Step 1: As an org admin, enable a Data Security Policy that blocks apps by default (using overrides + Custom app controls to allow specific apps per project/scope).

      Step 2: Develop a custom Forge app intended for internal use only on your own site, and install it directly via the Forge CLI per the guidance at https://developer.atlassian.com/platform/forge/distribute-your-apps/ (which states sharing is not required for self-install on your own site).

      Step 3: Navigate to the Data Security Policy in the admin UI and open the Custom app controls list to try to allow the new Forge app.

      Expected Results

      Any Forge app installed on the site (whether sharing is enabled or not) appears in the Custom app controls list so admins can manage it through the UI.

      OR, at minimum, the requirement that "sharing must be enabled for the Forge app to appear in Custom app controls" is clearly documented on:

      ▪  https://support.atlassian.com/security-and-access-policies/docs/app-access-rule-coverage-summary/
      ▪  https://developer.atlassian.com/platform/forge/distribute-your-apps/
      ▪  The Custom app controls UI itself (e.g. an inline note or empty-state hint)

      Actual Results

      • A newly installed Forge app does not appear in the Custom app controls list at all, so there is no way via the UI to allow it under a Data Security Policy that blocks apps by default.
      • The app only becomes visible in the Custom app controls list after sharing is enabled for the Forge app via the developer console.
      • The Forge distribution docs actively suggest sharing is unnecessary for single-site internal use ("If you want to use your Forge app on your own Atlassian site, you can install it directly using the Forge CLI without enabling sharing"), which directly contradicts what's needed for Data Security Policy management.
      • After allowing the app via the REST API, the policy works correctly, but the app still does not appear in the UI policy view, leaving admins uncertain whether subsequent UI edits to the policy will overwrite their API-applied configuration.

      Workaround

      Enable sharing for the Forge app in the developer console (even when the app is only intended for internal use on a single site and there is no intention to list or distribute it).

      Once sharing is enabled, the app immediately appears in the Data Security Policy Custom app controls list and can be managed via the UI like any other app.

              Assignee:
              Unassigned
              Reporter:
              Tyler B [Atlassian]
              Votes:
              0
              Watchers:
              2
