Bug: Enabling Duo composite identity disables Automate tab for users and changes Duo Feature Flag values

Summary

When the "GitLab Duo Agent Platform composite identity" button is enabled in Admin Settings on a fresh GitLab instance, the duo_workflow and duo_workflow_in_ci feature flags are set to conditional state instead of on. This blocks DAP features (Automate tab, Issue-to-MR button) for all users except the Duo Developer service account.

Steps to reproduce

1. Create a fresh GitLab 18.5+ instance

2. Verify duo_workflow and duo_workflow_in_ci flags are in off state via Rails console:

   Feature.get(:duo_workflow)
   # => state=:off
   Feature.get(:duo_workflow_in_ci)
   # => state=:off

3. Navigate to Admin > GitLab Duo

4. Enable "GitLab Duo Agent Platform composite identity"

5. Check feature flag state via Rails console:

   Feature.get(:duo_workflow)
   # => state=:conditional, enabled_gate_names=[:actor]
   Feature.get(:duo_workflow_in_ci)
   # => state=:conditional, enabled_gate_names=[:actor]

6. Attempt to access Automate tab in a project

What is the current bug behavior?

• Automate tab is hidden
• Issue-to-MR button is not visible
• Feature flags are in conditional state with only Duo Developer user (ID 64) as actor
• DAP features are inaccessible to regular users

What is the expected correct behavior?

• Automate tab is visible and functional
• Issue-to-MR button is available
• Feature flag state does not change at all
• DAP feature accessibility to users is unaffected before/after the change

Root cause

The Ai::DuoWorkflows::OnboardingService calls Feature.enable(:duo_workflow, duo_workflow_service_account) which enables the feature flag conditionally for a specific actor (the Duo Developer user) rather than globally. This appears to affect Automate availability for other users.

File: ee/app/services/ai/duo_workflows/onboarding_service.rb

Workaround

Manually enable the feature flags via Rails console:

Feature.enable(:duo_workflow)
Feature.enable(:duo_workflow_in_ci)

Note: this workaround is unavailable for GitLab Dedicated

Impact

This affects:

• GitLab Dedicated / GitLab Dedicated for Government
• Any fresh installations where the Agent Platform is enabled
• Users cannot access some DAP features

Related

• RFH Issue: https://gitlab.com/gitlab-com/request-for-help/-/issues/3808