Bug: Enabling Duo Agent Platform sets feature flags to conditional state, blocking user access

Summary

When the "GitLab Duo Agent Platform composite identity" button is enabled in Admin Settings on a fresh GitLab instance, the duo_workflow and duo_workflow_in_ci feature flags are set to conditional state instead of on. This blocks DAP features (Automate tab, Issue-to-MR button) for all users except the Duo Developer service account.

Steps to reproduce

1. Create a fresh GitLab 18.5+ instance
2. Verify duo_workflow and duo_workflow_in_ci flags are in off state via Rails console:

   Feature.get(:duo_workflow)
   # => state=:off
   Feature.get(:duo_workflow_in_ci)
   # => state=:off

3. Navigate to Admin > GitLab Duo
4. Enable "GitLab Duo Agent Platform composite identity"
5. Check feature flag state via Rails console:

   Feature.get(:duo_workflow)
   # => state=:conditional, enabled_gate_names=[:actor]
   Feature.get(:duo_workflow_in_ci)
   # => state=:conditional, enabled_gate_names=[:actor]

6. Attempt to access Automate tab in a project

What is the current bug behavior?

• Automate tab is hidden
• Issue-to-MR button is not visible
• Feature flags are in conditional state with only Duo Developer user (ID 64) as actor
• DAP features are inaccessible to regular users

What is the expected correct behavior?

• Automate tab is visible and functional
• Issue-to-MR button is available
• Feature flag state does not change at all
• DAP feature accessibility to users is unaffected before/after the change

Root cause

The Ai::DuoWorkflows::OnboardingService calls Feature.enable(:duo_workflow, duo_workflow_service_account) which enables the feature flag conditionally for a specific actor (the Duo Developer user) rather than globally. This appears to affect Automate availability for other users.

File: ee/app/services/ai/duo_workflows/onboarding_service.rb

Workaround

Manually enable the feature flags via Rails console:

Feature.enable(:duo_workflow)
Feature.enable(:duo_workflow_in_ci)

Note: this workaround is unavailable for GitLab Dedicated

Impact

This affects:

• GitLab Dedicated / GitLab Dedicated for Government
• Any fresh installations where the Agent Platform is enabled
• Users cannot access some DAP features

Related

• RFH Issue: https://gitlab.com/gitlab-com/request-for-help/-/issues/3808