Allow custom agents and flows to be used as automatic MR reviewers instead of foundational agents

Problem to Solve

Currently, teams can only use GitLab's foundational code review agent (or MR review instructions) as the automatic reviewer for merge requests. Organizations need the ability to replace the foundational MR review agent with their own custom agents and flows that are tailored to their specific review requirements and standards.

This creates a significant gap for organizations that want to:

  • Use their own specialized review agents instead of the foundational agent
  • Implement custom review logic that matches their development practices
  • Leverage domain-specific agents (security-focused, performance-focused, standards-focused, etc.)
  • Compose multiple custom agents into a single review flow
  • Run multiple agents in parallel for comprehensive, multi-perspective reviews
  • Maintain consistency with their existing custom agent ecosystem

Intended Users

  • Development teams wanting to use custom agents for MR review instead of foundational agents
  • Security teams needing specialized vulnerability assessment agents for code review
  • Platform teams building standardized review workflows for their organization
  • Enterprise customers with specific compliance and quality requirements
  • Organizations that have already invested in custom agents and want to use them for MR review

User Experience Goal

Teams should be able to:

  1. Create custom agents with specialized review capabilities
  2. Compose these agents into custom flows for MR review
  3. Configure a custom agent or flow as the automatic reviewer for a project or group
  4. Have the custom agent/flow execute automatically on MR creation/update (just like the foundational agent does today)
  5. See results from their custom agent/flow in the MR interface
  6. Optionally run multiple custom agents in parallel for comprehensive reviews

Proposal

Core Capability

Enable custom agents and flows to be configured as the automatic MR reviewer at the project or group level, replacing or supplementing the foundational code review agent.

Configuration

Teams should be able to:

  • Select a custom agent or flow as the automatic reviewer in project/group settings
  • Configure trigger conditions (auto-review on MR creation, on updates, etc.)
  • Choose execution model:
    • Single custom agent (replaces foundational agent)
    • Multiple custom agents in parallel (comprehensive review)
    • Combination of foundational + custom agents
  • Set review scope (which files, which types of changes, etc.)

Example Scenarios

Scenario 1: Replace Foundational Agent

Project Settings → Automatic MR Review
  Current: GitLab Foundational Code Review Agent
  Desired: Custom "Security-First Code Review" Agent
  
Result: When MR is created, custom agent reviews instead of foundational agent

Scenario 2: Multiple Custom Agents in Parallel

Project Settings → Automatic MR Review
  Agents:
    - Custom "Security Vulnerability Scanner" (parallel)
    - Custom "Code Quality Enforcer" (parallel)
    - Custom "Performance Analyzer" (parallel)
  
Result: All three agents review simultaneously, results appear in MR

Scenario 3: Foundational + Custom Agents

Project Settings → Automatic MR Review
  Agents:
    - GitLab Foundational Code Review (general quality)
    - Custom "Security Vulnerability Scanner" (parallel)
  
Result: Both agents review, providing comprehensive feedback

Benefits

  1. Flexibility: Organizations can use agents that match their specific needs
  2. Customization: Teams can implement review logic tailored to their practices
  3. Specialization: Support for domain-specific agents (security, performance, compliance)
  4. Consistency: Custom agents enforce organizational standards consistently
  5. Reusability: Custom agents created for other purposes can be leveraged for MR review
  6. Control: Teams choose which agents review their code
  7. Parallel Efficiency: Multiple agents can review simultaneously for comprehensive feedback

Permissions and Security

  • Custom agents should respect existing GitLab permissions (developers can only configure agents they have access to)
  • Agents should only have access to data they're explicitly granted (code, issues, MRs within their scope)
  • Execution should be audited and tracked like other AI operations
  • Organizations should be able to control which custom agents are allowed to run as MR reviewers
  • Agents should not be able to modify code unless explicitly configured to do so

Implementation Considerations

  1. Triggering: Custom agents should be triggered the same way as foundational agents (auto-review on MR events)
  2. Results Display: Custom agent results should appear in the MR interface alongside or instead of foundational agent results
  3. Configuration: Should be configurable at project and/or group level
  4. Backwards Compatibility: Existing foundational agent configurations should continue to work
  5. Parallel Execution: Support for running multiple agents simultaneously
  6. Error Handling: Graceful handling of agent failures without blocking MR workflow
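
The permission requirements and the parallel-execution and error-handling considerations above can be sketched together. This is an added example, not GitLab code: the Reviewer model, the authorize and review functions, the policy sets and the sample agents are all hypothetical and constructed for illustration.

```python
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass
from typing import Callable

@dataclass(frozen=True)
class Reviewer:                       # hypothetical model of a configured agent
    name: str
    run: Callable[[str], str]         # receives the MR diff, returns feedback
    wants_write: bool = False         # asks to push commits, not only comment

def authorize(reviewers, org_allowlist, user_agents, write_enabled, audit):
    """Drop reviewers that fail the organization, user or write-access checks."""
    permitted = []
    for r in reviewers:
        if r.name not in org_allowlist:
            audit.append((r.name, "denied", "not on organization allowlist"))
        elif r.name not in user_agents:
            audit.append((r.name, "denied", "configuring user lacks access"))
        elif r.wants_write and r.name not in write_enabled:
            audit.append((r.name, "denied", "write access not explicitly enabled"))
        else:
            permitted.append(r)
    return permitted

def review(diff, reviewers, org_allowlist, user_agents, write_enabled=frozenset()):
    """Run permitted reviewers in parallel; a failing agent never blocks the MR."""
    audit, results = [], {}
    permitted = authorize(reviewers, org_allowlist, user_agents, write_enabled, audit)
    if not permitted:
        return results, audit
    with ThreadPoolExecutor(max_workers=len(permitted)) as pool:
        futures = {r.name: pool.submit(r.run, diff) for r in permitted}
    for name, fut in futures.items():
        try:
            results[name] = fut.result()
            audit.append((name, "completed", ""))
        except Exception as exc:      # isolate the failure, keep other results
            audit.append((name, "failed", type(exc).__name__))
    return results, audit

def _failing(diff):                   # constructed agent that always errors
    raise TimeoutError("model backend unavailable")

# Constructed sample agents, for illustration only.
AGENTS = [
    Reviewer("security-scanner", lambda d: "flag: eval()" if "eval(" in d else "ok"),
    Reviewer("quality-enforcer", _failing),
    Reviewer("unvetted-agent", lambda d: "looks good"),
    Reviewer("auto-fixer", lambda d: "patched", wants_write=True),
]
```

Every decision, including denials and failures, lands in the audit list, so a reviewer that was skipped is as visible as one that ran.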

Documentation

Documentation should cover:

  • How to configure a custom agent as the automatic MR reviewer
  • How to compose multiple agents into a review flow
  • Configuration options for parallel execution
  • Integration with existing MR review workflows
  • Best practices for custom review agents
  • Examples of common custom agents (security, quality, performance)
  • Troubleshooting and monitoring custom agent execution

Testing

  • Unit tests for custom agent execution in MR context
  • Integration tests for parallel agent execution
  • End-to-end tests for complete review workflows
  • Performance tests to ensure custom agents don't degrade MR experience
  • Security tests to verify proper permission enforcement
  • Backwards compatibility tests with existing foundational agent configurations

Availability

  • GitLab.com (SaaS)
  • Self-Managed
  • Dedicated

Related Issues

  • #579957 - Create "Database reviewer Agent" (similar concept for specialized agents)
  • #538421 - Duo Agents Platform GA Scoping Issue (foundational DAP architecture)
  • #581914 - Support config-based default questions for agents
  • #582132 - Build agent-referenced workflows efficiently
  • #577946 - Implement approval rules for agent and flow modifications
  • #583831 (closed) - MCP Client GA (enables custom agents to access external systems)

Open Questions

  1. Should custom agents be able to modify code (push commits) or only provide feedback?
  2. How should we handle conflicts or contradictory feedback from multiple agents?
  3. Should there be a way to weight or prioritize certain agents' feedback?
  4. How should we handle agent failures in a parallel execution model?
  5. Should custom agents be able to trigger other agents or flows?
  6. Should this be configurable at the project level, group level, or both?
  7. Should there be a way to gradually roll out a custom agent (e.g., run in parallel with foundational agent first)?