Duo sidebar absent for user with Agentic Chat access but without Classic Chat access
Summary
When the Governance feature is used to grant a user access to Duo Agentic Chat while blocking access to Duo Classic Chat, the chat UI is completely hidden/disabled, preventing the user from accessing Duo Agentic Chat.
Steps to reproduce
- Create a user that is part of a group with access to Duo Agentic Platform
- Ensure the user is NOT part of a group with access to Duo Classic Chat
- Configure feature access controls so that:
  - User has access to "Duo Agentic Platform"
  - User does NOT have access to "Duo Classic Chat"
- The Duo sidebar will disappear, preventing entry to Duo Chat.
Example Project
Testing was performed locally using:
- Root group: "GitLab Duo"
- Subgroup: "Duo Users" (controls Classic Chat access)
- Subgroup: "Duo Agentic Users" (controls Agentic Platform access)
- Test user was member of "Duo Agentic Users" but not "Duo Users"
What is the current bug behavior?
When a user has access to Duo Agentic Chat but not Duo Classic Chat:
- The Duo sidebar is not shown
- The user cannot access Duo Agentic Chat despite having proper permissions
This affects both the web interface and IDE (VS Code) extension.
What is the expected correct behavior?
The chat UI should be visible if the user has access to EITHER Duo Classic Chat OR Duo Agentic Chat.
Specifically:
- If user has access to Agentic Chat but not Classic Chat: Show chat UI with only Agentic Chat option
- If user has access to Classic Chat but not Agentic Chat: Show chat UI with only Classic Chat option
- If user has access to both: Show both options
- Only hide chat UI completely if user has access to neither
Relevant logs and/or screenshots
Output of checks
This bug happens on GitLab.com
Results of GitLab environment info
Testing was performed on GDK (GitLab Development Kit) running master branch
Possible fixes
The issue appears to be in the visibility check for the chat UI. Currently, it only checks if the user has access to Classic Chat, but it should use an OR condition to also check for Agentic Chat access.
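The following Ruby sketch is an added example, not GitLab's code: it models the reported check and the proposed OR check over every group-membership combination, and shows that each chat option stays gated on its own feature, so widening the visibility check does not widen access. All method names and the feature-to-group mapping are hypothetical; the group names are taken from the local test setup described above.

```ruby
# Added illustration; not GitLab's implementation. All names are hypothetical.

# Constructed mapping mirroring the issue's local test setup:
# which subgroup grants which Duo feature.
FEATURE_GROUPS = {
  classic_chat: "Duo Users",
  agentic_chat: "Duo Agentic Users"
}.freeze

# Features a user may use, derived from group membership.
def allowed_features(memberships)
  FEATURE_GROUPS.select { |_feature, group| memberships.include?(group) }.keys
end

# Behaviour reported in the issue: visibility keyed on Classic Chat alone.
def sidebar_visible_reported?(memberships)
  allowed_features(memberships).include?(:classic_chat)
end

# Expected behaviour: visible when either feature is allowed.
def sidebar_visible_expected?(memberships)
  allowed_features(memberships).any?
end

# Options offered inside the sidebar. Each option is gated on its own
# feature, so the OR in the visibility check never exposes Classic Chat
# to an Agentic-only user (or the reverse).
def chat_options(memberships)
  sidebar_visible_expected?(memberships) ? allowed_features(memberships) : []
end

# Evaluate both checks for every membership combination.
def visibility_matrix
  groups = FEATURE_GROUPS.values
  combos = (0..groups.size).flat_map { |n| groups.combination(n).to_a }
  combos.map do |m|
    { memberships: m, reported: sidebar_visible_reported?(m),
      expected: sidebar_visible_expected?(m), options: chat_options(m) }
  end
end

# Rows where the reported check and the expected check disagree.
def regressions
  visibility_matrix.select { |row| row[:reported] != row[:expected] }
end

visibility_matrix.each { |row| puts row.inspect } if __FILE__ == $PROGRAM_NAME
```

The same four-row matrix can serve as a regression spec for both the web interface and the IDE extension, since the issue reports the bug in both.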
Patch release information for backports
It is suggested to put this in the 18.8.4 patch release
Priority: High - This is confusing for users and prevents legitimate access to Duo Agentic Chat functionality when configured with granular access controls.