Gating external triggers execution based on Duo add-on

Jeff Parkrequested to merge
jpark/main/dap-external-trigger-execution into master

What does this MR do and why?

As part of the work to move Duo to usage billing, we want to gate Duo Chat external triggers with the new DAP monetization strategy.

This change implements the second part of scenario 3 in described here: https://gitlab.com/gitlab-org/gitlab/-/issues/581209#note_2911560535. This change is behind a WIP feature flag.

After this change, for both self managed and SaaS instances, when the feature flag is on, we will see the following behavior for each of the 4 external triggers on classic chat

Add-on tier Can View External Trigger UI? Can Execute External Trigger?
Core

  • explain_code
Pro

  • explain_code
Enterprise

  • explain_code
  • explain_vulnerability
  • troubleshoot_job_with_ai
  • summarize_comments

We want to ensure that the following Duo external triggers are only available for their respective add-on tiers. These permissions do not differ from what is currently offered for classic chat.

This change focuses on adding a different upsell message to be shown to customers if they do not have access to an external trigger for classic chat because of their add-on tier. If they are using agentic chat, they will have access and will be subject to usage based billing. This change also adds a check for duo core on self managed to properly show the UI for self managed customers.

References

https://gitlab.com/gitlab-org/gitlab/-/work_items/582068 https://gitlab.com/gitlab-org/gitlab/-/work_items/581209

Screenshots or screen recordings

Screenshot 2025-12-04 at 19.32.12.png

Screenshot 2025-12-05 at 13.04.02.png

How to set up and validate locally

  • check out this branch and turn on the dap_external_trigger_usage_billing flag
  • set export GITLAB_SIMULATE_SAAS=1 in <gdk-root>/env.runit file and do a gdk restart. You are now testing in SaaS mode.
    • to test a Duo Core account:
      • create a new account in gdk or use an existing account that does not have duo core/pro/ultimate
      • as an admin, add this user to your group
      • as an admin, turn duo on for your group in the group settings and configure to turn on features for Duo Core. Do not give this user an enterprise seat.
      • using the account with only Duo Core, try an external trigger like View Summary on an issue page or Explain Code on a code file in your repository.
      • Ensure you can see the UI to start the trigger
      • When you click this trigger, ensure that the Duo Chat window opens and you can see the error saying This feature is not available...
    • to test a Duo Enterprise account (root should do):
      • ensure that the root user has an enterprise seat in the GitLab Duo group settings.
      • view summary of the same issue
      • ensure you see a summary of the comments
  • set export GITLAB_SIMULATE_SAAS=0 in <gdk-root>/env.runit file and do a gdk restart. You are now testing in self-managed mode.
    • to test a Duo Core account:
      • turn duo on in the instance admin settings and configure to enable GitLab Duo Core available to all users. Do not give this user an enterprise seat.
      • test as above
    • to test a Duo Enterprise account
      • ensure that the root user has an enterprise seat in the GItLab Duo instance admin settings
      • testa s above.

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Jeff Park

Merge request reports