Add AI audit events ingestion API for Duo Workflows

What does this MR do and why?

Adds POST /api/v4/ai/duo_workflows/workflows/:id/audit_events, the API DWS uses to send us AI audit events. Up to 500 CloudEvents per request, authed with the same ai_workflows OAuth token DWS already uses elsewhere. Events go to ClickHouse if it's globally enabled, otherwise to Postgres ai_audit_events, with a line in audit_json.log either way. The 11 allowed event names match the gateway enum exactly; unknowns reject the whole batch with a 400, and the gateway doesn't retry 400s so a bad batch fails once and stops. Behind :duo_workflow_audit_events (beta, off by default).
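
Added example, not code from this MR: a plain-Ruby model of the batch-acceptance rules described above (500-event cap, CloudEvents shape, allowlisted event names, all-or-nothing rejection with a 400, ClickHouse-vs-Postgres routing). The 11 real event names are not reproduced; the allowlist, the required-attribute check and the sample batch are labelled placeholders and assumptions.

```ruby
# Rules from the MR description, modelled outside Rails. Placeholders stand in
# for the real gateway enum, which this example does not reproduce.
MAX_EVENTS_PER_REQUEST = 500
ALLOWED_EVENT_NAMES = %w[placeholder_event_one placeholder_event_two].freeze

# CloudEvents 1.0 required context attributes (assumption: the MR does not say
# which attributes the endpoint checks).
REQUIRED_ATTRIBUTES = %w[specversion id source type].freeze

# Returns [status, body]: 200 when every event is acceptable, otherwise 400
# with the reasons. One bad event fails the whole batch, and since the gateway
# does not retry 400s the batch fails once and stops.
def validate_audit_event_batch(events)
  return [400, { errors: ['body must be a JSON array of CloudEvents'] }] unless events.is_a?(Array)
  if events.size > MAX_EVENTS_PER_REQUEST
    return [400, { errors: ["batch of #{events.size} exceeds #{MAX_EVENTS_PER_REQUEST}"] }]
  end

  errors = []
  events.each_with_index do |event, idx|
    unless event.is_a?(Hash)
      errors << "event #{idx}: not an object"
      next
    end
    missing = REQUIRED_ATTRIBUTES.reject { |a| event[a].is_a?(String) && !event[a].empty? }
    errors << "event #{idx}: missing #{missing.join(', ')}" unless missing.empty?
    type = event['type']
    if type.is_a?(String) && !ALLOWED_EVENT_NAMES.include?(type)
      errors << "event #{idx}: unknown event name #{type.inspect}"
    end
  end

  return [400, { errors: errors }] unless errors.empty?

  [200, { accepted: events.size }]
end

# Storage choice per the MR: ClickHouse when the global analytics setting is
# on, otherwise the Postgres ai_audit_events table.
def audit_event_sink(use_clickhouse_for_analytics)
  use_clickhouse_for_analytics ? :clickhouse : :postgres_ai_audit_events
end

# Constructed sample batch (not real DWS traffic): one valid event, one whose
# name is outside the allowlist, so the whole batch is rejected.
SAMPLE_BATCH = [
  { 'specversion' => '1.0', 'id' => 'evt-1', 'source' => '/duo-workflow-service',
    'type' => 'placeholder_event_one', 'data' => { 'workflow_id' => 42 } },
  { 'specversion' => '1.0', 'id' => 'evt-2', 'source' => '/duo-workflow-service',
    'type' => 'not_in_enum' }
].freeze
```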

How to validate locally

Real path: vulnerability flow trigger → DWS → back to this endpoint. Assumes GDK has local checkouts of gitlab and gitlab-ai-gateway.

  1. In gitlab-ai-gateway/.env:

    AIGW_AUDIT_EVENT__ENABLED=true

  2. The gateway has a placeholder version gate at duo_workflow_service/audit_events/client.py:17 that blocks every real GitLab version. Temporarily set it to Version("0.0.0").

  3. gdk restart duo-workflow-service gitlab-ai-gateway

  4. In gdk rails c:

    Feature.enable(:duo_workflow_audit_events)
    Feature.enable(:duo_workflow_use_composite_identity)
    Feature.enable(:ai_flow_triggers_use_composite_identity)

  5. Go to Secure > Vulnerability Report on a project with at least one SAST finding. Open the finding and click "Resolve with AI" or "Check for false positive". Wait for the CI workflow to finish.

  6. Check Postgres:

    gdk psql -c "select event_name, workflow_id, created_at \
                 from ai_audit_events order by id desc limit 10;"
    tail log/audit_json.log | grep -m5 ai_

  7. To verify the ClickHouse path, flip the setting and re-run:

    ApplicationSetting.current.update!(use_clickhouse_for_analytics: true)

    Then:

    gdk clickhouse-client -q \
      "select event_name, workflow_id, created_at \
       from gitlab_clickhouse_main_dev.ai_audit_events \
       order by created_at desc limit 10"

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Andrew Jung
