Add 'third_party_agent_token_created' audit event

What does this MR do and why?

Add 'third_party_agent_token_created' audit event:

  • external agent name (Amazon Q, Claude, etc.)
  • token scope and expiration in audit event
  • associated workflow/session

References

Screenshots or screen recordings

Before After

How to set up and validate locally

In rails console:

user = User.first # or root user
project = Project.find(<id>) # gitlab duo enabled project

result = Ai::ThirdPartyAgents::TokenService.new(
  current_user: user,
  project: project,
  agent_name: 'Amazon Q Developer Agent',
  workflow_id: 123
).direct_access_token

AuditEvent.last

Example:

 id: 20124,
 author_id: 1,
 entity_id: 1,
 entity_type: "User",
 details:
  {:token_expires_at=>1773783251, :token_scopes=>["complete_code", "ai_gateway_model_provider_proxy"], :agent_name=>"Amazon Q Developer Agent", :workflow_id=>123, :project_id=>30, :namespace_id=>1000000, :event_name=>"third_party_agent_token_created", :author_name=>"Administrator", :author_class=>"User", :target_id=>1, :target_type=>"User", :target_details=>"Administrator", :custom_message=>"Generated third-party agent access token", :ip_address=>"172.16.123.1", :entity_path=>"root"},
 ip_address: #<IPAddr: IPv4:172.16.123.1/255.255.255.255>,
 author_name: "Administrator",
 entity_path: "root",
 target_details: "Administrator",
 created_at: "2026-03-17 20:34:11.312341000 +0000",
 target_type: "User",
 target_id: 1>

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Andrew Jung

Merge request reports

Loading