Emit audit events on AI Tool Rule create and update
What does this MR do and why?
Adds Audit Events on AI Tool Rule create and update.
How to validate locally
- Enable the feature flags in the Rails console:

  ```ruby
  Feature.enable(:gitlab_duo_governance_settings)
  Feature.enable(:agent_artifacts_page)
  ```

- Open the GraphQL explorer at http://gitlab.localdev:3000/-/graphql-explorer and create a tool rule:

  ```graphql
  mutation {
    updateAiToolRule(input: {
      fullPath: "gitlab-duo"
      toolId: "find_files"
      webAccess: DENY
      localAccess: ASK
    }) {
      toolRule { id webAccess }
      errors
    }
  }
  ```

- Navigate to the group audit log at http://gitlab.localdev:3000/groups/gitlab-duo/-/audit_events

  Expected: An audit event appears with tool name `find_files` and `web_access=deny`.

- Run the mutation again to update the rule:

  ```graphql
  mutation {
    updateAiToolRule(input: {
      fullPath: "gitlab-duo"
      toolId: "find_files"
      webAccess: ALLOW
      localAccess: DENY
    }) {
      toolRule { id webAccess }
      errors
    }
  }
  ```

- Check the audit log again.

  Expected: A second audit event appears with details showing `web_access deny->allow`.
MR acceptance checklist
Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Related to #601301
Edited by Jean van der Walt
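A way to review the audit trail these events produce, written as an added example that is not part of this MR or of GitLab's code: it parses rule changes out of event messages and flags updates that make a tool rule more permissive. The record shape, the `local_access` field name, the message layout (modelled on the `web_access=deny` and `web_access deny->allow` fragments in the validation steps) and the deny < ask < allow ordering are assumptions.

```ruby
# Added example, not GitLab code. Record shape and message layout are assumed.

# Assumed permissiveness ordering of the access values used in the mutations.
RANK = { "deny" => 0, "ask" => 1, "allow" => 2 }.freeze

# "web_access=deny" style fragment, as described for a newly created rule.
CREATE_RE = /\b(web_access|local_access)=(deny|ask|allow)\b/
# "web_access deny->allow" style fragment, as described for an updated rule.
UPDATE_RE = /\b(web_access|local_access) (deny|ask|allow)->(deny|ask|allow)\b/

# Constructed sample records mirroring the two validation steps.
SAMPLE_EVENTS = [
  { author: "alice", tool: "find_files", message: "web_access=deny local_access=ask" },
  { author: "bob", tool: "find_files", message: "web_access deny->allow, local_access ask->deny" }
].freeze

# Turns each event into one structured change per field; from is nil on create.
def rule_changes(events)
  events.flat_map do |event|
    created = event[:message].scan(CREATE_RE).map { |field, to| [field, nil, to] }
    updated = event[:message].scan(UPDATE_RE)
    (created + updated).map do |field, from, to|
      { author: event[:author], tool: event[:tool], field: field, from: from, to: to }
    end
  end
end

# Keeps only updates whose new value ranks above the previous one.
def loosened(changes)
  changes.select { |c| c[:from] && RANK[c[:to]] > RANK[c[:from]] }
end

if __FILE__ == $PROGRAM_NAME
  loosened(rule_changes(SAMPLE_EVENTS)).each do |c|
    puts "#{c[:author]} loosened #{c[:tool]} #{c[:field]}: #{c[:from]} -> #{c[:to]}"
  end
end
```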