Add composite identity checks for commit

What does this MR do and why?

When a service account makes a commit, the system now checks if the commit's author information matches the real human user that the service account is linked to, rather than just checking the service account itself. This allows DAP agents to make commits using the identity of the developer they're helping, while still maintaining security controls.

References

Screenshots or screen recordings

Before After

How to set up and validate locally

  1. In GDK enable Settings → Repository → Push rules → "Reject unverified users"
  2. Click on Generate MR with Duo
  3. You should see the agent struggling to push to the branch directly and trying workarounds
  4. Pull from this branch and try again
  5. You should be able to see a successful push
  6. You could also try steps from #594997 (closed)

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #594997 (closed)

Merge request reports

Loading