DAP Code Review Flow non-functional on Self-Managed/Dedicated (v18.8.2-ee)
## Summary
The DAP Code Review Flow does not trigger or execute on GitLab Self-Managed and GitLab Dedicated, while Classic Duo Enterprise Code Review with `@GitLabDuo` works correctly. Users with DAP access (`duo_agent_platform` feature) receive a "requires GitLab Duo Enterprise" error when attempting to use the Code Review flow.
## Environment
| Field | Value |
|-------|-------|
| **Instance Type** | GitLab Self-Managed / GitLab Dedicated |
| **Version** | 18.8.2-ee |
| **License** | Ultimate with Duo Enterprise add-on |
| **Testing Period** | 2026-01-31 and 2026-02-01 |
## Steps to Reproduce
1. Configure a GitLab Self-Managed or Dedicated instance with Duo Agent Platform enabled
2. Create a user with `duo_agent_platform` access (via `duo_namespace_access_rules`)
3. Open a Merge Request with code changes
4. Attempt to trigger Code Review via:
   - `/assign_reviewer @GitLabDuo` quick action
   - `/assign_reviewer @duo-code-review-duo-foundry` quick action
   - Automate > Flows UI
   - Auto Duo Code Review setting at group level
## Expected Behavior
Users with DAP access should be able to trigger the Code Review flow and receive automated code review comments on their MRs.
## Actual Behavior
All Code Review trigger methods fail:
| Trigger Method | Result |
|----------------|--------|
| `/assign_reviewer @GitLabDuo` | Requires Duo Enterprise seat |
| `/assign_reviewer @duo-code-review-duo-foundry` | Assigns service account but doesn't trigger flow |
| Automate > Flows UI | Flows list is empty (no Code Review flow visible) |
| Automate > Triggers | Cannot create trigger for Code Review flow |
| Auto Duo Code Review setting | Does not trigger DAP flow (see details below) |
**Error message:**
> "You don't have access to GitLab Duo Code Review. This feature requires GitLab Duo Enterprise. Contact your administrator to upgrade your account."
### Automatic Code Review Setting Not Respected
The group-level "Automatic Duo Code Review" setting does not trigger the DAP Code Review flow:
**Setting location:** Group > Settings > GitLab Duo > "Automatic Duo Code Review"
**Configuration tested:**
- Setting enabled at the group level
- MR author has `duo_agent_platform` access via `duo_namespace_access_rules`
- MR is created/updated in a project within the group
**Expected behavior:**
When "Automatic Duo Code Review" is enabled and a user with DAP access creates or updates an MR, the DAP Code Review flow should automatically trigger and post review comments.
**Actual behavior:**
- No automatic code review is triggered
- The MR receives no review comments from the DAP Code Review flow
- Manual trigger attempts result in a "requires GitLab Duo Enterprise" error
- The setting appears to have no effect for DAP users
**Note:** When a user has a Duo Enterprise **seat** assigned (separate from DAP access), Classic Code Review with `@GitLabDuo` works - but this is the legacy flow, not the DAP Code Review flow.
## What Works (Classic Duo Enterprise)
Classic Duo Enterprise Code Review with `@GitLabDuo` works correctly when the user has a Duo Enterprise seat assigned. It posts review comments correctly (7 findings observed on the test MR).
This confirms the infrastructure (AI Gateway, etc.) is functional.
## Settings Verified
Instance-level settings confirmed as enabled:
- `duo_features_enabled: true`
- `duo_availability: default_on`
- `duo_agent_platform_enabled: true`
- `duo_remote_flows_enabled: true`
- `duo_foundational_flows_enabled: true`
- `duo_workflow_oauth_application_id` configured
Group-level settings:
- "Automatic Duo Code Review" enabled
Service account for Code Review exists and is active.
## Test Users
All 4 test users with different access levels received the same error:
| User | DAP Access | Classic Access | Code Review Result |
|------|------------|----------------|-------------------|
| User A (Full access) | Yes | Yes | Blocked |
| User B (DAP only) | Yes | No | Blocked |
| User C (Classic only) | No | Yes | Blocked (expected) |
| User D (No access) | No | No | Blocked (expected) |
**Key finding:** Even users with full DAP access are blocked from using the Code Review flow.
## Workaround
Use Classic Duo Enterprise Code Review (requires Duo Enterprise seat assignment, which is separate from DAP access).
## Other DAP Features That Work
For comparison, these DAP features work correctly for users with `duo_agent_platform` access:
- Fix Pipeline flow (button visible, sessions created)
- Agentic Chat with agent selector
- AI Catalogue (Agents/Flows tabs)
- Automate > Agents menu
- Automate > Sessions menu
## Diagnosis
The Code Review flow appears to require Duo Enterprise **seat assignment** rather than (or in addition to) `duo_agent_platform` feature access via `duo_namespace_access_rules`. This may be:
1. **By design** - Code Review always requires seat assignment regardless of DAP access
2. **Missing configuration** - Code Review flow is not registered/available on Self-Managed/Dedicated
3. **Access control bug** - Code Review should honor DAP access rules but doesn't
## Related
- Known Duo Chat visibility bug: https://gitlab.com/gitlab-org/gitlab/-/issues/587150