## Release notes Group owners can now restrict the AI Catalog to show only agents owned within their namespace — blocking external public agents from being visible or enabled by any user. Previously, the AI Catalog surfaced public agents from any GitLab user, including external contributors. Maintainers could enable these agents with no admin-level approval, creating supply chain risk since external authors could update agent skill YAML at any time. With this new setting in your group's GitLab Duo configuration, external public agents are hidden from the catalog entirely when the restriction is active. The setting is also reflected in audit logs, giving you a clear record of when and how the restriction is applied. https://docs.gitlab.com/user/duo_agent_platform/ai_catalog **Problem** The AI Catalog today surfaces public agents created by any GitLab user — including external community contributors outside the customer's namespace. Maintainers can enable these agents with no admin-level approval gate, creating supply chain risk: the external author can update the agent's skill YAML and customers have no reliable way to review or pin the version they are consuming. **Proposed Solution** * Add an TLG-level toggle that restricts the AI Catalog to only show agents owned within the customer's namespace (i.e. GitLab foundational agents + internally-created agents). When enabled, external public agents are hidden from the catalog entirely and cannot be enabled by any user. * Location of proposed toggle: [https://gitlab.com/groups/\\[YOUR-GROUP-NAME\\]/-/settings/gitlab_duo/configuration](https://gitlab.com/groups/gl-demo-ultimate-rkolosovskiy/-/settings/gitlab_duo/configuration) {width=900 height=535} **Acceptance Criteria** * An admin can restrict the AI Catalog to namespace-owned and GitLab foundational agents only * External public agents are not visible or invocable when the restriction is active * The setting is reflected in audit logs * Backend permissions updated to enforce rules: `execute_ai_catalog_item` (execute item) and `admin_ai_catalog_item_consumer` (enable item)