Shola Quadri activity https://gitlab.com/squadri 2026-03-16T13:10:37Z

tag:gitlab.com,2026-03-16:5208249553 Shola Quadri commented on merge request !18106 at GitLab.com / Content Sites / handbook 2026-03-16T13:10:37Z squadri Shola Quadri

question

In this scenario, where the service account isn't coupled with the user's permission scope, are there risks of the agents escalating privileges or accessing data beyond necessary? If so, should we consider implementing guardrails to mitigate this?

tag:gitlab.com,2026-03-16:5207806975 Shola Quadri commented on merge request !4840 at GitLab.org / ModelOps / AI Assisted (formerly Applied ML) / Code Suggestions / AI Gateway 2026-03-16T11:31:53Z squadri Shola Quadri

@vij

Thanks! I think the second suggestion (mix of propagated and non-propagated claims) might have been missed in the addition: a92b2835

But in the interest of moving the MR along, I'm happy to approve and we could add the additional test later! 🚀

@eduardobonet could you take over the maintainer review for this, please?

tag:gitlab.com,2026-03-16:5207806685 Shola Quadri approved merge request !4840: fix: do not drop extra skip_usage_cutoff claim at GitLab.org / ModelOps / AI Assisted (formerly Applied ML) / Cod... 2026-03-16T11:31:48Z squadri Shola Quadri

What does this merge request do and why?

GitLab team members using IDE plugins to trigger Duo Workflows via the direct_access endpoint intermittently have skip_usage_cutoff set to false, despite being valid team members. The same users show true on other requests milliseconds apart.

Root cause

The direct_access endpoint flow involves two tokens:

  1. Rails → AIGW/DWS (gRPC GenerateToken): Rails sends a Cloud Connector token containing skip_usage_cutoff: true as an extra claim
  2. AIGW/DWS → Rails → IDE Plugin: DWS generates a new workflow token and returns it
  3. IDE Plugin → AIGW/DWS → AIGW (LLM calls): The IDE uses the DWS-generated token, which AIGW checks for skip_usage_cutoff

In step 2, the GenerateToken handler was building extra_claims with only gitlab_instance_uid, discarding all other incoming claims including skip_usage_cutoff.

Fix

Propagate skip_usage_cutoff extra claim from user.claims.extra into the DWS-generated token

How to set up and validate locally

Numbered steps to set up and validate the change are strongly suggested.

Merge request checklist

  • Tests added for new functionality. If not, please raise an issue to follow up.
  • Documentation added/updated, if needed.
  • If this change requires executor implementation: verified that issues/MRs exist for both Go executor and Node executor or confirmed that changes are backward-compatible and don't break existing executor functionality.

tag:gitlab.com,2026-03-13:5200692007 Shola Quadri commented on issue #27962 at GitLab.com / GitLab Infrastructure Team / Production Engineering 2026-03-13T10:32:23Z squadri Shola Quadri

Update 2026-03-13

Closing this - complete with gitlab-com/runbooks!10247 (merged)

cc: @mnohr @changzhengliu

tag:gitlab.com,2026-03-13:5200691480 Shola Quadri closed issue #27962: Review and adjust alert thresholds for ai-assisted main stage during weekends at GitLab.com / GitLab Infrastructure Team / ... 2026-03-13T10:32:16Z squadri Shola Quadri

tag:gitlab.com,2026-03-12:5198203279 Shola Quadri commented on merge request !4840 at GitLab.org / ModelOps / AI Assisted (formerly Applied ML) / Code Suggestions / AI Gateway 2026-03-12T17:53:31Z squadri Shola Quadri

@vij thanks for your work on this! I left a comment for your consideration! Have a look and let me know what you think!

🏓

tag:gitlab.com,2026-03-12:5198200639 Shola Quadri commented on merge request !4840 at GitLab.org / ModelOps / AI Assisted (formerly Applied ML) / Code Suggestions / AI Gateway 2026-03-12T17:52:50Z squadri Shola Quadri

suggestion

I'm not deeply familiar w/ the cloud connector domain but looking at the code, we iterate over the _PROPAGATED_EXTRA_CLAIMS rather than incoming_extra, which means non-propagated keys are silently excluded. Two gaps I think are worth covering in the tests:

  1. Verifying that extra keys outside of _PROPAGATED_EXTRA_CLAIMS are explicitly excluded from the output
  2. Verifying that when extra contains a mix of propagated and non-propagated claims, only the allowed claims are propagated

I think right now, the behaviour is implicitly tested through what is present but not through what shouldn't be, and testing these edge cases more explicitly could help us guard against regressions if the iteration logic changes.

WDYT?

tag:gitlab.com,2026-03-12:5197908408 Shola Quadri commented on issue #584271 at GitLab.org / GitLab 2026-03-12T16:35:11Z squadri Shola Quadri

Async Status Update 2025-03-12

Progress & Status: What progress have you made? What's the current state?

  • I've gotten the MR to add item_id to duo_workflows_workflows merged.
  • Addressed several pieces of feedback on the backfill MR. This MR has now gotten final approval and MWPS set in progress, but the pipeline is failing due to a seemingly unrelated reason, so will try to get this sorted and have MWPS re-set.
  • Opened the final feature implementation MR for review and addressed some feedback

Next Steps: What are your planned next actions?

  • Get pipeline issues resolved and have MWPS reset on the backfill MR
  • Await follow up feedback for the feature implementation MR

Blockers: Are you blocked or need assistance with this?

  • Not a major blocker but the first reviewer @wanpol for the feature implementation is on PTO until next Wednesday (18th April). Since there are ongoing discussions from the initial review, I think it makes sense to wait until their return, but this means this issue won't make it into 18.10 as I was hoping for.

How confident are you that this will make it to the current milestone?

  • Not confident (See blocker above)
  • Slightly confident
  • Very confident

/cc @mnohr @jordanjanes

tag:gitlab.com,2026-03-12:5197003140 Shola Quadri commented on merge request !4319 at GitLab.org / ModelOps / AI Assisted (formerly Applied ML) / Code Suggestions / AI Gateway 2026-03-12T13:22:20Z squadri Shola Quadri

@igor.drozdov thanks for the context. Looks like the MWPS failed due to a pipeline failure, I've rebased. Hopefully that should fix it!

Could you reset MWPS when the pipeline passes? 🙏🏾

tag:gitlab.com,2026-03-12:5196997263 Shola Quadri pushed to project branch renovate/gitmatch-0.x at gitlab-renovate-forks / AI Gateway 2026-03-12T13:21:08Z squadri Shola Quadri

Shola Quadri (3e091b63) at 12 Mar 13:21

chore(deps): update dependency gitmatch to ^0.3.0

... and 370 more commits

tag:gitlab.com,2026-03-12:5196960655 Shola Quadri pushed new project branch renovate/gitmatch-0.x at GitLab.org / ModelOps / AI Assisted (formerly Applied ML) / Code Suggestions / AI Gateway 2026-03-12T13:13:45Z squadri Shola Quadri

Shola Quadri (7efa1fc4) at 12 Mar 13:13

chore(deps): update dependency gitmatch to ^0.3.0

tag:gitlab.com,2026-03-12:5196798531 Shola Quadri commented on merge request !226130 at GitLab.org / GitLab 2026-03-12T12:38:33Z squadri Shola Quadri

@hsilva5 thanks, lgtm!

tag:gitlab.com,2026-03-12:5196797184 Shola Quadri approved merge request !226130: Resolve "Remove `additional_snowplow_tracking` feature flag" at GitLab.org / GitLab 2026-03-12T12:38:16Z squadri Shola Quadri

What does this MR do and why?

Removes the feature flag `additional_snowplow_tracking`. Feature was never enabled in any environment, so default behaviour is set to false.

References

Screenshots or screen recordings

How to set up and validate locally

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #510635

tag:gitlab.com,2026-03-12:5196783688 Shola Quadri pushed to project branch 584271/sq/backfill-service_acct_id-on-duo_workflows_workflows-table at GitLab.org / GitLab 2026-03-12T12:35:04Z squadri Shola Quadri

Shola Quadri (95602408) at 12 Mar 12:35

Updates query to match foundational workflows via reference

... and 1324 more commits

tag:gitlab.com,2026-03-12:5196467768 Shola Quadri pushed to project branch 548271/sq/update-flows-agent-tracking-to-consmr-service-acct at GitLab.org / GitLab 2026-03-12T11:19:23Z squadri Shola Quadri

Shola Quadri (a053b70a) at 12 Mar 11:19

Removes current_user fallback and renames methods arg

... and 720 more commits

tag:gitlab.com,2026-03-12:5196394677 Shola Quadri pushed to project branch 548271/sq/update-flows-agent-tracking-to-consmr-service-acct at GitLab.org / GitLab 2026-03-12T11:01:33Z squadri Shola Quadri

Shola Quadri (306588c4) at 12 Mar 11:01

Removes current_user fallback and renames methods arg

... and 2 more commits

tag:gitlab.com,2026-03-11:5193735166 Shola Quadri pushed to project branch 548271/sq/update-flows-agent-tracking-to-consmr-service-acct at GitLab.org / GitLab 2026-03-11T18:02:30Z squadri Shola Quadri

Shola Quadri (e9a4d2ca) at 11 Mar 18:02

Removes current_user fallback and renames methods arg

... and 484 more commits

tag:gitlab.com,2026-03-11:5193719805 Shola Quadri commented on merge request !10247 at GitLab.com / Runbooks 2026-03-11T17:58:11Z squadri Shola Quadri

Hi @reprazent following this discussion, would you mind reviewing this, please?

tag:gitlab.com,2026-03-11:5193716708 Shola Quadri commented on issue #27962 at GitLab.com / GitLab Infrastructure Team / Production Engineering 2026-03-11T17:57:16Z squadri Shola Quadri

Async Status Update 2025-03-11

Progress & Status: What progress have you made? What's the current state?

  • I found the root cause for this as part of my investigations and proposed some fix approaches w/ feedback from the Observability team. I've now opened a fix MR that's awaiting review.

Next Steps: What are your planned next actions?

  • Get fix MR reviewed & merged

Blockers: Are you blocked or need assistance with this?

  • N/A

How confident are you that this will make it to the current milestone?

  • Not confident
  • Slightly confident
  • Very confident

/cc @mnohr @jordanjanes