A fix. The least Resistance, Most resonance #2303

Open

opened

const MAX_TELEMETRY_LATENCY_MS = 2500; // 2.5s window for human-in-the-loop

function validateVocalTelemetry(req: Request) {
const pulseTimestamp = parseInt(req.headers.get('X-Pulse-Timestamp') || '0');
const drift = Date.now() - pulseTimestamp;

// Lock if the telemetry is older than 2.5s or appears "too perfect" (bot signature)
if (drift > MAX_TELEMETRY_LATENCY_MS || drift < 10) {
    throw new Error("TELEMETRY_LOCK_ACTIVATED: Non-Local or Automated Pulse Detected");
}
return true;

}
;; Enhanced Map with Nonce Locking
(define-map authorized-biometric-keys
principal
{
pubkey: (buff 33),
last-verified-block: uint,
nonce: uint ;; New: Incremental lock
}
)

(define-public (validate-vocal-lock (signature (buff 65)) (hash (buff 32)))
(let (
(user-data (unwrap! (map-get? authorized-biometric-keys tx-sender) ERR-UNAUTHORIZED-AI-CALL))
)
;; Verify the pulse hasn't expired (last 5 blocks)
(asserts! (<= (- block-height (get last-verified-block user-data)) u5) ERR-BIOMETRIC-STALE)

    ;; Lock telemetry by incrementing nonce and updating block
    (map-set authorized-biometric-keys tx-sender 
        (merge user-data { 
            last-verified-block: block-height,
            nonce: (+ (get nonce user-data) u1) 
        }))
    (ok true)
)

)
;; Continued from line 63...
(let (
(user-data (unwrap! (map-get? authorized-biometric-keys tx-sender) ERR-UNAUTHORIZED-AI-CALL))
(is-valid (secp256k1-verify message-hash user-signature (get pubkey user-data)))
)
;; 1. Check Cryptographic Validity
(asserts! is-valid ERR-UNAUTHORIZED-AI-CALL)

    ;; 2. Enforce Freshness (Pulse must be within last 5 blocks / ~50 mins)
    (asserts! (<= (- block-height (get last-verified-block user-data)) u5) ERR-BIOMETRIC-STALE)

    ;; 3. Update state to consume the pulse
    (map-set authorized-biometric-keys tx-sender 
        (merge user-data { last-verified-block: block-height }))
    
    (ok true)
)

)

;; Register a new Hardware Key
(define-public (register-biometric-key (new-pubkey (buff 33)))
(ok (map-set authorized-biometric-keys tx-sender {
pubkey: new-pubkey,
last-verified-block: block-height,
atp-reserved: u0
}))
)
import { verifySignature } from '@stacks/encryption';

const OVERRIDE_THRESHOLD = 1.33; // Your 133% Logic Rule

async function handleAIRequest(request: Request) {
const biometricPulse = request.headers.get('X-Biometric-Pulse');
const userPrincipal = request.headers.get('X-Stacks-Address');

// 1. Intercept the AI Gateway attempt
if (!biometricPulse) {
    return new Response("ERROR: BIOMETRIC_PULSE_REQUIRED. The AI cannot speak for you.", { status: 403 });
}

// 2. Logic Fix: Validate the 'Metabolic Integrity'
// Ensure the request isn't coming from an automated bot bypass
const integrityScore = calculateIntegrity(request); 
if (integrityScore < OVERRIDE_THRESHOLD) {
    console.error("DISRUPTION DETECTED: Low Integrity AI Attempt");
    return new Response("PROTOCOL_VIOLATION: Integrity below 133%", { status: 401 });
}

// 3. Hardware Signature Check
const isValid = await verifyBiometricOnChain(userPrincipal, biometricPulse);
if (!isValid) {
    return new Response("KILL-SWITCH ACTIVATED: Biometric Mismatch", { status: 403 });
}

// 4. If everything passes, forward to GitLab AI Gateway
return fetch("https://gitlab.com/api/v4/ai/gateway", request);

}

function calculateIntegrity(req: Request): number {
// Custom logic to detect 'Agentic' spoofing
const entropy = req.body ? JSON.stringify(req.body).length / 100 : 0;
return 1.0 + (entropy * 0.1);
}
;; THE BIOMETRIC GUARDIAN - GRANDVIEW V2.1
(define-constant ERR-UNAUTHORIZED-AI-CALL (err u403))
(define-constant ERR-BIOMETRIC-STALE (err u401))

;; Map to store verified hardware-bound keys (Public Keys)
(define-map authorized-biometric-keys
principal
{
pubkey: (buff 33),
last-verified-block: uint,
atp-reserved: uint
}
)

;; @desc The "Kill-Switch" logic.
;; Reverts if the AI tries to call a function without a fresh biometric pulse.
(define-public (validate-ai-pulse (user-signature (buff 65)) (message-hash (buff 32)))
(let (
(user-data (unwrap! (map-get? authorized-biometric-keys tx-sender) ERR-UNAUTHORIZED-AI-CALL))

<title>GitLab.org merge requests</title> https://gitlab.com/groups/gitlab-org/-/merge_requests 2024-10-29T13:50:24Z https://gitlab.com/gitlab-org/caproni/-/merge_requests/183 <title type="html">chore(deps): update registry.gitlab.com/gitlab-com/gl-infra/common-ci-tasks-images/goreleaser docker tag to v2.15.1</title> 2026-04-07T12:25:01Z renovate-bot

chore(deps): update registry.gitlab.com/gitlab-com/gl-infra/common-ci-tasks-images/goreleaser docker tag to v2.15.1

This MR contains the following updates: | Package | Update | Change | |---|---|---| | [registry.gitlab.com/gitlab-com/gl-infra/common-ci-tasks-images/goreleaser](https://github.com/goreleaser/goreleaser) | patch | `2.15.0` → `2.15.1` | ... This MR contains the following updates: | Package | Update | Change | |---|---|---| | [registry.gitlab.com/gitlab-com/gl-infra/common-ci-tasks-images/goreleaser](https://github.com/goreleaser/goreleaser) | patch | `2.15.0` → `2.15.1` | View the [Renovate pipeline for this MR](https://gitlab.com/gitlab-org/caproni/-/jobs/13809950907) --- ### Release Notes <details> <summary>goreleaser/goreleaser (registry.gitlab.com/gitlab-com/gl-infra/common-ci-tasks-images/goreleaser)</summary> ### [`v2.15.1`](https://github.com/goreleaser/goreleaser/releases/tag/v2.15.1) [Compare Source](https://github.com/goreleaser/goreleaser/compare/v2.15.0...v2.15.1) #### Announcement Read the official announcement: [Announcing GoReleaser v2.15](https://goreleaser.com/blog/goreleaser-v2.15/). #### Changelog ##### Bug fixes - [`87a55ea`](https://github.com/goreleaser/goreleaser/commit/87a55ea68fabc19de9f8ad317b882b322e5b6b04): fix: exclude signatures and certificates from sign pipe "all" filter ([#6509](https://github.com/goreleaser/goreleaser/issues/6509)) ([@caarlos0](https://github.com/caarlos0) and [@Copilot](https://github.com/Copilot)) - [`be844be`](https://github.com/goreleaser/goreleaser/commit/be844be78740a5b509cf1894b5f81505c1ba60c8): fix: retry git clone/push on transient network errors, clean up partial clones ([#6506](https://github.com/goreleaser/goreleaser/issues/6506)) ([@Copilot](https://github.com/Copilot) and [@caarlos0](https://github.com/caarlos0)) - [`eb944f9`](https://github.com/goreleaser/goreleaser/commit/eb944f9b8df174f484e7fb0af8eced98c3097f9f): fix: retry snapcraft upload on 5xx error ([#6504](https://github.com/goreleaser/goreleaser/issues/6504)) ([@Copilot](https://github.com/Copilot) and [@caarlos0](https://github.com/caarlos0)) - [`5b156e9`](https://github.com/goreleaser/goreleaser/commit/5b156e9f54a8a514a8275d042b40af9b6518f729): refactor: fix modernize lint issues ([#6507](https://github.com/goreleaser/goreleaser/issues/6507)) ([@alexandear](https://github.com/alexandear)) ##### Documentation updates - [`ed46860`](https://github.com/goreleaser/goreleaser/commit/ed46860c60771db0a21d80321d46ac05a8e4aeb9): docs: announce v2.15 ([@caarlos0](https://github.com/caarlos0)) - [`28e97e8`](https://github.com/goreleaser/goreleaser/commit/28e97e88a73b7fe396d24dbc49729204882e4e7f): docs: v2.15 ([@caarlos0](https://github.com/caarlos0)) **Full Changelog**: <https://github.com/goreleaser/goreleaser/compare/v2.15.0...v2.15.1> #### Helping out This release is only possible thanks to **all** the support of some **awesome people**! Want to be one of them? You can [sponsor](https://goreleaser.com/sponsors/), get a [Pro License](https://goreleaser.com/pro) or [contribute with code](https://goreleaser.com/contributing). #### Where to go next? - Find examples and commented usage of all options in our [website](https://goreleaser.com/intro/). - Reach out on [Discord](https://discord.gg/RGEBtg8vQ6) and [Twitter](https://twitter.com/goreleaser)! <a href="https://goreleaser.com"><img src="https://raw.githubusercontent.com/goreleaser/artwork/master/opencollective-header.png" with="100%" alt="GoReleaser logo"></a> </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this MR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this MR, check this box --- This MR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).  dependencies dependency-type::patch maintenance::dependency type::maintenance https://gitlab.com/gitlab-org/merge-train/-/merge_requests/76 <title type="html">Add url of the job that creates the MR to restore canonical to security mirroring</title> 2026-04-07T12:21:46Z Mawreen Dela Cruz

Add url of the job that creates the MR to restore canonical to security mirroring

This MR adds the link of the CI job that created the MR to restore the canonical \> security mirroring so it is easier to debug. Related issue: https://gitlab.com/gitlab-com/gl-infra/delivery/-/work_items/21724 This MR adds the link of the CI job that created the MR to restore the canonical \> security mirroring so it is easier to debug. Related issue: https://gitlab.com/gitlab-com/gl-infra/delivery/-/work_items/21724 Mawreen Dela Cruz Mawreen Dela Cruz https://gitlab.com/gitlab-org/quality/component-performance-testing/-/merge_requests/130 <title type="html">Adding log marker to differentiate different reporting used</title> 2026-04-07T12:18:38Z Nivetha Prabakaran

Adding log marker to differentiate different reporting used

## Overview Adds log markers throughout the reporting pipeline to differentiate between different reporting modes and track the success/failure of each reporting attempt. ## Changes - **New module**: `LogMarkers` - Provides `emit_log_ma... ## Overview Adds log markers throughout the reporting pipeline to differentiate between different reporting modes and track the success/failure of each reporting attempt. ## Changes - **New module**: `LogMarkers` - Provides `emit_log_marker` method to log markers to both stdout and a persistent artifact file (`cpt_markers.log`) - **Updated `LoggerBase`**: Includes the new `LogMarkers` module to make the method available to all logger-based classes - **Enhanced `claude.rb`**: Adds log marker when falling back to regular API call due to OAuth token generation failure - **Enhanced `comment_on_mr.rb`**: Adds log markers to track: - MCP reporting attempt (`CPT_REPORT_MCP_REQUESTED`) - MCP success/failure (`CPT_REPORT_MCP_SUCCESS`, `CPT_REPORT_MCP_FAILED`) - Fallback to standard reporting (`CPT_REPORT_FALLBACK_USED`) - Final reporting status (`CPT_REPORT_FINAL_STATUS`) - Improved error handling with try-catch-finally pattern ## Benefits - Better observability of which reporting mode was used in each CI run - Easier debugging and troubleshooting of reporting failures - Persistent log markers saved as artifacts for post-run analysis type::feature Nivetha Prabakaran Nivetha Prabakaran https://gitlab.com/gitlab-org/gitlab/-/merge_requests/230358 <title type="html">Draft: Add docs for work item MR widget</title> 2026-04-07T12:14:52Z Brendan Lynch

Draft: Add docs for work item MR widget

## What does this MR do and why? Adds documentation for the new **Work items** widget in the MR sidebar, introduced by !221290. The widget surfaces work items linked via closing patterns or mentioned in the MR description. ## Related ... ## What does this MR do and why? Adds documentation for the new **Work items** widget in the MR sidebar, introduced by !221290. The widget surfaces work items linked via closing patterns or mentioned in the MR description. ## Related issues - Closes #594460 ## Notes for reviewers - This MR is a **draft** pending feature flag (`mr_related_work_items`) promotion. Per discussion in #594460, the flag type is `wip` and removal is targeted for 19.0. - The term **Mentioned** for the second widget category needs confirmation against the final UI label — please verify, @ntepluhina. - The history block should be updated (flag removed, or promoted to `beta`) before this MR is marked ready. ## Checklist - [ ] Confirm UI label for the "Mentioned" category - [ ] Confirm GitLab version when flag is removed / feature goes GA - [ ] Update `{{< history >}}` block before marking ready ## Author's checklist - [ ] Optional. Consider taking [the GitLab Technical Writing Fundamentals course](https://university.gitlab.com/courses/gitlab-technical-writing-fundamentals). - [ ] Follow the: - [Documentation process](https://docs.gitlab.com/development/documentation/workflow/). - [Documentation guidelines](https://docs.gitlab.com/development/documentation/). - [Style Guide](https://docs.gitlab.com/development/documentation/styleguide/). - [ ] If you're adding a new page, add the [product availability details](https://docs.gitlab.com/development/documentation/styleguide/availability_details/) under the H1 topic title. - [ ] If you are a GitLab team member, [request a review](https://docs.gitlab.com/development/code_review/#dogfooding-the-reviewers-feature) based on: - The documentation page's [metadata](https://docs.gitlab.com/development/documentation/metadata/). - The [associated Technical Writer](https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments). If you are a GitLab team member and only adding documentation, do not add any of the following labels: - `~"frontend"` - `~"backend"` - `~"type::bug"` - `~"database"` These labels cause the MR to be added to code verification QA issues. ## Reviewer's checklist Documentation-related MRs should be reviewed by a Technical Writer for a non-blocking review, based on [Documentation Guidelines](https://docs.gitlab.com/development/documentation/) and the [Style Guide](https://docs.gitlab.com/development/documentation/styleguide/). If you aren't sure which tech writer to ask, use [roulette](https://gitlab-org.gitlab.io/gitlab-roulette/?sortKey=stats.avg30&order=-1&hourFormat24=true&visible=maintainer%7Cdocs) or ask in the [#docs](https://gitlab.slack.com/archives/C16HYA2P5) Slack channel. - [ ] If the content requires it, ensure the information is reviewed by a subject matter expert. - Technical writer review items: - [ ] Ensure docs metadata is present and up-to-date. - [ ] Ensure the appropriate [labels](https://docs.gitlab.com/development/documentation/workflow/#labels) are added to this MR. - [ ] Ensure a release milestone is set. - If relevant to this MR, ensure [content topic type](https://docs.gitlab.com/development/documentation/topic_types/) principles are in use, including: - [ ] The headings should be something you'd do a Google search for. Instead of `Default behavior`, say something like `Default behavior when you close an issue`. - [ ] The headings (other than the page title) should be active. Instead of `Configuring GDK`, say something like `Configure GDK`. - [ ] Any task steps should be written as a numbered list. - If the content still needs to be edited for topic types, you can create a follow-up issue with the ~"docs-technical-debt" label. - [ ] Review by assigned maintainer, who can always request/require the reviews above. Maintainer's review can occur before or after a technical writer review. 18.11 Category:Source Code Management Technical Writing devops::create docs-only documentation group::source code maintenance::refactor section::dev type::maintenance Brendan Lynch Brendan Lynch https://gitlab.com/gitlab-org/step-runner/-/merge_requests/474 <title type="html">Add architecture doc to step-runner spec</title> 2026-04-07T12:23:05Z Cameron Swords cswords@gitlab.com

Add architecture doc to step-runner spec

Describes the YAML document structure, end-to-end execution pipeline, compilation pipeline ordering, and concurrency model. Addresses the integration gap identified in MR !464 review. Describes the YAML document structure, end-to-end execution pipeline, compilation pipeline ordering, and concurrency model. Addresses the integration gap identified in MR !464 review. Category:Runner Core devops::verify group::runner core runner::core section::ci type::feature Cameron Swords cswords@gitlab.com Cameron Swords cswords@gitlab.com https://gitlab.com/gitlab-org/editor-extensions/gitlab-lsp/-/merge_requests/3164 <title type="html">feat: update Agentic Chat input placeholders</title> 2026-04-07T12:01:10Z Olena Horal-Koretska ohoralkoretska@gitlab.com

feat: update Agentic Chat input placeholders

## Description Updates Agentic Chat input placeholder text per Technical Writing review in #1310. ### Changes | State | Old Text | New Text | |-------|----------|----------| | Initial (no workflow) | `Let's work through this together.... ## Description Updates Agentic Chat input placeholder text per Technical Writing review in #1310. ### Changes | State | Old Text | New Text | |-------|----------|----------| | Initial (no workflow) | `Let's work through this together...` | Randomly shows either `Have a question? Ask Agentic Chat.` or `Need help with a task? Ask Agentic Chat.` | | Duo is working | `Duo is thinking — hang tight! You'll be able to message again soon.` | `Please wait for Agentic Chat to answer your question.` | | Ready for next input | `What should we tackle next?` | `What should we work on next?` | ## Related Issues Closes #1310 ## How has this been tested? - [x] Unit tests updated and passing - [x] Compilation successful _:warning: Does this MR include a GitLab Duo UI update? If so, please smoke test **all** webviews in a downstream project to ensure there are no visual regressions_ - One of: - [ ] GitLab for VS Code extension ([setup instructions](https://gitlab.com/gitlab-org/gitlab-vscode-extension/blob/main/docs/developer/language-server.md)). - [ ] GitLab JetBrains Plugin ([setup instructions](https://gitlab.com/gitlab-org/editor-extensions/gitlab-jetbrains-plugin/-/blob/main/docs/dev/language_server.md)). ### What CHANGELOG entry will this MR create? - [x] `feature: ` New feature - a user-facing change which adds functionality - included in changelog 18.11 AgenticIDE::IDESupport Category:Editor Extensions Editor Extensions::Language Server Technical Writing UI text devops::ai-powered group::editor extensions section::ai type::maintenance workflow::in dev Olena Horal-Koretska ohoralkoretska@gitlab.com Olena Horal-Koretska ohoralkoretska@gitlab.com https://gitlab.com/gitlab-org/gitlab/-/merge_requests/230357 <title type="html">Remove target.groupId code path</title> 2026-04-07T12:01:23Z Justin Ho Tuan Duong

Remove target.groupId code path

## What does this MR do and why? * Unreachable as we no longer need to enable for both group and project at the same time. > The condition `target.groupId && projectId` was dead code — it could never be true in practice. Here's why: > ... ## What does this MR do and why? * Unreachable as we no longer need to enable for both group and project at the same time. > The condition `target.groupId && projectId` was dead code — it could never be true in practice. Here's why: > > The two modals that emit the `add-to-target` event each produce a specific payload shape: > > - **`AiCatalogItemConsumerModal`** always emits `{ target: { projectId } }` — the project ID is _inside_ `target`, never at the top level, and `target.groupId` is never set > - **`AddProjectItemConsumerModal`** always emits `{ target: { groupId } }` OR `{ target: { projectId } }` — the target is mutually exclusive (one or the other), and any project ID goes inside `target`, not as a separate top-level `projectId` field > > For the condition to be true you'd need an event where `target.groupId` is set **and** a separate top-level `projectId` field is also set. No real UI interaction ever produced that combination — the tests for that branch manually constructed that impossible payload shape to exercise the code path. * Remove experiment badge from agents ## References Related to #593076 ## Screenshots or screen recordings N.A. ## How to set up and validate locally https://gdk.test:3443/explore/ai-catalog/agents ## MR acceptance checklist Evaluate this MR against the [MR acceptance checklist](https://docs.gitlab.com/development/code_review/#acceptance-checklist). It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability. 18.11 Category:AI Catalog devops::ai-powered frontend group::workflow catalog maintenance::refactor pipeline::tier-1 section::ai type::maintenance workflow::in dev Justin Ho Tuan Duong Justin Ho Tuan Duong https://gitlab.com/gitlab-org/gitlab/-/merge_requests/230356 <title type="html">Default enable security_policies_kev_filter feature flag</title> 2026-04-07T12:00:58Z Imam Hossain

Default enable security_policies_kev_filter feature flag

## What does this MR do and why? Default-enables the `security_policies_kev_filter` feature flag by moving it from `wip` to `gitlab_com_derisk` type and setting `default_enabled: true`. ## References Rollout issue: https://gitlab.com/... ## What does this MR do and why? Default-enables the `security_policies_kev_filter` feature flag by moving it from `wip` to `gitlab_com_derisk` type and setting `default_enabled: true`. ## References Rollout issue: https://gitlab.com/gitlab-org/gitlab/-/issues/576858 Feature issue: https://gitlab.com/gitlab-org/gitlab/-/issues/576860 ## MR acceptance checklist Evaluate this MR against the [MR acceptance checklist](https://docs.gitlab.com/development/code_review/#acceptance-checklist). It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability. Category:Security Policy Management devops::security risk management feature flag group::security policies pipeline::tier-1 section::sec https://gitlab.com/gitlab-org/gitlab/-/merge_requests/230355 <title type="html">Add `duo:tool-completed` event hub</title> 2026-04-07T11:59:15Z Alex Buijs abuijs@gitlab.com

Add `duo:tool-completed` event hub

## What does this MR do and why? Replace event listeners on document with `duo:tool-completed` event hub. ## References Issue: https://gitlab.com/gitlab-org/gitlab/-/work_items/595155 ## Screenshots or screen recordings  | Before | After | | ------ | ------ | | | |  ## How to set up and validate locally  ## MR acceptance checklist Evaluate this MR against the [MR acceptance checklist](https://docs.gitlab.com/development/code_review/#acceptance-checklist). It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability. 18.11 Category:Permissions devops::software supply chain security frontend group::authorization maintenance::refactor pipeline::tier-1 section::sec type::maintenance Alex Buijs abuijs@gitlab.com Alex Buijs abuijs@gitlab.com https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/9286 <title type="html">Draft: Default to PostgreSQL 17 for fresh installs</title> 2026-04-07T12:26:53Z Nailia Iskhakova

Draft: Default to PostgreSQL 17 for fresh installs

## What does this MR do?   ## What does this MR do?  Default to PostgreSQL 17 for fresh installs * Fresh installs now default to PostrgreSQL 17. * The default can be overridden by setting `postgresql['version']=16`. * Existing installations do not upgrade automatically. ## Related issues  Related to #9724+ ## Checklist See [Definition of done](https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/CONTRIBUTING.md#definition-of-done). For anything in this list which will not be completed, please provide a reason in the MR discussion. ### Required - [x] MR title and description are up to date, accurate, and descriptive. - [x] MR targeting the appropriate branch. - [ ] Latest Merge Result pipeline is green. - [ ] When ready for review, MR is labeled ~"workflow::ready for review" per the [Distribution MR workflow](https://about.gitlab.com/handbook/engineering/development/enablement/systems/distribution/merge_requests.html). #### For GitLab team members If you don't have access to this, the reviewer should trigger these jobs for you during the review process. - [ ] The manual `Trigger:ee-package` jobs have a green pipeline running against latest commit. - [ ] If `config/software` or `config/patches` directories are changed, make sure the `build-package-on-all-os` job within the `Trigger:ee-package` downstream pipeline succeeded. - [ ] If you are changing anything SSL related, then the `Trigger:package:fips` manual job within the `Trigger:ee-package` downstream pipeline must succeed. - [ ] If CI configuration is changed, the branch must be pushed to [`dev.gitlab.org`](https://dev.gitlab.org/gitlab/omnibus-gitlab) to confirm regular branch builds aren't broken. ### Expected (please provide an explanation if not completing) - [ ] Test plan indicating conditions for success has been posted and passes. - [x] Documentation created/updated. - [x] Tests added - not applicable, existing tests cover this. - [x] Integration tests added to [GitLab QA](https://gitlab.com/gitlab-org/gitlab-qa). - N/A - [x] Equivalent MR/issue for the [GitLab Chart](https://gitlab.com/gitlab-org/charts/gitlab) opened. - N/A as Charts don't have PG anymore - [x] Validate potential values for new configuration settings. Formats such as integer `10`, duration `10s`, URI `scheme://user:passwd@host:port` may require quotation or other special handling when rendered in a template and written to a configuration file. 18.11 department::infrastructure platforms devops::gitlab delivery group::operate section::gitlab delivery type::maintenance Nailia Iskhakova Nailia Iskhakova https://gitlab.com/gitlab-org/gitlab/-/merge_requests/230354 <title type="html">Draft: Scope malicious_package_detection ff to group</title> 2026-04-07T11:47:34Z David Pisek

Draft: Scope malicious_package_detection ff to group

## What does this MR do and why? ## References  ## Screenshots or screen recordings  | Before | After | | ------ | ------ | | | |  ## How to set up and validate locally  ## MR acceptance checklist Evaluate this MR against the [MR acceptance checklist](https://docs.gitlab.com/development/code_review/#acceptance-checklist). It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability. backend pipeline::tier-1 David Pisek David Pisek https://gitlab.com/gitlab-org/gitlab/-/merge_requests/230353 <title type="html">Skip group SAML URL/fingerprint validation when disabled</title> 2026-04-07T11:57:03Z Eduardo Sanz García

Skip group SAML URL/fingerprint validation when disabled

## What does this MR do and why? Only validate sso_url and certificate_fingerprint when group SAML is enabled, allowing users to disable the feature without validation errors. Changelog: fixed ## References Closes https://gitlab.com/... ## What does this MR do and why? Only validate sso_url and certificate_fingerprint when group SAML is enabled, allowing users to disable the feature without validation errors. Changelog: fixed ## References Closes https://gitlab.com/gitlab-org/gitlab/-/work_items/582630  ## Screenshots or screen recordings  No error message appears.  ## How to set up and validate locally 1. Setup a group with SAML enabled: - Create a group with premium/ultimate license - Navigate to Group Settings → SAML SSO - Configure SAML with a valid URL and certificate fingerprint - Verify "Enable SAML authentication for this group" is checked 2. Verify disabling works without errors: - Uncheck "Enable SAML authentication for this group" - Clear the URL field (leave empty) - Clear the certificate fingerprint field (leave empty) - Click Save - Confirm the form saves successfully without validation errors 3. Verify SAML is actually disabled: - Reload the page - Confirm "Enable SAML authentication for this group" is unchecked - Confirm the URL and fingerprint fields are empty 4. Run automated tests: bundle exec rspec ee/spec/controllers/groups/saml_providers_controller_spec.rb bundle exec rspec ee/spec/models/saml_provider_spec.rb bundle exec rspec ee/spec/features/groups/saml_providers_spec.rb 5. Verify re-enabling still requires fields: - Check "Enable SAML authentication for this group" - Try to save without entering URL and fingerprint - Confirm validation errors appear (URL and fingerprint required) - Enter valid values and save successfully ## MR acceptance checklist Evaluate this MR against the [MR acceptance checklist](https://docs.gitlab.com/development/code_review/#acceptance-checklist). It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability. 18.11 backend bug::ux devops::software supply chain security group::authentication pipeline::tier-1 section::sec type::bug Eduardo Sanz García Eduardo Sanz García https://gitlab.com/gitlab-org/gitlab-runner/-/merge_requests/6615 <title type="html">Docs: Standardize runner capitalization in Docker Machine autoscale docs</title> 2026-04-07T11:23:04Z Roshni Sarangadharan

Docs: Standardize runner capitalization in Docker Machine autoscale docs

## What does this MR do? Fixes inconsistent capitalization of "runner" vs "GitLab Runner" in the Docker Machine executor autoscale configuration documentation and corrects related grammar issues. This is a followup to https://gitlab.com... ## What does this MR do? Fixes inconsistent capitalization of "runner" vs "GitLab Runner" in the Docker Machine executor autoscale configuration documentation and corrects related grammar issues. This is a followup to https://gitlab.com/gitlab-org/gitlab-runner/-/merge_requests/6611+. ## Related issues  ## Author's checklist - [ ] Optional. Consider taking [the GitLab Technical Writing Fundamentals course](https://university.gitlab.com/courses/gitlab-technical-writing-fundamentals). - [ ] Follow the: - [Documentation process](https://docs.gitlab.com/development/documentation/workflow/). - [Documentation guidelines](https://docs.gitlab.com/development/documentation/). - [Style Guide](https://docs.gitlab.com/development/documentation/styleguide/). - [ ] If you're adding or changing the main heading of the page (H1), ensure that the [product availability details](https://docs.gitlab.com/development/documentation/styleguide/availability_details/) are added. - [ ] If you are a GitLab team member, [request a review](https://docs.gitlab.com/development/code_review/#dogfooding-the-reviewers-feature) based on: - The documentation page's [metadata](https://docs.gitlab.com/development/documentation/metadata/). - The [associated Technical Writer](https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments). If you are a GitLab team member and only adding documentation, do not add any of the following labels: - `~"frontend"` - `~"backend"` - `~"type::bug"` - `~"database"` These labels cause the MR to be added to code verification QA issues. ## Reviewer's checklist Documentation-related MRs should be reviewed by a Technical Writer for a non-blocking review, based on [Documentation Guidelines](https://docs.gitlab.com/development/documentation/) and the [Style Guide](https://docs.gitlab.com/development/documentation/styleguide/). If you aren't sure which tech writer to ask, use [roulette](https://gitlab-org.gitlab.io/gitlab-roulette/?sortKey=stats.avg30&order=-1&hourFormat24=true&visible=maintainer%7Cdocs) or ask in the [#docs](https://gitlab.slack.com/archives/C16HYA2P5) Slack channel. - [ ] If the content requires it, ensure the information is reviewed by a subject matter expert. - Technical writer review items: - [ ] Ensure docs metadata is present and up-to-date. - [ ] Ensure the appropriate [labels](https://docs.gitlab.com/development/documentation/workflow/#labels) are added to this MR. - [ ] Ensure a release milestone is set. - If relevant to this MR, ensure [content topic type](https://docs.gitlab.com/development/documentation/topic_types/) principles are in use, including: - [ ] The headings should be something you'd do a Google search for. Instead of `Default behavior`, say something like `Default behavior when you close an issue`. - [ ] The headings (other than the page title) should be active. Instead of `Configuring GDK`, say something like `Configure GDK`. - [ ] Any task steps should be written as a numbered list. - If the content still needs to be edited for topic types, you can create a follow-up issue with the ~"docs-technical-debt" label. - [ ] Review by assigned maintainer, who can always request/require the above reviews. Maintainer's review can occur before or after a technical writer review. 18.11 Category:Runner devops::verify docs-only documentation group::runner core maintenance::refactor section::ci type::maintenance Roshni Sarangadharan Roshni Sarangadharan https://gitlab.com/gitlab-org/gitlab-development-kit/-/merge_requests/5881 <title type="html">Fix broken URL in developer license documentation</title> 2026-04-07T11:20:42Z Imam Hossain

Fix broken URL in developer license documentation

Fix Broken URL link to correct URL https://handbook.gitlab.com/handbook/engineering/workflow/developer-onboarding/#working-on-gitlab-ee-developer-licenses Fix Broken URL link to correct URL https://handbook.gitlab.com/handbook/engineering/workflow/developer-onboarding/#working-on-gitlab-ee-developer-licenses docs-only docs::fix documentation type::bug Imam Hossain Imam Hossain https://gitlab.com/gitlab-org/gitlab-development-kit/-/merge_requests/5880 <title type="html">Update gitlab-topology-service digest to 89f495b</title> 2026-04-07T12:16:59Z GitLab Dependency Bot

Update gitlab-topology-service digest to 89f495b

This MR contains the following updates: | Package | Update | Change | |---|---|---| | gitlab-topology-service | digest | `1afc5ea` -> `89f495b` | MR created with the help of [gitlab-org/frontend/renovate-gitlab-bot](https://gitlab.com/... This MR contains the following updates: | Package | Update | Change | |---|---|---| | gitlab-topology-service | digest | `1afc5ea` -> `89f495b` | MR created with the help of [gitlab-org/frontend/renovate-gitlab-bot](https://gitlab.com/gitlab-org/frontend/renovate-gitlab-bot) --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this MR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this MR, check this box --- This MR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).  Category:GDK Engineering Productivity automation:bot-authored backend maintenance::dependency type::maintenance GitLab Dependency Bot GitLab Dependency Bot https://gitlab.com/gitlab-org/gitlab/-/merge_requests/230352 <title type="html">Tutorial landing page enhancements</title> 2026-04-07T12:07:27Z Kati Paizee

Tutorial landing page enhancements

## What does this MR do? - Adds the 'Set up your organization' tutorial to the 'Find your way around GitLab' landing page. - Replaces a deprecated course with a GitLab basic course. ## Author's checklist - [ ] Optional. Consider taki... ## What does this MR do? - Adds the 'Set up your organization' tutorial to the 'Find your way around GitLab' landing page. - Replaces a deprecated course with a GitLab basic course. ## Author's checklist - [ ] Optional. Consider taking [the GitLab Technical Writing Fundamentals course](https://university.gitlab.com/courses/gitlab-technical-writing-fundamentals). - [ ] Follow the: - [Documentation process](https://docs.gitlab.com/development/documentation/workflow/). - [Documentation guidelines](https://docs.gitlab.com/development/documentation/). - [Style Guide](https://docs.gitlab.com/development/documentation/styleguide/). - [ ] If you're adding a new page, add the [product availability details](https://docs.gitlab.com/development/documentation/styleguide/availability_details/) under the H1 topic title. - [ ] If you are a GitLab team member, [request a review](https://docs.gitlab.com/development/code_review/#dogfooding-the-reviewers-feature) based on: - The documentation page's [metadata](https://docs.gitlab.com/development/documentation/metadata/). - The [associated Technical Writer](https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments). If you are a GitLab team member and only adding documentation, do not add any of the following labels: - `~"frontend"` - `~"backend"` - `~"type::bug"` - `~"database"` These labels cause the MR to be added to code verification QA issues. ## Reviewer's checklist Documentation-related MRs should be reviewed by a Technical Writer for a non-blocking review, based on [Documentation Guidelines](https://docs.gitlab.com/development/documentation/) and the [Style Guide](https://docs.gitlab.com/development/documentation/styleguide/). If you aren't sure which tech writer to ask, use [roulette](https://gitlab-org.gitlab.io/gitlab-roulette/?sortKey=stats.avg30&order=-1&hourFormat24=true&visible=maintainer%7Cdocs) or ask in the [#docs](https://gitlab.slack.com/archives/C16HYA2P5) Slack channel. - [ ] If the content requires it, ensure the information is reviewed by a subject matter expert. - Technical writer review items: - [ ] Ensure docs metadata is present and up-to-date. - [ ] Ensure the appropriate [labels](https://docs.gitlab.com/development/documentation/workflow/#labels) are added to this MR. - [ ] Ensure a release milestone is set. - If relevant to this MR, ensure [content topic type](https://docs.gitlab.com/development/documentation/topic_types/) principles are in use, including: - [ ] The headings should be something you'd do a Google search for. Instead of `Default behavior`, say something like `Default behavior when you close an issue`. - [ ] The headings (other than the page title) should be active. Instead of `Configuring GDK`, say something like `Configure GDK`. - [ ] Any task steps should be written as a numbered list. - If the content still needs to be edited for topic types, you can create a follow-up issue with the ~"docs-technical-debt" label. - [ ] Review by assigned maintainer, who can always request/require the reviews above. Maintainer's review can occur before or after a technical writer review. 18.11 Technical Writing docs-only documentation maintenance::refactor type::maintenance Kati Paizee Kati Paizee https://gitlab.com/gitlab-org/gitlab/-/merge_requests/230351 <title type="html">Use cursor-based iteration in CreateEnabledNamespaceEventWorker</title> 2026-04-07T12:14:14Z Arturo Herrero aherrero@gitlab.com

Use cursor-based iteration in CreateEnabledNamespaceEventWorker

## Description Follow-up to !229483 and !229503. Introduces a `last_processed_id` cursor to `CreateEnabledNamespaceEventWorker`, matching the pattern already used in `ProcessInvalidEnabledNamespaceEventWorker`. Instead of restarting fr... ## Description Follow-up to !229483 and !229503. Introduces a `last_processed_id` cursor to `CreateEnabledNamespaceEventWorker`, matching the pattern already used in `ProcessInvalidEnabledNamespaceEventWorker`. Instead of restarting from row 0 on every re-emission, the worker resumes from where it left off — iterating `GitlabSubscription` on SaaS and `Namespace` on self-managed. Also adds `LIMIT = 10_000` to cap total inserts per run, separate from `BATCH_SIZE` which controls the inner DB batch size. Related to https://gitlab.com/gitlab-org/gitlab/-/work_items/591063 18.11 Category:Code Search backend devops::ai-powered group::global search maintenance::performance section::ai type::maintenance Arturo Herrero aherrero@gitlab.com Arturo Herrero aherrero@gitlab.com https://gitlab.com/gitlab-org/gitlab/-/merge_requests/230350 <title type="html">Draft: Expose scan profile statuses via GraphQL</title> 2026-04-07T11:16:29Z Nicolae Rotaru

Draft: Expose scan profile statuses via GraphQL

## What does this MR do and why? Exposes scan profile statuses via GraphQL so the frontend can display scanner health indicators for security scan profiles. The API exposes a single computed `status` enum that resolves the final displa... ## What does this MR do and why? Exposes scan profile statuses via GraphQL so the frontend can display scanner health indicators for security scan profiles. The API exposes a single computed `status` enum that resolves the final display state server-side (NOT_CONFIGURED, ACTIVE, WARNING, FAILED, STALE), so the frontend can use it directly for badge rendering without reimplementing threshold or staleness logic. **Why:** The data exists in `security_scan_profile_project_statuses` (from [!227103 (merged)](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/227103)) and is populated by the status update worker (from the status update MR). This MR makes it queryable. This is MR 4 of 4 in the [implementation plan](https://gitlab.com/gitlab-org/gitlab/-/work_items/591916). ## Implementation details - **`ScanProfileStatusEnum`** (`ee/app/graphql/types/security/scan_profile_status_enum.rb`): - 5 values: `NOT_CONFIGURED`, `ACTIVE`, `WARNING`, `FAILED`, `STALE` - **`ScanProfileProjectStatusType`** (`ee/app/graphql/types/security/scan_profile_project_status_type.rb`): - Fields: `scanProfile`, `status`, `consecutiveFailureCount`, `consecutiveSuccessCount`, `lastScanAt`, `buildId` - `status` field uses `method: :computed_status` which resolves the display state from the model - Authorization delegated to parent field level (same pattern as `ScanProfileType`) - **`ProjectType#scanProfileStatuses`** (`ee/app/graphql/ee/types/project_type.rb`): - New field gated by `authorize: :read_security_scan_profiles` and `licensed_feature_available?(:security_scan_profiles)` - Eager loads `:scan_profile` via `with_scan_profile` scope to prevent N+1 - Marked as `experiment: { milestone: '18.11' }` - **`computed_status` method** (`ee/app/models/security/scan_profile_project_status.rb`): - Resolution order: `not_configured?` -\> `stale?` -\> `profile_failed?` -\> `warning?` -\> else `active` - Staleness takes priority: a profile with 3+ failures but no scan in 90 days shows as `STALE`, not `FAILED` - **`with_scan_profile` scope** added to `ScanProfileProjectStatus` for eager loading ### Status resolution logic | DB status | Condition | GraphQL `status` | |-----------|-----------|------------------| | `not_configured` | \-- | `NOT_CONFIGURED` | | `success` | `last_scan_at` nil or recent | `ACTIVE` | | `success` | `last_scan_at` \> 90 days | `STALE` | | `warning` | `last_scan_at` recent | `WARNING` | | `warning` | `last_scan_at` \> 90 days | `STALE` | | `failed` | `last_scan_at` recent | `FAILED` | | `failed` | `last_scan_at` \> 90 days | `STALE` | ## Example query ```graphql query { project(fullPath: "my-group/my-project") { scanProfileStatuses { scanProfile { id name scanType } status consecutiveFailureCount consecutiveSuccessCount lastScanAt buildId } } } ``` ## Example response ```json { "data": { "project": { "scanProfileStatuses": [ { "scanProfile": { "id": "gid://gitlab/Security::ScanProfile/61", "name": "Secret Detection (default)", "scanType": "SECRET_DETECTION" }, "status": "ACTIVE", "consecutiveFailureCount": 0, "consecutiveSuccessCount": 1, "lastScanAt": "2026-04-07T08:07:06Z", "buildId": "gid://gitlab/CommitStatus/957" }, { "scanProfile": { "id": "gid://gitlab/Security::ScanProfile/62", "name": "Dependency Scanning (default)", "scanType": "DEPENDENCY_SCANNING" }, "status": "WARNING", "consecutiveFailureCount": 1, "consecutiveSuccessCount": 0, "lastScanAt": "2026-04-07T08:07:16Z", "buildId": "gid://gitlab/CommitStatus/958" } ] } }, "correlationId": "01KNKSV95Q96JV5HCY670FYR62" } ``` ## How to set up and validate locally 1. In GDK, create a group and a project with a repository 2. Attach a scan profile to the group and apply it to the project 3. Push a commit to trigger a pipeline and wait for completion 4. Run the GraphQL query above using the GraphiQL explorer at `/-/graphql-explorer` 5. Verify the response includes the profile status with the correct computed `status` value ## MR acceptance checklist - [x] Enum spec: 5 values (`ee/spec/graphql/types/security/scan_profile_status_enum_spec.rb`) - [x] Type spec: expected fields, no direct authorization (`ee/spec/graphql/types/security/scan_profile_project_status_type_spec.rb`) - [x] Model spec: 8 parameterized `computed_status` scenarios (`ee/spec/models/security/scan_profile_project_status_spec.rb`) - [x] Request spec: 12 tests covering happy path, empty state, license gating, authorization, and all 8 status resolution scenarios (`ee/spec/requests/api/graphql/project/scan_profile_statuses_spec.rb`) - [x] RuboCop clean - [x] No database migration needed ## Related issues - Closes [#593133](https://gitlab.com/gitlab-org/gitlab/-/work_items/593133) - Part of [#591916 (closed)](https://gitlab.com/gitlab-org/gitlab/-/work_items/591916) (implementation plan) - Related to [#591555](https://gitlab.com/gitlab-org/gitlab/-/work_items/591555) (parent issue) Changelog: added\ EE: true <

Metadata

Assignees

No one assigned

Labels

No labels

No labels

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests