From 50d8b24f95c3b0d669b94dd4a66c716e605fd0ee Mon Sep 17 00:00:00 2001
From: Paul Slaughter <pslaughter@gitlab.com>
Date: Tue, 3 Dec 2024 10:11:38 -0600
Subject: [PATCH 01/14] Feat(Q): Add AmazonQ db and config

---
 ...41120210519_add_amazon_q_to_ai_settings.rb | 38 +++++++++++++++
 ...0241121140110_migrate_amazon_q_settings.rb | 47 +++++++++++++++++++
 db/schema_migrations/20241120210519           |  1 +
 db/schema_migrations/20241121140110           |  1 +
 db/structure.sql                              | 15 ++++++
 ee/app/models/ai/setting.rb                   | 13 +++++
 .../models/gitlab_subscriptions/features.rb   |  7 +--
 .../wip/amazon_q_integration.yml              |  9 ++++
 ee/spec/models/ai/setting_spec.rb             | 18 +++++++
 9 files changed, 146 insertions(+), 3 deletions(-)
 create mode 100644 db/migrate/20241120210519_add_amazon_q_to_ai_settings.rb
 create mode 100644 db/migrate/20241121140110_migrate_amazon_q_settings.rb
 create mode 100644 db/schema_migrations/20241120210519
 create mode 100644 db/schema_migrations/20241121140110
 create mode 100644 ee/config/feature_flags/wip/amazon_q_integration.yml

diff --git a/db/migrate/20241120210519_add_amazon_q_to_ai_settings.rb b/db/migrate/20241120210519_add_amazon_q_to_ai_settings.rb
new file mode 100644
index 00000000000000..1b78acf77b1814
--- /dev/null
+++ b/db/migrate/20241120210519_add_amazon_q_to_ai_settings.rb
@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+class AddAmazonQToAiSettings < Gitlab::Database::Migration[2.2]
+  disable_ddl_transaction!
+
+  milestone '17.7'
+
+  def up
+    with_lock_retries do
+      add_column :ai_settings, :amazon_q_oauth_application_id, :bigint
+      add_column :ai_settings, :amazon_q_service_account_user_id, :bigint
+      add_column :ai_settings, :amazon_q_ready, :boolean, default: false, null: false
+      add_column :ai_settings, :amazon_q_role_arn, :text
+    end
+
+    add_concurrent_index :ai_settings, :amazon_q_oauth_application_id
+    add_concurrent_foreign_key :ai_settings,
+      :oauth_applications,
+      column: :amazon_q_oauth_application_id,
+      on_delete: :nullify
+    add_concurrent_index :ai_settings, :amazon_q_service_account_user_id
+    add_concurrent_foreign_key :ai_settings,
+      :users,
+      column: :amazon_q_service_account_user_id,
+      on_delete: :nullify
+
+    add_text_limit :ai_settings, :amazon_q_role_arn, 2048
+  end
+
+  def down
+    with_lock_retries do
+      remove_column :ai_settings, :amazon_q_oauth_application_id, if_exists: true
+      remove_column :ai_settings, :amazon_q_service_account_user_id, if_exists: true
+      remove_column :ai_settings, :amazon_q_ready, if_exists: true
+      remove_column :ai_settings, :amazon_q_role_arn, if_exists: true
+    end
+  end
+end
diff --git a/db/migrate/20241121140110_migrate_amazon_q_settings.rb b/db/migrate/20241121140110_migrate_amazon_q_settings.rb
new file mode 100644
index 00000000000000..8ac4a29727ef9a
--- /dev/null
+++ b/db/migrate/20241121140110_migrate_amazon_q_settings.rb
@@ -0,0 +1,47 @@
+# frozen_string_literal: true
+
+# TODO(Q): We can remove this when we merge upstream as this column would never have been created?
+class MigrateAmazonQSettings < Gitlab::Database::Migration[2.2]
+  disable_ddl_transaction!
+
+  milestone '17.7'
+
+  def up
+    Gitlab::Database::QueryAnalyzers::RestrictAllowedSchemas.with_suppressed do
+      execute <<~SQL
+        DO $$
+        BEGIN
+          IF EXISTS (
+            SELECT 1
+            FROM pg_attribute
+            WHERE attrelid = 'application_settings'::regclass
+              AND attname = 'duo'
+              AND NOT attisdropped
+          ) THEN
+            UPDATE ai_settings
+            SET
+              amazon_q_oauth_application_id = (SELECT duo->>'duo_amazon_q_oauth_application_id' FROM application_settings)::bigint,
+              amazon_q_service_account_user_id = (SELECT duo->>'duo_amazon_q_service_account_user_id' FROM application_settings)::bigint,
+              amazon_q_ready = (SELECT duo->>'duo_amazon_q_ready' FROM application_settings)::boolean,
+              amazon_q_role_arn = (SELECT duo->>'duo_amazon_q_role_arn' FROM application_settings);
+          END IF;
+        END $$;
+      SQL
+    rescue # rubocop:disable Style/RescueStandardError -- This will fail outside of the main database as the ai_settings table will be read-only
+    end
+
+    with_lock_retries { remove_column :application_settings, :duo, if_exists: true } # rubocop:disable Migration/RemoveColumn -- This is only temporary
+  end
+
+  def down
+    with_lock_retries do
+      add_column :application_settings, :duo, :jsonb, default: {}, null: true
+    end
+
+    add_check_constraint(
+      :application_settings,
+      "(jsonb_typeof(duo) = 'object')",
+      'check_application_settings_duo_is_hash'
+    )
+  end
+end
diff --git a/db/schema_migrations/20241120210519 b/db/schema_migrations/20241120210519
new file mode 100644
index 00000000000000..903304ef0e0e43
--- /dev/null
+++ b/db/schema_migrations/20241120210519
@@ -0,0 +1 @@
+96e7602127a393034b48697a892e89830fc8fae140f9ace566e14f64ee603384
\ No newline at end of file
diff --git a/db/schema_migrations/20241121140110 b/db/schema_migrations/20241121140110
new file mode 100644
index 00000000000000..3138effc15b18e
--- /dev/null
+++ b/db/schema_migrations/20241121140110
@@ -0,0 +1 @@
+40785e1d6af5d751371315c3173380e3f5e00982ceaee75a7d523116491fc961
\ No newline at end of file
diff --git a/db/structure.sql b/db/structure.sql
index 97d2ac440c2b43..a462b0b104f815 100644
--- a/db/structure.sql
+++ b/db/structure.sql
@@ -6039,7 +6039,12 @@ CREATE TABLE ai_settings (
     singleton boolean DEFAULT true NOT NULL,
     created_at timestamp with time zone DEFAULT now() NOT NULL,
     updated_at timestamp with time zone DEFAULT now() NOT NULL,
+    amazon_q_oauth_application_id bigint,
+    amazon_q_service_account_user_id bigint,
+    amazon_q_ready boolean DEFAULT false NOT NULL,
+    amazon_q_role_arn text,
     CONSTRAINT check_3cf9826589 CHECK ((char_length(ai_gateway_url) <= 2048)),
+    CONSTRAINT check_a02bd8868c CHECK ((char_length(amazon_q_role_arn) <= 2048)),
     CONSTRAINT check_singleton CHECK ((singleton IS TRUE))
 );
 
@@ -29048,6 +29053,10 @@ CREATE UNIQUE INDEX index_ai_feature_settings_on_feature ON ai_feature_settings
 
 CREATE UNIQUE INDEX index_ai_self_hosted_models_on_name ON ai_self_hosted_models USING btree (name);
 
+CREATE INDEX index_ai_settings_on_amazon_q_oauth_application_id ON ai_settings USING btree (amazon_q_oauth_application_id);
+
+CREATE INDEX index_ai_settings_on_amazon_q_service_account_user_id ON ai_settings USING btree (amazon_q_service_account_user_id);
+
 CREATE UNIQUE INDEX index_ai_settings_on_singleton ON ai_settings USING btree (singleton);
 
 CREATE INDEX index_ai_vectorizable_files_on_project_id ON ai_vectorizable_files USING btree (project_id);
@@ -35710,6 +35719,9 @@ ALTER TABLE ONLY analytics_dashboards_pointers
 ALTER TABLE ONLY issues
     ADD CONSTRAINT fk_05f1e72feb FOREIGN KEY (author_id) REFERENCES users(id) ON DELETE SET NULL;
 
+ALTER TABLE ONLY ai_settings
+    ADD CONSTRAINT fk_05f695565a FOREIGN KEY (amazon_q_oauth_application_id) REFERENCES oauth_applications(id) ON DELETE SET NULL;
+
 ALTER TABLE ONLY merge_requests
     ADD CONSTRAINT fk_06067f5644 FOREIGN KEY (latest_merge_request_diff_id) REFERENCES merge_request_diffs(id) ON DELETE SET NULL;
 
@@ -37024,6 +37036,9 @@ ALTER TABLE ONLY external_status_checks_protected_branches
 ALTER TABLE ONLY dast_profiles_pipelines
     ADD CONSTRAINT fk_cc206a8c13 FOREIGN KEY (dast_profile_id) REFERENCES dast_profiles(id) ON DELETE CASCADE;
 
+ALTER TABLE ONLY ai_settings
+    ADD CONSTRAINT fk_cce81e0b9a FOREIGN KEY (amazon_q_service_account_user_id) REFERENCES users(id) ON DELETE SET NULL;
+
 ALTER TABLE ONLY todos
     ADD CONSTRAINT fk_ccf0373936 FOREIGN KEY (author_id) REFERENCES users(id) ON DELETE CASCADE;
 
diff --git a/ee/app/models/ai/setting.rb b/ee/app/models/ai/setting.rb
index a9b8b449bddb38..277962dae7b20b 100644
--- a/ee/app/models/ai/setting.rb
+++ b/ee/app/models/ai/setting.rb
@@ -5,9 +5,22 @@ class Setting < ApplicationRecord
     self.table_name = "ai_settings"
 
     validates :ai_gateway_url, length: { maximum: 2048 }, allow_nil: true
+    validates :amazon_q_role_arn, length: { maximum: 2048 }, allow_nil: true
+
     validate :validate_ai_gateway_url
     validate :validates_singleton
 
+    has_one :amazon_q_oauth_application, # rubocop:disable Rails/InverseOf -- This model is defined oustide of the project
+      class_name: 'Doorkeeper::Application',
+      foreign_key: 'id',
+      primary_key: 'amazon_q_oauth_application_id',
+      dependent: :nullify
+    has_one :amazon_q_service_account, # rubocop:disable Rails/InverseOf -- I don't think we need this?
+      class_name: 'User',
+      foreign_key: 'id',
+      primary_key: 'amazon_q_service_account_user_id',
+      dependent: :nullify
+
     def self.instance
       first || create!(defaults)
     rescue ActiveRecord::RecordNotUnique, ActiveRecord::RecordInvalid
diff --git a/ee/app/models/gitlab_subscriptions/features.rb b/ee/app/models/gitlab_subscriptions/features.rb
index 5d5dccccaab7a5..f06f350ff24258 100644
--- a/ee/app/models/gitlab_subscriptions/features.rb
+++ b/ee/app/models/gitlab_subscriptions/features.rb
@@ -185,15 +185,16 @@ class Features
     ].freeze
 
     ULTIMATE_FEATURES = %i[
+      ai_agents
       ai_config_chat
       ai_features
-      ai_workflows
-      glab_ask_git_command
-      ai_agents
       ai_review_mr
+      ai_workflows
+      amazon_q
       api_discovery
       api_fuzzing
       auto_rollback
+      glab_ask_git_command
       cluster_receptive_agents
       cluster_image_scanning
       external_status_checks
diff --git a/ee/config/feature_flags/wip/amazon_q_integration.yml b/ee/config/feature_flags/wip/amazon_q_integration.yml
new file mode 100644
index 00000000000000..7125078b38cb37
--- /dev/null
+++ b/ee/config/feature_flags/wip/amazon_q_integration.yml
@@ -0,0 +1,9 @@
+---
+name: amazon_q_integration
+feature_issue_url:
+introduced_by_url:
+rollout_issue_url:
+milestone: '17.5'
+group: group::ai framework
+type: wip
+default_enabled: false
diff --git a/ee/spec/models/ai/setting_spec.rb b/ee/spec/models/ai/setting_spec.rb
index bf449c35cae9ab..26780c8487043d 100644
--- a/ee/spec/models/ai/setting_spec.rb
+++ b/ee/spec/models/ai/setting_spec.rb
@@ -3,6 +3,22 @@
 require 'spec_helper'
 
 RSpec.describe Ai::Setting, feature_category: :ai_abstraction_layer do
+  describe 'associations' do
+    it 'has expected associations' do
+      is_expected.to have_one(:amazon_q_oauth_application)
+        .class_name('Doorkeeper::Application')
+        .with_foreign_key('id')
+        .with_primary_key('amazon_q_oauth_application_id')
+        .dependent(:nullify)
+
+      is_expected.to have_one(:amazon_q_service_account)
+        .class_name('User')
+        .with_foreign_key('id')
+        .with_primary_key('amazon_q_service_account_user_id')
+        .dependent(:nullify)
+    end
+  end
+
   describe 'validations' do
     subject(:setting) { described_class.instance }
 
@@ -93,5 +109,7 @@
         expect(described_class.count).to eq(1)
       end
     end
+
+    it { is_expected.to validate_length_of(:amazon_q_role_arn).is_at_most(2048).allow_nil }
   end
 end
-- 
GitLab


From 15708a69c0718cfd276725b2931dc5dbce59f30d Mon Sep 17 00:00:00 2001
From: Paul Slaughter <pslaughter@gitlab.com>
Date: Tue, 3 Dec 2024 10:23:58 -0600
Subject: [PATCH 02/14] Feat(Q): Initialize AmazonQ onboarding admin pages

---
 .../application_settings/general.html.haml    |  1 +
 .../admin/ai/amazon_q_settings_controller.rb  | 39 +++++++++++++++++++
 .../ee/projects/application_controller.rb     |  6 +++
 ee/app/policies/ee/global_policy.rb           |  8 ++++
 .../ai/amazon_q_settings/index.html.haml      | 14 +++++++
 .../application_settings/_amazon_q.html.haml  | 12 ++++++
 .../seat_utilization/index.html.haml          | 11 ++++++
 ee/config/routes/admin.rb                     |  5 +++
 ee/lib/ai/amazon_q.rb                         | 32 +++++++++++++++
 ee/spec/policies/global_policy_spec.rb        | 29 ++++++++++++++
 10 files changed, 157 insertions(+)
 create mode 100644 ee/app/controllers/admin/ai/amazon_q_settings_controller.rb
 create mode 100644 ee/app/views/admin/ai/amazon_q_settings/index.html.haml
 create mode 100644 ee/app/views/admin/application_settings/_amazon_q.html.haml
 create mode 100644 ee/lib/ai/amazon_q.rb

diff --git a/app/views/admin/application_settings/general.html.haml b/app/views/admin/application_settings/general.html.haml
index ab212e22694d91..bf08a03e84d298 100644
--- a/app/views/admin/application_settings/general.html.haml
+++ b/app/views/admin/application_settings/general.html.haml
@@ -109,3 +109,4 @@
 = render 'admin/application_settings/slack'
 = render 'admin/application_settings/security_txt', expanded: expanded_by_default?
 = render_if_exists 'admin/application_settings/analytics'
+= render_if_exists 'admin/application_settings/amazon_q'
diff --git a/ee/app/controllers/admin/ai/amazon_q_settings_controller.rb b/ee/app/controllers/admin/ai/amazon_q_settings_controller.rb
new file mode 100644
index 00000000000000..16125ca00fbb74
--- /dev/null
+++ b/ee/app/controllers/admin/ai/amazon_q_settings_controller.rb
@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+module Admin
+  module Ai
+    # NOTE: This module is under development and will grow in future MR's.
+    #       See <ISSUE_URL>.
+    class AmazonQSettingsController < Admin::ApplicationController
+      before_action :authorize_admin_amazon_q!
+      before_action :expire_current_settings
+      feature_category :duo_workflow
+
+      def index
+        setup_view_model
+      end
+
+      private
+
+      def setup_view_model
+        @view_model = {
+          submitUrl: admin_ai_amazon_q_settings_path,
+          disconnectUrl: disconnect_admin_ai_amazon_q_settings_path,
+          amazonQSettings: {
+            ready: ::Ai::Setting.instance.amazon_q_ready,
+            roleArn: ::Ai::Setting.instance.amazon_q_role_arn,
+            availability: Gitlab::CurrentSettings.duo_availability
+          }
+        }
+      end
+
+      def authorize_admin_amazon_q!
+        access_denied!("Amazon Q is not enabled") unless can?(current_user, :admin_amazon_q)
+      end
+
+      def expire_current_settings
+        Gitlab::CurrentSettings.expire_current_application_settings
+      end
+    end
+  end
+end
diff --git a/ee/app/controllers/ee/projects/application_controller.rb b/ee/app/controllers/ee/projects/application_controller.rb
index c72edad9118d33..66d77ca3a09846 100644
--- a/ee/app/controllers/ee/projects/application_controller.rb
+++ b/ee/app/controllers/ee/projects/application_controller.rb
@@ -6,6 +6,12 @@ module ApplicationController
       extend ActiveSupport::Concern
       extend ::Gitlab::Utils::Override
 
+      prepended do
+        before_action do
+          push_frontend_feature_flag(:amazon_q_integration, current_user)
+        end
+      end
+
       private
 
       override :auth_proc
diff --git a/ee/app/policies/ee/global_policy.rb b/ee/app/policies/ee/global_policy.rb
index dc2612ac936c50..22e9c52792e80b 100644
--- a/ee/app/policies/ee/global_policy.rb
+++ b/ee/app/policies/ee/global_policy.rb
@@ -141,6 +141,10 @@ module GlobalPolicy
         License.feature_available?(:remote_development)
       end
 
+      condition(:amazon_q_feature_available) do
+        ::Ai::AmazonQ.feature_available?
+      end
+
       rule { ~anonymous & remote_development_feature_licensed }.policy do
         enable :access_workspaces_feature
       end
@@ -219,6 +223,10 @@ module GlobalPolicy
       rule { security_policy_bot }.policy do
         enable :access_git
       end
+
+      rule { admin & amazon_q_feature_available }.policy do
+        enable :admin_amazon_q
+      end
     end
 
     def duo_chat_free_access_was_cut_off?
diff --git a/ee/app/views/admin/ai/amazon_q_settings/index.html.haml b/ee/app/views/admin/ai/amazon_q_settings/index.html.haml
new file mode 100644
index 00000000000000..d8e665d3d6e3cb
--- /dev/null
+++ b/ee/app/views/admin/ai/amazon_q_settings/index.html.haml
@@ -0,0 +1,14 @@
+- page_title s_('AmazonQ|Amazon Q Configuration')
+- add_to_breadcrumbs _("General"), general_admin_application_settings_path
+- breadcrumb_title _("Amazon Q")
+
+%h2.gl-flex.gl-items-center.gl-gap-3
+  = s_('AmazonQ|Configure GitLab Duo with Amazon Q')
+  = render Pajamas::BadgeComponent.new(s_('AmazonQ|Beta'), variant: :tier)
+%p
+  -# NOTE(Q): View this docs for how to turn off help page redirecting in your local gitlab instance
+  -#          https://docs.gitlab.com/ee/administration/settings/help_page.html#redirect-help-pages
+  - help_link = link_to('', help_page_path('user/duo_amazon_q/index.md'), target: '_blank', rel: 'noopener noreferrer')
+  = safe_format(s_('AmazonQ|Use GitLab Duo with Amazon Q to create and review merge requests and upgrade Java.%{br}GitLab Duo with Amazon Q is separate from GitLab Duo Pro and Enterprise. %{help_link_start}Learn more%{help_link_end}.'), tag_pair(help_link, :help_link_start, :help_link_end), br: '<br/>'.html_safe)
+
+#js-amazon-q-settings{ data: { view_model: @view_model.to_json } }
diff --git a/ee/app/views/admin/application_settings/_amazon_q.html.haml b/ee/app/views/admin/application_settings/_amazon_q.html.haml
new file mode 100644
index 00000000000000..6da51e02cb88b2
--- /dev/null
+++ b/ee/app/views/admin/application_settings/_amazon_q.html.haml
@@ -0,0 +1,12 @@
+- return unless ::Ai::AmazonQ.feature_available?
+
+= render ::Layouts::SettingsBlockComponent.new(s_('AmazonQ|GitLab Duo with Amazon Q'),
+  id: 'js-amazon-q-settings',
+  expanded: expanded_by_default?) do |c|
+  - c.with_description do
+    - link = link_to('', help_page_path('user/duo_amazon_q/index.md'), target: '_blank', rel: 'noopener noreferrer')
+    = safe_format(s_('AmazonQ|Use GitLab Duo with Amazon Q to create and review merge requests and upgrade Java. %{link_start}Learn more%{link_end}.'), tag_pair(link, :link_start, :link_end))
+  - c.with_body do
+    .gl-mt-3
+      = render Pajamas::ButtonComponent.new(variant: :confirm, href: admin_ai_amazon_q_settings_path) do
+        = s_('AmazonQ|View configuration setup')
diff --git a/ee/app/views/admin/gitlab_duo/seat_utilization/index.html.haml b/ee/app/views/admin/gitlab_duo/seat_utilization/index.html.haml
index 4ada61f84ccdef..fb98526d87c1ab 100644
--- a/ee/app/views/admin/gitlab_duo/seat_utilization/index.html.haml
+++ b/ee/app/views/admin/gitlab_duo/seat_utilization/index.html.haml
@@ -5,4 +5,15 @@
 - add_to_breadcrumbs(_('GitLab Duo'), admin_gitlab_duo_path)
 - duo_pro_url = add_duo_pro_seats_url(@subscription_name)
 
+-# TODO(Q): Add tests. Logic might want to be in helper to make tests easier...
+- if ::Ai::AmazonQ.feature_available? && !::Ai::AmazonQ.connected?
+  = render Pajamas::BannerComponent.new(close_options: { class: '!gl-hidden'},
+    svg_path: 'illustrations/tanuki-ai-sm.svg',
+    button_text: s_('AmazonQ|Get started'),
+    button_link: admin_ai_amazon_q_settings_path) do |c|
+    - c.with_title do
+      = s_('AmazonQ|Configure GitLab Duo with Amazon Q (Beta)')
+    %p
+      = s_('AmazonQ|Use Amazon Q to automate workflows, create a merge request from an issue, upgrade Java, and improve your code with AI-powered reviews.')
+
 #js-code-suggestions-page{ data: { add_duo_pro_seats_url: duo_pro_url, subscription_name: @subscription_name, is_bulk_add_on_assignment_enabled: 'true', subscription_start_date: @subscription_start_date, subscription_end_date: @subscription_end_date } }
diff --git a/ee/config/routes/admin.rb b/ee/config/routes/admin.rb
index a7dce2bdc04c23..8f7e51842ef915 100644
--- a/ee/config/routes/admin.rb
+++ b/ee/config/routes/admin.rb
@@ -58,6 +58,11 @@
         resources :terms_and_conditions, only: [:index, :create]
       end
     end
+    resources :amazon_q_settings, only: [:index, :create] do
+      collection do
+        post :disconnect
+      end
+    end
   end
 
   # using `only: []` to keep duplicate routes from being created
diff --git a/ee/lib/ai/amazon_q.rb b/ee/lib/ai/amazon_q.rb
new file mode 100644
index 00000000000000..b23e589e085581
--- /dev/null
+++ b/ee/lib/ai/amazon_q.rb
@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+module Ai
+  module AmazonQ
+    # NOTE: This module is under development and will grow in future MR's.
+    #       See <ISSUE_URL>.
+    class << self
+      def feature_available?
+        # amazon_q not available on gitlab.com for now
+        return false if ::Gitlab.org_or_com? # rubocop:disable Gitlab/AvoidGitlabInstanceChecks -- This rule only makes sense if you want to selectively enable behavior. I am not going to add a .com license to disable behavior on .com
+
+        return false unless ::Feature.enabled?(:amazon_q_integration, nil)
+
+        return false unless License.feature_available?(:amazon_q)
+
+        true
+      end
+
+      def connected?
+        return false unless feature_available?
+
+        ai_settings.amazon_q_ready
+      end
+
+      private
+
+      def ai_settings
+        Ai::Setting.instance
+      end
+    end
+  end
+end
diff --git a/ee/spec/policies/global_policy_spec.rb b/ee/spec/policies/global_policy_spec.rb
index 5d06a6340e8046..4e123d8b7c2f6e 100644
--- a/ee/spec/policies/global_policy_spec.rb
+++ b/ee/spec/policies/global_policy_spec.rb
@@ -902,4 +902,33 @@
       it { is_expected.to be_disallowed(:manage_ai_settings) }
     end
   end
+
+  describe "Admin Amazon Q" do
+    let(:current_user) { admin }
+    let(:amazon_q_available) { true }
+
+    before do
+      allow(::Ai::AmazonQ).to receive(:feature_available?).and_return(amazon_q_available)
+    end
+
+    context 'when admin' do
+      context 'when amazon q is available', :enable_admin_mode do
+        it { is_expected.to be_allowed(:admin_amazon_q) }
+      end
+
+      context 'when admin mode is disabled' do
+        it { is_expected.to be_disallowed(:admin_amazon_q) }
+      end
+
+      context 'when amazon q is not available', :enable_admin_mode do
+        let(:amazon_q_available) { false }
+
+        it { is_expected.to be_disallowed(:admin_amazon_q) }
+      end
+    end
+
+    context 'when regular user' do
+      it { is_expected.to be_disallowed(:manage_ai_settings) }
+    end
+  end
 end
-- 
GitLab


From d1daf0094cd8334967f5095c3bd573a08b4d4503 Mon Sep 17 00:00:00 2001
From: Paul Slaughter <pslaughter@gitlab.com>
Date: Tue, 3 Dec 2024 10:35:29 -0600
Subject: [PATCH 03/14] Feat(Q): Add create/update service for AmazonQ

---
 app/services/service_response.rb              |   8 +
 .../types/q_onbarding_updated.yml             |  10 +
 doc/user/compliance/audit_event_types.md      |   1 +
 .../admin/ai/amazon_q_settings_controller.rb  |  46 ++++-
 ee/app/services/ai/amazon_q/base_service.rb   |  59 ++++++
 ee/app/services/ai/amazon_q/create_service.rb | 116 +++++++++++
 ee/app/services/ai/amazon_q/update_service.rb |  27 +++
 .../users/service_accounts/create_service.rb  |   3 +-
 ee/config/cloud_connector/access_data.yml     |  40 +++-
 ee/lib/ai/amazon_q.rb                         |  37 +++-
 .../ai/amazon_q/identity_provider_payload.rb  |  70 +++++++
 ee/lib/gitlab/llm/q_ai/client.rb              |  74 +++++++
 .../identity_provider_payload_spec.rb         |  53 +++++
 ee/spec/lib/ai/amazon_q_spec.rb               | 190 ++++++++++++++++++
 ee/spec/lib/gitlab/llm/q_ai/client_spec.rb    |  41 ++++
 .../ai/amazon_q_settings_controller_spec.rb   | 110 ++++++++++
 .../ai/amazon_q/create_service_spec.rb        | 184 +++++++++++++++++
 .../ai/amazon_q/update_service_spec.rb        | 102 ++++++++++
 lib/assets/images/bot_avatars/q_avatar.png    | Bin 0 -> 16990 bytes
 lib/gitlab/auth.rb                            |   2 +
 20 files changed, 1163 insertions(+), 10 deletions(-)
 create mode 100644 config/audit_events/types/q_onbarding_updated.yml
 create mode 100644 ee/app/services/ai/amazon_q/base_service.rb
 create mode 100644 ee/app/services/ai/amazon_q/create_service.rb
 create mode 100644 ee/app/services/ai/amazon_q/update_service.rb
 create mode 100644 ee/lib/ai/amazon_q/identity_provider_payload.rb
 create mode 100644 ee/lib/gitlab/llm/q_ai/client.rb
 create mode 100644 ee/spec/lib/ai/amazon_q/identity_provider_payload_spec.rb
 create mode 100644 ee/spec/lib/ai/amazon_q_spec.rb
 create mode 100644 ee/spec/lib/gitlab/llm/q_ai/client_spec.rb
 create mode 100644 ee/spec/requests/admin/ai/amazon_q_settings_controller_spec.rb
 create mode 100644 ee/spec/services/ai/amazon_q/create_service_spec.rb
 create mode 100644 ee/spec/services/ai/amazon_q/update_service_spec.rb
 create mode 100644 lib/assets/images/bot_avatars/q_avatar.png

diff --git a/app/services/service_response.rb b/app/services/service_response.rb
index fa495d164684f7..3db7247accb91c 100644
--- a/app/services/service_response.rb
+++ b/app/services/service_response.rb
@@ -20,6 +20,14 @@ def self.error(message:, payload: {}, http_status: nil, reason: nil)
     )
   end
 
+  # This is used to help wrap old service responses that were just hashes
+  def self.from_legacy_hash(response)
+    return response if response.is_a?(ServiceResponse)
+    return ServiceResponse.new(**response) if response.is_a?(Hash)
+
+    raise ArgumentError, "argument must be a ServiceResponse or a Hash"
+  end
+
   attr_reader :status, :message, :http_status, :payload, :reason
 
   def initialize(status:, message: nil, payload: {}, http_status: nil, reason: nil)
diff --git a/config/audit_events/types/q_onbarding_updated.yml b/config/audit_events/types/q_onbarding_updated.yml
new file mode 100644
index 00000000000000..3cf73a6fc73dae
--- /dev/null
+++ b/config/audit_events/types/q_onbarding_updated.yml
@@ -0,0 +1,10 @@
+---
+name: q_onbarding_updated
+description: Amazon Q instance settings changed
+introduced_by_issue: https://gitlab.com/gitlab-com/ops-sub-department/aws-gitlab-ai-integration/integration-motion-planning/-/issues/211
+introduced_by_mr: https://gitlab.com/gitlab-com/ops-sub-department/aws-gitlab-ai-integration/gitlab/-/merge_requests/123
+feature_category: ai_framework
+milestone: "17.7"
+saved_to_database: true
+streamed: true
+scope: [Instance]
diff --git a/doc/user/compliance/audit_event_types.md b/doc/user/compliance/audit_event_types.md
index 9757ad0263ad0e..18f7ef42e4901e 100644
--- a/doc/user/compliance/audit_event_types.md
+++ b/doc/user/compliance/audit_event_types.md
@@ -49,6 +49,7 @@ Audit event types belong to the following product categories.
 | Name | Description | Saved to database | Introduced in | Scope |
 |:------------|:------------|:------------------|:---------|:--------------|:--------------|
 | [`duo_features_enabled_updated`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/145509) | GitLab Duo Features enabled setting on group or project changed | **{check-circle}** Yes | GitLab [16.10](https://gitlab.com/gitlab-org/gitlab/-/issues/442485) | Group, Project |
+| [`q_onbarding_updated`](https://gitlab.com/gitlab-com/ops-sub-department/aws-gitlab-ai-integration/gitlab/-/merge_requests/123) | Amazon Q instance settings changed | **{check-circle}** Yes | GitLab [17.7](https://gitlab.com/gitlab-com/ops-sub-department/aws-gitlab-ai-integration/integration-motion-planning/-/issues/211) | Instance |
 
 ### Audit events
 
diff --git a/ee/app/controllers/admin/ai/amazon_q_settings_controller.rb b/ee/app/controllers/admin/ai/amazon_q_settings_controller.rb
index 16125ca00fbb74..4750b1d35c2677 100644
--- a/ee/app/controllers/admin/ai/amazon_q_settings_controller.rb
+++ b/ee/app/controllers/admin/ai/amazon_q_settings_controller.rb
@@ -2,8 +2,6 @@
 
 module Admin
   module Ai
-    # NOTE: This module is under development and will grow in future MR's.
-    #       See <ISSUE_URL>.
     class AmazonQSettingsController < Admin::ApplicationController
       before_action :authorize_admin_amazon_q!
       before_action :expire_current_settings
@@ -13,12 +11,39 @@ def index
         setup_view_model
       end
 
+      def create
+        Gitlab::AppLogger.info(message: "Receive create for Amazon Q Settings", params: permitted_params)
+
+        # TODO(Q): What to do with the result??
+        service = if ::Ai::AmazonQ.connected?
+                    ::Ai::AmazonQ::UpdateService
+                  else
+                    ::Ai::AmazonQ::CreateService
+                  end
+
+        response = service.new(current_user, permitted_params).execute
+
+        setup_view_model
+
+        message = if response.success?
+                    { notice: s_('AmazonQ|Amazon Q Settings have been saved.') }
+                  else
+                    { alert: response.message || s_("AmazonQ|Something went wrong saving Amazon Q settings.") }
+                  end
+
+        redirect_to(
+          admin_ai_amazon_q_settings_path,
+          **message
+        )
+      end
+
       private
 
       def setup_view_model
         @view_model = {
           submitUrl: admin_ai_amazon_q_settings_path,
           disconnectUrl: disconnect_admin_ai_amazon_q_settings_path,
+          identityProviderPayload: identity_provider,
           amazonQSettings: {
             ready: ::Ai::Setting.instance.amazon_q_ready,
             roleArn: ::Ai::Setting.instance.amazon_q_role_arn,
@@ -27,6 +52,23 @@ def setup_view_model
         }
       end
 
+      def identity_provider
+        return if ::Ai::Setting.instance.amazon_q_ready
+
+        result = ::Ai::AmazonQ::IdentityProviderPayload.new.execute
+        case result
+        in { ok: payload }
+          payload
+        else
+          flash[:alert] = s_('AmazonQ|Something went wrong retrieving the identity provider payload.')
+          {}
+        end
+      end
+
+      def permitted_params
+        params.permit(:role_arn, :availability)
+      end
+
       def authorize_admin_amazon_q!
         access_denied!("Amazon Q is not enabled") unless can?(current_user, :admin_amazon_q)
       end
diff --git a/ee/app/services/ai/amazon_q/base_service.rb b/ee/app/services/ai/amazon_q/base_service.rb
new file mode 100644
index 00000000000000..4e02567379c791
--- /dev/null
+++ b/ee/app/services/ai/amazon_q/base_service.rb
@@ -0,0 +1,59 @@
+# frozen_string_literal: true
+
+module Ai
+  module AmazonQ
+    class BaseService
+      include Gitlab::Utils::StrongMemoize
+
+      AVAILABILITY_OPTIONS = %w[default_on default_off never_on].freeze
+
+      def initialize(user, params = {})
+        @user = user
+        @params = params
+      end
+
+      private
+
+      attr_accessor :user, :params
+
+      def availability_param_error
+        return ServiceResponse.error(message: 'Missing availability parameter') unless params[:availability].present?
+        return if AVAILABILITY_OPTIONS.include?(params[:availability])
+
+        ServiceResponse.error(message: "availability must be one of: #{AVAILABILITY_OPTIONS.join(', ')}")
+      end
+      strong_memoize_attr :availability_param_error
+
+      def application_settings
+        ::Gitlab::CurrentSettings.current_application_settings
+      end
+      strong_memoize_attr :application_settings
+
+      def ai_settings
+        Ai::Setting.instance
+      end
+      strong_memoize_attr :ai_settings
+
+      def create_audit_event(audit_availability:, audit_ai_settings:, exclude_columns: [])
+        message = 'Changed '
+        message += "availability to #{application_settings.duo_availability}, " if audit_availability
+
+        if audit_ai_settings
+          columns = %w[amazon_q_role_arn amazon_q_service_account_user_id amazon_q_oauth_application_id amazon_q_ready]
+          columns -= exclude_columns
+          message += columns.map do |column|
+            "#{column} to #{ai_settings[column].presence || 'null'}, "
+          end.join
+        end
+
+        ::Gitlab::Audit::Auditor.audit({
+          name: 'q_onbarding_updated',
+          author: user,
+          scope: Gitlab::Audit::InstanceScope.new,
+          target: ai_settings,
+          message: message[0...-2]
+        })
+      end
+    end
+  end
+end
diff --git a/ee/app/services/ai/amazon_q/create_service.rb b/ee/app/services/ai/amazon_q/create_service.rb
new file mode 100644
index 00000000000000..bbb9a25e9a043c
--- /dev/null
+++ b/ee/app/services/ai/amazon_q/create_service.rb
@@ -0,0 +1,116 @@
+# frozen_string_literal: true
+
+module Ai
+  module AmazonQ
+    class CreateService < BaseService
+      def execute
+        return ServiceResponse.error(message: 'Missing role_arn parameter') unless params[:role_arn].present?
+        return availability_param_error if availability_param_error
+
+        # TODO(Q): error surfacing and handling
+        if update_settings
+          create_audit_event(audit_availability: true, audit_ai_settings: true)
+          ServiceResponse.success
+        else
+          ServiceResponse.error(message: ai_settings.errors.full_messages.to_sentence)
+        end
+      end
+
+      private
+
+      def update_settings
+        return unless ai_settings.update(amazon_q_role_arn: params[:role_arn])
+        return unless application_settings.update(duo_availability: params[:availability])
+
+        create_amazon_q_onboarding
+      end
+
+      def create_amazon_q_onboarding
+        # TODO(Q): there should be a retry mechanism in the UI if any of these steps fail
+        service_account = existing_q_service_account || create_service_account
+        ensure_service_account_block_status(service_account: service_account)
+
+        return unless find_or_create_oauth_app
+        return unless ai_settings.update(amazon_q_oauth_application_id: @application.id)
+        return unless register_oauth_application_with_amazon
+
+        ai_settings.update(amazon_q_ready: true)
+      end
+
+      def create_service_account
+        service_account_result = ServiceResponse.from_legacy_hash(
+          ::Users::ServiceAccounts::CreateService.new(
+            @user,
+            { name: 'Amazon Q Service', avatar: Users::Internal.bot_avatar(image: 'q_avatar.png') }
+          ).execute
+        )
+        return unless service_account_result.success?
+
+        service_account = service_account_result.payload
+        return unless ai_settings.update(amazon_q_service_account_user_id: service_account.id)
+
+        service_account
+      end
+
+      def ensure_service_account_block_status(service_account: nil)
+        if Ai::AmazonQ.should_block_service_account?(availability: params[:availability])
+          Ai::AmazonQ.ensure_service_account_blocked!(current_user: user, service_account: service_account)
+        else
+          Ai::AmazonQ.ensure_service_account_unblocked!(current_user: user, service_account: service_account)
+        end
+      end
+
+      def existing_q_service_account
+        user_id = ai_settings.amazon_q_service_account_user_id
+        user_id && User.find_by_id(user_id)
+      end
+
+      def find_or_create_oauth_app
+        @application = existing_q_oauth_application
+        return true if @application
+
+        @application = Doorkeeper::Application.new(
+          name: 'Amazon Q OAuth',
+          redirect_uri: oauth_callback_url,
+          scopes: ::Gitlab::Auth::Q_SCOPES,
+          trusted: false,
+          confidential: false
+        )
+        @application.save
+      end
+
+      def register_oauth_application_with_amazon
+        client = ::Gitlab::Llm::QAi::Client.new(user, unit_primitive: 'agent_quick_actions')
+        # Currently the AI Gateway API call is idempotent; it will remove the existing
+        # application if it already exists.
+        response = client.perform_create_auth_application(
+          @application,
+          @application.secret,
+          params[:role_arn]
+        )
+        return true if response.success?
+
+        ai_settings.errors.add(:application,
+          "could not be created by the AI Gateway: Error #{response.code} - #{response.body}")
+        false
+      end
+
+      def existing_q_oauth_application
+        oauth_app_id && oauth_application
+      end
+
+      def oauth_application
+        Doorkeeper::Application.find_by_id(oauth_app_id)
+      end
+
+      def oauth_callback_url
+        # This value is unused but cannot be nil
+        Gitlab::Routing.url_helpers.root_url
+      end
+
+      def oauth_app_id
+        ai_settings.amazon_q_oauth_application_id
+      end
+    end
+  end
+end
diff --git a/ee/app/services/ai/amazon_q/update_service.rb b/ee/app/services/ai/amazon_q/update_service.rb
new file mode 100644
index 00000000000000..7e7efb7ee7fa43
--- /dev/null
+++ b/ee/app/services/ai/amazon_q/update_service.rb
@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+module Ai
+  module AmazonQ
+    class UpdateService < BaseService
+      def execute
+        return availability_param_error if availability_param_error
+
+        # TODO(Q): error surfacing and handling
+        success = application_settings.update(duo_availability: params[:availability])
+        return ServiceResponse.error(message: application_settings.errors.full_messages.to_sentence) unless success
+
+        create_audit_event(audit_availability: true, audit_ai_settings: false)
+        result =
+          if Ai::AmazonQ.should_block_service_account?(availability: params[:availability])
+            Ai::AmazonQ.ensure_service_account_blocked!(current_user: user)
+          else
+            Ai::AmazonQ.ensure_service_account_unblocked!(current_user: user)
+          end
+
+        return result unless result.success?
+
+        ServiceResponse.success
+      end
+    end
+  end
+end
diff --git a/ee/app/services/users/service_accounts/create_service.rb b/ee/app/services/users/service_accounts/create_service.rb
index 82ae44a084ae52..2b7702243df239 100644
--- a/ee/app/services/users/service_accounts/create_service.rb
+++ b/ee/app/services/users/service_accounts/create_service.rb
@@ -54,7 +54,8 @@ def default_user_params
           user_type: :service_account,
           external: true,
           skip_confirmation: true, # Bot users should always have their emails confirmed.
-          organization_id: params[:organization_id]
+          organization_id: params[:organization_id],
+          avatar: params[:avatar].presence
         }
       end
 
diff --git a/ee/config/cloud_connector/access_data.yml b/ee/config/cloud_connector/access_data.yml
index 6f8a5713059062..ad849620cac02e 100644
--- a/ee/config/cloud_connector/access_data.yml
+++ b/ee/config/cloud_connector/access_data.yml
@@ -258,8 +258,38 @@ services: # Cloud connector features (i.e. code_suggestions, duo_chat...)
         unit_primitives:
           - explain_code
           - generate_commit_message
-          - generate_cube_query
-          - glab_ask_git_command
-          - semantic_search_issue
-          - summarize_issue_discussions
-          - summarize_merge_request
+  summarize_comments:
+    backend: 'gitlab-ai-gateway'
+    cut_off_date: 2024-10-17 00:00:00 UTC
+    bundled_with:
+      duo_enterprise:
+        unit_primitives:
+          - summarize_comments
+  observability_all:
+    backend: 'gitlab-observability-backend'
+    bundled_with:
+      observability:
+        unit_primitives:
+          - observability_all
+  sast:
+    backend: 'gitlab-security-gateway'
+    bundled_with:
+      _irrelevant_: # not checked when cut_off_date is null
+        unit_primitives:
+          - security_scans
+  duo_workflow:
+    backend: 'gitlab-duo-workflow-service'
+    bundled_with:
+      _irrelevant: # not checked when cut_off_date is null
+        unit_primitives:
+          - duo_workflow_execute_workflow
+          - duo_workflow_generate_token
+  agent_quick_actions:
+    backend: 'gitlab-ai-gateway'
+    bundled_with:
+      _irrelevant: # not checked when cut_off_date is null
+        unit_primitives:
+          - event
+          - amazon_q_create_oauth_app
+          - amazon_q_create_onboarding_grant_code
+          - agent_quick_actions
diff --git a/ee/lib/ai/amazon_q.rb b/ee/lib/ai/amazon_q.rb
index b23e589e085581..c94ec697351961 100644
--- a/ee/lib/ai/amazon_q.rb
+++ b/ee/lib/ai/amazon_q.rb
@@ -2,8 +2,6 @@
 
 module Ai
   module AmazonQ
-    # NOTE: This module is under development and will grow in future MR's.
-    #       See <ISSUE_URL>.
     class << self
       def feature_available?
         # amazon_q not available on gitlab.com for now
@@ -22,6 +20,41 @@ def connected?
         ai_settings.amazon_q_ready
       end
 
+      def enabled?(user:, namespace:)
+        return false unless feature_available? && connected?
+        return false if ::Gitlab::CurrentSettings.duo_availability == :never_on
+
+        user.can?(:access_duo_features, namespace)
+      end
+
+      def should_block_service_account?(availability:)
+        availability == "never_on"
+      end
+
+      def ensure_service_account_blocked!(current_user:, service_account: nil)
+        service_account ||= User.find_by_id(ai_settings.amazon_q_service_account_user_id)
+
+        return ServiceResponse.success(message: "Service account not found. Nothing to do.") unless service_account
+
+        if service_account.blocked?
+          ServiceResponse.success(message: "Service account already blocked. Nothing to do.")
+        else
+          ServiceResponse.from_legacy_hash(::Users::BlockService.new(current_user).execute(service_account))
+        end
+      end
+
+      def ensure_service_account_unblocked!(current_user:, service_account: nil)
+        service_account ||= User.find_by_id(ai_settings.amazon_q_service_account_user_id)
+
+        return ServiceResponse.error(message: "Service account not found.") unless service_account
+
+        if service_account.blocked?
+          ServiceResponse.from_legacy_hash(::Users::UnblockService.new(current_user).execute(service_account))
+        else
+          ServiceResponse.success(message: "Service account already unblocked. Nothing to do.")
+        end
+      end
+
       private
 
       def ai_settings
diff --git a/ee/lib/ai/amazon_q/identity_provider_payload.rb b/ee/lib/ai/amazon_q/identity_provider_payload.rb
new file mode 100644
index 00000000000000..cdf9add4d55832
--- /dev/null
+++ b/ee/lib/ai/amazon_q/identity_provider_payload.rb
@@ -0,0 +1,70 @@
+# frozen_string_literal: true
+
+module Ai
+  module AmazonQ
+    class IdentityProviderPayload
+      def execute
+        cloud_connector_token_result
+          .and_then(->(token) { decode_token(token) })
+          .and_then(->(token) { instance_uid_from_token(token) })
+          .map(->(instance_uid) { build_payload(instance_uid) })
+      end
+
+      private
+
+      def cloud_connector_token_result
+        token = ::CloudConnector::AvailableServices.find_by_name(:agent_quick_actions)&.access_token
+        return ::Gitlab::Fp::Result.ok(token) if token
+
+        ::Gitlab::Fp::Result.err({
+          message: s_('AmazonQ|Active cloud connector token not found.'),
+          reason: :cc_token_not_found
+        })
+      end
+
+      def decode_token(token)
+        ::Gitlab::Fp::Result.ok(
+          JWT.decode(token, false, nil)&.first
+        )
+      rescue JWT::DecodeError => e
+        Gitlab::AppLogger.error(e)
+
+        ::Gitlab::Fp::Result.err({
+          message: s_('AmazonQ|Cloud connector token could not be decoded'),
+          reason: :cc_token_jwt_decode
+        })
+      end
+
+      def instance_uid_from_token(token)
+        gitlab_instance_uid = token['gitlab_instance_uid']
+        if gitlab_instance_uid
+          Gitlab::AppLogger.info(
+            "gitlab_instance_uid found in latest Cloud Connector token. Using gitlab_instance_uid."
+          )
+
+          return ::Gitlab::Fp::Result.ok(gitlab_instance_uid)
+        end
+
+        instance_identifier = token['sub']
+        if instance_identifier
+          Gitlab::AppLogger.info("gitlab_instance_uid not found in latest Cloud Connector token. Using subject.")
+
+          return ::Gitlab::Fp::Result.ok(instance_identifier)
+        end
+
+        ::Gitlab::Fp::Result.err({
+          message: s_('Neither gitlab_instance_uid or sub found on Cloud Connector token'),
+          reason: :cc_token_no_uid
+        })
+      end
+
+      def build_payload(instance_uid)
+        {
+          instance_uid: instance_uid,
+          aws_provider_url: "https://auth.token.gitlab.com/cc/oidc/#{instance_uid}",
+          aws_audience: "gitlab-cc-#{instance_uid}"
+        }
+      end
+    end
+  end
+end
diff --git a/ee/lib/gitlab/llm/q_ai/client.rb b/ee/lib/gitlab/llm/q_ai/client.rb
new file mode 100644
index 00000000000000..3ea4613f258a74
--- /dev/null
+++ b/ee/lib/gitlab/llm/q_ai/client.rb
@@ -0,0 +1,74 @@
+# frozen_string_literal: true
+
+module Gitlab
+  module Llm
+    module QAi
+      class Client
+        include ::Gitlab::Llm::Concerns::ExponentialBackoff
+        include ::Gitlab::Llm::Concerns::EventTracking
+        include ::Gitlab::Llm::Concerns::AvailableModels
+        include Langsmith::RunHelpers
+
+        DEFAULT_TIMEOUT = 30.seconds
+
+        def initialize(user, unit_primitive:, tracking_context: {})
+          @user = user
+          @tracking_context = tracking_context
+          @unit_primitive = unit_primitive
+          @logger = Gitlab::Llm::Logger.build
+        end
+
+        def perform_create_auth_application(oauth_app, secret, role_arn)
+          payload = {
+            clientId: oauth_app.uid.to_s,
+            clientSecret: secret,
+            redirectUrl: oauth_app.redirect_uri,
+            instanceUrl: Gitlab.config.gitlab.url,
+            roleArn: role_arn
+          }
+
+          Gitlab::HTTP.post(
+            "#{url}/v1/oauth/application",
+            body: payload.to_json,
+            headers: request_headers
+          )
+        end
+
+        private
+
+        attr_reader :user, :logger, :tracking_context, :unit_primitive
+
+        def url
+          Gitlab::AiGateway.url
+        end
+
+        def service_name
+          :agent_quick_actions
+        end
+
+        def service
+          ::CloudConnector::AvailableServices.find_by_name(service_name)
+        end
+
+        def api_key
+          service.access_token(user)
+        end
+
+        def request_headers
+          {
+            "Accept" => "application/json",
+            'X-Gitlab-Unit-Primitive' => unit_primitive
+          }.merge(Gitlab::AiGateway.headers(user: user, service: service))
+        end
+
+        def request_body(prompt:, options: {})
+          {
+            prompt: prompt,
+            max_tokens_to_sample: DEFAULT_MAX_TOKENS,
+            temperature: DEFAULT_TEMPERATURE
+          }.merge(options)
+        end
+      end
+    end
+  end
+end
diff --git a/ee/spec/lib/ai/amazon_q/identity_provider_payload_spec.rb b/ee/spec/lib/ai/amazon_q/identity_provider_payload_spec.rb
new file mode 100644
index 00000000000000..5fe6f124f4aead
--- /dev/null
+++ b/ee/spec/lib/ai/amazon_q/identity_provider_payload_spec.rb
@@ -0,0 +1,53 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Ai::AmazonQ::IdentityProviderPayload, feature_category: :ai_agents do
+  using RSpec::Parameterized::TableSyntax
+
+  let(:signing_key) { OpenSSL::PKey::RSA.new(Rails.application.credentials.openid_connect_signing_key) }
+  let(:service_data_default) { instance_double(CloudConnector::SelfManaged::AvailableServiceData) }
+
+  let(:token_invalid) { 'NOT_A_REAL_TOKEN' }
+  let(:token_no_uid) { JWT.encode({ foo: 'bar' }, signing_key, 'RS256', { typ: 'JWT' }) }
+  let(:token_with_uid) do
+    JWT.encode({ sub: 'test-subject', gitlab_instance_uid: 'test-gitlab-uid' }, signing_key, 'RS256', { typ: 'JWT' })
+  end
+
+  let(:token_self_issued) do
+    ::Gitlab::CloudConnector::SelfIssuedToken.new(
+      audience: 'test-audience',
+      subject: 'test-subject',
+      scopes: []
+    ).encoded
+  end
+
+  describe '#execute' do
+    subject(:execution) { described_class.new.execute }
+
+    where(:service_data, :token, :expectation) do
+      nil                        | nil                     | { err: hash_including(reason: :cc_token_not_found) }
+      ref(:service_data_default) | nil                     | { err: hash_including(reason: :cc_token_not_found) }
+      ref(:service_data_default) | ref(:token_invalid)     | { err: hash_including(reason: :cc_token_jwt_decode) }
+      ref(:service_data_default) | ref(:token_no_uid)      | { err: hash_including(reason: :cc_token_no_uid) }
+      ref(:service_data_default) | ref(:token_with_uid)    | { ok: { aws_audience: 'gitlab-cc-test-gitlab-uid',
+                                                                     aws_provider_url: 'https://auth.token.gitlab.com/cc/oidc/test-gitlab-uid',
+                                                                     instance_uid: 'test-gitlab-uid' } }
+      ref(:service_data_default) | ref(:token_self_issued) | { ok: { aws_audience: 'gitlab-cc-test-subject',
+                                                                     aws_provider_url: 'https://auth.token.gitlab.com/cc/oidc/test-subject',
+                                                                     instance_uid: 'test-subject' } }
+    end
+
+    with_them do
+      before do
+        allow(service_data).to receive(:access_token).and_return(token)
+
+        allow(::CloudConnector::AvailableServices).to receive(:find_by_name)
+          .with(:agent_quick_actions)
+          .and_return(service_data)
+      end
+
+      it { expect(execution.to_h).to include(expectation) }
+    end
+  end
+end
diff --git a/ee/spec/lib/ai/amazon_q_spec.rb b/ee/spec/lib/ai/amazon_q_spec.rb
new file mode 100644
index 00000000000000..17e686372cb37c
--- /dev/null
+++ b/ee/spec/lib/ai/amazon_q_spec.rb
@@ -0,0 +1,190 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+using RSpec::Parameterized::TableSyntax
+
+RSpec.describe Ai::AmazonQ, feature_category: :ai_abstraction_layer do
+  let(:application_settings) { ::Gitlab::CurrentSettings.current_application_settings }
+
+  describe '#connected?' do
+    where(:q_available, :q_ready, :result) do
+      true  | true  | true
+      true  | false | false
+      false | true  | false
+      false | false | false
+    end
+
+    with_them do
+      before do
+        Ai::Setting.instance.update!(amazon_q_ready: q_ready)
+        allow(described_class).to receive(:feature_available?).and_return(q_available)
+      end
+
+      it 'returns the expected result' do
+        expect(described_class.connected?).to be result
+      end
+    end
+  end
+
+  describe '#feature_available?' do
+    where(:feature_flag_enabled, :amazon_q_license_available, :gitlab_com, :result) do
+      true  | true  | true  | false
+      true  | false | true  | false
+      false | true  | true  | false
+      false | false | true  | false
+      true  | true  | false | true
+      true  | false | false | false
+      false | true  | false | false
+      false | false | false | false
+    end
+
+    with_them do
+      before do
+        stub_licensed_features(amazon_q: amazon_q_license_available)
+        stub_feature_flags(amazon_q_integration: feature_flag_enabled)
+        allow(::Gitlab).to receive(:org_or_com?).and_return(gitlab_com)
+      end
+
+      it 'returns the expected result' do
+        expect(described_class.feature_available?).to eq(result)
+      end
+    end
+  end
+
+  describe '#enabled?' do
+    context 'with args' do
+      let(:namespace) { build(:project_namespace) }
+      let(:user) { build(:user) }
+
+      where(:duo_availability, :user_can_access_duo_features, :result) do
+        :default_on  | true | true
+        :default_on  | false | false
+        :never_on    | true  | false
+        :never_on    | false | false
+        :default_off | true  | true
+        :default_off | false | false
+      end
+
+      with_them do
+        before do
+          allow(described_class).to receive_messages(
+            feature_available?: true,
+            connected?: true
+          )
+          allow(::Gitlab::CurrentSettings).to receive_messages(
+            duo_availability: duo_availability
+          )
+          allow(user).to receive(:can?).with(:access_duo_features, namespace).and_return(user_can_access_duo_features)
+        end
+
+        it { expect(described_class.enabled?(user: user, namespace: namespace)).to eq(result) }
+      end
+    end
+  end
+
+  describe '#should_block_service_account?' do
+    where(:availability, :expectation) do
+      "default_on"  | false
+      "default_off" | false
+      "never_on"    | true
+    end
+
+    with_them do
+      it { expect(described_class.should_block_service_account?(availability: availability)).to be(expectation) }
+    end
+  end
+
+  describe '#ensure_service_account_blocked!' do
+    let_it_be(:current_user) { create(:user, :admin) }
+    let_it_be_with_reload(:service_account_normal) { create(:user, :service_account) }
+    let_it_be_with_reload(:service_account_blocked) { create(:user, :service_account, :blocked) }
+    let_it_be(:service_account_not_found) { Struct.new(:id).new(999999) }
+
+    context 'with service_account set in application settings' do
+      where(:service_account, :expected_service_class, :expected_status, :expected_message) do
+        ref(:service_account_normal)     | ::Users::BlockService | true | nil
+        ref(:service_account_blocked)    | nil | true | "Service account already blocked. Nothing to do."
+      end
+
+      with_them do
+        before do
+          Ai::Setting.instance.update!(amazon_q_service_account_user_id: service_account&.id)
+        end
+
+        it 'conditionally block the service account', :aggregate_failures do
+          if expected_service_class
+            expect_next_instance_of(expected_service_class, current_user) do |instance|
+              expect(instance).to receive(:execute).with(service_account).and_call_original
+            end
+          end
+
+          response = described_class.ensure_service_account_blocked!(current_user: current_user)
+
+          expect(response.success?).to be(expected_status)
+          expect(response.message).to be(expected_message)
+        end
+      end
+    end
+
+    context 'with service_account set as argument' do
+      it 'conditionally blocks the given service account', :aggregate_failures do
+        expect(service_account_normal.blocked?).to be(false)
+
+        response = described_class.ensure_service_account_blocked!(
+          current_user: current_user,
+          service_account: service_account_normal
+        )
+
+        expect(response.success?).to be(true)
+        expect(service_account_normal.blocked?).to be(true)
+      end
+    end
+  end
+
+  describe '#ensure_service_account_unblocked!' do
+    let_it_be(:current_user) { create(:user, :admin) }
+    let_it_be_with_reload(:service_account_normal) { create(:user, :service_account) }
+    let_it_be_with_reload(:service_account_blocked) { create(:user, :service_account, :blocked) }
+
+    context 'with service_account set in application settings' do
+      where(:service_account, :expected_service_class, :expected_status, :expected_message) do
+        ref(:service_account_normal)     | nil | true | "Service account already unblocked. Nothing to do."
+        ref(:service_account_blocked)    | ::Users::UnblockService | true | nil
+      end
+
+      with_them do
+        before do
+          Ai::Setting.instance.update!(amazon_q_service_account_user_id: service_account&.id)
+        end
+
+        it 'conditionally block the service account', :aggregate_failures do
+          if expected_service_class
+            expect_next_instance_of(expected_service_class, current_user) do |instance|
+              expect(instance).to receive(:execute).with(service_account).and_call_original
+            end
+          end
+
+          response = described_class.ensure_service_account_unblocked!(current_user: current_user)
+
+          expect(response.success?).to be(expected_status)
+          expect(response.message).to be(expected_message)
+        end
+      end
+    end
+
+    context 'with service_account set as argument' do
+      it 'conditionally blocks the given service account', :aggregate_failures do
+        expect(service_account_blocked.blocked?).to be(true)
+
+        response = described_class.ensure_service_account_unblocked!(
+          current_user: current_user,
+          service_account: service_account_blocked
+        )
+
+        expect(response.success?).to be(true)
+        expect(service_account_blocked.blocked?).to be(false)
+      end
+    end
+  end
+end
diff --git a/ee/spec/lib/gitlab/llm/q_ai/client_spec.rb b/ee/spec/lib/gitlab/llm/q_ai/client_spec.rb
new file mode 100644
index 00000000000000..53f2a54d4c007f
--- /dev/null
+++ b/ee/spec/lib/gitlab/llm/q_ai/client_spec.rb
@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Gitlab::Llm::QAi::Client, feature_category: :ai_agents do
+  describe '#perform_create_auth_application' do
+    let_it_be(:user) { create(:user) }
+    let_it_be(:oauth_app) { create(:doorkeeper_application) }
+
+    let(:cc_token) { 'cc_token' }
+    let(:response) { 'response' }
+    let(:role_arn) { 'role_arn' }
+    let(:secret) { 'secret' }
+
+    subject(:perform_create_auth_application) do
+      described_class.new(user, unit_primitive: 'agent_quick_actions')
+        .perform_create_auth_application(oauth_app, secret, role_arn)
+    end
+
+    before do
+      cc_servide = double(name: 'name', access_token: cc_token) # rubocop:disable RSpec/VerifiedDoubles -- Not sure what class this should be?
+      allow(::CloudConnector::AvailableServices).to receive(:find_by_name)
+        .with(:agent_quick_actions).and_return(cc_servide)
+      payload = {
+        clientId: oauth_app.uid.to_s,
+        clientSecret: secret,
+        redirectUrl: oauth_app.redirect_uri,
+        instanceUrl: Gitlab.config.gitlab.url,
+        roleArn: role_arn
+      }
+
+      stub_request(:post, "#{Gitlab::AiGateway.url}/v1/oauth/application")
+        .with(body: payload.to_json)
+        .to_return(body: response)
+    end
+
+    it 'makes expected HTTP post request' do
+      expect(perform_create_auth_application.parsed_response).to eq(response)
+    end
+  end
+end
diff --git a/ee/spec/requests/admin/ai/amazon_q_settings_controller_spec.rb b/ee/spec/requests/admin/ai/amazon_q_settings_controller_spec.rb
new file mode 100644
index 00000000000000..b4d5b41ddf7b7d
--- /dev/null
+++ b/ee/spec/requests/admin/ai/amazon_q_settings_controller_spec.rb
@@ -0,0 +1,110 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Admin::Ai::AmazonQSettingsController, :enable_admin_mode, feature_category: :ai_abstraction_layer do
+  let(:admin) { create(:admin) }
+  let(:connected) { true }
+
+  let(:actual_view_model) do
+    Gitlab::Json.parse(
+      Nokogiri::HTML(response.body).css('#js-amazon-q-settings').first['data-view-model']
+    )
+  end
+
+  before do
+    stub_licensed_features(amazon_q: true)
+    stub_feature_flags(amazon_q_integration: true)
+
+    allow(::Ai::AmazonQ).to receive(:connected?).and_return(connected)
+
+    sign_in(admin)
+  end
+
+  shared_examples 'returns forbidden when feature is unavailable' do
+    before do
+      stub_licensed_features(amazon_q: false)
+    end
+
+    it 'returns 403' do
+      perform_request
+
+      expect(response).to have_gitlab_http_status(:forbidden)
+    end
+  end
+
+  describe 'GET #index' do
+    it_behaves_like 'returns forbidden when feature is unavailable' do
+      let(:perform_request) { get admin_ai_amazon_q_settings_path }
+    end
+
+    context 'when there is a problem retreiving the identity provider payload' do
+      it 'renders alert and empty identityProviderPayload' do
+        get admin_ai_amazon_q_settings_path
+
+        expect(actual_view_model).to include("identityProviderPayload" => {})
+        expect(flash[:alert]).to eq(s_('AmazonQ|Something went wrong retrieving the identity provider payload.'))
+      end
+    end
+
+    context 'when there is a valid identity provider payload' do
+      before do
+        jwt = JWT.encode({ sub: 'abc123' }, '')
+        service = instance_double(::CloudConnector::SelfSigned::AvailableServiceData, access_token: jwt)
+        allow(::CloudConnector::AvailableServices).to receive(:find_by_name).with(:agent_quick_actions)
+          .and_return(service)
+      end
+
+      it 'renders the frontend entrypoint with view model' do
+        get admin_ai_amazon_q_settings_path
+
+        expect(actual_view_model).to eq({
+          "amazonQSettings" => {
+            "availability" => "default_on",
+            "ready" => false,
+            "roleArn" => nil
+          },
+          "disconnectUrl" => disconnect_admin_ai_amazon_q_settings_path,
+          "submitUrl" => admin_ai_amazon_q_settings_path,
+          "identityProviderPayload" => {
+            "aws_audience" => "gitlab-cc-abc123",
+            "aws_provider_url" => "https://auth.token.gitlab.com/cc/oidc/abc123",
+            "instance_uid" => "abc123"
+          }
+        })
+      end
+    end
+  end
+
+  describe 'POST #create' do
+    using RSpec::Parameterized::TableSyntax
+
+    let(:params) { { role_arn: 'a', availability: 'always_on' } }
+    let(:perform_request) { post admin_ai_amazon_q_settings_path, params: params }
+
+    it_behaves_like 'returns forbidden when feature is unavailable'
+
+    # rubocop: disable Layout/LineLength -- Wrapping won't work!
+    where(:connected, :service, :service_response, :message) do
+      true  | ::Ai::AmazonQ::UpdateService | ServiceResponse.success | { notice: s_('AmazonQ|Amazon Q Settings have been saved.') }
+      true  | ::Ai::AmazonQ::UpdateService | ServiceResponse.error(message: nil) | { alert: s_('AmazonQ|Something went wrong saving Amazon Q settings.') }
+      false | ::Ai::AmazonQ::CreateService | ServiceResponse.success | { notice: s_('AmazonQ|Amazon Q Settings have been saved.') }
+      false | ::Ai::AmazonQ::CreateService | ServiceResponse.error(message: 'Doh!') | { alert: 'Doh!' }
+    end
+    # rubocop: enable Layout/LineLength
+
+    with_them do
+      it 'triggers the expected service' do
+        allow(::Ai::AmazonQ).to receive(:connected?).and_return(connected)
+
+        expect_next_instance_of(service, admin, ActionController::Parameters.new(params).permit!) do |service|
+          expect(service).to receive(:execute).and_return(service_response)
+        end
+
+        perform_request
+
+        expect(response).to redirect_to(admin_ai_amazon_q_settings_path)
+      end
+    end
+  end
+end
diff --git a/ee/spec/services/ai/amazon_q/create_service_spec.rb b/ee/spec/services/ai/amazon_q/create_service_spec.rb
new file mode 100644
index 00000000000000..b47b06219927aa
--- /dev/null
+++ b/ee/spec/services/ai/amazon_q/create_service_spec.rb
@@ -0,0 +1,184 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Ai::AmazonQ::CreateService, feature_category: :ai_agents do
+  describe '#execute' do
+    let_it_be(:user) { create(:admin) }
+    let_it_be(:service_account) { create(:service_account) }
+    let_it_be(:doorkeeper_application) { create(:doorkeeper_application) }
+
+    let(:params) { { role_arn: 'a', availability: 'default_off' } }
+    let(:status) { 200 }
+    let(:body) { 'success' }
+
+    before do
+      allow_next_instance_of(::Users::ServiceAccounts::CreateService) do |instance|
+        allow(instance).to receive(:execute).and_return({ status: :success, payload: service_account })
+      end
+
+      stub_request(:post, "#{Gitlab::AiGateway.url}/v1/oauth/application")
+        .and_return(status: status, body: body)
+    end
+
+    subject(:instance) { described_class.new(user, params) }
+
+    context 'with missing role_arn param' do
+      let(:params) { { availability: 'b' } }
+
+      it 'returns ServiceResponse.error with expected error message' do
+        expect(instance.execute).to have_attributes(
+          success?: false,
+          message: 'Missing role_arn parameter'
+        )
+      end
+    end
+
+    context 'with missing availability param' do
+      let(:params) { { role_arn: 'a' } }
+
+      it 'returns ServiceResponse.error with expected error message' do
+        expect(instance.execute).to have_attributes(
+          success?: false,
+          message: 'Missing availability parameter'
+        )
+      end
+    end
+
+    context 'with invalid availability param' do
+      let(:params) { { role_arn: 'a', availability: 'z' } }
+
+      it 'does not change duo_availability' do
+        expect { instance.execute }
+          .not_to change { ::Gitlab::CurrentSettings.current_application_settings.duo_availability }
+      end
+
+      it 'returns ServiceResponse.error with expected error message' do
+        expect(instance.execute).to have_attributes(
+          success?: false,
+          message: "availability must be one of: default_on, default_off, never_on"
+        )
+      end
+    end
+
+    context 'when setting availability to never_on' do
+      let(:params) { { role_arn: 'a', availability: 'never_on' } }
+
+      it 'blocks service account' do
+        expect { instance.execute }.to change { service_account.blocked? }.from(false).to(true)
+      end
+    end
+
+    it 'updates application settings' do
+      expect { instance.execute }
+        .to change { Ai::Setting.instance.amazon_q_role_arn }.from(nil).to('a')
+        .and change {
+          ::Gitlab::CurrentSettings.current_application_settings.duo_availability
+        }.from(:default_on).to(:default_off)
+    end
+
+    it 'creates an audit event' do
+      expect { instance.execute }.to change { AuditEvent.count }.by(1)
+      expect(AuditEvent.last.details).to include(
+        event_name: 'q_onbarding_updated',
+        custom_message: "Changed availability to default_off, " \
+          "amazon_q_role_arn to a, " \
+          "amazon_q_service_account_user_id to #{service_account.id}, " \
+          "amazon_q_oauth_application_id to #{Doorkeeper::Application.last.id}, " \
+          "amazon_q_ready to true"
+      )
+    end
+
+    it 'returns ServiceResponse.success' do
+      result = instance.execute
+
+      expect(result).to be_a(ServiceResponse)
+      expect(result.success?).to be(true)
+    end
+
+    context "when q service account does not already exist" do
+      it 'creates q service account and stores the user id in application settings' do
+        expect { instance.execute }
+          .to change { Ai::Setting.instance.amazon_q_service_account_user_id }.from(nil).to(service_account.id)
+        expect(::Users::ServiceAccounts::CreateService).to have_received(:new)
+      end
+    end
+
+    context "when q service account already exists" do
+      before do
+        Ai::Setting.instance.update!(amazon_q_service_account_user_id: service_account.id)
+      end
+
+      it 'does not attempt to create q service account' do
+        expect { instance.execute }.not_to change { Ai::Setting.instance.amazon_q_service_account_user_id }
+        expect(::Users::ServiceAccounts::CreateService).not_to have_received(:new)
+      end
+    end
+
+    context "when an existing oauth application does not exist" do
+      it "creates a new oauth application" do
+        expect_next_instance_of(::Gitlab::Llm::QAi::Client) do |client|
+          expect(client).to receive(:perform_create_auth_application)
+            .with(
+              doorkeeper_application,
+              doorkeeper_application.secret,
+              params[:role_arn]
+            ).and_call_original
+        end
+
+        expect(Doorkeeper::Application).to receive(:new).with(
+          {
+            name: 'Amazon Q OAuth',
+            redirect_uri: Gitlab::Routing.url_helpers.root_url,
+            scopes: Gitlab::Auth::Q_SCOPES,
+            trusted: false,
+            confidential: false
+          }
+        ).and_return(doorkeeper_application)
+
+        expect { instance.execute }.to change { Ai::Setting.instance.amazon_q_oauth_application_id }
+          .from(nil).to(doorkeeper_application.id)
+      end
+
+      context 'when AI client returns a 403 error' do
+        let(:status) { 403 }
+        let(:body) { '403 Unauthorized' }
+
+        it 'displays a 403 error in the errors' do
+          expect(instance.execute).to have_attributes(
+            success?: false,
+            message: 'Application could not be created by the AI Gateway: Error 403 - 403 Unauthorized'
+          )
+        end
+      end
+    end
+
+    context "when an oauth application exists" do
+      before do
+        Ai::Setting.instance.update!(amazon_q_oauth_application_id: doorkeeper_application.id)
+      end
+
+      it "does not create a new oauth application" do
+        expect(Doorkeeper::Application).not_to receive(:new)
+
+        expect_next_instance_of(::Gitlab::Llm::QAi::Client) do |client|
+          expect(client).to receive(:perform_create_auth_application)
+            .with(
+              doorkeeper_application,
+              doorkeeper_application.secret,
+              params[:role_arn]
+            ).and_call_original
+        end
+
+        result = nil
+        expect do
+          result = instance.execute
+        end.not_to change {
+          Ai::Setting.instance.amazon_q_oauth_application_id
+        }
+
+        expect(result.success?).to be_truthy
+      end
+    end
+  end
+end
diff --git a/ee/spec/services/ai/amazon_q/update_service_spec.rb b/ee/spec/services/ai/amazon_q/update_service_spec.rb
new file mode 100644
index 00000000000000..b0c12e400da5f3
--- /dev/null
+++ b/ee/spec/services/ai/amazon_q/update_service_spec.rb
@@ -0,0 +1,102 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Ai::AmazonQ::UpdateService, feature_category: :ai_agents do
+  describe '#execute' do
+    let_it_be(:user) { create(:admin) }
+    let_it_be_with_reload(:service_account) { create(:service_account) }
+
+    let(:params) { { availability: 'default_off' } }
+    let(:status) { 200 }
+    let(:body) { 'success' }
+
+    subject(:instance) { described_class.new(user, params) }
+
+    before do
+      Ai::Setting.instance.update!(amazon_q_service_account_user_id: service_account.id)
+    end
+
+    context 'with missing availability param' do
+      let(:params) { {} }
+
+      it 'returns ServiceResponse.error with expected error message' do
+        expect(instance.execute).to have_attributes(
+          success?: false,
+          message: 'Missing availability parameter'
+        )
+      end
+    end
+
+    context 'with invalid availability param' do
+      let(:params) { { availability: 'z' } }
+
+      it 'does not change duo_availability' do
+        expect { instance.execute }
+          .not_to change { ::Gitlab::CurrentSettings.current_application_settings.duo_availability }
+      end
+
+      it 'returns ServiceResponse.error with expected error message' do
+        expect(instance.execute).to have_attributes(
+          success?: false,
+          message: "availability must be one of: default_on, default_off, never_on"
+        )
+      end
+    end
+
+    context 'when the application settings update fails' do
+      before do
+        allow(::Gitlab::CurrentSettings).to receive_message_chain(:current_application_settings, :update)
+          .and_return(false)
+        allow(::Gitlab::CurrentSettings).to receive_message_chain(
+          :current_application_settings, :errors, :full_messages, :to_sentence
+        ).and_return('Invalid value')
+      end
+
+      it 'returns ServiceResponse.error with expected error message' do
+        expect(instance.execute).to have_attributes(
+          success?: false,
+          message: 'Invalid value'
+        )
+      end
+    end
+
+    it 'updates application settings' do
+      expect { instance.execute }
+        .to change {
+          ::Gitlab::CurrentSettings.current_application_settings.duo_availability
+        }.from(:default_on).to(:default_off)
+    end
+
+    it 'creates an audit event' do
+      expect { instance.execute }.to change { AuditEvent.count }.by(1)
+      expect(AuditEvent.last.details).to include(
+        event_name: 'q_onbarding_updated',
+        custom_message: 'Changed availability to default_off'
+      )
+    end
+
+    context 'when setting availability to never_on' do
+      let(:params) { { availability: 'never_on' } }
+
+      it 'blocks service account' do
+        expect { instance.execute }.to change { service_account.reload.blocked? }.from(false).to(true)
+      end
+    end
+
+    context 'when service account blocked' do
+      it 'unblocks service account' do
+        ::Users::BlockService.new(user).execute(service_account)
+
+        expect { instance.execute }.to change { service_account.reload.blocked? }.from(true).to(false)
+      end
+    end
+
+    it 'returns ServiceResponse.success' do
+      result = instance.execute
+
+      expect(result).to be_a(ServiceResponse)
+      expect(result.success?).to be(true)
+    end
+  end
+end
diff --git a/lib/assets/images/bot_avatars/q_avatar.png b/lib/assets/images/bot_avatars/q_avatar.png
new file mode 100644
index 0000000000000000000000000000000000000000..a89b320d2a7df960f68078721e95c447a27d93d6
GIT binary patch
literal 16990
zcmeAS@N?(olHy`uVBq!ia0y~yU^oE69Bd2>3_*8t*cliYI14-?iy0WWg+Z8+Vb&Z8
z1_lPk;vjb?hIQv;UNSH+u%tWsIx;Y9?C1WI$jZRr_}SCNF{Fa=Z7t`X*wE5{+t2wn
z7^v}d2|P{AzM3U?JZr0fqb{F=L`XryjBA{0dDd>_Gi~9^$Tbb9Kj#$05+c)J)%=0s
zZ>B7x>%l0YKin1y3M?Ed@8A5FyB1abw)ma0`FmAc{gaXV_uQ#IZ~Hm&@b|S_zwL9-
z-}~i~Hw_4*;Fb%g)u!)!UtE0s?4f_RbDEjc1-~t4{3g$^J4E!^PkVEP3kwc;DcuPX
zTvvEtNB!PkzmhXWt8Om2Bz-__O62=u?ma>BcGV58aSNYUskYZ2O_&hZ`{{M{f3E*G
z10(tiTul#r%I;q#`XY6*M?S-Br+be@_a74apVt_k@ce7+lo%cb&E1vqaxM|&V$zLL
zEUwKFFYWdB?lN!b)!WOM<70WZx3bml^#1B?pUbcPx7;AK`ja~Ud?kmVe;;P<VciiK
z8dshWr|R_Meb~>hRn9j$E=eD7o3L~FuASfW+J$Y)>`&gmxHIslAg_W{W4*shoUNv*
zE9-eTheaPA{Y~$D_~X5{up^Vrr}f$bN{0k(-Dj-(!e-!m^WprvO6wQC|LSG8p0Dct
z-inaA6^ti-i||@7v9$KPF*0|qdG6oU$1s1@nm+=E6XiCpSy$ke&k;QR9>X#X>v^vV
z|LN#_Jhj(B^lrt!g7oYuYyxoy3(_aVv%Z>O%F}9hMp!D);o+3{?{53wW!|^n)b1KQ
z@g9R&fXyAr&*g7J)?YYY-C7oBtf{s8^ZUQni~smdv0o!-vZG9fb5+TG?)7q0W>zvt
za-{Ga*{8-V<S})Ti^8ey{pBpZi>FUqYTh8I`ruFG*5f}#{XU(tHP@;P`mo~1qAv-`
z9dY{~g>O-A`4gEW6XdwrXWI&o$w6jKYBH<5lJ?dx+1g8lRxwLB%6;P7enI>7??3nL
z8ZRt5)g>=trLph(u_bZ#npUQk4ANbzCvN-voAZ71qsdp;*qnNFzsUy~3n+6=Y*KDi
zy|%U9Hdj{3euwa0AFaKNHXUz%iXHp;q|k2Db-g|HK_$oUPp(N<V!9GgF?&OpuVoa=
z50^ISEd}*zC%2geToVbJHATn%!|A*=GJe1P&hx8Hy~ogY;?Cqdcji7z=nQ`_dCjG6
z!7GuShl{R%_$DMdMR>;dU3$`Os;4@o1GwMcJ~P2#>64GD-6=gT(<B#jvK2m#dhkF_
zZ0l0<hPIx+bGha0HU8ac`;_)4Z@T2s@czD{$hnnHHN5u^=iL4yb42Xio9xLJvz2D*
zY@eDUq0Dh#|NFF^UvBSJT=9kNz^C^5$6{BQ=e&*mGUMcPahB<#SL*bxZ9H|xEnrfT
zq1;N*4@GuzB7Pt1R<ByYE3%czukn_NmQLcfw<67(xN3Lb|3CA-<(z4Yrr%?bE1o1h
zo1?40<8$;%pAg=D-lM-WT-#dyA9l}5tu@HplHsI!!$atSU#R4#ZkHL{ix+Ilb-KKQ
zxsPWVgZOsGKkwY69&E|qpYi$`d-Phyp2|7)>;gM3`-Pe%@<p*ouwCArByah5<qr9&
z*SHd<?s*`Zn&NTn`Sy>U|29RQtNP)|m2$R2QN?mwq{sO{rHj*dbL!lSO1v1B$<SXv
z+1gNKbIraQah{L+nBrA7CyU1J>*wkfdVV|OVn9avx7%H8*EFP9c6TT&U_Z$bnpU~=
z^zE67laq8SSQ0C3H-7!ty!I5sxBA7$e|G%*^OyJAJf8jb5zm%Sy>C8oafgtu^U1bQ
z2iYx(lZ{`7*t&1HH0k3%*YcHt?+!NbHuy01M#V0ZlKrzO^k2>N+SdVA%+Z}WqHG)f
zzrHi0en+~$0AEf;b~;z|%qdb&P32~VESwworzl>d=ud)Qg4C0!fa5}mhqb%nl(cxe
z=g<1gC1+E++F{uR_6**AnhPfNYCPL}JX$+FJfiAp*a7}+8O%5CKmHS$U9jl-nG4JI
zbcd#dU2=MvxY_cY#x@=HoL51j+cFv@j!8D8=`QeGz@2n=jo<>w+yJ-c#-}Vv3|Cgk
zO*iOl`zEECl4P{ECh6@o-tKJ?%oV?~?|h8wobFk_Ph-*72fS-!72H4V3t(QTruj^V
zUuxx<MA!9c+%9bqElR>ylpgGi3y``t;p+sOvSYt)9<~lkYPEKqHAU*kOk=mrL9S9>
z(**D9NADI(&*^O2a8&ZZX0e^Davb_AgMT|6yDRCoWz{xkBZEa5hga{plGV6DWm|)m
z^OS9K^;o;49B;UO`DZ!%irNjeUag7Q5o#Tmmz8m-v6!8F?${jc(b93YviZy0_&ulA
z@BVU1JSTEPMz>)DYxkX){*TSa?eA6OifmZIsd^&e^`3Q)%BM?RUr=i|Rq=4*?m4%X
zxIH_*%(eSOfD1!d);ismX_?^?7bkES=)}I_IlduaMWk$AO6``lx12O`*BJ|}lsGSQ
zYhAXEoPEjZjNSL%@G5BRyWTb7n$1P+BR1(%PfPaS4XF4yPpmka)wpZFoy4U>f4+Ub
zz~is{E8<c1Pj}%u(}z>;PVeOi5oLb2^z5x?|89q-o?=^Y*g!gRN!qO`atAJbJS!uX
zdyTE&g!Y{#_L?&GmA;a#?pxz#Zc;ak3r*zFez~D-8;|pm3ayAot8_0^@oZ7*)B53e
zn^C{g=!1AatDN2W|7U%#fBbEFpue8=&x!xFFWDZfnk{vaD<idC<=2A52St0&@FwXd
z1n?>zz4A^w>zkbD>&U0um)uP6-oTdLlfNwY`s}5QGDSVn28JG&`?lERZ5CbFxpAdN
z#?H3yVHt-nGPrhaxg)M->y{kz!LRs%Ulrer_46!meXYGHeem{vt~({^Mh?9k8k-%C
zDdfZl1txQ>4r6}O_@jB6;Fbq{9~ez1Je;VIYyRM-)`P_d(@yZ4X){OcxNtW1c1G~J
zg<SVlwz#IT^)8y+s<t-Qpk`;I+|SLyt@)+BZSTcxPtSi-+&FjpVYbsduQU9wYBg`U
zKb<Xo;UrV1;#k%cXCtOfadXt~X+6`Jlo@3r>gCLpk$Jm_YkH24`LB$E56@V-&7_$v
z-l(qhy;=Q(Lq>-8<AsF$8Ph~}{+_irF?Ub0V@G8?+i&x!T+Rw1H}pULJYuqH&G#+#
zAL9NPJm~*^Xp4$VV|lf*#s6E!K3=q%?-{&wQ_pU1VHGFN^jTY*Ry=9mv@GCeh*o}h
zkMD_#DL>8Zlxm*-G`=s8wue#2<`(M=;a#T3XDta86&6@CPqDWmb%w?TogB%<nIY-j
zZ)2=Oqn`a;C~^1gR_PaCk{j&*GUtSFwte`vo-uxh;(5Kq&93JP1WeBP^G@C$?402+
zKWQ7MR#jJ9zxM*g7{%+7?>>Z;-AZl0V00#7=0&!GClm8J?GFcY&&i$=G<EO7J6x5k
z7UeEHaoPWouD8s4uI2`<nY}zRrZ(q}Yl|}+mz{7gUyF0Yi@Tg+og2BAH||w$`*WLP
z*>k^RtIu!Byi~?rS}pNx!>J<C{8qk)CSTh>-sI~}&oY^@k?q5y)^|De?&3EC^5u54
zs-4@$V{m1oO2j_?`w>l1Qd3Ue*N%^<w|234mgvuZujt6K&_B!ey!LvqCp#(S1as*s
zx7)7DN^Ng*c%6D268k<r;`K0&>^5!N61-(sFtg{k<2D&JY*Gh%Od68;%BSx>=J2I0
z{d8!=$19UlvU40)=4lvAczA{*V%OAbHJ=tYT;I!3acc2}PM10Xo`<(KEnC=I8QLr|
z`}NlM(Zb)RO*po)$oxZn@XMvo7F<n>PElTS<nKL>GzrIfg=`--Ip4kcZ=p_9zfjbi
zcRbIw2QE19ZJD#NP~z7w5}WD|o=)Ww683OiW?Rl2_u1*eh2_a^9tJJpF$^)kv)B1X
zc(ml~ID0YI>BnP@Dknqfx#zNM1AO8OSXUbIoRqLU%<r+=FW9Q|SZZh56vjP|T=jfR
zE3ytpPqj7sbE}K%>V$o>)GB#zhiz!SX2_y$J^AKFxyx^NFuzb`XFUFE|J-fIr##Jz
z{}ELuT5xS@!9tF*E5VNHzd~OAshly5rA}Z$pwH}CQSB=$C#as-7R2{&-J?7E-b!s<
zD{!{&(zOJcM>F3REzwBdqxNS*l(h1}9*sG?2F@uL74;nEJ^d3{Vr(Jx==&z0xH)z1
z2JuIK=yRw)xbvZ6Zk}^xw9;Lzy0T4sYyxV^5BytDUpsgGp11rt*3!Y#yz6=PJk0t3
zOZh=#>B|KBy`m-G%rAfcT>jOxS+l6~?>82|AD6%Un{EEG_Hy{X_9}Y~U6p^`t6kk6
zehHm+be8e{rtcGZ+P}Y_plmQ(xIHaSZ@03|ne4mU_FLq?3^!y>Ip)&fdcIuyFR$!u
zkx2pE*B4KGoB8c_x>5I}JL}k^o^m|0fB!$?Lel*6^^X=C>i&FpzVZ8S_kVNe``5iG
zh^>A*i!0sTR`T*BhHfVli|<jrZ979%?jNpMziQJqhbs~`#&51(V_R{8M|EF9`flx$
zhOanfzPyz*=zrN`&~UW9;>F_)E=GoJ8~kQ{m%o%3vrH@S$+6SREbjR$Z=LmRy27N}
ziPaZY*Q7mv@jM}_=zHw}_WeA6o{OrArN5ZQRjF4fV!K`I;6i@c_uQHMhqpYr6<-<m
z^yfkScTStPR`2y|IP4b4pCOoF+#H)MmTheqE*I~RW%2mFT@Rnr@k=`y_q-D@-?r`8
z(|<n4wg_KdBA=VqHhp=)Y?0-W(hW~}`lMz~yfov~ys8zA4|XU!xZCpID3r3WKheIQ
z=R0S8YWdyvg*T^*wL9*veY|2hgSuV%uRjlj7uJ2?O}IKY_0oZxk=hA83^T(UjUHY-
z_-&b%Pp?^4bY!0B1)nb;0$$v_Z`-rZp&jIiUpw<A)?0ep)STGlvx6tMXM5Os6~O~l
zl|0S93{uA~u6rkS<BNJdPu1t_2HW!ETb}&3XP!2P`A(Jl&8WoQ^Ng<I%WeNBy4X*6
zGI^O~Z{5Shi|RHiR)0^u;mP^!uADd_TRF|@JKMtCfA?no+2>f?*7b;;q0;_fh2H;r
zf_L2-&+$IkdcM&9gZa-+Ry|+-xwDM5O!mBZ@|BUhx}ivITaC=!ZwvVu{VLb0PwYRs
z<;k`CjNa1^*ZzN=VR~(56^qngkJQ&&v*)f)EBtm(RHWy@i{69$>%5L7h~7=<zR=Kf
ztKMY})7;R^bM>3N3IkKGZDb1#vhrJQH9xyHWqR?nvMdI5or2%jMe8~q#_ew5@=Y~7
zbx=@II9BB7dL`M6?|c9DEjT=nf6pHcAMddH+%>OWA2|MRHE;f`g4LD12Txc&I(TTm
z+mzFDmUZoEuq(RrCGleYU4}hhFR^rs@Janpomytj>6q6ek-goAKdN}zvsW9gaB(b;
z{hMSZDtl6=M4Nq*XQ0<F9j~ZG`Kce;b=Lh{J>!#)T*s>o8??;&mz?>Sq`v!G{Js}I
z7bN$ymEB;xJjp+vY0g{G`;Y%DkUz=t)T@G_*24U`57(s2eTH0DJtxNe())J#$ZG|=
z^riw?U+sTi#2!SxXN&tIvO}1k&G)JRUv0^+&l4N`_G?|`|1o3ZuDFwiKWiTRh!WUr
zv6J!Q{L2Rnr>rh=&)ce3$Wkd#I5&Z%@4b6Pnkb(``=v~lAFo;8eg3yhcg~U>t=AH!
zw0)nmgrP0$+VP6N$8F`lToPyQua{Y-8Xo_?TTGnMeh=ff?+iv~jNV_J9CgXoMm4&i
zDU6%_u;^sAzS8D!TkapH1=(-=s5$=hKfhsxhl0tD5W^c9HAmz2&8Room!H<MW7it{
zw?_gW>@&SldUf?K&7RUMhJ33Fe=pp>qHZBIZ(ep%sddolz?rwVuRX|B>7$nUz5Rf0
z6i?Ny%LckXujU?LKgYc9WAmq)Xtr)Mk*vZQil-e@r)N$yds=OjQvGIcw$e%cI-zB%
z2L<juT6{~quI=H;mc+{k8$|b2U9fETl2f?6y`95Q+W*)5=@+iPaIi9M5ausfxA4if
zuM2IBKc{rrotZuBe7npm(Z@4h9-LeKj?wPB>Hp{5k>&SSKkj(DgV|eV;SSq1>Axm&
z{qcXQe{{#PB6D6YOJlP$i7nq773S{|ytM53504Muryscc)4|N=H;>Ct$D?0gd^mY(
ziOb;$XBIr4Y;vj9JL=E=;}?rc6y{1E@Z`QDp|;^tm<sQl!mTxV)j`)^6y$_9JUz(L
zU-@KXoMzv_El(zC+nW5C^Znm`=ZS?<)8;*OnpLCs`R^Ido{7^UmFlESr@F2VQ_-2a
zv4G*@=I|Xy>)E(AWLUKooL%22UdOcKaUGAmzoDneCYA`b+pAU`vtTy*%5do9ev5sx
ze|lJ}9{iW*rXPRuaM{n*r|O=a@lfg0<9%NIGH$ZKwhvL(abn*eO#MIOi+SkJi~bG8
z_T1%f{U85(RM_0atMX~a=aflu`vpFoGKtt7pglP+#cdwP#>aC{x~k4QH^)47`UL;<
zY3<G-e{7e=)JC13e>igAi?5;e|J3E*EWR&td6|EOM!~&{Cpl#9Uw5oxd$4(WcE?xg
z$T;h``Thm53g`7cHfAV%bopC)#pbh2;;fHZuYwk8M;?ydvF=B)W8<UW3q1bVIUTdo
z<$fJ<@}kiC`6X-hzHdJ+ck;KtE7Kjz$IJ(APiMLw`@H|{q)DfC9(n%i$B&wOQ!l5w
z%+Xu_<j%t9)6VVgdwuNdQ>neFC+!}|zn}hN#)RZfwNq7v)=xfPe*Y(Y`yIYNYt0{|
z|I_}kcIu2te}38>ke;{d`I7_Z9nS}PF+a0&@&5AM^x^f-p>@xB754GhKm5Dv!(En)
z*eLZnH}^}CEH}hX&MvkJw%Klz%)5GOaKBvb$|a_jD`#9<R_fKd>F$yIz8OuQ*pL1{
zBwkzh$6Ir|zedpX2_|cnq+I4a=BsM;a^}vSFpoQ>T+BCTf4-M^sk=yJ`Nih#=^LaH
zStjhw{j$vOz2wPi(f6tKFSRe}|J8`;U{ROfl9+k9V8?!Y1`)QqcPjTcF49{*?P=7L
zU6+&}{(h2_8h?2)^GlJbTUI3VUz}J{@uFn$5$~?&T~*IaxGWz3JyEr<Yx~kRcAod&
zKTN%wo||y{fd4w?dw;gut^cpN<9FEV_U^cSUIwjFa@SW*KR@q!sNeL7k@~Le1uZLr
zmvq0rD)n=Y%T%qk!k0U$WC~PPZJur(c&PJh_Lq{QwLSIof69GGf6sXDb$40$TFJln
z&fMjz_<Q-&-#nT9U+-AVy4Wz+y@Ty_&E15gxmC3-*SG$xO}}Kxu5j#K*W^SF+1=tF
zfAP)}P^}AB=M`N4L%cmXWoM@9hDVPDUmf`yeyn<Pd-regeD|cB2QO5)1y5%830OKE
zUDPi&L1MkT|Jmznug5G8NqW13BlL6GCf-YSkH1Dedg=3oML6;B)HCIU@#!_PC5`@%
z=Y5iq7oBGjrSv5A_fpHQCw5nat}d7;rFVYX^73UyftgA=UoNP>Su*L6<l$B8mIO1e
zSRm>yl)8PET8p3D#Fj8-XNN@*F@e0lE5FpewlDL^p2uJFbN?l0<w}Xrs&#DVI$UO`
zy$R{rx-7@=;}zG+v(4pfpFWssE_t;0h<2aBs<ixB3eHw*_pBG;JUJ&qSY@FF8zbwI
zuKTUB_uu?Hs43oXuY6^H)%tHY7wzP)+Wmp!|6e=n!*@%>mn6Nt@zFU^$NqSuVcBDa
zMT=K2JvFB*>7|mj%(SbzEUQjWSQWq_DaNs-Lvk@s=Ya_=J}0jKwW(>btUUKu<HOeO
z3i}fuRu-wY2&_mwY-1GT>0;t6u)JXHIhLCTgwqqaH8WFgEO8NfHtW@%_owE(uKM@M
zcIsnKrh}3dFXQW9@;;nk?B48hkK<HI!_9EU_Di-+d)=S?b6dQEne$tHHZx0<d6dX4
zkxOeCH*AvN$^Ez`EhxfMdD)h(n>8N}@w!dS|CN>gCB@kw_v3`uIRz=3gET~Z6DJxb
z3B8GzlsmBAGW*JjIL>x~>%JPsHZ?xW_b?v)dFT`Wlh4|H>Mw(DzI$g{pqRSL?q<69
zJ@Kye3GW?arQ!?opV%#b?3NzJ%|7D>*Jg*}J;!IxnEQ}>;@M7vY0u1sJGB`^xBT=C
zOG)2+P-vU{lHAM}Z_Rf^_a*kPyl}Rq&g(Sm_HI+F8{fCe?Q5|O`NZs%t$pX=<K45~
z3(4<3bL>NT(R-8RV_VsF&M!T=_fTJkh-ixIwgX!4c3&!qJn25mU}~j*;e8wR6}vzG
zk1b}X)0nDQ<Pi2QqN1o%qHE!dCIKI=i+T2wmZ(ptY%WRf`oxh|mbrD)Vq?!gA)%_J
zjiJ3uZk!Un@w02w;kf0GldqiNKaqNr(><wZ&5|3E=agSYdI}x+s-?E~gq!sKvY&FZ
zvZXxPJ<nYgWw~>*FssaO(<Z63SQ&+RUX$;as@~n^Y`yl8ur>Qx4$h6;<`eTnHe0>v
zQ5Q*F<*hn5<W2LGoX(0fs~k&?a<oi2)jVybxN7ZEXOo-zZZu3eoE>)TX-<C}@A@>O
zIKQ;*D`s8^labAOt>UqFzl+qPGc$}ktJJwTgAKP&ELM4caDwQ}s^#-%rgBd%zL?)@
zD6z<YtAwn(-*&}$*~;F_*&YO~dF~|mREITaqEA?Jg<p#P^CPc!&aq;xJ`vb=x8gyh
zB8ywf`&Dm6lO$G^%vsiRP$hC<N@-EN?I!lL^Ya#X&s`WZS6|n%Y0g*0ug{JphwbS*
zAl0b!(a$Sz!lxZfd(#Z|D4Ck&bO@^*`z+u-!N|*M-@%VtO_gP=dzh?deZQb~oNtLU
z^M^CqGI7yd3nyPbaBqg9d63B2n-gZMR4@O^@$}V3v-K0TCxlKs+%_-LZ*rFyZ;q7t
z-1*uC`lswqscVNg{>a$1Eyri3zeUE{=8P8$W~LbYl-RX)^5@6Q+A*uQZnBwWarQg+
zJHce(<xiFr#Y@U72bf6|o$Wj2qHs&$&8~?{jhT0x|9^H`7hksTj>)2{T4b7-d}eH8
zT%ZxOar=1<<^T4RLe|wdJUXkGB9c?`^q=N=y`#s=*;YNxotj{zdG!Q?QCFwYDb77f
z@$<OTHsyC(oOHBklXmiIo&2PBx|jSS=1!(hTVMQh-^hIO-;4Cj+JZCIGgKln+%>IU
zZ*BdpXZ)VCT>9gO*)F?U9Xx9nzwbEQ^5~G&p@lc@=j>V05;px%g^}#O+^we-r?~Bz
z`Dkj2G3V{RsU5bv9_8I;K72d9B6-TTQ~k!Snlm)qj#eK$<m>8F;BQmEFH~sanqY;S
z4krsZyRU38`BlIo_*m`K%L`vQJDFy`?p-gs*iG&E!$6}uO5vYopNW2T<e}8{pY?ik
zr5xT)t`ZG=6zXcSLPB^0-_kP1=bN@G@9T`2r@P5OS#D2;;ko2u*5`|l+-2}ux=68Q
z_FmiYVqwP?OY`GybM{nUnf<ohqqkhCts(ll&cx$4xlBK^i|mkM6I<9&P^7m`FwlKp
z{+cHnF09&7UNgNW*R{P=X?}iF-^+W)(<Lrn;B+fZW13sUz~8jTJTYdX1M7X0#IQmJ
z9m6n%uM3t09yBzY=5ygh!KB*;H}V%%1nlWb3%yZm^{(>#!#PFYPVEbu#JS0gxAf>o
zD?V$MikpF%Q)cn)*x7sCxy@Fp_R`OZCx7mCy7^OPCXaVW!7~5-9cJ5>wye6Sl)gtq
zdTPQVhA)gy-U!)CSBANkoOOG+&5KXqNM^XWBENZ}xPRsmmIMnXlbS;U4oUrIIr}cQ
z6s_;62s-<1MS1caUg1@~tAoyon3m~kOXRPXN!Wj!xxSX^!v)(<Z0BtmDvkv=aPNP_
z`*8Ee8%v9>sy=z}S@+U}k1;8-PhJ<PUDBNIDK2$CeA8JCuNOsckKHjZm8kiD<fr=b
z0PTCrm3BFu+$6Hkdg3|D2CMrmfB*7cvU6N=J3>`QPToRuT3=l2gywX$C}mE|$C($K
z0+<XJ*^B0D-=Fw#$&`lyVY_4&nrOX!C;G29e@=~AmjUl%?Y=L^K0G&+x^R8nDYxfF
zAroKaA9|Pa!!zjIpUZw34l-W4l0~x2oh&iCC5|#YV!dXysaNW|ukC)9@YjDYOD?f;
zQr_6G)|}}G+sy?JG<QBTsR}mhu)6y!Y7%GRU6ClyJOvT4BX2m|K4>glzryTYWOq#O
z*EQQW)iY=(-Ex$9erjpm*=&~e=Et?aar3dp{aAF7?P>do59aGx=RID0sM`Kf;>G-#
zyEk3(<~{KA@$xA-N7>SCO++I#H9{^5ESq?ym!&c0+>E0kI;S*FoIiYxBPc6`qh2pV
z?UDE0r~h58`WY4~cLf<*EEAq{$8^b*41q_2Opj7JRZ^oKJicfW-(oA-AK&_>tvl=O
z#89PU(O!&t>t<D_v}{f=Uw`I(l-bss8uLCxBpm%6WMc8Wc$wUV9WF;}m(2>BI4ODO
zu`9cHeZ8B0^6$vZTk=~iZ+}Cxo^XPZL6EVXhEcfRZB;E*-^ur0{pVhJVd5Qmu0+8z
z?KKf=ejQ&EAY;dpr_J)+VRz?_yr}hldK!Pf#OB4C>7H5aQS;%BkWIk^J)gHRSM<Cu
zuhl%BSz<jccYkS~W!>M-%kwMWJ#}}fxbkYo+8uW-${L*Z8s98lJ4bS3Tg|*b;aleQ
zvoywR<X1PC6!USe@o}H;f)fI>fByMVdGzyp1D+DUCfn}M_ZBV-x$U3aGe`P|zp1%g
z*q;`r+pCieR{S*!F?{$`=Fo&kmzuer-kUWeZYfXNWaG`Ut3KJ4rkm}J(Q+`<xwvY>
z^!7K6y-E+StH0mtUR~LhB*`=F+4|hz_#PiF#}yjeQh&TPQ>Z-feZ`B0sryADMdlr?
zR_fPx4wY`ar0h~|#O$#lyzX+J*n2MD3oYN3Loem=ed;@DsBV~YjyI9LuwR*3;p;oU
zpcU)BD(D`$s959rOJt495>`D&73IWNyjJ0jmCKZ`eG=0;Z#}oT%{R(5eV0If^4${>
zy+v|UwT0M&W>5V4Vzu1t#VeaNy9|3KiR4Vb^zq4#7_$<~nbV9MH`;i9e0Su2$&xo}
zIlDskMl7ALZ9eOsXB$hYp54KU^1f3$*DA{HI&o~tXU`6wA1)@|PMb@sP6>6_Fj?xD
z7v2$Xz0;p>bz5cH#CeQQmtOJ?+3`0}K_I~4OhtZ2zw*DH`JQ)U)N^O|1X#3Gy1HMo
zWl8!ov97Rpe!{6QE?VwsDxM{#JhLy!uJ#mqnrfT)_j~YVt1EfD&w9FF^@#1c!m(L>
z%ElAdjJw+py9s4FUO2qGBiK)%?Twg;(T1p?eKEy1pO#5HTo#zj?r|pS(%hYze3Ejv
zq87L?bVhlc2+I<h>ru{_aaPLUYpcNhTbi<Je`Vs6xA%YF;L~O3_@Go~v7h46m!*Ff
z9TrJEp-`N!HrYzFOR>`GXvc)d&m!X1zREe${!8E6p?-tETJMSE{?8$*rH;quDt<mX
z!Rv|Qf{-=Fhbj#wPTRQGYfty@<n!IvSEpRk7YRQ7;@_?_tz}&YCNZhoP5Gj#wUb%p
zwD5_-8h=eI3D@wY;)gGsSC);Qx+pItFh)*7|J_9S1!vkCmIa=Wh&jt}@|UzH)6BSU
zc@K_U|NVXUQq5yWB{T#hvXA)Lr!$MOw&cC;F}f~2f%Vk!2FVTcH#_wj-kYS^Bx&LQ
zOwRMzTJ4ut7$zN`&*3%i^8A~dpPOhb_e!2+@@&%LK#N{EA;+LC5-)E|{rYa}$5~60
z4lnuWb+rBGJt-fvj$S=>d5)Ste-|Y8KPt}RdEp*AZ@P==$4h2KAF_W*n=)<bcYGFM
zw)R$;z%x0|lGMi&;(cGaSUr32a=E-rbydfs=nNG(`*qU)l>Rsx$!O{q^)_6WbzP&h
znd$gDm&FpUQv}vutvX>gKR2ymfv?21!}_;t{@6D>ms|0(bVgOfIh*SrwzWR;+_G7&
zdheq)nZx^@RbT7lG5Fei>wxRWYFW>AwhhNB%D;a4CAaFwMhCI!*EP8`D)qMcDyO^m
zG5l)C5-I){Q4{0B_>iqBac<S0OA#)Xf5P|w7B!p65+R~+aprqA+miC)b&Kw3@YwKf
zSm`|{ueYl9(D&n}%ghD!cs9*(;!1K@ZLzH2qU4RvcS|-WFRz?&<hJ(D(4~E+;?!px
zZmqqsYGV=8z4nK^%ChmRr>ccSuh;bQcU$@7;p;hb^^#v5TCEz>%WbzKvsdAS@^{aR
z50+eKJSeaxNIT_ZSGdFuiP9Q-C+nEh1q&<~kA0k$K4C(%WxM0%su*dBX%k*+d`zG0
zaa_h>qdjNm)w1>%7iY3;K6HK8I>QM{%_d5-ozG+*W0}<G&?g@w{Qh}CAJexNYf5-{
zIaJlk&Hu~1d%K=xUjbiN*(G1aM)^Od?Uxv`b^VRyydK4tzfM$nLfOfhTiH`I3>+r1
zXjDx3`fbghGNy-Xr!#jLsprl~aGk%v>EYRUt(8xB0;OWL1QV1#b>8yrsd@7w#K&X(
zsT{X={Hu76>2ECc<9+ru@nc!V|5nih)_u(TzM8I?zGzJxug_KaHor^LS?dbaG)g8%
zv97T=;1wmLmb~<0(qHqn5%HcIT%?*muio_DV@K1Hd2@T2u3nR3lsLCz#h0f4kC|Ry
zyu3fEbKPYP!RxD4rB!~^U#ZsoqbS+u((HE3>2mutZ4DczFeAl|6BiCkK0W+)JCpW3
z=0Cq@H{Q<6oqyIg?xVhqc*SGyz3TPSA7*DdEI+{S_wCOE+2st??<Vfu>**~PY;mcB
z%j4O<h}7j}OBO!5XX$r$QO|;D!V8pN)_9~ev2EOY@Z*VaFW!QUj^|j<$9>Lkc1vCA
zD5Lj2>FJK5(5X@{MJjh)tWq=z>3UnLa$Crw>(@)~xJa$tM_B8P6-5=I!z)iLdV9EW
z<(7ZvO%L3zHK{oExj}p%(~VmH2bZ`TyX^&!vmJl@=S|duv-PYtuM-}8NZ#x8zEkt$
z<@vMz>Fs5*c)$6;`h4x*^-uO>9APv}dQx^R{WhnHahd_Q_g9DIy3&O+_dWHp_P=~%
zX2~5M@x0Iv%%!vD9QfU1lI%EFz)!;9{I55!-`;s^>}VwF_(tMsWowM=wp_CvK6<A9
zA@cH0N{u3`e;!HBy)mW2CHU1b<$0yLn%;(T*UnvSzVamX_xoad!R<UXw+}DOk3E#j
zVH2~#h)sN2?c<;wuj_fL?may4nNRlTrKnGHm>cbXK2Bk|C!ulF`iA7!HGw`_T%{>H
zG~69;&VRFf(s{q->n6${+m@^PEBVgXYu-(l54bs(teh+6`@oGm#V1ZR`N+&A7PotX
z>o(M#j9kvSd2YzO%MQ+p#WC^<m$ecL_vtR$dF+!-t@RB51uB=B7ud2faw)zr<8M9p
zo8yDIol?xtQlCgBdyAXtUFWQf`|Q<bpA}NtZKv5$l3QSRs*J-kch)ZFbwbVygXT%?
zbLO~GC{@x_B)0s>r)5HC{wVz0*OAf`#GQ7ArS)l+jKtPeO0CApHGZ1|4yhL1+kGOr
z`;f#N?-i$e+#jER_TY22#l%fkv#X}WDBliRUh?YrJ@)StQ!hVeKPd3;U~zMB-0S=A
z(>nfj+@AgVoU4U-%a5YkpiT>^s}JUc-WGVY?c&nkVI6nA9e7afG<CzZR|Thdt}grD
zzJ00BglvynB`S(1%^XGMb%pgvu&M=ZC_g8(L+R>rNu?=X`IlPG%Ad+OJ3szu+#;W_
z*NSdW_Wypi^uYanQa_FyUzX0nC^q-);)B{Xw@Qv%HtoGueA*&8*mAOEac;B1W*-@s
zs~r=Tm3M8sB$&8Rx<su1m(k?~E^cAk=fn%7o?ln^Z251_mL50u=0L}-ucuG3>b;<8
z8uD48CU2Gc%d4vDxi=>2X6e_aa>`d1OTIjEe!itrm)XNcNppeisRFvoUD;;eKDoW)
z`$-wb_`L$}*zdFHeo^^(p8wF4pN=b}WojILom}y?^Bd2}pWN)H=Cn%&#N7OJx2EyI
z$CGU`<(6^_E^{!f`*iK*<K_EyG_iZEc5ZT<rNp}3>w4m9&dcT|v#eL%JnX$Z^PR0w
z#uK44Mls4!b9Co%{#&1Tn~^IcA$XOLVVA}P#c7*ELmJ&fnaxk{b1J>MJov7=t&Y{t
z^$+TbbeHKcirE(Bw21nqG-WS$$&I@F<<}HlshRIztpC5@Fvo>LMV-JqcNnGOgiSnI
z^^W~qnH^Hen81-etHHTP<>q;hpv|jSB}%`_+R*m#Urb=`I#t~#KJNuQ=N=G9*|hhE
zXuv-a5pAofUV#$F1I|6*Dq8vT&;7qrPqNwH9lrd8{q^Ki{|ZGk68MdDOy<sKeVMv%
zVm8CN+hs4_DNIN|m^W>SZg6GitN^z*hUN3;dK+lCMg}z`UY%>9Y~Qq`<B>#z=eK!`
z5k70f3^yOKj~3{4UY6gfz3fZ2*X?UEx3qn~2Y&SK^?S``S*TUdXP_A@cW<$Sj(^e7
z4_bMu#~+j^A6`Gf>}aT6aLJR?LAOed%We#GJ()XetD0WZ9f5UIk9=8iC#gVdihIw=
zklv}<a?-uuj+ph9q%++9IeSB2p-p%|*741MIbJ-A;yP2(8Tfp07*EmJ0~?jxm?bv~
zJX2e=@yN#GehPMl-}ZNX&^l|SVJz^`B{nm;;MY8t*>7_M9vEN$+1jEn@m2Ii{PG7&
zjqSP1wgo#Z6L#Yc@BY1kL#gK9pGwWts+Q;M>^{x%Tk@rjgsw=O6~%srp{DPlz%tf-
zYAY9tJlzo}_0eo<iFoa`HHJ6lJ!D;4_n)CW>*X(>{W{T)zWm5*%3^ar#CT(Uf60&K
zGW&F=)E8L0$Rsml_8XM4nPjs}np>39!^gI5LRvk~EFq3$w);;~PZV@{-FWQt?1&R*
z*0!h@R(s~PyZ%_w?xMcG>hXa^1>yC-qdh9Lel1mTcKs$ZasBZn6Ii8A?z&Q{?Q(su
z!<_%;TXj9VqH5-e+$rpGy>zVa^5PtYDc?Vye*HfF{YL)(yXStG(t7*X+pI}i4wh<;
zahDzD-07Xw7g>CEp_|%E(K&CWH`z~*dQk7nyy;TdOc(L4MMsUpC!CbfpUQs4HNW0*
z!(qE-#W|m(9vn{hxh(MKU)|^E<T<5gA5NJtY8@}k;G3!Qdv(@Rx5d-)%sNZ%@^Tr!
zyPgsk)OL)gt}uq>vg4;932!fJ#@ya-_5VN5t-fCU#?m^};@Oti58w3P_Z^qr;#;9)
zbx7x{ZNXdz>CZPlTc>+$c41PzI6+6S+&#;F-`O^iF1;s))nAg1nFhxcyDmE_HRY!N
zM@#JmyH9;?-aeP*`_0dWs+_0(-@eat^2>rZzt+5|wiKW7dGpN0v*sSSc7sb$>)@=S
z5Z85YEfO^*J+YXu`jDxoGs})xrG(0rLh*mUURAz-A@;k}gV6W0yQk~j<^252-9&oz
z>DEu~>*aZjQae9=lCtrM)V^Z6JupLsA*an{p<vF!)p`mpc`Mi5_F6hmq*X9;_U4b<
zEI%LVs@VUXJAP+HmagdY`ehdE)}<+W->y3MMt3J%dZ)-Zug7qq^2=ZDpEUZ!C!Jis
z;@T4@r>i!pi@aqQ{mH($Qd;Ct`Q-cEx`LTnrGMU7uTB=JxN>=${Lh?uRX^tZ_`a3@
zp7Z^^KkV*Qc0W$>-eBm}V_w>8RPX&<MnPmtr~kC@n2gnr)-S#CGd#6qSAi#kWk!{)
zTx)$^=q`;=Llys{(`1>asvPY3#<9I^j{lFz)^E7ez7(D3+;;!KPp|s7iC0RmFa123
zCu9zfPHOFzi~LR<mnEOYUv~MY>VN#6ecU1yPOH!V?-ny04>-JZPkj#yPp#UCZ?CS*
zY!Gti4i`Dyv6{grCVbD^v^&+`Gn$jv*u4L0{ot$o{C0KueY`W423*|mT%yQQ^Z3<g
zb1b<|NU%O+J8Q`1Fi*7cKbsKatD=2MMXAa+CmaesxBU5cSO0U#|5z$szg!SLf6K#D
z@=v<sneu+~zDcOM{o?tm#AKF$14>yg)@!E*94~F~<5kcM3)*zc<mgPEZlNbO!Ysm}
zt-gQOJ?jf>)7k#_6XW-#-~WpRPh{xsv&>E3^Y!%ZONZr*JvK`3wC{Xuep6?fP}$m)
z!;y8#M(QcQYg*PEI@D&BUdJ<YTgoNV4ck&;y5i>8%5nX9s(B##9xIodf#}co|G%+)
zU}e4^!}xp)`wGV6Z}zwfe#-cGW@_6(ffdFx86PtqsI0jpxk&c;-Nzi0SLDQKG;c9z
zaTU(|!|>!g>#7(3gD<MCv2>jN?|JTw&7T?cYYtyomdV#vaBBIpht=Zi4_>z`(Z5@1
z+%NOt_|tu=LMHRFY(DPU*(dOtC+63quDB2>p^8UYQv{Zatq8c%c`0L+QeYC>h9%WZ
ze~-@C@UP6eX<jW$!H0>#pMNN6=d;*-sC%(Su<7d31){mpU3EXLp8R=Q&i-Y3k^|d6
zhM#t84$Hpquu_(Hj5GRnbk`%!<4@Z^Y0bMG%;huXfb*|Fo++<SRDImt@&9w(n=1XP
z!_IpIZBlNrD(187_|p8n>%5xfHkP1&f%fZ^PA`xxILPagW*d;#wtA=6n;nyGRh*BS
za=qVgt5K`T%xAR>x8Bb@a8aFMx2?$KN!ohN(S>3eUu~bwNcs0;bBz1zJv*mp&abpR
z{&@PO%3zZ>0TuS2R&9Q%RH86f>VWt6ofS(LAG8xOwb8cQ82<D=cZdB_t$AVhkFN++
zwM||sY;1VD>*9{P&-1<YtsW{?91|>FUV63sj*%em!)kH+1)>>`ddxzTmdR}Fkh(tQ
zyz#`kO<hkTE_P1e%B!@0+Nl@+|9$8@@VTE|?kkIrciyMC|8x2e{(Z75r@`%I@N(^$
zpP8>XY<+Z=D}TFaYrbS)RNaLiMN;nUmvUKdJb!flxAca9y>_DW<RdGu6d%h7c=~VQ
z5+A+%*|tW83no3ytnaV8)mQP<{(bA+@AuN8!s}1-3P%)vdVg1TyT!kcc3x|5e$)*2
z;}Je)p!rqv<8rSgk3^PZ+0VW=oKwr*n|q_;_S{BiF-CT|-b~LQjC~iJK2GiaRJlN_
zcWsBm+l&ilexL8n*<DfBney(F=-rDAe!LG}Y&`$_lF!$B9HJfyu5Cs(Zu?jZOXf5<
z@pbLwEL&Y^x!jdIIf?nFu{>v7!6CUDwg1d!^wqq7^t-ULpQHRvjB;h|hNAGAZKBqm
z!fSt6_Xfl;W>kd)mNj}htgJX+D_U^CyCyJymT&&_m>FqHc09j#r7q=x<kl&YnoCc4
z={#mINZC8>leEN?UhW-#UO&I!_`-wjMZmY&)o0e*^jm4xCe3}o@1Pdem+14y!FTb}
zJ5!HMNV%~w=zFA#;K$$bar@b>$8EE!lc_#5NAq*@UO8Lt{`zlbh3o&nchCO$K*eO5
zZUo1w3%5&*s^0Bcuf@v#!SmR6(fXCkpWnCn<ayxrc^0{P27_v;Z`FrQ4^-b{s(J2}
z@RoUHiQ?VbDScP>Xcz4(+-b7CFkSxe!J2oQ78O@Y9{A_;jeX6IkGGbFFHoNODEWRx
z(G|P-d+)e6G8@;OkF!gDwk$n;`=cw1tsA{G3qrV-dY#W-7}}=1`~BXv>Zht7yyRYf
znm;S%Q{s7ky<Ph){+G-Nne3Z>VnUzdqz|*YrdzxDI~7RUCr{t&;J#m3@<547kAB?0
z{Cx=(YlS}e9Q*m}Xt1>0B;|=N8pl~;&WWbgGGFF;ak;_yDvR9Dss5L=N>t{$H7NAo
zeY!OHUzm=-m!>z?y;?^3KBpr$Z9jib&0X+%K#KZnb@6Pa*2A-QXUBa0y1VeV?&}TT
z7jHlO&D#I%wlg<7KUm1~KKuFQrLOs!!?opCXT55kqip_7*x78-jg$xdF&SN1b^EQG
z=an<Pm{HI2%$6s3TJ`&HGuQYt$wx7Xvt2yWUH&uF*0TDgmw;4t>67q+u3-OZhuhXA
z+f9FcVtL7&!u5aB7dXGPVbYQL{pZfAc@Zz~pG)n};K<F9IX2-9-~LrXGkd(BcBuG9
z-rSP$WlQCpLRFdO&7Pd=+yBaz+*w!gO}qSX-skjWt53cDYYv7!U)z~0YAKZZe!fzu
zAH$7~z}Bdy|Gy-U3yAGuyOF2v6Z=Q*xIJ^tOZ$g5H<v1^Tr;)Z{`F69YM*l?_j_&6
zWeevxESmXLX#KBKKesT+dOa6>@XOkM>$8o!WlWFXzskDwbikf@e`^k1Rya6Wb2ZP_
z<VU$Gd=`=~n2w5`Y@Imy{$XK#?HQU6u1>waZeg}w^xJLsH!j*MzxnQzp9ht{dH;E^
z?<(K+e>$b>oub+<E$neVb6qCp{f*$xzQ5bKe#^gFJ@s}{)}!y=_J=b+-^=}Ows`Y3
z+XdUFcXuA$>TRR2bH9+1s!~AV``hixznj-S`>j;={ORg_e>|gl`j&p?5KwVpTqXab
z(SB}i@Wm}!8|_sNCl~#7W$QRoy;)|Ozk`vdX8if%8^5-M>@bo!EPp<|^Tm$(s)(#L
zvya{7`t#tjci7`&?|nD)W^rAQ5l-B`m;GHwaQfwa{`2lF<}98V_eK6d|Nh2@KYwgk
z6Lel~cCg`*?Aaa*Zq9eRb=lMHxX7-csk^lnHLqpfQOf84>k?~;sns;eL<Yyc8UJ50
z?`7U)qxN&I>RO+?-c8ztK8#A50WHSM0^APsxN~aiSn6F~df{<rV(Z)ag-7(JTv~Ry
z+4X*ZW-xzup6H*sefH_;hm8C0vYoH_sl#8s>|eySJFGFKj=y&2e{I&-@{>pF6}Q--
zg8QCo>({(cz0xQpEcIKfv&3wPvEIH0zhgWT&M8hf@wGg*;Bs=Aoz|UatS>*_o}!j%
z@5{u`Q)BTgZ9+)RwFi2dm$sZXQQ7Sfy>ssLPyd<vFI~*r_pol)pE=f#KK<;!*_W1Y
zZK}$fc{zP=&F+c@hbijUnEb7B%*6KB^Zk1<lbOGK*@{2^xaz7}*FV}P`s3u(dxz~N
zD7O0sGu>J~`MtjItsm|`ZS|k;p4jhlO?+X4?WM_6t~VdLxP>R8v$W#o*X#PR&5{bn
zYD^tEH9soTf8XB1@n~l9ohNZpL65k6YlW&SbWIEm*R8tKvS^~p9(jvc|I1F7R!{a^
z(aYBR-qz>lwY?vBcVC>ZcPI7KpM>O7tKKtDuRZhlue^w8O!(%eZu9An!g3Q%t4w5c
zzJ79onrrU^3$_WJEh`0iW%h?xJb8b0)mA?C*owsR%=636*f2|2SFelS{x&s^dA^3^
zq$gh|pI)iKsyq3p=7XSDQmHSTQw(aC7PKv>{COp8qIC7ech-{{f)-{R{E%NZf4}a%
zl5dA=WfRNP%Z(1q{n*cR|5wVz7_q<AzRm`F_qey|oXzQVkO+|8oh^DjrCI7We|CGp
zpIxsQXGNZpPdVnGF!A;KJsD?{%WE$#f5pkQ`O)!fdd?Z17rC@!UhSS<@g}GvUE%UI
z&q?tO{tIWS7;Rp}Jw<5$N$pcFbkf7P^b-%9efs>)%bLFp&+MyiYhLF!i*WjXz&$(W
zgPHi=`hC`wQ@c*>v3@x%RZRW3N9%{Gn}23*F`6ql>E_Z#hiCI<2Xh{ee)^y9*BPGR
ze+sfc)?R$N;pcO`kLCHCA8WV!7QSpWudbQ0CGCWAq!@Rm&$Sa_ZIV)=zfZSV*QBfv
zHJ=bS-=wCveQx^CUk7b${<qvUlhyh3e8Z>Trgr78T-NBm*cr^a@sCoxzMHj5dVEFB
ztQG<O%*<^cG9s$CZN9zi{W0~l#E<If3qG;WyvQby^6*cwn1$4wr|+Na+jjKeHqqy0
z96Y97T7G+G-(FSha&o1|$AwP~HJ1B%*66&Syx;rBf=gj9?tZ&>Z101XyDwgHm)~1a
z{{7qR=12AqF0VLOGF?czICXJ~@HdVS&4--_|4w#Tnr3+BW=JMudw|H!Cl%ZM1^leP
zci#=Gx~^_~kHMwJ#Nw*`9rK^oHs;}Z-0SCy%;D&L%C`G?X=o=`9mB^}Qi&X9LIo`k
zPX6)X*AAHQl&k*9Yqs@2p4)D`9k+Q|>Gb!zPd|Juzfb<YP5xT9%|5SYZZJP)zocO*
zucPRk-US}XPMmt8mcQ?;oyoi0XyV}q^_^0Gr0OodQriDW^Ynfr<GuT)o;}9Uq;u!<
zAHy?c-hYHG?d)ExdX!i`MfCbMj}Hb#NfF*$;%lC>7`QafYGblx+jRUa+ocHqDU)Bk
zbbr$%zQ=A$XwHKd!TZ04K3{imsr)Yf?6B_FXD7P3EetK{opsUZV*kY32Ag&_zVB`{
zSTM))k>;h#yF`y&uU!9Lv|eU*XHFQK!lr^V(oVgn|HR67Gi=>-aY5i8r9d&EGkMjm
zQC<38VIdioPfvB;aQPaubi;~;KdR(D9$mk^eZAWL2Q9H5P58U7o#uD?eW+aiz|r@S
zZ?pMLwaePdM8)6U_|Ybjq0O|)oPB1_#pc5*Pnj1>wBNrz_utnm{c%p|Nyd}UUSe<&
zv-|VM_21LE|BQ|))b0LoD)d`dh||n9E5x3gTef6|6sL526F9u_iRG_<j=OfUxwRfN
z|1G;^@&DV5pKD&398%W*e)p}-vG~`b|Lgu#{Hg2ze4R1sr}T$4SD3Fi)K1o_H&!}j
z<twv4?&-M;8sQ~@TO1OYB6h|08c*xJJog4q>Si;BiLIZ{$3N14I`_!pvrE6v6W!F}
z!ngA;qv{pSO^(~vI(6rHPSn!s?TTuCv^mHx&F09FIhM_f+2${3I{hJn$#z}I$+oL(
zZR`zietMieB3G`lM^Wvt2HT6nPIJ{9zrF6QHje$X@Z-$>&+<OoIG8ym{a|cTlsSK7
z`h^fT=1`qE3TK5>f3K|gu{7|68=Gc$+v4`=r7Ht-nx9H#WfbwH{B&2_az){hWl?JL
zv|@Gc&n&+(Rg@a*j4B(>CAh!3dsxy$B-+?INy4i~u<+liQc<z}^);Ul{^VDS?qTfE
zx%2zZ-#}iw=b{Nb%ciYP5!|(;!F9<7j;C9+d#`8*sT3}ele2PF{{Fq#yYSnqY5oC;
z0zzwh3>UV9YNQ?2cn}`*E~csE<<%bRzULET>bQEuq*RjwkCykEsHOIwFVJ*YZvFRn
z@c+Nkv*pj#8{B-v<B;-D+3u+_<Fp^kZN#MC9QEJ6fZt^GrEl*Z{&)PBQ#I*`^K>uC
zl!Qx5LtN%A(v1$?yLZhC+f!}bIZM*!_dc9IRZ8gn<*66BqWA+nRF+gkWErPcXz5fZ
znEBm~Dg4)bQY@RnF=<=IqN>UD`w}1QZ520|dS56${l=vRh1T!BTUpOa6vi%iz&1@J
zT({}2)*a4phkMK4=}O1!;gPiNnQ~d{L{;9s$J&~k-CRoqnV*(T__2HTwjH7c|6F>5
z?|r`e?)NwIsW}(f6ejT~PI!_f_|b-Y((?6F=D6{%d@^%y%BLAqTNS2ouC0jpc+Po~
z+hMKKXIE{R^eM$Ht;YEo?==a}1(TOF^a^fK2!6&CBVZz^{7+hhd7b6?{ilTQgwOpK
zyNfA$M~*0)g3zU9alAFRw%ls((8|)-y2Lp#Z8}F#;s1a(;Y0E*2aau3kq(ydc$c))
zXU)u%%|&LbcACxl@K3dS3EPDapIV#Dl_$vZvIjWM`)R$Lb-(qVuX6&|9+q4lxA*D6
zxrv)XB^x{*u*cat9m}}CY1b+R##?WWb;*nBI8ENr&M1D+LCDi<{rr33p;BMoMST1r
zaa6$L<2}jW(<eIedhRhZYP??jZRLe0=g%%-Owvf{?dDp1;zG`Yi+)>^0>YQ)=yvIE
z3YBsYc*gGir`g_4t2OE8k{h9m6~s1fGXBcY$+GCgi8&6&`W|iq^&*QJ|8w7S<b9mX
z%$)oqY)Me^#B(9BVNz|!*qP7fEVWr{{LX&PH~;YSlE=d|qSrEZusE-{^XB`mTe?2;
zZaz6DsTy6O#HIEx-gebojp>F~+Os}B5mG(H6uEgqSXGv#om5M#$CgIdl->@mKk@te
z?e~>TKK|d^e}C0EuAHNru1YtYn8^SCi_-eQ_g}n>)Lu2YeLSO4eNN=)1%oxhTaP?l
zb>irP|EnfGJ|DN+M8|NS*L4j`&)X42yFwEBq)y7(Db3l)_Eqxqx_R3}56(@zB<<iV
zc5Z({=kZ?)-&Vz`O>jAzmDeVBR#Iincel>>iZAX<ux{1b9>BAH$6hVvNvdx$`(00k
zEq1i@E`9s(hAZ<bzsl=ZKZh-xuCbSqXCg<pTH5~0_vgB5=4NeD<7}DowPDSJ4JpRj
zI|`Vr!*<H-NLKQbX_$F(i$u)Si~lYh+wRjRedMO=ocDJ!|9^Yj-n)3ZQx$WCKxbRP
z`CU2(7D=#A@Z6-j@KTw;#oonD9cJ}s)h0Z;W3}+*DI@R0Y)4;ScKdcLp?-O;IIr`f
z6pt0}KCu1nKfP}DexAKNQ|~djO;{}VapvQ_%YOC<e$&0ZG_<jIyPM;j*>Y0HR;x2J
zD)MhA{8XH@^q~lIaS=D$*3EW7rr+|Xg{`(d7r*s=7^pm}VwMOz^rd(6hIdP<7X4~}
z@p`k<tt%-p+h^7IIC3uKnv|Qs^PfRq>hZkUU2<`ALskVp`S>BzVBfimkN9Kvzt{S*
zDefh20`pPnrswRX64e_xxQaWXd^49ZZ$8UeV%=t#<imT($84=v+D^lLTh1r=tzPB0
z^~YcPx+@k{l95%+GZx9%mK|hz&X!*JRhrq$$tEWAAa9=P^o&VS!B?{QPAEQ#=TW<B
zCUx^|sIA3YW^<b~xAXf9f|r^%WS*MH|No8B`WcB4&-P84r^0jeDXaep*6nOllvGcq
zZQwpSW!VgF>9CA#5oXW-bzYvfwkoOr^Ky;7j5#cv8!`f}t5-d>HB9e5Ro0a@QRn%a
zsXpR|EsCd1P?A`pc~1IJLd}CaC*}X$oV?Ca|MH}J3}%a1oM-S>Enj_Ci9^3b_jJ$e
zop*Q6IkcB^W}7=(UF^%#k=^#+J}>WEJiS+GFJlf9$O_(jFTd9M%yd}#_un?N0I~CJ
zTY_5l$?kvh{omo45!?T6dTM*;<_hq^0gI2@?Qh7k;+tcr^@?c{oA1kuA%2%{ZkU`H
zBKPXYQSrpLecDw=@0(nbKJb5{OR_`hj(!IJ1r~di-{vRy2mF}*=k?sWgFEz@W2|Sa
t(2Lpk>gL`{-)V9@!X<D0=-xl|OE~LGe(tDKVqjok@O1TaS?83{1OSB>(n<gT

literal 0
HcmV?d00001

diff --git a/lib/gitlab/auth.rb b/lib/gitlab/auth.rb
index 94edda50fa9995..17d17b925d4a1b 100644
--- a/lib/gitlab/auth.rb
+++ b/lib/gitlab/auth.rb
@@ -58,6 +58,8 @@ module Auth
     ADMIN_MODE_SCOPE = :admin_mode
     ADMIN_SCOPES = [SUDO_SCOPE, ADMIN_MODE_SCOPE, READ_SERVICE_PING_SCOPE].freeze
 
+    Q_SCOPES = [API_SCOPE, REPOSITORY_SCOPES].flatten.freeze
+
     # Default scopes for OAuth applications that don't define their own
     DEFAULT_SCOPES = [API_SCOPE].freeze
 
-- 
GitLab


From 86b75e30f94f760ea103c759141b075611fb5cb2 Mon Sep 17 00:00:00 2001
From: Paul Slaughter <pslaughter@gitlab.com>
Date: Tue, 3 Dec 2024 10:42:30 -0600
Subject: [PATCH 04/14] Feat(Q): Add disconnect endpoint

---
 .../admin/ai/amazon_q_settings_controller.rb  | 16 ++++
 .../services/ai/amazon_q/destroy_service.rb   | 44 +++++++++++
 .../ai/amazon_q_settings_controller_spec.rb   | 45 +++++++++++
 .../ai/amazon_q/destroy_service_spec.rb       | 79 +++++++++++++++++++
 4 files changed, 184 insertions(+)
 create mode 100644 ee/app/services/ai/amazon_q/destroy_service.rb
 create mode 100644 ee/spec/services/ai/amazon_q/destroy_service_spec.rb

diff --git a/ee/app/controllers/admin/ai/amazon_q_settings_controller.rb b/ee/app/controllers/admin/ai/amazon_q_settings_controller.rb
index 4750b1d35c2677..aee28142c7c2c4 100644
--- a/ee/app/controllers/admin/ai/amazon_q_settings_controller.rb
+++ b/ee/app/controllers/admin/ai/amazon_q_settings_controller.rb
@@ -37,6 +37,22 @@ def create
         )
       end
 
+      def disconnect
+        return head :unprocessable_entity unless ::Ai::AmazonQ.connected?
+
+        response = ::Ai::AmazonQ::DestroyService.new(current_user).execute
+
+        # TODO(Q): If we don't expire the application settings then they stick around across requests.
+        #          Should we handle this differently?
+        Gitlab::CurrentSettings.expire_current_application_settings
+
+        if response.success?
+          head :ok
+        else
+          render json: { message: response.message }, status: :unprocessable_entity
+        end
+      end
+
       private
 
       def setup_view_model
diff --git a/ee/app/services/ai/amazon_q/destroy_service.rb b/ee/app/services/ai/amazon_q/destroy_service.rb
new file mode 100644
index 00000000000000..0cabc932a979c3
--- /dev/null
+++ b/ee/app/services/ai/amazon_q/destroy_service.rb
@@ -0,0 +1,44 @@
+# frozen_string_literal: true
+
+module Ai
+  module AmazonQ
+    class DestroyService < BaseService
+      def execute
+        # TODO(Q): We will probably need to make some API calls to effectively clean things up downstream...
+        result = block_service_account!
+
+        return result unless result.success?
+
+        destroy_oauth_application!
+
+        if ai_settings.update(
+          amazon_q_oauth_application_id: nil,
+          amazon_q_ready: false,
+          amazon_q_role_arn: nil
+        )
+          create_audit_event(
+            audit_availability: false,
+            audit_ai_settings: true,
+            exclude_columns: %w[amazon_q_service_account_user_id]
+          )
+          ServiceResponse.success
+        else
+          ServiceResponse.error(message: ai_settings.errors.full_messages.to_sentence)
+        end
+      end
+
+      private
+
+      attr_reader :user
+
+      def destroy_oauth_application!
+        oauth_application = Doorkeeper::Application.find_by_id(ai_settings.amazon_q_oauth_application_id)
+        oauth_application&.destroy!
+      end
+
+      def block_service_account!
+        Ai::AmazonQ.ensure_service_account_blocked!(current_user: user)
+      end
+    end
+  end
+end
diff --git a/ee/spec/requests/admin/ai/amazon_q_settings_controller_spec.rb b/ee/spec/requests/admin/ai/amazon_q_settings_controller_spec.rb
index b4d5b41ddf7b7d..c11ac6c0c9d522 100644
--- a/ee/spec/requests/admin/ai/amazon_q_settings_controller_spec.rb
+++ b/ee/spec/requests/admin/ai/amazon_q_settings_controller_spec.rb
@@ -107,4 +107,49 @@
       end
     end
   end
+
+  describe 'POST #disconnect' do
+    let(:perform_request) { post disconnect_admin_ai_amazon_q_settings_path }
+
+    it_behaves_like 'returns forbidden when feature is unavailable'
+
+    context 'when not connected' do
+      let(:connected) { false }
+
+      it 'returns unprocessable entity response' do
+        perform_request
+
+        expect(response).to have_gitlab_http_status(:unprocessable_entity)
+      end
+    end
+
+    context 'when connected' do
+      let(:service_response) { ServiceResponse.success }
+
+      it 'calls ::Ai::AmazonQ::DestroyService.execute and returns OK response' do
+        expect_next_instance_of(::Ai::AmazonQ::DestroyService, admin) do |destroy_service|
+          expect(destroy_service).to receive(:execute).and_return(service_response)
+        end
+
+        perform_request
+
+        expect(response).to have_gitlab_http_status(:ok)
+      end
+
+      context 'when ::Ai::AmazonQ::DestroyService.execute returns error response' do
+        let(:service_response) { ServiceResponse.error(message: 'Oops') }
+
+        it 'returns unprocessable entity response with corresponding message' do
+          expect_next_instance_of(::Ai::AmazonQ::DestroyService, admin) do |destroy_service|
+            expect(destroy_service).to receive(:execute).and_return(service_response)
+          end
+
+          perform_request
+
+          expect(response).to have_gitlab_http_status(:unprocessable_entity)
+          expect(json_response).to eq({ 'message' => 'Oops' })
+        end
+      end
+    end
+  end
 end
diff --git a/ee/spec/services/ai/amazon_q/destroy_service_spec.rb b/ee/spec/services/ai/amazon_q/destroy_service_spec.rb
new file mode 100644
index 00000000000000..f63dfa390337ba
--- /dev/null
+++ b/ee/spec/services/ai/amazon_q/destroy_service_spec.rb
@@ -0,0 +1,79 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Ai::AmazonQ::DestroyService, feature_category: :ai_agents do
+  describe '#execute' do
+    let_it_be(:user) { create(:admin) }
+    let_it_be(:service_account) { create(:service_account) }
+    let_it_be(:doorkeeper_application) { create(:doorkeeper_application) }
+    let_it_be(:role_arn) { SecureRandom.hex }
+
+    before do
+      Ai::Setting.instance.update!(
+        amazon_q_service_account_user_id: service_account.id,
+        amazon_q_oauth_application_id: doorkeeper_application.id,
+        amazon_q_ready: true,
+        amazon_q_role_arn: role_arn
+      )
+    end
+
+    subject(:instance) { described_class.new(user) }
+
+    it 'returns ServiceResponse.success' do
+      result = instance.execute
+
+      expect(result).to be_a(ServiceResponse)
+      expect(result.success?).to be(true)
+    end
+
+    context 'when the AI settings update fails' do
+      it 'returns ServiceResponse.error with expected error message' do
+        ai_settings = Ai::Setting.instance
+        allow(Ai::Setting).to receive(:instance).and_return(ai_settings)
+        allow(ai_settings).to receive(:update).and_return(false)
+        allow(ai_settings).to receive_message_chain(
+          :errors, :full_messages, :to_sentence
+        ).and_return('Oh oh!')
+
+        expect(instance.execute).to have_attributes(
+          success?: false,
+          message: 'Oh oh!'
+        )
+      end
+    end
+
+    it 'blocks the service account' do
+      expect { instance.execute }.to change { service_account.reload.blocked? }.from(false).to(true)
+    end
+
+    it 'destroys the oauth application' do
+      instance.execute
+
+      expect { doorkeeper_application.reload }.to raise_error(ActiveRecord::RecordNotFound)
+    end
+
+    it 'updates application settings' do
+      expect { instance.execute }
+        .to change {
+          Ai::Setting.instance.amazon_q_oauth_application_id
+        }.from(doorkeeper_application.id).to(nil).and change {
+          Ai::Setting.instance.amazon_q_ready
+        }.from(true).to(false).and change {
+          Ai::Setting.instance.amazon_q_role_arn
+        }.from(role_arn).to(nil).and not_change {
+          Ai::Setting.instance.amazon_q_service_account_user_id
+        }
+    end
+
+    it 'creates an audit event' do
+      expect { instance.execute }.to change { AuditEvent.count }.by(1)
+      expect(AuditEvent.last.details).to include(
+        event_name: 'q_onbarding_updated',
+        custom_message: 'Changed amazon_q_role_arn to null, ' \
+          'amazon_q_oauth_application_id to null, ' \
+          'amazon_q_ready to null'
+      )
+    end
+  end
+end
-- 
GitLab


From 7284cb21c62dcfa905c7f205cc8c65b06d6951b0 Mon Sep 17 00:00:00 2001
From: Paul Slaughter <pslaughter@gitlab.com>
Date: Tue, 3 Dec 2024 10:48:38 -0600
Subject: [PATCH 05/14] Feat(Q): Frontend for AmazonQ admin

---
 .../amazon_q_settings/components/app.vue      | 377 ++++++++++++++++++
 .../pages/admin/ai/amazon_q_settings/index.js |   4 +
 .../amazon_q_settings/components/app_spec.js  | 352 ++++++++++++++++
 3 files changed, 733 insertions(+)
 create mode 100644 ee/app/assets/javascripts/amazon_q_settings/components/app.vue
 create mode 100644 ee/app/assets/javascripts/pages/admin/ai/amazon_q_settings/index.js
 create mode 100644 ee/spec/frontend/amazon_q_settings/components/app_spec.js

diff --git a/ee/app/assets/javascripts/amazon_q_settings/components/app.vue b/ee/app/assets/javascripts/amazon_q_settings/components/app.vue
new file mode 100644
index 00000000000000..3bd3d1511b31aa
--- /dev/null
+++ b/ee/app/assets/javascripts/amazon_q_settings/components/app.vue
@@ -0,0 +1,377 @@
+<script>
+import {
+  GlButton,
+  GlAlert,
+  GlFormGroup,
+  GlFormInput,
+  GlFormInputGroup,
+  GlForm,
+  GlFormRadioGroup,
+  GlFormRadio,
+  GlSprintf,
+  GlModalDirective,
+} from '@gitlab/ui';
+import axios from '~/lib/utils/axios_utils';
+import { createAndSubmitForm } from '~/lib/utils/create_and_submit_form';
+import { confirmAction } from '~/lib/utils/confirm_via_gl_modal/confirm_via_gl_modal';
+import { logError } from '~/lib/logger';
+import { createAlert } from '~/alert';
+import { s__ } from '~/locale';
+import { helpPagePath } from '~/helpers/help_page_helper';
+import HelpPageLink from '~/vue_shared/components/help_page_link/help_page_link.vue';
+import ClipboardButton from '~/vue_shared/components/clipboard_button.vue';
+
+const AVAILABILITY_OPTIONS = [
+  {
+    value: 'default_on',
+    label: s__('AmazonQ|On by default'),
+    helpText: s__(
+      'AmazonQ|Features are available. However, any group, subgroup, or project can turn them off.',
+    ),
+  },
+  {
+    value: 'default_off',
+    label: s__('AmazonQ|Off by default'),
+    helpText: s__(
+      'AmazonQ|Features are not available. However, any group, subgroup, or project can turn them on.',
+    ),
+  },
+  {
+    value: 'never_on',
+    label: s__('AmazonQ|Always off'),
+    helpText: s__(
+      'AmazonQ|Features are not available and cannot be turned on for any group, subgroup, or project.',
+    ),
+  },
+];
+
+const I18N_LABEL_STATUS = s__('AmazonQ|Status');
+const I18N_LABEL_SETUP = s__('AmazonQ|Setup');
+const I18N_READY = s__('AmazonQ|GitLab Duo with Amazon Q is ready to go! 🎉');
+const I18N_STEP_IDENTITY_PROVIDER = s__(
+  'AmazonQ|Create an identity provider for this GitLab instance within AWS using the following values. %{helpStart}Learn more%{helpEnd}.',
+);
+const I18N_STEP_IDENTITY_PROVIDER_BUTTON = s__('AmazonQ|Show identity provider values');
+const I18N_STEP_IAM_ROLE = s__(
+  'AmazonQ|Within your AWS account, create an IAM role for Amazon Q and the relevant identity provider. %{helpStart}Learn how to create an IAM role%{helpEnd}.',
+);
+const I18N_STEP_ROLE_ARN = s__("AmazonQ|Enter the IAM role's ARN.");
+const I18N_BTN_DISCONNECT = s__('AmazonQ|Disconnect');
+const I18N_BTN_SAVE = s__('AmazonQ|Save changes');
+const I18N_IAM_ROLE_ARN_LABEL = s__("AmazonQ|IAM role's ARN");
+const I18N_WARNING_NEVER_ON = s__(
+  'AmazonQ|Amazon Q will be turned off for all groups, subgroups, and projects, even if they have previously enabled it.',
+);
+const I18N_WARNING_OFF_BY_DEFAULT = s__(
+  'AmazonQ|Amazon Q will be turned off by default, but still be available to any groups or projects that have previously enabled it.',
+);
+const I18N_SAVE_ACKNOWLEDGE = s__(
+  'AmazonQ|I understand that by selecting Save changes, GitLab creates a service account for Amazon Q and sends its credentials to AWS. Use of the Amazon Q Developer capabilities as part of GitLab Duo with Amazon Q is governed by the %{helpStart}AWS Customer Agreement%{helpEnd} or other written agreement between you and AWS governing your use of AWS services.',
+);
+const I18N_COPY = s__('AmazonQ|Copy to clipboard');
+const I18N_LOADING_LABEL = s__('AmazonQ|Fetching Identity Provider parameters');
+
+const PROVIDER_TYPE_VALUE = 'OpenID Connect';
+const INPUT_PLACEHOLDER_ARN = 'arn:aws:iam::account-id:role/role-name';
+const HELP_PAGE_IAM_ROLE = helpPagePath('user/duo_amazon_q/setup.md', {
+  anchor: 'create-an-iam-role',
+});
+
+export default {
+  components: {
+    ClipboardButton,
+    GlAlert,
+    GlButton,
+    GlForm,
+    GlFormGroup,
+    GlFormInput,
+    GlFormInputGroup,
+    GlFormRadioGroup,
+    GlFormRadio,
+    GlSprintf,
+    HelpPageLink,
+  },
+  directives: {
+    GlModal: GlModalDirective,
+  },
+  props: {
+    submitUrl: {
+      type: String,
+      required: true,
+    },
+    disconnectUrl: {
+      type: String,
+      required: true,
+    },
+    identityProviderPayload: {
+      type: Object,
+      required: false,
+      default: null,
+    },
+    amazonQSettings: {
+      type: Object,
+      required: false,
+      default: null,
+    },
+  },
+  data() {
+    return {
+      availability: this.amazonQSettings?.availability || 'default_on',
+      roleArn: this.amazonQSettings?.roleArn || '',
+      ready: this.amazonQSettings?.ready || false,
+      isSubmitting: false,
+      isDisconnecting: false,
+    };
+  },
+  computed: {
+    payload() {
+      if (this.ready) {
+        return {
+          availability: this.availability,
+        };
+      }
+
+      return {
+        availability: this.availability,
+        role_arn: this.roleArn,
+      };
+    },
+    roleArnDisabled() {
+      return this.isSubmitting || this.ready;
+    },
+    availabilityWarning() {
+      if (!this.ready || this.availability === this.amazonQSettings?.availability) {
+        return '';
+      }
+
+      if (this.availability === 'never_on') {
+        return I18N_WARNING_NEVER_ON;
+      }
+      if (this.availability === 'default_off') {
+        return I18N_WARNING_OFF_BY_DEFAULT;
+      }
+      return '';
+    },
+  },
+  methods: {
+    onSubmit(event) {
+      event.preventDefault();
+
+      // TODO(Q): Validate
+      try {
+        this.isSubmitting = true;
+
+        createAndSubmitForm({
+          url: this.submitUrl,
+          data: this.payload,
+        });
+      } catch (e) {
+        // eslint-disable-next-line @gitlab/require-i18n-strings
+        logError('Unexpected error while submitting the form.', e);
+
+        createAlert({
+          message: s__(
+            'AmazonQ|An unexpected error occurred while submitting the form. Please see the browser console log for more details.',
+          ),
+          error: e,
+        });
+      } finally {
+        this.isSubmitting = false;
+      }
+    },
+    async onDisconnect() {
+      const confirmed = await confirmAction(
+        s__(
+          'AmazonQ|This will disable GitLab Duo with Amazon Q and delete some integration artifacts such as the service account and OAuth application. You can safely reconnect Amazon Q later.',
+        ),
+        {
+          title: s__('AmazonQ|Are you sure?'),
+          primaryBtnVariant: 'danger',
+          primaryBtnText: s__('AmazonQ|Disconnect'),
+        },
+      );
+
+      if (!confirmed) {
+        return;
+      }
+
+      try {
+        this.isDisconnecting = true;
+
+        await axios.post(this.disconnectUrl);
+
+        this.roleArn = '';
+        // TODO(Q): We need to reload to get the identityProviderPayload (should we always grab it to avoid this?)
+        window.location.reload();
+      } catch (e) {
+        // eslint-disable-next-line @gitlab/require-i18n-strings
+        logError('Unexpected error while disconnecting Amazon Q.', e);
+
+        createAlert({
+          message: s__(
+            'AmazonQ|An unexpected error occurred while disconnecting Amazon Q. Please see the browser console log for more details.',
+          ),
+          error: e,
+        });
+      } finally {
+        this.isDisconnecting = false;
+      }
+    },
+  },
+  I18N_LABEL_STATUS,
+  I18N_LABEL_SETUP,
+  I18N_READY,
+  I18N_STEP_IDENTITY_PROVIDER,
+  I18N_STEP_IDENTITY_PROVIDER_BUTTON,
+  I18N_STEP_IAM_ROLE,
+  I18N_STEP_ROLE_ARN,
+  I18N_BTN_DISCONNECT,
+  I18N_BTN_SAVE,
+  I18N_IAM_ROLE_ARN_LABEL,
+  I18N_SAVE_ACKNOWLEDGE,
+  I18N_WARNING_OFF_BY_DEFAULT,
+  I18N_WARNING_NEVER_ON,
+  I18N_COPY,
+  I18N_LOADING_LABEL,
+  PROVIDER_TYPE_VALUE,
+  INPUT_PLACEHOLDER_ARN,
+  HELP_PAGE_IAM_ROLE,
+  AVAILABILITY_OPTIONS,
+};
+</script>
+
+<template>
+  <gl-form @submit="onSubmit">
+    <gl-form-group v-if="ready" :label="$options.I18N_LABEL_STATUS">
+      {{ $options.I18N_READY }}
+    </gl-form-group>
+    <gl-form-group v-else :label="$options.I18N_LABEL_SETUP">
+      <ol class="!gl-mb-0 gl-list-inside !gl-pl-0">
+        <li>
+          <gl-sprintf :message="$options.I18N_STEP_IDENTITY_PROVIDER">
+            <template #help="{ content }">
+              <help-page-link
+                href="user/duo_amazon_q/setup.md"
+                anchor="create-an-iam-identity-provider"
+                target="_blank"
+                rel="noopener noreferrer"
+                >{{ content }}</help-page-link
+              >
+            </template>
+          </gl-sprintf>
+          <div class="gl-mt-3">
+            <gl-form-group :label="s__('AmazonQ|Instance ID')">
+              <gl-form-input-group readonly :value="identityProviderPayload.instance_uid">
+                <template #append>
+                  <clipboard-button
+                    :text="identityProviderPayload.instance_uid"
+                    :title="$options.I18N_COPY"
+                    class="!gl-m-0"
+                  />
+                </template>
+              </gl-form-input-group>
+            </gl-form-group>
+            <gl-form-group :label="s__('AmazonQ|Provider type')">
+              <gl-form-input-group readonly :value="$options.PROVIDER_TYPE_VALUE">
+                <template #append>
+                  <clipboard-button
+                    :text="$options.PROVIDER_TYPE_VALUE"
+                    :title="$options.I18N_COPY"
+                    class="!gl-m-0"
+                  />
+                </template>
+              </gl-form-input-group>
+            </gl-form-group>
+            <gl-form-group :label="s__('AmazonQ|Provider URL')">
+              <gl-form-input-group readonly :value="identityProviderPayload.aws_provider_url">
+                <template #append>
+                  <clipboard-button
+                    :text="identityProviderPayload.aws_provider_url"
+                    :title="$options.I18N_COPY"
+                    class="!gl-m-0"
+                  />
+                </template>
+              </gl-form-input-group>
+            </gl-form-group>
+            <gl-form-group :label="s__('AmazonQ|Audience')">
+              <gl-form-input-group readonly :value="identityProviderPayload.aws_audience">
+                <template #append>
+                  <clipboard-button
+                    :text="identityProviderPayload.aws_audience"
+                    :title="$options.I18N_COPY"
+                    class="!gl-m-0"
+                  />
+                </template>
+              </gl-form-input-group>
+            </gl-form-group>
+          </div>
+        </li>
+        <li>
+          <gl-sprintf :message="$options.I18N_STEP_IAM_ROLE">
+            <template #help="{ content }">
+              <help-page-link
+                href="user/duo_amazon_q/setup.md"
+                anchor="create-an-iam-role"
+                target="_blank"
+                rel="noopener noreferrer"
+                >{{ content }}</help-page-link
+              >
+            </template>
+          </gl-sprintf>
+        </li>
+        <li>
+          {{ $options.I18N_STEP_ROLE_ARN }}
+        </li>
+      </ol>
+    </gl-form-group>
+    <gl-form-group :label="$options.I18N_IAM_ROLE_ARN_LABEL" :disabled="roleArnDisabled">
+      <gl-form-input
+        v-model="roleArn"
+        type="text"
+        width="lg"
+        name="aws_role"
+        :placeholder="$options.INPUT_PLACEHOLDER_ARN"
+      />
+    </gl-form-group>
+    <gl-form-group class="!gl-mb-3" :label="s__('AmazonQ|Availability')">
+      <!-- TODO(Q): We effectively copy this field from Duo settings. How do we want to handle this? -->
+      <gl-form-radio-group v-model="availability" name="availability">
+        <gl-form-radio
+          v-for="{ value, label, helpText } in $options.AVAILABILITY_OPTIONS"
+          :key="value"
+          :value="value"
+        >
+          {{ label }}
+          <template #help>{{ helpText }}</template>
+        </gl-form-radio>
+      </gl-form-radio-group>
+    </gl-form-group>
+    <gl-alert v-if="availabilityWarning" class="gl-mb-5" :dismissible="false" variant="warning">{{
+      availabilityWarning
+    }}</gl-alert>
+    <div class="gl-flex">
+      <gl-button type="submit" variant="confirm" category="primary" :loading="isSubmitting">
+        {{ $options.I18N_BTN_SAVE }}
+      </gl-button>
+      <gl-button
+        v-if="ready"
+        class="gl-ml-3"
+        variant="danger"
+        category="primary"
+        :loading="isDisconnecting"
+        @click="onDisconnect"
+      >
+        {{ $options.I18N_BTN_DISCONNECT }}
+      </gl-button>
+    </div>
+    <p v-if="!ready" class="gl-mt-3" data-testid="amazon-q-save-warning">
+      <gl-sprintf :message="$options.I18N_SAVE_ACKNOWLEDGE">
+        <template #help="{ content }">
+          <a href="http://aws.amazon.com/agreement" target="_blank" rel="noopener noreferrer">{{
+            content
+          }}</a>
+        </template>
+      </gl-sprintf>
+    </p>
+  </gl-form>
+</template>
diff --git a/ee/app/assets/javascripts/pages/admin/ai/amazon_q_settings/index.js b/ee/app/assets/javascripts/pages/admin/ai/amazon_q_settings/index.js
new file mode 100644
index 00000000000000..9c57e93e7f71a9
--- /dev/null
+++ b/ee/app/assets/javascripts/pages/admin/ai/amazon_q_settings/index.js
@@ -0,0 +1,4 @@
+import SettingsApp from 'ee/amazon_q_settings/components/app.vue';
+import { initSimpleApp } from '~/helpers/init_simple_app_helper';
+
+initSimpleApp('#js-amazon-q-settings', SettingsApp);
diff --git a/ee/spec/frontend/amazon_q_settings/components/app_spec.js b/ee/spec/frontend/amazon_q_settings/components/app_spec.js
new file mode 100644
index 00000000000000..ac2d4f184e9562
--- /dev/null
+++ b/ee/spec/frontend/amazon_q_settings/components/app_spec.js
@@ -0,0 +1,352 @@
+import { nextTick } from 'vue';
+import {
+  GlAlert,
+  GlButton,
+  GlForm,
+  GlFormInput,
+  GlFormInputGroup,
+  GlFormGroup,
+  GlFormRadioGroup,
+  GlFormRadio,
+  GlSprintf,
+} from '@gitlab/ui';
+import { shallowMount } from '@vue/test-utils';
+import App from 'ee/amazon_q_settings/components/app.vue';
+import HelpPageLink from '~/vue_shared/components/help_page_link/help_page_link.vue';
+import { createAndSubmitForm } from '~/lib/utils/create_and_submit_form';
+import ClipboardButton from '~/vue_shared/components/clipboard_button.vue';
+
+jest.mock('~/lib/utils/create_and_submit_form');
+
+const TEST_SUBMIT_URL = '/foo/submit/url';
+const TEST_DISCONNECT_URL = '/foo/disconnect';
+const TEST_AMAZON_Q_SETTINGS = {
+  ready: true,
+  availability: 'default_on',
+  roleArn: 'aws:role:arn',
+};
+
+describe('ee/amazon_q_settings/components/app.vue', () => {
+  let wrapper;
+
+  const createWrapper = (props = {}) => {
+    wrapper = shallowMount(App, {
+      propsData: {
+        submitUrl: TEST_SUBMIT_URL,
+        disconnectUrl: TEST_DISCONNECT_URL,
+        identityProviderPayload: {
+          instance_uid: 'instance-uid',
+          aws_provider_url: 'https://provider.url',
+          aws_audience: 'audience',
+        },
+        ...props,
+      },
+      stubs: {
+        GlFormInputGroup,
+        GlSprintf,
+      },
+    });
+  };
+
+  const findForm = () => wrapper.findComponent(GlForm);
+  const findFormGroup = (label) =>
+    findForm()
+      .findAllComponents(GlFormGroup)
+      .wrappers.find((x) => x.attributes('label') === label);
+
+  const findStatusFormGroup = () => findFormGroup('Status');
+  const findSetupFormGroup = () => findFormGroup('Setup');
+  const listItems = () => findSetupFormGroup().findAll('ol li').wrappers;
+  const listItem = (at) => listItems()[at];
+
+  // arn helpers -----
+  const findArnFormGroup = () => findFormGroup("IAM role's ARN");
+  const findArnField = () => findArnFormGroup().findComponent(GlFormInput);
+  const setArn = (val) => findArnField().vm.$emit('input', val);
+
+  // availability helpers -----
+  const findAvailabilityRadioGroup = () =>
+    findFormGroup('Availability').findComponent(GlFormRadioGroup);
+  const findAvailabilityRadioButtons = () =>
+    findAvailabilityRadioGroup()
+      .findAllComponents(GlFormRadio)
+      .wrappers.map((x) => ({
+        value: x.attributes('value'),
+        label: x.text(),
+      }));
+  const setAvailability = (val) => findAvailabilityRadioGroup().vm.$emit('input', val);
+
+  // warning helpers -----
+  const findAvailabilityWarning = () => findForm().findComponent(GlAlert);
+  const findSaveWarning = () => findForm().find('[data-testid=amazon-q-save-warning]');
+  const findSaveWarningLink = () => findSaveWarning().find('a');
+
+  // button helpers -----
+  const findButton = (text) =>
+    findForm()
+      .findAllComponents(GlButton)
+      .wrappers.find((x) => x.text() === text);
+  const findSubmitButton = () => findButton('Save changes');
+  const findDisconnectButton = () => findButton('Disconnect');
+
+  describe('default', () => {
+    beforeEach(() => {
+      createWrapper();
+    });
+
+    it('renders form', () => {
+      expect(findForm().exists()).toBe(true);
+    });
+
+    it('does not render status', () => {
+      expect(findStatusFormGroup()).toBeUndefined();
+    });
+
+    describe('setup', () => {
+      it('renders setup', () => {
+        expect(findSetupFormGroup().exists()).toBe(true);
+
+        expect(listItems()).toHaveLength(3);
+      });
+
+      it('renders step 1', () => {
+        const idpStepText = listItem(0).text();
+        const idpStepHelpPageLink = listItem(0).findComponent(HelpPageLink);
+
+        expect(idpStepText).toBe(
+          'Create an identity provider for this GitLab instance within AWS using the following values. Learn more.',
+        );
+        expect(idpStepHelpPageLink.props()).toEqual({
+          anchor: 'create-an-iam-identity-provider',
+          href: 'user/duo_amazon_q/setup.md',
+        });
+        expect(idpStepHelpPageLink.text()).toEqual('Learn more');
+      });
+
+      it('renders identity provider details with clipboard buttons', () => {
+        const idpFormFields = listItem(0).findAllComponents(GlFormInputGroup).wrappers;
+        const idpClipboardButtons = listItem(0).findAllComponents(ClipboardButton).wrappers;
+
+        expect(idpFormFields[0].props('value')).toEqual('instance-uid');
+        expect(idpClipboardButtons[0].props('text')).toEqual('instance-uid');
+
+        expect(idpFormFields[1].props('value')).toEqual('OpenID Connect');
+        expect(idpClipboardButtons[1].props('text')).toEqual('OpenID Connect');
+
+        expect(idpFormFields[2].props('value')).toEqual('https://provider.url');
+        expect(idpClipboardButtons[2].props('text')).toEqual('https://provider.url');
+
+        expect(idpFormFields[3].props('value')).toEqual('audience');
+        expect(idpClipboardButtons[3].props('text')).toEqual('audience');
+      });
+
+      it('renders step 2', () => {
+        const iamStepText = listItem(1).text();
+        const iamStepHelpPageLink = listItem(1).findComponent(HelpPageLink);
+
+        expect(iamStepText).toBe(
+          'Within your AWS account, create an IAM role for Amazon Q and the relevant identity provider. Learn how to create an IAM role.',
+        );
+        expect(iamStepHelpPageLink.props()).toEqual({
+          anchor: 'create-an-iam-role',
+          href: 'user/duo_amazon_q/setup.md',
+        });
+        expect(iamStepHelpPageLink.text()).toEqual('Learn how to create an IAM role');
+      });
+
+      it('renders step 3', () => {
+        const arnStepText = listItem(2).text();
+
+        expect(arnStepText).toEqual("Enter the IAM role's ARN.");
+      });
+    });
+
+    it('renders arn field', () => {
+      expect(findArnFormGroup().exists()).toBe(true);
+
+      const input = findArnFormGroup().findComponent(GlFormInput);
+
+      expect(input.attributes()).toMatchObject({
+        value: '',
+        type: 'text',
+        width: 'lg',
+        name: 'aws_role',
+        placeholder: 'arn:aws:iam::account-id:role/role-name',
+      });
+    });
+
+    it('renders availability field', () => {
+      expect(findAvailabilityRadioGroup().attributes()).toMatchObject({
+        checked: 'default_on',
+        name: 'availability',
+      });
+      expect(findAvailabilityRadioButtons()).toEqual([
+        {
+          label: 'On by default',
+          value: 'default_on',
+        },
+        {
+          label: 'Off by default',
+          value: 'default_off',
+        },
+        {
+          label: 'Always off',
+          value: 'never_on',
+        },
+      ]);
+    });
+
+    it('does not render availability warning', () => {
+      expect(findAvailabilityWarning().exists()).toBe(false);
+    });
+
+    it('renders enabled arn', () => {
+      expect(findArnFormGroup().attributes('disabled')).toBeUndefined();
+    });
+
+    it('renders save button', () => {
+      expect(findSubmitButton().attributes()).toMatchObject({
+        type: 'submit',
+        variant: 'confirm',
+        category: 'primary',
+      });
+    });
+
+    it('does not render disconnect button', () => {
+      expect(findDisconnectButton()).toBeUndefined();
+    });
+
+    it('renders save acknowledgement', () => {
+      expect(findSaveWarning().text()).toBe(
+        'I understand that by selecting Save changes, GitLab creates a service account for Amazon Q and sends its credentials to AWS. Use of the Amazon Q Developer capabilities as part of GitLab Duo with Amazon Q is governed by the AWS Customer Agreement or other written agreement between you and AWS governing your use of AWS services.',
+      );
+
+      expect(findSaveWarningLink().attributes()).toEqual({
+        href: 'http://aws.amazon.com/agreement',
+        rel: 'noopener noreferrer',
+        target: '_blank',
+      });
+      expect(findSaveWarningLink().text()).toEqual('AWS Customer Agreement');
+    });
+
+    describe('when submitting', () => {
+      let event;
+
+      beforeEach(async () => {
+        event = new Event('submit');
+        jest.spyOn(event, 'preventDefault');
+
+        setArn('aws:test:value');
+        setAvailability('default_off');
+
+        await nextTick();
+
+        findForm().vm.$emit('submit', event);
+      });
+
+      it('prevents default', () => {
+        expect(event.preventDefault).toHaveBeenCalled();
+      });
+
+      it('triggers submit form', () => {
+        expect(createAndSubmitForm).toHaveBeenCalledTimes(1);
+        expect(createAndSubmitForm).toHaveBeenCalledWith({
+          url: TEST_SUBMIT_URL,
+          data: {
+            availability: 'default_off',
+            role_arn: 'aws:test:value',
+          },
+        });
+      });
+    });
+  });
+
+  describe('when ready', () => {
+    beforeEach(() => {
+      createWrapper({
+        amazonQSettings: TEST_AMAZON_Q_SETTINGS,
+      });
+    });
+
+    it('renders status', () => {
+      expect(findStatusFormGroup().exists()).toBe(true);
+      expect(findStatusFormGroup().text()).toBe(App.I18N_READY);
+    });
+
+    it('does not render setup', () => {
+      expect(findSetupFormGroup()).toBeUndefined();
+    });
+
+    it('renders disabled arn', () => {
+      expect(findArnFormGroup().attributes('disabled')).toBeDefined();
+    });
+
+    it('renders disconnect button', () => {
+      expect(findDisconnectButton().attributes()).toMatchObject({
+        variant: 'danger',
+        category: 'primary',
+      });
+    });
+
+    it('does not render save acknowledgement', () => {
+      expect(findSaveWarning().exists()).toBe(false);
+    });
+
+    describe('when submitting', () => {
+      beforeEach(async () => {
+        setAvailability('default_off');
+
+        await nextTick();
+
+        findForm().vm.$emit('submit', new Event('submit'));
+      });
+
+      it('triggers submit form', () => {
+        expect(createAndSubmitForm).toHaveBeenCalledTimes(1);
+        expect(createAndSubmitForm).toHaveBeenCalledWith({
+          url: TEST_SUBMIT_URL,
+          data: {
+            availability: 'default_off',
+          },
+        });
+      });
+    });
+  });
+
+  describe('availability warnings', () => {
+    it.each`
+      orig             | value            | expected
+      ${'default_off'} | ${'default_off'} | ${''}
+      ${'default_off'} | ${'never_on'}    | ${App.I18N_WARNING_NEVER_ON}
+      ${'default_off'} | ${'default_on'}  | ${''}
+      ${'never_on'}    | ${'never_on'}    | ${''}
+      ${'never_on'}    | ${'default_off'} | ${App.I18N_WARNING_OFF_BY_DEFAULT}
+      ${'never_on'}    | ${'default_on'}  | ${''}
+      ${'default_on'}  | ${'default_on'}  | ${''}
+      ${'default_on'}  | ${'default_off'} | ${App.I18N_WARNING_OFF_BY_DEFAULT}
+      ${'default_on'}  | ${'never_on'}    | ${App.I18N_WARNING_NEVER_ON}
+    `('from $orig to $value', async ({ orig, value, expected }) => {
+      createWrapper({
+        amazonQSettings: {
+          ...TEST_AMAZON_Q_SETTINGS,
+          availability: orig,
+        },
+      });
+
+      expect(findAvailabilityWarning().exists()).toBe(false);
+
+      setAvailability(value);
+      await nextTick();
+
+      if (expected) {
+        expect(findAvailabilityWarning().props()).toMatchObject({
+          dismissible: false,
+          variant: 'warning',
+        });
+        expect(findAvailabilityWarning().text()).toBe(expected);
+      } else {
+        expect(findAvailabilityWarning().exists()).toBe(false);
+      }
+    });
+  });
+});
-- 
GitLab


From 6bcf283fa1899c8151dc9235ba75715d1cc8eec7 Mon Sep 17 00:00:00 2001
From: Paul Slaughter <pslaughter@gitlab.com>
Date: Tue, 3 Dec 2024 10:59:23 -0600
Subject: [PATCH 06/14] Feat(Q): Add Group AmazonQ availability settings

---
 .../settings/components/amazon_q_settings.vue |  88 ++++++++++++++
 .../ai/settings/pages/ai_group_settings.vue   |  10 +-
 ee/app/helpers/ee/groups/settings_helper.rb   |   3 +-
 .../service_account_member_remove_service.rb  |  42 +++++++
 ee/app/services/ee/groups/update_service.rb   |   8 ++
 .../components/amazon_q_settings_spec.js      | 110 ++++++++++++++++++
 .../settings/pages/ai_group_settings_spec.js  |  32 +++++
 .../helpers/ee/groups/settings_helper_spec.rb |  13 ++-
 ...vice_account_member_remove_service_spec.rb | 104 +++++++++++++++++
 .../services/groups/update_service_spec.rb    |  31 +++++
 10 files changed, 433 insertions(+), 8 deletions(-)
 create mode 100644 ee/app/assets/javascripts/ai/settings/components/amazon_q_settings.vue
 create mode 100644 ee/app/services/ai/amazon_q/service_account_member_remove_service.rb
 create mode 100644 ee/spec/frontend/ai/settings/components/amazon_q_settings_spec.js
 create mode 100644 ee/spec/services/ai/amazon_q/service_account_member_remove_service_spec.rb

diff --git a/ee/app/assets/javascripts/ai/settings/components/amazon_q_settings.vue b/ee/app/assets/javascripts/ai/settings/components/amazon_q_settings.vue
new file mode 100644
index 00000000000000..930d97a740b3bd
--- /dev/null
+++ b/ee/app/assets/javascripts/ai/settings/components/amazon_q_settings.vue
@@ -0,0 +1,88 @@
+<script>
+import { GlLink, GlSprintf, GlForm, GlAlert, GlButton } from '@gitlab/ui';
+import { helpPagePath } from '~/helpers/help_page_helper';
+import { s__, __ } from '~/locale';
+import SettingsBlock from '~/vue_shared/components/settings/settings_block.vue';
+import { AVAILABILITY_OPTIONS } from '../constants';
+import DuoAvailability from './duo_availability_form.vue';
+
+export default {
+  name: 'AmazonQSettings',
+  components: {
+    GlLink,
+    GlSprintf,
+    GlForm,
+    GlAlert,
+    GlButton,
+    SettingsBlock,
+    DuoAvailability,
+  },
+  i18n: {
+    confirmButtonText: __('Save changes'),
+    neverOnWarning: s__(
+      'AmazonQ|When you save, Amazon Q will be turned off for all subgroups, and projects, even if they have previously enabled it.%{br}This will also remove the Amazon Q service account from these groups and projects.',
+    ),
+    settingsBlockTitle: __('Amazon Q'),
+    settingsBlockDescription: s__(
+      'AmazonQ|Use GitLab Duo with Amazon Q to create and review merge requests and upgrade Java. GitLab Duo with Amazon Q is separate from GitLab Duo Pro and Enterprise. %{linkStart}Learn more%{linkEnd}.',
+    ),
+  },
+  inject: ['duoAvailability'],
+  data() {
+    return {
+      availability: this.duoAvailability,
+    };
+  },
+  computed: {
+    hasAvailabilityChanged() {
+      return this.availability !== this.duoAvailability;
+    },
+    warningMessage() {
+      if (this.hasAvailabilityChanged && this.availability === AVAILABILITY_OPTIONS.NEVER_ON) {
+        return this.$options.i18n.neverOnWarning;
+      }
+
+      return null;
+    },
+  },
+  methods: {
+    submitForm() {
+      this.$emit('submit', {
+        duoAvailability: this.availability,
+      });
+    },
+    onRadioChanged(value) {
+      this.availability = value;
+    },
+  },
+  helpPath: helpPagePath('user/duo_amazon_q/index.md'),
+};
+</script>
+<template>
+  <settings-block :title="$options.i18n.settingsBlockTitle">
+    <template #description>
+      <gl-sprintf :message="$options.i18n.settingsBlockDescription">
+        <template #link="{ content }">
+          <gl-link :href="$options.helpPath">{{ content }}</gl-link>
+        </template>
+      </gl-sprintf>
+    </template>
+    <template #default>
+      <gl-form @submit.prevent="submitForm">
+        <duo-availability :duo-availability="availability" @change="onRadioChanged" />
+        <gl-alert v-if="warningMessage" :dismissible="false" variant="warning">
+          <gl-sprintf :message="warningMessage">
+            <template #br>
+              <br />
+            </template>
+          </gl-sprintf>
+        </gl-alert>
+        <div class="gl-mt-6">
+          <gl-button type="submit" variant="confirm" :disabled="!hasAvailabilityChanged">
+            {{ $options.i18n.confirmButtonText }}
+          </gl-button>
+        </div>
+      </gl-form>
+    </template>
+  </settings-block>
+</template>
diff --git a/ee/app/assets/javascripts/ai/settings/pages/ai_group_settings.vue b/ee/app/assets/javascripts/ai/settings/pages/ai_group_settings.vue
index b8104c636314e7..299c12b7dc9df3 100644
--- a/ee/app/assets/javascripts/ai/settings/pages/ai_group_settings.vue
+++ b/ee/app/assets/javascripts/ai/settings/pages/ai_group_settings.vue
@@ -4,6 +4,7 @@ import { visitUrlWithAlerts } from '~/lib/utils/url_utility';
 import { createAlert, VARIANT_INFO } from '~/alert';
 import { __ } from '~/locale';
 import AiCommonSettings from '../components/ai_common_settings.vue';
+import AmazonQSettings from '../components/amazon_q_settings.vue';
 
 const EarlyAccessProgramBanner = () => import('../components/early_access_program_banner.vue');
 
@@ -12,6 +13,7 @@ export default {
   components: {
     AiCommonSettings,
     EarlyAccessProgramBanner,
+    AmazonQSettings,
   },
   i18n: {
     successMessage: __('Group was successfully updated.'),
@@ -19,7 +21,10 @@ export default {
       'An error occurred while retrieving your settings. Reload the page to try again.',
     ),
   },
-  inject: ['showEarlyAccessBanner'],
+  inject: {
+    showEarlyAccessBanner: { default: false },
+    amazonQAvailable: { default: false },
+  },
   props: {
     redirectPath: {
       type: String,
@@ -62,7 +67,8 @@ export default {
 };
 </script>
 <template>
-  <ai-common-settings @submit="updateSettings">
+  <amazon-q-settings v-if="amazonQAvailable" @submit="updateSettings" />
+  <ai-common-settings v-else @submit="updateSettings">
     <template #ai-common-settings-top>
       <early-access-program-banner v-if="showEarlyAccessBanner" />
     </template>
diff --git a/ee/app/helpers/ee/groups/settings_helper.rb b/ee/app/helpers/ee/groups/settings_helper.rb
index af9bb5861a5125..5ecbc87ce2fad2 100644
--- a/ee/app/helpers/ee/groups/settings_helper.rb
+++ b/ee/app/helpers/ee/groups/settings_helper.rb
@@ -22,7 +22,7 @@ def unique_project_download_limit_settings_data
       end
 
       def show_group_ai_settings?
-        @group.licensed_ai_features_available?
+        Ai::AmazonQ.connected? || @group.licensed_ai_features_available?
       end
 
       def show_early_access_program_banner?
@@ -55,6 +55,7 @@ def group_ai_settings_helper_data
           are_experiment_settings_allowed: @group.experiment_settings_allowed?.to_s,
           show_early_access_banner: show_early_access_program_banner?.to_s,
           early_access_path: group_early_access_opt_in_path(@group),
+          amazon_q_available: Ai::AmazonQ.connected?.to_s,
           update_id: @group.id
         }
       end
diff --git a/ee/app/services/ai/amazon_q/service_account_member_remove_service.rb b/ee/app/services/ai/amazon_q/service_account_member_remove_service.rb
new file mode 100644
index 00000000000000..6124c3f1da07ad
--- /dev/null
+++ b/ee/app/services/ai/amazon_q/service_account_member_remove_service.rb
@@ -0,0 +1,42 @@
+# frozen_string_literal: true
+
+module Ai
+  module AmazonQ
+    class ServiceAccountMemberRemoveService
+      def initialize(user, membership_container)
+        @user = user
+        @membership_container = membership_container
+      end
+
+      def execute
+        q_user_id = Ai::Setting.instance.amazon_q_service_account_user_id
+        member = find_or_initialize_member_by_user(q_user_id)
+
+        return ServiceResponse.success(message: "Membership not found. Nothing to do.") unless member
+
+        Members::DestroyService.new(user).execute(
+          member,
+          skip_authorization: true,
+          skip_subresources: false,
+          unassign_issuables: false
+        )
+
+        ServiceResponse.success
+      end
+
+      private
+
+      attr_reader :user, :membership_container
+
+      def find_or_initialize_member_by_user(user_id)
+        existing_member = membership_container.members.find_by(user_id: user_id) # rubocop: disable CodeReuse/ActiveRecord -- We need to fetch this member
+
+        return existing_member unless membership_container.is_a?(Group) && !existing_member
+
+        # If we're a Group we go ahead and build a membership so we can run destroy service on subresources
+        # TODO(Q): Let's find a way to make this workaround more straightforward in `Members::DestroyService`
+        membership_container.members.build(user_id: user_id)
+      end
+    end
+  end
+end
diff --git a/ee/app/services/ee/groups/update_service.rb b/ee/app/services/ee/groups/update_service.rb
index 3c22f05d856c2f..67f408d00e53fd 100644
--- a/ee/app/services/ee/groups/update_service.rb
+++ b/ee/app/services/ee/groups/update_service.rb
@@ -36,6 +36,7 @@ def after_update
 
         update_cascading_settings
         activate_pending_members
+        update_amazon_q_service_account!
       end
 
       override :before_assignment_hook
@@ -166,6 +167,13 @@ def activate_pending_members
           ::Members::ActivateService.for_group(group).execute(current_user: current_user)
         end
       end
+
+      def update_amazon_q_service_account!
+        return unless ::Ai::AmazonQ.connected?
+        return unless params[:duo_availability] == 'never_on'
+
+        ::Ai::AmazonQ::ServiceAccountMemberRemoveService.new(current_user, group).execute
+      end
     end
   end
 end
diff --git a/ee/spec/frontend/ai/settings/components/amazon_q_settings_spec.js b/ee/spec/frontend/ai/settings/components/amazon_q_settings_spec.js
new file mode 100644
index 00000000000000..a72c93a7fcccbc
--- /dev/null
+++ b/ee/spec/frontend/ai/settings/components/amazon_q_settings_spec.js
@@ -0,0 +1,110 @@
+import { nextTick } from 'vue';
+import { GlLink, GlSprintf, GlForm, GlAlert, GlButton } from '@gitlab/ui';
+import { shallowMountExtended } from 'helpers/vue_test_utils_helper';
+import { stubComponent, RENDER_ALL_SLOTS_TEMPLATE } from 'helpers/stub_component';
+import AmazonQSettings from 'ee/ai/settings/components/amazon_q_settings.vue';
+import { AVAILABILITY_OPTIONS } from 'ee/ai/settings/constants';
+import SettingsBlock from '~/vue_shared/components/settings/settings_block.vue';
+import DuoAvailability from 'ee/ai/settings/components/duo_availability_form.vue';
+
+describe('ee/ai/settings/components/amazon_q_settings.vue', () => {
+  let wrapper;
+
+  const createComponent = ({ duoAvailability = AVAILABILITY_OPTIONS.DEFAULT_ON } = {}) => {
+    wrapper = shallowMountExtended(AmazonQSettings, {
+      provide: {
+        duoAvailability,
+      },
+      stubs: {
+        SettingsBlock: stubComponent(SettingsBlock, {
+          template: RENDER_ALL_SLOTS_TEMPLATE,
+        }),
+        GlSprintf,
+      },
+    });
+  };
+
+  const findSettingsBlock = () => wrapper.findComponent(SettingsBlock);
+  const findSettingsBlockDescription = () => wrapper.findByTestId('slot-description');
+  const findSettingsBlockDescriptionLink = () =>
+    findSettingsBlockDescription().findComponent(GlLink);
+  const findForm = () => wrapper.findComponent(GlForm);
+  const findDuoAvailabilityInput = () => findForm().findComponent(DuoAvailability);
+  const findWarningAlert = () => findForm().findComponent(GlAlert);
+  const findSubmitButton = () => findForm().findComponent(GlButton);
+
+  describe('default', () => {
+    beforeEach(() => {
+      createComponent();
+    });
+
+    it('renders settings block', () => {
+      expect(findSettingsBlock().props('title')).toEqual('Amazon Q');
+    });
+
+    it('renders settings block description', () => {
+      expect(findSettingsBlockDescription().text()).toEqual(
+        'Use GitLab Duo with Amazon Q to create and review merge requests and upgrade Java. GitLab Duo with Amazon Q is separate from GitLab Duo Pro and Enterprise. Learn more.',
+      );
+      expect(findSettingsBlockDescriptionLink().text()).toEqual('Learn more');
+      expect(findSettingsBlockDescriptionLink().attributes('href')).toEqual(
+        '/help/user/duo_amazon_q/index.md',
+      );
+    });
+
+    it('renders duo availability input', () => {
+      expect(findDuoAvailabilityInput().props()).toMatchObject({
+        duoAvailability: AVAILABILITY_OPTIONS.DEFAULT_ON,
+      });
+    });
+
+    it('does not render warning alert', () => {
+      expect(findWarningAlert().exists()).toBe(false);
+    });
+
+    it('renders submit button', () => {
+      expect(findSubmitButton().text()).toEqual('Save changes');
+      expect(findSubmitButton().attributes()).toMatchObject({
+        type: 'submit',
+        disabled: 'true',
+      });
+    });
+
+    describe('when value changes to never_on', () => {
+      beforeEach(async () => {
+        findDuoAvailabilityInput().vm.$emit('change', AVAILABILITY_OPTIONS.NEVER_ON);
+
+        await nextTick();
+      });
+
+      it('renders warning alert', () => {
+        expect(findWarningAlert().props()).toMatchObject({
+          dismissible: false,
+          variant: 'warning',
+        });
+        expect(findWarningAlert().text()).toEqual(
+          'When you save, Amazon Q will be turned off for all subgroups, and projects, even if they have previously enabled it.This will also remove the Amazon Q service account from these groups and projects.',
+        );
+      });
+
+      it('enables submit button', () => {
+        expect(findSubmitButton().props('disabled')).toBe(false);
+      });
+
+      it('emits submit event when form is submitted', async () => {
+        expect(wrapper.emitted('submit')).toBeUndefined();
+
+        findForm().vm.$emit('submit', new Event('submit'));
+        await nextTick();
+
+        expect(wrapper.emitted('submit')).toEqual([
+          [
+            {
+              duoAvailability: AVAILABILITY_OPTIONS.NEVER_ON,
+            },
+          ],
+        ]);
+      });
+    });
+  });
+});
diff --git a/ee/spec/frontend/ai/settings/pages/ai_group_settings_spec.js b/ee/spec/frontend/ai/settings/pages/ai_group_settings_spec.js
index 13ca0b166a9c7e..417e82d80d1059 100644
--- a/ee/spec/frontend/ai/settings/pages/ai_group_settings_spec.js
+++ b/ee/spec/frontend/ai/settings/pages/ai_group_settings_spec.js
@@ -4,6 +4,7 @@ import { updateGroupSettings } from 'ee/api/groups_api';
 import { visitUrlWithAlerts } from '~/lib/utils/url_utility';
 import { createAlert } from '~/alert';
 import AiCommonSettings from 'ee/ai/settings/components/ai_common_settings.vue';
+import AmazonQSettings from 'ee/ai/settings/components/amazon_q_settings.vue';
 import AiGroupSettings from 'ee/ai/settings/pages/ai_group_settings.vue';
 import waitForPromises from 'helpers/wait_for_promises';
 import { AVAILABILITY_OPTIONS } from 'ee/ai/settings/constants';
@@ -34,6 +35,7 @@ const createComponent = (props = {}, provide = {}) => {
 };
 
 const findAiCommonSettings = () => wrapper.findComponent(AiCommonSettings);
+const findAmazonQSettings = () => wrapper.findComponent(AmazonQSettings);
 const findEarlyAccessBanner = () => wrapper.findComponent({ name: 'EarlyAccessProgramBanner' });
 
 describe('AiGroupSettings', () => {
@@ -45,6 +47,10 @@ describe('AiGroupSettings', () => {
     it('renders the component', () => {
       expect(wrapper.exists()).toBe(true);
     });
+
+    it('does not render amazonQ settings', () => {
+      expect(findAmazonQSettings().exists()).toBe(false);
+    });
   });
 
   describe('when showEarlyAccessBanner setting is set', () => {
@@ -108,4 +114,30 @@ describe('AiGroupSettings', () => {
       );
     });
   });
+
+  describe('with amazonQAvailable is true', () => {
+    beforeEach(async () => {
+      createComponent({}, { amazonQAvailable: true });
+      await nextTick();
+    });
+
+    it('renders AmazonQSettings and not AiCommonSettings', () => {
+      expect(findAmazonQSettings().exists()).toBe(true);
+      expect(findAiCommonSettings().exists()).toBe(false);
+    });
+
+    it('calls updateGroupSettings with correct parameters', async () => {
+      updateGroupSettings.mockResolvedValue({});
+
+      await findAmazonQSettings().vm.$emit('submit', {
+        duoAvailability: AVAILABILITY_OPTIONS.DEFAULT_OFF,
+      });
+
+      expect(updateGroupSettings).toHaveBeenCalledTimes(1);
+      expect(updateGroupSettings).toHaveBeenCalledWith('100', {
+        duo_availability: AVAILABILITY_OPTIONS.DEFAULT_OFF,
+        experiment_features_enabled: undefined,
+      });
+    });
+  });
 });
diff --git a/ee/spec/helpers/ee/groups/settings_helper_spec.rb b/ee/spec/helpers/ee/groups/settings_helper_spec.rb
index 4b2ccaa31f3a00..62182a0070f1c3 100644
--- a/ee/spec/helpers/ee/groups/settings_helper_spec.rb
+++ b/ee/spec/helpers/ee/groups/settings_helper_spec.rb
@@ -77,6 +77,7 @@
         {
           cascading_settings_data: "{\"locked_by_application_setting\":false,\"locked_by_ancestor\":false}",
           duo_availability: group.namespace_settings.duo_availability.to_s,
+          amazon_q_available: "false",
           are_duo_settings_locked: group.namespace_settings.duo_features_enabled_locked?.to_s,
           experiment_features_enabled: group.namespace_settings.experiment_features_enabled.to_s,
           are_experiment_settings_allowed: group.experiment_settings_allowed?.to_s,
@@ -92,17 +93,19 @@
     using RSpec::Parameterized::TableSyntax
     subject { helper.show_group_ai_settings? }
 
-    where(:ai_chat_enabled, :ai_features_enabled, :result) do
-      true  | true  | true
-      true  | false | true
-      false | true  | true
-      false | false | false
+    where(:ai_chat_enabled, :ai_features_enabled, :amazon_q_connected, :result) do
+      true  | true  | false | true
+      true  | false | false | true
+      false | true  | false | true
+      false | false | false | false
+      false | false | true  | true
     end
 
     with_them do
       before do
         allow(group).to receive(:licensed_feature_available?).with(:ai_chat).and_return(ai_chat_enabled)
         allow(group).to receive(:licensed_feature_available?).with(:ai_features).and_return(ai_features_enabled)
+        allow(::Ai::AmazonQ).to receive(:connected?).and_return(amazon_q_connected)
       end
 
       it "returns expected result" do
diff --git a/ee/spec/services/ai/amazon_q/service_account_member_remove_service_spec.rb b/ee/spec/services/ai/amazon_q/service_account_member_remove_service_spec.rb
new file mode 100644
index 00000000000000..16289e7026f656
--- /dev/null
+++ b/ee/spec/services/ai/amazon_q/service_account_member_remove_service_spec.rb
@@ -0,0 +1,104 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Ai::AmazonQ::ServiceAccountMemberRemoveService, feature_category: :duo_workflow do
+  let_it_be(:current_user) { create(:user) }
+  let_it_be(:service_account) { create(:user) }
+  let(:group) { create(:group) }
+  let(:project) { create(:project, namespace: group) }
+  let(:service) { described_class.new(current_user, project) }
+
+  shared_examples 'when the service account is a member of the project' do
+    before do
+      project.add_developer(service_account)
+    end
+
+    it 'removes the service account membership' do
+      expect { service.execute }.to change { project.members.count }.by(-1)
+      expect(project.members.find_by(user_id: service_account.id)).to be_nil
+    end
+
+    it 'returns a success response' do
+      result = service.execute
+
+      expect(result).to be_success
+    end
+
+    it 'calls destroy service' do
+      # Note: call expected_member first so that it can handle whatever mocks it needs
+      member = expected_member
+
+      expect_next_instance_of(Members::DestroyService, current_user) do |destroy_service|
+        expect(destroy_service).to receive(:execute).with(
+          member,
+          skip_authorization: true,
+          skip_subresources: false,
+          unassign_issuables: false
+        )
+      end
+
+      service.execute
+    end
+  end
+
+  describe '#execute' do
+    before do
+      Ai::Setting.instance.update!(amazon_q_service_account_user_id: service_account.id)
+    end
+
+    it_behaves_like 'when the service account is a member of the project' do
+      let(:expected_member) { project.members.find_by(user_id: service_account.id) }
+    end
+
+    context 'when the service account is not a member of the project' do
+      it 'does not remove any membership' do
+        expect { service.execute }.not_to change { project.members.count }
+      end
+
+      it 'returns a success response with a message' do
+        result = service.execute
+
+        expect(result).to be_success
+        expect(result.message).to eq("Membership not found. Nothing to do.")
+      end
+    end
+
+    context 'when the service targets the group' do
+      let(:service) { described_class.new(current_user, group) }
+
+      it_behaves_like 'when the service account is a member of the project' do
+        let(:expected_member) do
+          member = group.members.build(user_id: service_account.id)
+
+          # what: Stub `.build` so that we always return the same value which can strengthen our assertion
+          #
+          # note: We put this inside the `expected_member` so that the other tests run without this stub, to give us
+          # some "integration" coverage
+          allow(group.members).to receive(:build).with(user_id: service_account.id).and_return(member)
+
+          member
+        end
+      end
+
+      context 'when the service account is a member of the group' do
+        before do
+          group.add_developer(service_account)
+        end
+
+        it 'calls destroy service' do
+          expect_next_instance_of(Members::DestroyService, current_user) do |destroy_service|
+            expect(destroy_service).to receive(:execute).with(
+              group.members.find_by(user_id: service_account.id),
+              skip_authorization: true,
+              skip_subresources: false,
+              unassign_issuables: false
+            )
+          end
+
+          service.execute
+        end
+      end
+    end
+  end
+end
diff --git a/ee/spec/services/groups/update_service_spec.rb b/ee/spec/services/groups/update_service_spec.rb
index d5e826b5744cd3..885cef052e4ffe 100644
--- a/ee/spec/services/groups/update_service_spec.rb
+++ b/ee/spec/services/groups/update_service_spec.rb
@@ -639,6 +639,37 @@ def update_file_template_project_id(id)
     end
   end
 
+  context 'when updating duo_availability' do
+    using RSpec::Parameterized::TableSyntax
+
+    where(:duo_availability, :amazon_q_connected, :expected_result) do
+      'never_on'    | true  | true
+      'never_on'    | false | false
+      'default_off' | true  | false
+      'default_off' | false | false
+    end
+
+    with_them do
+      let(:params) { { duo_availability: duo_availability } }
+
+      before do
+        allow(::Ai::AmazonQ).to receive(:connected?).and_return(amazon_q_connected)
+      end
+
+      it 'calls the service when conditions are met' do
+        if expected_result
+          expect_next_instance_of(::Ai::AmazonQ::ServiceAccountMemberRemoveService, user, group) do |service|
+            expect(service).to receive(:execute)
+          end
+        else
+          expect(::Ai::AmazonQ::ServiceAccountMemberRemoveService).not_to receive(:new)
+        end
+
+        update_group(group, user, params)
+      end
+    end
+  end
+
   def update_group(group, user, opts)
     Groups::UpdateService.new(group, user, opts).execute
   end
-- 
GitLab


From 27103fb29bf271074e9bab870b8f4057bfa39a86 Mon Sep 17 00:00:00 2001
From: Paul Slaughter <pslaughter@gitlab.com>
Date: Tue, 3 Dec 2024 11:03:08 -0600
Subject: [PATCH 07/14] Feat(Q): Add Project AmazonQ availability settings

---
 .../permissions/components/settings_panel.vue |  38 ++++--
 .../projects/shared/permissions/constants.js  |   1 +
 .../assets/javascripts/ai/settings/index.js   |   2 +
 ee/app/helpers/ee/projects_helper.rb          |   1 +
 .../service_account_member_add_service.rb     |  28 +++++
 ee/app/services/ee/projects/update_service.rb |  15 +++
 ee/spec/helpers/projects_helper_spec.rb       |  13 ++
 ...service_account_member_add_service_spec.rb |  49 ++++++++
 .../services/projects/update_service_spec.rb  | 111 ++++++++++++++++++
 .../components/settings_panel_spec.js         |  22 ++++
 10 files changed, 272 insertions(+), 8 deletions(-)
 create mode 100644 ee/app/services/ai/amazon_q/service_account_member_add_service.rb
 create mode 100644 ee/spec/services/ai/amazon_q/service_account_member_add_service_spec.rb

diff --git a/app/assets/javascripts/pages/projects/shared/permissions/components/settings_panel.vue b/app/assets/javascripts/pages/projects/shared/permissions/components/settings_panel.vue
index 8b4e12b4339fa2..e1d25219677541 100644
--- a/app/assets/javascripts/pages/projects/shared/permissions/components/settings_panel.vue
+++ b/app/assets/javascripts/pages/projects/shared/permissions/components/settings_panel.vue
@@ -21,6 +21,7 @@ import {
   modelExperimentsHelpPath,
   modelRegistryHelpPath,
   duoHelpPath,
+  amazonQHelpPath,
   pipelineExecutionPoliciesHelpPath,
 } from '../constants';
 import { toggleHiddenClassBySelector } from '../external';
@@ -78,8 +79,6 @@ export default {
     releasesHelpText: s__(
       'ProjectSettings|Combine git tags with release notes, release evidence, and assets to create a release.',
     ),
-    duoLabel: s__('ProjectSettings|GitLab Duo'),
-    duoHelpText: s__('ProjectSettings|Use AI-powered features in this project.'),
     securityAndComplianceLabel: s__('ProjectSettings|Security and compliance'),
     snippetsLabel: s__('ProjectSettings|Snippets'),
     wikiLabel: s__('ProjectSettings|Wiki'),
@@ -106,7 +105,6 @@ export default {
   VISIBILITY_LEVEL_PUBLIC_INTEGER,
   modelExperimentsHelpPath,
   modelRegistryHelpPath,
-  duoHelpPath,
   pipelineExecutionPoliciesHelpPath,
   components: {
     CiCatalogSettings,
@@ -197,6 +195,11 @@ export default {
       required: false,
       default: false,
     },
+    amazonQAvailable: {
+      type: Boolean,
+      required: false,
+      default: false,
+    },
     duoFeaturesLocked: {
       type: Boolean,
       required: false,
@@ -452,6 +455,25 @@ export default {
         Object.keys(this.cascadingSettingsData).length
       );
     },
+    duoEnabledSetting() {
+      // TODO(Q): What if both Amazon Q and Duo are available??
+      if (this.amazonQAvailable) {
+        return {
+          label: s__('ProjectSettings|Amazon Q'),
+          helpText: s__('ProjectSettings|This project can use Amazon Q.'),
+          helpPath: amazonQHelpPath,
+        };
+      }
+      if (this.licensedAiFeaturesAvailable) {
+        return {
+          label: s__('ProjectSettings|GitLab Duo'),
+          helpText: s__('ProjectSettings|Use AI-powered features in this project.'),
+          helpPath: duoHelpPath,
+        };
+      }
+
+      return null;
+    },
   },
   watch: {
     visibilityLevel(value, oldValue) {
@@ -1072,11 +1094,11 @@ export default {
         />
       </project-setting-row>
       <project-setting-row
-        v-if="licensedAiFeaturesAvailable"
+        v-if="duoEnabledSetting"
         data-testid="duo-settings"
-        :label="$options.i18n.duoLabel"
-        :help-text="$options.i18n.duoHelpText"
-        :help-path="$options.duoHelpPath"
+        :label="duoEnabledSetting.label"
+        :help-text="duoEnabledSetting.helpText"
+        :help-path="duoEnabledSetting.helpPath"
         :locked="duoFeaturesLocked"
       >
         <template #label-icon>
@@ -1093,7 +1115,7 @@ export default {
           v-model="duoFeaturesEnabled"
           class="gl-mb-4 gl-mt-2"
           :disabled="duoFeaturesLocked"
-          :label="$options.i18n.duoLabel"
+          :label="duoEnabledSetting.label"
           label-position="hidden"
           name="project[project_setting_attributes][duo_features_enabled]"
           data-testid="duo_features_enabled_toggle"
diff --git a/app/assets/javascripts/pages/projects/shared/permissions/constants.js b/app/assets/javascripts/pages/projects/shared/permissions/constants.js
index 24fa5f9aba5dfa..3021f22d456dc1 100644
--- a/app/assets/javascripts/pages/projects/shared/permissions/constants.js
+++ b/app/assets/javascripts/pages/projects/shared/permissions/constants.js
@@ -52,6 +52,7 @@ export const modelExperimentsHelpPath = helpPagePath(
 export const modelRegistryHelpPath = helpPagePath('user/project/ml/model_registry/index.md');
 
 export const duoHelpPath = helpPagePath('user/ai_features');
+export const amazonQHelpPath = helpPagePath('user/duo_amazon_q/index.md');
 
 export const pipelineExecutionPoliciesHelpPath = helpPagePath(
   'user/application_security/policies/pipeline_execution_policies',
diff --git a/ee/app/assets/javascripts/ai/settings/index.js b/ee/app/assets/javascripts/ai/settings/index.js
index 00c9e1b871c9ee..95f0e15f7e0743 100644
--- a/ee/app/assets/javascripts/ai/settings/index.js
+++ b/ee/app/assets/javascripts/ai/settings/index.js
@@ -22,6 +22,7 @@ export const initAiSettings = (id, component) => {
     earlyAccessPath,
     selfHostedModelsEnabled,
     aiTermsAndConditionsPath,
+    amazonQAvailable,
     onGeneralSettingsPage,
   } = el.dataset;
 
@@ -47,6 +48,7 @@ export const initAiSettings = (id, component) => {
       selfHostedModelsEnabled: parseBoolean(selfHostedModelsEnabled),
       aiTermsAndConditionsPath,
       earlyAccessPath,
+      amazonQAvailable: parseBoolean(amazonQAvailable),
       onGeneralSettingsPage: parseBoolean(onGeneralSettingsPage),
     },
     render: (createElement) =>
diff --git a/ee/app/helpers/ee/projects_helper.rb b/ee/app/helpers/ee/projects_helper.rb
index b345985cca1ad5..980fa1b1376f3d 100644
--- a/ee/app/helpers/ee/projects_helper.rb
+++ b/ee/app/helpers/ee/projects_helper.rb
@@ -32,6 +32,7 @@ def project_permissions_panel_data(project)
         canManageSecretManager: ::Feature.enabled?(:secrets_manager, project, type: :wip),
         requirementsAvailable: project.feature_available?(:requirements),
         licensedAiFeaturesAvailable: project.licensed_ai_features_available?,
+        amazonQAvailable: Ai::AmazonQ.connected?,
         duoFeaturesLocked: project.project_setting.duo_features_enabled_locked?,
         requestCveAvailable: ::Gitlab.com?,
         cveIdRequestHelpPath: help_page_path('user/application_security/cve_id_request.md'),
diff --git a/ee/app/services/ai/amazon_q/service_account_member_add_service.rb b/ee/app/services/ai/amazon_q/service_account_member_add_service.rb
new file mode 100644
index 00000000000000..7210ddcfa00790
--- /dev/null
+++ b/ee/app/services/ai/amazon_q/service_account_member_add_service.rb
@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+module Ai
+  module AmazonQ
+    class ServiceAccountMemberAddService
+      def initialize(project)
+        @project = project
+      end
+
+      def execute
+        q_user_id = Ai::Setting.instance.amazon_q_service_account_user_id
+
+        existing_member = project.member(q_user_id)
+        return ServiceResponse.success(message: "Membership already exists. Nothing to do.") if existing_member
+
+        existing_user = User.find_by_id(q_user_id)
+        return ServiceResponse.error(message: "Service account user not found") unless existing_user
+
+        result = project.add_developer(existing_user)
+        ServiceResponse.success(payload: result)
+      end
+
+      private
+
+      attr_reader :project
+    end
+  end
+end
diff --git a/ee/app/services/ee/projects/update_service.rb b/ee/app/services/ee/projects/update_service.rb
index 259480a20d8268..a1e13281ad9a3f 100644
--- a/ee/app/services/ee/projects/update_service.rb
+++ b/ee/app/services/ee/projects/update_service.rb
@@ -54,6 +54,7 @@ def execute
           sync_wiki_on_enable if !wiki_was_enabled && project.wiki_enabled?
           project.import_state.force_import_job! if params[:mirror].present? && project.mirror?
           project.remove_import_data if project.previous_changes.include?('mirror') && !project.mirror?
+          update_amazon_q_service_account!
 
           if suggested_reviewers_already_enabled
             trigger_project_deregistration
@@ -216,6 +217,20 @@ def refresh_merge_trains(project)
 
         MergeTrains::Train.all_for_project(project).each(&:refresh_async)
       end
+
+      def update_amazon_q_service_account!
+        duo_features_enabled = params.dig(:project_setting_attributes, :duo_features_enabled)
+
+        return unless duo_features_enabled.present? && ::Ai::AmazonQ.connected?
+
+        service = if duo_features_enabled == 'true'
+                    ::Ai::AmazonQ::ServiceAccountMemberAddService.new(project)
+                  else
+                    ::Ai::AmazonQ::ServiceAccountMemberRemoveService.new(current_user, project)
+                  end
+
+        service.execute
+      end
     end
   end
 end
diff --git a/ee/spec/helpers/projects_helper_spec.rb b/ee/spec/helpers/projects_helper_spec.rb
index 32602aa878eaf2..3e143be12e68e6 100644
--- a/ee/spec/helpers/projects_helper_spec.rb
+++ b/ee/spec/helpers/projects_helper_spec.rb
@@ -649,6 +649,19 @@
 
     it { is_expected.to include(expected_data) }
 
+    context "if AmazonQ is connected" do
+      where(connected: [true, false])
+      with_them do
+        before do
+          allow(::Ai::AmazonQ).to receive(:connected?).and_return(connected)
+        end
+
+        it 'sets amazonQAvailable to the correct value' do
+          expect(subject[:amazonQAvailable]).to eq(connected)
+        end
+      end
+    end
+
     context "if in Gitlab.com" do
       where(is_gitlab_com: [true, false])
       with_them do
diff --git a/ee/spec/services/ai/amazon_q/service_account_member_add_service_spec.rb b/ee/spec/services/ai/amazon_q/service_account_member_add_service_spec.rb
new file mode 100644
index 00000000000000..9531d85d858b5c
--- /dev/null
+++ b/ee/spec/services/ai/amazon_q/service_account_member_add_service_spec.rb
@@ -0,0 +1,49 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Ai::AmazonQ::ServiceAccountMemberAddService, feature_category: :duo_workflow do
+  let_it_be(:service_account) { create(:user) }
+  let(:project) { create(:project) }
+  let(:service) { described_class.new(project) }
+
+  describe '#execute' do
+    before do
+      Ai::Setting.instance.update!(amazon_q_service_account_user_id: service_account.id)
+    end
+
+    context 'when the service account is not a member of the project' do
+      it 'adds the service account as a developer' do
+        expect { service.execute }.to change { project.members.count }.by(1)
+
+        member = project.members.last
+        expect(member.user_id).to eq(service_account.id)
+        expect(member.access_level).to eq(Gitlab::Access::DEVELOPER)
+      end
+
+      it 'returns a success response' do
+        result = service.execute
+
+        expect(result).to be_success
+        expect(result.payload).to be_a(ProjectMember)
+      end
+    end
+
+    context 'when the service account is already a member of the project' do
+      before do
+        project.add_developer(service_account)
+      end
+
+      it 'does not add a new membership' do
+        expect { service.execute }.not_to change { project.members.count }
+      end
+
+      it 'returns a success response with a message' do
+        result = service.execute
+
+        expect(result).to be_success
+        expect(result.message).to eq("Membership already exists. Nothing to do.")
+      end
+    end
+  end
+end
diff --git a/ee/spec/services/projects/update_service_spec.rb b/ee/spec/services/projects/update_service_spec.rb
index 9875e7d0a04244..9a8d154d1950c8 100644
--- a/ee/spec/services/projects/update_service_spec.rb
+++ b/ee/spec/services/projects/update_service_spec.rb
@@ -830,6 +830,117 @@ def update_default_branch(branch = 'feature')
     end
   end
 
+  describe 'when updating pages_multiple_versions_enabled setting', feature_category: :pages do
+    let(:params) { { project_setting_attributes: { pages_multiple_versions_enabled: true } } }
+
+    let_it_be(:maintainer) { create(:user) }
+    let_it_be(:developer) { create(:user) }
+
+    before do
+      stub_licensed_features(pages_multiple_versions: true)
+      project.add_maintainer(maintainer)
+      project.add_developer(developer)
+    end
+
+    context 'when feature flag is disabled' do
+      before do
+        stub_feature_flags(pages_multiple_versions_setting: false)
+      end
+
+      context 'when user is not project maintainer' do
+        it 'updates project pages_multiple_versions_enabled setting' do
+          expect { update_project(project, developer, params) }
+            .not_to change { project.project_setting.pages_multiple_versions_enabled }
+        end
+      end
+
+      context 'when user is project maintainer' do
+        it 'updates project pages_multiple_versions_enabled setting' do
+          expect { update_project(project, maintainer, params) }
+            .not_to change { project.project_setting.pages_multiple_versions_enabled }
+        end
+      end
+    end
+
+    context 'when licensed feature is disabled' do
+      before do
+        stub_licensed_features(pages_multiple_versions: false)
+      end
+
+      context 'when user is not project maintainer' do
+        it 'updates project pages_multiple_versions_enabled setting' do
+          expect { update_project(project, developer, params) }
+            .not_to change { project.project_setting.pages_multiple_versions_enabled }
+        end
+      end
+
+      context 'when user is project maintainer' do
+        it 'updates project pages_multiple_versions_enabled setting' do
+          expect { update_project(project, maintainer, params) }
+            .not_to change { project.project_setting.pages_multiple_versions_enabled }
+        end
+      end
+    end
+
+    context 'when user is not project maintainer' do
+      it 'updates project pages_multiple_versions_enabled setting' do
+        expect { update_project(project, developer, params) }
+          .not_to change { project.project_setting.pages_multiple_versions_enabled }
+      end
+    end
+
+    context 'when user is project maintainer' do
+      it 'updates project pages_multiple_versions_enabled setting' do
+        expect { update_project(project, maintainer, params) }
+          .to change { project.project_setting.pages_multiple_versions_enabled }
+          .from(false).to(true)
+      end
+    end
+  end
+
+  describe 'when updating duo_features_enabled' do
+    using RSpec::Parameterized::TableSyntax
+
+    let(:add_instance) { Ai::AmazonQ::ServiceAccountMemberAddService.new(project) }
+    let(:remove_instance) { Ai::AmazonQ::ServiceAccountMemberRemoveService.new(user, project) }
+
+    before do
+      allow(Ai::AmazonQ::ServiceAccountMemberAddService).to receive(:new).with(project).and_return(add_instance)
+      allow(Ai::AmazonQ::ServiceAccountMemberRemoveService).to receive(:new).with(user, project).and_return(remove_instance)
+      allow(add_instance).to receive(:execute).and_call_original
+      allow(remove_instance).to receive(:execute).and_call_original
+    end
+
+    where(:attrs, :amazon_q_connected, :expected_service) do
+      { duo_features_enabled: 'true' }  | true | Ai::AmazonQ::ServiceAccountMemberAddService
+      { duo_features_enabled: 'false' } | true | Ai::AmazonQ::ServiceAccountMemberRemoveService
+      { duo_features_enabled: 'true' }  | false | nil
+      { duo_features_enabled: 'false' } | false | nil
+      {} | true | nil
+      {} | false | nil
+    end
+
+    with_them do
+      def expect_on_service(service, instance)
+        if service == expected_service
+          expect(service).to have_received(:new)
+          expect(instance).to have_received(:execute)
+        else
+          expect(service).not_to have_received(:new)
+        end
+      end
+
+      it 'triggers the expected service' do
+        allow(::Ai::AmazonQ).to receive(:connected?).and_return(amazon_q_connected)
+
+        update_project(project, user, { project_setting_attributes: attrs })
+
+        expect_on_service(Ai::AmazonQ::ServiceAccountMemberAddService, add_instance)
+        expect_on_service(Ai::AmazonQ::ServiceAccountMemberRemoveService, remove_instance)
+      end
+    end
+  end
+
   def update_project(project, user, opts)
     Projects::UpdateService.new(project, user, opts).execute
   end
diff --git a/spec/frontend/pages/projects/shared/permissions/components/settings_panel_spec.js b/spec/frontend/pages/projects/shared/permissions/components/settings_panel_spec.js
index 1ab5cf2290e6f5..f1b63f42c0263c 100644
--- a/spec/frontend/pages/projects/shared/permissions/components/settings_panel_spec.js
+++ b/spec/frontend/pages/projects/shared/permissions/components/settings_panel_spec.js
@@ -849,7 +849,14 @@ describe('Settings Panel', () => {
   describe('Duo', () => {
     it('shows duo toggle', () => {
       wrapper = mountComponent({});
+
       expect(findDuoSettings().exists()).toBe(true);
+      expect(findDuoSettings().props()).toEqual({
+        helpPath: '/help/user/ai_features',
+        helpText: 'Use AI-powered features in this project.',
+        label: 'GitLab Duo',
+        locked: false,
+      });
     });
 
     describe('when areDuoSettingsLocked is false', () => {
@@ -910,6 +917,21 @@ describe('Settings Panel', () => {
       });
     });
   });
+
+  describe('Amazon Q', () => {
+    it('shows Amazon Q text for duo field when Amazon Q is enabled', () => {
+      wrapper = mountComponent({ amazonQAvailable: true });
+
+      expect(findDuoSettings().exists()).toBe(true);
+      expect(findDuoSettings().props()).toEqual({
+        helpPath: '/help/user/duo_amazon_q/index.md',
+        helpText: 'This project can use Amazon Q.',
+        label: 'Amazon Q',
+        locked: false,
+      });
+    });
+  });
+
   describe('Pipeline execution policies', () => {
     it('does not show the pipeline execution policy settings by default', () => {
       wrapper = mountComponent();
-- 
GitLab


From 2b6dcaf5be24e80c8d8b98b5786dc03249a64011 Mon Sep 17 00:00:00 2001
From: Paul Slaughter <pslaughter@gitlab.com>
Date: Tue, 3 Dec 2024 11:25:30 -0600
Subject: [PATCH 08/14] Feat(Q): Add AmazonQ quick action

---
 app/assets/javascripts/gfm_auto_complete.js   |  10 +-
 app/services/issuable_base_service.rb         |  18 +
 app/services/notes/quick_actions_service.rb   |   7 +-
 .../assets/javascripts/gfm_auto_complete.js   |  74 +++
 ee/app/policies/ee/issuable_policy.rb         |  12 +
 .../ai/amazon_q/amazon_q_trigger_service.rb   | 358 ++++++++++++
 .../ee/notes/quick_actions_service.rb         |  27 +
 ee/app/services/ee/system_note_service.rb     |   4 +
 .../ee/system_notes/issuables_service.rb      |  18 +
 .../issue_and_merge_request_actions.rb        |  41 ++
 ee/spec/policies/issuable_policy_spec.rb      |  48 +-
 .../amazon_q/amazon_q_trigger_service_spec.rb | 552 ++++++++++++++++++
 .../ee/notes/quick_actions_service_spec.rb    | 375 ++++++++++++
 .../ee/projects/autocomplete_service_spec.rb  |  32 +
 spec/services/service_response_spec.rb        |  30 +
 15 files changed, 1601 insertions(+), 5 deletions(-)
 create mode 100644 ee/app/services/ai/amazon_q/amazon_q_trigger_service.rb
 create mode 100644 ee/spec/services/ai/amazon_q/amazon_q_trigger_service_spec.rb

diff --git a/app/assets/javascripts/gfm_auto_complete.js b/app/assets/javascripts/gfm_auto_complete.js
index 566b8c09ca1410..ae8979e0968f50 100644
--- a/app/assets/javascripts/gfm_auto_complete.js
+++ b/app/assets/javascripts/gfm_auto_complete.js
@@ -977,9 +977,7 @@ class GfmAutoComplete {
     } else if (dataSource) {
       AjaxCache.retrieve(dataSource, true)
         .then((data) => {
-          if (data.some((c) => c.name === 'submit_review')) {
-            this.setSubmitReviewStates($input);
-          }
+          this.loadSubcommands($input, data);
           this.loadData($input, at, data);
         })
         .catch(() => {
@@ -990,6 +988,12 @@ class GfmAutoComplete {
     }
   }
 
+  loadSubcommands($input, data) {
+    if (data.some((c) => c.name === 'submit_review')) {
+      this.setSubmitReviewStates($input);
+    }
+  }
+
   // eslint-disable-next-line max-params
   loadData($input, at, data, { search } = {}) {
     this.isLoadingData[at] = false;
diff --git a/app/services/issuable_base_service.rb b/app/services/issuable_base_service.rb
index 20d67969194a54..e60358649676f1 100644
--- a/app/services/issuable_base_service.rb
+++ b/app/services/issuable_base_service.rb
@@ -200,6 +200,7 @@ def create(issuable, skip_system_notes: false)
 
     params.delete(:remove_contacts)
     add_crm_contact_emails = params.delete(:add_contacts)
+    amazon_q_params = params.delete(:amazon_q)
 
     initialize_callbacks!(issuable)
     issuable.assign_attributes(allowed_create_params(params))
@@ -220,6 +221,8 @@ def create(issuable, skip_system_notes: false)
 
       after_create(issuable)
       set_crm_contacts(issuable, add_crm_contact_emails)
+      execute_amazon_q_trigger(amazon_q_params)
+
       execute_hooks(issuable)
 
       users_to_invalidate = issuable.allows_reviewers? ? issuable.assignees | issuable.reviewers : issuable.assignees
@@ -272,6 +275,7 @@ def handle_description_updated(issuable)
     GraphqlTriggers.issuable_description_updated(issuable)
   end
 
+  # rubocop:disable Metrics/AbcSize -- Method is only slightly over the limit due to decomposition method
   def update(issuable)
     ::Gitlab::Database::LoadBalancing::SessionMap.current(issuable.load_balancer).use_primary!
 
@@ -281,6 +285,7 @@ def update(issuable)
     filter_params(issuable)
 
     change_additional_attributes(issuable)
+    amazon_q_params = params.delete(:amazon_q)
 
     initialize_callbacks!(issuable)
 
@@ -339,6 +344,7 @@ def update(issuable)
           )
         end
 
+        execute_amazon_q_trigger(amazon_q_params)
         issuable.update_project_counter_caches if update_project_counters
       end
     end
@@ -347,6 +353,7 @@ def update(issuable)
 
     issuable
   end
+  # rubocop:enable Metrics/AbcSize
 
   # Overriden in child class
   def trigger_update_subscriptions(issuable, old_associations); end
@@ -632,6 +639,17 @@ def filter_contact_params(issuable)
 
     params.extract!(:add_contacts, :remove_contacts)
   end
+
+  def execute_amazon_q_trigger(params)
+    return unless params
+
+    # TODO: Do we need to update the parameter here as well?
+    ::Ai::AmazonQ::AmazonQTriggerService.new(
+      user: current_user,
+      command: params[:command],
+      source: params[:source]
+    ).execute
+  end
 end
 
 IssuableBaseService.prepend_mod_with('IssuableBaseService')
diff --git a/app/services/notes/quick_actions_service.rb b/app/services/notes/quick_actions_service.rb
index d78e53909dfcb8..888d4594cf3042 100644
--- a/app/services/notes/quick_actions_service.rb
+++ b/app/services/notes/quick_actions_service.rb
@@ -37,7 +37,7 @@ def execute(note, options = {})
       @interpret_service = QuickActions::InterpretService.new(
         container: note.resource_parent,
         current_user: current_user,
-        params: options
+        params: options.merge(discussion_id: note.discussion_id)
       )
 
       # NOTE: old_note would be nil if the note hasn't changed or it is a new record
@@ -57,11 +57,16 @@ def apply_updates(update_params, note)
         update_params[:spend_time][:note_id] = note.id
       end
 
+      execute_triggers(note, update_params)
       execute_update_service(note, update_params)
     end
 
     private
 
+    def execute_triggers(note, params)
+      # This is overridden in EE
+    end
+
     def execute_update_service(note, params)
       service_response = noteable_update_service(note, params).execute(note.noteable)
 
diff --git a/ee/app/assets/javascripts/gfm_auto_complete.js b/ee/app/assets/javascripts/gfm_auto_complete.js
index 2019d81cc343c8..84cae25d9fe115 100644
--- a/ee/app/assets/javascripts/gfm_auto_complete.js
+++ b/ee/app/assets/javascripts/gfm_auto_complete.js
@@ -2,6 +2,7 @@ import $ from 'jquery';
 import { DEFAULT_DEBOUNCE_AND_THROTTLE_MS } from '~/lib/utils/constants';
 import '~/lib/utils/jquery_at_who';
 import GfmAutoComplete, { showAndHideHelper, escape } from '~/gfm_auto_complete';
+import { s__ } from '~/locale';
 
 /**
  * This is added to keep the export parity with the CE counterpart.
@@ -23,6 +24,38 @@ const EPICS_ALIAS = 'epics';
 const ITERATIONS_ALIAS = 'iterations';
 const VULNERABILITIES_ALIAS = 'vulnerabilities';
 
+const Q_ISSUE_SUB_COMMANDS = {
+  dev: {
+    header: s__('AmazonQ|dev'),
+    description: s__('AmazonQ|Create a merge request to incorporate Amazon Q suggestions (Beta)'),
+  },
+  transform: {
+    header: s__('AmazonQ|transform'),
+    description: s__('AmazonQ|Upgrade Java Maven application to Java 17 (Beta)'),
+  },
+};
+
+const Q_MERGE_REQUEST_SUB_COMMANDS = {
+  dev: {
+    header: s__('AmazonQ|dev'),
+    description: s__('AmazonQ|Apply changes to this merge request based on the comments (Beta)'),
+  },
+  fix: {
+    header: s__('AmazonQ|fix'),
+    description: s__('AmazonQ|Create fixes for review findings (Beta)'),
+  },
+  test: {
+    header: s__('AmazonQ|test'),
+    description: s__(
+      'AmazonQ|Create unit tests for selected lines of code in Java or Python files (Beta)',
+    ),
+  },
+  review: {
+    header: s__('AmazonQ|review'),
+    description: s__('AmazonQ|Review merge request for code quality and security issues (Beta)'),
+  },
+};
+
 GfmAutoComplete.Iterations = {
   templateFunction({ id, title }) {
     return `<li><small>*iteration:${id}</small> ${escape(title)}</li>`;
@@ -46,6 +79,18 @@ class GfmAutoCompleteEE extends GfmAutoComplete {
     super.setupAtWho($input);
   }
 
+  loadSubcommands($input, data) {
+    if (data.some((c) => c.name === 'q')) {
+      if (gl.mrWidget) {
+        this.setupQMergeRequestSubCommands($input);
+      } else {
+        this.setupQIssueSubCommands($input);
+      }
+    }
+
+    super.loadSubcommands($input, data);
+  }
+
   // eslint-disable-next-line class-methods-use-this
   setupAutoCompleteEpics = ($input, defaultCallbacks) => {
     $input.atwho({
@@ -156,6 +201,35 @@ class GfmAutoCompleteEE extends GfmAutoComplete {
     });
     showAndHideHelper($input, VULNERABILITIES_ALIAS);
   };
+
+  setupQIssueSubCommands($input) {
+    this.setupQSubCommands($input, Q_ISSUE_SUB_COMMANDS);
+  }
+
+  setupQMergeRequestSubCommands($input) {
+    this.setupQSubCommands($input, Q_MERGE_REQUEST_SUB_COMMANDS);
+  }
+
+  // eslint-disable-next-line class-methods-use-this
+  setupQSubCommands($input, subCommands) {
+    $input.filter('[data-supports-quick-actions="true"]').atwho({
+      // Always keep the trailing space otherwise the command won't display correctly
+      at: '/q ',
+      alias: 'q',
+      data: Object.keys(subCommands),
+      maxLen: 100,
+      displayTpl({ name }) {
+        const isDiffsPage = window.location.pathname.split('/').reverse()[0] === 'diffs';
+        if (name === 'test' && !isDiffsPage) {
+          return null;
+        }
+
+        const subCommand = subCommands[name];
+
+        return `<li><span class="name gl-font-bold">${subCommand.header}</span><small class="description"><em>${subCommand.description}</em></small></li>`;
+      },
+    });
+  }
 }
 
 export default GfmAutoCompleteEE;
diff --git a/ee/app/policies/ee/issuable_policy.rb b/ee/app/policies/ee/issuable_policy.rb
index a83366ec27469d..dc88d7bb181214 100644
--- a/ee/app/policies/ee/issuable_policy.rb
+++ b/ee/app/policies/ee/issuable_policy.rb
@@ -9,6 +9,14 @@ module IssuablePolicy
         @user && @subject.author_id == @user.id
       end
 
+      condition(:amazon_q_integration_enabled) do
+        project = @subject.is_a?(MergeRequest) ? @subject.target_project : @subject.project
+
+        next false unless project
+
+        ::Ai::AmazonQ.enabled?(user: @user, namespace: project.project_namespace)
+      end
+
       with_scope :subject
       condition(:issuable_resource_links_available) do
         @subject.issuable_resource_links_available?
@@ -37,6 +45,10 @@ module IssuablePolicy
         enable :admin_issuable_resource_link
         enable :read_issuable_resource_link
       end
+
+      rule { amazon_q_integration_enabled & can?(:developer_access) }.policy do
+        enable :trigger_amazon_q
+      end
     end
   end
 end
diff --git a/ee/app/services/ai/amazon_q/amazon_q_trigger_service.rb b/ee/app/services/ai/amazon_q/amazon_q_trigger_service.rb
new file mode 100644
index 00000000000000..5d10af2f309266
--- /dev/null
+++ b/ee/app/services/ai/amazon_q/amazon_q_trigger_service.rb
@@ -0,0 +1,358 @@
+# frozen_string_literal: true
+
+module Ai
+  module AmazonQ
+    class AmazonQTriggerService < BaseService
+      include ::Gitlab::Utils::StrongMemoize
+
+      CloudConnectorTokenError = Class.new(StandardError)
+      PayloadGenerationError = Class.new(StandardError)
+      UnsupportedCommandError = Class.new(StandardError)
+      UnsupportedSourceError = Class.new(StandardError)
+      ServiceAccountError = Class.new(StandardError)
+      MissingPrerequisiteError = Class.new(StandardError)
+      MERGE_REQUEST_SUBCOMMANDS = %w[dev fix review test].freeze
+      ISSUE_SUBCOMMANDS = %w[dev transform].freeze
+      REVIEW_FINDING_KEYWORDS = ["We detected", "We recommend", "Severity:"].freeze
+
+      def initialize(user:, command:, source:, note: nil, discussion_id: nil, input: nil)
+        @user = user
+        @command = command
+        @input = input
+        @source = source
+        @note = note
+        @discussion_id = discussion_id
+      end
+
+      attr_reader :user, :command, :source, :note, :discussion_id, :input
+
+      def execute
+        validate!
+
+        add_service_account_to_project
+        code = create_auth_grant_new
+
+        SystemNoteService.amazon_q_called(source, user, command)
+
+        create_note_if_needed
+
+        Gitlab::AppLogger.info(message: "[amazon_q] AI Gateway request", payload: payload)
+
+        client = ::Gitlab::Llm::AiGateway::Client.new(user, service_name: service_name)
+        response = client.complete(
+          url: "#{::Gitlab::AiGateway.url}/v1/oauth/q_send_event",
+          body: {
+            payload: payload,
+            code: code,
+            roleArn: ai_settings.amazon_q_role_arn
+          }
+        )
+        Gitlab::AppLogger.info(message: "[amazon_q] AI Gateway response", success: response&.success?)
+        handle_response(response)
+        response
+      rescue StandardError => e
+        Gitlab::AppLogger.error(message: "[amazon_q] Command #{command} encountered #{e.class.name}", error: e.message)
+        handle_note_error(e.message)
+      end
+
+      private
+
+      def validate!
+        validate_source_and_command!
+        validate_service_account!
+        validate_cloud_connector_token!
+      end
+
+      def q_issue_sub_commands
+        {
+          dev: s_("AmazonQ|I'm generating code for this issue. " \
+            "I'll update this comment and open a merge request when I'm done."),
+          transform: s_("AmazonQ|I'm upgrading your code to Java 17. " \
+            "I'll update this comment and open a merge request when I'm done.")
+        }.freeze
+      end
+
+      def q_merge_request_sub_commands
+        {
+          dev: s_("AmazonQ|I'm revising this merge request based on your feedback. " \
+            "I'll update this comment and this merge request when I'm done."),
+          fix: s_("AmazonQ|I'm generating a fix for this review finding. I'll update this comment when I'm done."),
+          test: s_("AmazonQ|:hourglass_flowing_sand: I'm creating unit tests for the selected lines of code. " \
+            "I'll update this comment when I'm done."),
+          review: s_("AmazonQ|I'm reviewing this merge request for security vulnerabilities, " \
+            "quality issues, and deficiencies. I'll provide an update when I'm done.")
+        }.freeze
+      end
+
+      def service_name
+        :agent_quick_actions
+      end
+
+      def cloud_connector_token
+        ::CloudConnector::AvailableServices.find_by_name(service_name).access_token
+      end
+      strong_memoize_attr :cloud_connector_token
+
+      def handle_response(response)
+        # response is nil when the server returns a 5xx error
+        return if response&.success?
+
+        update_failure_note
+      end
+
+      def payload
+        data = base_payload
+        data.merge!(note_payload)
+
+        if source.is_a?(MergeRequest)
+          data.merge!(merge_request_payload)
+          data.merge!(test_command_payload) if command == 'test'
+        end
+
+        data
+      rescue ArgumentError => e
+        Gitlab::AppLogger.error(message: "[amazon_q] #{e.class}: #{e.message}")
+        raise
+      rescue StandardError => e
+        Gitlab::AppLogger.error(message: "[amazon_q] Unexpected error creating payload: #{e.class}: #{e.message}")
+        raise PayloadGenerationError, "Failed to generate payload: #{e.message}"
+      end
+      strong_memoize_attr :payload
+
+      def validate_source_and_command!
+        case source
+        when Issue
+          cmd_list = ISSUE_SUBCOMMANDS
+          msg = "Unsupported issue command: #{command}"
+          raise UnsupportedCommandError, msg unless cmd_list.include?(command)
+        when MergeRequest
+          cmd_list = MERGE_REQUEST_SUBCOMMANDS
+          msg = "Unsupported merge request command: #{command}"
+          raise UnsupportedCommandError, msg unless cmd_list.include?(command)
+
+          validate_command!
+          validate_code_position! if command == 'test'
+        else
+          raise UnsupportedSourceError, "Unsupported source type: #{source.class}"
+        end
+      end
+
+      def validate_cloud_connector_token!
+        return if cloud_connector_token.present?
+
+        raise CloudConnectorTokenError, "Unable to generate valid cloud connector token for #{service_name}"
+      end
+
+      def validate_code_position!
+        position = note&.position
+
+        raise ArgumentError, "Invalid code position" if position.nil?
+        raise ArgumentError, "Invalid code position" if position.start_sha.nil? || position.head_sha.nil?
+        raise ArgumentError, "Unknown code line position" unless line_position_for_comment
+      end
+
+      def base_payload
+        {
+          command: command,
+          source: source.issuable_type,
+          roleArn: ai_settings.amazon_q_role_arn,
+          projectPath: source.project.full_path,
+          projectId: source.project.id.to_s,
+          "#{source.issuable_type.camelize(:lower)}Id": source.id.to_s,
+          "#{source.issuable_type.camelize(:lower)}IId": source.iid.to_s
+        }
+      end
+
+      def use_existing_thread?
+        %w[dev fix review transform].include?(command)
+      end
+
+      def reply_only?
+        %w[fix].include?(command)
+      end
+
+      def create_note?
+        !use_existing_thread?
+      end
+
+      def note_payload
+        note_reference = use_existing_thread? ? service_account_notes&.first : @progress_note
+
+        {
+          noteId: note_reference&.id.to_s,
+          discussionId: (note_reference&.discussion_id || discussion_id).to_s
+        }
+      end
+
+      def create_note_if_needed
+        return unless create_note?
+
+        create_note
+      end
+
+      def merge_request_payload
+        {
+          source_branch: source.source_branch,
+          target_branch: source.target_branch,
+          last_commit_id: source.recent_commits&.first&.id
+        }
+      end
+
+      def test_command_payload
+        {
+          start_sha: note.position.start_sha,
+          head_sha: note.position.head_sha,
+          file_path: note.position.new_path,
+          user_message: input&.to_s
+        }.merge(line_position_for_comment)
+      end
+
+      def line_position_for_comment
+        if note.position.line_range.present?
+          {
+            comment_start_line: note.position.line_range.dig("start", "new_line").to_s,
+            comment_end_line: note.position.line_range.dig("end", "new_line").to_s
+          }
+        elsif note.position.new_line.present?
+          {
+            comment_start_line: note.position.new_line.to_s,
+            comment_end_line: note.position.new_line.to_s
+          }
+        end
+      end
+      strong_memoize_attr :line_position_for_comment
+
+      def create_auth_grant_new
+        Gitlab::AppLogger.info(message: "[amazon_q] OAUTH GRANT CREATE STARTED")
+
+        owner_id = ai_settings.amazon_q_service_account_user_id
+        app_id = ai_settings.amazon_q_oauth_application_id
+        code = Doorkeeper::AccessGrant.create!(
+          resource_owner_id: owner_id,
+          application_id: app_id,
+          redirect_uri: Gitlab::Routing.url_helpers.root_url,
+          expires_in: 1.hour,
+          scopes: Gitlab::Auth::Q_SCOPES
+        ).plaintext_token
+
+        Gitlab::AppLogger.info(message: "[amazon_q] OAUTH GRANT COMPLETE")
+
+        code
+      end
+
+      def create_note
+        return unless note
+
+        Gitlab::AppLogger.info(message: "[amazon_q] save note message for quick action command", command: command)
+        _, service_account = amazon_q_service_account
+        new_note = note.dup
+        update_note_params = { note: generate_note_message, author: service_account }
+
+        @progress_note = Notes::UpdateService.new(
+          source.project,
+          service_account,
+          update_note_params).execute(new_note)
+      end
+
+      def update_failure_note
+        _, service_account = amazon_q_service_account
+        if @progress_note.nil?
+          @progress_note = Notes::CreateService.new(
+            source.project,
+            service_account,
+            author: service_account,
+            noteable: source,
+            note: failure_message,
+            discussion_id: note&.discussion_id
+          ).execute
+        else
+          update_note_params = { note: failure_message }
+
+          Notes::UpdateService.new(
+            source.project,
+            service_account,
+            update_note_params).execute(@progress_note)
+        end
+      end
+
+      def generate_note_message
+        command_map = case source
+                      when MergeRequest then q_merge_request_sub_commands
+                      when Issue then q_issue_sub_commands
+                      end
+        command_map&.[](command.to_sym)
+      end
+
+      def failure_message
+        msg = s_("AmazonQ|Sorry, I'm not able to complete the request at this moment. Please try again later")
+        request_id = Labkit::Correlation::CorrelationId.current_id
+        msg + format("\n\nRequest ID: %{request_id}", request_id: request_id)
+      end
+
+      def amazon_q_service_account
+        service_account_id = ai_settings.amazon_q_service_account_user_id
+        return [service_account_id, nil] if service_account_id.blank?
+
+        [service_account_id, User.find_by_id(service_account_id)]
+      end
+      strong_memoize_attr :amazon_q_service_account
+
+      def validate_service_account!
+        service_account_id, _ = amazon_q_service_account
+        if service_account_id.blank?
+          raise ServiceAccountError,
+            "#{command} failed due to Amazon Q service account ID is not configured"
+        end
+
+        true
+      end
+
+      def add_service_account_to_project
+        ::Ai::AmazonQ::ServiceAccountMemberAddService.new(source.project).execute
+      end
+
+      def validate_command!
+        # Check the discussions involved in the reply.
+        return true unless reply_only?
+
+        # Filter only notes authored by the Amazon Q service user.
+        # Search for any of the keywords relating to review findings in the note.
+        comments = search_comments_by_service_account(REVIEW_FINDING_KEYWORDS)
+        return true unless comments.blank?
+
+        raise MissingPrerequisiteError,
+          "#{command} can only be executed as a response to the review command"
+      end
+
+      def search_comments_by_service_account(keywords = nil)
+        filtered_notes = service_account_notes
+
+        return filtered_notes if keywords.blank?
+
+        keywords = Array(keywords).map(&:downcase)
+
+        filtered_notes.select do |note|
+          note_content = note.note.to_s.downcase
+          keywords.any? { |keyword| note_content.include?(keyword) }
+        end
+      end
+
+      def handle_note_error(error_message)
+        return unless note
+
+        note.errors.add(:quick_action, "command /q: #{error_message}")
+      end
+
+      def service_account_notes
+        service_account_id, _ = amazon_q_service_account
+        source.notes.authored_by(service_account_id).find_discussion(discussion_id)&.notes.to_a
+      end
+      strong_memoize_attr :service_account_notes
+
+      def ai_settings
+        Ai::Setting.instance
+      end
+      strong_memoize_attr :ai_settings
+    end
+  end
+end
diff --git a/ee/app/services/ee/notes/quick_actions_service.rb b/ee/app/services/ee/notes/quick_actions_service.rb
index ff56f50c9fde48..37b72f7401c58b 100644
--- a/ee/app/services/ee/notes/quick_actions_service.rb
+++ b/ee/app/services/ee/notes/quick_actions_service.rb
@@ -4,6 +4,7 @@ module EE
   module Notes
     module QuickActionsService
       extend ActiveSupport::Concern
+      extend ::Gitlab::Utils::Override
       include ::Gitlab::Utils::StrongMemoize
 
       prepended do
@@ -25,6 +26,32 @@ def noteable_update_service(note, update_params)
 
         Epics::UpdateService.new(group: note.resource_parent, current_user: current_user, params: update_params)
       end
+
+      override :execute_triggers
+      def execute_triggers(note, params)
+        super
+
+        execute_amazon_q_trigger(note, params)
+      end
+
+      private
+
+      def execute_amazon_q_trigger(note, params)
+        return unless params[:amazon_q]
+
+        ::Gitlab::AppLogger.info(message: "[amazon_q] note", note: note)
+        ::Gitlab::AppLogger.info(message: "[amazon_q] params", params: params)
+        q_params = params.delete(:amazon_q)
+
+        ::Ai::AmazonQ::AmazonQTriggerService.new(
+          user: current_user,
+          command: q_params[:command],
+          input: q_params[:input],
+          source: q_params[:source],
+          note: note,
+          discussion_id: q_params[:discussion_id]
+        ).execute
+      end
     end
   end
 end
diff --git a/ee/app/services/ee/system_note_service.rb b/ee/app/services/ee/system_note_service.rb
index b0533de8f7b18d..3cd81dacbaedc1 100644
--- a/ee/app/services/ee/system_note_service.rb
+++ b/ee/app/services/ee/system_note_service.rb
@@ -189,6 +189,10 @@ def override_requested_changes(noteable, user, event)
       merge_requests_service(noteable, noteable.project, user).override_requested_changes(event)
     end
 
+    def amazon_q_called(noteable, user, event)
+      issuables_service(noteable, noteable.project, user).amazon_q_called(event)
+    end
+
     private
 
     def issuables_service(noteable, project, author)
diff --git a/ee/app/services/ee/system_notes/issuables_service.rb b/ee/app/services/ee/system_notes/issuables_service.rb
index a195d863aaccf9..b2123c0cc8535a 100644
--- a/ee/app/services/ee/system_notes/issuables_service.rb
+++ b/ee/app/services/ee/system_notes/issuables_service.rb
@@ -139,6 +139,24 @@ def blocked_by_issuable(noteable_ref)
         create_note(NoteSummary.new(noteable, project, author, body, action: 'relate'))
       end
 
+      # Called when an Amazon Q command is successfully sent to the AI gateway
+      #
+      # noteable_ref - Referenced noteable object
+      # event - The type of command executed by the user
+      #
+      # Example Note text:
+      #
+      #   "sent dev request to Amazon Q"
+      #
+      # Returns the created Note object
+      def amazon_q_called(event)
+        body = "sent #{event} request to Amazon Q"
+
+        track_issue_event(:track_issue_related_action)
+
+        create_note(NoteSummary.new(noteable, project, author, body, action: event))
+      end
+
       override :track_cross_reference_action
       def track_cross_reference_action
         super
diff --git a/ee/lib/ee/gitlab/quick_actions/issue_and_merge_request_actions.rb b/ee/lib/ee/gitlab/quick_actions/issue_and_merge_request_actions.rb
index 9cf2956740c493..c054ea3a8daeb8 100644
--- a/ee/lib/ee/gitlab/quick_actions/issue_and_merge_request_actions.rb
+++ b/ee/lib/ee/gitlab/quick_actions/issue_and_merge_request_actions.rb
@@ -59,6 +59,47 @@ module IssueAndMergeRequestActions
           command :clear_weight do
             @updates[:weight] = nil
           end
+
+          desc { _('Use Amazon Q to streamline development workflow and project upgrades (Beta)') }
+          explanation { _('Use Amazon Q to streamline development workflow and project upgrades (Beta)') }
+          execution_message { _('Q got your message!') }
+          params do
+            case quick_action_target
+            when ::Issue
+              "<#{::Ai::AmazonQ::AmazonQTriggerService::ISSUE_SUBCOMMANDS.join(' | ')}>"
+            when ::MergeRequest
+              "<#{::Ai::AmazonQ::AmazonQTriggerService::MERGE_REQUEST_SUBCOMMANDS.join(' | ')}>"
+            end
+          end
+          types Issue, MergeRequest
+          condition do
+            Ability.allowed?(current_user, :trigger_amazon_q, quick_action_target) &&
+              (quick_action_target.is_a?(Issue) || quick_action_target.persisted?)
+          end
+          command :q do |input = "dev"|
+            sub_command, *comment_words = input.strip.split(' ', 2)
+            case quick_action_target
+            when ::Issue
+              unless ::Ai::AmazonQ::AmazonQTriggerService::ISSUE_SUBCOMMANDS.include?(sub_command)
+                @execution_message[:q] = "Could not apply Amazon Q command for issue"
+                next
+              end
+            when ::MergeRequest
+              unless ::Ai::AmazonQ::AmazonQTriggerService::MERGE_REQUEST_SUBCOMMANDS.include?(sub_command)
+                @execution_message[:q] = "Could not apply Amazon Q command for merge request"
+                next
+              end
+            end
+            comment = comment_words.join(' ')
+            action_data = {
+              command: sub_command,
+              input: comment,
+              source: quick_action_target,
+              discussion_id: params[:discussion_id]
+            }
+            action_data[:input] = comment unless comment.empty?
+            @updates[:amazon_q] = action_data
+          end
         end
       end
     end
diff --git a/ee/spec/policies/issuable_policy_spec.rb b/ee/spec/policies/issuable_policy_spec.rb
index 36437b4482f4c0..ae8a30d2ea6c71 100644
--- a/ee/spec/policies/issuable_policy_spec.rb
+++ b/ee/spec/policies/issuable_policy_spec.rb
@@ -2,7 +2,7 @@
 
 require 'spec_helper'
 
-RSpec.describe IssuablePolicy, :models do
+RSpec.describe IssuablePolicy, feature_category: :team_planning do
   let_it_be(:non_member) { create(:user) }
   let_it_be(:guest) { create(:user) }
   let_it_be(:planner) { create(:user) }
@@ -166,5 +166,51 @@ def permissions(user, issue)
         end
       end
     end
+
+    describe 'trigger_amazon_q' do
+      let_it_be(:project) { create(:project, :private) }
+      let(:user) { developer }
+      let(:amazon_q_enabled) { true }
+
+      before do
+        allow(::Ai::AmazonQ).to receive(:enabled?).with(
+          user: user,
+          namespace: project.project_namespace
+        ).and_return(amazon_q_enabled)
+      end
+
+      it 'is allowed for non persisted issues' do
+        issue = build(:issue, project: project)
+
+        expect(permissions(user, issue)).to be_allowed(:trigger_amazon_q)
+      end
+
+      it 'is not allowed for work items without a project' do
+        # note: We might want to do this in the future, but for now we're using the project_namespace for this check
+        epic = build(:epic, group: project.group)
+
+        expect(permissions(user, epic)).to be_disallowed(:trigger_amazon_q)
+      end
+
+      it 'is allowed' do
+        expect(permissions(user, guest_issue)).to be_allowed(:trigger_amazon_q)
+      end
+
+      context 'when amazon q onboarding has not been completed' do
+        let(:amazon_q_enabled) { false }
+
+        it 'is disallowed' do
+          expect(permissions(user, guest_issue)).to be_disallowed(:trigger_amazon_q)
+        end
+      end
+
+      context 'when user is not developer+' do
+        let(:user) { reporter }
+
+        it 'is disallowed' do
+          expect(permissions(user, guest_issue)).to be_disallowed(:trigger_amazon_q)
+        end
+      end
+    end
   end
 end
diff --git a/ee/spec/services/ai/amazon_q/amazon_q_trigger_service_spec.rb b/ee/spec/services/ai/amazon_q/amazon_q_trigger_service_spec.rb
new file mode 100644
index 00000000000000..d04632519eb0cc
--- /dev/null
+++ b/ee/spec/services/ai/amazon_q/amazon_q_trigger_service_spec.rb
@@ -0,0 +1,552 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Ai::AmazonQ::AmazonQTriggerService, feature_category: :ai_agents do
+  let_it_be(:user) { create(:user) }
+  let_it_be(:project) { create(:project, :repository) }
+  let_it_be(:issue) { create(:issue, project: project) }
+  let_it_be(:merge_request) { create(:merge_request_with_diffs, source_project: project) }
+  let_it_be(:oauth_app) { create(:doorkeeper_application) }
+  let(:response) { { 'status' => 'success' } }
+  let(:source) { issue }
+
+  before do
+    Ai::Setting.instance.update!(
+      amazon_q_service_account_user_id: user.id,
+      amazon_q_oauth_application_id: oauth_app.id
+    )
+  end
+
+  describe '#execute' do
+    let(:command) { 'dev' }
+    let(:source) { 'issue' }
+    let!(:note) { create(:note_on_issue, noteable: issue, project: project) }
+    let(:service) { described_class.new(user: user, command: command, source: source, note: note) }
+    let(:service_name) { :agent_quick_actions }
+    let(:service_data) do
+      instance_double(CloudConnector::BaseAvailableServiceData,
+        name: service_name,
+        access_token: SecureRandom.hex)
+    end
+
+    let(:expected_payload) { anything }
+
+    subject(:execution) { service.execute }
+
+    before do
+      allow(::CloudConnector::AvailableServices).to receive(:find_by_name).with(service_name).and_return(service_data)
+      stub_request(:post, "https://cloud.gitlab.com/ai/v1/oauth/q_send_event")
+        .with(body: hash_including('code' => anything,
+          'payload' => expected_payload,
+          'roleArn' => anything))
+        .to_return(status: 200, body: response.to_json, headers: { "Content-Type": "application/json" })
+
+      allow(SystemNoteService).to receive(:amazon_q_called)
+    end
+
+    context 'with dev command' do
+      let(:command) { 'dev' }
+
+      shared_examples 'successful dev execution' do
+        it 'creates an auth grant' do
+          expect { execution }.to change { OauthAccessGrant.count }.by(1)
+        end
+
+        it 'executes successfully' do
+          expect { execution }.not_to change { Note.count }
+          expect(execution.parsed_response).to eq(response)
+          expect(SystemNoteService).to have_received(:amazon_q_called).with(source, user, command)
+        end
+      end
+
+      context 'with issue' do
+        let(:source) { issue }
+
+        it_behaves_like 'successful dev execution'
+
+        context 'when server returns a 500 error' do
+          before do
+            stub_request(:post, "https://cloud.gitlab.com/ai/v1/oauth/q_send_event")
+              .with(body: hash_including('code' => anything,
+                'payload' => anything,
+                'roleArn' => anything))
+              .to_return(status: 500, body: "", headers: { "Content-Type": "application/json" })
+          end
+
+          it 'updates a new note with an error' do
+            expect { execution }.to change { Note.count }.by(1)
+            expect(Note.last.note).to include(
+              "Sorry, I'm not able to complete the request at this moment. Please try again later")
+            expect(Note.last.note).to include("Request ID:")
+          end
+        end
+      end
+
+      context 'with merge request' do
+        let(:source) { merge_request }
+
+        it_behaves_like 'successful dev execution'
+      end
+    end
+
+    context 'with fix command' do
+      let_it_be(:diff_note) { create(:diff_note_on_merge_request, noteable: merge_request, project: project) }
+      let(:command) { 'fix' }
+      let(:service) do
+        described_class.new(user: user, command: command, source: source, note: diff_note,
+          discussion_id: diff_note.discussion_id)
+      end
+
+      let(:source) { merge_request }
+
+      context 'when executes fix command after validation' do
+        before do
+          allow(service).to receive(:validate_source_and_command!)
+        end
+
+        it 'creates an auth grant' do
+          expect { execution }.to change { OauthAccessGrant.count }.by(1)
+        end
+
+        it 'executes successfully' do
+          expect { execution }.not_to change { Note.count }
+          expect(execution.parsed_response).to eq(response)
+          expect(SystemNoteService).to have_received(:amazon_q_called).with(source, user, command)
+        end
+      end
+
+      context 'when executes fix command with review findings' do
+        let(:command) { 'fix' }
+        let!(:diff_note) do
+          create(:diff_note_on_merge_request, noteable: merge_request, project: project, author: user,
+            note: 'We recommend to fix this security finding')
+        end
+
+        let!(:service) do
+          described_class.new(user: user, command: command, source: source, note: diff_note,
+            discussion_id: diff_note.discussion_id)
+        end
+
+        it 'executes successfully' do
+          expect { service.execute }.not_to raise_error
+        end
+      end
+    end
+
+    context 'with test command' do
+      let_it_be(:diff_note) { build(:diff_note_on_merge_request, noteable: merge_request, project: project) }
+      let(:command) { 'test' }
+      let(:service) do
+        described_class.new(user: user, command: command, source: source, note: diff_note,
+          discussion_id: diff_note.discussion_id)
+      end
+
+      let(:source) { merge_request }
+
+      let(:expected_payload) do
+        hash_including(
+          'command' => 'test',
+          'source' => 'merge_request',
+          'mergeRequestId' => merge_request.id.to_s,
+          'mergeRequestIId' => merge_request.iid.to_s,
+          'noteId' => anything,
+          'discussionId' => diff_note.discussion_id,
+          'source_branch' => merge_request.source_branch,
+          'target_branch' => merge_request.target_branch,
+          'last_commit_id' => merge_request.recent_commits.first.id,
+          'comment_start_line' => diff_note.position.new_line.to_s,
+          'comment_end_line' => diff_note.position.new_line.to_s,
+          'start_sha' => diff_note.position.start_sha,
+          'head_sha' => diff_note.position.head_sha,
+          'file_path' => diff_note.position.new_path,
+          'user_message' => anything
+        )
+      end
+
+      it 'creates an auth grant' do
+        expect { execution }.to change { OauthAccessGrant.count }.by(1)
+      end
+
+      it 'executes successfully with the right payload' do
+        expect { execution }.to change { Note.count }.by(1)
+        expect(execution.parsed_response).to eq(response)
+      end
+    end
+
+    context 'when handle error' do
+      let(:command) { 'unsupported' }
+      let(:source) { issue }
+      let!(:service) do
+        described_class.new(user: user, command: command, source: source, note: note,
+          discussion_id: note.discussion_id)
+      end
+
+      before do
+        allow(service).to receive(:handle_note_error)
+        allow(Gitlab::AppLogger).to receive(:error)
+      end
+
+      context 'when UnsupportedCommandError is raised' do
+        let(:error_message) { "Unsupported issue command: #{command}" }
+        let(:error) do
+          Ai::AmazonQ::AmazonQTriggerService::UnsupportedCommandError.new("Unsupported issue command: #{command}")
+        end
+
+        before do
+          allow(service).to receive(:validate_source_and_command!).and_raise(error)
+        end
+
+        it 'logs the error and handles the note error' do
+          expect(Gitlab::AppLogger).to receive(:error).with(
+            message: "[amazon_q] Command #{command} encountered #{error.class.name}",
+            error: error_message
+          )
+          expect(service).to receive(:handle_note_error).with(error_message)
+
+          expect { execution }.not_to raise_error
+        end
+      end
+    end
+
+    context 'when unable to generate a cloud connector access token' do
+      let(:service_data) do
+        instance_double(CloudConnector::BaseAvailableServiceData,
+          name: service_name,
+          access_token: nil)
+      end
+
+      it 'raises CloudConnectorTokenError wth expected message' do
+        expect do
+          service.send(:validate_cloud_connector_token!)
+        end.to raise_error(described_class::CloudConnectorTokenError).with_message(
+          'Unable to generate valid cloud connector token for agent_quick_actions'
+        )
+      end
+    end
+
+    describe '#payload' do
+      let(:note) { create(:note_on_issue, noteable: issue, project: project) }
+      let(:service) { described_class.new(user: user, command: 'dev', source: issue, note: note) }
+
+      it 'generates the correct payload for an issue' do
+        service.execute
+
+        payload = service.send(:payload)
+
+        expect(payload.keys).to match_array(
+          %i[command source projectPath projectId issueId issueIId discussionId noteId roleArn])
+
+        expect(payload[:command]).to eq('dev')
+        expect(payload[:source]).to eq('issue')
+        expect(payload[:projectPath]).to eq(project.full_path)
+        expect(payload[:projectId]).to eq(project.id.to_s)
+        expect(payload[:issueId]).to eq(issue.id.to_s)
+        expect(payload[:issueIId]).to eq(issue.iid.to_s)
+      end
+    end
+  end
+
+  describe '#generate_note_message' do
+    let(:service) { described_class.new(user: user, command: 'dev', source: issue) }
+
+    it 'generates the correct note message for an issue' do
+      message = service.send(:generate_note_message)
+
+      expect(message).to eq(
+        "I'm generating code for this issue. " \
+          "I'll update this comment and open a merge request when I'm done.")
+    end
+  end
+
+  describe '#amazon_q_service_account' do
+    let(:service) { described_class.new(user: user, command: 'dev', source: issue) }
+
+    context 'when service account exists' do
+      let(:user) { create(:user) }
+
+      before do
+        Ai::Setting.instance.update!(amazon_q_service_account_user_id: user.id)
+      end
+
+      it 'returns service account ID and user object' do
+        service_account_id, service_account = service.send(:amazon_q_service_account)
+
+        expect(service_account_id).to eq(user.id)
+        expect(service_account).to eq(user)
+      end
+    end
+  end
+
+  describe '#validate_service_account!' do
+    let(:service) { described_class.new(user: user, command: 'dev', source: issue) }
+
+    context 'when service account is properly configured' do
+      let(:user) { create(:user) }
+
+      before do
+        Ai::Setting.instance.update!(amazon_q_service_account_user_id: user.id)
+      end
+
+      it 'returns true' do
+        expect(service.send(:validate_service_account!)).to be true
+      end
+    end
+
+    context 'when service account does not exist' do
+      before do
+        Ai::Setting.instance.update!(amazon_q_service_account_user_id: nil)
+      end
+
+      it 'raises ServiceAccountError' do
+        expect { service.send(:validate_service_account!) }
+          .to raise_error(
+            Ai::AmazonQ::AmazonQTriggerService::ServiceAccountError,
+            'dev failed due to Amazon Q service account ID is not configured'
+          )
+      end
+    end
+  end
+
+  describe '#validate_command!' do
+    let(:note) { create(:note_on_issue, noteable: issue, project: project) }
+    let(:discussion) { create(:discussion_note_on_issue, noteable: issue, project: issue.project).discussion }
+    let(:service) { described_class.new(user: user, command: 'dev', source: issue, note: discussion.notes.first) }
+
+    context 'when not using an existing thread' do
+      it 'returns true' do
+        expect(service.send(:validate_command!)).to be_truthy
+      end
+    end
+
+    context 'when using an existing thread' do
+      let!(:service) { described_class.new(user: user, command: 'fix', source: issue, note: discussion.notes.first) }
+
+      context 'when there are no comments from the service account' do
+        before do
+          allow(service).to receive(:search_comments_by_service_account).and_return(nil)
+        end
+
+        it 'raises a MissingPrerequisiteError' do
+          expect { service.send(:validate_command!) }.to raise_error(
+            Ai::AmazonQ::AmazonQTriggerService::MissingPrerequisiteError,
+            "fix can only be executed as a response to the review command"
+          )
+        end
+      end
+
+      context 'when there are comments from the service account' do
+        before do
+          allow(service).to receive(:search_comments_by_service_account).and_return(note)
+        end
+
+        it 'returns true' do
+          expect(service.send(:validate_command!)).to be_truthy
+        end
+      end
+    end
+  end
+
+  describe '#search_comments_by_service_account' do
+    let(:discussion) do
+      create(:discussion_note_on_issue, noteable: issue, project: issue.project, note: "test note",
+        author: user).discussion
+    end
+
+    let(:service) do
+      described_class.new(user: user, command: 'dev', source: issue, note: discussion.notes.first,
+        discussion_id: discussion.notes.first.discussion_id)
+    end
+
+    it 'filters notes by author_id' do
+      expect(service.send(:search_comments_by_service_account).count).to eq(1)
+    end
+
+    context 'when keyword is blank' do
+      it 'returns notes filtered by author_id' do
+        expect(service.send(:search_comments_by_service_account, []).count).to eq(1)
+      end
+    end
+
+    context 'when keyword is present' do
+      it 'filters notes by keyword' do
+        expect(service.send(:search_comments_by_service_account, ['test']).count).to eq(1)
+      end
+
+      it 'returns empty array when not found keyword' do
+        expect(service.send(:search_comments_by_service_account, ['unknown'])).to be_empty
+      end
+    end
+  end
+
+  describe '#handle_note_error' do
+    let!(:note) { create(:note_on_issue, noteable: issue, project: project) }
+    let(:error_message) { "Test error message" }
+
+    context 'when note is already defined' do
+      let(:service) { described_class.new(user: user, command: 'dev', source: issue, note: note) }
+
+      before do
+        allow(service).to receive(:note).and_return(note)
+      end
+
+      it 'adds error to the existing note' do
+        error = service.send(:handle_note_error, error_message)
+        expect(error.type).to eq("command /q: #{error_message}")
+      end
+    end
+  end
+
+  describe '#create_note' do
+    let(:original_note) { create(:note_on_issue, noteable: issue, project: project) }
+    let(:command) { 'dev' }
+    let(:generated_msg) { 'Generated message' }
+    let(:service) { described_class.new(user: user, command: command, source: source, note: original_note) }
+    let(:service_account) { create(:user) }
+    let(:update_service) { instance_double(Notes::UpdateService) }
+
+    before do
+      allow(service).to receive(:generate_note_message).and_return(generated_msg)
+      allow(service).to receive_messages(
+        generate_note_message: generated_msg,
+        amazon_q_service_account: [service_account.id, service_account]
+      )
+    end
+
+    context 'when note exists' do
+      before do
+        allow(Notes::UpdateService).to receive(:new)
+          .with(project, service_account, { note: generated_msg, author: service_account })
+          .and_return(update_service)
+        allow(update_service).to receive(:execute).and_return(original_note)
+      end
+
+      it 'creates a new note with correct parameters' do
+        expect(Gitlab::AppLogger).to receive(:info).with(
+          message: '[amazon_q] save note message for quick action command',
+          command: command
+        )
+
+        service.send(:create_note)
+
+        expect(Notes::UpdateService).to have_received(:new)
+          .with(project, service_account, { note: generated_msg, author: service_account })
+        expect(update_service).to have_received(:execute).with(kind_of(Note))
+      end
+
+      it 'sets the progress note' do
+        service.send(:create_note)
+
+        expect(service.instance_variable_get(:@progress_note)).to eq(original_note)
+      end
+    end
+
+    context 'when note does not exist' do
+      before do
+        allow(service).to receive(:note).and_return(nil)
+      end
+
+      it 'returns nil without creating a note' do
+        expect(Notes::UpdateService).not_to receive(:new)
+
+        expect(service.send(:create_note)).to be_nil
+      end
+    end
+  end
+
+  describe '#update_failure_note' do
+    let_it_be(:note) { create(:note_on_issue, noteable: issue, project: project) }
+
+    let(:service) { described_class.new(user: user, command: 'dev', source: issue, note: note) }
+    let(:failure_message) { 'Error occurred' }
+
+    before do
+      allow(service).to receive(:failure_message).and_return(failure_message)
+    end
+
+    context 'when progress note does not exist' do
+      let(:create_service) { instance_double(Notes::CreateService) }
+      let(:created_note) { create(:note) }
+
+      before do
+        service.instance_variable_set(:@progress_note, nil)
+
+        allow(Notes::CreateService).to receive(:new)
+          .with(
+            issue.project,
+            user,
+            {
+              author: user,
+              noteable: issue,
+              note: failure_message,
+              discussion_id: note.discussion_id
+            }
+          ).and_return(create_service)
+        allow(create_service).to receive(:execute).and_return(created_note)
+      end
+
+      it 'creates a new note with failure message' do
+        service.send(:update_failure_note)
+
+        expect(Notes::CreateService).to have_received(:new)
+          .with(
+            issue.project,
+            user,
+            {
+              author: user,
+              noteable: issue,
+              note: failure_message,
+              discussion_id: note.discussion_id
+            }
+          )
+        expect(create_service).to have_received(:execute)
+      end
+
+      it 'sets the progress note to the newly created note' do
+        service.send(:update_failure_note)
+
+        expect(service.instance_variable_get(:@progress_note)).to eq(created_note)
+      end
+    end
+
+    context 'when note is nil' do
+      let(:service) { described_class.new(user: user, command: 'dev', source: issue, note: nil) }
+      let(:create_service) { instance_double(Notes::CreateService) }
+      let(:created_note) { create(:note) }
+
+      before do
+        service.instance_variable_set(:@progress_note, nil)
+
+        allow(Notes::CreateService).to receive(:new)
+          .with(
+            issue.project,
+            user,
+            {
+              author: user,
+              noteable: issue,
+              note: failure_message,
+              discussion_id: nil
+            }
+          ).and_return(create_service)
+        allow(create_service).to receive(:execute).and_return(created_note)
+      end
+
+      it 'creates a new note without discussion_id' do
+        service.send(:update_failure_note)
+
+        expect(Notes::CreateService).to have_received(:new)
+          .with(
+            issue.project,
+            user,
+            {
+              author: user,
+              noteable: issue,
+              note: failure_message,
+              discussion_id: nil
+            }
+          )
+        expect(create_service).to have_received(:execute)
+      end
+    end
+  end
+end
diff --git a/ee/spec/services/ee/notes/quick_actions_service_spec.rb b/ee/spec/services/ee/notes/quick_actions_service_spec.rb
index a274178936464c..49cca4aa4516c8 100644
--- a/ee/spec/services/ee/notes/quick_actions_service_spec.rb
+++ b/ee/spec/services/ee/notes/quick_actions_service_spec.rb
@@ -2,6 +2,8 @@
 require 'spec_helper'
 
 RSpec.describe Notes::QuickActionsService, feature_category: :team_planning do
+  include StubRequests
+
   let_it_be(:group) { create(:group) }
   let_it_be(:private_group) { create(:group, :private) }
   let_it_be(:project) { create(:project, group: group) }
@@ -786,4 +788,377 @@ def execute(note, include_message: false)
       end
     end
   end
+
+  context '/q' do
+    let_it_be_with_reload(:amazon_q_service_account) { create(:user, :service_account) }
+    let_it_be(:project) { create(:project, :repository, group: group) }
+    let_it_be(:oauth_app) { create(:doorkeeper_application) }
+    let(:amazon_q_enabled) { true }
+    let(:user) { create(:user) }
+
+    let(:payload) do
+      {
+        command: command,
+        source: source,
+        roleArn: 'arn:mock',
+        projectPath: project.full_path,
+        projectId: project.id.to_s,
+        "#{source.camelize(:lower)}Id" => note.noteable.id.to_s,
+        "#{source.camelize(:lower)}IId" => note.noteable.iid.to_s,
+        noteId: note.id.to_s,
+        discussionId: note.discussion_id
+      }
+    end
+
+    before do
+      group.add_developer(user)
+      service = instance_double(
+        CloudConnector::BaseAvailableServiceData,
+        name: :agent_quick_actions,
+        access_token: 'token')
+      allow(CloudConnector::AvailableServices).to receive(:find_by_name).with(:agent_quick_actions).and_return(service)
+      allow_any_instance_of(::Ai::AmazonQ::AmazonQTriggerService).to receive(:create_auth_grant_new) # rubocop:disable RSpec/AnyInstanceOf -- to mock private
+      stub_request(:post, "#{::Gitlab::AiGateway.url}/v1/oauth/q_send_event")
+        .to_return(status: 200, body: '{}', headers: {})
+      allow(Gitlab::HTTP).to receive(:post).and_call_original
+      allow(::Ai::AmazonQ).to receive(:enabled?).and_return(amazon_q_enabled)
+      Ai::Setting.instance.update!(
+        amazon_q_service_account_user_id: amazon_q_service_account.id,
+        amazon_q_role_arn: "arn:mock",
+        amazon_q_oauth_application_id: oauth_app.id
+      )
+    end
+
+    context 'when amazon_q_integration feature is not enabled' do
+      let_it_be(:note_text) { '/q' }
+      let(:note) { create(:note_on_issue, project: project, note: note_text) }
+      let(:amazon_q_enabled) { false }
+
+      it 'does not call out to the AI gateway' do
+        execute(note)
+
+        expect(Gitlab::HTTP).not_to have_received(:post)
+      end
+    end
+
+    context 'with dev sub-command for an issue' do
+      let_it_be(:note_text) { '/q dev' }
+      let!(:note) { create(:note_on_issue, project: project, note: note_text, author: user) }
+      let!(:author) { note.author }
+      let(:command) { 'dev' }
+      let(:source) { 'issue' }
+
+      it 'calls out to the AI gateway with correct payload' do
+        result = nil
+        expect { result = execute(note, include_message: true) }.to change { Note.count }.by(1)
+        expect(note.note).to eq(note_text)
+        expect(note.author).to eq(author)
+        expect(result[0]).to be_empty
+        expect(result[1]).to eq('Q got your message!')
+
+        expect(Gitlab::HTTP).to have_received(:post) do |*args|
+          body = ::Gitlab::Json.parse(args[1][:body])
+          payload = body['payload']
+
+          expect(payload).to include(
+            'issueId' => note.noteable.id.to_s,
+            'issueIId' => note.noteable.iid.to_s
+          )
+          expect(payload['noteId']).to be_empty
+          expect(payload['discussionId']).to eq(note.discussion_id)
+        end
+      end
+
+      it 'adds service account as member to project' do
+        expect(project.member(amazon_q_service_account.id)).to be_falsy
+
+        execute(note)
+
+        expect(project.member(amazon_q_service_account.id)).to be_truthy
+      end
+    end
+
+    context 'when using unsupported sub-command for issue' do
+      let_it_be(:note_text) { '/q unknown' }
+      let(:note) { create(:note_on_issue, project: project, note: note_text) }
+      let(:command) { 'unknown' }
+      let(:source) { 'issue' }
+
+      it 'returns an error' do
+        content, update_params, message, _ = service.execute(note)
+
+        expect(content).to be_blank
+        expect(update_params).to be_empty
+        expect(message).to eq('Could not apply Amazon Q command for issue')
+      end
+    end
+
+    context 'when using unsupported sub-command for epic' do
+      let_it_be(:note_text) { '/q unknown' }
+      let(:note) { create(:note_on_epic, project: project, note: note_text) }
+      let(:command) { 'unknown' }
+      let(:source) { 'epic' }
+
+      it 'returns an error' do
+        content, update_params, message, _ = service.execute(note)
+
+        expect(content).to be_blank
+        expect(update_params).to be_empty
+        expect(message).to eq('Could not apply q command.')
+      end
+    end
+
+    context 'with java upgrade sub-command for an issue' do
+      let_it_be(:note_text) { '/q transform' }
+      let!(:note) { create(:note_on_issue, project: project, note: note_text) }
+      let!(:author) { note.author }
+      let(:command) { 'transform' }
+      let(:source) { 'issue' }
+
+      it 'calls out to the AI gateway with correct payload' do
+        result = nil
+        expect { result = execute(note, include_message: true) }.to change { Note.count }.by(1)
+        expect(note.note).to eq(note_text)
+        expect(note.author).to eq(author)
+        expect(result[0]).to be_empty
+        expect(result[1]).to eq('Q got your message!')
+
+        expect(Gitlab::HTTP).to have_received(:post) do |*args|
+          body = ::Gitlab::Json.parse(args[1][:body])
+          payload = body['payload']
+
+          expect(payload).to include(
+            'issueId' => note.noteable.id.to_s,
+            'issueIId' => note.noteable.iid.to_s
+          )
+          expect(payload['noteId']).to be_empty
+          expect(payload['discussionId']).to eq(note.discussion_id)
+        end
+      end
+    end
+
+    context 'when using unsupported sub-command transform for merge request' do
+      let_it_be(:note_text) { '/q transform' }
+      let(:note) { create(:note_on_merge_request, project: project, note: note_text) }
+
+      it 'returns an error' do
+        content, update_params, message, _ = service.execute(note)
+
+        expect(content).to be_blank
+        expect(update_params).to be_empty
+        expect(message).to eq('Could not apply Amazon Q command for merge request')
+      end
+    end
+
+    context 'with dev sub-command for a merge request' do
+      let_it_be(:note_text) { '/q dev' }
+      let(:note) { create(:note_on_merge_request, project: project, note: note_text, author: user) }
+      let(:command) { 'dev' }
+      let(:source) { 'merge_request' }
+
+      it 'calls out to the AI gateway' do
+        payload.merge!(
+          source_branch: note.noteable&.source_branch,
+          target_branch: note.noteable&.target_branch,
+          last_commit_id: nil
+        )
+
+        result = execute(note, include_message: true)
+        expect(result[0]).to be_empty
+        expect(result[1]).to eq('Q got your message!')
+
+        expect(Gitlab::HTTP).to have_received(:post) do |*args|
+          body = ::Gitlab::Json.parse(args[1][:body])
+          expect(body['payload']['mergeRequestId']).to eq(note.noteable.id.to_s)
+          expect(body['payload']['mergeRequestIId']).to eq(note.noteable.iid.to_s)
+          expect(body['payload']['noteId']).not_to be_nil
+          expect(body['payload']['discussionId']).to eq(note.discussion_id)
+          expect(body['payload']['source_branch']).to eq(note.noteable&.source_branch)
+          expect(body['payload']['target_branch']).to eq(note.noteable&.target_branch)
+        end
+      end
+    end
+
+    context 'with generate unit test sub-command' do
+      let_it_be(:note_text) { '/q test this is a test' }
+      let_it_be(:merge_request) { create(:merge_request_with_diffs, source_project: project, target_project: project) }
+
+      let(:line_range) do
+        {
+          "start" => {
+            "line_code" => "ab09011fa121d0a2bb9fa4ca76094f2482b902b7_18_18",
+            "type" => nil,
+            "old_line" => 18,
+            "new_line" => 18
+          },
+          "end" => {
+            "line_code" => "ab09011fa121d0a2bb9fa4ca76094f2482b902b7_18_30",
+            "type" => nil,
+            "old_line" => 30,
+            "new_line" => 30
+          }
+        }
+      end
+
+      let!(:position) do
+        Gitlab::Diff::Position.new(
+          old_path: "files/ruby/popen.rb",
+          new_path: "files/ruby/popen.rb",
+          old_line: nil,
+          new_line: 18,
+          diff_refs: merge_request.diff_refs,
+          line_range: line_range
+        )
+      end
+
+      let(:note) do
+        create(
+          :diff_note_on_merge_request,
+          noteable: merge_request,
+          project: project,
+          position: position,
+          author: user,
+          note: note_text
+        )
+      end
+
+      let(:command) { 'test' }
+
+      let(:source) { 'merge_request' }
+
+      it 'calls out to the AI gateway', :aggregate_failures do
+        result = execute(note, include_message: true)
+        expect(result[0]).to be_empty
+        expect(result[1]).to eq('Q got your message!')
+
+        expect(Gitlab::HTTP).to have_received(:post) do |*args|
+          body = ::Gitlab::Json.parse(args[1][:body])
+          expect(body['payload']['mergeRequestId']).to eq(note.noteable.id.to_s)
+          expect(body['payload']['mergeRequestIId']).to eq(note.noteable.iid.to_s)
+          expect(body['payload']['noteId']).to be_present
+          # Expect to create new note in the same discussion
+          expect(body['payload']['noteId']).not_to eq(note.id.to_s)
+          expect(body['payload']['discussionId']).to eq(note.discussion_id)
+          expect(body['payload']['source_branch']).to eq(note.noteable&.source_branch)
+          expect(body['payload']['target_branch']).to eq(note.noteable&.target_branch)
+          expect(body['payload']['last_commit_id']).to be_present
+          expect(body['payload']['comment_start_line']).to eq("18")
+          expect(body['payload']['comment_end_line']).to eq("30")
+          expect(body['payload']['start_sha']).to eq(note.position.start_sha.to_s)
+          expect(body['payload']['head_sha']).to eq(note.position.head_sha.to_s)
+          expect(body['payload']['file_path']).to eq(note.position.new_path)
+          expect(body['payload']['user_message']).to eq('this is a test')
+        end
+      end
+    end
+
+    context 'with fix sub-comand for a merge request' do
+      let_it_be(:note_text) { '/q fix' }
+      let!(:bot_note) do
+        create(:note_on_merge_request, project: project,
+          note: "We detected an SQL command that might use unsanitized input.",
+          author: amazon_q_service_account)
+      end
+
+      let(:note) do
+        create(:note, project: project, note: note_text, author: user, noteable: bot_note.noteable,
+          discussion_id: bot_note.discussion_id)
+      end
+
+      let(:command) { 'fix' }
+      let(:source) { 'merge_request' }
+
+      it 'calls out to the AI gateway' do
+        payload.merge!(
+          source_branch: note.noteable&.source_branch,
+          target_branch: note.noteable&.target_branch,
+          last_commit_id: "b83d6e391c22777fca1ed3012fce84f633d7fed0",
+          noteId: bot_note.id.to_s,
+          discussionId: bot_note.discussion_id
+        )
+        body = {
+          payload: payload,
+          code: nil,
+          roleArn: 'arn:mock'
+        }
+        result = execute(note, include_message: true)
+        expect(result[0]).to be_empty
+        expect(result[1]).to eq('Q got your message!')
+
+        expect(Gitlab::HTTP).to have_received(:post).with(
+          anything,
+          hash_including(body: body.to_json)
+        )
+      end
+    end
+
+    context 'with review sub-command for a merge request' do
+      let_it_be(:note_text) { '/q review' }
+      let!(:note) { create(:note_on_merge_request, project: project, note: note_text) }
+      let!(:author) { note.author }
+      let(:command) { 'review' }
+      let(:source) { 'merge_request' }
+
+      it 'calls out to the AI gateway' do
+        payload.merge!(
+          source_branch: note.noteable&.source_branch,
+          target_branch: note.noteable&.target_branch,
+          last_commit_id: nil
+        )
+
+        result = nil
+        expect { result = execute(note, include_message: true) }.to change { Note.count }.by(1)
+        expect(note.note).to eq(note_text)
+        expect(note.author).to eq(author)
+        expect(result[0]).to be_empty
+        expect(result[1]).to eq('Q got your message!')
+
+        expect(Gitlab::HTTP).to have_received(:post) do |*args|
+          body = ::Gitlab::Json.parse(args[1][:body])
+          expect(body['payload']['mergeRequestId']).to eq(note.noteable.id.to_s)
+          expect(body['payload']['mergeRequestIId']).to eq(note.noteable.iid.to_s)
+          expect(body['payload']['noteId']).to be_empty
+          expect(body['payload']['discussionId']).to eq(note.discussion_id)
+          expect(body['payload']['source_branch']).to eq(note.noteable&.source_branch)
+          expect(body['payload']['target_branch']).to eq(note.noteable&.target_branch)
+        end
+      end
+    end
+
+    context 'with review sub-command and valid commit id for a merge request' do
+      let_it_be(:note_text) { '/q review' }
+      let(:merge_request) { create(:merge_request, source_project: project, target_project: project) }
+      let!(:note) { create(:note_on_merge_request, project: project, noteable: merge_request, note: note_text) }
+      let!(:author) { note.author }
+      let(:command) { 'review' }
+      let(:source) { 'merge_request' }
+      let(:commit_id) { instance_double('Commit', id: 'abc123def456') } # rubocop:disable RSpec/VerifiedDoubleReference -- making minimal changes during rebase
+
+      before do
+        allow(merge_request).to receive(:source_branch).and_return('feature-branch') # rubocop:disable RSpec/ReceiveMessages -- making minimal changes during rebase
+        allow(merge_request).to receive(:target_branch).and_return('main') # rubocop:disable RSpec/ReceiveMessages -- making minimal changes during rebase
+        allow(merge_request).to receive_message_chain(:recent_commits, :first).and_return(commit_id)
+      end
+
+      it 'calls out to the AI gateway' do
+        result = nil
+        expect { result = execute(note, include_message: true) }.to change { Note.count }.by(1)
+        expect(note.note).to eq(note_text)
+        expect(note.author).to eq(author)
+        expect(result[0]).to be_empty
+        expect(result[1]).to eq('Q got your message!')
+
+        expect(Gitlab::HTTP).to have_received(:post) do |*args|
+          body = ::Gitlab::Json.parse(args[1][:body])
+          expect(body['payload']['mergeRequestId']).to eq(note.noteable.id.to_s)
+          expect(body['payload']['mergeRequestIId']).to eq(note.noteable.iid.to_s)
+          expect(body['payload']['noteId']).to be_empty
+          expect(body['payload']['discussionId']).to eq(note.discussion_id)
+          expect(body['payload']['source_branch']).to eq('feature-branch')
+          expect(body['payload']['target_branch']).to eq('main')
+          expect(body['payload']['last_commit_id']).to eq('abc123def456')
+        end
+      end
+    end
+  end
 end
diff --git a/ee/spec/services/ee/projects/autocomplete_service_spec.rb b/ee/spec/services/ee/projects/autocomplete_service_spec.rb
index 23e2fa8a4b2099..4c01eef00c0eab 100644
--- a/ee/spec/services/ee/projects/autocomplete_service_spec.rb
+++ b/ee/spec/services/ee/projects/autocomplete_service_spec.rb
@@ -8,6 +8,7 @@
 
   let(:user) { create(:user) }
   let!(:epic) { create(:epic, group: group, author: user) }
+  let_it_be(:issue) { create(:issue, project: project, title: 'Issue 1') }
 
   subject { described_class.new(project, user) }
 
@@ -64,4 +65,35 @@
       it { is_expected.to contain_exactly(open_iteration) }
     end
   end
+
+  describe '#commands' do
+    let(:amazon_q_enabled) { true }
+
+    subject(:commands) { described_class.new(project, user).commands(issue) }
+
+    before do
+      allow(::Ai::AmazonQ).to receive(:enabled?).and_return(amazon_q_enabled)
+      stub_const('Ai::AmazonQ::AmazonQTriggerService::ISSUE_SUBCOMMANDS', %w[dev transform])
+    end
+
+    context 'with q quick action for issue' do
+      it 'params include subcommands' do
+        expect(commands).to include(a_hash_including(
+          name: :q,
+          params: ['<dev | transform>']
+        ))
+      end
+    end
+
+    context 'with q quick action for merge request' do
+      let(:issue) { create(:merge_request, source_project: project, target_project: project, title: 'Merge Request 1') }
+
+      it 'params include subcommands' do
+        expect(commands).to include(a_hash_including(
+          name: :q,
+          params: ['<dev | fix | review | test>']
+        ))
+      end
+    end
+  end
 end
diff --git a/spec/services/service_response_spec.rb b/spec/services/service_response_spec.rb
index 0b7e71106b4fa9..eea1d36ff94206 100644
--- a/spec/services/service_response_spec.rb
+++ b/spec/services/service_response_spec.rb
@@ -75,6 +75,36 @@
     end
   end
 
+  describe '.from_legacy_hash' do
+    it 'with a ServiceResponse, returns the argument' do
+      response = described_class.success
+
+      expect(described_class.from_legacy_hash(response)).to be(response)
+    end
+
+    it 'with a Hash, builds a new ServiceResponse' do
+      hash = {
+        status: :error,
+        message: 'lorem ipsum',
+        payload: { foo: 123 }
+      }
+
+      result = described_class.from_legacy_hash(hash)
+
+      expect(result.class).to be(described_class)
+      expect(result.success?).to be(false)
+      expect(result.payload).to match(a_hash_including({ foo: 123 }))
+      expect(result.status).to be(:error)
+      expect(result.message).to be('lorem ipsum')
+      expect(result.http_status).to be_nil
+      expect(result.reason).to be_nil
+    end
+
+    it 'throws if argument not expected type' do
+      expect { described_class.from_legacy_hash(123) }.to raise_error(ArgumentError)
+    end
+  end
+
   describe '#success?' do
     it 'returns true for a successful response' do
       expect(described_class.success.success?).to eq(true)
-- 
GitLab


From f1472bbc2faf6a42490e88c9a575c78e5d947e95 Mon Sep 17 00:00:00 2001
From: Paul Slaughter <pslaughter@gitlab.com>
Date: Tue, 3 Dec 2024 09:52:58 -0600
Subject: [PATCH 09/14] Chore(Q): Improve Q metric and usage tracking

---
 .../quick_actions/interpret_service.rb        |  3 ++-
 ee/config/events/i_quickactions_q.yml         | 18 +++++++++++++++
 ...distinct_user_id_from_i_quickactions_q.yml | 19 +++++++++++++++
 ...inct_user_id_from_i_quickactions_q_dev.yml | 23 +++++++++++++++++++
 ...inct_user_id_from_i_quickactions_q_fix.yml | 23 +++++++++++++++++++
 ...t_user_id_from_i_quickactions_q_review.yml | 23 +++++++++++++++++++
 ...nct_user_id_from_i_quickactions_q_test.yml | 23 +++++++++++++++++++
 ...ser_id_from_i_quickactions_q_transform.yml | 23 +++++++++++++++++++
 .../hll_redis_legacy_events.yml               |  1 +
 .../quick_action_activity_unique_counter.rb   | 19 +++++++++++++--
 ...ick_action_activity_unique_counter_spec.rb | 18 ++++++++++-----
 .../quick_actions/interpret_service_spec.rb   |  6 ++---
 12 files changed, 187 insertions(+), 12 deletions(-)
 create mode 100644 ee/config/events/i_quickactions_q.yml
 create mode 100644 ee/config/metrics/counts_all/count_distinct_user_id_from_i_quickactions_q.yml
 create mode 100644 ee/config/metrics/counts_all/count_distinct_user_id_from_i_quickactions_q_dev.yml
 create mode 100644 ee/config/metrics/counts_all/count_distinct_user_id_from_i_quickactions_q_fix.yml
 create mode 100644 ee/config/metrics/counts_all/count_distinct_user_id_from_i_quickactions_q_review.yml
 create mode 100644 ee/config/metrics/counts_all/count_distinct_user_id_from_i_quickactions_q_test.yml
 create mode 100644 ee/config/metrics/counts_all/count_distinct_user_id_from_i_quickactions_q_transform.yml

diff --git a/app/services/quick_actions/interpret_service.rb b/app/services/quick_actions/interpret_service.rb
index 7553ae34eb02b1..926880d7b0129c 100644
--- a/app/services/quick_actions/interpret_service.rb
+++ b/app/services/quick_actions/interpret_service.rb
@@ -233,7 +233,8 @@ def usage_ping_tracking(quick_action_name, arg)
       Gitlab::UsageDataCounters::QuickActionActivityUniqueCounter.track_unique_action(
         quick_action_name.to_s,
         args: arg&.strip,
-        user: current_user
+        user: current_user,
+        project: project
       )
     end
 
diff --git a/ee/config/events/i_quickactions_q.yml b/ee/config/events/i_quickactions_q.yml
new file mode 100644
index 00000000000000..33496265c95a0b
--- /dev/null
+++ b/ee/config/events/i_quickactions_q.yml
@@ -0,0 +1,18 @@
+---
+description: When the quickaction /q is executed
+internal_events: true
+action: i_quickactions_q
+identifiers:
+- project
+- namespace
+- user
+product_group: ai_framework
+milestone: '17.7'
+introduced_by_url: https://gitlab.com/gitlab-com/ops-sub-department/aws-gitlab-ai-integration/gitlab/-/merge_requests/119
+distributions:
+- ee
+tiers:
+- ultimate
+additional_properties:
+  label:
+    description: The subcommand used
diff --git a/ee/config/metrics/counts_all/count_distinct_user_id_from_i_quickactions_q.yml b/ee/config/metrics/counts_all/count_distinct_user_id_from_i_quickactions_q.yml
new file mode 100644
index 00000000000000..c64c8f612e561d
--- /dev/null
+++ b/ee/config/metrics/counts_all/count_distinct_user_id_from_i_quickactions_q.yml
@@ -0,0 +1,19 @@
+---
+key_path: redis_hll_counters.count_distinct_user_id_from_i_quickactions_q
+description: Count of unique users using the /q quickaction
+product_group: ai_framework
+performance_indicator_type: []
+value_type: number
+status: active
+milestone: '17.7'
+introduced_by_url: https://gitlab.com/gitlab-com/ops-sub-department/aws-gitlab-ai-integration/gitlab/-/merge_requests/119
+time_frame: 28d
+data_source: internal_events
+data_category: optional
+distribution:
+- ee
+tiers:
+- ultimate
+events:
+- name: i_quickactions_q
+  unique: user.id
diff --git a/ee/config/metrics/counts_all/count_distinct_user_id_from_i_quickactions_q_dev.yml b/ee/config/metrics/counts_all/count_distinct_user_id_from_i_quickactions_q_dev.yml
new file mode 100644
index 00000000000000..be1cd2f2ecd415
--- /dev/null
+++ b/ee/config/metrics/counts_all/count_distinct_user_id_from_i_quickactions_q_dev.yml
@@ -0,0 +1,23 @@
+---
+key_path: redis_hll_counters.count_distinct_user_id_from_i_quickactions_q_dev
+description: Count of unique users using the /q dev quickaction
+product_group: ai_framework
+performance_indicator_type: []
+value_type: number
+status: active
+milestone: "17.7"
+introduced_by_url: https://gitlab.com/gitlab-com/ops-sub-department/aws-gitlab-ai-integration/gitlab/-/merge_requests/141
+time_frame:
+  - 7d
+  - 28d
+data_source: internal_events
+data_category: optional
+distribution:
+  - ee
+tiers:
+  - ultimate
+events:
+  - name: i_quickactions_q
+    unique: user.id
+    filter:
+      label: dev
diff --git a/ee/config/metrics/counts_all/count_distinct_user_id_from_i_quickactions_q_fix.yml b/ee/config/metrics/counts_all/count_distinct_user_id_from_i_quickactions_q_fix.yml
new file mode 100644
index 00000000000000..fabfda69e58162
--- /dev/null
+++ b/ee/config/metrics/counts_all/count_distinct_user_id_from_i_quickactions_q_fix.yml
@@ -0,0 +1,23 @@
+---
+key_path: redis_hll_counters.count_distinct_user_id_from_i_quickactions_q_fix
+description: Count of unique users using the /q fix quickaction
+product_group: ai_framework
+performance_indicator_type: []
+value_type: number
+status: active
+milestone: '17.7'
+introduced_by_url: https://gitlab.com/gitlab-com/ops-sub-department/aws-gitlab-ai-integration/gitlab/-/merge_requests/141
+time_frame:
+- 7d
+- 28d
+data_source: internal_events
+data_category: optional
+distribution:
+- ee
+tiers:
+- ultimate
+events:
+- name: i_quickactions_q
+  unique: user.id
+  filter:
+    label: fix
diff --git a/ee/config/metrics/counts_all/count_distinct_user_id_from_i_quickactions_q_review.yml b/ee/config/metrics/counts_all/count_distinct_user_id_from_i_quickactions_q_review.yml
new file mode 100644
index 00000000000000..3b54dad7c0f164
--- /dev/null
+++ b/ee/config/metrics/counts_all/count_distinct_user_id_from_i_quickactions_q_review.yml
@@ -0,0 +1,23 @@
+---
+key_path: redis_hll_counters.count_distinct_user_id_from_i_quickactions_q_review
+description: Count of unique users using the /q review quickaction
+product_group: ai_framework
+performance_indicator_type: []
+value_type: number
+status: active
+milestone: '17.7'
+introduced_by_url: https://gitlab.com/gitlab-com/ops-sub-department/aws-gitlab-ai-integration/gitlab/-/merge_requests/141
+time_frame:
+- 7d
+- 28d
+data_source: internal_events
+data_category: optional
+distribution:
+- ee
+tiers:
+- ultimate
+events:
+- name: i_quickactions_q
+  unique: user.id
+  filter:
+    label: review
diff --git a/ee/config/metrics/counts_all/count_distinct_user_id_from_i_quickactions_q_test.yml b/ee/config/metrics/counts_all/count_distinct_user_id_from_i_quickactions_q_test.yml
new file mode 100644
index 00000000000000..2b84fe1367c41d
--- /dev/null
+++ b/ee/config/metrics/counts_all/count_distinct_user_id_from_i_quickactions_q_test.yml
@@ -0,0 +1,23 @@
+---
+key_path: redis_hll_counters.count_distinct_user_id_from_i_quickactions_q_test
+description: Count of unique users using the /q test quickaction
+product_group: ai_framework
+performance_indicator_type: []
+value_type: number
+status: active
+milestone: '17.7'
+introduced_by_url: https://gitlab.com/gitlab-com/ops-sub-department/aws-gitlab-ai-integration/gitlab/-/merge_requests/141
+time_frame:
+- 7d
+- 28d
+data_source: internal_events
+data_category: optional
+distribution:
+- ee
+tiers:
+- ultimate
+events:
+- name: i_quickactions_q
+  unique: user.id
+  filter:
+    label: test
diff --git a/ee/config/metrics/counts_all/count_distinct_user_id_from_i_quickactions_q_transform.yml b/ee/config/metrics/counts_all/count_distinct_user_id_from_i_quickactions_q_transform.yml
new file mode 100644
index 00000000000000..fcbe04b7422c41
--- /dev/null
+++ b/ee/config/metrics/counts_all/count_distinct_user_id_from_i_quickactions_q_transform.yml
@@ -0,0 +1,23 @@
+---
+key_path: redis_hll_counters.count_distinct_user_id_from_i_quickactions_q_transform
+description: Count of unique users using the /q transform quickaction
+product_group: ai_framework
+performance_indicator_type: []
+value_type: number
+status: active
+milestone: '17.7'
+introduced_by_url: https://gitlab.com/gitlab-com/ops-sub-department/aws-gitlab-ai-integration/gitlab/-/merge_requests/142
+time_frame:
+- 7d
+- 28d
+data_source: internal_events
+data_category: optional
+distribution:
+- ee
+tiers:
+- ultimate
+events:
+- name: i_quickactions_q
+  unique: user.id
+  filter:
+    label: transform
diff --git a/lib/gitlab/usage_data_counters/hll_redis_legacy_events.yml b/lib/gitlab/usage_data_counters/hll_redis_legacy_events.yml
index b95da54b559f33..0413259d8f2627 100644
--- a/lib/gitlab/usage_data_counters/hll_redis_legacy_events.yml
+++ b/lib/gitlab/usage_data_counters/hll_redis_legacy_events.yml
@@ -249,6 +249,7 @@
 - i_quickactions_copy_metadata_issue
 - i_quickactions_copy_metadata_merge_request
 - i_quickactions_create_merge_request
+- i_quickactions_q
 - i_quickactions_done
 - i_quickactions_draft
 - i_quickactions_due
diff --git a/lib/gitlab/usage_data_counters/quick_action_activity_unique_counter.rb b/lib/gitlab/usage_data_counters/quick_action_activity_unique_counter.rb
index d7decf8c8f7de9..c0f069b171ef12 100644
--- a/lib/gitlab/usage_data_counters/quick_action_activity_unique_counter.rb
+++ b/lib/gitlab/usage_data_counters/quick_action_activity_unique_counter.rb
@@ -12,18 +12,24 @@ class << self
           convert_to_ticket
           remove_email_multiple
           remove_email_single
+          q
         ].freeze
 
         # Tracks the quick action with name `name`.
         # `args` is expected to be a single string, will be split internally when necessary.
-        def track_unique_action(name, args:, user:)
+        def track_unique_action(name, args:, user:, project:)
           return unless user
 
           args ||= ''
           name = prepare_name(name, args)
 
           if INTERNAL_EVENTS.include?(name)
-            Gitlab::InternalEvents.track_event("i_quickactions_#{name}", user: user)
+            Gitlab::InternalEvents.track_event(
+              "i_quickactions_#{name}",
+              user: user,
+              project: project,
+              additional_properties: prepare_additional_properties(name, args)
+            )
           else
             # Legacy event implementation. Migrate existing events to internal events.
             # See implementation of `convert_to_ticket` quickaction and
@@ -61,6 +67,15 @@ def prepare_name(name, args)
           end
         end
 
+        def prepare_additional_properties(name, args)
+          case name
+          when 'q'
+            { label: args.split.first }
+          else
+            {}
+          end
+        end
+
         def event_name_for_assign(args)
           args = args.split
 
diff --git a/spec/lib/gitlab/usage_data_counters/quick_action_activity_unique_counter_spec.rb b/spec/lib/gitlab/usage_data_counters/quick_action_activity_unique_counter_spec.rb
index 74f9e4ca304f0f..45b7093f1ed781 100644
--- a/spec/lib/gitlab/usage_data_counters/quick_action_activity_unique_counter_spec.rb
+++ b/spec/lib/gitlab/usage_data_counters/quick_action_activity_unique_counter_spec.rb
@@ -6,6 +6,7 @@
   let(:user) { build(:user, id: 1) }
   let(:note) { build(:note, author: user) }
   let(:args) { nil }
+  let(:project) { build(:project) }
 
   shared_examples_for 'a tracked quick action unique event' do
     specify do
@@ -25,14 +26,9 @@
     it_behaves_like 'internal event tracking' do
       let(:event) { action }
     end
-
-    it 'tracks the internal event' do
-      expect(Gitlab::InternalEvents).to receive(:track_event).with(action, user: user).once
-      subject
-    end
   end
 
-  subject { described_class.track_unique_action(quickaction_name, args: args, user: user) }
+  subject { described_class.track_unique_action(quickaction_name, args: args, user: user, project: project) }
 
   describe '.track_unique_action' do
     let(:quickaction_name) { 'approve' }
@@ -247,4 +243,14 @@
       let(:action) { 'i_quickactions_convert_to_ticket' }
     end
   end
+
+  context 'when tracking q', feature_category: :ai_agents do
+    let(:quickaction_name) { 'q' }
+    let(:args) { 'dev' }
+    let(:label) { 'dev' }
+
+    it_behaves_like 'a tracked quick action internal event' do
+      let(:action) { 'i_quickactions_q' }
+    end
+  end
 end
diff --git a/spec/services/quick_actions/interpret_service_spec.rb b/spec/services/quick_actions/interpret_service_spec.rb
index 0c1ed6f6bd332d..a18d34b5f21825 100644
--- a/spec/services/quick_actions/interpret_service_spec.rb
+++ b/spec/services/quick_actions/interpret_service_spec.rb
@@ -2292,15 +2292,15 @@
 
       expect(Gitlab::UsageDataCounters::QuickActionActivityUniqueCounter)
         .to receive(:track_unique_action)
-        .with('shrug', args: 'test', user: developer)
+        .with('shrug', args: 'test', user: developer, project: project)
 
       expect(Gitlab::UsageDataCounters::QuickActionActivityUniqueCounter)
         .to receive(:track_unique_action)
-        .with('assign', args: 'me', user: developer)
+        .with('assign', args: 'me', user: developer, project: project)
 
       expect(Gitlab::UsageDataCounters::QuickActionActivityUniqueCounter)
         .to receive(:track_unique_action)
-        .with('milestone', args: '%4', user: developer)
+        .with('milestone', args: '%4', user: developer, project: project)
 
       service.execute(content, issue)
     end
-- 
GitLab


From a745d61138999bced0fa59a36d9bd0f3e7dd94f7 Mon Sep 17 00:00:00 2001
From: Paul Slaughter <pslaughter@gitlab.com>
Date: Tue, 3 Dec 2024 10:51:24 -0600
Subject: [PATCH 10/14] Chore(Q): Extra backstage stuff for AmazonQ

---
 ee/lib/cloud_connector/available_services.rb  |   5 +-
 .../cloud_connector/self_issued_token.rb      |   6 +-
 .../available_services_spec.rb                |   8 +-
 .../cloud_connector/self_issued_token_spec.rb |   3 +-
 locale/gitlab.pot                             | 213 ++++++++++++++++++
 qa/qa/ee/page/component/duo_chat_callout.rb   |   2 +-
 scripts/pipeline_test_report_builder.rb       |   4 +
 scripts/utils.sh                              |   6 +-
 8 files changed, 232 insertions(+), 15 deletions(-)

diff --git a/ee/lib/cloud_connector/available_services.rb b/ee/lib/cloud_connector/available_services.rb
index a3e6bcccae56e9..00cf6a25415937 100644
--- a/ee/lib/cloud_connector/available_services.rb
+++ b/ee/lib/cloud_connector/available_services.rb
@@ -31,10 +31,7 @@ def use_self_signed_token?(service_name)
         return true if service_name == :self_hosted_models
 
         # All remaining code paths require requesting self-signed tokens.
-        return false unless Gitlab::Utils.to_boolean(ENV['CLOUD_CONNECTOR_SELF_SIGN_TOKENS'])
-
-        # Permit self-signed tokens in development for testing purposes.
-        Rails.env.development?
+        Gitlab::Utils.to_boolean(ENV['CLOUD_CONNECTOR_SELF_SIGN_TOKENS'])
       end
       # rubocop:enable Gitlab/AvoidGitlabInstanceChecks
     end
diff --git a/ee/lib/gitlab/cloud_connector/self_issued_token.rb b/ee/lib/gitlab/cloud_connector/self_issued_token.rb
index 6f8cf69d700122..2ffe85d97148e2 100644
--- a/ee/lib/gitlab/cloud_connector/self_issued_token.rb
+++ b/ee/lib/gitlab/cloud_connector/self_issued_token.rb
@@ -23,7 +23,7 @@ def initialize(audience:, subject:, scopes:, extra_claims: {})
       end
 
       def encoded
-        headers = { typ: 'JWT' }
+        headers = { typ: 'JWT', kid: kid }
 
         JWT.encode(payload, key, 'RS256', headers)
       end
@@ -56,6 +56,10 @@ def key
 
         OpenSSL::PKey::RSA.new(key_data)
       end
+
+      def kid
+        key.public_key.to_jwk[:kid]
+      end
     end
   end
 end
diff --git a/ee/spec/lib/cloud_connector/available_services_spec.rb b/ee/spec/lib/cloud_connector/available_services_spec.rb
index aee0202a66e7dd..013dc24bf06351 100644
--- a/ee/spec/lib/cloud_connector/available_services_spec.rb
+++ b/ee/spec/lib/cloud_connector/available_services_spec.rb
@@ -19,13 +19,7 @@
         stub_env('CLOUD_CONNECTOR_SELF_SIGN_TOKENS', '1')
       end
 
-      it 'returns SelfSigned::SelfManaged outside of development' do
-        is_expected.to be_a_kind_of(CloudConnector::SelfManaged::AccessDataReader)
-      end
-
-      it 'returns SelfSigned::AccessDataReader in development' do
-        stub_rails_env('development')
-
+      it 'returns SelfSigned::AccessDataReader' do
         is_expected.to be_a_kind_of(CloudConnector::SelfSigned::AccessDataReader)
       end
     end
diff --git a/ee/spec/lib/gitlab/cloud_connector/self_issued_token_spec.rb b/ee/spec/lib/gitlab/cloud_connector/self_issued_token_spec.rb
index e7e3ddb8e37c5e..adfcf683fecc09 100644
--- a/ee/spec/lib/gitlab/cloud_connector/self_issued_token_spec.rb
+++ b/ee/spec/lib/gitlab/cloud_connector/self_issued_token_spec.rb
@@ -43,10 +43,11 @@
       it 'decodes successfully with public key', :aggregate_failures do
         jwt = token.encoded
         public_key = token.send(:key).public_key
+        kid = public_key.to_jwk[:kid]
 
         payload, headers = JWT.decode(jwt, public_key, true, { algorithm: 'RS256' })
 
-        expect(headers).to eq("alg" => "RS256", "typ" => "JWT")
+        expect(headers).to eq("alg" => "RS256", "typ" => "JWT", "kid" => kid)
         expect(payload.keys).to contain_exactly(
           "jti",
           "aud",
diff --git a/locale/gitlab.pot b/locale/gitlab.pot
index 1829008c0f7830..30237cbb14c879 100644
--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -5877,6 +5877,204 @@ msgstr ""
 msgid "Amazon EKS integration allows you to provision EKS clusters from GitLab."
 msgstr ""
 
+msgid "Amazon Q"
+msgstr ""
+
+msgid "AmazonQ|:hourglass_flowing_sand: I'm creating unit tests for the selected lines of code. I'll update this comment when I'm done."
+msgstr ""
+
+msgid "AmazonQ|Active cloud connector token not found."
+msgstr ""
+
+msgid "AmazonQ|Always off"
+msgstr ""
+
+msgid "AmazonQ|Amazon Q Configuration"
+msgstr ""
+
+msgid "AmazonQ|Amazon Q Settings have been saved."
+msgstr ""
+
+msgid "AmazonQ|Amazon Q will be turned off by default, but still be available to any groups or projects that have previously enabled it."
+msgstr ""
+
+msgid "AmazonQ|Amazon Q will be turned off for all groups, subgroups, and projects, even if they have previously enabled it."
+msgstr ""
+
+msgid "AmazonQ|An unexpected error occurred while disconnecting Amazon Q. Please see the browser console log for more details."
+msgstr ""
+
+msgid "AmazonQ|An unexpected error occurred while submitting the form. Please see the browser console log for more details."
+msgstr ""
+
+msgid "AmazonQ|Apply changes to this merge request based on the comments (Beta)"
+msgstr ""
+
+msgid "AmazonQ|Are you sure?"
+msgstr ""
+
+msgid "AmazonQ|Audience"
+msgstr ""
+
+msgid "AmazonQ|Availability"
+msgstr ""
+
+msgid "AmazonQ|Beta"
+msgstr ""
+
+msgid "AmazonQ|Cloud connector token could not be decoded"
+msgstr ""
+
+msgid "AmazonQ|Configure GitLab Duo with Amazon Q"
+msgstr ""
+
+msgid "AmazonQ|Configure GitLab Duo with Amazon Q (Beta)"
+msgstr ""
+
+msgid "AmazonQ|Copy to clipboard"
+msgstr ""
+
+msgid "AmazonQ|Create a merge request to incorporate Amazon Q suggestions (Beta)"
+msgstr ""
+
+msgid "AmazonQ|Create an identity provider for this GitLab instance within AWS using the following values. %{helpStart}Learn more%{helpEnd}."
+msgstr ""
+
+msgid "AmazonQ|Create fixes for review findings (Beta)"
+msgstr ""
+
+msgid "AmazonQ|Create unit tests for selected lines of code in Java or Python files (Beta)"
+msgstr ""
+
+msgid "AmazonQ|Disconnect"
+msgstr ""
+
+msgid "AmazonQ|Enter the IAM role's ARN."
+msgstr ""
+
+msgid "AmazonQ|Features are available. However, any group, subgroup, or project can turn them off."
+msgstr ""
+
+msgid "AmazonQ|Features are not available and cannot be turned on for any group, subgroup, or project."
+msgstr ""
+
+msgid "AmazonQ|Features are not available. However, any group, subgroup, or project can turn them on."
+msgstr ""
+
+msgid "AmazonQ|Fetching Identity Provider parameters"
+msgstr ""
+
+msgid "AmazonQ|Get started"
+msgstr ""
+
+msgid "AmazonQ|GitLab Duo with Amazon Q"
+msgstr ""
+
+msgid "AmazonQ|GitLab Duo with Amazon Q is ready to go! 🎉"
+msgstr ""
+
+msgid "AmazonQ|I understand that by selecting Save changes, GitLab creates a service account for Amazon Q and sends its credentials to AWS. Use of the Amazon Q Developer capabilities as part of GitLab Duo with Amazon Q is governed by the %{helpStart}AWS Customer Agreement%{helpEnd} or other written agreement between you and AWS governing your use of AWS services."
+msgstr ""
+
+msgid "AmazonQ|I'm generating a fix for this review finding. I'll update this comment when I'm done."
+msgstr ""
+
+msgid "AmazonQ|I'm generating code for this issue. I'll update this comment and open a merge request when I'm done."
+msgstr ""
+
+msgid "AmazonQ|I'm reviewing this merge request for security vulnerabilities, quality issues, and deficiencies. I'll provide an update when I'm done."
+msgstr ""
+
+msgid "AmazonQ|I'm revising this merge request based on your feedback. I'll update this comment and this merge request when I'm done."
+msgstr ""
+
+msgid "AmazonQ|I'm upgrading your code to Java 17. I'll update this comment and open a merge request when I'm done."
+msgstr ""
+
+msgid "AmazonQ|IAM role's ARN"
+msgstr ""
+
+msgid "AmazonQ|Instance ID"
+msgstr ""
+
+msgid "AmazonQ|Off by default"
+msgstr ""
+
+msgid "AmazonQ|On by default"
+msgstr ""
+
+msgid "AmazonQ|Provider URL"
+msgstr ""
+
+msgid "AmazonQ|Provider type"
+msgstr ""
+
+msgid "AmazonQ|Review merge request for code quality and security issues (Beta)"
+msgstr ""
+
+msgid "AmazonQ|Save changes"
+msgstr ""
+
+msgid "AmazonQ|Setup"
+msgstr ""
+
+msgid "AmazonQ|Show identity provider values"
+msgstr ""
+
+msgid "AmazonQ|Something went wrong retrieving the identity provider payload."
+msgstr ""
+
+msgid "AmazonQ|Something went wrong saving Amazon Q settings."
+msgstr ""
+
+msgid "AmazonQ|Sorry, I'm not able to complete the request at this moment. Please try again later"
+msgstr ""
+
+msgid "AmazonQ|Status"
+msgstr ""
+
+msgid "AmazonQ|This will disable GitLab Duo with Amazon Q and delete some integration artifacts such as the service account and OAuth application. You can safely reconnect Amazon Q later."
+msgstr ""
+
+msgid "AmazonQ|Upgrade Java Maven application to Java 17 (Beta)"
+msgstr ""
+
+msgid "AmazonQ|Use Amazon Q to automate workflows, create a merge request from an issue, upgrade Java, and improve your code with AI-powered reviews."
+msgstr ""
+
+msgid "AmazonQ|Use GitLab Duo with Amazon Q to create and review merge requests and upgrade Java. %{link_start}Learn more%{link_end}."
+msgstr ""
+
+msgid "AmazonQ|Use GitLab Duo with Amazon Q to create and review merge requests and upgrade Java. GitLab Duo with Amazon Q is separate from GitLab Duo Pro and Enterprise. %{linkStart}Learn more%{linkEnd}."
+msgstr ""
+
+msgid "AmazonQ|Use GitLab Duo with Amazon Q to create and review merge requests and upgrade Java.%{br}GitLab Duo with Amazon Q is separate from GitLab Duo Pro and Enterprise. %{help_link_start}Learn more%{help_link_end}."
+msgstr ""
+
+msgid "AmazonQ|View configuration setup"
+msgstr ""
+
+msgid "AmazonQ|When you save, Amazon Q will be turned off for all subgroups, and projects, even if they have previously enabled it.%{br}This will also remove the Amazon Q service account from these groups and projects."
+msgstr ""
+
+msgid "AmazonQ|Within your AWS account, create an IAM role for Amazon Q and the relevant identity provider. %{helpStart}Learn how to create an IAM role%{helpEnd}."
+msgstr ""
+
+msgid "AmazonQ|dev"
+msgstr ""
+
+msgid "AmazonQ|fix"
+msgstr ""
+
+msgid "AmazonQ|review"
+msgstr ""
+
+msgid "AmazonQ|test"
+msgstr ""
+
+msgid "AmazonQ|transform"
+msgstr ""
+
 msgid "AmbiguousRef|There is a branch and a tag with the same name of %{ref}."
 msgstr ""
 
@@ -35874,6 +36072,9 @@ msgstr ""
 msgid "Needs attention"
 msgstr ""
 
+msgid "Neither gitlab_instance_uid or sub found on Cloud Connector token"
+msgstr ""
+
 msgid "Network"
 msgstr ""
 
@@ -43289,6 +43490,9 @@ msgstr ""
 msgid "ProjectSettings|Always show thumbs-up and thumbs-down emoji buttons on issues, merge requests, and snippets."
 msgstr ""
 
+msgid "ProjectSettings|Amazon Q"
+msgstr ""
+
 msgid "ProjectSettings|Analytics"
 msgstr ""
 
@@ -43715,6 +43919,9 @@ msgstr ""
 msgid "ProjectSettings|This project"
 msgstr ""
 
+msgid "ProjectSettings|This project can use Amazon Q."
+msgstr ""
+
 msgid "ProjectSettings|This setting is applied on the server level and can be overridden by an admin."
 msgstr ""
 
@@ -45068,6 +45275,9 @@ msgstr ""
 msgid "PushoverService|Total commits count: %{total_commits_count}"
 msgstr ""
 
+msgid "Q got your message!"
+msgstr ""
+
 msgid "QualitySummary|Project quality"
 msgstr ""
 
@@ -59647,6 +59857,9 @@ msgstr ""
 msgid "Use .gitlab-ci.yml"
 msgstr ""
 
+msgid "Use Amazon Q to streamline development workflow and project upgrades (Beta)"
+msgstr ""
+
 msgid "Use CRON syntax. %{linkStart}Learn more.%{linkEnd}"
 msgstr ""
 
diff --git a/qa/qa/ee/page/component/duo_chat_callout.rb b/qa/qa/ee/page/component/duo_chat_callout.rb
index b90b14e3793d29..3b97cabff8c614 100644
--- a/qa/qa/ee/page/component/duo_chat_callout.rb
+++ b/qa/qa/ee/page/component/duo_chat_callout.rb
@@ -18,7 +18,7 @@ def self.prepended(base)
           end
 
           def dismiss_duo_chat_popup
-            return unless has_element?('duo-chat-promo-callout-popover', wait: 0.5)
+            return unless has_element?('duo-chat-promo-callout-popover', wait: 2)
 
             within_element('duo-chat-promo-callout-popover') do
               click_element('close-button')
diff --git a/scripts/pipeline_test_report_builder.rb b/scripts/pipeline_test_report_builder.rb
index de0b7dc23d9db0..fe5ca8bb436156 100755
--- a/scripts/pipeline_test_report_builder.rb
+++ b/scripts/pipeline_test_report_builder.rb
@@ -144,6 +144,10 @@ def fetch(uri_str)
 
     body = ''
 
+    if ENV['PROJECT_TOKEN_FOR_CI_SCRIPTS_API_USAGE']
+      request['PRIVATE-TOKEN'] = ENV['PROJECT_TOKEN_FOR_CI_SCRIPTS_API_USAGE']
+    end
+
     Net::HTTP.start(uri.host, uri.port, use_ssl: true) do |http|
       http.request(request) do |response|
         case response
diff --git a/scripts/utils.sh b/scripts/utils.sh
index cd85b0da723811..db3a52ba58fea2 100644
--- a/scripts/utils.sh
+++ b/scripts/utils.sh
@@ -107,6 +107,9 @@ function bundle_install_script() {
   run_timed_command "bundle install ${BUNDLE_INSTALL_FLAGS} ${extra_install_args}"
 
   if [[ $(bundle info pg) ]]; then
+    # Bundler will complain about replacing gems in world-writeable directories, so lock down access.
+    # This appears to happen when the gems are uncached, since the Runner uses a restrictive umask.
+    find vendor -type d -exec chmod 700 {} +
     # When we test multiple versions of PG in the same pipeline, we have a single `setup-test-env`
     # job but the `pg` gem needs to be rebuilt since it includes extensions (https://guides.rubygems.org/gems-with-extensions).
     # Uncomment the following line if multiple versions of PG are tested in the same pipeline.
@@ -476,7 +479,8 @@ function define_trigger_branch_in_build_env() {
   then
     export TRIGGER_BRANCH="${target_branch_name%-ee}"
   else
-    export TRIGGER_BRANCH=master
+    # TODO(Q): Change the TRIGGER_BRANCH value to master when moving this to public GitLab repository
+    export TRIGGER_BRANCH=vp/change-alternateive-source-for-fork
   fi
 
   if [ -f "$BUILD_ENV" ]; then
-- 
GitLab


From 6ade8732125a05d61886041c12ebb3703b191b9c Mon Sep 17 00:00:00 2001
From: Jessie Young <jessieyoung@gitlab.com>
Date: Tue, 3 Dec 2024 22:09:24 -0800
Subject: [PATCH 11/14] Use dynamic scope for Q access grants

---
 app/services/issuable_base_service.rb         |  2 -
 .../ai/amazon_q/amazon_q_trigger_service.rb   | 14 ++++-
 .../amazon_q/amazon_q_trigger_service_spec.rb | 55 +++++++++++--------
 3 files changed, 45 insertions(+), 26 deletions(-)

diff --git a/app/services/issuable_base_service.rb b/app/services/issuable_base_service.rb
index e60358649676f1..3d53a1887e06f8 100644
--- a/app/services/issuable_base_service.rb
+++ b/app/services/issuable_base_service.rb
@@ -275,7 +275,6 @@ def handle_description_updated(issuable)
     GraphqlTriggers.issuable_description_updated(issuable)
   end
 
-  # rubocop:disable Metrics/AbcSize -- Method is only slightly over the limit due to decomposition method
   def update(issuable)
     ::Gitlab::Database::LoadBalancing::SessionMap.current(issuable.load_balancer).use_primary!
 
@@ -353,7 +352,6 @@ def update(issuable)
 
     issuable
   end
-  # rubocop:enable Metrics/AbcSize
 
   # Overriden in child class
   def trigger_update_subscriptions(issuable, old_associations); end
diff --git a/ee/app/services/ai/amazon_q/amazon_q_trigger_service.rb b/ee/app/services/ai/amazon_q/amazon_q_trigger_service.rb
index 5d10af2f309266..5d0fbc3d6f29d3 100644
--- a/ee/app/services/ai/amazon_q/amazon_q_trigger_service.rb
+++ b/ee/app/services/ai/amazon_q/amazon_q_trigger_service.rb
@@ -10,6 +10,7 @@ class AmazonQTriggerService < BaseService
       UnsupportedCommandError = Class.new(StandardError)
       UnsupportedSourceError = Class.new(StandardError)
       ServiceAccountError = Class.new(StandardError)
+      CompositeIdentityEnforcedError = Class.new(StandardError)
       MissingPrerequisiteError = Class.new(StandardError)
       MERGE_REQUEST_SUBCOMMANDS = %w[dev fix review test].freeze
       ISSUE_SUBCOMMANDS = %w[dev transform].freeze
@@ -232,7 +233,7 @@ def create_auth_grant_new
           application_id: app_id,
           redirect_uri: Gitlab::Routing.url_helpers.root_url,
           expires_in: 1.hour,
-          scopes: Gitlab::Auth::Q_SCOPES
+          scopes: Gitlab::Auth::Q_SCOPES + dynamic_user_scope
         ).plaintext_token
 
         Gitlab::AppLogger.info(message: "[amazon_q] OAUTH GRANT COMPLETE")
@@ -240,6 +241,10 @@ def create_auth_grant_new
         code
       end
 
+      def dynamic_user_scope
+        ["user:#{user.id}"]
+      end
+
       def create_note
         return unless note
 
@@ -298,10 +303,15 @@ def amazon_q_service_account
       strong_memoize_attr :amazon_q_service_account
 
       def validate_service_account!
-        service_account_id, _ = amazon_q_service_account
+        service_account_id, service_account = amazon_q_service_account
         if service_account_id.blank?
           raise ServiceAccountError,
             "#{command} failed due to Amazon Q service account ID is not configured"
+        elsif Feature.disabled?(:composite_identity, service_account)
+          # TODO: check for database composite identity enforced attribute once https://gitlab.com/gitlab-org/gitlab/-/merge_requests/174026
+          # is merged
+          raise CompositeIdentityEnforcedError,
+            "Cannot find the service account with composite identity enabled."
         end
 
         true
diff --git a/ee/spec/services/ai/amazon_q/amazon_q_trigger_service_spec.rb b/ee/spec/services/ai/amazon_q/amazon_q_trigger_service_spec.rb
index d04632519eb0cc..3cb817cf7ddb5d 100644
--- a/ee/spec/services/ai/amazon_q/amazon_q_trigger_service_spec.rb
+++ b/ee/spec/services/ai/amazon_q/amazon_q_trigger_service_spec.rb
@@ -3,6 +3,7 @@
 require 'spec_helper'
 
 RSpec.describe Ai::AmazonQ::AmazonQTriggerService, feature_category: :ai_agents do
+  let_it_be(:service_account) { create(:user, :service_account) }
   let_it_be(:user) { create(:user) }
   let_it_be(:project) { create(:project, :repository) }
   let_it_be(:issue) { create(:issue, project: project) }
@@ -13,7 +14,7 @@
 
   before do
     Ai::Setting.instance.update!(
-      amazon_q_service_account_user_id: user.id,
+      amazon_q_service_account_user_id: service_account.id,
       amazon_q_oauth_application_id: oauth_app.id
     )
   end
@@ -49,8 +50,10 @@
       let(:command) { 'dev' }
 
       shared_examples 'successful dev execution' do
-        it 'creates an auth grant' do
+        it 'creates an auth grant with the correct scopes', :aggregate_failures do
           expect { execution }.to change { OauthAccessGrant.count }.by(1)
+          grant = OauthAccessGrant.find_by(resource_owner: service_account, application: oauth_app)
+          expect(grant.scopes.to_s).to eq("api read_repository write_repository user:#{user.id}")
         end
 
         it 'executes successfully' do
@@ -119,7 +122,7 @@
       context 'when executes fix command with review findings' do
         let(:command) { 'fix' }
         let!(:diff_note) do
-          create(:diff_note_on_merge_request, noteable: merge_request, project: project, author: user,
+          create(:diff_note_on_merge_request, noteable: merge_request, project: project, author: service_account,
             note: 'We recommend to fix this security finding')
         end
 
@@ -263,17 +266,15 @@
     let(:service) { described_class.new(user: user, command: 'dev', source: issue) }
 
     context 'when service account exists' do
-      let(:user) { create(:user) }
-
       before do
-        Ai::Setting.instance.update!(amazon_q_service_account_user_id: user.id)
+        Ai::Setting.instance.update!(amazon_q_service_account_user_id: service_account.id)
       end
 
       it 'returns service account ID and user object' do
-        service_account_id, service_account = service.send(:amazon_q_service_account)
+        service_account_id, service_account_user = service.send(:amazon_q_service_account)
 
-        expect(service_account_id).to eq(user.id)
-        expect(service_account).to eq(user)
+        expect(service_account_id).to eq(service_account.id)
+        expect(service_account_user).to eq(service_account)
       end
     end
   end
@@ -282,10 +283,8 @@
     let(:service) { described_class.new(user: user, command: 'dev', source: issue) }
 
     context 'when service account is properly configured' do
-      let(:user) { create(:user) }
-
       before do
-        Ai::Setting.instance.update!(amazon_q_service_account_user_id: user.id)
+        Ai::Setting.instance.update!(amazon_q_service_account_user_id: service_account.id)
       end
 
       it 'returns true' do
@@ -306,6 +305,19 @@
           )
       end
     end
+
+    context 'when service account does not have composite identity enabled' do
+      before do
+        stub_feature_flags(composite_identity: false)
+      end
+
+      it 'raises CompositeIdentityEnforcedError' do
+        expect { service.send(:validate_service_account!) }.to raise_error(
+          Ai::AmazonQ::AmazonQTriggerService::CompositeIdentityEnforcedError,
+          "Cannot find the service account with composite identity enabled."
+        )
+      end
+    end
   end
 
   describe '#validate_command!' do
@@ -350,7 +362,7 @@
   describe '#search_comments_by_service_account' do
     let(:discussion) do
       create(:discussion_note_on_issue, noteable: issue, project: issue.project, note: "test note",
-        author: user).discussion
+        author: service_account).discussion
     end
 
     let(:service) do
@@ -402,7 +414,6 @@
     let(:command) { 'dev' }
     let(:generated_msg) { 'Generated message' }
     let(:service) { described_class.new(user: user, command: command, source: source, note: original_note) }
-    let(:service_account) { create(:user) }
     let(:update_service) { instance_double(Notes::UpdateService) }
 
     before do
@@ -474,9 +485,9 @@
         allow(Notes::CreateService).to receive(:new)
           .with(
             issue.project,
-            user,
+            service_account,
             {
-              author: user,
+              author: service_account,
               noteable: issue,
               note: failure_message,
               discussion_id: note.discussion_id
@@ -491,9 +502,9 @@
         expect(Notes::CreateService).to have_received(:new)
           .with(
             issue.project,
-            user,
+            service_account,
             {
-              author: user,
+              author: service_account,
               noteable: issue,
               note: failure_message,
               discussion_id: note.discussion_id
@@ -520,9 +531,9 @@
         allow(Notes::CreateService).to receive(:new)
           .with(
             issue.project,
-            user,
+            service_account,
             {
-              author: user,
+              author: service_account,
               noteable: issue,
               note: failure_message,
               discussion_id: nil
@@ -537,9 +548,9 @@
         expect(Notes::CreateService).to have_received(:new)
           .with(
             issue.project,
-            user,
+            service_account,
             {
-              author: user,
+              author: service_account,
               noteable: issue,
               note: failure_message,
               discussion_id: nil
-- 
GitLab


From cf62583d979c56cd3f4021c1bf689a3a7abffd07 Mon Sep 17 00:00:00 2001
From: Stan Hu <stanhu@gmail.com>
Date: Sat, 7 Dec 2024 07:19:41 -0800
Subject: [PATCH 12/14] Drop unnecessary change for scripts/utils.sh

This change was only needed to build from the private fork,
but on the public repository we can drop this.
---
 scripts/utils.sh | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/scripts/utils.sh b/scripts/utils.sh
index db3a52ba58fea2..e93fdb96b4db0a 100644
--- a/scripts/utils.sh
+++ b/scripts/utils.sh
@@ -479,8 +479,7 @@ function define_trigger_branch_in_build_env() {
   then
     export TRIGGER_BRANCH="${target_branch_name%-ee}"
   else
-    # TODO(Q): Change the TRIGGER_BRANCH value to master when moving this to public GitLab repository
-    export TRIGGER_BRANCH=vp/change-alternateive-source-for-fork
+    export TRIGGER_BRANCH=master
   fi
 
   if [ -f "$BUILD_ENV" ]; then
-- 
GitLab


From cae77f32882488635eecb3add44cb27e22ff99fb Mon Sep 17 00:00:00 2001
From: Jessie Young <jessieyoung@gitlab.com>
Date: Tue, 10 Dec 2024 13:28:05 -0600
Subject: [PATCH 13/14] Fix Q oauth app scopes

---
 ee/app/services/ai/amazon_q/create_service.rb       | 2 +-
 ee/spec/services/ai/amazon_q/create_service_spec.rb | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/ee/app/services/ai/amazon_q/create_service.rb b/ee/app/services/ai/amazon_q/create_service.rb
index bbb9a25e9a043c..02ffeccc11ff6e 100644
--- a/ee/app/services/ai/amazon_q/create_service.rb
+++ b/ee/app/services/ai/amazon_q/create_service.rb
@@ -72,7 +72,7 @@ def find_or_create_oauth_app
         @application = Doorkeeper::Application.new(
           name: 'Amazon Q OAuth',
           redirect_uri: oauth_callback_url,
-          scopes: ::Gitlab::Auth::Q_SCOPES,
+          scopes: ::Gitlab::Auth::Q_SCOPES + [::Gitlab::Auth::DYNAMIC_USER],
           trusted: false,
           confidential: false
         )
diff --git a/ee/spec/services/ai/amazon_q/create_service_spec.rb b/ee/spec/services/ai/amazon_q/create_service_spec.rb
index b47b06219927aa..197a6dd4b6ceed 100644
--- a/ee/spec/services/ai/amazon_q/create_service_spec.rb
+++ b/ee/spec/services/ai/amazon_q/create_service_spec.rb
@@ -130,7 +130,7 @@
           {
             name: 'Amazon Q OAuth',
             redirect_uri: Gitlab::Routing.url_helpers.root_url,
-            scopes: Gitlab::Auth::Q_SCOPES,
+            scopes: [:api, :read_repository, :write_repository, :"user:*"],
             trusted: false,
             confidential: false
           }
-- 
GitLab


From e187446e34a26314a7f7a08257e3635f6a2fe29c Mon Sep 17 00:00:00 2001
From: Igor Drozdov <idrozdov@gitlab.com>
Date: Wed, 11 Dec 2024 22:55:13 +0100
Subject: [PATCH 14/14] Migrate Q calls to use conventional API format

---
 .../ai/amazon_q/amazon_q_trigger_service.rb   | 18 ++---
 ee/lib/gitlab/llm/q_ai/client.rb              | 12 ++--
 ee/spec/lib/gitlab/llm/q_ai/client_spec.rb    | 12 ++--
 .../amazon_q/amazon_q_trigger_service_spec.rb | 26 +++----
 .../ai/amazon_q/create_service_spec.rb        |  2 +-
 .../ee/notes/quick_actions_service_spec.rb    | 72 +++++++++----------
 6 files changed, 71 insertions(+), 71 deletions(-)

diff --git a/ee/app/services/ai/amazon_q/amazon_q_trigger_service.rb b/ee/app/services/ai/amazon_q/amazon_q_trigger_service.rb
index 5d0fbc3d6f29d3..8981eabd21cccd 100644
--- a/ee/app/services/ai/amazon_q/amazon_q_trigger_service.rb
+++ b/ee/app/services/ai/amazon_q/amazon_q_trigger_service.rb
@@ -41,11 +41,11 @@ def execute
 
         client = ::Gitlab::Llm::AiGateway::Client.new(user, service_name: service_name)
         response = client.complete(
-          url: "#{::Gitlab::AiGateway.url}/v1/oauth/q_send_event",
+          url: "#{::Gitlab::AiGateway.url}/v1/amazon_q/events",
           body: {
             payload: payload,
             code: code,
-            roleArn: ai_settings.amazon_q_role_arn
+            role_arn: ai_settings.amazon_q_role_arn
           }
         )
         Gitlab::AppLogger.info(message: "[amazon_q] AI Gateway response", success: response&.success?)
@@ -156,11 +156,11 @@ def base_payload
         {
           command: command,
           source: source.issuable_type,
-          roleArn: ai_settings.amazon_q_role_arn,
-          projectPath: source.project.full_path,
-          projectId: source.project.id.to_s,
-          "#{source.issuable_type.camelize(:lower)}Id": source.id.to_s,
-          "#{source.issuable_type.camelize(:lower)}IId": source.iid.to_s
+          role_arn: ai_settings.amazon_q_role_arn,
+          project_path: source.project.full_path,
+          project_id: source.project.id.to_s,
+          "#{source.issuable_type.underscore}_id": source.id.to_s,
+          "#{source.issuable_type.underscore}_iid": source.iid.to_s
         }
       end
 
@@ -180,8 +180,8 @@ def note_payload
         note_reference = use_existing_thread? ? service_account_notes&.first : @progress_note
 
         {
-          noteId: note_reference&.id.to_s,
-          discussionId: (note_reference&.discussion_id || discussion_id).to_s
+          note_id: note_reference&.id.to_s,
+          discussion_id: (note_reference&.discussion_id || discussion_id).to_s
         }
       end
 
diff --git a/ee/lib/gitlab/llm/q_ai/client.rb b/ee/lib/gitlab/llm/q_ai/client.rb
index 3ea4613f258a74..b7c19ca5579dab 100644
--- a/ee/lib/gitlab/llm/q_ai/client.rb
+++ b/ee/lib/gitlab/llm/q_ai/client.rb
@@ -20,15 +20,15 @@ def initialize(user, unit_primitive:, tracking_context: {})
 
         def perform_create_auth_application(oauth_app, secret, role_arn)
           payload = {
-            clientId: oauth_app.uid.to_s,
-            clientSecret: secret,
-            redirectUrl: oauth_app.redirect_uri,
-            instanceUrl: Gitlab.config.gitlab.url,
-            roleArn: role_arn
+            client_id: oauth_app.uid.to_s,
+            client_secret: secret,
+            redirect_url: oauth_app.redirect_uri,
+            instance_url: Gitlab.config.gitlab.url,
+            role_arn: role_arn
           }
 
           Gitlab::HTTP.post(
-            "#{url}/v1/oauth/application",
+            "#{url}/v1/amazon_q/oauth/application",
             body: payload.to_json,
             headers: request_headers
           )
diff --git a/ee/spec/lib/gitlab/llm/q_ai/client_spec.rb b/ee/spec/lib/gitlab/llm/q_ai/client_spec.rb
index 53f2a54d4c007f..105ff5864c121c 100644
--- a/ee/spec/lib/gitlab/llm/q_ai/client_spec.rb
+++ b/ee/spec/lib/gitlab/llm/q_ai/client_spec.rb
@@ -22,14 +22,14 @@
       allow(::CloudConnector::AvailableServices).to receive(:find_by_name)
         .with(:agent_quick_actions).and_return(cc_servide)
       payload = {
-        clientId: oauth_app.uid.to_s,
-        clientSecret: secret,
-        redirectUrl: oauth_app.redirect_uri,
-        instanceUrl: Gitlab.config.gitlab.url,
-        roleArn: role_arn
+        client_id: oauth_app.uid.to_s,
+        client_secret: secret,
+        redirect_url: oauth_app.redirect_uri,
+        instance_url: Gitlab.config.gitlab.url,
+        role_arn: role_arn
       }
 
-      stub_request(:post, "#{Gitlab::AiGateway.url}/v1/oauth/application")
+      stub_request(:post, "#{Gitlab::AiGateway.url}/v1/amazon_q/oauth/application")
         .with(body: payload.to_json)
         .to_return(body: response)
     end
diff --git a/ee/spec/services/ai/amazon_q/amazon_q_trigger_service_spec.rb b/ee/spec/services/ai/amazon_q/amazon_q_trigger_service_spec.rb
index 3cb817cf7ddb5d..e5d4de55d361c2 100644
--- a/ee/spec/services/ai/amazon_q/amazon_q_trigger_service_spec.rb
+++ b/ee/spec/services/ai/amazon_q/amazon_q_trigger_service_spec.rb
@@ -37,10 +37,10 @@
 
     before do
       allow(::CloudConnector::AvailableServices).to receive(:find_by_name).with(service_name).and_return(service_data)
-      stub_request(:post, "https://cloud.gitlab.com/ai/v1/oauth/q_send_event")
+      stub_request(:post, "https://cloud.gitlab.com/ai/v1/amazon_q/events")
         .with(body: hash_including('code' => anything,
           'payload' => expected_payload,
-          'roleArn' => anything))
+          'role_arn' => anything))
         .to_return(status: 200, body: response.to_json, headers: { "Content-Type": "application/json" })
 
       allow(SystemNoteService).to receive(:amazon_q_called)
@@ -70,10 +70,10 @@
 
         context 'when server returns a 500 error' do
           before do
-            stub_request(:post, "https://cloud.gitlab.com/ai/v1/oauth/q_send_event")
+            stub_request(:post, "https://cloud.gitlab.com/ai/v1/amazon_q/events")
               .with(body: hash_including('code' => anything,
                 'payload' => anything,
-                'roleArn' => anything))
+                'role_arn' => anything))
               .to_return(status: 500, body: "", headers: { "Content-Type": "application/json" })
           end
 
@@ -151,10 +151,10 @@
         hash_including(
           'command' => 'test',
           'source' => 'merge_request',
-          'mergeRequestId' => merge_request.id.to_s,
-          'mergeRequestIId' => merge_request.iid.to_s,
-          'noteId' => anything,
-          'discussionId' => diff_note.discussion_id,
+          'merge_request_id' => merge_request.id.to_s,
+          'merge_request_iid' => merge_request.iid.to_s,
+          'note_id' => anything,
+          'discussion_id' => diff_note.discussion_id,
           'source_branch' => merge_request.source_branch,
           'target_branch' => merge_request.target_branch,
           'last_commit_id' => merge_request.recent_commits.first.id,
@@ -238,14 +238,14 @@
         payload = service.send(:payload)
 
         expect(payload.keys).to match_array(
-          %i[command source projectPath projectId issueId issueIId discussionId noteId roleArn])
+          %i[command source project_path project_id issue_id issue_iid discussion_id note_id role_arn])
 
         expect(payload[:command]).to eq('dev')
         expect(payload[:source]).to eq('issue')
-        expect(payload[:projectPath]).to eq(project.full_path)
-        expect(payload[:projectId]).to eq(project.id.to_s)
-        expect(payload[:issueId]).to eq(issue.id.to_s)
-        expect(payload[:issueIId]).to eq(issue.iid.to_s)
+        expect(payload[:project_path]).to eq(project.full_path)
+        expect(payload[:project_id]).to eq(project.id.to_s)
+        expect(payload[:issue_id]).to eq(issue.id.to_s)
+        expect(payload[:issue_iid]).to eq(issue.iid.to_s)
       end
     end
   end
diff --git a/ee/spec/services/ai/amazon_q/create_service_spec.rb b/ee/spec/services/ai/amazon_q/create_service_spec.rb
index 197a6dd4b6ceed..41a4e9e321a126 100644
--- a/ee/spec/services/ai/amazon_q/create_service_spec.rb
+++ b/ee/spec/services/ai/amazon_q/create_service_spec.rb
@@ -17,7 +17,7 @@
         allow(instance).to receive(:execute).and_return({ status: :success, payload: service_account })
       end
 
-      stub_request(:post, "#{Gitlab::AiGateway.url}/v1/oauth/application")
+      stub_request(:post, "#{Gitlab::AiGateway.url}/v1/amazon_q/oauth/application")
         .and_return(status: status, body: body)
     end
 
diff --git a/ee/spec/services/ee/notes/quick_actions_service_spec.rb b/ee/spec/services/ee/notes/quick_actions_service_spec.rb
index 49cca4aa4516c8..ee301312f823a8 100644
--- a/ee/spec/services/ee/notes/quick_actions_service_spec.rb
+++ b/ee/spec/services/ee/notes/quick_actions_service_spec.rb
@@ -800,13 +800,13 @@ def execute(note, include_message: false)
       {
         command: command,
         source: source,
-        roleArn: 'arn:mock',
-        projectPath: project.full_path,
-        projectId: project.id.to_s,
-        "#{source.camelize(:lower)}Id" => note.noteable.id.to_s,
-        "#{source.camelize(:lower)}IId" => note.noteable.iid.to_s,
-        noteId: note.id.to_s,
-        discussionId: note.discussion_id
+        role_arn: 'arn:mock',
+        project_path: project.full_path,
+        project_id: project.id.to_s,
+        "#{source.underscore}_id" => note.noteable.id.to_s,
+        "#{source.underscore}_iid" => note.noteable.iid.to_s,
+        note_id: note.id.to_s,
+        discussion_id: note.discussion_id
       }
     end
 
@@ -818,7 +818,7 @@ def execute(note, include_message: false)
         access_token: 'token')
       allow(CloudConnector::AvailableServices).to receive(:find_by_name).with(:agent_quick_actions).and_return(service)
       allow_any_instance_of(::Ai::AmazonQ::AmazonQTriggerService).to receive(:create_auth_grant_new) # rubocop:disable RSpec/AnyInstanceOf -- to mock private
-      stub_request(:post, "#{::Gitlab::AiGateway.url}/v1/oauth/q_send_event")
+      stub_request(:post, "#{::Gitlab::AiGateway.url}/v1/amazon_q/events")
         .to_return(status: 200, body: '{}', headers: {})
       allow(Gitlab::HTTP).to receive(:post).and_call_original
       allow(::Ai::AmazonQ).to receive(:enabled?).and_return(amazon_q_enabled)
@@ -861,11 +861,11 @@ def execute(note, include_message: false)
           payload = body['payload']
 
           expect(payload).to include(
-            'issueId' => note.noteable.id.to_s,
-            'issueIId' => note.noteable.iid.to_s
+            'issue_id' => note.noteable.id.to_s,
+            'issue_iid' => note.noteable.iid.to_s
           )
-          expect(payload['noteId']).to be_empty
-          expect(payload['discussionId']).to eq(note.discussion_id)
+          expect(payload['note_id']).to be_empty
+          expect(payload['discussion_id']).to eq(note.discussion_id)
         end
       end
 
@@ -928,11 +928,11 @@ def execute(note, include_message: false)
           payload = body['payload']
 
           expect(payload).to include(
-            'issueId' => note.noteable.id.to_s,
-            'issueIId' => note.noteable.iid.to_s
+            'issue_id' => note.noteable.id.to_s,
+            'issue_iid' => note.noteable.iid.to_s
           )
-          expect(payload['noteId']).to be_empty
-          expect(payload['discussionId']).to eq(note.discussion_id)
+          expect(payload['note_id']).to be_empty
+          expect(payload['discussion_id']).to eq(note.discussion_id)
         end
       end
     end
@@ -969,10 +969,10 @@ def execute(note, include_message: false)
 
         expect(Gitlab::HTTP).to have_received(:post) do |*args|
           body = ::Gitlab::Json.parse(args[1][:body])
-          expect(body['payload']['mergeRequestId']).to eq(note.noteable.id.to_s)
-          expect(body['payload']['mergeRequestIId']).to eq(note.noteable.iid.to_s)
-          expect(body['payload']['noteId']).not_to be_nil
-          expect(body['payload']['discussionId']).to eq(note.discussion_id)
+          expect(body['payload']['merge_request_id']).to eq(note.noteable.id.to_s)
+          expect(body['payload']['merge_request_iid']).to eq(note.noteable.iid.to_s)
+          expect(body['payload']['note_id']).not_to be_nil
+          expect(body['payload']['discussion_id']).to eq(note.discussion_id)
           expect(body['payload']['source_branch']).to eq(note.noteable&.source_branch)
           expect(body['payload']['target_branch']).to eq(note.noteable&.target_branch)
         end
@@ -1033,12 +1033,12 @@ def execute(note, include_message: false)
 
         expect(Gitlab::HTTP).to have_received(:post) do |*args|
           body = ::Gitlab::Json.parse(args[1][:body])
-          expect(body['payload']['mergeRequestId']).to eq(note.noteable.id.to_s)
-          expect(body['payload']['mergeRequestIId']).to eq(note.noteable.iid.to_s)
-          expect(body['payload']['noteId']).to be_present
+          expect(body['payload']['merge_request_id']).to eq(note.noteable.id.to_s)
+          expect(body['payload']['merge_request_iid']).to eq(note.noteable.iid.to_s)
+          expect(body['payload']['note_id']).to be_present
           # Expect to create new note in the same discussion
-          expect(body['payload']['noteId']).not_to eq(note.id.to_s)
-          expect(body['payload']['discussionId']).to eq(note.discussion_id)
+          expect(body['payload']['note_id']).not_to eq(note.id.to_s)
+          expect(body['payload']['discussion_id']).to eq(note.discussion_id)
           expect(body['payload']['source_branch']).to eq(note.noteable&.source_branch)
           expect(body['payload']['target_branch']).to eq(note.noteable&.target_branch)
           expect(body['payload']['last_commit_id']).to be_present
@@ -1073,13 +1073,13 @@ def execute(note, include_message: false)
           source_branch: note.noteable&.source_branch,
           target_branch: note.noteable&.target_branch,
           last_commit_id: "b83d6e391c22777fca1ed3012fce84f633d7fed0",
-          noteId: bot_note.id.to_s,
-          discussionId: bot_note.discussion_id
+          note_id: bot_note.id.to_s,
+          discussion_id: bot_note.discussion_id
         )
         body = {
           payload: payload,
           code: nil,
-          roleArn: 'arn:mock'
+          role_arn: 'arn:mock'
         }
         result = execute(note, include_message: true)
         expect(result[0]).to be_empty
@@ -1115,10 +1115,10 @@ def execute(note, include_message: false)
 
         expect(Gitlab::HTTP).to have_received(:post) do |*args|
           body = ::Gitlab::Json.parse(args[1][:body])
-          expect(body['payload']['mergeRequestId']).to eq(note.noteable.id.to_s)
-          expect(body['payload']['mergeRequestIId']).to eq(note.noteable.iid.to_s)
-          expect(body['payload']['noteId']).to be_empty
-          expect(body['payload']['discussionId']).to eq(note.discussion_id)
+          expect(body['payload']['merge_request_id']).to eq(note.noteable.id.to_s)
+          expect(body['payload']['merge_request_iid']).to eq(note.noteable.iid.to_s)
+          expect(body['payload']['note_id']).to be_empty
+          expect(body['payload']['discussion_id']).to eq(note.discussion_id)
           expect(body['payload']['source_branch']).to eq(note.noteable&.source_branch)
           expect(body['payload']['target_branch']).to eq(note.noteable&.target_branch)
         end
@@ -1150,10 +1150,10 @@ def execute(note, include_message: false)
 
         expect(Gitlab::HTTP).to have_received(:post) do |*args|
           body = ::Gitlab::Json.parse(args[1][:body])
-          expect(body['payload']['mergeRequestId']).to eq(note.noteable.id.to_s)
-          expect(body['payload']['mergeRequestIId']).to eq(note.noteable.iid.to_s)
-          expect(body['payload']['noteId']).to be_empty
-          expect(body['payload']['discussionId']).to eq(note.discussion_id)
+          expect(body['payload']['merge_request_id']).to eq(note.noteable.id.to_s)
+          expect(body['payload']['merge_request_iid']).to eq(note.noteable.iid.to_s)
+          expect(body['payload']['note_id']).to be_empty
+          expect(body['payload']['discussion_id']).to eq(note.discussion_id)
           expect(body['payload']['source_branch']).to eq('feature-branch')
           expect(body['payload']['target_branch']).to eq('main')
           expect(body['payload']['last_commit_id']).to eq('abc123def456')
-- 
GitLab