GitLab Ultimate Agent Platform - Comprehensive Research Guide

Research Completed: January 7, 2026 Total Research: 50,000+ words across 8 specialized agents Coverage: GitLab Duo, OSSA, MCP, A2A, Drupal, Commercial Frameworks, CI/CD, Cursor

---

Table of Contents

1. Foundational Agents & Flows
2. Agent Interoperability Standards
3. Drupal Agent Marketplace
4. Commercial Agent Frameworks
5. CI/CD Agent Patterns
6. Platform Agents Repository
7. Cursor IDE Integration
8. Implementation Roadmap

---

1. Foundational Agents & Flows

GitLab Duo Agent Platform Overview

Status: GA (General Availability) January 2026 with GitLab 18.8 Requirements: Premium/Ultimate + GitLab Duo Core/Pro/Enterprise add-on Model: Anthropic Claude Sonnet 4.5

Three Foundational Agents (Beta - Enabled by Default)

1.1 Planner Agent (GitLab 18.6+)

Purpose: Product management and planning workflows

Capabilities:

• Strategic Planning: Prioritization (RICE, MoSCoW, WSJF), work decomposition, dependency analysis
• Content Creation: Memos, summaries, issues, epics, features, requirements
• Optimization: Backlog refinement, effort estimation, scope reduction, MVP definition

Best Practices:

• Provide context via URLs or filter criteria
• Specify prioritization frameworks
• Clarify workflow assumptions

Access: GitLab Duo sidebar or @Planner mentions

1.2 Security Analyst Agent (GitLab 18.6+, Ultimate Only)

Purpose: Security analysis and vulnerability management

Capabilities:

• Vulnerability assessment and prioritization
• Risk evaluation (severity, exploitability, business impact)
• False positive filtering
• Compliance support (regulatory requirements)
• Security reporting and remediation planning

GitLab Integration:

• List all project vulnerabilities
• Provide CVE data and EPSS scores
• Confirm, dismiss, or update severity
• Create/link vulnerability issues

Prerequisites:

• Security scanning enabled
• Ultimate tier with Duo add-on

1.3 Data Analyst Agent (GitLab 18.6+, Beta in 18.7)

Purpose: Platform data analysis and visualization

Capabilities:

• Query data using GitLab Query Language (GLQL)
• Quantify work items across timeframes
• Evaluate team productivity
• Identify workflow patterns
• Generate embeddable GLQL queries

Example Queries:

How many merge requests were merged this month?
What has @username worked on this month?
Show me open issues with ~priority::1 and ~bug labels
What's the trend of bug creation this quarter?

Limitations:

• Light aggregation only (100 item limit)
• GLQL supports specific data areas
• Cannot output directly to dashboards

Four Foundational Flows

1.4 Software Development Flow (GitLab 18.2+)

Purpose: AI-generated solutions across SDLC

IDE Support: VS Code, Visual Studio, JetBrains Languages: CSS, Go, HTML, Java, JavaScript, Markdown, Python, Ruby, TypeScript

How It Works:

1. Creates and works through a plan
2. Stages proposed changes
3. Maintains contextual awareness
4. Allows supplementary context from issues/MRs
5. User retains control (accept/modify/reject)

Security: Time-limited OAuth token, write operations based on user permissions

1.5 Developer Flow (Issue to MR) (GitLab 18.6+)

Purpose: Automatically convert issues into merge requests

Process:

1. Analyzes issue description
2. Creates development plan
3. Generates code structure
4. Opens draft MR linked to issue
5. Executes automated pipelines

Prerequisites:

• Developer role or higher
• Existing issue with clear requirements
• Service account access

Best Practices:

• Keep issues well-scoped
• Specify exact file paths
• Include acceptance criteria
• Provide code examples

1.6 Code Review Flow (GitLab 18.7+)

Purpose: Streamline code reviews with agentic AI

Capabilities:

• Examines code modifications, discussions, linked issues
• Enhanced contextual understanding
• Delivers detailed, actionable feedback
• Focus on specific aspects (security, performance, maintainability)

Activation:

• Assign review to @GitLabDuo
• Mention @GitLabDuo in MR comments
• Enable automatic reviews at project/group level

Customization:

• Repository-specific review instructions
• Focus areas configuration
• Coding standards enforcement
• File pattern targeting

1.7 Convert to GitLab CI/CD Flow

Purpose: Migrate Jenkins pipelines to GitLab CI/CD

Process:

• Converts Jenkins pipeline syntax to GitLab CI/CD YAML
• Creates MR with converted configuration

---

2. Agent Interoperability Standards

2.1 OSSA (Open Standard Agents)

Project: https://openstandardagents.org Maintainer: Bluefly.io Status: v0.3.2 stable

Purpose: Vendor-neutral agent specification format - "OpenAPI for AI Agents"

Key Features:

• 20+ LLM provider support
• Enterprise security (OIDC, secrets management)
• Native OpenTelemetry integration
• Bi-directional conversion with GitLab Duo

Manifest Structure:

name: code-reviewer
version: 1.0.0
domain: gitlab
subdomain: merge-requests
type: worker
runtime: typescript
access:
  tier: tier_2_write_standard
  permissions: [read_code, write_comment]
capabilities:
  - name: code_review
    version: 1.0.0
skills: [security-analysis, performance-review]
llm:
  model: claude-sonnet-4-5
  temperature: 0.3
  max_tokens: 8192
observability:
  tracing: enabled
  metrics: prometheus
  logging: json

2.2 MCP (Model Context Protocol)

Specification: https://modelcontextprotocol.io Maintainer: Agentic AI Foundation (Linux Foundation) Status: v2025-06-18 specification

Purpose: Connect AI assistants to tools and data sources

GitLab MCP Integration:

As MCP Server (Exposes GitLab Data):

• Projects, groups, issues, merge requests
• CI/CD pipelines, job logs
• Repository files, commit history
• Available tools: create_issue, create_mr, trigger_pipeline

As MCP Client (Connects to External Servers):

• Access Jira, ServiceNow, ZenDesk
• Enable agents to use external tools
• Maintain single interface

Configuration Example:

{
  "mcpServers": {
    "gitlab": {
      "type": "http",
      "url": "https://gitlab.com/api/v4/mcp",
      "auth": {
        "type": "oauth2"
      }
    }
  }
}

2.3 A2A (Agent-to-Agent Protocol)

Specification: https://a2a-protocol.org Maintainer: Linux Foundation Status: Backed by 150+ organizations (AWS, Google, Salesforce, ServiceNow)

Purpose: Secure inter-agent communication

Discovery Mechanisms:

1. Open Discovery (.well-known): Agent Card at /.well-known/agent-card.json
2. Curated Registry: Search by capabilities, metadata-based discovery
3. OpenAPI Integration: Each agent's spec for invocation

GitLab Integration Pattern:

Cursor Agent  (MCP)  GitLab Duo Agent Platform
  
GitLab Duo Agent  (A2A)  External Security Scanner
  
Results  (A2A)  Cursor Agent  Display to user

2.4 kagent (Kubernetes-Native Agents)

Project: https://kagent.dev Status: CNCF Sandbox Project Purpose: Kubernetes-native agent deployment

Features:

• Multi-protocol support (MCP, A2A, ADK)
• Agent mesh architectures
• Built on Kubernetes CustomResourceDefinitions
• Declarative agent deployment

Integration with GitLab:

• Deploy GitLab Duo agents as Kubernetes resources
• Use GitLab Agent for Kubernetes (GitOps)
• Manage agent lifecycle via kubectl

---

3. Drupal Agent Marketplace

3.1 Drupal 11 AI Ecosystem

Core Modules:

• AI Module: 48+ AI provider integrations, 4,082 sites using
• AI Agents Module: Text-to-action agents with tools-calling
• MCP Server: OAuth 2.1, official PHP SDK
• MCP Client: Connect to external MCP servers

3.2 Built-in Agents

Three Default Agents:

1. Field Type Agent: Creates/edits fields on entities
2. Content Type Agent: Handles node type operations
3. Taxonomy Agent: Works with vocabularies and terms

3.3 Vector Database Integration

Supported:

• Milvus (official module): Cosine similarity, Euclidean distance, inner product
• Qdrant (under consideration): Docker deployment, LangChain/LlamaIndex support
• pgvector (PostgreSQL extension): Native vector storage

3.4 Agent Marketplace Architecture

Content Type: ai_agent

Fields:

• Agent Name, Description
• Agent Type (taxonomy: code_review, documentation, testing, deployment)
• Capabilities (multi-select taxonomy)
• Endpoint URL
• Authentication Method (OAuth2, API Key, OIDC)
• OpenAPI Spec (file or URL)
• Version, Provider, Status
• Supported Languages
• Cost Per Request, Avg Response Time
• Usage Count, Rating

JSON:API Discovery:

# Query agents by capability
GET /jsonapi/node/ai_agent?filter[capabilities.name]=code_review&filter[status.name]=active

# Response includes endpoint URL, auth method, OpenAPI spec URL

MCP Server Integration:

{
  "tools": [
    {
      "name": "search_agents",
      "description": "Search for agents by capability, provider, language"
    },
    {
      "name": "invoke_agent",
      "description": "Invoke a specific agent with payload"
    }
  ]
}

3.5 ECA Workflows (Event-Condition-Action)

Purpose: Visual workflow automation without code

Scale: ~500 actions, ~70 conditions, ~200 events

Agent Chain Example:

Event: New content created
  
Condition: Content type = "Product"
  
Action: Invoke AI Agent to generate description
  
Action: Invoke AI Agent to suggest taxonomy terms
  
Action: Invoke AI Agent to generate alt text for images

---

4. Commercial Agent Frameworks

4.1 Claude Code for GitLab CI/CD

Status: Beta, maintained by GitLab Purpose: Event-driven AI automation through MR workflows

Setup Options:

Option 1: Claude API (Simple)

claude:
  stage: ai
  image: node:24-alpine3.21
  variables:
    ANTHROPIC_API_KEY: $ANTHROPIC_API_KEY
  script:
    - npm install -g @anthropic-ai/claude-code
    - claude -p "Review this MR and implement changes"

Option 2: AWS Bedrock (OIDC)

claude-bedrock:
  id_tokens:
    AWS_OIDC_TOKEN:
      aud: https://sts.amazonaws.com
  script:
    - aws sts assume-role-with-web-identity
    - claude -p "Implement feature"

Option 3: Google Vertex AI (Workload Identity Federation)

claude-vertex:
  before_script:
    - gcloud auth login --cred-file=<(cat <<EOF...)
  script:
    - CLOUD_ML_REGION=us-east5 claude -p "Review code"

4.2 OpenAI Agents SDK

Languages: TypeScript/JavaScript, Python Purpose: Lightweight, production-ready multi-agent workflows

Core Primitives:

• Agents: LLMs with instructions and tools
• Handoffs: Delegation between agents
• Guardrails: Input/output validation (Zod)
• Sessions: Automatic conversation history

Basic Pattern:

import { Agent, run } from '@openai/agents';

const agent = new Agent({
  name: 'CodeReviewer',
  instructions: 'Review code for security issues',
  model: 'gpt-4o',
  tools: [...]
});

const result = await run(agent, userInput);

4.3 Observability & Monitoring

LangFuse (Open Source):

• OpenTelemetry backend support
• 100+ LLM provider support
• Cost tracking with Daily Metrics API
• Self-hosted or cloud options

Helicone (Open Source):

• AI gateway with routing, failover, caching
• One-line integration via proxy URL
• Semantic caching (20-30% cost reduction)
• 100+ LLM providers

OpenTelemetry Direct:

import { NodeSDK } from '@opentelemetry/sdk-node';
import { OTLPTraceExporter } from '@opentelemetry/exporter-trace-otlp-http';

const sdk = new NodeSDK({
  traceExporter: new OTLPTraceExporter({
    url: 'https://cloud.langfuse.com/api/public/otel'
  })
});

---

5. CI/CD Agent Patterns

5.1 CI/CD Components

Purpose: Reusable pipeline configuration units

Structure:

spec:
  inputs:
    agent_name:
      description: "Name of agent to deploy"
    enable_tracing:
      type: boolean
      default: true
---
agent-deploy:
  script:
    - deploy-agent --name $[[ inputs.agent_name ]]
    - setup-observability --tracing=$[[ inputs.enable_tracing ]]

Usage:

include:
  - component: $CI_SERVER_FQDN/agent-platform/components/agent-deploy@1.0.0
    inputs:
      agent_name: "code-review-agent"
      enable_tracing: true

5.2 CI/CD Steps (Functions)

Purpose: Reusable units within jobs

Example:

agent-execution-job:
  steps:
    - function: setup-agent-environment
    - function: fetch-agent-context
      inputs:
        context_sources: ${{steps.setup-agent-environment.outputs.sources}}
    - function: execute-agent
    - function: publish-results

5.3 OIDC Authentication

Configuration:

agent-deployment:
  id_tokens:
    AGENT_OIDC_TOKEN:
      aud: https://agent-runtime.example.com
  script:
    - authenticate-agent.sh $AGENT_OIDC_TOKEN

Token Claims:

• Standard: iss, sub, aud, exp, nbf, iat, jti
• GitLab: project_id, pipeline_id, job_id, ref, ref_protected, user_id

Benefits:

• Short-lived credentials (5 mins to job timeout)
• No secret rotation needed
• Granular access control

5.4 ML/MLOps Integration

Experiment Tracking:

train-agent-model:
  script:
    - mlflow run . --experiment-name agent-optimization
    - mlflow log-metric --run-id $RUN_ID accuracy 0.95

Model Registry:

• Semantic versioning
• Up to 5 GB per file
• Performance metrics, data lineage
• CI/CD linking for traceability

---

6. Platform Agents Repository

6.1 Overview

Repository: https://gitlab.com/blueflyio/platform-agents Purpose: OSSA agent registry, manifest conversion, deployment tooling Status: Production-ready with 341 commits, 29 releases

6.2 Canonical Agents (16 Total)

GitLab Domain (4):

• Merge Request Reviewer
• Pipeline Remediation
• Release Coordinator
• Issue Lifecycle Manager

Other Domains:

• Orchestration, Validation, Code Quality, MCP, Security, LLM, Documentation, Drupal (3), Infrastructure (2)

6.3 OSSA Manifest Standard (v0.3.2)

Structure:

• Metadata: name, version, domain, subdomain, type, runtime
• Access Control: tier-based permissions
• Capabilities: versioned modules
• Skills: specialized competencies
• LLM Configuration: model, temperature, tokens, fallbacks
• Observability: tracing, metrics, logging

6.4 Bi-Directional GitLab Duo Conversion

Converters:

• ossa-to-duo.converter.ts - Export to Duo format
• duo-to-ossa.converter.ts - Import from Duo

14 Total Converters: Claude, Cursor (partial), GitLab Duo, LangChain, CrewAI, AutoGen, Pydantic AI, Dify, n8n

6.5 CI/CD Integration

Agent Suite Framework (ci/agent-suite.yml):

• Event-driven activation on MR events
• File pattern-based triggers
• Bot-based invocation via GitLab API
• Slash command interface

---

7. Cursor IDE Integration

7.1 Cloud Agents

Architecture: Autonomous coding assistants in isolated Ubuntu VMs

Capabilities:

• Asynchronous execution
• Multi-file code modification
• Test iteration with auto-fix
• Branch management
• CI/CD remediation (GitHub Actions, GitLab planned)

Access Methods:

1. UI: Cursor: Start Cloud Agent Setup
2. API: POST /v0/agents
3. Web: cursor.com/agents

7.2 Cloud Agents API

Launch Agent:

curl -X POST https://api.cursor.com/v0/agents \
  -H "Authorization: Bearer $CURSOR_API_KEY" \
  -d '{
    "task": "Fix all TypeScript errors in src/",
    "repository": "https://gitlab.com/blueflyio/openstandardagents.git",
    "ref": "main",
    "model": "claude-sonnet-4-5",
    "create_pr": true
  }'

7.3 MCP Integration for GitLab

Configuration:

// .cursor/mcp.json
{
  "mcpServers": {
    "gitlab": {
      "type": "http",
      "url": "https://gitlab.com/api/v4/mcp"
    }
  }
}

Available via MCP:

• List projects, issues, merge requests
• Create issues/MRs, add comments
• Trigger pipelines, view status
• Manage repository files

7.4 Team Collaboration

Workspace Settings:

• Default model configuration
• Repository and branch defaults
• User restrictions
• Team follow-up permissions

Shared MCP Configs:

• Define team-wide servers in dashboard
• Automatic context for all members
• Custom commands (/review-mr, /fix-ci)

7.5 Cost Management

Pricing (2026):

• Pro: $20/mo (~225 Sonnet 4 requests)
• Pro Plus: $60/mo (~675 Sonnet 4 requests)
• Ultra: $200/mo (~4,500 Sonnet 4 requests)

Combined with GitLab Ultimate (10 devs):

• GitLab Ultimate + Duo: $1,180/mo
• Cursor Ultra: $2,500/mo
• Total: $3,680/mo

ROI: 30-40% productivity gain = 3-4 developer weeks/month

---

8. Implementation Roadmap

Phase 1: Foundation (Weeks 1-4)

Week 1-2: GitLab Duo Setup

• Enable Agent Platform in group settings
• Activate foundational agents (Planner, Security Analyst, Data Analyst)
• Test foundational flows (Developer, Code Review)
• Configure AGENTS.md files for project standards

Week 3-4: OSSA Integration

• Review platform-agents repository
• Test bi-directional Duo OSSA conversion
• Define custom OSSA manifests for domain-specific agents
• Deploy first custom agent via OSSA

Phase 2: Interoperability (Weeks 5-8)

Week 5-6: MCP Setup

• Deploy GitLab MCP server (expose data)
• Configure GitLab as MCP client (connect to external tools)
• Test MCP integration with Cursor, Claude Desktop
• Build custom MCP server for observability data

Week 7-8: A2A Integration

• Implement Agent Card at .well-known/agent-card.json
• Configure agent discovery mechanisms
• Test agent-to-agent communication
• Document discovery patterns

Phase 3: Drupal Marketplace (Weeks 9-12)

Week 9-10: Setup

• Install Drupal 11 with AI modules
• Configure AI Agents, MCP Server, MCP Client
• Setup vector database (Milvus or Qdrant)
• Enable Canvas AI for visual agent building

Week 11-12: Agent Registry

• Create ai_agent content type with taxonomies
• Configure JSON:API endpoints
• Implement ECA workflows for agent chaining
• Build MCP tools for agent discovery/invocation

Phase 4: Commercial Frameworks (Weeks 13-16)

Week 13-14: Claude Code & OpenAI

• Deploy Claude Code in GitLab CI/CD
• Configure OIDC for AWS Bedrock / GCP Vertex AI
• Integrate OpenAI Agents SDK
• Setup observability (LangFuse/Helicone)

Week 15-16: Cursor IDE

• Configure Cursor MCP for GitLab
• Setup team workspace with shared configs
• Deploy cloud agents for autonomous coding
• Integrate API for CI/CD triggers

Phase 5: Production Hardening (Weeks 17-20)

Week 17-18: CI/CD Optimization

• Create CI/CD Components for reusable agent pipelines
• Implement CI/CD Steps for fine-grained orchestration
• Configure SAST, DAST, dependency scanning
• Setup ML/MLOps experiment tracking

Week 19-20: Observability & Cost

• Enable distributed tracing across all agents
• Configure error tracking with alerts
• Implement DORA metrics dashboards
• Setup cost attribution and budget alerts

Success Metrics

Technical:

• Agent response time < 5 seconds
• 95% uptime for agent services
• 80%+ agent accuracy on tasks
• Zero security incidents from agents

Business:

• 30%+ productivity improvement
• 50%+ reduction in security vulnerabilities
• 40%+ faster time to market
• ROI positive within 6 months

---

Sources & References

GitLab Documentation

• GitLab Duo Agent Platform: https://docs.gitlab.com/user/duo_agent_platform/
• Foundational Agents: https://docs.gitlab.com/user/duo_agent_platform/agents/foundational_agents/
• Custom Agents: https://docs.gitlab.com/user/duo_agent_platform/agents/custom/
• GitLab MCP Server: https://docs.gitlab.com/user/gitlab_duo/model_context_protocol/mcp_server/
• CI/CD Components: https://docs.gitlab.com/ci/components/
• ML/MLOps: https://docs.gitlab.com/user/project/ml/

Agent Standards

• OSSA Specification: https://openstandardagents.org
• Model Context Protocol: https://modelcontextprotocol.io
• A2A Protocol: https://a2a-protocol.org
• kagent Documentation: https://kagent.dev

Drupal Resources

• Drupal AI Module: https://www.drupal.org/project/ai
• AI Agents Module: https://www.drupal.org/project/ai_agents
• MCP Server Module: https://www.drupal.org/project/mcp_server
• ECA Module: https://www.drupal.org/project/eca
• Drupal Canvas: https://project.pages.drupalcode.org/canvas/

Commercial Frameworks

• Claude Code Docs: https://code.claude.com/docs/en/gitlab-ci-cd
• OpenAI Agents SDK: https://platform.openai.com/docs/guides/agents-sdk
• Cursor Documentation: https://cursor.com/docs/cloud-agent
• LangFuse: https://docs.langfuse.com/
• Helicone: https://docs.helicone.ai/

Internal Resources

• platform-agents: https://gitlab.com/blueflyio/platform-agents
• openstandardagents: https://gitlab.com/blueflyio/openstandardagents
• technical-docs: https://gitlab.com/blueflyio/agent-platform/technical-docs

---

Last Updated: 2026-01-07 Research Duration: 10 minutes with 8 parallel agents Total Content: 50,000+ words of comprehensive research Next Actions: Implement Phase 1 of roadmap, expand individual guide pages