Security Review Flow: align selectable models with Code Review Flow + add to model selection docs
<!--IssueSummary start--> <details> <summary> Everyone can contribute. [Help move this issue forward](https://handbook.gitlab.com/handbook/marketing/developer-relations/contributor-success/community-contributors-workflows/#contributor-links) while earning points, leveling up and collecting rewards. </summary> - [Label this issue](https://contributors.gitlab.com/manage-issue?action=label&projectId=278964&issueIid=603981) </details> <!--IssueSummary end--> ## Summary Follow-up from the Security Review Agent docs update (gitlab-org/gitlab!242040), where the docs name the default model (Claude Sonnet 4.6) and link users to the model-selection page. Two gaps to close: ### 1. Code — available models (AI Gateway) The Security Review flow exposes fewer selectable models than the Agentic Code Review flow. Align them. - **File:** `ai_gateway/model_selection/unit_primitives.yml` (ai-assist / AI Gateway) - `review_merge_request_dap` (Agentic Code Review) `selectable_models`: `claude_sonnet_4_5_20250929`, `claude_sonnet_4_6`, `claude_sonnet_4_6_vertex`, `gpt_5_2`, `gpt_5_3_codex` - `security_review` `selectable_models` today: `claude_sonnet_4_6`, `claude_sonnet_4_6_vertex`, `claude_sonnet_4_6_bedrock` - **Change:** add `claude_sonnet_4_5_20250929`, `gpt_5_2`, `gpt_5_3_codex` (keep the existing `claude_sonnet_4_6_bedrock`). Resulting list (alphabetical, per the file convention): - `claude_sonnet_4_5_20250929` - `claude_sonnet_4_6` - `claude_sonnet_4_6_bedrock` - `claude_sonnet_4_6_vertex` - `gpt_5_2` - `gpt_5_3_codex` - `default_models` stays `claude_sonnet_4_6_vertex`. > Note: `ee/lib/gitlab/ai/feature_settings/feature_metadata.yml` `compatible_llms` is the **self-hosted** model-family compatibility list, a separate concern — not the user-facing picker. Out of scope here unless we also want to align self-hosted compatibility. ### 2. Docs — model selection page The [model selection / default models page](https://docs.gitlab.com/user/duo_agent_platform/model_selection/#default-models) doesn't list the Security Review Agent. Add it, with its default model (Claude Sonnet 4.6) and the aligned available-models list above. ## Scope - [ ] Update `security_review.selectable_models` in `ai_gateway/model_selection/unit_primitives.yml` to match Agentic Code Review (+ keep the bedrock variant) - [ ] Add the Security Review Agent to the model-selection docs page (default model + available models) ## Related - gitlab-org/gitlab!242040 (docs update that surfaced this) - gitlab-org/gitlab!237213 (Register Security Review flow in monolith) /cc @idurham @cwidstrom
issue