Security Review Flow: align selectable models with Code Review Flow + add to model selection docs
<!--IssueSummary start-->
<details>
<summary>
Everyone can contribute. [Help move this issue forward](https://handbook.gitlab.com/handbook/marketing/developer-relations/contributor-success/community-contributors-workflows/#contributor-links) while earning points, leveling up and collecting rewards.
</summary>
- [Label this issue](https://contributors.gitlab.com/manage-issue?action=label&projectId=278964&issueIid=603981)
</details>
<!--IssueSummary end-->
## Summary
Follow-up from the Security Review Agent docs update (gitlab-org/gitlab!242040), where the docs name the default model (Claude Sonnet 4.6) and link users to the model-selection page. Two gaps to close:
### 1. Code — available models (AI Gateway)
The Security Review flow exposes fewer selectable models than the Agentic Code Review flow. Align them.
- **File:** `ai_gateway/model_selection/unit_primitives.yml` (ai-assist / AI Gateway)
- `review_merge_request_dap` (Agentic Code Review) `selectable_models`: `claude_sonnet_4_5_20250929`, `claude_sonnet_4_6`, `claude_sonnet_4_6_vertex`, `gpt_5_2`, `gpt_5_3_codex`
- `security_review` `selectable_models` today: `claude_sonnet_4_6`, `claude_sonnet_4_6_vertex`, `claude_sonnet_4_6_bedrock`
- **Change:** add `claude_sonnet_4_5_20250929`, `gpt_5_2`, `gpt_5_3_codex` (keep the existing `claude_sonnet_4_6_bedrock`). Resulting list (alphabetical, per the file convention):
- `claude_sonnet_4_5_20250929`
- `claude_sonnet_4_6`
- `claude_sonnet_4_6_bedrock`
- `claude_sonnet_4_6_vertex`
- `gpt_5_2`
- `gpt_5_3_codex`
- `default_models` stays `claude_sonnet_4_6_vertex`.
> Note: `ee/lib/gitlab/ai/feature_settings/feature_metadata.yml` `compatible_llms` is the **self-hosted** model-family compatibility list, a separate concern — not the user-facing picker. Out of scope here unless we also want to align self-hosted compatibility.
### 2. Docs — model selection page
The [model selection / default models page](https://docs.gitlab.com/user/duo_agent_platform/model_selection/#default-models) doesn't list the Security Review Agent. Add it, with its default model (Claude Sonnet 4.6) and the aligned available-models list above.
## Scope
- [ ] Update `security_review.selectable_models` in `ai_gateway/model_selection/unit_primitives.yml` to match Agentic Code Review (+ keep the bedrock variant)
- [ ] Add the Security Review Agent to the model-selection docs page (default model + available models)
## Related
- gitlab-org/gitlab!242040 (docs update that surfaced this)
- gitlab-org/gitlab!237213 (Register Security Review flow in monolith)
/cc @idurham @cwidstrom
issue