Remediation approval rules
Require human approval before acknowledging drift or merging remediation on sensitive repositories — per repo, branch, and path patterns.
Shipped: CP-2.10 — rules match agent binding repoRef and block incident ack until forceApproval: true is sent by an authorized user.
When to use
- Production monorepos — ack on main requires platform team sign-off
- SchemaSync PRs — gate auto draft PR merges on high-risk services
- Compliance — separate “detect drift” from “declare incident resolved”
Rule fields
| Field | Required | Description |
|---|---|---|
| name | Yes | Display name in console and API responses |
| repoPattern | Yes | Repository match — e.g. acme/platform or glob |
| branchPattern | No | Branch filter — e.g. main, release/* |
| pathPattern | No | Path within repo for file-scoped gates |
| requireAck | No | Incident ack must pass rule (default true) |
| requireApproval | No | Explicit approval required before ack succeeds (default false) |
Create a rule
curl -s https://driftguard.org/api/remediation-approval-rules \
  -H "Authorization: Bearer dg_live_…" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Platform main gate",
    "repoPattern": "acme/platform",
    "branchPattern": "main",
    "requireApproval": true
  }'
List rules
curl -s https://driftguard.org/api/remediation-approval-rules \
  -H "Authorization: Bearer dg_live_…"
Blocked ack
When a rule matches the binding repoRef on an open incident, ack returns 409:
POST /api/watches/{watchId}/incident/ack
→ 409 { "error": "Remediation approval required …" }
Authorized users bypass with explicit force:
POST /api/watches/{watchId}/incident/ack
{ "forceApproval": true }
Link bindings to rules
Set repoRef on agent bindings — in console or agents.yaml:
agents:
  - id: billing-refund-v3
    repoRef: acme/platform@main
    policy: production-guard
    watches: [stripe-refunds-mcp]
Check pending blocks per watch:
GET /api/watches/{watchId}/remediation-approval
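An offline pre-flight check for the binding-to-rule linkage described above, added here as an example and not DriftGuard's own code: it reports which agent bindings no rule would gate. The fnmatch-style glob semantics, the `repo@branch` split of repoRef, and the function names are assumptions; the rule and binding data are constructed.

```python
from fnmatch import fnmatchcase

# Constructed sample data: rules use the fields from the "Rule fields" table,
# bindings use the agents.yaml shape shown above.
RULES = [
    {"name": "Platform main gate", "repoPattern": "acme/platform",
     "branchPattern": "main", "requireApproval": True},
    {"name": "Release branches", "repoPattern": "acme/*",
     "branchPattern": "release/*"},
]
BINDINGS = [
    {"id": "billing-refund-v3", "repoRef": "acme/platform@main"},
    {"id": "ledger-sync", "repoRef": "acme/ledger@release/2.4"},
    {"id": "docs-bot", "repoRef": "acme/docs@main"},
    {"id": "legacy-agent"},  # no repoRef set, so no rule can match it
]


def rule_matches(rule, repo_ref):
    """Assumed semantics: fnmatch-style globs on repo and branch;
    an omitted branchPattern matches every branch. pathPattern is not evaluated."""
    repo, sep, branch = repo_ref.partition("@")
    if not fnmatchcase(repo, rule["repoPattern"]):
        return False
    pattern = rule.get("branchPattern")
    if pattern is None:
        return True
    return bool(sep) and fnmatchcase(branch, pattern)


def matching_rules(binding, rules):
    """Names of rules that match the binding's repoRef (empty if unset)."""
    ref = binding.get("repoRef")
    return [r["name"] for r in rules if ref and rule_matches(r, ref)]


def approval_required(binding, rules):
    """True if any matching rule sets requireApproval (default false per the table)."""
    names = set(matching_rules(binding, rules))
    return any(r.get("requireApproval", False) for r in rules if r["name"] in names)


def coverage_gaps(bindings, rules):
    """Binding ids that no rule gates: missing repoRef or no matching pattern."""
    return [b["id"] for b in bindings if not matching_rules(b, rules)]


if __name__ == "__main__":
    for b in BINDINGS:
        print(b["id"], matching_rules(b, RULES), approval_required(b, RULES))
    print("ungated:", coverage_gaps(BINDINGS, RULES))
```

Bindings listed as ungated are the ones to review before relying on the ack gate: either the binding has no repoRef or no rule pattern covers it.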
Console
Manage rules under Console → Settings → Approval rules. The Needs Review hub surfaces incidents waiting on ack or approval.