Remediation approval rules

Require human approval before acknowledging drift or merging remediation on sensitive repositories — per repo, branch, and path patterns.

Shipped: CP-2.10 — rules match agent binding repoRef and block incident ack until forceApproval: true is sent by an authorized user.

When to use

  • Production monorepos — ack on main requires platform team sign-off
  • SchemaSync PRs — gate auto draft PR merges on high-risk services
  • Compliance — separate “detect drift” from “declare incident resolved”

Rule fields

Field            Required  Description
name             Yes       Display name in console and API responses
repoPattern      Yes       Repository match — e.g. acme/platform or glob
branchPattern    No        Branch filter — e.g. main, release/*
pathPattern      No        Path within repo for file-scoped gates
requireAck       No        Incident ack must pass rule (default true)
requireApproval  No        Explicit approval required before ack succeeds (default false)

Create a rule

curl -s https://driftguard.org/api/remediation-approval-rules \
  -H "Authorization: Bearer dg_live_…" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Platform main gate",
    "repoPattern": "acme/platform",
    "branchPattern": "main",
    "requireApproval": true
  }'

List rules

curl -s https://driftguard.org/api/remediation-approval-rules \
  -H "Authorization: Bearer dg_live_…"

Blocked ack

When a rule matches the binding repoRef on an open incident, ack returns 409:

POST /api/watches/{watchId}/incident/ack
→ 409 { "error": "Remediation approval required …" }

Authorized users bypass with explicit force:

POST /api/watches/{watchId}/incident/ack
{ "forceApproval": true }

Link bindings to rules

Set repoRef on agent bindings — in console or agents.yaml:

agents:
  - id: billing-refund-v3
    repoRef: acme/platform@main
    policy: production-guard
    watches: [stripe-refunds-mcp]

Check pending blocks per watch:

GET /api/watches/{watchId}/remediation-approval
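The following is an added example, not DriftGuard's own code: a small local model of how a rule with the fields in the table above is matched against a binding repoRef, and how the ack endpoint responds with 409 until an authorized user sends forceApproval. The field names and the owner/repo@branch repoRef format are taken from this page; the glob semantics (Python fnmatch), the rule that a pathPattern only matches when a changed path is supplied, and the 403 for an unauthorized forceApproval are assumptions.

```python
# Added example (not DriftGuard's own code): a local model of how a
# remediation approval rule gates incident ack. Field names come from the
# rule table above and the repoRef format "owner/repo@branch" from
# agents.yaml; the glob semantics (fnmatch), the pathPattern behaviour,
# and the 403 for an unauthorized forceApproval are assumptions.
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional


@dataclass
class Rule:
    """One remediation approval rule, mirroring the API field names."""
    name: str
    repoPattern: str
    branchPattern: Optional[str] = None
    pathPattern: Optional[str] = None
    requireAck: bool = True
    requireApproval: bool = False


def parse_repo_ref(repo_ref: str):
    """Split a binding repoRef such as 'acme/platform@main' into (repo, branch).
    A repoRef without '@' has no branch, so branch-scoped rules cannot match it."""
    repo, sep, branch = repo_ref.partition("@")
    return repo, (branch if sep else None)


def rule_matches(rule: Rule, repo_ref: str, path: Optional[str] = None) -> bool:
    """True when every pattern the rule sets matches the binding (assumed glob semantics).
    A pathPattern rule is file-scoped, so it only matches when a path is supplied."""
    repo, branch = parse_repo_ref(repo_ref)
    if not fnmatchcase(repo, rule.repoPattern):
        return False
    if rule.branchPattern is not None:
        if branch is None or not fnmatchcase(branch, rule.branchPattern):
            return False
    if rule.pathPattern is not None:
        if path is None or not fnmatchcase(path, rule.pathPattern):
            return False
    return True


def blocking_rules(rules, repo_ref, path=None):
    """Rules that gate ack on this binding: they must apply to ack (requireAck)
    and demand explicit approval (requireApproval)."""
    return [r for r in rules
            if r.requireAck and r.requireApproval and rule_matches(r, repo_ref, path)]


def ack_incident(rules, repo_ref, path=None, force_approval=False, authorized=False):
    """Model of POST /api/watches/{watchId}/incident/ack: returns (status, body).
    409 while a matching rule requires approval; forceApproval from an
    authorized user bypasses it; forceApproval from anyone else is refused
    (the 403 code is an assumption, the page does not state it)."""
    blocking = blocking_rules(rules, repo_ref, path)
    if not blocking:
        return 200, {"acknowledged": True}
    if force_approval:
        if authorized:
            return 200, {"acknowledged": True, "forced": True,
                         "rules": [r.name for r in blocking]}
        return 403, {"error": "forceApproval requires an authorized user"}
    return 409, {"error": "Remediation approval required",
                 "rules": [r.name for r in blocking]}


# Constructed sample rules: the one created with curl above, plus a
# file-scoped rule using globs on both repo and path.
SAMPLE_RULES = [
    Rule(name="Platform main gate", repoPattern="acme/platform",
         branchPattern="main", requireApproval=True),
    Rule(name="Billing schema gate", repoPattern="acme/*",
         pathPattern="services/billing/*", requireApproval=True),
]

if __name__ == "__main__":
    print(ack_incident(SAMPLE_RULES, "acme/platform@main"))
    print(ack_incident(SAMPLE_RULES, "acme/platform@main",
                       force_approval=True, authorized=True))
    print(ack_incident(SAMPLE_RULES, "acme/other@dev",
                       path="services/billing/schema.sql"))
```

Two points the model makes explicit: a binding whose repoRef carries no @branch never satisfies a branchPattern rule, so bindings meant to be gated on main should always be written as acme/platform@main; and requireAck false takes a rule out of the ack path entirely, which is the setting to audit when an incident on a sensitive repository acks without a 409.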

Console

Manage rules under Console → Settings → Approval rules. The Needs Review hub surfaces incidents waiting on ack or approval.

Related

  • Drift policy presets
  • SchemaSync draft PRs
  • Agent bindings