Automatic remediation for settings drift with dry-run preview and rollback
## Problem

When project settings drift from governance policies (push rules changed, branch protections weakened, compliance frameworks removed), GitLab logs the change in audit events but provides no mechanism to automatically restore the desired state. Administrators must manually identify and fix each non-compliant project. There is also no dry-run mode to preview what a policy enforcement would change before applying it, and no rollback mechanism to restore previous settings if a policy change causes problems.

This breaks **continuous compliance**: organizations cannot maintain their compliance posture automatically.

## Agentic Context

Self-healing governance follows the same pattern as self-healing CI (Nx, Elastic, CircleCI Chunk): the agent detects a problem, the agent proposes a fix, and the system verifies and applies it. When an agent or human violates a governance policy, the system should auto-remediate at machine speed. Without automatic remediation, governance violations compound at agent scale.

## Field Evidence

A Professional Services tool deployed at a regulated enterprise customer provides:

- **Dry-run mode:** Shows exactly what would change per project without applying anything (exit code 0 = no changes, 2 = pending changes)
- **Snapshot capture:** Saves the full project state as JSON before any change is made
- **Rollback:** Restores any previous snapshot in a single operation
- **Automatic remediation:** Brings non-compliant projects back to the desired state

This is used for safe, auditable governance enforcement across hundreds of projects at a regulated bank (SOX, PCI-DSS). The capability does not exist natively in GitLab.

## Proposal

1. When drift is detected (#591822), offer one-click remediation to restore the desired state
2. Provide a dry-run preview showing all changes that would be applied per project
3. Automatically capture a settings snapshot before any bulk policy application (#591827)
4. Allow rollback to any previous snapshot from the UI or API
5. Log all remediation actions as audit events

## Connection to Existing Work

- #546119 -- "Proactive Security Configuration Change Monitoring" (detection side)
- #590661 -- "Policy inspect/debug mode" for security policies (same dry-run UX pattern)

## DAP & AI Governance Cross-References

- &14897 -- Custom compliance frameworks improvements (proposed parent epic)
- &20466 -- Admin HITL Guardrails for Agent Actions (HITL checkpoint before high-risk remediation)
- #585928 -- DAP Governance: Enterprise authentication layer (approval workflows)
- #585931 -- DAP Governance: Automated approval workflows (same pattern)
- #591235 -- Agent Speculative Execution & Universal Rollback (same rollback pattern)

## Part of Governance-as-Code Series

This is one of 9 related issues: #591821, #591822, #591823, #591824, #591825, #591826, #591827, #591828, #591829
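The four capabilities described under Field Evidence and the Proposal (drift diff, dry-run with the 0/2 exit-code convention, JSON snapshot before apply, single-operation rollback), as an added example that is not the Professional Services tool's or GitLab's code. The policy and project settings are constructed sample dicts, and the setting names are illustrative rather than a claim about GitLab API fields.

```python
import copy
import json

# Constructed sample data (setting names illustrative, not GitLab API fields): desired policy vs. one project.
DESIRED = {
    "push_rules": {"reject_unsigned_commits": True, "commit_committer_check": True},
    "branch_protection": {"main": {"allow_force_push": False, "code_owner_approval_required": True}},
    "compliance_frameworks": ["sox", "pci-dss"],
}
CURRENT = {  # drifted: unsigned commits allowed, force-push allowed, PCI framework removed
    "push_rules": {"reject_unsigned_commits": False, "commit_committer_check": True},
    "branch_protection": {"main": {"allow_force_push": True, "code_owner_approval_required": True}},
    "compliance_frameworks": ["sox"],
}

def diff_settings(desired, current, path=""):
    """Return (dotted path, current value, desired value) for every drifted leaf setting."""
    changes = []
    for key, want in desired.items():
        have = current.get(key)
        if isinstance(want, dict) and isinstance(have, dict):
            changes.extend(diff_settings(want, have, f"{path}{key}."))
        elif isinstance(want, list):
            if sorted(want) != sorted(have or []):  # frameworks drift when any required one is missing
                changes.append((path + key, have, want))
        elif have != want:
            changes.append((path + key, have, want))
    return changes

def dry_run(desired, current):
    """Preview only; exit-code convention from the issue: 0 = no changes, 2 = pending changes."""
    changes = diff_settings(desired, current)
    for p, have, want in changes:
        print(f"would set {p}: {have!r} -> {want!r}")
    return 2 if changes else 0

def remediate(desired, current):
    """Snapshot the full state as JSON first, then apply every drifted setting; returns (new, snapshot)."""
    snap = json.dumps(current, sort_keys=True)
    new = copy.deepcopy(current)
    for p, _, want in diff_settings(desired, current):
        *parents, leaf = p.split(".")
        node = new
        for k in parents:
            node = node.setdefault(k, {})
        node[leaf] = copy.deepcopy(want)
    return new, snap

def rollback(snap):  # restore a previous snapshot in a single operation
    return json.loads(snap)
```

In a real deployment the snapshot would be persisted alongside an audit event before `remediate` writes anything, so the rollback record exists even if the apply step fails midway.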