Pre-validation API for governance policy changes before application
## Problem
When applying governance policies across many projects (via API or future bulk operations), there is no way to validate the configuration before applying it. Errors are caught during application, potentially leaving some projects updated and others not, creating inconsistent compliance state.
Examples of errors that could be caught before apply:
- Referenced compliance framework was renamed or deleted
- Referenced group doesn't exist or token lacks access
- Push rule configuration conflicts with instance-level settings
- Branch protection references a branch pattern that doesn't exist in any matched project
## Agentic Context
Agents need deterministic pass/fail signals, not error-recovery loops. When a governance enforcement step is part of a DAP flow or CI pipeline, pre-validation provides the deterministic gate: the agent checks if the policy is valid before applying, and stops on failure rather than creating partial state. This is the governance equivalent of `terraform plan` before `terraform apply`. Joe Burnett's Auto Flow design (Runner Core) uses OPA to evaluate every `run` call with execute/hold/reject outcomes. Pre-validation provides the same pattern for governance policy application.
## Field Evidence
A Professional Services tool deployed at a regulated enterprise customer provides an `--online` validation mode that verifies all referenced groups, compliance frameworks, and token permissions exist on the GitLab instance before applying any changes. This prevents partial application failures and is used as a CI gate before governance enforcement runs.
## Proposal
1. Provide a validation endpoint that accepts a governance policy definition and returns a list of warnings/errors without applying anything
2. Validate: token permissions, group existence, compliance framework existence, setting compatibility
3. Return per-project validation results (would succeed / would fail / would skip)
4. Support use as a CI/CD job (exit code 0 = valid, non-zero = errors found) for continuous compliance pipelines
## Connection to Existing Work
- #590661 -- "Policy inspect/debug mode" for security policies (parallel concept)
## DAP & AI Governance Cross-References
- &14897 -- Custom compliance frameworks improvements (proposed parent epic)
- &20418 -- AI Agent Policy Enforcement & Guardrails (OPA-based validation pattern)
- #591157 -- Experiment: AI governance policy (validation as policy primitive)
## Part of Governance-as-Code Series
This is one of 9 related issues: #591821, #591822, #591823, #591824, #591825, #591826, #591827, #591828, #591829
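
The gate described under Proposal, as an added sketch that is not code from this issue or from GitLab: a dry-run validator that returns policy-level errors and a per-project status, plus the CI exit code. The policy field names, the instance snapshot, the rule that a project with no matching branch is skipped, and the use of `fnmatch` for branch patterns are all assumptions made for illustration.

```python
import sys
from fnmatch import fnmatchcase

# Constructed snapshot standing in for live lookups against the instance.
INSTANCE = {
    "frameworks": {"SOC2", "PCI-DSS"},
    "groups": {"platform/security"},
    "token_scopes": {"api"},
    "projects": {"payments/api": ["main", "release/1.0"], "payments/docs": ["trunk"]},
}
# Constructed policy definition; the field names are hypothetical.
POLICY = {
    "framework": "PCI-DSS", "approver_group": "platform/security",
    "required_scope": "api", "protected_branch": "release/*",
    "projects": ["payments/api", "payments/docs"],
}

def validate(policy, instance):
    """Dry run: return (policy_errors, per_project_status); nothing is applied."""
    errors = []
    if policy["framework"] not in instance["frameworks"]:
        errors.append("compliance framework not found: " + policy["framework"])
    if policy["approver_group"] not in instance["groups"]:
        errors.append("group missing or not accessible: " + policy["approver_group"])
    if policy["required_scope"] not in instance["token_scopes"]:
        errors.append("token lacks scope: " + policy["required_scope"])
    results = {}
    for path in policy["projects"]:
        branches = instance["projects"].get(path)
        if branches is None:
            results[path] = "would_fail"   # project not visible to the token
        elif any(fnmatchcase(b, policy["protected_branch"]) for b in branches):
            results[path] = "would_succeed"
        else:
            results[path] = "would_skip"   # assumption: no matching branch means skip
    if "would_succeed" not in results.values():
        errors.append("branch pattern matches no branch in any matched project")
    if errors:  # a policy-level error fails every project that would otherwise apply
        results = {p: "would_fail" if s == "would_succeed" else s for p, s in results.items()}
    return errors, results

def exit_code(errors, results):
    """0 = valid, non-zero = errors found, as a CI gate expects."""
    return 1 if errors or "would_fail" in results.values() else 0

if __name__ == "__main__":
    errs, res = validate(POLICY, INSTANCE)
    print("\n".join(errs + [f"{p}: {s}" for p, s in res.items()]))
    sys.exit(exit_code(errs, res))
```

Because a policy-level error downgrades every `would_succeed` to `would_fail`, a renamed framework stops the whole run before any project is touched rather than partway through.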