Unified governance policy surface for declarative settings management across projects
## Problem
Each governance setting type in GitLab has its own UI page, API endpoint, inheritance model, and enforcement mechanism. There is no unified surface where an admin can declare "this is what compliance looks like for this group of projects."
## Agentic Context
A unified governance policy surface is what agents read to understand "what governance applies here." This is the compliance equivalent of AGENTS.md: a declarative file that tells any actor (human or agent) what rules govern this project or group.
As DAP scales, agents need a single, machine-readable governance definition. Without it, each agent must query multiple APIs to discover the governance posture, which is slow and fragile.
This connects to: &21067 (DAP Software Factory), &20421 (MCP Registry 3-layer model), &21127 (AI orchestration strategy), and the broader vision of GitLab as the agentic infrastructure platform.
## Prior Art
- #432186 (Epic &12248, closed Aug 2025), #328458, #591157 (active AI governance policy experiment)
## Field Evidence
A Professional Services tool deployed at a regulated enterprise customer provides a single YAML configuration managing push rules, branch protections, and compliance frameworks with a consistent precedence model. One config, one execution model, one report.
## Proposal
1. Declarative governance policy format (YAML) combining all setting types
2. Consistent precedence model across all setting types
3. Group-level UI and API
4. Git-stored governance-as-code with version history and approval workflows
5. Integration with existing security policy projects
## Vision
The "continuous compliance" equivalent of `.gitlab-ci.yml` for CI/CD. For the agentic era: AGENTS.md for compliance.
## DAP & AI Governance Cross-References
- &14897 -- Custom compliance frameworks improvements (proposed parent epic)
- &21067 -- DAP Software Factory (agents need governance definition)
- &20421 -- MCP Registry & Tool Governance (tool-level parallels project-level)
- &21127 -- AI orchestration strategy (unified governance across all AI usage)
- &18954 -- Comprehensive AI Audit Event System (governance surface feeds audit)
- #591157 -- AI governance policy experiment (building block)
- #573629 -- UX for DAP Permissions and Governance
## Component Issues
- #591821 -- Push rule enforcement and lock
- #591822 -- Settings drift detection
- #591823 -- Automatic remediation with dry-run and rollback
- #591824 -- Bulk policy application API
- #591825 -- Topic-based policy routing
- #591826 -- Pre-validation API
- #591827 -- Settings snapshot and rollback
- #591828 -- Compliance framework enforcement trigger