Remediation Safety, Approval Workflow & Policy Guardrails #105

@IgnacioPro

Auto-remediation requires human-in-the-loop approvals, risk gating, pre/post evidence collection, dry-run/diff previews, rollback hooks, and organization policy integration. Guardrails (allow/deny lists, block dangerous prompts/actions) must be centrally managed per org/tenant.

Paths:

  • Integrate with internal/remediation/ and internal/doctor/
  • Approval workflow, rollback hooks: check current fix/apply flows for approval/dry-run tokens (add as needed)
  • Risk gating: centralize risk score and policy enforcement
  • Evidence: capture artifacts before/after and persist/audit via API
  • Guardrails: enforce allow/deny at CLI/API, integrate into config and flows

References: internal/remediation/, internal/doctor/, policy/config, admin UI.
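
One way the gating order requested in this issue (tenant allow/deny, risk thresholds, dry-run preview, approval token) could be enforced, as an added example that is not code from the project. Go is assumed from the `internal/` layout; every type, function, field and threshold below is hypothetical, and the demo values are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Hypothetical types for illustration; none are taken from the project.
type Policy struct {
	Allow, Deny  map[string]bool // per-tenant action lists; deny wins over allow
	ApprovalRisk int             // risk >= this needs a human approval token
	BlockRisk    int             // risk >= this is refused outright
}
type Request struct {
	Tenant, Action, PlanDigest, Token string // PlanDigest: hash of the dry-run diff the approver saw
	Risk                              int
	DryRun                            bool
}

// Sign issues an approval bound to tenant, action and the exact previewed plan.
func Sign(key []byte, r Request) string {
	m := hmac.New(sha256.New, key)
	fmt.Fprintf(m, "%q|%q|%q", r.Tenant, r.Action, r.PlanDigest) // %q avoids delimiter ambiguity
	return hex.EncodeToString(m.Sum(nil))
}

// Evaluate fails closed: unknown tenants and unlisted actions are denied.
func Evaluate(policies map[string]Policy, key []byte, r Request) string {
	p, ok := policies[r.Tenant]
	switch {
	case !ok || p.Deny[r.Action] || !p.Allow[r.Action]:
		return "denied: policy"
	case r.Risk >= p.BlockRisk:
		return "denied: risk"
	case r.DryRun: // preview only, nothing is changed
		return "preview"
	case r.Risk >= p.ApprovalRisk && !hmac.Equal([]byte(Sign(key, r)), []byte(r.Token)):
		return "needs-approval"
	}
	return "apply"
}

func main() { // constructed demo values
	pol := map[string]Policy{"acme": {Allow: map[string]bool{"restart-service": true}, ApprovalRisk: 5, BlockRisk: 9}}
	r := Request{Tenant: "acme", Action: "restart-service", PlanDigest: "d1", Risk: 6}
	fmt.Println(Evaluate(pol, []byte("demo-key"), r)) // no token supplied yet
}
```

Because the token covers the plan digest, an approval given for one previewed diff does not carry over if the plan changes before apply.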


Labels: enhancement (New feature or request)
