Autonomous Governance

v5.0 Autonomous Governance

v5.0 moves Terraform Guardrail from explaining governance decisions to helping operate the governance program. The first foundation adds remediation plans and governance health reporting on top of v4 evaluation, explainability, evidence, and waiver data.

Remediation Plans

Create a remediation plan from a stored evaluation result:

terraform-guardrail enterprise remediation create <result-id>

Generate Markdown for a pull request, work item, or audit note:

terraform-guardrail enterprise remediation create <result-id> \
  --format markdown \
  --output guardrail-remediation.md

The plan includes rule ID, severity, path, suggested fix, Terraform snippet preview for common safe fixes, confidence level, and skipped findings when an approved waiver is active.

API:

• POST /remediation/plans
• GET /remediation/plans
• GET /remediation/plans/{plan_id}
• GET /remediation/plans/{plan_id}/markdown

Governance Health

Governance health summarizes stored enterprise activity:

terraform-guardrail enterprise health
terraform-guardrail enterprise health --format json
terraform-guardrail enterprise trends

API:

• GET /governance/health
• GET /governance/trends

The report includes total evaluations, findings, policies, baselines, remediation plans, pass/warn/block counts, top recurring rules, waiver summary, evidence summary, and risk signals. The trend report adds chart-ready waiver aging, evidence coverage, remediation/PR activity, and 7-day governance activity data.

Web UI Dashboard

The Enterprise web workspace includes a Governance health dashboard at the top of the page. It shows evaluation, finding, blocked-decision, waiver, evidence, and remediation-plan counts, plus trend charts for waiver aging, evidence coverage, remediation/PR activity, 7-day governance activity, top recurring rules, current risk signals, and latest remediation plans.

After a scan, select Create Remediation Plan in the evaluation report to generate a v5 plan from the stored result. The page displays reviewable actions, suggested fixes, confidence, and Terraform snippet previews when a common safe fix is available.

Scheduled Governance Scans

v5 includes a scheduler-ready configuration layer for recurring governance scans. A target defines the Terraform path, cadence, provider, baseline, fail threshold, and context. The current foundation stores the schedule and supports manual execution; a later step can attach a background runner or external orchestrator.

Create a target:

terraform-guardrail enterprise schedule create \
  --name daily-prod \
  --path ./infra \
  --cadence daily \
  --provider aws \
  --context environment=prod \
  --context risk_tier=high

Run it on demand:

terraform-guardrail enterprise schedule run <target-id>
terraform-guardrail enterprise schedule runs --target-id <target-id>

API:

• POST /scheduled-scans
• GET /scheduled-scans
• GET /scheduled-scans/{target_id}
• POST /scheduled-scans/{target_id}/run
• GET /scheduled-scans/{target_id}/runs

Remediation Pull Request Scaffold

The first PR automation step is provider-neutral. Terraform Guardrail generates branch/commit metadata, a pull request body, a manifest, and Terraform snippet files from a remediation plan. The GitHub automation layer then records a safe dry-run PR plan by default, or calls gh pr create when --create is explicitly supplied.

terraform-guardrail enterprise remediation patch-bundle <plan-id>
terraform-guardrail enterprise remediation patch-bundles --plan-id <plan-id>
terraform-guardrail enterprise remediation github-pr <bundle-id> \
  --repository Huzefaaa2/terraform-guardrail
terraform-guardrail enterprise remediation github-pr <bundle-id> \
  --repository Huzefaaa2/terraform-guardrail \
  --create
terraform-guardrail enterprise remediation github-prs --bundle-id <bundle-id>

The bundle includes:

• Branch name such as guardrail/remediate/eval-....
• Commit message.
• PULL_REQUEST.md.
• manifest.json.
• Generated Terraform snippet files under terraform-guardrail-remediation/.

API:

• POST /remediation/patch-bundles
• GET /remediation/patch-bundles
• GET /remediation/patch-bundles/{bundle_id}
• POST /remediation/patch-bundles/{bundle_id}/github-pr
• GET /remediation/github-prs

Evidence Scheduling

Evidence schedules define recurring audit export jobs by result ID or by matching evaluation context. The current foundation stores schedules and supports manual execution; a later background runner can call the same run endpoint on a cadence.

Create a monthly schedule for a repository:

terraform-guardrail evidence schedule create \
  --name monthly-payments \
  --cadence monthly \
  --format json \
  --repo payments-infra \
  --limit 10

Run and inspect it:

terraform-guardrail evidence schedule run <schedule-id>
terraform-guardrail evidence schedule runs --schedule-id <schedule-id>

Schedules can filter by:

• result_id
• baseline
• app, org, group, or repo
• standard
• control_id

API:

• POST /evidence/schedules
• GET /evidence/schedules
• GET /evidence/schedules/{schedule_id}
• POST /evidence/schedules/{schedule_id}/run
• GET /evidence/schedules/{schedule_id}/runs

Background Runner Scaffold

The v5 runner gives external schedulers one command/API call that executes enabled scheduled scan targets and evidence schedules. This is intentionally scheduler-neutral: run it from cron, GitHub Actions schedule, CodeBuild, Kubernetes CronJob, or any enterprise orchestrator.

terraform-guardrail enterprise automation run
terraform-guardrail enterprise automation runs

Run only one side of the loop when needed:

terraform-guardrail enterprise automation run --no-include-evidence
terraform-guardrail enterprise automation run --no-include-scans

API:

• POST /automation/run
• GET /automation/runs

Next v5 Steps

• Release hardening for the v5.0.0 final build, package verification, and documentation polish.