Midgard Adds AI Configuration Governance for Drupal 11

Release 1.0.0-alpha1 of Midgard introduces a Drupal 11 module suite for governing AI-driven configuration changes, adding review, risk scoring, approval, rollback, export, and audit controls around agent-led site operations. Drupal developer Andrés Moreno Rubio announced the project in a LinkedIn post, and Drupal.org lists the first public alpha as released on 17 June 2026.

The release matters because Midgard frames AI output in Drupal as configuration rather than generated text. It is designed to capture changes to content types, Views, fields, and other site settings as governed events that can be reviewed, risk-scored, queued for human approval, snapshotted, rolled back, and exported. That places the project between Drupal's growing AI tooling and the configuration management practices already used by site teams.

The suite includes three named components. Midgard provides the umbrella layer, including the AI provider layer, safety primitive, admin interface, installer, and diagnostic tooling. Bifrost exposes governed Drupal capabilities to AI agents through Model Context Protocol (MCP) tools, while Heimdall handles risk scoring, human approval for high-impact changes, and a hash-chained audit log.

Midgard builds on the AI module, MCP Server, Simple OAuth, Key, and Config Guardian. The project page says provider access goes through AI, rather than direct calls to services such as OpenAI, Anthropic, Gemini, or Ollama. Its snapshot, rollback, and audit functions are delegated to Config Guardian, which Andrés also maintains.

Config Guardian provides point-in-time snapshots, rollback support, dependency analysis, risk scoring, hashing, audit trails, and backup scheduling for Drupal configuration. Drupal.org lists its 1.0.3 release as published on 12 June 2026, with compatibility for Drupal 10.5, 11, and 12. Stable releases of Config Guardian are covered by Drupal's security advisory policy.

Midgard remains a pre-1.0 alpha and is not covered by Drupal's security advisory policy. The release notes say it is intended for evaluation and feedback rather than production, and that releases will remain alpha or beta until the MCP transport dependency has a stable tagged release and security coverage is opted in. That status should shape how site teams assess the project, especially because it governs configuration changes rather than content generation alone.

The documented installation path uses Composer and Drush, including composer require 'drupal/midgard:^1.0@alpha', drush midgard:install, and drush midgard:doctor. The roadmap names Muninn for observability and content or configuration insight across governed changes. Further submodules are planned for auditing, configuration repair, content quality assurance, and design sync as the suite matures.