Governance

Your engineering standards survive autonomy.

Discipline has to be engineered in. The human-defined gate stays human-defined. The Inspector agent enforces evidence requirements. The Marshal agent respects branch protection. Conventions are read directly from your codebase.

Three configurable controls, set on the pilot call:
  • Per-issue cost caps — escalate to a human when an issue exceeds budget.
  • Automerge threshold — how confident Colony must be before it merges without human approval.
  • Human-review-required labels — any matching issue routes through mandatory human review.

Three controls

Inspector, Marshal, conventions. Each is a hard gate.

Soft gates fail under autonomy. Each control here is a transition the pipeline cannot cross without satisfying a deterministic check.

Evidence-bound review

The Inspector agent doesn’t take the PR’s word for it. Tests must have run. Coverage must hold. The change plan must match the diff. If the evidence doesn’t justify the change, the PR goes back to the Builder for rework. No exceptions, no shortcuts.

Protocol-respecting merge

The Marshal agent uses the same branch-protection rules a human would have to satisfy: required reviews, required status checks, code-owner approvals, signed commits. It cannot elevate its own permissions; if your repo requires two human reviewers, it will not bypass them.

Convention enforcement

Conventions are read from your repository — CONTRIBUTING.md, .eslintrc, code style, commit-message format, test patterns. The Inspector agent checks the diff against them. New code matches the room it’s landing in.

Configurable, audited

You set the policy. The pipeline enforces it.

Policies are declarative, versioned, and auditable. The same file that defines “PRs need two human reviewers” defines “Builder agent cannot delete database migrations.” If your policy changes, the audit log shows when and who.

  • Per-repo policy file, versioned with the code
  • Per-tenant defaults inherited and overridable
  • Policy changes recorded in the audit trail
  • Dry-run mode for testing a new rule before enforcing

# .colony/policy.yaml
review:
  required: "two_humans"
  evidence:
    tests: "must_pass"
    coverage: "no_regression"

merge:
  branch: "main"
  require_status_checks: true
  require_signed_commits: true

builder:
  forbid_paths:
    - "migrations/*"
    - "infra/secrets/*"
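
As an added illustration, not Colony's own code, here is a minimal evaluator of the policy shape shown above: each section becomes a deterministic check, and the dry-run mode from the list reports violations without blocking. The PullRequest fields, the mapping of "two_humans" to a count of 2, and the glob semantics for forbid_paths are assumptions.

```python
from dataclasses import dataclass
from fnmatch import fnmatch

# The page's .colony/policy.yaml transliterated to a dict (assumption: no YAML
# library needed; keys and values are exactly those shown above).
POLICY = {
    "review": {"required": "two_humans",
               "evidence": {"tests": "must_pass", "coverage": "no_regression"}},
    "merge": {"branch": "main", "require_status_checks": True,
              "require_signed_commits": True},
    "builder": {"forbid_paths": ["migrations/*", "infra/secrets/*"]},
}

@dataclass
class PullRequest:  # constructed evidence about one PR; fields are assumed
    changed_paths: list
    human_approvals: int
    tests_passed: bool
    coverage_before: float
    coverage_after: float
    status_checks_green: bool
    all_commits_signed: bool
    target_branch: str = "main"

def evaluate(policy, pr, dry_run=False):
    """Return (allowed, violations). Dry-run reports violations but never blocks."""
    violations = []
    # Builder gate: a diff touching a forbidden path is rejected outright.
    # fnmatch's '*' also crosses '/', so "migrations/*" covers nested files.
    for path in pr.changed_paths:
        for pattern in policy["builder"]["forbid_paths"]:
            if fnmatch(path, pattern):
                violations.append(f"builder.forbid_paths: {path} matches {pattern}")
    # Inspector gate: the evidence must justify the change.
    evidence = policy["review"]["evidence"]
    if evidence.get("tests") == "must_pass" and not pr.tests_passed:
        violations.append("review.evidence.tests: test run did not pass")
    if evidence.get("coverage") == "no_regression" and pr.coverage_after < pr.coverage_before:
        violations.append("review.evidence.coverage: coverage regressed")
    needed = {"two_humans": 2}.get(policy["review"]["required"], 0)  # assumed mapping
    if pr.human_approvals < needed:
        violations.append(f"review.required: {pr.human_approvals}/{needed} human approvals")
    # Marshal gate: the same branch protection a human would have to satisfy.
    merge = policy["merge"]
    if pr.target_branch == merge["branch"]:
        if merge.get("require_status_checks") and not pr.status_checks_green:
            violations.append("merge.require_status_checks: checks not green")
        if merge.get("require_signed_commits") and not pr.all_commits_signed:
            violations.append("merge.require_signed_commits: unsigned commit present")
    return (True if dry_run else not violations), violations
```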

The conventions file

The other half of the operating contract.

Policy defines what the pipeline must enforce. Conventions define how new code should look. The agents read both before they touch the repo.

A versioned file (.colony/conventions.md) in each repository defines your stack, coding standards, naming conventions, testing approach, and forbidden patterns. The agents read it before they touch code. A well-maintained conventions file produces consistent, on-pattern output; a thin one produces output that needs more human correction.

It’s a living document. The most effective teams update it the first time they find themselves declining the same kind of PR twice — the convention you wished existed becomes the convention you can write down, and the pipeline enforces it on the next PR.

An enforcement, replayed

What happens when the gate holds.

A real-shaped audit trace from a PR that didn’t pass review. The Inspector flagged it; the Builder reworked; the second attempt cleared.

audit.issue(2843) · gate_enforcement flagged → reworked → merged
10:14:02  Builder    implemented · webhook-retry-fix · 38 lines
10:14:55  Builder    PR #2843 opened
10:15:11  Inspector  reading PR · checking evidence
10:16:02  Inspector  FLAGGED · subprocess timeout test missing; policy require_test_for_io violated
10:16:05  Builder    received rework request · re-analyzing
10:18:40  Builder    added subprocess timeout test · re-pushed
10:19:12  Inspector  evidence ok · approving
10:19:55  Marshal    branch_protection ok · merged #2843

Bring your policies. We’ll enforce them.

Pilot setup includes a policy review with your team — what you have today, what gets enforced day one.