Policy modes
Choose how strictly your workspace enforces outcomes, from visibility only to hard stops that fit regulated delivery.
Three postures
The same engines run everywhere; the difference is what happens when risk shows up: a log-only verdict, a blocked merge, or a strict denial with an audit trail.
Advisory
Engines return their normal results. You still read safe_to_deploy, scores, and evidence from the response body, and a policy failure alone never produces an HTTP error. Best while you are still tuning snapshots and thresholds.
Blocking
Failed gates surface as HTTP 422 with the standard v1 error envelope, so CI and humans get a stop signal explicitly tied to policy rather than an ambiguous 500. A 5xx still means the service itself failed; treat it as an infrastructure problem to investigate, never as a pass and never as a waived gate.
Strict
Highest assurance: a success path unlocks only when the policy pack evaluation and the engine outcome both pass, and every override is recorded in the audit trail. For teams that cannot afford silent waivers.
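The following is an added example, not the product's own client or API, showing how a CI step should interpret one evaluation response under each of the three postures above. Everything about the wire format is an assumption: no endpoint is called (the responses are constructed inline), and the success-body fields (safe_to_deploy, score, policy_pack, waivers), the 422 envelope fields (error with code, message, details) and the mode names are hypothetical stand-ins for the real v1 contract. What it demonstrates is the handling the text calls for: a 5xx is surfaced as infrastructure failure rather than read as a verdict, advisory never stops the pipeline, blocking stops on a policy 422 or an unsafe verdict, and strict additionally requires the engine and the pack to agree and rejects any waiver without an approver and ticket.

```python
# Added example, not the product's own client or API. Wire-format fields and
# the 422 envelope shape below are hypothetical stand-ins for the real v1 contract.
from dataclasses import dataclass
from typing import Any

ADVISORY, BLOCKING, STRICT = "advisory", "blocking", "strict"


class InfraError(Exception):
    """The evaluation service itself failed; this is not a policy verdict."""


@dataclass(frozen=True)
class Decision:
    proceed: bool
    reason: str


def _envelope_summary(body: dict[str, Any]) -> str:
    # Hypothetical envelope: {"error": {"code": ..., "message": ..., "details": [...]}}
    err = body.get("error") or {}
    details = "; ".join(str(d) for d in err.get("details", []))
    return f"{err.get('code', 'POLICY_FAILED')}: {err.get('message', '')} {details}".strip()


def gate(mode: str, status: int, body: dict[str, Any]) -> Decision:
    """Turn one HTTP response into a CI pass/fail with a human-readable reason."""
    if mode not in (ADVISORY, BLOCKING, STRICT):
        raise ValueError(f"unknown policy mode {mode!r}")

    # A 5xx is an outage or a bug: never a pass and never a policy block.
    # Raise so the pipeline reports it as infrastructure, not as a waived gate.
    if status >= 500:
        raise InfraError(f"evaluation service returned HTTP {status}")

    if status == 422:
        summary = _envelope_summary(body)
        if mode == ADVISORY:
            # Advisory promises no HTTP failure for policy alone, so a 422 here
            # means the workspace is misconfigured; fail closed rather than ignore it.
            return Decision(False, f"unexpected policy 422 in advisory mode ({summary})")
        return Decision(False, f"blocked by policy ({summary})")

    if status != 200:
        raise InfraError(f"unexpected HTTP {status} from evaluation service")

    safe = body.get("safe_to_deploy") is True
    verdict = f"safe_to_deploy={safe}, score={body.get('score')}"

    if mode == ADVISORY:
        # Log-only: the verdict is visible but never stops the pipeline.
        return Decision(True, f"advisory, continuing: {verdict}")

    if mode == BLOCKING:
        return Decision(safe, f"{'pass' if safe else 'stop'}: {verdict}")

    # Strict: engine outcome and policy-pack outcome must both pass, and any
    # waiver must carry an audit trail (who approved it and under which ticket).
    pack = body.get("policy_pack") or {}
    pack_ok = pack.get("passed") is True
    silent = [w for w in body.get("waivers", []) if not (w.get("approver") and w.get("ticket"))]
    if silent:
        return Decision(False, f"strict: {len(silent)} waiver(s) without approver/ticket")
    if not (safe and pack_ok):
        return Decision(False, f"strict: engine and pack disagree or failed ({verdict}, pack_passed={pack_ok})")
    return Decision(True, f"strict pass: {verdict}, pack={pack.get('name')}")


# Constructed sample responses (not captured from any real service).
OK_BODY = {"safe_to_deploy": True, "score": 0.91,
           "policy_pack": {"name": "github-pr", "passed": True}, "waivers": []}
UNSAFE_BODY = {"safe_to_deploy": False, "score": 0.42,
               "policy_pack": {"name": "github-pr", "passed": False}}
DENIED_422 = {"error": {"code": "POLICY_GATE_FAILED", "message": "dependency gate failed",
                        "details": ["unreviewed dependency bump in lockfile"]}}

if __name__ == "__main__":
    for mode, status, body in [(ADVISORY, 200, UNSAFE_BODY),
                               (BLOCKING, 422, DENIED_422),
                               (STRICT, 200, OK_BODY)]:
        d = gate(mode, status, body)
        print(f"{mode:9} -> {'proceed' if d.proceed else 'STOP'}: {d.reason}")
```

The design point is that the only HTTP status a pipeline may read as a policy decision is the documented 422; everything else above 299 raises InfraError so an outage cannot masquerade as either a pass or a waived gate. Swap the assumed field names for the real v1 contract before using this shape in a pipeline.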
Policy packs
A pack is a named preset of expectations, for example a GitHub PR flow or a regulated release train, so every workspace speaks the same vocabulary.
- Shared language across dev, security, and release managers
- Easier onboarding: new repos inherit the org baseline
- Room to grow into custom rules and enterprise governance
How to roll out
Start in advisory while you build confidence in the data going in (snapshots and thresholds), move to blocking for PR and CI gates, and reserve strict for environments where every override should be rare and visible.