TRUST ARCHITECTURE

6 layers between AI and your production.

Auto-generated fixes on a misdiagnosed alert? That's what these gates prevent. Every fix must survive all six — or a human decides.

Layer 01

CONFIDENCE GATE

If the AI isn't sure, it stops.

Every diagnosis comes with a confidence score derived from the actual logs, stack traces, and build output. Below 30%, the pipeline halts and escalates to a human. No guessing. No 'maybe this will work' deployments.

< 30% confidence = abort

Layer 02

SELF-REVIEW

The AI reviews its own fix — and can reject it.

A second AI pass acts as a code reviewer. It checks for regressions, type errors, missing imports, and unnecessary changes. Score below 70? The fix is rejected before it ever touches a branch.

< 70 review score = reject

Layer 03

FILE BLOCKLIST

Some files are untouchable. Period.

.env, .lock files, CI configs, migration files, credentials — hardcoded blocklist. No override, no flag to bypass. The AI physically cannot generate changes to these paths.

0 exceptions

Layer 04

CI MUST PASS

Your existing tests are the final judge.

The fix runs through your full CI pipeline. If it fails, the AI analyzes the CI error and tries a completely different approach — up to 3 times. Three failures? Escalates to your on-call. No PR is created.

retry with different approach

Layer 05

TRUST LEVELS

Zero autonomy by default. Earned, not given.

Every project starts at Rookie — draft PRs only, human must approve every merge. The system earns trust through successful fixes with passing CI and no regressions. Each level unlocks tighter auto-merge gates.

Level 0 · ROOKIE · Draft PR only · Human approves every merge

Level 1 · APPRENTICE · Auto-merge enabled · Confidence ≥ 90% · Review ≥ 70 · ≤ 50 lines

Level 2 · TRUSTED · Expanded autonomy · Confidence ≥ 80% · Review ≥ 70 · ≤ 100 lines

Level 3 · EXPERT · Full auto-merge · Confidence ≥ 70% · Review ≥ 60 · ≤ 200 lines

Layer 06

POST-MERGE MONITOR

Merged doesn't mean done.

After merge, InariWatch monitors for 10 minutes. New errors detected? Automatic revert. The branch is rolled back, the incident is re-opened, and your on-call is notified. No human intervention needed.

10 min active monitoring

THE ANSWER

“How much human review is expected?”

By default: 100%.

Every project starts at Trust Level 0 (Rookie). The AI creates draft PRs only. A human reviews and merges every single fix.

Autonomy is earned, not configured.

The system builds a track record. Fixes that pass CI, survive post-merge monitoring, and cause zero regressions count toward the next trust level. Bad fixes reset progress.

Even at maximum trust, 5 gates must pass.

If a single gate fails — low confidence, failed self-review, CI error, or too many lines changed — it falls back to a draft PR. Human decides.

Worst case: auto-revert in 10 minutes.

If a fix somehow passes all gates and causes a new error in production, the post-merge monitor auto-reverts the change. No human intervention needed.
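
The pre-merge gates described above, combined into one decision function as an added example (this is not InariWatch's code). The thresholds come from this page; the blocklist glob patterns, the Fix record and the outcome names are assumptions made for illustration.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from posixpath import normpath

# Thresholds as stated on the page.
ABORT_CONFIDENCE = 30   # Layer 01: below this, halt and escalate
REJECT_REVIEW = 70      # Layer 02: below this, reject the fix
MAX_CI_FAILURES = 3     # Layer 04: three failures, escalate, no PR
# Layer 05: level -> (min confidence %, min review score, max lines changed)
AUTO_MERGE = {1: (90, 70, 50), 2: (80, 70, 100), 3: (70, 60, 200)}

# Assumed glob patterns: the page names only the categories.
BLOCKLIST = (".env", ".env.*", "*.lock", ".github/workflows/*",
             "*migrations/*", "*credentials*")


@dataclass
class Fix:  # hypothetical record of one proposed fix
    confidence: int
    review_score: int
    paths: tuple
    lines_changed: int
    ci_passed: bool
    ci_failures: int = 0


def blocked(path: str) -> bool:
    # Normalise first so "./a/../.env" cannot slip past the patterns.
    norm = normpath(path.replace("\\", "/")).lower()
    name = norm.rsplit("/", 1)[-1]
    return any(fnmatchcase(norm, p) or fnmatchcase(name, p) for p in BLOCKLIST)


def decide(fix: Fix, trust_level: int) -> str:
    if fix.confidence < ABORT_CONFIDENCE:
        return "escalate"
    if fix.review_score < REJECT_REVIEW:
        return "reject"  # runs before Layer 05, so Expert's 60 never binds here
    if any(blocked(p) for p in fix.paths):
        return "blocked"  # assumed outcome name
    if not fix.ci_passed:
        return "escalate" if fix.ci_failures >= MAX_CI_FAILURES else "retry"
    gate = AUTO_MERGE.get(trust_level)  # level 0 (Rookie) has no auto-merge gate
    if gate is None:
        return "draft_pr"
    min_conf, min_review, max_lines = gate
    ok = (fix.confidence >= min_conf and fix.review_score >= min_review
          and fix.lines_changed <= max_lines)
    return "auto_merge" if ok else "draft_pr"
```

Evaluating the blocklist on the normalised path is the detail that matters: matching the raw string would let an equivalent spelling of a protected path through.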

PERSPECTIVE

Dev hotfix at 3 AM

  • No second reviewer
  • “Skip CI, it's urgent”
  • No post-merge monitoring
  • Revert is manual if it breaks
  • Cognitive load at lowest point

InariWatch auto-fix

  • AI self-review on every fix
  • Full CI must pass (3 retries)
  • 10-min post-merge monitor
  • Auto-revert if new errors
  • Consistent process, always

Safer than your 3 AM hotfix.

Start at zero trust. Watch it earn your confidence — one successful fix at a time.