For procurement · SRE · engineering leads

How CARTIE works with your team. You always have the kill-switch.

Every action CARTIE takes on your repo runs at a tier you chose, inside a Shadow Mode window you can extend forever. There is no path where CARTIE merges code without an explicit policy you set.

Shadow Mode

Default ON for 14 days on every new repo. CARTIE generates the diff internally and emails you a weekly digest — but never opens a PR.

Safe default

New repos default to T3 (Draft PR + Slack). CARTIE never auto-merges unless you opt the repo in to T1 explicitly.

Excluded paths

Glob-pattern blocklist. src/payments/**, auth modules, security boundaries — never touched, regardless of tier.

The four autonomy tiers

Set per repo. Change anytime. Each tier explicitly defines what CARTIE may and may not do in your codebase.

Tier 4 · T4

Detect only

CARTIE flags it. Your engineer writes the fix.

When to use

Anything touching auth, payments, security, PII, or one-way-doors.

Risk profile

Zero — CARTIE never touches your repo.

What actually happens when a spike fires
  1. Cost spike fires in Slack with a 3-bullet root cause
  2. Code Tracer points to the exact line + suggested diff
  3. No PR opens. Your engineer copy-pastes the diff (or ignores it).

Tier 3 · T3 · Safe default

Draft PR + Slack

CARTIE opens a DRAFT PR. You un-draft and merge.

When to use

Default for every new repo. Trust-building tier.

Risk profile

Low — no merge is possible without a human un-drafting + clicking merge.

What actually happens when a spike fires
  1. Cost spike + Code Tracer fires identically to T4
  2. CARTIE opens a DRAFT PR on your repo with the diff
  3. Slack pings the configured reviewer team with a 1-line summary
  4. Your engineer reviews, removes the DRAFT flag, merges

Tier 2 · T2

Auto-PR + human merges

CARTIE opens a real PR. Your engineer reviews + merges.

When to use

Repos with full CI + code owners. After ~30 days at T3 with zero false-positives.

Risk profile

Medium — relies on your CI catching anything CARTIE missed.

What actually happens when a spike fires
  1. Cost spike fires + diff opens as a regular PR (not draft)
  2. Required reviewers + CI checks gate the merge
  3. Your engineer merges when satisfied

Tier 1 · T1 · Opt-in only

Auto-merge after CI + 24h soak

CARTIE opens, CI passes, 24h soak, auto-merges.

When to use

Mature repos with deep test coverage. Opt-in PER repo.

Risk profile

High — CARTIE merges without explicit human approval. Customer must opt in per repo.

What actually happens when a spike fires
  1. Cost spike fires + diff opens as PR
  2. CI runs to completion — must pass
  3. 24-hour soak window for your team to override
  4. CARTIE auto-merges after the soak if nobody intervenes

Shadow Mode · 14-day default

CARTIE earns your trust before opening a single PR.

For the first 14 days on any new repo (regardless of the tier you picked), CARTIE runs in Shadow Mode: it produces every diff and Slack notification it would have sent — but the PR is generated internally only. You see exactly what CARTIE would have done, and you decide if its judgment matches yours. Graduate the repo manually when you're ready, or extend Shadow indefinitely.

Day 0

Repo added · tier picked · shadow ON

Days 1–14

Weekly Slack digest: "here's what we would have shipped"

Day 14+

You graduate (or extend shadow). PRs go live at your chosen tier.

A worked example

Friday 3 p.m. Engine #12 (Anomaly Engine) detects a $4,200/day spike in your Anthropic spend. Repo policy: T3 + Shadow OFF (you graduated 6 weeks ago).

  1. 15:00 — Anomaly Engine fires. Cost up 4× vs. 30-day baseline.

  2. 15:01 — Code Tracer scans your repo. Finds 3 call sites using claude-opus-4-5 in a tight loop.

  3. 15:02 — DRAFT PR opens: swap to claude-haiku-4-5 (estimated 67% cost reduction, same task quality on this prompt family).

  4. 15:02 — Slack ping to #cartie-cost with PR link + 3-line diff summary + estimated savings.

  5. 15:15 — Your senior engineer reviews. Diff looks right. Removes DRAFT flag.

  6. 15:17 — CI passes. Engineer merges.

  7. 15:18 — Cost drops 67%. CARTIE books the $X realized savings in your ledger. Audit log records every step.

What CARTIE never does

  • Touch files under your `excluded_paths` glob (regardless of tier)
  • Merge a PR without an explicit T1 opt-in on that specific repo
  • Push to your default branch directly (always a feature branch + PR)
  • Modify CI configs, IAM policies, or secrets without T4 escalation
  • Open PRs during Shadow Mode (the diff stays internal-only)
  • Take any action your audit log can't replay step-by-step
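
The precedence these guarantees imply can be modelled in a few lines and used to sanity-check a policy before onboarding a repo. This is an added example, not CARTIE's code or API: `RepoPolicy`, `decide`, the action names, the `ESCALATE_TO_T4` globs, the boolean Shadow flag and the fallback to T3 when T1 is set without opt-in are all assumptions.

```python
import posixpath
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Assumed globs for "CI configs, IAM policies, or secrets": the page names the
# categories, not the paths.
ESCALATE_TO_T4 = (".github/workflows/**", "iam/**", "*.tfvars")
ACTIONS = {4: "detect_only", 3: "draft_pr", 2: "open_pr",
           1: "auto_merge_after_ci_and_soak"}


@dataclass(frozen=True)
class RepoPolicy:                      # hypothetical shape, not CARTIE's schema
    tier: int = 3                      # page: new repos default to T3
    shadow_on: bool = True             # page: Shadow Mode stays on until you graduate
    t1_opt_in: bool = False            # page: auto-merge needs a per-repo opt-in
    excluded_paths: tuple = ()


def _hits(path: str, globs) -> bool:
    # fnmatch lets '*' cross '/', so patterns over-match rather than
    # under-match: the fail-closed direction for a blocklist.
    return any(fnmatchcase(path, g) for g in globs)


def decide(policy: RepoPolicy, changed_files) -> str:
    # Normalise first so 'a/../src/payments/x' cannot slip past a glob.
    files = [posixpath.normpath(f) for f in changed_files]
    if any(_hits(f, policy.excluded_paths) for f in files):
        return "blocked"               # excluded paths win regardless of tier
    if policy.shadow_on:
        return "shadow_internal_diff"  # no PR during Shadow Mode
    if any(_hits(f, ESCALATE_TO_T4) for f in files):
        return ACTIONS[4]              # sensitive files: flag only
    tier = policy.tier
    if tier == 1 and not policy.t1_opt_in:
        tier = 3                       # assumption: fall back to the safe default
    return ACTIONS.get(tier, ACTIONS[4])  # unknown tier: least privilege
```
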

Ready to set this up for your team?

Configure per-repo tiers + shadow durations. Audit log records every change.

Source of truth: /api/policies/automation/tiers · live values rendered above

4 tiers loaded from live policy API · shadow_mode_default_days=14
