Every action CARTIE takes on your repo runs at a tier you chose, inside a Shadow Mode window you can extend forever. There is no path where CARTIE merges code without an explicit policy you set.
Default ON for 14 days on every new repo. CARTIE generates the diff internally and emails you a weekly digest — but never opens a PR.
New repos default to T3 (Draft PR + Slack). CARTIE never auto-merges unless you opt the repo in to T1 explicitly.
Glob-pattern blocklist. src/payments/**, auth modules, security boundaries — never touched, regardless of tier.
Set per repo. Change anytime. Each tier explicitly defines what CARTIE may and may not do in your codebase.
CARTIE flags it. Your engineer writes the fix.
Anything touching auth, payments, security, PII, or one-way-doors.
Zero — CARTIE never touches your repo.
CARTIE opens a DRAFT PR. You un-draft and merge.
Default for every new repo. Trust-building tier.
Low — no merge is possible without a human un-drafting + clicking merge.
CARTIE opens a real PR. Your engineer reviews + merges.
Repos with full CI + code owners. After ~30 days at T3 with zero false-positives.
Medium — relies on your CI catching anything CARTIE missed.
CARTIE opens, CI passes, 24h soak, auto-merges.
Mature repos with deep test coverage. Opt-in PER repo.
High — CARTIE merges without explicit human approval. Customer must opt in per repo.
For the first 14 days on any new repo (regardless of the tier you picked), CARTIE runs in Shadow Mode: it produces every diff and Slack notification it would have sent — but the PR is generated internally only. You see exactly what CARTIE would have done, and you decide if its judgment matches yours. Graduate the repo manually when you're ready, or extend Shadow indefinitely.
Repo added · tier picked · shadow ON
Weekly Slack digest: "here's what we would have shipped"
You graduate (or extend shadow). PRs go live at your chosen tier.
Friday 3 p.m. Engine #12 (Anomaly Engine) detects $4,200/day spike in your Anthropic spend. Repo policy: T3 + Shadow OFF (you graduated 6 weeks ago).
15:00 — Anomaly Engine fires. Cost up 4× vs. 30-day baseline.
15:01 — Code Tracer scans your repo. Finds 3 call sites using claude-opus-4-5 in a tight loop.
15:02 — DRAFT PR opens: swap to claude-haiku-4-5 (estimated 67% cost reduction, same task quality on this prompt family).
15:02 — Slack ping to #cartie-cost with PR link + 3-line diff summary + estimated savings.
15:15 — Your senior engineer reviews. Diff looks right. Removes DRAFT flag.
15:17 — CI passes. Engineer merges.
15:18 — Cost drops 67%. CARTIE books the $X realized savings in your ledger. Audit log records every step.
Configure per-repo tiers + shadow durations. Audit log records every change.
Source of truth: /api/policies/automation/tiers · live values rendered above
4 tiers loaded from live policy API · shadow_mode_default_days=14