Safety built in, not bolted on.
Autonomous AI development only works when something keeps it honest. Incredibuilders ships with deterministic guardrails at every layer — from per-stage verification to org-wide circuit breakers — so the pipeline can run unattended without becoming a liability.
The autonomous safety stack
Each layer sits at a different point in the pipeline — together they make the difference between "an AI tool" and "an AI dev system you can leave running overnight."
Cascade Circuit Breaker
A sliding-window failure tracker that halts autonomous mode the moment failures start to cluster — so a systemic fault never fans out across your repo.
Deterministic Stage Gates
After every LLM stage, a deterministic post-condition check verifies the work actually happened. No more 'skill said success but didn't do the work.'
Prompt Injection Firewall
Two-layer input/output validation blocks dangerous bash patterns, credential exfiltration, path traversal, and privilege escalation before they ever execute.
Failure Taxonomy
Weighted classification distinguishes transient infra failures (rate limits, network blips) from organic ones — so health scores aren't polluted by noise.
Audit Archival
Every stage, every fix, every recovery — captured as a structured event stream with configurable retention. Built for the compliance review you haven't been asked for yet.
Baseline-Failure Detection
Pre-existing CI failures are tracked separately from new ones. The auto-fix loop only addresses regressions your change introduced — never legacy flakes.
Cascade Circuit Breaker
Autonomous pipelines fail fast and quietly when something is wrong. Without a backstop, a single bad input can fan out into a cascading wave of broken PRs. The circuit breaker is that backstop.
Sliding window watches every autonomous run. Default: 4 failures in 30 minutes trips the breaker. Fully configurable per team.
Autonomous mode is paused immediately. In-flight stages complete; new pipelines do not start. A diagnostic event is emitted with the failure cluster.
No automatic resume. The breaker waits for a human to inspect the cluster, fix the upstream issue, and explicitly re-arm. Safer than eventual self-healing.
Pattern-aware: identical errors across multiple repos trip faster than scattered, unrelated failures.
Trip events route to Discord and Mattermost so on-call sees them immediately — no log-grepping required.
Set tighter limits on production repos, looser on sandboxes. Same breaker, different rules per workspace.
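A sketch of the sliding-window behaviour described above, as an added example rather than Incredibuilders' own code. The class name, method names and failure-class labels are assumptions; the defaults (4 failures in 30 minutes), the organic-only counting and the manual re-arm come from this page.

```python
from collections import deque
from dataclasses import dataclass, field

ORGANIC, INFRA = "organic", "infra"  # assumed labels for the page's two failure classes


@dataclass
class CascadeBreaker:
    threshold: int = 4           # page default: 4 failures ...
    window_s: float = 30 * 60    # ... within 30 minutes
    tripped: bool = False
    failures: deque = field(default_factory=deque, init=False)  # (timestamp, run_id)

    def record_failure(self, ts: float, run_id: str, failure_class: str) -> bool:
        """Record one failed autonomous run; return True if the breaker is tripped."""
        if failure_class == INFRA:
            return self.tripped  # transient infra noise never counts toward the threshold
        self.failures.append((ts, run_id))
        # Slide the window: drop failures older than window_s relative to this one.
        while self.failures and ts - self.failures[0][0] > self.window_s:
            self.failures.popleft()
        if len(self.failures) >= self.threshold:
            self.tripped = True  # latches: only rearm() clears it
        return self.tripped

    def may_start_pipeline(self) -> bool:
        """New pipelines start only while armed; in-flight stages are not touched here."""
        return not self.tripped

    def cluster(self) -> list:
        """Run ids currently in the window, for the diagnostic event."""
        return [run_id for _, run_id in self.failures]

    def rearm(self, operator: str) -> None:
        """Explicit human re-arm; there is deliberately no time-based resume."""
        if not operator:
            raise ValueError("re-arm requires a named operator")
        self.tripped = False
        self.failures.clear()
```

Because `tripped` latches, a failure cluster that later ages out of the window still leaves autonomous mode paused until someone calls `rearm`.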
Deterministic Phase Gates & Failure Taxonomy
Trust LLM output, but verify deterministically. After every phase — not just every stage — Incredibuilders runs hard post-condition checks. 21 of the 94 phases are dedicated gates. Every failure is weighed so transient noise doesn’t look like a regression.
Post-condition gates
Each stage declares the artifacts it promised to produce — a plan file, a passing build, a created PR. A deterministic checker runs after the skill returns. Skill says success ≠ stage passes.
- Plan stage → PLAN.md exists and has acceptance criteria
- Dev stage → git diff shows actual changes
- Validate stage → build & tests actually ran
- PR-create stage → PR exists, links the issue
Weighted failure taxonomy
Not every failure is the same. Infra failures (rate limits, network blips, GitHub API timeouts) are weighted differently from organic failures (bad code, broken tests, missed acceptance criteria).
- Health score isn’t polluted by transient infra noise
- Retry policy adapts to the failure class
- Circuit breaker only counts organic failures toward its threshold
Baseline failure detection
Before any auto-fix runs, the pipeline records the baseline of CI failures already present on the branch. The auto-fix loop only attempts to resolve failures the current change introduced.
- No wasted tokens fixing legacy flakes
- RALPH loop converges on real regressions
- False-alarm rate dropped 80%+ since #3662
Stage-exit diagnostic
Every stop — clean or otherwise — writes a structured exit record: last bash command, stderr tail, rate-limit signals, stall reason. The retro skill reads these to root-cause incidents in seconds, not hours.
Prompt Injection Firewall
LLMs read everything in your codebase — including malicious comments and crafted issue bodies. A two-layer firewall validates both what the model receives and what it tries to run.
Input sanitization
Issue bodies, PR descriptions, file contents, and tool outputs are scanned for injection patterns before they reach the model. Suspicious payloads are flagged or stripped.
- Hidden instruction overrides ("ignore previous", "act as")
- Obfuscated bash via base64 / unicode tricks
- Credential exfiltration patterns
- Tool-call hijacking attempts
Output validation
Every bash command, file write, and tool call from the model passes through a deterministic checker before execution. Dangerous patterns are blocked outright, not just warned.
- Bash escapes and process-substitution tricks
- Path traversal beyond the workspace
- Privilege escalation (sudo, chmod 777)
- Network egress to disallowed hosts
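A narrow illustration of a deterministic output check for three of the bullets above (substitution tricks, workspace escape, sudo / chmod 777), added here and not taken from the product. The function names and the rule set are assumptions; the point it shows is that paths must be compared after symlink resolution, not as strings.

```python
import os
import shlex

# Constructed rule set mirroring the page's bullets; not the product's actual rules.
SUBSTITUTION_TOKENS = ("$(", "`", "<(", ">(")


def inside_workspace(root: str, candidate: str) -> bool:
    """True only if candidate, after ~ expansion and symlink resolution, stays under root."""
    root = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root, os.path.expanduser(candidate)))
    try:
        return os.path.commonpath([root, target]) == root
    except ValueError:  # no common path, e.g. different drives on Windows
        return False


def check_command(root: str, command: str):
    """Return (allowed, reason) for one model-proposed command line."""
    if any(tok in command for tok in SUBSTITUTION_TOKENS):
        return False, "command/process substitution"
    try:
        argv = shlex.split(command)
    except ValueError:
        return False, "unparseable quoting"
    if not argv:
        return False, "empty command"
    program = os.path.basename(argv[0])
    if program == "sudo":
        return False, "privilege escalation: sudo"
    if program == "chmod" and any(a.lstrip("0") == "777" for a in argv[1:]):
        return False, "privilege escalation: chmod 777"
    for arg in argv[1:]:
        value = arg.split("=", 1)[-1]  # also inspect the value of --flag=/some/path
        if value.startswith("-"):
            continue
        if not inside_workspace(root, value):
            return False, f"path outside workspace: {value}"
    return True, "ok"
```

The check blocks rather than warns, matching the page's description; anything it cannot parse is refused.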
Plus the rest of the standard security playbook
PR pre-flight blocks any commit containing recognisable API keys, tokens, or PEM blocks.
Pipelines cannot read or write outside the declared workspace root.
No reaching into ~/.ssh.
Context is JSON-handoff between stages — no conversation history leaks between issues.
Premium skills are served from the platform on demand — never bundled in the VSIX, never persisted to disk.
Audit Archival
Every pipeline run produces an immutable trail. Every stage start and exit, every retry, every fix, every cost line item — captured as a structured event stream you can query, export, and retain for as long as compliance requires.
Structured events at every state transition: stage-enter, stage-exit, retry, fix, gate-failure, escalation, model-switch, cost-event.
Configurable retention per workspace. Defaults are conservative (90d hot, 1y cold) and can be tuned per tier.
Tail-the-pipeline view, time-range queries, JSON / CSV export. The Audit dashboard tab is your compliance review.
What the audit trail enables
- Post-incident retro reads exit records to root-cause in seconds
- Cost attribution per issue, per epic, per repo, per developer
- SOC 2 / ISO control evidence on AI-assisted code changes
- Diff-review across pipeline runs to spot drift
- Per-PR provenance: every line of generated code links back to the prompt that wrote it
Together — circuit breaker, stage gates, failure taxonomy, baseline detection, injection firewall, and audit archival — these layers are what let teams point Incredibuilders at a repo and walk away. The pipeline isn’t just smart. It’s governed.