AI-SDLC
v1alpha1 · Apache 2.0

Govern AI agents across your entire SDLC

An open-source orchestrator that drives AI coding agents through quality gates, progressive autonomy, and codebase-aware context — so AI output improves as your codebase grows.

pipeline.yaml
apiVersion: ai-sdlc.io/v1alpha1
kind: Pipeline
metadata:
  name: feature-delivery
spec:
  triggers:
    - event: issue.assigned
  stages:
    - name: implement
      agent: coding-agent
    - name: review
      qualityGates: [coverage, security]
    - name: deploy

AI agents can build. But can they scale?

Without governance, AI-generated code creates a productivity paradox: more output, less quality, declining trust.

19%
Slower

Experienced developers using AI tools are 19% slower on mature codebases, despite believing they are 20% faster.

METR 2025

7.9%
Code Churn

Code churn rose from 5.5% to 7.9% while refactoring dropped from 25% to 10% of all changes.

GitClear 2024

7.2%
Stability Drop

Every 25% increase in AI adoption correlates with a 7.2% drop in system stability.

Google DORA 2024

3%
Trust Level

Only 3% of developers express high trust in AI-generated code output.

Stack Overflow 2025

The root cause isn't that AI agents write bad code. It's that nobody orchestrates how they work as the codebase grows.

Continuous reconciliation loop

Declare your desired SDLC state in YAML. The orchestrator continuously reconciles actual development activity toward that declared state — like Kubernetes for your development process.

1. WATCH

Listen for triggers — issue assigned, CI failed, schedule

2. ASSESS

Analyze codebase complexity, score task complexity (1-10)

3. ROUTE

Select strategy: fully-autonomous, AI-with-review, or human-led

4. EXECUTE

Invoke agent with context, constraints, and sandbox

5. VALIDATE

Run quality gates — tests, coverage, security, lint

6. DELIVER

Create PR with provenance, request review if required

7. LEARN

Record outcome, update autonomy level, store episodic memory

Five declarative resource types

Every resource follows the spec/status split — you declare what you want, the controller makes it happen. Validated against JSON Schema (draft 2020-12).

Pipeline

A complete SDLC workflow: triggers, providers, stages, and complexity-based routing.

kind: Pipeline
spec:
  triggers:
    - event: issue.assigned
  stages:
    - name: implement
      agent: coding-agent

AgentRole

An AI agent's identity, tools, constraints, handoff contracts, and discovery info.

kind: AgentRole
spec:
  role: "Software Engineer"
  tools: [code_editor, terminal]
  constraints:
    maxFilesPerChange: 10

QualityGate

Policy rules with scope targeting, graduated enforcement, and evaluation config.

kind: QualityGate
spec:
  gates:
    - name: test-coverage
      enforcement: hard-mandatory
      rule:
        metric: line-coverage
        threshold: 80

AutonomyPolicy

Progressive autonomy levels with permissions, guardrails, and promotion criteria.

kind: AutonomyPolicy
spec:
  levels:
    - level: 1
      name: "Junior"
      guardrails:
        requireApproval: all

AdapterBinding

Tool integration declaring which interface it implements, its config, and health checks.

kind: AdapterBinding
spec:
  interface: IssueTracker
  provider: linear
  config:
    apiUrl: https://api.linear.app

Everything you need to govern AI agents

Built on 10 design principles derived from Kubernetes, Terraform, OpenTelemetry, and 20+ major open-source projects.

Progressive Autonomy

Agents earn trust through demonstrated competence — from Intern (read-only) to Principal (minimal oversight).

Quality Gates

Graduated enforcement: advisory, soft-mandatory, hard-mandatory. Start by observing, then enforce.

Agent-Agnostic

Works with Claude Code, Copilot, Cursor, Codex, or any LLM through a standard AgentRunner interface.

Codebase Intelligence

Persistent complexity analysis, architectural pattern detection, hotspot identification, and episodic memory.

Declarative YAML

Declare your desired SDLC state. Controllers continuously reconcile actual activity toward that state.

Audit Logging

Full provenance tracking for every AI-generated change. Export to SIEM, Splunk, or Datadog.

Adapter Contracts

Swap Linear for Jira, GitHub for GitLab — pipeline definitions remain unchanged. Terraform-style providers.

Compliance by Design

Maps to EU AI Act, NIST AI RMF, and ISO 42001. Risk-tier classification built into routing.
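The graduated enforcement levels named under Quality Gates, applied to the QualityGate spec shown earlier, as an added Python example that is not AI-SDLC's own code or SDK API. The level semantics, the "metric must be at least the threshold" comparison, the `overrides` parameter and the two extra gates are assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumed semantics (the page names the levels but does not define them):
#   advisory        -> a failure is reported but never blocks
#   soft-mandatory  -> a failure blocks unless an override is recorded
#   hard-mandatory  -> a failure always blocks; overrides are ignored
LEVELS = ("advisory", "soft-mandatory", "hard-mandatory")

# First gate mirrors the QualityGate spec on the page; the other two are constructed.
SPEC = {"gates": [
    {"name": "test-coverage", "enforcement": "hard-mandatory",
     "rule": {"metric": "line-coverage", "threshold": 80}},
    {"name": "branch-coverage", "enforcement": "soft-mandatory",
     "rule": {"metric": "branch-coverage", "threshold": 70}},
    {"name": "doc-coverage", "enforcement": "advisory",
     "rule": {"metric": "doc-coverage", "threshold": 50}},
]}


@dataclass
class Verdict:
    blocked: bool
    findings: list  # (gate name, enforcement level, outcome) tuples


def evaluate(spec, metrics, overrides=frozenset()):
    """Evaluate every gate; `overrides` is a set of gate names (hypothetical)."""
    findings, blocked = [], False
    for gate in spec["gates"]:
        level = gate["enforcement"]
        if level not in LEVELS:
            # Reject typos instead of silently treating them as advisory.
            raise ValueError(f"unknown enforcement level: {level!r}")
        rule = gate["rule"]
        value = metrics.get(rule["metric"])
        # Fail closed: a metric that was never reported counts as a failure.
        passed = value is not None and value >= rule["threshold"]
        if passed:
            outcome = "pass"
        elif level == "advisory":
            outcome = "warn"
        elif level == "soft-mandatory" and gate["name"] in overrides:
            outcome = "overridden"
        else:
            outcome = "block"
            blocked = True
        findings.append((gate["name"], level, outcome))
    return Verdict(blocked, findings)
```

Recording `overridden` as its own outcome keeps every bypass of a soft-mandatory gate visible in the findings, which is the record an audit log would need.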

SDKs for every stack

First-class support for TypeScript, Python, and Go. Build custom integrations, adapters, and agent runners in your language of choice.

TypeScript

$ npm install @ai-sdlc/sdk

import { PipelineBuilder } from "@ai-sdlc/sdk";

const pipeline = new PipelineBuilder("delivery")
  .addTrigger("issue.assigned")
  .addStage("implement", "coding-agent")
  .addStage("review", "human")
  .build();

Python

$ pip install ai-sdlc-framework

from ai_sdlc import PipelineBuilder

pipeline = (PipelineBuilder("delivery")
  .add_trigger("issue.assigned")
  .add_stage("implement", "coding-agent")
  .add_stage("review", "human")
  .build())

Go

$ go get github.com/ai-sdlc-framework/ai-sdlc/sdk-go

p, _ := builders.NewPipelineBuilder("delivery").
  AddTrigger("issue.assigned", nil).
  AddStage("implement", "coding-agent", nil).
  AddStage("review", "human", nil).
  Build()

Works with every AI coding tool

The orchestrator is agent-agnostic. It invokes AI coding agents through a standard AgentRunner interface. Set the auth token and the runner becomes available.

Claude Code (Anthropic)
Copilot (GitHub)
Cursor (Cursor AI)
Codex (OpenAI)
Any LLM (OpenAI-compatible API)

All runners follow the same pattern: build prompt, spawn CLI, collect output, stage and commit.

Compliance by design

Map lifecycle phases and controls directly to major regulatory frameworks. Governance isn't an afterthought — it's the architecture.

EU AI Act

Risk-tier classification maps to complexity-based routing. Transparency requirements map to provenance tracking.

NIST AI RMF

Govern, Map, Measure, Manage — each function maps directly to AI-SDLC resource types and reconciliation.

ISO 42001

Plan-Do-Check-Act maps to Pipeline spec, Agent execution, Quality gates, and Auto-remediation.

Apache 2.0

Open source, open governance

The AI-SDLC Framework is fully open source. Contribute adapters, quality gates, agent runners, or the spec itself. Community-driven, enterprise-ready.

Need SIEM, SSO, and compliance reports?

Enterprise plans include Splunk/Datadog export, SSO/SAML, SOC 2 and ISO compliance reports, dedicated CSM, and 4-hour SLA support.