The Decision Engine for autonomous software development
An open-source framework that turns development into a series of well-framed decisions executed deterministically. You frontload the thinking through a Definition-of-Ready gate; the autonomous orchestrator dispatches developer subagents, runs cross-harness reviewers in parallel, signs DSSE attestations, and merges through declarative quality gates. Issue → PR, with humans in the loop only where judgment is needed.
apiVersion: ai-sdlc.io/v1alpha1
kind: Pipeline
metadata:
name: feature-delivery
spec:
triggers:
- event: issue.assigned
stages:
- name: implement
agent: coding-agent
- name: review
qualityGates: [coverage, security]
- name: deployAI agents can build. But can they ship?
Without a framework around them, AI-generated code creates a productivity paradox: more output, less quality, declining trust.
Experienced developers using AI tools are 19% slower on mature codebases, despite believing they are 20% faster.
METR 2025
Code churn rose from 5.5% to 7.9% while refactoring dropped from 25% to 10% of all changes.
GitClear 2024
Every 25% increase in AI adoption correlates with a 7.2% drop in system stability.
Google DORA 2024
Only 3% of developers express high trust in AI-generated code output.
Stack Overflow 2025
The root cause isn't that AI agents write bad code. It's that nobody orchestrates how they work as the codebase grows.
From idea to merged PR
Declare your desired SDLC state and decision policy in YAML. The orchestrator runs the contract end-to-end — operators only intervene on the load-bearing decisions the framework genuinely can't make.
1. CAPTURE
An idea surfaces — issue, RFC, emergent finding — and becomes a well-defined work item with explicit open questions.
2. DECIDE
The operator resolves open questions with framework assistance (recommendation + counter-arguments) until the Definition-of-Ready gate is satisfied.
3. ADMIT
DoR gate validates; PPA scores priority; the orchestrator walks the dependency graph and admits the ready frontier.
4. DISPATCH
Worktree-isolated developer subagent executes the contract — Claude Code, Codex, Cursor, or any harness — under declared constraints.
5. REVIEW
Three reviewer subagents run in parallel; cross-harness independence is enforced (the implementer cannot also be the reviewer).
6. ATTEST
DSSE envelope signed with rebase-stable content hash; quality gates run advisory → soft → hard-mandatory; compliance posture derives the required strictness.
7. MERGE
PR opens with provenance; operator approves; merge queue ships. Every decision and override flows back to calibration.
Declarative resources for the whole lifecycle
Every resource follows the spec/status split — you declare what you want, the orchestrator makes it happen. Validated against JSON Schema (draft 2020-12).
Pipeline
A complete SDLC workflow: triggers, providers, stages, DoR gate config, and dependency-aware routing.
kind: Pipeline
spec:
triggers:
- event: issue.assigned
stages:
- name: implement
agent: coding-agentDecision
An open question routed to an actor (Engineering, Product, Design, operator, or framework when LLM-eligible) with recommendation, counter-arguments, and sub-decision graph.
kind: Decision
spec:
summary: "Which auth flow does 'fix login' refer to?"
options:
- id: opt-a
description: "OAuth (current flow)"
- id: opt-b
description: "Magic link (Q3 migration)"AgentRole
An AI agent's identity, tools, constraints, harness adapter, handoff contracts, and discovery info.
kind: AgentRole
spec:
role: "Software Engineer"
tools: [code_editor, terminal]
constraints:
maxFilesPerChange: 10QualityGate
Policy rules with scope targeting, graduated enforcement (advisory → hard-mandatory), and evaluation config.
kind: QualityGate
spec:
gates:
- name: test-coverage
enforcement: hard-mandatory
rule:
metric: line-coverage
threshold: 80AutonomyPolicy
Optional graduated permissions and oversight thresholds for routine agent work — guardrails and promotion criteria stay declarative.
kind: AutonomyPolicy
spec:
levels:
- level: 1
name: "Junior"
guardrails:
requireApproval: allAdapterBinding
Tool integration declaring which interface it implements, its config, and health checks.
kind: AdapterBinding
spec:
interface: IssueTracker
provider: linear
config:
apiUrl: https://api.linear.appFive pillars of an autonomous SDLC framework
Autonomous orchestrator, cross-harness review, decision engine, operator TUI, and declarative governance — built on 10 design principles derived from Kubernetes, Terraform, OpenTelemetry, and 20+ major open-source projects.
Decision Engine
Frontload operator decisions through a deterministic-first evaluation ladder (RFC-0011 DoR, RFC-0035 Decision Catalog). The framework recommends with confidence and counter-arguments; you decide; it executes.
Autonomous Orchestrator
cli-orchestrator walks the dependency graph (RFC-0014), admits ready work, dispatches developer subagents in isolated worktrees, and opens PRs — without operator typing (RFC-0015).
Definition-of-Ready Gate
Every contract passes a deterministic-first DoR rubric before dispatch. Well-formed work hits the orchestrator in seconds; under-specified work surfaces clarifications, not failed dispatches.
Cross-Harness Review
Three reviewer subagents run in parallel with harness independence enforced (Claude can't review what Claude wrote). DSSE envelopes carry harness identity and rebase-stable content hashes.
Operator TUI
Decisions-pending pane, dependency graph, pipeline overview, config editor, usage analytics. Foregrounds the load-bearing decisions and stays out of the way otherwise (RFC-0023).
Quality Gates
Graduated enforcement: advisory, soft-mandatory, hard-mandatory. AI-specific gates for provenance, attribution, and security. Compliance posture derives the strictness.
Autonomy Policies
Declarative AutonomyPolicy resource: declare promotion criteria, guardrails, and oversight thresholds in YAML. Routine work runs unattended; high-stakes work always has human review.
Agent-Agnostic
Works with Claude Code, Copilot, Cursor, Codex, Aider, or any LLM through a standard AgentRunner interface. Harness adapter pattern keeps you portable.
Adapter Contracts
Swap Linear for Jira, GitHub for GitLab, OpenAI embeddings for self-hosted — pipeline definitions remain unchanged. Terraform-style provider pattern.
Compliance by Design
Declare your compliance posture (RFC-0022); the framework derives gate defaults, attestation requirements, and retention. Maps to EU AI Act, NIST AI RMF, ISO 42001.
Action Governance
Declarative blockedActions in YAML, enforced at orchestrator, CLI hooks, and branch protection. Agents never merge, force-push, or escape their worktree.
Review Calibration
Deterministic-first review: AST preprocessing, confidence-tiered LLM filtering, evidence requirements, meta-review pass. Calibrate with YAML exemplars, not code rules.
SDKs for every stack
First-class support for TypeScript, Python, and Go. Build custom integrations, adapters, and agent runners in your language of choice.
TypeScript
import { PipelineBuilder } from "@ai-sdlc/sdk";
const pipeline = new PipelineBuilder("delivery")
.addTrigger("issue.assigned")
.addStage("implement", "coding-agent")
.addStage("review", "human")
.build();Python
from ai_sdlc import PipelineBuilder
pipeline = (PipelineBuilder("delivery")
.add_trigger("issue.assigned")
.add_stage("implement", "coding-agent")
.add_stage("review", "human")
.build())Go
p, _ := builders.NewPipelineBuilder("delivery").
AddTrigger("issue.assigned", nil).
AddStage("implement", "coding-agent", nil).
AddStage("review", "human", nil).
Build()Works with every AI coding tool
The orchestrator is agent-agnostic. It invokes AI coding agents through a standard AgentRunner interface. Set the auth token and the runner becomes available.
Compliance by design
Map lifecycle phases and controls directly to major regulatory frameworks. Compliance isn't an afterthought — it's part of the framework.
EU AI Act
Risk-tier classification maps to complexity-based routing. Transparency requirements map to provenance tracking.
NIST AI RMF
Govern, Map, Measure, Manage — each function maps directly to AI-SDLC resource types and reconciliation.
ISO 42001
Plan-Do-Check-Act maps to Pipeline spec, Agent execution, Quality gates, and Auto-remediation.
Solutions by industry
AI-SDLC adapts to your industry's compliance requirements, risk posture, and team structure — the framework fits your workflow, not the other way around.
Financial Services
Govern AI coding agents across your financial services SDLC with PCI-DSS, SOX, and EU AI Act compliance built in.
Learn moreHealthcare
Govern AI coding agents in healthcare with HIPAA, FDA 21 CFR Part 11, and EU AI Act compliance built into your SDLC.
Learn moreGovernment & Defense
Govern AI coding agents in government and defense with FedRAMP, NIST AI RMF, and CMMC compliance built into your SDLC.
Learn moreSaaS & Developer Tools
Govern AI coding agents in your SaaS development workflow with SOC 2 and ISO 42001 compliance and quality gates that scale.
Learn moreFintech
Govern AI coding agents in fintech with PCI-DSS, SOC 2, and EU AI Act compliance — plus the quality gates fast-moving teams need.
Learn morePlatform Engineering
Add AI agent governance to your internal developer platform. Kubernetes-native declarative model, adapter architecture, and cross-industry compliance.
Learn moreOpen source, open governance
The AI-SDLC Framework is fully open source. Contribute adapters, quality gates, agent runners, or the spec itself. Community-driven, enterprise-ready.
Need SIEM, SSO, and compliance reports?
Enterprise plans include Splunk/Datadog export, SSO/SAML, SOC 2 and ISO compliance reports, dedicated CSM, and 4-hour SLA support.