Verity Autonomy — Engineer's Explorer

Policy — .verity/autonomy.yml

mode

review.trust

0 = never merge · 1 = low-risk auto-merge · 2 = merge on green

max_usd_per_day

Repo state (what the scanner sees)

Open verity:request issue

Item carries verity:approved

Fresh lock on the item

verity:circuit-open issue

Spend so far today

The PR the run produces

Changed lines

Touches protected path

protected: **/auth/**, .github/**, scripts/deploy*, .verity/** (last two are forced — un-removable)

CI checks green

Build role outcome

Simulates verity-worker --repo you/app --once — exactly the state machine in SKETCH §4.

One tick of verity-worker --once (hover each stage)

1 · Startup checks

fail fast, exit 30

Ordered: policy validates → mode:manual → exit 0 ("autonomy disabled") → daily limits from .verity/usage.csv → gh auth status → bot login ∉ humans → no open verity:circuit-open issue. Read-only; no labels or comments are touched during checks.

→

2 · Scanner

ranked P1–P5, FIFO

P1 approved resumes (consumes verity:approved) · P2 PRs awaiting AI review · P3 ready stages · P4 new verity:request issues (bot-authored excluded — no self-feeding) · P5 whatever verity next --json says. First non-empty tier wins; oldest first; anything labeled verity:needs-human or freshly locked is skipped.

→

3 · Lock

GitHub-native, stateless

Adds verity:in-progress + a comment lock:<run-id> expires:<now + wall_clock × 1.5>. A second worker sees the fresh lock and exits 0 "locked". Expired locks are reclaimed. Release happens in finally — even on a crash.

→

4 · Run loop

next → agent-exec → repeat

Each iteration asks verity next --json (ground truth from GitHub, never cached), then runs one role headlessly via verity agent-exec <role> (Claude Code with -p --output-format stream-json and a per-role --allowed-tools deny-by-default list). Circuit breakers: max 6 chained roles, 2M tokens, 45 min wall clock. Two failures on one item → verity:needs-human, worker skips it until a human clears it.

→

5 · Gate / Summarize

audit trail + usage.csv

Human gates (review:merge, ship:prod, golive — the last is forced) pause the run: label verity:awaiting-approval + a comment telling you the exact approval action. Every run ends with one append-only summary comment (roles, outcome, tokens, est $, wall time) and a row in .verity/usage.csv.

Label vocabulary = the state machine (created by verity install, idempotent)

State lives in GitHub labels and comments — the worker is stateless and crash-safe by construction. verity:approved is a single-use token: consumed on resume.

Trust ladder — merge authority is deterministic code in the worker, never the LLM

Effective policy for your current settings

Kill switches (learn these first)

① Open any issue labeled verity:circuit-open — the worker halts at its next wake-up, before doing anything. ② verity autonomy set mode manual — worker exits 0 immediately. ③ Daily budget/run caps trip automatically (exit 30, slug daily-limit).

Tick trace

Set the scenario on the left, then press ▶ Run one worker tick.