Risk Engine
Risk is measured, not guessed
Every autonomous action is classified across nine change categories and four risk tiers. Each rating is decomposable; each contributor is auditable.
Risk heatmap · last 24h
Action volume by category × risk tier. Hover a cell for the underlying ledger entries.
| Category | Low | Medium | High | Critical | Total |
|---|---|---|---|---|---|
| documentation | 142 | 4 | 0 | 0 | 146 |
| frontend | 88 | 31 | 6 | 0 | 125 |
| backend | 64 | 71 | 22 | 1 | 158 |
| infrastructure | 12 | 28 | 14 | 0 | 54 |
| security | 8 | 19 | 24 | 2 | 53 |
| database | 14 | 22 | 18 | 1 | 55 |
| authentication | 6 | 11 | 12 | 1 | 30 |
| billing | 4 | 9 | 11 | 2 | 26 |
| compliance | 18 | 14 | 6 | 0 | 38 |
Risk contributors
How a single action gets its rating.
- Blast radius (weight 28%): high · 3 services
- Reversibility (weight 22%): reversible · rollback ready
- Data sensitivity (weight 18%): PII · GDPR Art. 9
- Traffic exposure (weight 14%): 100% prod traffic
- Test coverage (weight 10%): 94.2% lines · 88.1% branches
- Recent incident proximity (weight 8%): 0 incidents 30d
Composite score
71 (high) · threshold for human approval = 60
Approval requirements
By risk tier.
- low: auto-execute · 0 approvers · no canary · anytime
- medium: auto-execute · 0 approvers · canary · anytime
- high: human required · 1 approver · canary · window
- critical: human required · 2 approvers · canary · window
Mitigation playbook
Applied automatically to every high/critical risk action.
- 01 Atomic transaction wrap — all-or-nothing apply
- 02 Canary at 5% for ≥ 10 minutes before promotion
- 03 Synthetic monitor on critical path during deploy
- 04 Auto-rollback if SLO error budget burn > 2%
- 05 Sentinel security re-scan on deploy completion
