The problem

AI coding agents are fast and occasionally catastrophic. Review every agent-authored pull request by hand and you throw away the speed that made agents worth adopting. Trust all of them and you quietly erase the invariants that keep a repository safe — until the day a generated PR rewrites your auth code or your CI config.

What is missing is a dial between those two failure modes: a way to say "small, reversible changes can flow; anything that touches the dangerous parts stops for a human."

What I built

interlock is that dial — a deterministic governance gate driven by a single interlock.yml policy. It is a fuse, not another AI: glob matching and rule evaluation, the same verdict every time. No language model judges your PR, and the gate cannot silently fail open.

tiers:
  tier0: ["docs/**", "**/*.md"]          # behaviour-neutral
  tier2: [".github/**", "interlock.yml"] # protected — humans only
rules:
  agent-on-tier2: block

• Reversibility tiers. Paths sort into Tier 0 (behaviour-neutral), Tier 1 (normal review) and Tier 2 (protected: CI config, auth, the policy itself). A PR's tier is the maximum across every file it touches, so one protected file in a thousand-file change still stops for a human.
• Author-aware. Agent-authored PRs are detected by login, branch prefix, or commit trailer, and held to stricter rules than human ones.
• Two surfaces, one policy. A GitHub Action enforces in CI; a CLI runs the same check locally as a pre-flight.
• Safe by construction. The policy is always read from the PR's base branch, so a PR cannot weaken the rule that judges it, and interlock.yml protects itself.
A PR is classified by path and takes the maximum reversibility tier across its files. Only Tier 0 rejoins the autonomous loop; Tier 2 always stops for a human.
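To make the classification concrete, here is an added TypeScript sketch of the gating logic described above. It is not the agent-interlock code base; it assumes a hand-rolled glob matcher, constructed agent markers (a "[bot]" login suffix, an "agent/" branch prefix, an agent co-author trailer) and a policy object already loaded from the PR's base branch.

```typescript
// Added illustration of interlock-style gating; not the agent-interlock implementation.
// The policy is assumed to come from the base branch, never from the PR under review.
type Tier = 0 | 1 | 2;
type Verdict = "pass" | "review" | "block";
interface Policy { tiers: Record<string, string[]>; rules: Record<string, string>; }
interface PullRequest { author: string; branch: string; trailers: string[]; files: string[]; }

// Minimal glob -> RegExp: `**` spans directories, `*` and `?` stay inside one path segment.
function globToRegExp(glob: string): RegExp {
  let re = "";
  for (let i = 0; i < glob.length; i++) {
    const c = glob[i];
    if (c === "*" && glob[i + 1] === "*") {
      // A leading `**/` may match zero segments, so "**/*.md" also matches "README.md".
      if (glob[i + 2] === "/") { re += "(?:.*/)?"; i += 2; } else { re += ".*"; i += 1; }
    } else if (c === "*") re += "[^/]*";
    else if (c === "?") re += "[^/]";
    else re += c.replace(/[.+^${}()|[\]\\]/g, "\\$&");
  }
  return new RegExp(`^${re}$`);
}

// Per file, the highest matching tier wins; a file matching nothing is Tier 1 (normal review).
function fileTier(policy: Policy, path: string): Tier {
  if ((policy.tiers["tier2"] ?? []).some(g => globToRegExp(g).test(path))) return 2;
  if ((policy.tiers["tier0"] ?? []).some(g => globToRegExp(g).test(path))) return 0;
  return 1;
}

// A PR takes the maximum tier across every file it touches.
function prTier(policy: Policy, pr: PullRequest): Tier {
  return pr.files.reduce<Tier>((max, f) => Math.max(max, fileTier(policy, f)) as Tier, 0);
}

// Agent detection by login, branch prefix or commit trailer (constructed markers, not interlock's).
function isAgentAuthored(pr: PullRequest): boolean {
  return pr.author.endsWith("[bot]") || pr.branch.startsWith("agent/")
    || pr.trailers.some(t => /^Co-authored-by:.*agent/i.test(t));
}

// Only Tier 0 rejoins the autonomous loop; Tier 2 stops for a human, and is blocked for agents.
function gate(policy: Policy, pr: PullRequest): Verdict {
  const tier = prTier(policy, pr);
  if (tier === 2 && isAgentAuthored(pr) && policy.rules["agent-on-tier2"] === "block") return "block";
  return tier === 0 ? "pass" : "review";
}

// Constructed policy mirroring the interlock.yml fragment shown above.
const policy: Policy = { tiers: { tier0: ["docs/**", "**/*.md"], tier2: [".github/**", "interlock.yml"] },
                         rules: { "agent-on-tier2": "block" } };
```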

Outcome

Published to npm as agent-interlock and shipped as a versioned GitHub Action. The engine carries a test suite of more than 100 tests, releases are semantically versioned, and the pipeline is hardened: least-privilege tokens, dependency-advisory pinning, automated dependency triage. The project gates its own pull requests with interlock.

Tech

A TypeScript monorepo: a pure core engine (classification, policy parsing, gating), a CLI entry point, and an action/ wrapper whose bundle is reproducibly built and verified in CI. Tested with Vitest.