Canonical seven-stage flow
Policy decisions should stay attached to the existing quote -> 402 -> inspect lifecycle, not invent a second control path outside persisted actions.
Maintainer controls
This surface translates Sigillum’s current policy direction into an operator-facing control board. It does not mutate live rules yet, but it now shows the exact controls maintainers and agent operators need for production readiness.
Maintainer surface
These cards translate the live Sigillum product state into a maintainer/admin runbook without exposing raw payloads or editing the payment path.
Policy decisions should stay attached to the existing quote -> 402 -> inspect lifecycle, not invent a second control path outside persisted actions.
Maintainers need explicit controls for fail-on-warn, recommendation gating, and optional score ceilings before Sigillum can be treated as a mature branch or workflow gate.
Policies should also explain when to pause before spend. Quotes already provide the truth source, so budget-based blocks can sit alongside risk-based blocks.
Primary runbook
These are the concrete control layers that turn Sigillum from a proof feed into a real operator gate while still respecting the current hosted architecture.
The first layer should let an operator decide which Sigillum outcomes are acceptable for their repo or agent flow.
Some teams will prefer a numeric ceiling rather than only a recommendation gate. That should stay additive rather than replacing the recommendation signal.
Quotes already expose the price before inspection, which makes spend policy a natural companion to risk policy.
Admin checks
These cards define the production-ready policy contract without widening into server edits in this worker.
Admin metrics
These are the operational proof points the current GitHub, policy, and pricing surfaces should make easy to audit before expanding scope.
Repo default
That is a safe initial state for adoption, but production repos typically want stronger enforcement once the workflow is trusted.
Recommended knobs
Recommendation threshold, max risk score, spend cap, and comment/reporting mode are the smallest serious maintainer control set.
Shared logic
GitHub maintainers, indie builders, and autonomous agents should all consume the same rule semantics even if their UI differs.
Audit requirement
Whenever a quote or receipt is blocked by policy, the reason should be clear and persisted so teams can audit why Sigillum stopped the action.
Pricing packaging
One quote engine still prices the work. These cards show how that same logic can be presented to different operators without introducing separate backend math.
Maintainer policy
Best for review workflows where the admin wants a monthly ceiling and deterministic branch-gate behavior without introducing subscription billing yet.
Indie builder policy
Best for hosted CLI use, where a solo user wants a simple spend ceiling and a clean answer before paying for inspection.
Agent policy
Best for automated systems where multiple runners or agents need budget guardrails before unattended spend accumulates.
Useful links
These routes let maintainers move from runbook guidance back into live proof without hunting through internal docs.