New requirements should never land like a sudden tax on your developers. Now they don't have to. Every requirement carries one of three enforcement modes: audit, warn, or enforce.
- Audit runs the requirement and records every finding to the detailed findings page, but stays invisible to developers and coding agents. Use it to measure how often a rule would fire before you commit to rolling it out.
- Warn surfaces findings as hints in PR/MR reviews, but doesn't block merges.
- Enforce runs guardrails, blocks merges, and pipes findings back to coding agents so they can fix and retry.
Pro tip: turn a new requirement on in audit for a week. Watch the detailed findings page, see where it actually fires, refine the language or scope based on real signal, then promote to warn for another week, and only then to enforce. Audit-only findings deliberately don't leak into PR comments or hook output, so you get clean measurement without spooking anyone. The same applies in reverse if you ever need to dial a noisy rule back down without deleting it.