CI/CD gate with differential thresholds
The CI/CD gate closes the prevention loop. It blocks pull requests that breach the accessibility budget — but with separate budgets for AI-authored code (stricter) and human-authored code (looser). The differential is grounded in measured AI-bug-density signal from the AI authorship attribution module. Not a flat threshold, not a "fail if findings > 0" sledgehammer — a budget that knows who wrote which line. Standalone product: clamper.ai.
What it does
- Differential thresholds: Two budgets, one PR. AI-authored regions are gated more strictly than human-authored regions because AI-authored code shows roughly 1.7× bug density (CodeRabbit, GitClear). The gate reflects that asymmetry instead of ignoring it.
- Per-line attribution feed: The AI authorship attribution module fingerprints the diff and reports which lines were authored by Copilot, Cursor, Claude Code, Windsurf, Devin, or human. The gate uses that signal to apply the right budget to the right region.
- Policy DSL: Budgets, exemptions, regulator profiles, and rollout plans are written in a small policy DSL committed to the repo. Compliance posture lives in version control, not a dashboard.
- Baseline-aware gating: New violations are gated; pre-existing ones are tracked but not blocked. Teams adopt the gate without paying for legacy debt on day one. The baseline shrinks as the LLM remediation cascade remediates.
- Provider-portable: Ships as GitHub Action, GitLab job, Bitbucket pipeline, Azure DevOps task, or generic CLI. The same policy DSL runs everywhere; CI provider is a deployment detail.
- Source-only enforcement: Blocks merge before code reaches production. No runtime script ships to clients; no live-site manipulation. Gate decisions live in CI logs, where auditors can read them.
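How differential budgets, per-line attribution and a baseline can combine into one decision per pull request, as an added example that is not clamper.ai's code or its policy DSL. The budget values, the `Finding` record, the fingerprint scheme and the fail-closed handling of unattributed lines are all assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass

# Hypothetical budgets: maximum NEW findings allowed per PR, by author class.
BUDGETS = {"ai": 0, "human": 2}

@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule: str      # WCAG success criterion id reported by the scanner
    snippet: str   # source text the scanner flagged

def fingerprint(f: Finding) -> str:
    # Line numbers shift between commits, so the baseline key is built from
    # path + rule + whitespace-normalized snippet rather than the line number.
    norm = " ".join(f.snippet.split())
    return hashlib.sha256(f"{f.path}\0{f.rule}\0{norm}".encode()).hexdigest()

def gate(findings, attribution, baseline, budgets=BUDGETS):
    """Return the merge decision for one pull request."""
    new = {"ai": [], "human": []}
    tracked = []
    for f in findings:
        if fingerprint(f) in baseline:
            tracked.append(f)  # pre-existing: reported, never blocking
            continue
        # Fail closed: a line with no attribution gets the stricter AI budget.
        author = attribution.get((f.path, f.line), "ai")
        new["human" if author == "human" else "ai"].append(f)
    breached = sorted(k for k in new if len(new[k]) > budgets[k])
    return {"decision": "block" if breached else "pass",
            "breached": breached, "new": new, "tracked": tracked}

# Constructed sample data, not output from any real scanner or attribution run.
LEGACY = Finding("src/nav.html", 12, "1.1.1", '<img src="logo.png">')
SAMPLE_FINDINGS = [
    Finding("src/nav.html", 14, "1.1.1", '<img  src="logo.png">'),  # legacy, moved
    Finding("src/form.html", 30, "3.3.2", '<input type="text">'),
    Finding("src/form.html", 41, "4.1.2", '<div onclick="go()">'),
]
SAMPLE_ATTRIBUTION = {("src/form.html", 30): "human",
                      ("src/form.html", 41): "copilot"}
SAMPLE_BASELINE = {fingerprint(LEGACY)}

if __name__ == "__main__":
    result = gate(SAMPLE_FINDINGS, SAMPLE_ATTRIBUTION, SAMPLE_BASELINE)
    print(result["decision"], result["breached"])
```

Keying the baseline on content rather than line number keeps a legacy finding from being counted as new when unrelated edits move it, and defaulting missing attribution to the AI budget means a gap in the attribution feed cannot loosen the gate.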
Layer mapping
The CI/CD gate sits at the L2 Dev Tools / L3 Testing boundary. It consumes attribution from the AI authorship module and findings from L3 scanners, then emits a merge / block decision per pull request.
| Axis | Direction | What flows |
|---|---|---|
| L2 Dev Tools | Outbound — gate decision | Pass / fail status posted to GitHub / GitLab / Bitbucket / Azure DevOps with cited findings. |
| L3 Testing (WCAG/EAA) | Inbound — finding | WCAG / EN 301 549 findings from the multi-domain scan's diff inform the gate. |
| AI authorship attribution | Inbound — attribution | Per-line author signal that drives the differential thresholds. |
| Regression detection | Inbound — baseline | The regression module identifies new violations vs pre-existing baseline. |
| Backlog optimizer | Outbound — constraints | Budget thresholds become hard constraints in the backlog optimizer. |
| LLM remediation cascade | Inbound — PR | Cascade remediation PRs flow through the same gate as human-authored PRs. |
Filed IP
ARIADA holds filed-IP positions covering differential AI-vs-human thresholds, per-line attribution-driven gating, baseline-aware regression policy, and the policy DSL surface area underlying this module. Provisional application only; conversion to non-provisional and PCT national-phase decisions are pending within the 12-month window.
Application numbers, claim counts, and PCT deadlines are available for accredited-investor due diligence on the Legal & IP page.
Why differential gating matters
Snyk, Dependabot, SonarCloud, and every other CI gate in this class use a flat threshold. A finding is a finding; the line's origin is irrelevant. That model assumes uniform bug density across authors — which has not held since copilots arrived. Empirical signal (CodeRabbit's review of 470 PRs; GitClear's 211M-line longitudinal analysis) shows AI-authored code carries materially higher accessibility-bug density.
This is the only accessibility CI gate, to our knowledge, that ingests per-line authorship and gates asymmetrically. The result: teams keep shipping at velocity on human-authored work while the AI-authored regions get the review they actually need. The differential converges as authorship-conditioned bug density converges — the gate learns, it does not punish.
Standalone marketplace product: clamper.ai ships this gate as a focused CI/CD product; the umbrella ariada.ai ships it as part of the integrated nine-module pipeline.
Cross-references
- LLM remediation cascade: emits the remediation PRs that the gate subsequently checks. See the cascade →
- Backlog optimizer: consumes the gate's budget thresholds as hard constraints. See the backlog optimizer →
- AI authorship attribution: the per-line author signal that powers the differential thresholds. See AI authorship attribution →
- Regression detection: distinguishes new vs pre-existing findings so the gate does not block on legacy debt. See regression detection →
- Standalone product: clamper.ai — the gate as a marketplace CI product, same engine.
- Triad context: the CI/CD gate closes the Remediate-tier loop — prevention at the merge boundary. See the homepage triad for Architect · Detect · Remediate framing.
Source-level remediation only — agentic suggestions are not autonomous deployments; pull requests require client merge. Not a legal certification body.