CI-Native Agent (Autonomy)

The CI-Native Agent is SquireX's autonomous remediation loop. It closes security alerts end-to-end — from a GitHub Advanced Security (GHAS) finding to a reviewed, test-validated draft PR — without any SquireX-hosted sandbox or your source code ever leaving your infrastructure.

This is the Bring Your Own Pipeline (BYOP) model: SquireX generates and statically validates the fix, then your own CI proves it with your own credentials.

Why it exists

Static scanning tells you what is wrong. The CI-Native Agent closes the loop and fixes it — while keeping a human in the merge seat and your compute under your control.

Without Autonomy	With the CI-Native Agent
Alert sits in a backlog	Fix proposed automatically as a draft PR
Engineer context-switches to triage	Engineer reviews a focused, scoped diff
Fix unverified until CI runs	Fix pre-validated by the SquireX scanner before the branch exists
Vendor sandbox holds your code	Nothing leaves your pipeline; you keep your CI credentials

The two-tier validation model

GHAS alert ──► LLM fix ──► Tier 1 (SquireX rescan) ──► branch + draft PR ──► Tier 2 (your CI) ──► green ✅
                                  │ fail                                          │ fail
                                  └── retry (max 2, free) ◄───────────────────────┘ retry (max 3)

Tier 1 — local, seconds, free. The SquireX static scanner re-runs against the proposed patch and confirms the original violation is gone before any branch is created. ServiceNow ATF and MuleSoft MUnit validation stubs are ready for customer MCP integration.
Tier 2 — your CI, minutes. Your existing GitHub Actions pipeline runs sf apex run test, ServiceNow ATF, or MuleSoft MUnit using your credentials. SquireX only reacts to the resulting check_run.completed webhook.

Safety invariants

Human always merges. Every fix is opened as a draft PR — never auto-merged.
Loop prevention. Branches the agent creates use the squirex-autofix/alert-{id} prefix and are skipped by the alert handler, so a fix can never trigger a fix of itself.
Opt-in per customer. The agent only runs when AUTOFIX_ENABLED=true is set for that installation.
Bounded retries. Up to 2 free local Tier 1 retries plus 3 CI retries. On exhaustion the agent posts a transparent explanation comment and stops — at zero charge.
Conversation chaining. Every retry replays the complete conversation history (prior attempts + CI failure logs) so the model learns within the loop instead of repeating failures.

Finds problems on its own

The agent doesn't wait to be asked. A proactive scan runs on every push to main and weekly, files a readable Jules-style GitHub Issue for each finding (first-person, severity-coded, deduplicated), and surfaces regulatory compliance tags (SOC 2, NIST AI RMF, EU AI Act, HIPAA, PCI DSS, OWASP MCP) right in the issue — then announces the incoming silent draft PR.

Pay-Per-Merge

You are billed only for autofix PRs you actually merge. Opened-but-unmerged and exhausted fixes are free. Each merged autofix is recorded for transparent monthly reconciliation.

Pricing tiers are unchanged — see the pricing page. Pay-Per-Merge applies only to the CI-Native Agent surface.

Next steps

The Fix Loop → — chaining, retries, and the state machine
Proactive Scan & Issues → — Jules-style issues + compliance tagging
BYOP CI Setup → — wire your pipeline in

Why it exists​

The two-tier validation model​

Safety invariants​

Finds problems on its own​

Pay-Per-Merge​

Next steps​