quality-gate

Quality Gate

Use after implement-task has set a task to Implementation Complete.

Preconditions

If AGENTS.md is absent at the repository root, stop immediately and direct the user to run /sdd-bootstrap:sdd-adopt; do not proceed without it. Missing reports/quality-gate/ or docs/review-tickets/ directories may be created on the fly before continuing.

Required Reading

Read the task, implementation report, requirements, design, acceptance tests, traceability, contracts, ADRs, Git diff, and all bundled references, including deterministic-check-policy.md, evaluation-rubric.md, risk-gate-matrix.md, and risk-classification-policy.md.

Process

1. Reject any target not in Implementation Complete.
2. Create the Default-FAIL verification contract for the task from templates/verification-contract.template.json following deterministic-check-policy.md. Treat the implementation report as a claim, not as evidence.
3. Compare the implementation and report with the approved task and source artifacts.
4. Detect and run all available CI-equivalent checks using verification-policy.md. Save real command output as evidence and update the contract.
5. Verify tests using test-policy.md.
6. Run the scripted gates with scripts/*.sh or scripts/*.ps1, in this order:
   • check-risk on the task: confirms a valid Risk: tier, a non-empty Risk Rationale:, and — for high/critical — Required Workflow: tdd. The tier selects the required-check set per risk-gate-matrix.md.
   • check-placeholders on the changed production files only.
   • check-task-state on tasks.md.
   • check-contract on the task contract: enforces the tier-minimum required set (superset rule) and, when required_workflow is tdd, non-empty red_evidence + green_evidence for every test-type check.
   • check-traceability on specs/<feature>/traceability.json: every REQ → AC → TEST → evidence chain is intact (required for high/critical). For Done tasks, validate specs/<feature>/verification/<task-id>.evidence.json with check-evidence-bundle.(sh|ps1) so the report, contract, and passing evidence artifacts are all bound together. For high/critical the bundle must carry spec_revision, build_env, and review_verdict.verdict == PASS; for critical it must additionally carry a verifiable HMAC signature and a clean tree (git_generated_dirty == true is a hard fail). Always produce the bundle with generate-evidence-bundle.(sh|ps1) — never hand-author sha256 fields or the git_commit field. The runner binds the bundle to the current git commit and computes digests automatically.
7. For refactor and bugfix tasks with a baseline-behavior.md, apply differential-test-policy.md and classify every BL diff.
8. Run critical review with an isolated evaluator using evaluation-rubric.md. On Claude Code use the sdd-evaluator subagent. On Codex use the shipped sdd-evaluator TOML agent; do not create new agent role files under ~/.codex/agents/. Elsewhere, perform the review in a fresh session or a clearly separated critical-review pass. For high/critical tasks, record the evaluator's verdict as review_verdict in the evidence bundle; check-evidence-bundle requires review_verdict.verdict == PASS.
9. Classify findings as Accepted, Rejected, or Deferred.
10. Apply only safe fixes allowed by auto-fix-policy.md.
11. Repeat critical review for a maximum of 3 cycles.
12. For UI changes, use available browser or Playwright tooling to verify the rendered screen, DOM, and console, and when feasible perform the smoke run described in deterministic-check-policy.md.
13. Create review-ticket YAML for unresolved or non-auto-fixable findings.
14. Update traceability and detect drift using integrity-policy.md.
15. Create reports/quality-gate/<timestamp>.md naming the task id.

Sudo Mode

If a valid SDD_SUDO flag file exists at the project root (see plugins/sdd-quality-loop/references/sudo-mode-policy.md), routine approval checkpoints auto-pass: record Approval: Approved (sudo <ISO8601 UTC>) in tasks.md and continue. A refactor/bugfix BL diff classified accepted also auto-passes (mark (sudo <ISO8601 UTC>) and update baseline-behavior.md).

Sudo never auto-passes genuine judgment: requires_human_decision: true findings, architecture/auth/authz/breaking-API/security decisions, and a fix-required baseline diff still stop the gate and require a human. All deterministic gates apply; every check runs as normal.

Done Decision

Set the task to Done only when:

• check-risk passes: valid tier + rationale, and high/critical declares Required Workflow: tdd
• check-contract passes: every required contract check (the tier-minimum superset) is true with existing evidence files; for tdd, test checks carry red_evidence + green_evidence
• check-traceability passes for high/critical (REQ → AC → TEST → evidence)
• check-evidence-bundle passes: the bundle names the report, contract, and contract-passing artifacts, with matching hashes and task id; for high/critical it carries spec_revision, build_env, and review_verdict.verdict == PASS; for critical it carries a verified HMAC signature over a clean tree
• for critical, a second distinct named approver recorded Second Approval: Approved (enforced by check-task-state; never sudo-bypassed)
• acceptance criteria have tests
• no unresolved Critical or Major finding remains
• required UI verification succeeds
• contracts and ADRs agree with the implementation
• traceability is current

Otherwise set the task to Blocked or retain Implementation Complete, and create review tickets. Do not commit, push, or create a PR/MR unless explicitly requested.