Skip to content

Quality Gates - Automated Security and Code Quality Checks

Quality Gates run automatically as skill invocations during the verification phase of a strategy. They detect security vulnerabilities, code quality issues, and documentation sync status.

GatePurposeChecks For
verify-securitySecurity vulnerability scanInjection flaws, leaked secrets, dangerous functions, OWASP Top 10
verify-qualityCode quality checkCyclomatic complexity, function length, duplication, naming conventions
verify-changeChange impact analysisDoc sync, API signature change impact, dependency changes
verify-moduleModule completeness checkDirectory structure, missing docs, README/DESIGN existence
gen-docsDocumentation generatorAuto-generates README.md + DESIGN.md skeletons

Quality gates fire based on context — no manual invocation needed:

/gen-docs <module-path> → Generate documentation skeleton
/verify-module <module-path> → Check structural completeness
/verify-security <module-path> → Security scan
/verify-change → Analyze change impact, check doc sync
/verify-quality <changed-path> → Check complexity, code smells

When Changes Touch Security-Sensitive Code

Section titled “When Changes Touch Security-Sensitive Code”

Changes involving authentication, authorization, encryption, input validation, or secrets management:

/verify-security <changed-path> → Security vulnerability scan
/verify-change → Ensure docs reflect the refactoring
/verify-quality <refactored-path> → Verify quality improved
/verify-security <refactored-path> → Confirm no new vulnerabilities

Checks for:

  • SQL injection, XSS, SSRF, and other injection vulnerabilities
  • Hardcoded keys / tokens / passwords
  • Insecure cryptographic implementations
  • Missing input validation
  • Dangerous function calls (eval, exec, system)
  • Path traversal risks
  • CORS misconfiguration

Output format:

[Critical] src/api/auth.ts:42 — Hardcoded JWT secret
[High] src/utils/db.ts:15 — Non-parameterized SQL concatenation
[Medium] src/config.ts:8 — CORS allows all origins

Checks for:

  • Function cyclomatic complexity > 10
  • Single function exceeding 50 lines
  • Single file exceeding 500 lines
  • Duplicate code blocks
  • Non-compliant naming (violates project conventions)
  • Unused imports / variables
  • Missing error handling

Quality thresholds:

MetricThresholdSeverity
Cyclomatic complexity> 10Warning
Cyclomatic complexity> 20Critical
Function length> 50 linesWarning
File length> 500 linesWarning
Duplication rate> 5%Warning

Checks for:

  • Public API signature changes with call-site impact search
  • README / DESIGN.md sync status
  • Config file changes needing documentation updates
  • Dependency version change impact radius
  • Database schema change migration status

Checks for:

  • Whether the directory contains a README.md
  • Whether it contains a DESIGN.md (optional)
  • Whether an export file (index.ts / mod.rs etc.) exists
  • Whether test files exist
  • Whether documentation is in sync with code
LevelMeaningAction
CriticalMust fix immediatelyBlocks delivery
HighShould fixRecommended before delivery
WarningSuggested improvementNon-blocking, logged as tech debt
InfoInformationalNotification only, no action needed
  1. Non-blocking — Except for Critical findings, gates only produce reports without stopping delivery
  2. Chainable — Execute in the order specified above; skip subsequent gates if a previous one fails
  3. Silent on pass — No verbose “all clear” output when everything passes
  4. Idempotent — Safe to re-run; same input produces same output

Quality gates run during Phase 5 of the full-collaborate strategy:

Phase 4: Implementation (Builder coding)
Phase 5: Verification ← Quality gates run here
├── verify-security
├── verify-quality
└── verify-change
Phase 6: Dual-model cross-review

You can invoke quality gates directly as skills in a Claude Code session:

Please run verify-security on the src/auth/ directory
Please run verify-quality on the changes I just made

The engine routes the request to the corresponding skill file for execution.