Quality Gates - Automated Security and Code Quality Checks
Quality Gates run automatically as skill invocations during the verification phase of a strategy. They detect security vulnerabilities, code quality issues, and documentation sync status.
Available Gates
Section titled “Available Gates”| Gate | Purpose | Checks For |
|---|---|---|
verify-security | Security vulnerability scan | Injection flaws, leaked secrets, dangerous functions, OWASP Top 10 |
verify-quality | Code quality check | Cyclomatic complexity, function length, duplication, naming conventions |
verify-change | Change impact analysis | Doc sync, API signature change impact, dependency changes |
verify-module | Module completeness check | Directory structure, missing docs, README/DESIGN existence |
gen-docs | Documentation generator | Auto-generates README.md + DESIGN.md skeletons |
Automatic Trigger Conditions
Section titled “Automatic Trigger Conditions”Quality gates fire based on context — no manual invocation needed:
When a New Module is Created
Section titled “When a New Module is Created”/gen-docs <module-path> → Generate documentation skeleton ↓/verify-module <module-path> → Check structural completeness ↓/verify-security <module-path> → Security scanWhen Code Changes Exceed 30 Lines
Section titled “When Code Changes Exceed 30 Lines”/verify-change → Analyze change impact, check doc sync ↓/verify-quality <changed-path> → Check complexity, code smellsWhen Changes Touch Security-Sensitive Code
Section titled “When Changes Touch Security-Sensitive Code”Changes involving authentication, authorization, encryption, input validation, or secrets management:
/verify-security <changed-path> → Security vulnerability scanAfter Refactoring
Section titled “After Refactoring”/verify-change → Ensure docs reflect the refactoring ↓/verify-quality <refactored-path> → Verify quality improved ↓/verify-security <refactored-path> → Confirm no new vulnerabilitiesGate Details
Section titled “Gate Details”verify-security
Section titled “verify-security”Checks for:
- SQL injection, XSS, SSRF, and other injection vulnerabilities
- Hardcoded keys / tokens / passwords
- Insecure cryptographic implementations
- Missing input validation
- Dangerous function calls (
eval,exec,system) - Path traversal risks
- CORS misconfiguration
Output format:
[Critical] src/api/auth.ts:42 — Hardcoded JWT secret[High] src/utils/db.ts:15 — Non-parameterized SQL concatenation[Medium] src/config.ts:8 — CORS allows all originsverify-quality
Section titled “verify-quality”Checks for:
- Function cyclomatic complexity > 10
- Single function exceeding 50 lines
- Single file exceeding 500 lines
- Duplicate code blocks
- Non-compliant naming (violates project conventions)
- Unused imports / variables
- Missing error handling
Quality thresholds:
| Metric | Threshold | Severity |
|---|---|---|
| Cyclomatic complexity | > 10 | Warning |
| Cyclomatic complexity | > 20 | Critical |
| Function length | > 50 lines | Warning |
| File length | > 500 lines | Warning |
| Duplication rate | > 5% | Warning |
verify-change
Section titled “verify-change”Checks for:
- Public API signature changes with call-site impact search
- README / DESIGN.md sync status
- Config file changes needing documentation updates
- Dependency version change impact radius
- Database schema change migration status
verify-module
Section titled “verify-module”Checks for:
- Whether the directory contains a
README.md - Whether it contains a
DESIGN.md(optional) - Whether an export file (
index.ts/mod.rsetc.) exists - Whether test files exist
- Whether documentation is in sync with code
Severity Levels
Section titled “Severity Levels”| Level | Meaning | Action |
|---|---|---|
| Critical | Must fix immediately | Blocks delivery |
| High | Should fix | Recommended before delivery |
| Warning | Suggested improvement | Non-blocking, logged as tech debt |
| Info | Informational | Notification only, no action needed |
Execution Rules
Section titled “Execution Rules”- Non-blocking — Except for Critical findings, gates only produce reports without stopping delivery
- Chainable — Execute in the order specified above; skip subsequent gates if a previous one fails
- Silent on pass — No verbose “all clear” output when everything passes
- Idempotent — Safe to re-run; same input produces same output
Position in Strategy Flow
Section titled “Position in Strategy Flow”Quality gates run during Phase 5 of the full-collaborate strategy:
Phase 4: Implementation (Builder coding) ↓Phase 5: Verification ← Quality gates run here ├── verify-security ├── verify-quality └── verify-change ↓Phase 6: Dual-model cross-reviewManual Invocation
Section titled “Manual Invocation”You can invoke quality gates directly as skills in a Claude Code session:
Please run verify-security on the src/auth/ directoryPlease run verify-quality on the changes I just madeThe engine routes the request to the corresponding skill file for execution.