Ai quality-gates
Quality checkpoints at every development stage — pre-commit through post-deploy — with configuration examples, threshold tables, bypass protocols, and CI/CD integration. Use when setting up quality automation, configuring CI pipelines, establishing coverage thresholds, or defining deployment requirements.
install
source · Clone the upstream repo
git clone https://github.com/wpank/ai
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/wpank/ai "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/testing/quality-gates" ~/.claude/skills/wpank-ai-quality-gates && rm -rf "$T"
manifest:
skills/testing/quality-gates/SKILL.mdsource content
Quality Gates
Enforce quality checkpoints at every stage of the development lifecycle. Each gate defines what is checked, when it runs, and whether it blocks progression.
Installation
OpenClaw / Moltbot / Clawbot
npx clawhub@latest install quality-gates
When to Use
- Before committing — catch lint errors, formatting issues, type errors, and secrets before they enter history
- Before merging — ensure full test suites pass, coverage thresholds are met, and code has been reviewed
- Before deploying — validate integration tests, security scans, and performance budgets in staging
- During code review — verify that all automated gates have passed and manual review criteria are satisfied
- After deploying — monitor health checks, error rates, and performance baselines
Gate Overview
| Gate | When | Checks | Blocking? |
|---|---|---|---|
| Pre-commit | | Lint, format, type-check, secrets scan | Yes |
| Pre-push | | Unit tests, build verification | Yes |
| Pre-merge | PR/MR approval | Full test suite, code review, coverage threshold | Yes |
| Pre-deploy (staging) | Deploy to staging | Integration tests, smoke tests, security scan | Yes |
| Pre-deploy (production) | Deploy to production | Staging verification, load test, rollback plan | Yes |
| Post-deploy | After production deploy | Health checks, error rate monitoring, perf baselines | Alerting |
Pre-commit Setup
Husky + lint-staged (Node.js)
{ "lint-staged": { "*.{js,ts,tsx}": ["eslint --fix", "prettier --write"], "*.{json,md,yaml}": ["prettier --write"] } }
npx husky init echo "npx lint-staged" > .husky/pre-commit
Pre-commit framework (Python)
# .pre-commit-config.yaml repos: - repo: https://github.com/pre-commit/pre-commit-hooks rev: v4.6.0 hooks: - id: trailing-whitespace - id: end-of-file-fixer - id: check-yaml - id: check-added-large-files - repo: https://github.com/astral-sh/ruff-pre-commit rev: v0.6.0 hooks: - id: ruff args: [--fix] - id: ruff-format - repo: https://github.com/pre-commit/mirrors-mypy rev: v1.11.0 hooks: - id: mypy
Secrets Scanning (pre-commit hook)
#!/bin/sh # .git/hooks/pre-commit gitleaks protect --staged --verbose if [ $? -ne 0 ]; then echo "Secrets detected. Commit blocked." exit 1 fi
CI/CD Gate Configuration
GitHub Actions
name: Quality Gates on: pull_request: branches: [main] jobs: lint-and-typecheck: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - uses: actions/setup-node@v4 - run: npm ci - run: npm run lint - run: npm run typecheck unit-tests: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - uses: actions/setup-node@v4 - run: npm ci - run: npm test -- --coverage - name: Check coverage threshold run: | COVERAGE=$(jq '.total.lines.pct' coverage/coverage-summary.json) if (( $(echo "$COVERAGE < 80" | bc -l) )); then echo "Coverage $COVERAGE% is below 80% threshold" exit 1 fi security-scan: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - run: npm audit --audit-level=high - uses: gitleaks/gitleaks-action@v2 build: needs: [lint-and-typecheck, unit-tests, security-scan] runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - uses: actions/setup-node@v4 - run: npm ci - run: npm run build
Set these as required status checks in branch protection rules so PRs cannot merge until all gates pass.
Coverage Gates
| Type | Minimum Threshold | Notes |
|---|---|---|
| Unit tests | 80% line coverage | Per-file and aggregate |
| Integration tests | 60% of integration points | API endpoints, DB queries |
| E2E tests | 100% of critical paths | Auth, checkout, core workflows |
| No decrease rule | 0% regression allowed | New code must not lower overall coverage |
Enforcing Thresholds
// jest.config.js or vitest.config.ts { "coverageThreshold": { "global": { "branches": 75, "functions": 80, "lines": 80, "statements": 80 } } }
For the no decrease rule, compare coverage against the base branch in CI and fail if the delta is negative.
Security Gates
Dependency Scanning
| Ecosystem | Tool | Command |
|---|---|---|
| Node.js | npm audit | |
| Python | pip-audit | |
| Rust | cargo audit | |
| Go | govulncheck | |
| Universal | Trivy | |
Secret Detection
| Tool | Use Case | Command |
|---|---|---|
| gitleaks | Pre-commit and CI | |
| TruffleHog | Deep history scan | |
| detect-secrets | Baseline-aware scanning | |
Performance Gates
Bundle Size Budgets
{ "bundlesize": [ { "path": "dist/main.*.js", "maxSize": "150 kB" }, { "path": "dist/vendor.*.js", "maxSize": "250 kB" }, { "path": "dist/**/*.css", "maxSize": "30 kB" } ] }
Lighthouse CI Thresholds
{ "ci": { "assert": { "assertions": { "categories:performance": ["error", { "minScore": 0.9 }], "categories:accessibility": ["error", { "minScore": 0.95 }], "categories:best-practices": ["error", { "minScore": 0.9 }], "first-contentful-paint": ["error", { "maxNumericValue": 2000 }], "largest-contentful-paint": ["error", { "maxNumericValue": 2500 }], "cumulative-layout-shift": ["error", { "maxNumericValue": 0.1 }] } } } }
API Response Time Limits
| Endpoint Type | P50 | P95 | P99 |
|---|---|---|---|
| Read (GET) | < 100ms | < 300ms | < 500ms |
| Write (POST/PUT) | < 200ms | < 500ms | < 1000ms |
| Search/aggregate | < 300ms | < 800ms | < 2000ms |
| Health check | < 50ms | < 100ms | < 200ms |
Enforce via load testing tools (k6, Artillery) in CI with pass/fail thresholds.
Review Gates
Required Approvals
| Change Scope | Approvals Required |
|---|---|
| Standard code changes | 1 approval minimum |
| Infrastructure, auth, payments, data models | 2 approvals |
| Dependency updates, cryptographic changes | Security team approval |
CODEOWNERS
# .github/CODEOWNERS * @team/engineering /infra/ @team/platform /src/auth/ @team/security /src/payments/ @team/payments @team/security *.sql @team/data-engineering Dockerfile @team/platform
Gate Bypass Protocol
When Bypass Is Acceptable
- Hotfixes for production incidents with active user impact
- Trivial changes (typos, comments) where automated checks are overkill
- Dependency updates that break CI due to upstream issues (not your code)
Required Documentation for Every Bypass
- Reason — why the gate cannot pass right now
- Risk assessment — what could go wrong by skipping
- Follow-up ticket — link to an issue that tracks resolving the bypass
- Approver — name of the senior engineer or lead who authorized the bypass
NEVER Do
- NEVER disable gates permanently — fix the root cause, don't remove the guardrail
- NEVER commit secrets — even to "test" branches; git history is forever
- NEVER skip tests to unblock a deploy — if tests fail, the code is not ready
- NEVER merge with failing required checks — admin merge bypasses erode team trust
- NEVER set coverage thresholds to 0% — even a low threshold is better than none
- NEVER bypass security scans for speed — vulnerabilities in production cost far more than CI minutes
- NEVER rely solely on post-deploy gates — catching issues after users are impacted is damage control, not quality
- NEVER treat alerting gates as optional — post-deploy monitoring exists because pre-deploy gates cannot catch everything; ignoring alerts defeats the purpose