ClaudeWave
Slash Command · 89 repo stars · updated 1mo ago

gate

Run quality gates (CI checks or security scanning)

Install in Claude Code
mkdir -p ~/.claude/commands && curl -fsSL https://raw.githubusercontent.com/marcusgoll/Spec-Flow/HEAD/.claude/commands/quality/gate.md -o ~/.claude/commands/gate.md
Then open a new Claude Code session; the slash command loads automatically.

gate.md

# /gate — Quality Gates

<context>
**Arguments**: $ARGUMENTS

**Current Branch**: !`git branch --show-current 2>/dev/null || echo "none"`

**Project Detection**:
- Node.js: !`test -f package.json && echo "yes" || echo "no"`
- Python: !`test -f pyproject.toml -o -f requirements.txt && echo "yes" || echo "no"`
- Rust: !`test -f Cargo.toml && echo "yes" || echo "no"`
- Go: !`test -f go.mod && echo "yes" || echo "no"`

**Workflow State**: @.spec-flow/memory/state.yaml
</context>

<objective>
Unified quality gate validation:

| Command | Purpose | Pass Criteria |
|---------|---------|---------------|
| `/gate ci` | CI quality checks | All checks pass |
| `/gate sec` | Security scanning | No CRITICAL/HIGH issues |

Gates block deployment until passed.
</objective>

<process>

## Step 1: Parse Gate Type

Extract first argument as gate type:
- `ci` → Run CI quality checks
- `sec` → Run security scanning

**If no argument provided**, use AskUserQuestion:

```json
{
  "questions": [{
    "question": "Which quality gate do you want to run?",
    "header": "Gate",
    "multiSelect": false,
    "options": [
      {"label": "ci", "description": "Tests, linting, types, coverage (Recommended)"},
      {"label": "sec", "description": "SAST, secrets detection, dependency audit"}
    ]
  }]
}
```

---

## Gate: CI (`/gate ci`)

### Purpose

Validate code quality before deployment:
1. All tests pass
2. Linting checks pass
3. Type checks pass
4. Coverage meets threshold (if configured)

### Step CI-1: Detect Project Type

Use Glob to detect project files:

| File Found | Project Type | Test Command | Lint Command | Type Command |
|------------|--------------|--------------|--------------|--------------|
| `package.json` | Node.js | `npm test` or `pnpm test` | `npm run lint` | `npx tsc --noEmit` |
| `pyproject.toml` | Python | `pytest` | `ruff check .` | `mypy .` |
| `Cargo.toml` | Rust | `cargo test` | `cargo clippy` | `cargo check` |
| `go.mod` | Go | `go test ./...` | `go vet ./...` | (included in vet) |

**If multiple project types detected**, run checks for each.

### Step CI-2: Run Tests

Execute test command for detected project type:

```bash
# Node.js
npm test 2>&1

# Python
pytest 2>&1

# Rust
cargo test 2>&1

# Go
go test ./... 2>&1
```

**Capture**: Exit code and output
**Record**: TESTS_PASSED = (exit code == 0)

### Step CI-3: Run Linters

Execute lint command:

```bash
# Node.js
npm run lint 2>&1

# Python
ruff check . 2>&1

# Rust
cargo clippy -- -D warnings 2>&1

# Go
go vet ./... 2>&1
```

**Capture**: Exit code and output
**Record**: LINTERS_PASSED = (exit code == 0)

### Step CI-4: Run Type Checks

Execute type check command:

```bash
# Node.js (if tsconfig.json exists)
npx tsc --noEmit 2>&1

# Python (if mypy configured)
mypy . 2>&1

# Rust (built into cargo check)
cargo check 2>&1

# Go (included in go vet)
# Already run in linter step
```

**Capture**: Exit code and output
**Record**: TYPE_CHECK_PASSED = (exit code == 0)

### Step CI-5: Check Coverage (If Configured)

**Node.js** — Check `coverage/coverage-summary.json`:
```bash
# Read coverage file if exists
test -f coverage/coverage-summary.json && cat coverage/coverage-summary.json
```

Extract `total.lines.pct` using Read tool and JSON parsing.

**Python** — Check `coverage.xml` or `.coverage`:
```bash
# Generate coverage report if .coverage exists
test -f .coverage && coverage report --format=total
```

**Rust/Go** — Coverage optional, mark as SKIPPED (not PASSED).

**Coverage Evaluation**:
| Coverage | Status |
|----------|--------|
| >= 80% | PASSED |
| < 80% | FAILED |
| Not configured | SKIPPED |

**IMPORTANT**: SKIPPED is NOT the same as PASSED. Display honestly:
- `PASSED (87%)` — Coverage meets threshold
- `FAILED (62%)` — Coverage below threshold
- `SKIPPED` — Coverage not configured for this project type

### Step CI-6: Determine Gate Status

```
GATE_STATUS = "PASSED" if:
  - TESTS_PASSED == true
  - LINTERS_PASSED == true
  - TYPE_CHECK_PASSED == true
  - COVERAGE_STATUS != "FAILED"  (SKIPPED is acceptable)

GATE_STATUS = "FAILED" otherwise
```
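
A deterministic version of the coverage evaluation in Step CI-5 and the status rule in Step CI-6, as an added Python example that is not part of gate.md or the Spec-Flow project. The function names and the sample JSON are constructed here, and treating a coverage report that exists but cannot be read as FAILED rather than SKIPPED is this example's assumption, so that a broken report cannot open the gate.

```python
import json

THRESHOLD = 80.0  # threshold from the Coverage Evaluation table

# Constructed samples in the shape of coverage/coverage-summary.json
SAMPLE_OK = '{"total": {"lines": {"total": 200, "covered": 174, "pct": 87}}}'
SAMPLE_LOW = '{"total": {"lines": {"total": 200, "covered": 124, "pct": 62}}}'


def coverage_status(summary_text, threshold=THRESHOLD):
    """Return (status, pct) for the text of the coverage summary file.

    summary_text is None when the file does not exist (not configured).
    """
    if summary_text is None:
        return "SKIPPED", None
    try:
        pct = json.loads(summary_text)["total"]["lines"]["pct"]
    except (ValueError, KeyError, TypeError):
        # Assumption of this example: an unreadable report fails closed.
        return "FAILED", None
    if isinstance(pct, bool) or not isinstance(pct, (int, float)):
        return "FAILED", None  # pct present but not a number
    return ("PASSED" if pct >= threshold else "FAILED"), pct


def gate_status(tests_passed, linters_passed, type_check_passed, cov_status):
    """Step CI-6: every check must be True; coverage may be SKIPPED."""
    ok = (
        tests_passed is True
        and linters_passed is True
        and type_check_passed is True
        and cov_status in ("PASSED", "SKIPPED")
    )
    return "PASSED" if ok else "FAILED"


def display(cov_status, pct):
    """Render the coverage line without presenting SKIPPED as PASSED."""
    return cov_status if pct is None else f"{cov_status} ({pct:g}%)"


if __name__ == "__main__":
    for text in (SAMPLE_OK, SAMPLE_LOW, None, "{truncated"):
        status, pct = coverage_status(text)
        print(display(status, pct), "->", gate_status(True, True, True, status))
```

A check whose result was never recorded (`None`) fails the gate here because each flag is compared with `is True`.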

### Step CI-7: Record Results

Update `.spec-flow/memory/state.yaml`:

```yaml
quality_gates:
  ci:
    status: passed  # or failed
    timestamp: 2025-12-14T18:00:00Z
    checks:
      tests: passed
      linters: passed
      type_check: passed
      coverage: passed  # or failed or skipped
    coverage_pct: 87  # if available
```

### Step CI-8: Display Results

```
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
 CI Quality Gate
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Project: {Node.js | Python | Rust | Go}

Tests:      {PASSED | FAILED}
Linting:    {PASSED | FAILED}
Type Check: {PASSED | FAILED}
Coverage:   {PASSED (N%) | FAILED (N%) | SKIPPED}

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

{PASSED: Gate passed. Ready for deployment.}
{FAILED: Gate failed. Fix issues before proceeding.}

{If FAILED, show first error from each failing check}
```

---

## Gate: Security (`/gate sec`)

### Purpose

Ensure no security vulnerabilities before deployment:
1. Static Application Security Testing (SAST)
2. Secrets detection (no hardcoded credentials)
3. Dependency vulnerability scanning

### Step SEC-1: Check Available Tools

Detect which security tools are installed:

```bash
# Check each tool
command -v semgrep >/dev/null 2>&1 && echo "semgrep: available"
command -v git-secrets >/dev/null 2>&1 && echo "git-secrets: available"
command -v npm >/dev/null 2>&1 && echo "npm audit: available"
command -v pip-audit >/dev/null 2>&1 && echo "pip-audit: available"
```

**If no tools available**, provide installation guidance:

```
Security tools not found. Install one or more:

SAST:
  pip install semgrep

Secrets Detection:
  brew install git-secrets  (macOS)
  choco install git-secrets (Windows)

Dependency Scanning:
  npm audit (Node.js - built-in)
  pip install pip-audit (Python)
```

### Step SEC-2: Run SAST (if available)

```bash
# Semgrep with auto config
semgrep --config=auto --json . 2>&1