{ "schemaVersion": "1.0", "item": { "slug": "quality-gates", "name": "Quality Gates", "source": "tencent", "type": "skill", "category": "开发工具", "sourceUrl": "https://clawhub.ai/wpank/quality-gates", "canonicalUrl": "https://clawhub.ai/wpank/quality-gates", "targetPlatform": "OpenClaw" }, "install": { "downloadMode": "redirect", "downloadUrl": "/downloads/quality-gates", "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=quality-gates", "sourcePlatform": "tencent", "targetPlatform": "OpenClaw", "installMethod": "Manual import", "extraction": "Extract archive", "prerequisites": [ "OpenClaw" ], "packageFormat": "ZIP package", "includedAssets": [ "README.md", "SKILL.md" ], "primaryDoc": "SKILL.md", "quickSetup": [ "Download the package from Yavira.", "Extract the archive and review SKILL.md first.", "Import or place the package into your OpenClaw setup." ], "agentAssist": { "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.", "steps": [ "Download the package from Yavira.", "Extract it into a folder your agent can access.", "Paste one of the prompts below and point your agent at the extracted folder." ], "prompts": [ { "label": "New install", "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Then review README.md for any prerequisites, environment setup, or post-install checks. Tell me what you changed and call out any manual steps you could not complete." }, { "label": "Upgrade existing", "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Then review README.md for any prerequisites, environment setup, or post-install checks. Summarize what changed and any follow-up checks I should run." } ] }, "sourceHealth": { "source": "tencent", "status": "healthy", "reason": "direct_download_ok", "recommendedAction": "download", "checkedAt": "2026-05-07T17:22:31.273Z", "expiresAt": "2026-05-14T17:22:31.273Z", "httpStatus": 200, "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=afrexai-annual-report", "contentType": "application/zip", "probeMethod": "head", "details": { "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=afrexai-annual-report", "contentDisposition": "attachment; filename=\"afrexai-annual-report-1.0.0.zip\"", "redirectLocation": null, "bodySnippet": null }, "scope": "source", "summary": "Source download looks usable.", "detail": "Yavira can redirect you to the upstream package for this source.", "primaryActionLabel": "Download for OpenClaw", "primaryActionHref": "/downloads/quality-gates" }, "validation": { "installChecklist": [ "Use the Yavira download entry.", "Review SKILL.md after the package is downloaded.", "Confirm the extracted package contains the expected setup assets." ], "postInstallChecks": [ "Confirm the extracted package includes the expected docs or setup files.", "Validate the skill or prompts are available in your target agent workspace.", "Capture any manual follow-up steps the agent could not complete." ] }, "downloadPageUrl": "https://openagent3.xyz/downloads/quality-gates", "agentPageUrl": "https://openagent3.xyz/skills/quality-gates/agent", "manifestUrl": "https://openagent3.xyz/skills/quality-gates/agent.json", "briefUrl": "https://openagent3.xyz/skills/quality-gates/agent.md" }, "agentAssist": { "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.", "steps": [ "Download the package from Yavira.", "Extract it into a folder your agent can access.", "Paste one of the prompts below and point your agent at the extracted folder." ], "prompts": [ { "label": "New install", "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Then review README.md for any prerequisites, environment setup, or post-install checks. Tell me what you changed and call out any manual steps you could not complete." }, { "label": "Upgrade existing", "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Then review README.md for any prerequisites, environment setup, or post-install checks. Summarize what changed and any follow-up checks I should run." } ] }, "documentation": { "source": "clawhub", "primaryDoc": "SKILL.md", "sections": [ { "title": "Quality Gates", "body": "Enforce quality checkpoints at every stage of the development lifecycle. Each gate defines what is checked, when it runs, and whether it blocks progression." }, { "title": "When to Use", "body": "Before committing — catch lint errors, formatting issues, type errors, and secrets before they enter history\nBefore merging — ensure full test suites pass, coverage thresholds are met, and code has been reviewed\nBefore deploying — validate integration tests, security scans, and performance budgets in staging\nDuring code review — verify that all automated gates have passed and manual review criteria are satisfied\nAfter deploying — monitor health checks, error rates, and performance baselines" }, { "title": "Gate Overview", "body": "GateWhenChecksBlocking?Pre-commitgit commitLint, format, type-check, secrets scanYesPre-pushgit pushUnit tests, build verificationYesPre-mergePR/MR approvalFull test suite, code review, coverage thresholdYesPre-deploy (staging)Deploy to stagingIntegration tests, smoke tests, security scanYesPre-deploy (production)Deploy to productionStaging verification, load test, rollback planYesPost-deployAfter production deployHealth checks, error rate monitoring, perf baselinesAlerting" }, { "title": "Husky + lint-staged (Node.js)", "body": "{\n \"lint-staged\": {\n \"*.{js,ts,tsx}\": [\"eslint --fix\", \"prettier --write\"],\n \"*.{json,md,yaml}\": [\"prettier --write\"]\n }\n}\n\nnpx husky init\necho \"npx lint-staged\" > .husky/pre-commit" }, { "title": "Pre-commit framework (Python)", "body": "# .pre-commit-config.yaml\nrepos:\n - repo: https://github.com/pre-commit/pre-commit-hooks\n rev: v4.6.0\n hooks:\n - id: trailing-whitespace\n - id: end-of-file-fixer\n - id: check-yaml\n - id: check-added-large-files\n - repo: https://github.com/astral-sh/ruff-pre-commit\n rev: v0.6.0\n hooks:\n - id: ruff\n args: [--fix]\n - id: ruff-format\n - repo: https://github.com/pre-commit/mirrors-mypy\n rev: v1.11.0\n hooks:\n - id: mypy" }, { "title": "Secrets Scanning (pre-commit hook)", "body": "#!/bin/sh\n# .git/hooks/pre-commit\ngitleaks protect --staged --verbose\nif [ $? -ne 0 ]; then\n echo \"Secrets detected. Commit blocked.\"\n exit 1\nfi" }, { "title": "GitHub Actions", "body": "name: Quality Gates\non:\n pull_request:\n branches: [main]\n\njobs:\n lint-and-typecheck:\n runs-on: ubuntu-latest\n steps:\n - uses: actions/checkout@v4\n - uses: actions/setup-node@v4\n - run: npm ci\n - run: npm run lint\n - run: npm run typecheck\n\n unit-tests:\n runs-on: ubuntu-latest\n steps:\n - uses: actions/checkout@v4\n - uses: actions/setup-node@v4\n - run: npm ci\n - run: npm test -- --coverage\n - name: Check coverage threshold\n run: |\n COVERAGE=$(jq '.total.lines.pct' coverage/coverage-summary.json)\n if (( $(echo \"$COVERAGE < 80\" | bc -l) )); then\n echo \"Coverage $COVERAGE% is below 80% threshold\"\n exit 1\n fi\n\n security-scan:\n runs-on: ubuntu-latest\n steps:\n - uses: actions/checkout@v4\n - run: npm audit --audit-level=high\n - uses: gitleaks/gitleaks-action@v2\n\n build:\n needs: [lint-and-typecheck, unit-tests, security-scan]\n runs-on: ubuntu-latest\n steps:\n - uses: actions/checkout@v4\n - uses: actions/setup-node@v4\n - run: npm ci\n - run: npm run build\n\nSet these as required status checks in branch protection rules so PRs cannot merge until all gates pass." }, { "title": "Coverage Gates", "body": "TypeMinimum ThresholdNotesUnit tests80% line coveragePer-file and aggregateIntegration tests60% of integration pointsAPI endpoints, DB queriesE2E tests100% of critical pathsAuth, checkout, core workflowsNo decrease rule0% regression allowedNew code must not lower overall coverage" }, { "title": "Enforcing Thresholds", "body": "// jest.config.js or vitest.config.ts\n{\n \"coverageThreshold\": {\n \"global\": {\n \"branches\": 75,\n \"functions\": 80,\n \"lines\": 80,\n \"statements\": 80\n }\n }\n}\n\nFor the no decrease rule, compare coverage against the base branch in CI and fail if the delta is negative." }, { "title": "Dependency Scanning", "body": "EcosystemToolCommandNode.jsnpm auditnpm audit --audit-level=highPythonpip-auditpip-audit --strictRustcargo auditcargo auditGogovulncheckgovulncheck ./...UniversalTrivytrivy fs --severity HIGH,CRITICAL ." }, { "title": "Secret Detection", "body": "ToolUse CaseCommandgitleaksPre-commit and CIgitleaks protect --stagedTruffleHogDeep history scantrufflehog git file://. --only-verifieddetect-secretsBaseline-aware scanningdetect-secrets scan --baseline .secrets.baseline" }, { "title": "Bundle Size Budgets", "body": "{\n \"bundlesize\": [\n { \"path\": \"dist/main.*.js\", \"maxSize\": \"150 kB\" },\n { \"path\": \"dist/vendor.*.js\", \"maxSize\": \"250 kB\" },\n { \"path\": \"dist/**/*.css\", \"maxSize\": \"30 kB\" }\n ]\n}" }, { "title": "Lighthouse CI Thresholds", "body": "{\n \"ci\": {\n \"assert\": {\n \"assertions\": {\n \"categories:performance\": [\"error\", { \"minScore\": 0.9 }],\n \"categories:accessibility\": [\"error\", { \"minScore\": 0.95 }],\n \"categories:best-practices\": [\"error\", { \"minScore\": 0.9 }],\n \"first-contentful-paint\": [\"error\", { \"maxNumericValue\": 2000 }],\n \"largest-contentful-paint\": [\"error\", { \"maxNumericValue\": 2500 }],\n \"cumulative-layout-shift\": [\"error\", { \"maxNumericValue\": 0.1 }]\n }\n }\n }\n}" }, { "title": "API Response Time Limits", "body": "Endpoint TypeP50P95P99Read (GET)< 100ms< 300ms< 500msWrite (POST/PUT)< 200ms< 500ms< 1000msSearch/aggregate< 300ms< 800ms< 2000msHealth check< 50ms< 100ms< 200ms\n\nEnforce via load testing tools (k6, Artillery) in CI with pass/fail thresholds." }, { "title": "Required Approvals", "body": "Change ScopeApprovals RequiredStandard code changes1 approval minimumInfrastructure, auth, payments, data models2 approvalsDependency updates, cryptographic changesSecurity team approval" }, { "title": "CODEOWNERS", "body": "# .github/CODEOWNERS\n* @team/engineering\n/infra/ @team/platform\n/src/auth/ @team/security\n/src/payments/ @team/payments @team/security\n*.sql @team/data-engineering\nDockerfile @team/platform" }, { "title": "When Bypass Is Acceptable", "body": "Hotfixes for production incidents with active user impact\nTrivial changes (typos, comments) where automated checks are overkill\nDependency updates that break CI due to upstream issues (not your code)" }, { "title": "Required Documentation for Every Bypass", "body": "Reason — why the gate cannot pass right now\nRisk assessment — what could go wrong by skipping\nFollow-up ticket — link to an issue that tracks resolving the bypass\nApprover — name of the senior engineer or lead who authorized the bypass" }, { "title": "NEVER Do", "body": "NEVER disable gates permanently — fix the root cause, don't remove the guardrail\nNEVER commit secrets — even to \"test\" branches; git history is forever\nNEVER skip tests to unblock a deploy — if tests fail, the code is not ready\nNEVER merge with failing required checks — admin merge bypasses erode team trust\nNEVER set coverage thresholds to 0% — even a low threshold is better than none\nNEVER bypass security scans for speed — vulnerabilities in production cost far more than CI minutes\nNEVER rely solely on post-deploy gates — catching issues after users are impacted is damage control, not quality\nNEVER treat alerting gates as optional — post-deploy monitoring exists because pre-deploy gates cannot catch everything; ignoring alerts defeats the purpose" } ], "body": "Quality Gates\n\nEnforce quality checkpoints at every stage of the development lifecycle. Each gate defines what is checked, when it runs, and whether it blocks progression.\n\nWhen to Use\nBefore committing — catch lint errors, formatting issues, type errors, and secrets before they enter history\nBefore merging — ensure full test suites pass, coverage thresholds are met, and code has been reviewed\nBefore deploying — validate integration tests, security scans, and performance budgets in staging\nDuring code review — verify that all automated gates have passed and manual review criteria are satisfied\nAfter deploying — monitor health checks, error rates, and performance baselines\nGate Overview\nGate\tWhen\tChecks\tBlocking?\nPre-commit\tgit commit\tLint, format, type-check, secrets scan\tYes\nPre-push\tgit push\tUnit tests, build verification\tYes\nPre-merge\tPR/MR approval\tFull test suite, code review, coverage threshold\tYes\nPre-deploy (staging)\tDeploy to staging\tIntegration tests, smoke tests, security scan\tYes\nPre-deploy (production)\tDeploy to production\tStaging verification, load test, rollback plan\tYes\nPost-deploy\tAfter production deploy\tHealth checks, error rate monitoring, perf baselines\tAlerting\nPre-commit Setup\nHusky + lint-staged (Node.js)\n{\n \"lint-staged\": {\n \"*.{js,ts,tsx}\": [\"eslint --fix\", \"prettier --write\"],\n \"*.{json,md,yaml}\": [\"prettier --write\"]\n }\n}\n\nnpx husky init\necho \"npx lint-staged\" > .husky/pre-commit\n\nPre-commit framework (Python)\n# .pre-commit-config.yaml\nrepos:\n - repo: https://github.com/pre-commit/pre-commit-hooks\n rev: v4.6.0\n hooks:\n - id: trailing-whitespace\n - id: end-of-file-fixer\n - id: check-yaml\n - id: check-added-large-files\n - repo: https://github.com/astral-sh/ruff-pre-commit\n rev: v0.6.0\n hooks:\n - id: ruff\n args: [--fix]\n - id: ruff-format\n - repo: https://github.com/pre-commit/mirrors-mypy\n rev: v1.11.0\n hooks:\n - id: mypy\n\nSecrets Scanning (pre-commit hook)\n#!/bin/sh\n# .git/hooks/pre-commit\ngitleaks protect --staged --verbose\nif [ $? -ne 0 ]; then\n echo \"Secrets detected. Commit blocked.\"\n exit 1\nfi\n\nCI/CD Gate Configuration\nGitHub Actions\nname: Quality Gates\non:\n pull_request:\n branches: [main]\n\njobs:\n lint-and-typecheck:\n runs-on: ubuntu-latest\n steps:\n - uses: actions/checkout@v4\n - uses: actions/setup-node@v4\n - run: npm ci\n - run: npm run lint\n - run: npm run typecheck\n\n unit-tests:\n runs-on: ubuntu-latest\n steps:\n - uses: actions/checkout@v4\n - uses: actions/setup-node@v4\n - run: npm ci\n - run: npm test -- --coverage\n - name: Check coverage threshold\n run: |\n COVERAGE=$(jq '.total.lines.pct' coverage/coverage-summary.json)\n if (( $(echo \"$COVERAGE < 80\" | bc -l) )); then\n echo \"Coverage $COVERAGE% is below 80% threshold\"\n exit 1\n fi\n\n security-scan:\n runs-on: ubuntu-latest\n steps:\n - uses: actions/checkout@v4\n - run: npm audit --audit-level=high\n - uses: gitleaks/gitleaks-action@v2\n\n build:\n needs: [lint-and-typecheck, unit-tests, security-scan]\n runs-on: ubuntu-latest\n steps:\n - uses: actions/checkout@v4\n - uses: actions/setup-node@v4\n - run: npm ci\n - run: npm run build\n\n\nSet these as required status checks in branch protection rules so PRs cannot merge until all gates pass.\n\nCoverage Gates\nType\tMinimum Threshold\tNotes\nUnit tests\t80% line coverage\tPer-file and aggregate\nIntegration tests\t60% of integration points\tAPI endpoints, DB queries\nE2E tests\t100% of critical paths\tAuth, checkout, core workflows\nNo decrease rule\t0% regression allowed\tNew code must not lower overall coverage\nEnforcing Thresholds\n// jest.config.js or vitest.config.ts\n{\n \"coverageThreshold\": {\n \"global\": {\n \"branches\": 75,\n \"functions\": 80,\n \"lines\": 80,\n \"statements\": 80\n }\n }\n}\n\n\nFor the no decrease rule, compare coverage against the base branch in CI and fail if the delta is negative.\n\nSecurity Gates\nDependency Scanning\nEcosystem\tTool\tCommand\nNode.js\tnpm audit\tnpm audit --audit-level=high\nPython\tpip-audit\tpip-audit --strict\nRust\tcargo audit\tcargo audit\nGo\tgovulncheck\tgovulncheck ./...\nUniversal\tTrivy\ttrivy fs --severity HIGH,CRITICAL .\nSecret Detection\nTool\tUse Case\tCommand\ngitleaks\tPre-commit and CI\tgitleaks protect --staged\nTruffleHog\tDeep history scan\ttrufflehog git file://. --only-verified\ndetect-secrets\tBaseline-aware scanning\tdetect-secrets scan --baseline .secrets.baseline\nPerformance Gates\nBundle Size Budgets\n{\n \"bundlesize\": [\n { \"path\": \"dist/main.*.js\", \"maxSize\": \"150 kB\" },\n { \"path\": \"dist/vendor.*.js\", \"maxSize\": \"250 kB\" },\n { \"path\": \"dist/**/*.css\", \"maxSize\": \"30 kB\" }\n ]\n}\n\nLighthouse CI Thresholds\n{\n \"ci\": {\n \"assert\": {\n \"assertions\": {\n \"categories:performance\": [\"error\", { \"minScore\": 0.9 }],\n \"categories:accessibility\": [\"error\", { \"minScore\": 0.95 }],\n \"categories:best-practices\": [\"error\", { \"minScore\": 0.9 }],\n \"first-contentful-paint\": [\"error\", { \"maxNumericValue\": 2000 }],\n \"largest-contentful-paint\": [\"error\", { \"maxNumericValue\": 2500 }],\n \"cumulative-layout-shift\": [\"error\", { \"maxNumericValue\": 0.1 }]\n }\n }\n }\n}\n\nAPI Response Time Limits\nEndpoint Type\tP50\tP95\tP99\nRead (GET)\t< 100ms\t< 300ms\t< 500ms\nWrite (POST/PUT)\t< 200ms\t< 500ms\t< 1000ms\nSearch/aggregate\t< 300ms\t< 800ms\t< 2000ms\nHealth check\t< 50ms\t< 100ms\t< 200ms\n\nEnforce via load testing tools (k6, Artillery) in CI with pass/fail thresholds.\n\nReview Gates\nRequired Approvals\nChange Scope\tApprovals Required\nStandard code changes\t1 approval minimum\nInfrastructure, auth, payments, data models\t2 approvals\nDependency updates, cryptographic changes\tSecurity team approval\nCODEOWNERS\n# .github/CODEOWNERS\n* @team/engineering\n/infra/ @team/platform\n/src/auth/ @team/security\n/src/payments/ @team/payments @team/security\n*.sql @team/data-engineering\nDockerfile @team/platform\n\nGate Bypass Protocol\nWhen Bypass Is Acceptable\nHotfixes for production incidents with active user impact\nTrivial changes (typos, comments) where automated checks are overkill\nDependency updates that break CI due to upstream issues (not your code)\nRequired Documentation for Every Bypass\nReason — why the gate cannot pass right now\nRisk assessment — what could go wrong by skipping\nFollow-up ticket — link to an issue that tracks resolving the bypass\nApprover — name of the senior engineer or lead who authorized the bypass\nNEVER Do\nNEVER disable gates permanently — fix the root cause, don't remove the guardrail\nNEVER commit secrets — even to \"test\" branches; git history is forever\nNEVER skip tests to unblock a deploy — if tests fail, the code is not ready\nNEVER merge with failing required checks — admin merge bypasses erode team trust\nNEVER set coverage thresholds to 0% — even a low threshold is better than none\nNEVER bypass security scans for speed — vulnerabilities in production cost far more than CI minutes\nNEVER rely solely on post-deploy gates — catching issues after users are impacted is damage control, not quality\nNEVER treat alerting gates as optional — post-deploy monitoring exists because pre-deploy gates cannot catch everything; ignoring alerts defeats the purpose" }, "trust": { "sourceLabel": "tencent", "provenanceUrl": "https://clawhub.ai/wpank/quality-gates", "publisherUrl": "https://clawhub.ai/wpank/quality-gates", "owner": "wpank", "version": "0.1.0", "license": null, "verificationStatus": "Indexed source record" }, "links": { "detailUrl": "https://openagent3.xyz/skills/quality-gates", "downloadUrl": "https://openagent3.xyz/downloads/quality-gates", "agentUrl": "https://openagent3.xyz/skills/quality-gates/agent", "manifestUrl": "https://openagent3.xyz/skills/quality-gates/agent.json", "briefUrl": "https://openagent3.xyz/skills/quality-gates/agent.md" } }