The gate runner (ops/run_gates.py) executes gates 0 through 12 in strict sequence. No gate can be skipped. If any gate issues a fail verdict, execution halts and the run is marked as failed (with full evidence of what failed and why).
| Gate | Purpose |
|---|---|
| 0 | Intake Validation — Schema conformance, required fields, submission format |
| 1 | Plan Review — Declared intent matches submission scope, no undeclared changes |
| 2 | Policy Binding — Correct policy version resolved and locked for this run |
| 3 | Static Analysis — Linting, complexity metrics, code style conformance |
| 4 | Security Scan — Known vulnerability patterns, dependency audit, secret detection |
| 5 | Test Execution — Unit/integration tests run in DinD, coverage thresholds enforced |
| 6 | Coverage Verification — Independent coverage measurement against policy minimums |
| 7 | Behavioral Analysis — Runtime behavior profiling, resource usage, API call patterns |
| 8 | Dependency Audit — License compliance, known-vulnerable versions, supply chain checks |
| 9 | Documentation Check — Required docs present, API contracts documented, changelog updated |
| 10 | Approval Gate — Human approval required (if configured in policy). Blocks until approved or timed out. |
| 11 | Integration Verification — Merge simulation, conflict detection, compatibility checks |
| 12 | Final Seal — Aggregate verdict, proof package assembly, hash chain extension |
Each gate evaluates rules defined in the active policy. A rule consists of:
test-coverage, complexity-score, vuln-count)

Available Operators:
| Operator | Meaning | Example |
|---|---|---|
| eq | Equals | license eq "MIT" |
| neq | Not equals | status neq "deprecated" |
| gt | Greater than | coverage gt 80 |
| gte | Greater than or equal | tests gte 1 |
| lt | Less than | complexity lt 20 |
| lte | Less than or equal | vuln-critical lte 0 |
| contains | String/array contains | tags contains "reviewed" |
| not_contains | Does not contain | deps not_contains "lodash" |
| matches | Regex match | branch matches "^release/" |
| not_matches | No regex match | message not_matches "WIP" |
| in | Value in set | lang in ["python","typescript"] |
| not_in | Value not in set | env not_in ["production"] |
Rules within a gate can be grouped using combinators:
| Combinator | Meaning |
|---|---|
| all | All rules must pass (AND logic) |
| any | At least one rule must pass (OR logic) |
| none | No rules may pass (NOR logic) |

Combinators can be nested up to a configurable depth limit (default: 3 levels) so that policy definitions cannot grow arbitrarily complex.
There is no API endpoint, CLI flag, or configuration option to skip a gate. The gate runner iterates gates 0–12 unconditionally. The only way to change what a gate checks is to modify the policy through the policy API (which itself requires approval chain completion if configured).
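As an added illustration of the rule language (operators and nested combinators with the depth limit) and of the strict, halt-on-first-fail gate sequence, here is a small stand-alone evaluator. It is constructed for this page and is not the project's own ops/run_gates.py; the fact names, gate contents and the evidence format are assumptions.

```python
import re
# Constructed stand-in for the rule language described above, not the project's
# ops/run_gates.py. Field names and gate contents below are assumptions.
OPS = {
    "eq": lambda a, b: a == b,           "neq": lambda a, b: a != b,
    "gt": lambda a, b: a > b,            "gte": lambda a, b: a >= b,
    "lt": lambda a, b: a < b,            "lte": lambda a, b: a <= b,
    "contains": lambda a, b: b in a,     "not_contains": lambda a, b: b not in a,
    "matches": lambda a, b: re.search(b, a) is not None,
    "not_matches": lambda a, b: re.search(b, a) is None,
    "in": lambda a, b: a in b,           "not_in": lambda a, b: a not in b,
}
COMBINATORS = {"all": all, "any": any, "none": lambda r: not any(r)}
MAX_DEPTH = 3  # default combinator nesting limit from the text

def evaluate(node, facts, depth=0):
    """Leaf rule: {"field", "op", "value"}. Combinator: {"all"|"any"|"none": [nodes]}."""
    if "op" in node:
        if node["field"] not in facts:
            return False  # an absent fact never satisfies a rule (fail closed)
        return OPS[node["op"]](facts[node["field"]], node["value"])
    if depth + 1 > MAX_DEPTH:
        raise ValueError("combinator nesting exceeds depth limit %d" % MAX_DEPTH)
    kind, children = next(iter(node.items()))
    if kind not in COMBINATORS:
        raise ValueError("unknown combinator %r" % kind)
    return COMBINATORS[kind]([evaluate(c, facts, depth + 1) for c in children])

def run_gates(gates, facts):
    """Run gates strictly in order; halt at the first fail and return (ok, evidence)."""
    evidence = []
    for number, rules in gates:  # no gate is skipped and none is reordered
        verdict = evaluate(rules, facts)
        evidence.append((number, "pass" if verdict else "fail"))
        if not verdict:
            return False, evidence  # later gates never run once one has failed
    return True, evidence

# Constructed sample: three gates with a couple of rules each, plus the facts a
# submission might yield. The real runner evaluates gates 0 through 12.
SAMPLE_GATES = [
    (4, {"all": [{"field": "vuln-critical", "op": "lte", "value": 0},
                 {"field": "secrets-found", "op": "eq", "value": 0}]}),
    (5, {"any": [{"field": "coverage", "op": "gte", "value": 80},
                 {"none": [{"field": "tests", "op": "lt", "value": 1}]}]}),
    (8, {"all": [{"field": "license", "op": "in", "value": ["MIT", "Apache-2.0"]},
                 {"field": "deps", "op": "not_contains", "value": "lodash"}]}),
]
SAMPLE_FACTS = {"vuln-critical": 0, "secrets-found": 0, "coverage": 72,
                "tests": 14, "license": "MIT", "deps": ["lodash", "requests"]}
```

With the sample facts, gates 4 and 5 pass and gate 8 fails on the dependency rule, so the run stops there with the per-gate verdicts as evidence.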