You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
As a team delivering with pair I want the pre-merge quality gate pipeline modulated by the risk tier read from PR classification tags — always install+lint+type+build, unit from 🟡, integration+E2E only on 🔴, untagged PR treated as 🔴 — with deterministic secret scanning always on So that gate effort matches risk with zero classification logic in CI (the pipeline only reads tags) and no PR merges past a red gate
Where: CI pipeline of the adopting project (generated/configured via pair-capability-setup-gates) + PR checks on the code host
Refined: Story is detailed, estimated, and ready for development
In Progress: Story is actively being developed
Done: Story delivered and accepted
Acceptance Criteria
Functional Requirements
Given-When-Then Format:
Given a PR tagged risk:green When the pre-merge pipeline runs Then it executes install+lint+type+build only — no unit, no integration/E2E jobs are scheduled
Given a PR tagged risk:yellow When the pre-merge pipeline runs Then unit tests run in addition to the base checks, and integration/E2E do not
Given a PR tagged risk:red OR a PR with no classification tags When the pre-merge pipeline runs Then the full matrix runs (base + unit + integration + E2E) — untagged ⇒ treated as 🔴 (fail-safe)
Given any tier When any required gate job fails (including secret scanning) Then the PR is blocked from merging until the gate is green
Given a diff containing a secret/key When the deterministic secret-scanning layer (gitleaks, KB default A4) runs Then the build goes red — no LLM involved, always on at every tier
Given a merge to the main branch When the post-merge staging pipeline runs Then it performs build+deploy only (no gate re-run)
Business Rules
The pipeline contains NO classification criteria of its own (D18): it only reads classification tags on the PR — grep-verifiable
Automated tests written and passing (pipeline config generation fixtures)
Documentation updated — docs site (apps/website) page for tag-driven gates
CLI (apps/pair-cli) updated where install/update/distribution is touched
Quality Assurance
Matrix verified on a sample repo for all three tiers + untagged case
Grep audit: no classification criteria inside generated pipeline config
Secret-scanning red path verified with a planted dummy secret
Story Sizing and Sprint Readiness
Refined Story Points
Final Story Points: 5 (L) Confidence Level: Medium Sizing Justification: confirmed L(5) — gate matrix + setup-gates generation across stacks + fail-safe/edge handling + deterministic security layer; consumption-only design (no classify logic) keeps it out of XL
Sprint Capacity Validation
Sprint Fit Assessment: yes, single sprint with prerequisites landed Total Effort Assessment: fits — Yes
Third-party Integrations: gitleaks (default, swappable via adoption); CI provider of the adopting project (config stays provider-shaped but criteria-free)
Validation and Testing Strategy
Acceptance Testing Approach
Testing Methods: fixture repo with PRs tagged green/yellow/red/untagged; assert scheduled job set per tier; failing job ⇒ merge blocked Test Data Requirements: sample diffs incl. one with a dummy secret
Notes and Additional Context
Refinement Session Insights: fail-safe default (untagged ⇒ 🔴) is non-negotiable; pipeline is a pure tag consumer (D18) Documentation Links: R8.1 · Spec G9 (+G7 deterministic layer) · D18, A4, A11
Technical Analysis
Implementation Approach
Technical Strategy: extend pair-capability-setup-gates to emit tier-aware pipeline config: a first step resolves classification tags from the PR into a TIER value (fail-safe red), subsequent jobs are conditioned on TIER; secret scanning job unconditional; KB guideline documents the matrix (tier → checks) as the single source Key Components: setup-gates SKILL.md + config templates per stack; gate-matrix section in quality guidelines; tag-resolution step (provider-agnostic shell) Integration Points: classification tags (#233), publish-pr propagation (#206), verify-quality (sibling story), branch protection/required checks on the code host
Technical Risks and Mitigation
Risk
Impact
Probability
Mitigation Strategy
CI-provider lock-in in templates
Medium
Medium
criteria live in KB matrix; templates thin per-provider adapters
Tag drift between runs
Medium
Low
tags re-read at every run; matrix can only widen vs previous run on same PR
Story Statement
As a team delivering with pair
I want the pre-merge quality gate pipeline modulated by the risk tier read from PR classification tags — always install+lint+type+build, unit from 🟡, integration+E2E only on 🔴, untagged PR treated as 🔴 — with deterministic secret scanning always on
So that gate effort matches risk with zero classification logic in CI (the pipeline only reads tags) and no PR merges past a red gate
Where: CI pipeline of the adopting project (generated/configured via
pair-capability-setup-gates) + PR checks on the code hostEpic Context
Parent Epic: CI/CD gates tag-driven #210
Status: Refined
Priority: P0 (Must-Have)
Status Workflow
Acceptance Criteria
Functional Requirements
Given-When-Then Format:
Given a PR tagged
risk:greenWhen the pre-merge pipeline runs
Then it executes install+lint+type+build only — no unit, no integration/E2E jobs are scheduled
Given a PR tagged
risk:yellowWhen the pre-merge pipeline runs
Then unit tests run in addition to the base checks, and integration/E2E do not
Given a PR tagged
risk:redOR a PR with no classification tagsWhen the pre-merge pipeline runs
Then the full matrix runs (base + unit + integration + E2E) — untagged ⇒ treated as 🔴 (fail-safe)
Given any tier
When any required gate job fails (including secret scanning)
Then the PR is blocked from merging until the gate is green
Given a diff containing a secret/key
When the deterministic secret-scanning layer (gitleaks, KB default A4) runs
Then the build goes red — no LLM involved, always on at every tier
Given a merge to the main branch
When the post-merge staging pipeline runs
Then it performs build+deploy only (no gate re-run)
Business Rules
pair-capability-setup-gatesfor the adopted tech stack; hooks default to husky (A11)Edge Cases and Error Handling
Definition of Done Checklist
Development Completion
setup-gatestemplates follow project conventionsapps/website) page for tag-driven gatesapps/pair-cli) updated where install/update/distribution is touchedQuality Assurance
Story Sizing and Sprint Readiness
Refined Story Points
Final Story Points: 5 (L)
Confidence Level: Medium
Sizing Justification: confirmed L(5) — gate matrix + setup-gates generation across stacks + fail-safe/edge handling + deterministic security layer; consumption-only design (no classify logic) keeps it out of XL
Sprint Capacity Validation
Sprint Fit Assessment: yes, single sprint with prerequisites landed
Total Effort Assessment: fits — Yes
Dependencies and Coordination
Story Dependencies
Prerequisite Stories: #233 (classify produces tags), #202 (canonical states/board semantics); publish-pr tag propagation (#206 scope)
Dependent Stories: verify-quality gate-matrix integration (sibling); #212 automation (consumes green gates)
External Dependencies
Third-party Integrations: gitleaks (default, swappable via adoption); CI provider of the adopting project (config stays provider-shaped but criteria-free)
Validation and Testing Strategy
Acceptance Testing Approach
Testing Methods: fixture repo with PRs tagged green/yellow/red/untagged; assert scheduled job set per tier; failing job ⇒ merge blocked
Test Data Requirements: sample diffs incl. one with a dummy secret
Notes and Additional Context
Refinement Session Insights: fail-safe default (untagged ⇒ 🔴) is non-negotiable; pipeline is a pure tag consumer (D18)
Documentation Links: R8.1 · Spec G9 (+G7 deterministic layer) · D18, A4, A11
Technical Analysis
Implementation Approach
Technical Strategy: extend
pair-capability-setup-gatesto emit tier-aware pipeline config: a first step resolves classification tags from the PR into aTIERvalue (fail-safe red), subsequent jobs are conditioned onTIER; secret scanning job unconditional; KB guideline documents the matrix (tier → checks) as the single sourceKey Components: setup-gates SKILL.md + config templates per stack; gate-matrix section in quality guidelines; tag-resolution step (provider-agnostic shell)
Integration Points: classification tags (#233), publish-pr propagation (#206), verify-quality (sibling story), branch protection/required checks on the code host
Technical Risks and Mitigation
Task Breakdown
Checklist
Dependency Graph
T1 → T2 → T3 → T5; T4 → T5
AC Coverage