Pre-commit order
hatch run formathatch run type-checkhatch run linthatch run yaml-linthatch run contract-testhatch run smart-test
SpecFact code review JSON
- Treat
.specfact/code-review.jsonas mandatory evidence before an OpenSpec change is complete. - Re-run the review when the report is missing or stale.
- Resolve every finding at any severity unless a rare, explicit exception is documented.
- Record the review command and timestamps in
TDD_EVIDENCE.mdor the PR description when quality gates are part of the change.
Independent static analysis
Do not treat specfact code review run as sufficient security evidence for this repository. The review gate is intentionally self-referential: it is valuable for SpecFact-specific conventions, command-surface expectations, OpenSpec alignment, and local clean-code policy, but it can inherit blind spots from SpecFact itself.
PR validation therefore requires an independent static-analysis check alongside the self-review gate:
Independent Static Analysisruns Semgrep OSS SAST throughhatch run semgrep-sastand validates results withhatch run semgrep-sast-gate.- Existing Semgrep findings are tracked in
tools/semgrep/sast-baseline.json; new findings outside that baseline fail CI. - Bandit runs through
hatch run bandit-scanand is expected to remain clean for blocking medium/high findings. - The Semgrep and Bandit artifacts are external evidence and must not be replaced by
.specfact/code-review.json.
Clean-code review gate
The repository enforces the clean-code charter through specfact code review run. Zero regressions in naming, kiss, yagni, dry, and solid are required before merge.
Module signature gate
Every change that affects signed module assets or bundled manifests must satisfy verification before
the change reaches main.
- Local / feature branches: pre-commit runs
verify-modules-signature.pywithVERIFY_MODULES_PR(version bump vs base;--skip-checksum-verification) when the branch is notmain— seescripts/module-verify-policy.sh,scripts/pre-commit-verify-modules.sh, andscripts/git-branch-module-signature-flag.sh. - Before merging to
mainor when validating release readiness, run strict verification:
hatch run verify-modules-signature
CI mirrors this boundary: pr-orchestrator.yml uses VERIFY_MODULES_STRICT for pull requests
targeting main and for pushes to main; relaxed PR verification is only for development PRs that do
not cross the release boundary.
If verification fails because module contents changed, re-sign the affected manifests and bump the
module version before re-running verification. Note: verify-modules-signature.py has no
--allow-unsigned flag. The --allow-unsigned option on sign-modules.py is only for local test signing.