Pre-commit order

  1. hatch run format
  2. hatch run type-check
  3. hatch run lint
  4. hatch run yaml-lint
  5. hatch run contract-test
  6. hatch run smart-test

SpecFact code review JSON

  • Treat .specfact/code-review.json as mandatory evidence before an OpenSpec change is complete.
  • Re-run the review when the report is missing or stale.
  • Resolve every finding at any severity unless a rare, explicit exception is documented.
  • Record the review command and timestamps in TDD_EVIDENCE.md or the PR description when quality gates are part of the change.
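The "missing or stale" check above can be automated before the gates run. The following is an added example, not the project's own script: the function names are hypothetical, and it assumes "stale" means that some file in the work tree was modified after the report was written (the page does not define staleness). It also treats a zero-byte report as unusable evidence.

```shell
#!/bin/sh
# Added example (not project code): classify the SpecFact review report.
# Assumption: "stale" = a file in the work tree is newer than the report.

# review_report_status REPORT [TREE]
# Prints one of: missing | empty | stale | fresh
review_report_status() {
    report=$1
    tree=${2:-.}

    if [ ! -f "$report" ]; then
        echo missing
        return 0
    fi
    # A zero-byte file is not evidence of a completed review.
    if [ ! -s "$report" ]; then
        echo empty
        return 0
    fi

    # First regular file newer than the report, skipping VCS metadata and
    # the .specfact directory that holds the report itself.
    newer=$(find "$tree" \
        \( -name .git -o -name .specfact \) -prune -o \
        -type f -newer "$report" -print | head -n 1)

    if [ -n "$newer" ]; then
        echo stale
    else
        echo fresh
    fi
}

# review_gate REPORT [TREE]
# Returns 0 only when the report exists, is non-empty and is not stale.
review_gate() {
    status=$(review_report_status "$@")
    if [ "$status" = fresh ]; then
        return 0
    fi
    echo "code review report is $status: re-run the review" >&2
    return 1
}
```

Calling `review_gate .specfact/code-review.json .` from the repository root gives a non-zero exit status whenever the review has to be re-run.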

Clean-code review gate

The repository enforces the clean-code charter through specfact code review run. Zero regressions in naming, kiss, yagni, dry, and solid are required before merge.

Module signature gate

Every change that affects signed module assets or bundled manifests must satisfy verification before the change reaches main.

  • Local / feature branches: when the branch is not main, pre-commit runs verify-modules-signature.py with VERIFY_MODULES_PR (version bump vs base; --skip-checksum-verification). See scripts/module-verify-policy.sh, scripts/pre-commit-verify-modules.sh, and scripts/git-branch-module-signature-flag.sh.
  • Before merging to main or when validating release readiness, run strict verification:
    hatch run verify-modules-signature

If verification fails because module contents changed, re-sign the affected manifests and bump the module version before re-running verification. Note: verify-modules-signature.py has no --allow-unsigned flag. The --allow-unsigned option on sign-modules.py is only for local test signing.