paulund/quality-gate
quality-gate/SKILL.md
Use when the user wants to run the project's lint + types + build sequence as a gate before pushing, opening a PR, or merging. Invoked by chained dev skills between phases. Trigger phrases - "/quality-gate", "run the quality gate", "check it builds".
$ install --global
skillsauthnpx skillsauth add paulund/ai quality-gateInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 10, 2026, 5:07 AM144.9s1 file scanned
SKILL.md
- name:
- quality-gate
- description:
- Use when the user wants to run the project's lint + types + build sequence as a gate before pushing, opening a PR, or merging. Invoked by chained dev skills between phases. Trigger phrases - "/quality-gate", "run the quality gate", "check it builds".
- category:
- dev
Quality Gate
Run the project's static-checks + build sequence. Stop on the first failure, diagnose the root cause, and fix it before re-running.
Workflow
Step 1 — Detect the toolchain
Read package.json scripts (or equivalent for the project: composer.json, Makefile, Cargo.toml). Pick the first command from each row that exists:
| Phase | Preferred | Fallback |
|---|---|---|
| Lint | pnpm lint / npm run lint | npx next lint, composer run lint |
| Types | pnpm types / npm run types | npx tsc --noEmit |
| Tests | pnpm test / npm test | composer run test, framework default |
| Build | pnpm build / npm run build | npx next build |
If a phase has no command for the project (e.g. a JS-only repo with no types script), skip that phase and continue.
Step 2 — Run in order
Run the four phases sequentially. Each must pass before the next runs.
<lint command>
<types command>
<tests command>
<build command>
Step 3 — On failure, Stop-the-Line
- STOP running later phases.
- PRESERVE the full error output — don't truncate it from your context.
- DIAGNOSE — reproduce the failure if needed, trace the root cause, not the symptom. Use
git log/git blame/ existing tests for context. - FIX the root cause.
- GUARD — if the failure was a regression, add a test that would have caught it.
- Re-run the full gate from the top.
Max 2 diagnose-fix cycles. If still failing, stop and surface the failure to the caller — don't hide it.
Step 4 — Report
On success: one-line confirmation listing the phases that ran (lint, types, tests, build).
On failure: the failing phase, the command that ran, and the first ~20 lines of error output.
Constraints
MUST DO
- Detect toolchain commands from project files; do not assume
pnpmeverywhere. - Run phases in the documented order — fast feedback first.
- Surface failure output verbatim to the caller; never silence it.
- Add a regression test on Step 3 step 5 when the failure is a regression.
MUST NOT DO
- Skip a phase to "save time" — the gate is the contract.
- Run later phases after an earlier one failed.
- Loop more than 2 diagnose-fix cycles before stopping.
- Mask failures by editing the test or config to make them pass without fixing the underlying issue.
Related Skills
paulund/pr-verify
tools
VerifiedTrustedCommunity
Use when the user wants to verify a PR's feature works at runtime by booting the dev server, exercising the affected UI via Chrome DevTools MCP, and posting a screenshot summary back to the PR. Idempotent — skips if `verified` or `verify-failed` is already on the PR. Trigger phrases - "/pr-verify", "verify this PR", "runtime check the pr".
2SKILL.mdUpdated May 10, 2026
paulund/pr-security-review
testing
VerifiedTrustedCommunity
Use when the user wants a security-focused review pass on a PR with findings actioned as commits on the same branch. Trigger phrases - "/pr-security-review", "security review and fix".
2SKILL.mdUpdated May 10, 2026
paulund/pr-open
testing
VerifiedTrustedCommunity
Use when the user wants to open a pull request for an already-pushed branch that implements a specific issue. Idempotent — returns the existing PR if one is already open for the branch. Trigger phrases - "/pr-open", "open the pr", "create pr for this branch".
2SKILL.mdUpdated May 10, 2026
paulund/pr-fix
testing
VerifiedTrustedCommunity
Use when the user wants to action external review feedback or fix CI failures on an open pull request. Single-purpose — does not handle merge conflicts (use merge-main) or open PRs (use pr-open). Trigger phrases - "/pr-fix", "fix the pr", "address review comments", "fix ci".
2SKILL.mdUpdated May 10, 2026