@wopr-network/defcon 0.2.0

package/drizzle/meta/_journal.json

@@ -0,0 +1,83 @@
+{
+  "version": "7",
+  "dialect": "sqlite",
+  "entries": [
+    {
+      "idx": 0,
+      "version": "6",
+      "when": 1772820079904,
+      "tag": "0000_simple_surge",
+      "breakpoints": true
+    },
+    {
+      "idx": 1,
+      "version": "6",
+      "when": 1772820079905,
+      "tag": "0001_peaceful_marvel_apes",
+      "breakpoints": true
+    },
+    {
+      "idx": 2,
+      "version": "6",
+      "when": 1772820079906,
+      "tag": "0002_add_invocations_created_at",
+      "breakpoints": true
+    },
+    {
+      "idx": 3,
+      "version": "6",
+      "when": 1772820079907,
+      "tag": "0003_drop_integration_config",
+      "breakpoints": true
+    },
+    {
+      "idx": 4,
+      "version": "6",
+      "when": 1772868838854,
+      "tag": "0004_lucky_silverclaw",
+      "breakpoints": true
+    },
+    {
+      "idx": 5,
+      "version": "6",
+      "when": 1772894164983,
+      "tag": "0005_old_blue_shield",
+      "breakpoints": true
+    },
+    {
+      "idx": 6,
+      "version": "6",
+      "when": 1772893521314,
+      "tag": "0006_solid_magik",
+      "breakpoints": true
+    },
+    {
+      "idx": 7,
+      "version": "6",
+      "when": 1741305600000,
+      "tag": "0007_fancy_luke_cage",
+      "breakpoints": true
+    },
+    {
+      "idx": 8,
+      "version": "6",
+      "when": 1772909877406,
+      "tag": "0008_thick_dark_beast",
+      "breakpoints": true
+    },
+    {
+      "idx": 9,
+      "version": "6",
+      "when": 1772906724993,
+      "tag": "0009_brief_midnight",
+      "breakpoints": true
+    },
+    {
+      "idx": 10,
+      "version": "6",
+      "when": 1772906724994,
+      "tag": "0010_amusing_bastion",
+      "breakpoints": true
+    }
+  ]
+}

package/gates/blocking-graph.d.ts

@@ -0,0 +1,26 @@
+/**
+ * Custom gate: checks whether all Linear blockers for an entity's issue
+ * have corresponding merged PRs on GitHub.
+ *
+ * Referenced by seed as: "gates/blocking-graph.ts:isUnblocked"
+ *
+ * NOTE: Function gates are not yet evaluated by the engine (gate-evaluator.ts
+ * throws for type "function"). This file exists as the implementation target
+ * for when function gate support lands.
+ *
+ * NOTE: This file is intentionally outside src/ — it is loaded dynamically at
+ * runtime, not compiled by the main build.
+ */
+import type { Entity } from "../src/repositories/interfaces.js";
+export interface BlockingGraphResult {
+    passed: boolean;
+    output: string;
+}
+/**
+ * Check if all blocking issues for the given entity have merged PRs.
+ *
+ * Expects entity.refs.linear.id to be the Linear issue ID.
+ * Uses LINEAR_API_KEY env var for authentication.
+ * Uses `gh` CLI to check PR merge status on GitHub.
+ */
+export declare function isUnblocked(entity: Entity): Promise<BlockingGraphResult>;

package/gates/blocking-graph.js

@@ -0,0 +1,102 @@
+/**
+ * Custom gate: checks whether all Linear blockers for an entity's issue
+ * have corresponding merged PRs on GitHub.
+ *
+ * Referenced by seed as: "gates/blocking-graph.ts:isUnblocked"
+ *
+ * NOTE: Function gates are not yet evaluated by the engine (gate-evaluator.ts
+ * throws for type "function"). This file exists as the implementation target
+ * for when function gate support lands.
+ *
+ * NOTE: This file is intentionally outside src/ — it is loaded dynamically at
+ * runtime, not compiled by the main build.
+ */
+import { execFile } from "node:child_process";
+import { promisify } from "node:util";
+import { LinearClient } from "@linear/sdk";
+const execFileAsync = promisify(execFile);
+/**
+ * Check if all blocking issues for the given entity have merged PRs.
+ *
+ * Expects entity.refs.linear.id to be the Linear issue ID.
+ * Uses LINEAR_API_KEY env var for authentication.
+ * Uses `gh` CLI to check PR merge status on GitHub.
+ */
+export async function isUnblocked(entity) {
+    const linearApiKey = process.env.LINEAR_API_KEY;
+    if (!linearApiKey) {
+        return { passed: false, output: "LINEAR_API_KEY not set" };
+    }
+    const issueId = entity.refs?.linear?.id;
+    if (!issueId) {
+        return { passed: false, output: "Entity has no linear ref" };
+    }
+    const client = new LinearClient({ apiKey: linearApiKey });
+    let issue;
+    let inverseRelations;
+    try {
+        issue = await client.issue(issueId);
+        inverseRelations = await issue.inverseRelations();
+    }
+    catch (err) {
+        const message = err instanceof Error ? err.message : String(err);
+        return { passed: false, output: `Linear API error: ${message}` };
+    }
+    const blockers = inverseRelations.nodes.filter((r) => r.type === "blocks");
+    if (blockers.length === 0) {
+        return { passed: true, output: "No blockers" };
+    }
+    const unmerged = [];
+    for (const relation of blockers) {
+        try {
+            const blockerIssue = await relation.issue;
+            if (!blockerIssue)
+                continue;
+            const identifier = blockerIssue.identifier;
+            // Resolve the PR via Linear attachment — the attachment URL tells us which repo
+            const attachments = await blockerIssue.attachments();
+            const prAttachment = attachments.nodes.find((a) => {
+                if (!a.url)
+                    return false;
+                let hostname;
+                try {
+                    hostname = new URL(a.url).hostname;
+                }
+                catch {
+                    return false;
+                }
+                return hostname === "github.com" && a.url.includes("/pull/");
+            });
+            if (!prAttachment?.url) {
+                unmerged.push(`${identifier} (no PR found)`);
+                continue;
+            }
+            const match = prAttachment.url.match(/github\.com\/([^/]+\/[^/]+)\/pull\/(\d+)/);
+            if (!match) {
+                unmerged.push(`${identifier} (unrecognized PR URL)`);
+                continue;
+            }
+            const [, repo, prNum] = match;
+            try {
+                const { stdout } = await execFileAsync("gh", ["pr", "view", prNum, "--repo", repo, "--json", "state", "--jq", ".state"], { timeout: 10000 });
+                if (stdout.trim() !== "MERGED") {
+                    unmerged.push(identifier);
+                }
+            }
+            catch {
+                unmerged.push(`${identifier} (gh check failed)`);
+            }
+        }
+        catch (err) {
+            const errMsg = err instanceof Error ? err.message : String(err);
+            unmerged.push(`(blocker check failed: ${errMsg})`);
+        }
+    }
+    if (unmerged.length > 0) {
+        return {
+            passed: false,
+            output: `Blocked by unmerged: ${unmerged.join(", ")}`,
+        };
+    }
+    return { passed: true, output: `All ${blockers.length} blockers merged` };
+}

package/gates/blocking-graph.ts

@@ -0,0 +1,121 @@
+/**
+ * Custom gate: checks whether all Linear blockers for an entity's issue
+ * have corresponding merged PRs on GitHub.
+ *
+ * Referenced by seed as: "gates/blocking-graph.ts:isUnblocked"
+ *
+ * NOTE: Function gates are not yet evaluated by the engine (gate-evaluator.ts
+ * throws for type "function"). This file exists as the implementation target
+ * for when function gate support lands.
+ *
+ * NOTE: This file is intentionally outside src/ — it is loaded dynamically at
+ * runtime, not compiled by the main build.
+ */
+
+import { execFile } from "node:child_process";
+import { promisify } from "node:util";
+import { LinearClient } from "@linear/sdk";
+import type { Entity } from "../src/repositories/interfaces.js";
+
+const execFileAsync = promisify(execFile);
+
+export interface BlockingGraphResult {
+  passed: boolean;
+  output: string;
+}
+
+/**
+ * Check if all blocking issues for the given entity have merged PRs.
+ *
+ * Expects entity.refs.linear.id to be the Linear issue ID.
+ * Uses LINEAR_API_KEY env var for authentication.
+ * Uses `gh` CLI to check PR merge status on GitHub.
+ */
+export async function isUnblocked(entity: Entity): Promise<BlockingGraphResult> {
+  const linearApiKey = process.env.LINEAR_API_KEY;
+  if (!linearApiKey) {
+    return { passed: false, output: "LINEAR_API_KEY not set" };
+  }
+
+  const issueId = entity.refs?.linear?.id as string | undefined;
+  if (!issueId) {
+    return { passed: false, output: "Entity has no linear ref" };
+  }
+
+  const client = new LinearClient({ apiKey: linearApiKey });
+  let issue: Awaited<ReturnType<LinearClient["issue"]>>;
+  let inverseRelations: Awaited<ReturnType<typeof issue.inverseRelations>>;
+  try {
+    issue = await client.issue(issueId);
+    inverseRelations = await issue.inverseRelations();
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    return { passed: false, output: `Linear API error: ${message}` };
+  }
+
+  const blockers = inverseRelations.nodes.filter((r) => r.type === "blocks");
+
+  if (blockers.length === 0) {
+    return { passed: true, output: "No blockers" };
+  }
+
+  const unmerged: string[] = [];
+
+  for (const relation of blockers) {
+    try {
+      const blockerIssue = await relation.issue;
+      if (!blockerIssue) continue;
+
+      const identifier = blockerIssue.identifier;
+
+      // Resolve the PR via Linear attachment — the attachment URL tells us which repo
+      const attachments = await blockerIssue.attachments();
+      const prAttachment = attachments.nodes.find((a) => {
+        if (!a.url) return false;
+        let hostname: string;
+        try {
+          hostname = new URL(a.url).hostname;
+        } catch {
+          return false;
+        }
+        return hostname === "github.com" && a.url.includes("/pull/");
+      });
+      if (!prAttachment?.url) {
+        unmerged.push(`${identifier} (no PR found)`);
+        continue;
+      }
+      const match = prAttachment.url.match(
+        /github\.com\/([^/]+\/[^/]+)\/pull\/(\d+)/,
+      );
+      if (!match) {
+        unmerged.push(`${identifier} (unrecognized PR URL)`);
+        continue;
+      }
+      const [, repo, prNum] = match;
+      try {
+        const { stdout } = await execFileAsync(
+          "gh",
+          ["pr", "view", prNum, "--repo", repo, "--json", "state", "--jq", ".state"],
+          { timeout: 10000 },
+        );
+        if (stdout.trim() !== "MERGED") {
+          unmerged.push(identifier);
+        }
+      } catch {
+        unmerged.push(`${identifier} (gh check failed)`);
+      }
+    } catch (err) {
+      const errMsg = err instanceof Error ? err.message : String(err);
+      unmerged.push(`(blocker check failed: ${errMsg})`);
+    }
+  }
+
+  if (unmerged.length > 0) {
+    return {
+      passed: false,
+      output: `Blocked by unmerged: ${unmerged.join(", ")}`,
+    };
+  }
+
+  return { passed: true, output: `All ${blockers.length} blockers merged` };
+}

package/gates/check-design-posted.sh

@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+# Gate: check-design-posted — verify design spec comment on Linear issue
+# Usage: gates/check-design-posted.sh <linear-issue-id>
+set -euo pipefail
+
+LINEAR_ID="${1:?Usage: check-design-posted.sh <linear-issue-id>}"
+LINEAR_API_KEY="${LINEAR_API_KEY:?LINEAR_API_KEY env var is required}"
+
+PAYLOAD=$(jq -n --arg id "$LINEAR_ID" '{
+  "query": "query($id: String!) { issue(id: $id) { comments { nodes { body } } } }",
+  "variables": {"id": $id}
+}')
+RESPONSE=$(curl -s -f -X POST "https://api.linear.app/graphql" \
+  -H "Authorization: Bearer ${LINEAR_API_KEY}" \
+  -H "Content-Type: application/json" \
+  -d "$PAYLOAD" 2>&1) || {
+  echo "Failed to query Linear API: $RESPONSE"
+  exit 1
+}
+
+if echo "$RESPONSE" | jq -e '.errors' > /dev/null 2>&1; then
+  echo "GraphQL error: $(echo "$RESPONSE" | jq -r '.errors[0].message // "unknown"')"
+  exit 1
+fi
+
+if [ "$(echo "$RESPONSE" | jq '.data.issue')" = "null" ]; then
+  echo "ERROR: Linear issue $LINEAR_ID not found"
+  exit 1
+fi
+
+COMMENTS=$(echo "$RESPONSE" | jq -r '.data.issue.comments.nodes[].body // empty')
+
+if echo "$COMMENTS" | grep -qiE '(palette|typography|responsive|design spec|color scheme|breakpoint)'; then
+  echo "Design comment found on issue $LINEAR_ID"
+  exit 0
+else
+  echo "No design comment found on issue $LINEAR_ID"
+  exit 1
+fi

package/gates/check-merge.sh

@@ -0,0 +1,51 @@
+#!/usr/bin/env bash
+# Gate: check-merge — poll PR until merged, fail on CI failure in merge queue
+# Usage: gates/check-merge.sh <pr-number> <repo>
+# Timeout is handled by defcon's gate evaluator (execFile timeout).
+set -euo pipefail
+
+PR="${1:?Usage: check-merge.sh <pr-number> <repo>}"
+REPO="${2:?Usage: check-merge.sh <pr-number> <repo>}"
+
+# Trap SIGTERM from gate evaluator timeout for clean exit
+trap 'echo "Timed out waiting for PR #$PR to merge"; exit 1' TERM
+
+while true; do
+  STATUS=$(gh pr view "$PR" --repo "$REPO" --json state,mergeStateStatus --jq '{state: .state, mergeStateStatus: .mergeStateStatus}' 2>/dev/null) || {
+    echo "Failed to query PR status"
+    sleep 30
+    continue
+  }
+  if ! echo "$STATUS" | jq . >/dev/null 2>&1; then
+    echo "ERROR: invalid JSON from gh pr view"
+    sleep 30
+    continue
+  fi
+
+  STATE=$(echo "$STATUS" | jq -r '.state')
+  MERGE_STATUS=$(echo "$STATUS" | jq -r '.mergeStateStatus')
+
+  case "$STATE" in
+    MERGED)
+      echo "PR #$PR merged in $REPO"
+      exit 0
+      ;;
+    CLOSED)
+      echo "PR #$PR was closed without merging in $REPO"
+      exit 1
+      ;;
+  esac
+
+  # Check for CI failure in merge queue
+  if [ "$MERGE_STATUS" = "DIRTY" ] || [ "$MERGE_STATUS" = "BLOCKED" ] || [ "$MERGE_STATUS" = "UNSTABLE" ]; then
+    RESULT=$(gh pr view "$PR" --repo "$REPO" --json state,mergeStateStatus,statusCheckRollup \
+      --jq '{state: .state, mergeStatus: .mergeStateStatus, failing: [.statusCheckRollup // [] | .[] | select(.conclusion == "FAILURE") | .name]}' 2>/dev/null) || continue
+    FAILING=$(echo "$RESULT" | jq -r '.failing[]' 2>/dev/null)
+    if [ -n "$FAILING" ]; then
+      echo "CI failing in merge queue: $FAILING"
+      exit 1
+    fi
+  fi
+
+  sleep 30
+done

package/gates/check-pr-capacity.sh

@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+# Gate: check-pr-capacity — exit 0 if open PR count < max
+# Usage: gates/check-pr-capacity.sh <repo> [max]
+set -euo pipefail
+
+REPO="${1:?Usage: check-pr-capacity.sh <repo>}"
+MAX="${2:-4}"
+
+COUNT=$(gh pr list --repo "$REPO" --state open --json number --jq 'length')
+
+if [ "$COUNT" -lt "$MAX" ]; then
+  echo "PR capacity OK: $COUNT open (max $MAX)"
+  exit 0
+else
+  echo "PR capacity exceeded: $COUNT open (max $MAX)"
+  exit 1
+fi

package/gates/check-review-ready.sh

@@ -0,0 +1,47 @@
+#!/usr/bin/env bash
+# Gate: check-review-ready — CI green AND bot reviewers posted
+# Usage: gates/check-review-ready.sh <pr-number> <repo>
+set -euo pipefail
+
+PR="${1:?Usage: check-review-ready.sh <pr-number> <repo>}"
+REPO="${2:?Usage: check-review-ready.sh <pr-number> <repo>}"
+
+# Check 1: All CI checks passing
+echo "Checking CI status..."
+CHECKS=$(gh pr view "$PR" --repo "$REPO" --json statusCheckRollup --jq '.statusCheckRollup' 2>/dev/null) || { echo "ERROR: failed to query statusCheckRollup for PR #$PR"; exit 1; }
+FAILING=$(echo "$CHECKS" | jq -r '[.[] | select(.conclusion == "FAILURE") | .name] | .[]' 2>/dev/null)
+if [ -n "$FAILING" ]; then
+  echo "CI checks failing for PR #$PR in $REPO: $FAILING"
+  exit 1
+fi
+PENDING=$(echo "$CHECKS" | jq -r '[.[] | select(.status == "IN_PROGRESS" or .status == "QUEUED" or .status == "PENDING") | .name] | .[]' 2>/dev/null)
+if [ -n "$PENDING" ]; then
+  echo "CI checks still pending for PR #$PR in $REPO: $PENDING"
+  exit 1
+fi
+echo "CI checks passed"
+
+# Check 2: Bot reviewers posted
+echo "Checking for review bot comments..."
+COMMENTS=$(gh api "repos/$REPO/issues/$PR/comments" --jq '.[].user.login' 2>/dev/null || echo "")
+PR_COMMENTS=$(gh api "repos/$REPO/pulls/$PR/comments" --jq '.[].user.login' 2>/dev/null || echo "")
+REVIEWS=$(gh api "repos/$REPO/pulls/$PR/reviews" --jq '.[].user.login' 2>/dev/null || echo "")
+ALL_AUTHORS=$(printf '%s\n%s\n%s' "$COMMENTS" "$PR_COMMENTS" "$REVIEWS" | sort -u)
+
+BOTS_FOUND=0
+BOTS_MISSING=()
+for BOT in "qodo-code-review[bot]" "coderabbitai[bot]" "sourcery-ai[bot]" "devin-ai-integration[bot]"; do
+  if echo "$ALL_AUTHORS" | grep -qF "$BOT"; then
+    BOTS_FOUND=$((BOTS_FOUND + 1))
+  else
+    BOTS_MISSING+=("$BOT")
+  fi
+done
+
+if [ "$BOTS_FOUND" -eq 0 ]; then
+  echo "No review bots have posted on PR #$PR: missing ${BOTS_MISSING[*]}"
+  exit 1
+fi
+
+echo "Review ready: CI green, $BOTS_FOUND bot(s) posted"
+exit 0

package/gates/check-spec-posted.sh

@@ -0,0 +1,34 @@
+#!/usr/bin/env bash
+# Gate: check-spec-posted — verify implementation spec comment on Linear issue
+# Usage: gates/check-spec-posted.sh <linear-issue-id>
+set -euo pipefail
+
+LINEAR_ID="${1:?Usage: check-spec-posted.sh <linear-issue-id>}"
+LINEAR_API_KEY="${LINEAR_API_KEY:?LINEAR_API_KEY env var is required}"
+
+PAYLOAD=$(jq -n --arg id "$LINEAR_ID" '{
+  "query": "query($id: String!) { issue(id: $id) { comments { nodes { body } } } }",
+  "variables": {"id": $id}
+}')
+RESPONSE=$(curl -s -f -X POST "https://api.linear.app/graphql" \
+  -H "Authorization: Bearer ${LINEAR_API_KEY}" \
+  -H "Content-Type: application/json" \
+  -d "$PAYLOAD" 2>&1) || {
+  echo "Failed to query Linear API: $RESPONSE"
+  exit 1
+}
+
+if echo "$RESPONSE" | jq -e '.errors' > /dev/null 2>&1; then
+  echo "GraphQL error: $(echo "$RESPONSE" | jq -r '.errors[0].message // "unknown"')"
+  exit 1
+fi
+
+COMMENTS=$(echo "$RESPONSE" | jq -r '.data.issue.comments.nodes[].body // empty')
+
+if echo "$COMMENTS" | grep -qE '## (Implementation Spec|Implementation|File Changes)'; then
+  echo "Spec comment found on issue $LINEAR_ID"
+  exit 0
+else
+  echo "No spec comment found on issue $LINEAR_ID"
+  exit 1
+fi

package/gates/check-unblocked.sh

@@ -0,0 +1,56 @@
+#!/usr/bin/env bash
+# Gate: check-unblocked — verify all blockedBy issues have merged PRs
+# Usage: gates/check-unblocked.sh <linear-issue-id>
+set -euo pipefail
+
+LINEAR_ID="${1:?Usage: check-unblocked.sh <linear-issue-id>}"
+LINEAR_API_KEY="${LINEAR_API_KEY:?LINEAR_API_KEY env var is required}"
+
+# Fetch inverse relations (issues that block this one)
+PAYLOAD=$(jq -n --arg id "$LINEAR_ID" '{
+  "query": "query($id: String!) { issue(id: $id) { relations { nodes { type relatedIssue { identifier attachments { nodes { url } } } } } } }",
+  "variables": {"id": $id}
+}')
+
+RESPONSE=$(curl -s -f -X POST "https://api.linear.app/graphql" \
+  -H "Authorization: Bearer ${LINEAR_API_KEY}" \
+  -H "Content-Type: application/json" \
+  -d "$PAYLOAD" 2>&1) || {
+  echo "Failed to query Linear API: $RESPONSE"
+  exit 1
+}
+
+if echo "$RESPONSE" | jq -e '.errors' > /dev/null 2>&1; then
+  echo "GraphQL error: $(echo "$RESPONSE" | jq -r '.errors[0].message // "unknown"')"
+  exit 1
+fi
+
+UNMERGED=()
+while IFS= read -r blocker; do
+  IDENTIFIER=$(echo "$blocker" | jq -r '.identifier')
+  # Find GitHub PR URL in attachments
+  PR_URL=$(echo "$blocker" | jq -r '.attachments.nodes // [] | .[] | select(.url | test("github.com/.*/pull/")) | .url' | head -1)
+  if [ -z "$PR_URL" ]; then
+    UNMERGED+=("${IDENTIFIER} (no PR)")
+    continue
+  fi
+  # Extract repo and PR number from URL
+  REPO=$(echo "$PR_URL" | sed -n 's|.*github.com/\([^/]*/[^/]*\)/pull/.*|\1|p')
+  PR_NUM=$(echo "$PR_URL" | sed -n 's|.*/pull/\([0-9]*\).*|\1|p')
+  if [ -z "$REPO" ] || [ -z "$PR_NUM" ]; then
+    UNMERGED+=("${IDENTIFIER} (bad PR URL)")
+    continue
+  fi
+  STATE=$(gh pr view "$PR_NUM" --repo "$REPO" --json state --jq '.state' 2>/dev/null || echo "UNKNOWN")
+  if [ "$STATE" != "MERGED" ]; then
+    UNMERGED+=("${IDENTIFIER}")
+  fi
+done < <(echo "$RESPONSE" | jq -c '.data.issue.relations.nodes[] | select(.type == "isBlockedBy") | .relatedIssue')
+
+if [ ${#UNMERGED[@]} -gt 0 ]; then
+  echo "Blocked by unmerged: ${UNMERGED[*]}"
+  exit 1
+fi
+
+echo "All blockers merged"
+exit 0

package/gates/ci-green.sh

@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+# Gate: ci-green — wait for CI checks to pass on a PR
+# Usage: gates/ci-green.sh <pr-number> <repo>
+set -euo pipefail
+
+PR="${1:?Usage: ci-green.sh <pr-number> <repo>}"
+REPO="${2:?Usage: ci-green.sh <pr-number> <repo>}"
+
+gh pr checks "$PR" --repo "$REPO" --watch --fail-fast 2>&1

package/gates/merge-queue.sh

@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+# Gate: merge-queue — watch PR through merge queue
+# Usage: gates/merge-queue.sh <pr-number> <repo>
+set -euo pipefail
+
+PR="${1:?Usage: merge-queue.sh <pr-number> <repo>}"
+REPO="${2:?Usage: merge-queue.sh <pr-number> <repo>}"
+
+WATCH_SCRIPT="${WOPR_PR_WATCH_SCRIPT:-${WOPR_SCRIPTS_DIR:-$HOME}/wopr-pr-watch.sh}"
+if [ ! -x "$WATCH_SCRIPT" ]; then
+  echo "ERROR: WOPR_PR_WATCH_SCRIPT not found or not executable: $WATCH_SCRIPT" >&2
+  exit 1
+fi
+"$WATCH_SCRIPT" "$PR" "$REPO" 2>&1

package/gates/review-bots-ready.sh

@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+# Gate: review-bots-ready — wait for review bots to post
+# Usage: gates/review-bots-ready.sh <pr-number> <repo>
+set -euo pipefail
+
+PR="${1:?Usage: review-bots-ready.sh <pr-number> <repo>}"
+REPO="${2:?Usage: review-bots-ready.sh <pr-number> <repo>}"
+
+"${WOPR_AWAIT_REVIEWS_SCRIPT:-${WOPR_SCRIPTS_DIR:-$HOME}/wopr-await-reviews.sh}" "$PR" "$REPO" 2>&1

package/gates/spec-posted.sh

@@ -0,0 +1,31 @@
+#!/usr/bin/env bash
+# Gate: spec-posted — verify architect spec comment exists on Linear issue
+# Usage: gates/spec-posted.sh <linear-issue-id>
+set -euo pipefail
+
+LINEAR_ID="${1:?Usage: spec-posted.sh <linear-issue-id>}"
+
+# Query Linear API for comments on the issue containing "Implementation Spec"
+LINEAR_API_KEY="${LINEAR_API_KEY:?LINEAR_API_KEY env var is required}"
+PAYLOAD=$(jq -n --arg id "$LINEAR_ID" '{"query": "query { issue(id: \($id)) { comments { nodes { body } } } }"}')
+RESPONSE=$(curl -s -f -X POST "https://api.linear.app/graphql" \
+  -H "Authorization: ${LINEAR_API_KEY}" \
+  -H "Content-Type: application/json" \
+  -d "$PAYLOAD" 2>&1) || {
+  echo "Failed to query Linear API: $RESPONSE"
+  exit 1
+}
+if echo "$RESPONSE" | jq -e '.errors' > /dev/null 2>&1; then
+  echo "GraphQL error from Linear API: $(echo "$RESPONSE" | jq -r '.errors[0].message // "unknown error"')"
+  exit 1
+fi
+
+COMMENTS=$(echo "$RESPONSE" | jq -r '.data.issue.comments.nodes[].body // empty')
+
+if echo "$COMMENTS" | grep -q "Implementation Spec"; then
+  echo "Spec comment found on issue $LINEAR_ID"
+  exit 0
+else
+  echo "No spec comment found on issue $LINEAR_ID"
+  exit 1
+fi

package/gates/test/bad-return-gate.d.ts

@@ -0,0 +1 @@
+export declare function check(): unknown;

package/gates/test/bad-return-gate.js

@@ -0,0 +1,4 @@
+// Fixture: returns wrong shape (no `passed` boolean) to test return-shape validation
+export function check() {
+    return { status: "ok" }; // wrong shape — missing `passed`
+}

package/gates/test/bad-return-gate.ts

@@ -0,0 +1,4 @@
+// Fixture: returns wrong shape (no `passed` boolean) to test return-shape validation
+export function check(): unknown {
+  return { status: "ok" }; // wrong shape — missing `passed`
+}

package/gates/test/passing-gate.d.ts

@@ -0,0 +1,2 @@
+import type { GateEvalResult } from "../../src/engine/gate-evaluator.js";
+export declare function check(): GateEvalResult;