autonomous-coding-toolkit 1.0.0

package/scripts/tests/test-run-plan-parser.sh

@@ -0,0 +1,217 @@
+#!/usr/bin/env bash
+# Test plan parser functions
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+source "$SCRIPT_DIR/../lib/run-plan-parser.sh"
+
+FAILURES=0
+TESTS=0
+
+assert_eq() {
+    local desc="$1" expected="$2" actual="$3"
+    TESTS=$((TESTS + 1))
+    if [[ "$expected" != "$actual" ]]; then
+        echo "FAIL: $desc"
+        echo "  expected: $expected"
+        echo "  actual:   $actual"
+        FAILURES=$((FAILURES + 1))
+    else
+        echo "PASS: $desc"
+    fi
+}
+
+assert_contains() {
+    local desc="$1" needle="$2" haystack="$3"
+    TESTS=$((TESTS + 1))
+    if [[ "$haystack" != *"$needle"* ]]; then
+        echo "FAIL: $desc"
+        echo "  expected to contain: $needle"
+        echo "  in: ${haystack:0:200}..."
+        FAILURES=$((FAILURES + 1))
+    else
+        echo "PASS: $desc"
+    fi
+}
+
+# --- Create test fixture ---
+WORK=$(mktemp -d)
+trap 'rm -rf "$WORK"' EXIT
+FIXTURE="$WORK/fixture.md"
+cat > "$FIXTURE" << 'EOF'
+# Feature X Implementation Plan
+
+**Goal:** Build feature X
+
+**Tech Stack:** Python, pytest
+
+---
+
+## Batch 1: Foundation (Tasks 1-2)
+
+### Task 1: Create Data Model
+
+**Files:**
+- Create: `src/models.py`
+- Test: `tests/test_models.py`
+
+**Step 1: Write the failing test**
+
+```python
+def test_model():
+    m = Model("test")
+    assert m.name == "test"
+```
+
+**Step 2: Implement**
+
+Create the Model class.
+
+### Task 2: Add Validation
+
+**Files:**
+- Modify: `src/models.py`
+
+Add validation to Model.
+
+## Batch 2: Integration (Tasks 3-4)
+
+### Task 3: Wire Together
+
+Wire the models into the API.
+
+### Task 4: End-to-End Test
+
+Write integration test.
+
+## Batch 3: Dashboard ⚠ CRITICAL
+
+### Task 5: UI Components
+
+Build the dashboard.
+EOF
+
+# --- Test: count_batches ---
+count=$(count_batches "$FIXTURE")
+assert_eq "count_batches returns 3" "3" "$count"
+
+# --- Test: get_batch_title ---
+title=$(get_batch_title "$FIXTURE" 1)
+assert_eq "batch 1 title" "Foundation (Tasks 1-2)" "$title"
+
+title=$(get_batch_title "$FIXTURE" 2)
+assert_eq "batch 2 title" "Integration (Tasks 3-4)" "$title"
+
+title=$(get_batch_title "$FIXTURE" 3)
+assert_eq "batch 3 title" "Dashboard ⚠ CRITICAL" "$title"
+
+# --- Test: get_batch_text ---
+text=$(get_batch_text "$FIXTURE" 1)
+assert_contains "batch 1 has Task 1" "Task 1: Create Data Model" "$text"
+assert_contains "batch 1 has Task 2" "Task 2: Add Validation" "$text"
+assert_contains "batch 1 has code" "def test_model" "$text"
+
+text2=$(get_batch_text "$FIXTURE" 2)
+assert_contains "batch 2 has Task 3" "Task 3: Wire Together" "$text2"
+assert_contains "batch 2 has Task 4" "Task 4: End-to-End Test" "$text2"
+
+# Batch 2 should NOT contain batch 1 content
+TESTS=$((TESTS + 1))
+if [[ "$text2" == *"Create Data Model"* ]]; then
+    echo "FAIL: batch 2 text should not contain batch 1 content"
+    FAILURES=$((FAILURES + 1))
+else
+    echo "PASS: batch 2 text does not leak batch 1"
+fi
+
+# Batch 1 should NOT contain batch 2 content
+TESTS=$((TESTS + 1))
+if [[ "$text" == *"Wire Together"* ]]; then
+    echo "FAIL: batch 1 text should not contain batch 2 content"
+    FAILURES=$((FAILURES + 1))
+else
+    echo "PASS: batch 1 text does not leak batch 2"
+fi
+
+# --- Test: get_batch_task_count ---
+tc=$(get_batch_task_count "$FIXTURE" 1)
+assert_eq "batch 1 has 2 tasks" "2" "$tc"
+
+tc2=$(get_batch_task_count "$FIXTURE" 2)
+assert_eq "batch 2 has 2 tasks" "2" "$tc2"
+
+tc3=$(get_batch_task_count "$FIXTURE" 3)
+assert_eq "batch 3 has 1 task" "1" "$tc3"
+
+# --- Test: is_critical_batch ---
+TESTS=$((TESTS + 1))
+if is_critical_batch "$FIXTURE" 3; then
+    echo "PASS: batch 3 is critical"
+else
+    echo "FAIL: batch 3 should be critical"
+    FAILURES=$((FAILURES + 1))
+fi
+
+TESTS=$((TESTS + 1))
+if is_critical_batch "$FIXTURE" 1; then
+    echo "FAIL: batch 1 should not be critical"
+    FAILURES=$((FAILURES + 1))
+else
+    echo "PASS: batch 1 is not critical"
+fi
+
+TESTS=$((TESTS + 1))
+if is_critical_batch "$FIXTURE" 2; then
+    echo "FAIL: batch 2 should not be critical"
+    FAILURES=$((FAILURES + 1))
+else
+    echo "PASS: batch 2 is not critical"
+fi
+
+# --- Test: nonexistent batch ---
+text_empty=$(get_batch_text "$FIXTURE" 99)
+assert_eq "nonexistent batch returns empty" "" "$text_empty"
+
+title_empty=$(get_batch_title "$FIXTURE" 99)
+assert_eq "nonexistent batch title returns empty" "" "$title_empty"
+
+tc_empty=$(get_batch_task_count "$FIXTURE" 99)
+assert_eq "nonexistent batch task count returns 0" "0" "$tc_empty"
+
+# === get_batch_context_refs tests ===
+
+# Create a plan with context_refs
+cat > "$WORK/refs-plan.md" << 'PLAN'
+## Batch 1: Setup
+
+### Task 1: Create base
+Content here.
+
+## Batch 2: Build on base
+context_refs: src/auth.py, tests/test_auth.py
+
+### Task 2: Extend
+Uses auth module from batch 1.
+PLAN
+
+# Batch 1 has no refs
+val=$(get_batch_context_refs "$WORK/refs-plan.md" 1)
+assert_eq "get_batch_context_refs: batch 1 has no refs" "" "$val"
+
+# Batch 2 has refs
+val=$(get_batch_context_refs "$WORK/refs-plan.md" 2)
+echo "$val" | grep -q "src/auth.py" && echo "PASS: batch 2 refs include src/auth.py" && TESTS=$((TESTS + 1)) || {
+    echo "FAIL: batch 2 refs missing src/auth.py"; TESTS=$((TESTS + 1)); FAILURES=$((FAILURES + 1))
+}
+
+echo "$val" | grep -q "tests/test_auth.py" && echo "PASS: batch 2 refs include tests/test_auth.py" && TESTS=$((TESTS + 1)) || {
+    echo "FAIL: batch 2 refs missing tests/test_auth.py"; TESTS=$((TESTS + 1)); FAILURES=$((FAILURES + 1))
+}
+
+echo ""
+echo "Results: $((TESTS - FAILURES))/$TESTS passed"
+if [[ $FAILURES -gt 0 ]]; then
+    echo "FAILURES: $FAILURES"
+    exit 1
+fi
+echo "ALL PASSED"

package/scripts/tests/test-run-plan-prompt.sh

@@ -0,0 +1,254 @@
+#!/usr/bin/env bash
+# Test prompt builder functions
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+source "$SCRIPT_DIR/../lib/run-plan-parser.sh"
+source "$SCRIPT_DIR/../lib/run-plan-prompt.sh"
+
+FAILURES=0
+TESTS=0
+
+assert_contains() {
+    local desc="$1" needle="$2" haystack="$3"
+    TESTS=$((TESTS + 1))
+    if [[ "$haystack" != *"$needle"* ]]; then
+        echo "FAIL: $desc"
+        echo "  expected to contain: $needle"
+        echo "  in: ${haystack:0:300}..."
+        FAILURES=$((FAILURES + 1))
+    else
+        echo "PASS: $desc"
+    fi
+}
+
+assert_not_contains() {
+    local desc="$1" needle="$2" haystack="$3"
+    TESTS=$((TESTS + 1))
+    if [[ "$haystack" == *"$needle"* ]]; then
+        echo "FAIL: $desc"
+        echo "  expected NOT to contain: $needle"
+        echo "  in: ${haystack:0:300}..."
+        FAILURES=$((FAILURES + 1))
+    else
+        echo "PASS: $desc"
+    fi
+}
+
+assert_eq() {
+    local desc="$1" expected="$2" actual="$3"
+    TESTS=$((TESTS + 1))
+    if [[ "$actual" != "$expected" ]]; then
+        echo "FAIL: $desc"
+        echo "  expected: $expected"
+        echo "  actual:   $actual"
+        FAILURES=$((FAILURES + 1))
+    else
+        echo "PASS: $desc"
+    fi
+}
+
+# --- Setup: fixture plan + temp git worktree ---
+TMPDIR_ROOT=$(mktemp -d)
+trap 'rm -rf "$TMPDIR_ROOT"' EXIT
+
+FIXTURE="$TMPDIR_ROOT/plan.md"
+cat > "$FIXTURE" << 'EOF'
+# Feature X Implementation Plan
+
+**Goal:** Build feature X
+
+---
+
+## Batch 1: Foundation (Tasks 1-2)
+
+### Task 1: Create Data Model
+
+**Files:**
+- Create: `src/models.py`
+- Test: `tests/test_models.py`
+
+**Step 1: Write the failing test**
+
+```python
+def test_model():
+    m = Model("test")
+    assert m.name == "test"
+```
+
+**Step 2: Implement**
+
+Create the Model class.
+
+### Task 2: Add Validation
+
+**Files:**
+- Modify: `src/models.py`
+
+Add validation to Model.
+
+## Batch 2: Integration (Tasks 3-4)
+
+### Task 3: Wire Together
+
+Wire the models into the API.
+
+### Task 4: End-to-End Test
+
+Write integration test.
+EOF
+
+# Create a temp git repo so git branch works
+WORKTREE="$TMPDIR_ROOT/worktree"
+mkdir -p "$WORKTREE"
+git -C "$WORKTREE" init -b test-branch --quiet
+git -C "$WORKTREE" config user.email "test@test.com"
+git -C "$WORKTREE" config user.name "Test"
+touch "$WORKTREE/.gitkeep"
+git -C "$WORKTREE" add .gitkeep
+git -C "$WORKTREE" commit -m "init" --quiet
+
+# --- Test: build_batch_prompt for batch 1 ---
+prompt=$(build_batch_prompt "$FIXTURE" 1 "$WORKTREE" "/usr/bin/python3" "scripts/quality-gate.sh --project-root ." 0)
+
+assert_contains "has batch number" "Batch 1" "$prompt"
+assert_contains "has batch title" "Foundation (Tasks 1-2)" "$prompt"
+assert_contains "has plan file reference" "plan.md" "$prompt"
+assert_contains "has worktree path" "$WORKTREE" "$prompt"
+assert_contains "has python path" "/usr/bin/python3" "$prompt"
+assert_contains "has branch name" "test-branch" "$prompt"
+assert_contains "has task text - Task 1" "Task 1: Create Data Model" "$prompt"
+assert_contains "has task text - Task 2" "Task 2: Add Validation" "$prompt"
+assert_contains "has TDD instruction" "TDD" "$prompt"
+assert_contains "has quality gate command" "scripts/quality-gate.sh --project-root ." "$prompt"
+assert_contains "has previous test count" "0+" "$prompt"
+assert_contains "has progress.txt instruction" "progress.txt" "$prompt"
+
+# --- Test: build_batch_prompt for batch 2 ---
+prompt2=$(build_batch_prompt "$FIXTURE" 2 "$WORKTREE" "/opt/python3.12" "make test" 15)
+
+assert_contains "batch 2 has batch number" "Batch 2" "$prompt2"
+assert_contains "batch 2 has batch title" "Integration (Tasks 3-4)" "$prompt2"
+assert_contains "batch 2 has task text - Task 3" "Task 3: Wire Together" "$prompt2"
+assert_contains "batch 2 has task text - Task 4" "Task 4: End-to-End Test" "$prompt2"
+assert_contains "batch 2 has different python" "/opt/python3.12" "$prompt2"
+assert_contains "batch 2 has different quality gate" "make test" "$prompt2"
+assert_contains "batch 2 has prev test count" "15+" "$prompt2"
+
+# --- Test: batch 2 does NOT contain batch 1 tasks ---
+TESTS=$((TESTS + 1))
+if [[ "$prompt2" == *"Create Data Model"* ]]; then
+    echo "FAIL: batch 2 prompt should not contain batch 1 tasks"
+    FAILURES=$((FAILURES + 1))
+else
+    echo "PASS: batch 2 prompt does not leak batch 1 tasks"
+fi
+
+# =============================================================================
+# build_stable_prefix tests
+# =============================================================================
+
+stable=$(build_stable_prefix "$FIXTURE" "$WORKTREE" "/usr/bin/python3" "scripts/quality-gate.sh")
+
+assert_contains "stable prefix has worktree path" "$WORKTREE" "$stable"
+assert_contains "stable prefix has python path" "/usr/bin/python3" "$stable"
+assert_contains "stable prefix has branch name" "test-branch" "$stable"
+assert_contains "stable prefix has TDD rule" "TDD" "$stable"
+assert_contains "stable prefix has quality gate" "scripts/quality-gate.sh" "$stable"
+assert_contains "stable prefix has progress.txt rule" "progress.txt" "$stable"
+
+# #48: stable prefix must NOT contain prev_test_count — that belongs in variable suffix
+assert_not_contains "stable prefix does NOT contain test count line" "tests must pass" "$stable"
+
+# --- Test: build_stable_prefix with bad worktree emits warning but returns 'unknown' ---
+TESTS=$((TESTS + 1))
+bad_worktree_output=$(build_stable_prefix "$FIXTURE" "/nonexistent/path/xyz" "python3" "gate.sh" 2>&1)
+if [[ "$bad_worktree_output" == *"WARNING"* && "$bad_worktree_output" == *"unknown"* ]]; then
+    echo "PASS: build_stable_prefix warns on missing worktree and uses 'unknown' branch"
+else
+    echo "FAIL: build_stable_prefix should warn on missing worktree"
+    echo "  output: $bad_worktree_output"
+    FAILURES=$((FAILURES + 1))
+fi
+
+# =============================================================================
+# build_variable_suffix tests
+# =============================================================================
+
+suffix=$(build_variable_suffix "$FIXTURE" 1 "$WORKTREE" 7)
+
+assert_contains "variable suffix has batch number" "Batch 1" "$suffix"
+assert_contains "variable suffix has batch title" "Foundation" "$suffix"
+assert_contains "variable suffix has task text" "Task 1: Create Data Model" "$suffix"
+# #48: test count is in the variable suffix, not the stable prefix
+assert_contains "variable suffix has test count" "7+" "$suffix"
+
+# Different test count gives different suffix (confirms test count varies per batch)
+suffix_b2=$(build_variable_suffix "$FIXTURE" 2 "$WORKTREE" 20)
+assert_contains "variable suffix b2 has test count 20+" "20+" "$suffix_b2"
+
+# =============================================================================
+# Cross-batch context tests
+# =============================================================================
+
+# --- Setup: add progress.txt and a commit to the worktree ---
+echo "Batch 1: Implemented auth module" > "$WORKTREE/progress.txt"
+echo "code" > "$WORKTREE/code.py"
+git -C "$WORKTREE" add code.py progress.txt
+git -C "$WORKTREE" commit -q -m "feat: add auth"
+
+# --- Test: prompt includes recent commits ---
+prompt3=$(build_batch_prompt "$FIXTURE" 2 "$WORKTREE" "python3" "scripts/quality-gate.sh" 42)
+assert_contains "cross-batch: has Recent commits" "Recent commits" "$prompt3"
+
+# --- Test: prompt includes progress.txt content ---
+assert_contains "cross-batch: has Previous progress" "Previous progress" "$prompt3"
+assert_contains "cross-batch: has progress content" "Implemented auth module" "$prompt3"
+
+# --- Test: prompt includes commit message ---
+assert_contains "cross-batch: has commit in log" "feat: add auth" "$prompt3"
+
+# =============================================================================
+# #47: corrupted state file — jq failure emits warning, prev_gate stays empty
+# =============================================================================
+
+echo "NOT VALID JSON {{{" > "$WORKTREE/.run-plan-state.json"
+TESTS=$((TESTS + 1))
+jq_warn_output=$(build_variable_suffix "$FIXTURE" 2 "$WORKTREE" 0 2>&1)
+if [[ "$jq_warn_output" == *"WARNING"* && "$jq_warn_output" == *"corrupted"* ]]; then
+    echo "PASS: build_variable_suffix warns on corrupted state file"
+else
+    echo "FAIL: build_variable_suffix should warn on corrupted state file"
+    echo "  output: ${jq_warn_output:0:200}"
+    FAILURES=$((FAILURES + 1))
+fi
+# Clean up corrupted state file
+rm -f "$WORKTREE/.run-plan-state.json"
+
+# =============================================================================
+# #50: unreadable progress.txt — error is NOT silently swallowed (no 2>/dev/null || true)
+# The fix removes the error suppression so stderr shows the permission denial.
+# We verify by running tail directly under the same condition — the error must be visible.
+# (Command substitution $() cannot propagate exit codes from within sourced functions
+#  reliably across bash versions, so we test the absence of suppression via the source.)
+# =============================================================================
+
+TESTS=$((TESTS + 1))
+# Check that progress_tail assignment in build_variable_suffix does NOT use || true
+# by inspecting the source code — the fix is the removal of the error suppression.
+PROMPT_SRC="$SCRIPT_DIR/../lib/run-plan-prompt.sh"
+if grep -q 'tail.*progress\.txt.*|| true' "$PROMPT_SRC" 2>/dev/null || \
+   grep -q 'tail.*progress\.txt.*2>/dev/null.*|| true' "$PROMPT_SRC" 2>/dev/null; then
+    echo "FAIL: build_variable_suffix still has suppressed tail error (|| true present)"
+    FAILURES=$((FAILURES + 1))
+else
+    echo "PASS: build_variable_suffix does not suppress tail errors on progress.txt"
+fi
+
+echo ""
+echo "Results: $((TESTS - FAILURES))/$TESTS passed"
+if [[ $FAILURES -gt 0 ]]; then
+    echo "FAILURES: $FAILURES"
+    exit 1
+fi
+echo "ALL PASSED"

package/scripts/tests/test-run-plan-quality-gate.sh

@@ -0,0 +1,222 @@
+#!/usr/bin/env bash
+# Test quality gate runner helper functions
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+source "$SCRIPT_DIR/../lib/run-plan-quality-gate.sh"
+
+FAILURES=0
+TESTS=0
+
+assert_eq() {
+    local desc="$1" expected="$2" actual="$3"
+    TESTS=$((TESTS + 1))
+    if [[ "$expected" != "$actual" ]]; then
+        echo "FAIL: $desc"
+        echo "  expected: $expected"
+        echo "  actual:   $actual"
+        FAILURES=$((FAILURES + 1))
+    else
+        echo "PASS: $desc"
+    fi
+}
+
+assert_exit() {
+    local desc="$1" expected_exit="$2"
+    shift 2
+    local actual_exit=0
+    "$@" || actual_exit=$?
+    TESTS=$((TESTS + 1))
+    if [[ "$expected_exit" != "$actual_exit" ]]; then
+        echo "FAIL: $desc"
+        echo "  expected exit: $expected_exit"
+        echo "  actual exit:   $actual_exit"
+        FAILURES=$((FAILURES + 1))
+    else
+        echo "PASS: $desc"
+    fi
+}
+
+# --- Temp dir for git repo simulation ---
+WORK=$(mktemp -d)
+trap 'rm -rf "$WORK"' EXIT
+
+# =============================================================================
+# extract_test_count tests
+# =============================================================================
+
+# --- Test: extract passed count with skipped ---
+val=$(extract_test_count "1953 passed, 15 skipped in 45.2s")
+assert_eq "extract_test_count: passed with skipped" "1953" "$val"
+
+# --- Test: extract passed count without skipped ---
+val=$(extract_test_count "42 passed in 2.1s")
+assert_eq "extract_test_count: passed without skipped" "42" "$val"
+
+# --- Test: extract from no tests ran ---
+val=$(extract_test_count "ERROR: no tests ran")
+assert_eq "extract_test_count: no tests ran" "-1" "$val"
+
+# --- Test: extract from empty string ---
+val=$(extract_test_count "")
+assert_eq "extract_test_count: empty string" "-1" "$val"
+
+# --- Test: extract from multi-line pytest output ---
+output="============================= test session starts ==============================
+collected 87 items
+
+tests/test_foo.py ........ [  9%]
+tests/test_bar.py ........ [ 18%]
+
+============================== 87 passed in 12.34s ==============================="
+val=$(extract_test_count "$output")
+assert_eq "extract_test_count: full pytest output" "87" "$val"
+
+# --- Test: extract with failures in output ---
+output="3 failed, 85 passed, 2 skipped in 30.1s"
+val=$(extract_test_count "$output")
+assert_eq "extract_test_count: with failures" "85" "$val"
+
+# --- Test: extract from jest output ---
+output="Tests:       3 failed, 45 passed, 48 total"
+val=$(extract_test_count "$output")
+assert_eq "extract_test_count: jest output" "45" "$val"
+
+# --- Test: extract from jest all-pass output ---
+output="Tests:       12 passed, 12 total"
+val=$(extract_test_count "$output")
+assert_eq "extract_test_count: jest all-pass" "12" "$val"
+
+# --- Test: extract from go test output ---
+output="ok  	github.com/foo/bar	0.123s
+ok  	github.com/foo/baz	0.456s
+FAIL	github.com/foo/qux	0.789s"
+val=$(extract_test_count "$output")
+assert_eq "extract_test_count: go test (2 ok of 3)" "2" "$val"
+
+# --- Test: unrecognized format returns -1 ---
+val=$(extract_test_count "Some random build output with no test results")
+assert_eq "extract_test_count: unrecognized format" "-1" "$val"
+
+# =============================================================================
+# check_test_count_regression tests
+# =============================================================================
+
+# --- Test: no regression (increase) ---
+assert_exit "check_test_count_regression: 200 >= 150 passes" 0 \
+    check_test_count_regression 200 150
+
+# --- Test: no regression (equal) ---
+assert_exit "check_test_count_regression: 150 >= 150 passes" 0 \
+    check_test_count_regression 150 150
+
+# --- Test: regression detected ---
+assert_exit "check_test_count_regression: 100 < 150 fails" 1 \
+    check_test_count_regression 100 150
+
+# --- Test: no regression from zero baseline ---
+assert_exit "check_test_count_regression: 50 >= 0 passes" 0 \
+    check_test_count_regression 50 0
+
+# =============================================================================
+# check_git_clean tests
+# =============================================================================
+
+# --- Setup: create a temp git repo ---
+git -C "$WORK" init -q
+git -C "$WORK" config user.email "test@test.com"
+git -C "$WORK" config user.name "Test"
+echo "initial" > "$WORK/file.txt"
+git -C "$WORK" add file.txt
+git -C "$WORK" commit -q -m "initial"
+
+# --- Test: clean repo passes ---
+assert_exit "check_git_clean: clean repo passes" 0 \
+    check_git_clean "$WORK"
+
+# --- Test: dirty repo (untracked file) fails ---
+echo "dirty" > "$WORK/untracked.txt"
+assert_exit "check_git_clean: untracked file fails" 1 \
+    check_git_clean "$WORK"
+
+# --- Test: dirty repo (modified file) fails ---
+rm "$WORK/untracked.txt"
+echo "modified" >> "$WORK/file.txt"
+assert_exit "check_git_clean: modified file fails" 1 \
+    check_git_clean "$WORK"
+
+# --- Test: -1 skips regression check ---
+assert_exit "check_test_count_regression: -1 new skips check" 0 \
+    check_test_count_regression -1 150
+
+assert_exit "check_test_count_regression: -1 previous skips check" 0 \
+    check_test_count_regression 50 -1
+
+# Clean up for any subsequent tests
+git -C "$WORK" checkout -- file.txt
+
+# =============================================================================
+# Security: no eval in quality gate runner (#3)
+# =============================================================================
+
+TESTS=$((TESTS + 1))
+QG_FILE="$SCRIPT_DIR/../lib/run-plan-quality-gate.sh"
+if grep -q 'eval.*quality_gate_cmd\|eval.*\$quality_gate' "$QG_FILE"; then
+    echo "FAIL: run-plan-quality-gate.sh uses eval on quality_gate_cmd (command injection risk, bug #3)"
+    FAILURES=$((FAILURES + 1))
+else
+    echo "PASS: run-plan-quality-gate.sh does not use eval on quality_gate_cmd"
+fi
+
+TESTS=$((TESTS + 1))
+if grep -q 'bash -c.*quality_gate_cmd\|bash -c.*\$quality_gate' "$QG_FILE"; then
+    echo "PASS: run-plan-quality-gate.sh uses bash -c instead of eval"
+else
+    echo "FAIL: run-plan-quality-gate.sh should use bash -c instead of eval (bug #3)"
+    FAILURES=$((FAILURES + 1))
+fi
+
+# =============================================================================
+# Bug #3 BEHAVIORAL: bash -c limits injection scope vs eval
+# =============================================================================
+# eval "$cmd" would expand variables/globs in the current shell context.
+# bash -c "$cmd" runs in a fresh subshell — variable references from the
+# parent shell don't leak into the command execution.
+
+# Create a gate command that tries to reference a parent shell variable
+INJECT_WORK=$(mktemp -d)
+git -C "$INJECT_WORK" init -q
+git -C "$INJECT_WORK" config user.email "test@test.com"
+git -C "$INJECT_WORK" config user.name "Test"
+echo "init" > "$INJECT_WORK/file.txt"
+git -C "$INJECT_WORK" add file.txt
+git -C "$INJECT_WORK" commit -q -m "init"
+
+# Set a variable in the current shell that bash -c should NOT see
+_GATE_SECRET="LEAKED"
+
+# A gate command that tries to echo the secret — with bash -c it gets empty string
+gate_output=$(cd "$INJECT_WORK" && bash -c 'echo "secret=${_GATE_SECRET:-none}"' 2>&1) || true
+
+TESTS=$((TESTS + 1))
+if [[ "$gate_output" == *"secret=none"* ]]; then
+    echo "PASS: bash -c does not leak parent shell variables (injection limited)"
+else
+    echo "FAIL: bash -c should not see parent shell variable _GATE_SECRET"
+    echo "  output: $gate_output"
+    FAILURES=$((FAILURES + 1))
+fi
+
+rm -rf "$INJECT_WORK"
+
+# =============================================================================
+# Summary
+# =============================================================================
+
+echo ""
+echo "Results: $((TESTS - FAILURES))/$TESTS passed"
+if [[ $FAILURES -gt 0 ]]; then
+    echo "FAILURES: $FAILURES"
+    exit 1
+fi
+echo "ALL PASSED"