cc-devflow 4.5.1 → 4.5.3

package/.claude/skills/cc-check/references/review-contract.md

@@ -21,6 +21,7 @@
 
 每个 reviewer 结果至少说明：
 
+- reviewPacket
 - status
 - summary
 - evidence
@@ -30,16 +31,119 @@
 
 - severity
 - confidence
+- confidenceScore
 - source
 - summary
 - evidence
 - action
+- triageStatus
+- fingerprint
+- displayTier
+- suppressionReason
+
+## Review Packet
+
+Review 不能依赖聊天记忆。每个 task-level review 和 requirement-level diff review 至少记录：
+
+- `baseSha`：被审查范围的起点
+- `headSha`：被审查范围的终点
+- `requirements`：对应的 plan、task、analysis 或 spec 路径
+- `implemented`：实现者声称完成的内容
+- `reviewerContext`：reviewer 实际拿到的上下文摘要
+
+缺 `baseSha` / `headSha` 时，review 只能算 `blocked` 或 `skipped`，不能支撑 `pass`。
+
+## Review Freshness
+
+Review 必须绑定当前被交付的 commit，而不是绑定聊天记忆。
+
+每份 requirement-level review 至少记录：
+
+- `review.freshness.status`：`fresh` / `stale` / `unknown` / `not-applicable`
+- `review.freshness.reviewedCommit`
+- `review.freshness.currentCommit`
+- `review.freshness.commitsSinceReview`
+- `review.freshness.staleReason`
+- `review.qualityScore`：0-10，可空但空值不能支撑高置信 pass
+
+`status=stale`、`status=unknown` 且没有解释，或 `commitsSinceReview > 0` 且未重审，都会阻塞 `pass`。
+
+## Specialist Facets
+
+`review.specialistReviews[]` 用来记录按风险覆盖的审查面，不要求每次都派发独立 reviewer，但要求边界说清：
+
+- `testing`：负路径、边界条件、隔离性、flaky 风险、回归测试质量
+- `security`：trust boundary、shell / SQL / secret / auth 风险
+- `performance`：热路径、批量、缓存、N+1、资源泄漏
+- `api-contract`：输入输出、状态枚举、兼容面、错误语义
+- `data-migration`：schema、回滚、幂等、历史数据
+- `design`：UI / UX / visual consistency 和可用性
+
+没有相关风险时写 `status=skipped` 和 `skipReason`；有风险却缺 facet 时，至少是 review gap。
+
+## Finding Triage
+
+Review finding 不只是“发现过”，必须有处置结果：
+
+| triageStatus | 什么时候用 |
+| --- | --- |
+| `accepted-fixed` | finding 正确，已修复，并有验证证据 |
+| `rejected-with-evidence` | finding 不适用，已有代码 / 测试 / 契约证据支撑 |
+| `deferred-minor` | minor，不阻塞本次交付，已写入 follow-up |
+| `clarification-needed` | finding 不清楚，需要用户或 reviewer 澄清 |
+
+`critical` / `important` finding 不能用 `deferred-minor`。任何 `clarification-needed` 都会阻塞 `pass`。
+
+## QA Test Review Facts
+
+Review 必须判断测试是否证明行为：
+
+- 反馈环是否可信：速度、确定性、信号锋利度、复现率是否足够支撑结论
+- bugfix 是否复现并覆盖了用户描述的原始症状，而不是附近的另一个失败
+- expected / actual / reproduction steps 是否能让 reviewer 独立复现或判断缺件
+- 回归测试是否有 red/green 证据
+- red 是否因为目标行为缺失而失败
+- green 是否包含 targeted test 和必要的 broader gate
+- 测试是否通过公共接口覆盖行为
+- mock 是否只停在系统边界，且没有断言 mock 本身或内部调用顺序
+- 生产代码是否新增 test-only API
+- integration / contract test 是否比复杂 mock 更直接
+- 如果没有正确测试 seam，是否记录了架构 follow-up，而不是造易碎测试
+- coverage audit 是否映射真实 codepath / user flow / error state / edge case
+- UI 或用户路径变更是否有 browser evidence、截图、console 结果，或明确 skip reason
+
+## Durable Follow-Up Facts
+
+Review 产生的 QA issue 或 follow-up 必须可长期执行：
+
+- 用领域语言描述用户或系统行为，不把当前文件路径 / 行号当成唯一真相
+- 写清 current behavior、desired behavior、key interfaces、acceptance criteria、out of scope
+- 独立行为拆成独立条目；有依赖关系时写明顺序
+- `deferred-minor` 只能用于不阻塞本次交付的 minor 项，并且必须进入 `cc-act` follow-up writeback
+
+## Failure Ownership
+
+失败归属必须结构化写入 `runtime.failureOwnership[]`：
+
+- `classification=in-branch`：当前分支引入
+- `classification=pre-existing`：base branch 也能复现，必须有证据
+- `classification=environment`：缺依赖、权限、服务、密钥或平台条件
+- `classification=ambiguous`：归属不明，默认不能支撑 `pass`
+
+不要把 pre-existing failure 当成当前分支失败，也不要把 ambiguous failure 当成环境问题。
 
 ## Gate Rules
 
 - 任务级 review 缺证据，不能绿灯
 - 需求级 diff review 在 strict 模式下缺失，至少是 `blocked`
 - `important` / `critical` finding 未处理前，不算通过
+- `important` / `critical` finding 缺 triageStatus，不算通过
+- QA test quality 缺失且本次涉及行为变化，至少是 `blocked`
+- 行为变更缺 `qa.feedbackLoop` / `qa.behaviorEvidence` 且没有明确例外，至少是 `blocked`
+- bugfix 没有复现原始症状，也没有解释不可复现原因，不能通过
+- review freshness 缺失、过期或与当前 head 不一致，不能绿灯
+- UI / 用户路径变更缺 browser evidence 且无 skip reason，不能绿灯
+- `runtime.failureOwnership` 仍有 `in-branch` 或 `ambiguous` 未解释失败，不能绿灯
 - plan item 是 `PARTIAL` / `NOT_DONE` 且影响成功标准时，不能通过
 - scope drift 没有解释清楚时，不能通过
 - 文档漂移如果影响 reviewer / maintainer 接手，必须阻塞到 `cc-act` doc sync 或 reroute

package/.claude/skills/cc-check/scripts/render-report-card.js

@@ -68,6 +68,34 @@ function deriveVerdict(manifest, quickGates, strictGates, review) {
     return 'fail';
   }
 
+  if ([...quickGates, ...strictGates].some((gate) => ['blocked', 'pending'].includes(gate.status))) {
+    return 'blocked';
+  }
+
+  if (review.qa?.status === 'fail') {
+    return 'fail';
+  }
+
+  if (['blocked', 'pending'].includes(review.qa?.status)) {
+    return 'blocked';
+  }
+
+  if (['fail'].includes(review.qa?.feedbackLoop?.status)) {
+    return 'fail';
+  }
+
+  if (['blocked', 'pending'].includes(review.qa?.feedbackLoop?.status)) {
+    return 'blocked';
+  }
+
+  if (['fail'].includes(review.qa?.behaviorEvidence?.status)) {
+    return 'fail';
+  }
+
+  if (['blocked', 'pending'].includes(review.qa?.behaviorEvidence?.status)) {
+    return 'blocked';
+  }
+
   if (review.status === 'blocked') {
     return 'blocked';
   }
@@ -76,6 +104,20 @@ function deriveVerdict(manifest, quickGates, strictGates, review) {
     return 'fail';
   }
 
+  const freshness = buildReviewFreshness(review).status;
+  if (review.status === 'pass' && !['fresh', 'not-applicable'].includes(freshness)) {
+    return 'blocked';
+  }
+
+  const openOwnedFailures = (review.runtime?.failureOwnership || []).some((item) => {
+    const classification = item.classification || '';
+    const status = item.status || 'open';
+    return ['in-branch', 'ambiguous'].includes(classification) && !['resolved', 'closed'].includes(status);
+  });
+  if (openOwnedFailures) {
+    return 'blocked';
+  }
+
   return 'pass';
 }
 
@@ -116,10 +158,160 @@ function buildSummary({ quickGates, strictGates, review, verdict }) {
   ].join(' ');
 }
 
+function claimFromGate(gate) {
+  const name = String(gate.name || '').toLowerCase();
+  if (/test|spec/.test(name)) {
+    return 'tests-pass';
+  }
+  if (/lint/.test(name)) {
+    return 'lint-clean';
+  }
+  if (/type/.test(name)) {
+    return 'typecheck-clean';
+  }
+  if (/build|compile/.test(name)) {
+    return 'build-succeeds';
+  }
+  return `gate-${gate.name || 'unknown'}`;
+}
+
+function buildClaimEvidence({ manifest, quickGates, strictGates, review }) {
+  const gateClaims = [...quickGates, ...strictGates].map((gate) => ({
+    claim: claimFromGate(gate),
+    requiredProof: 'fresh command output with exit status and key observation',
+    commandOrArtifact: gate.command || gate.name || '',
+    exitStatus: gate.exitStatus ?? null,
+    keyObservation: gate.summary || gate.details || '',
+    status: gate.status || 'blocked'
+  }));
+
+  const openTasks = (manifest.tasks || []).filter((task) => task.status !== 'done' && task.status !== 'completed');
+  gateClaims.push({
+    claim: 'requirements-met',
+    requiredProof: 'line-by-line planning/tasks.md and task-manifest.json checklist',
+    commandOrArtifact: 'planning/tasks.md + planning/task-manifest.json',
+    exitStatus: null,
+    keyObservation: openTasks.length === 0 ? 'no open task gaps recorded' : `${openTasks.length} open task gaps recorded`,
+    status: openTasks.length === 0 && review.status === 'pass' ? 'pass' : 'blocked'
+  });
+
+  return [...(review.claimEvidence || []), ...gateClaims];
+}
+
+function buildQa(review) {
+  return {
+    status: review.qa?.status || 'skipped',
+    feedbackLoop: review.qa?.feedbackLoop || {
+      status: 'skipped',
+      mode: 'not-applicable',
+      commandOrArtifact: '',
+      speed: '',
+      determinism: '',
+      signalSharpness: '',
+      reproductionRate: '',
+      attempts: [],
+      blockedReason: 'not recorded'
+    },
+    behaviorEvidence: review.qa?.behaviorEvidence || {
+      status: 'skipped',
+      userFacingBoundary: '',
+      expectedBehavior: '',
+      actualBehavior: '',
+      reproductionSteps: [],
+      consistency: '',
+      domainLanguage: []
+    },
+    regressionProof: review.qa?.regressionProof || [],
+    testQuality: review.qa?.testQuality || [],
+    coverageAudit: review.qa?.coverageAudit || {
+      status: 'skipped',
+      coveragePct: null,
+      pathMap: [],
+      gaps: [],
+      testsAdded: [],
+      e2eRequired: false,
+      evalRequired: false,
+      qualityStars: ''
+    },
+    browserEvidence: review.qa?.browserEvidence || {
+      status: 'skipped',
+      mode: 'not-applicable',
+      affectedRoutes: [],
+      screenshots: [],
+      consoleErrors: [],
+      healthScore: null,
+      issues: [],
+      skipReason: 'not recorded'
+    },
+    architectureFollowUps: review.qa?.architectureFollowUps || [],
+    tddException: review.qa?.tddException || null
+  };
+}
+
+function buildRuntime(review) {
+  const failureOwnership = review.runtime?.failureOwnership || [];
+  const hasOpenOwnedFailure = failureOwnership.some((item) => {
+    const classification = item.classification || '';
+    const status = item.status || 'open';
+    return ['in-branch', 'ambiguous'].includes(classification) && !['resolved', 'closed'].includes(status);
+  });
+
+  return {
+    status: review.runtime?.status || (hasOpenOwnedFailure ? 'blocked' : 'pass'),
+    failureOwnership
+  };
+}
+
+function firstReviewHead(review) {
+  return [
+    review.taskReviews?.reviewPacket?.headSha,
+    review.diffReview?.reviewPacket?.headSha
+  ].find((value) => typeof value === 'string' && value.length > 0) || '';
+}
+
+function buildReviewFreshness(review) {
+  if (review.freshness) {
+    return review.freshness;
+  }
+
+  const headSha = firstReviewHead(review);
+  if (!headSha) {
+    return {
+      status: 'unknown',
+      reviewedCommit: '',
+      currentCommit: '',
+      commitsSinceReview: null,
+      staleReason: 'review headSha is not recorded'
+    };
+  }
+
+  return {
+    status: 'fresh',
+    reviewedCommit: headSha,
+    currentCommit: headSha,
+    commitsSinceReview: 0,
+    staleReason: ''
+  };
+}
+
+function buildReview(review) {
+  return {
+    ...review,
+    freshness: buildReviewFreshness(review),
+    qualityScore: review.qualityScore ?? null,
+    specialistReviews: review.specialistReviews || []
+  };
+}
+
+function isFindingOpen(item) {
+  const status = item.status || item.triageStatus || '';
+  return !['resolved', 'accepted', 'informational', 'accepted-fixed', 'rejected-with-evidence', 'deferred-minor'].includes(status);
+}
+
 function summarizeOpenReviewFindings(findings = []) {
   return findings
-    .filter((item) => item.status !== 'resolved' && item.status !== 'accepted' && item.status !== 'informational')
-    .map((item) => `${item.source}: ${item.summary}`);
+    .filter(isFindingOpen)
+    .map((item) => `${item.source || 'review'}: ${item.summary || item.evidence || 'open finding'}`);
 }
 
 function collectBlockingFindings({ manifest, quickGates, strictGates, review }) {
@@ -132,8 +324,8 @@ function collectBlockingFindings({ manifest, quickGates, strictGates, review })
   }
 
   for (const gate of [...quickGates, ...strictGates]) {
-    if (gate.status === 'fail') {
-      findings.push(`${gate.name}: ${gate.details}`);
+    if (['fail', 'blocked', 'pending'].includes(gate.status)) {
+      findings.push(`${gate.name}: ${gate.details || gate.summary || gate.status}`);
     }
   }
 
@@ -200,6 +392,15 @@ function main() {
     blockingFindings
   });
   const specSignals = deriveSpecSignals(manifest, verdict, review);
+  const claimEvidence = buildClaimEvidence({
+    manifest,
+    quickGates,
+    strictGates,
+    review
+  });
+  const runtime = buildRuntime(review);
+  const qa = buildQa(review);
+  const reviewReport = buildReview(review);
 
   const report = {
     changeId: args.changeId,
@@ -214,9 +415,12 @@ function main() {
     specAlignment: specSignals.specAlignment,
     specDeltaVerified: specSignals.specDeltaVerified,
     specSyncReady: specSignals.specSyncReady,
+    runtime,
+    claimEvidence,
+    qa,
     quickGates,
     strictGates,
-    review,
+    review: reviewReport,
     blockingFindings,
     gaps: manifest.spec?.newGaps || [],
     reroute,

package/.claude/skills/cc-check/scripts/verify-gate.sh

@@ -36,6 +36,10 @@ jq -e '
   .summary and
   .review and
   .blockingFindings and
+  (.runtime and (.runtime | type == "object")) and
+  (.runtime.status | IN("pass", "fail", "blocked", "skipped", "pending")) and
+  ((.runtime.failureOwnership? // []) | type == "array") and
+  ((.runtime.failureOwnership? // []) | all(.[]; (.classification? // "environment") | IN("in-branch", "pre-existing", "environment", "ambiguous"))) and
   (.specAlignment? // "blocked") and
   ((.specDeltaVerified? // false) | type == "boolean") and
   ((.specSyncReady? // false) | type == "boolean") and
@@ -45,6 +49,30 @@ jq -e '
   (.overall | IN("pass", "fail")) and
   (.reroute | IN("none", "cc-do", "cc-investigate", "cc-plan")) and
   (.review.status | IN("pass", "fail", "blocked", "skipped", "pending")) and
+  ((.review.freshness? // {"status":"unknown"}) | type == "object") and
+  ((.review.freshness.status? // "unknown") | IN("fresh", "stale", "unknown", "not-applicable")) and
+  ((.review.specialistReviews? // []) | type == "array") and
+  ((.claimEvidence? // []) | type == "array") and
+  ((.claimEvidence? // []) | all(.[];
+    (.claim and .requiredProof and .commandOrArtifact and .keyObservation and .status) and
+    (.status | IN("pass", "fail", "blocked", "skipped", "pending"))
+  )) and
+  ((.qa? // {"status":"skipped"}) | type == "object") and
+  ((.qa.status? // "skipped") | IN("pass", "fail", "blocked", "skipped", "pending")) and
+  ((.qa.coverageAudit? // {"status":"skipped"}) | type == "object") and
+  ((.qa.coverageAudit.status? // "skipped") | IN("pass", "fail", "blocked", "skipped", "pending")) and
+  ((.qa.browserEvidence? // {"status":"skipped"}) | type == "object") and
+  ((.qa.browserEvidence.status? // "skipped") | IN("pass", "fail", "blocked", "skipped", "pending")) and
+  ((.qa.feedbackLoop? // {"status":"skipped"}) | type == "object") and
+  ((.qa.feedbackLoop.status? // "skipped") | IN("pass", "fail", "blocked", "skipped", "pending")) and
+  ((.qa.behaviorEvidence? // {"status":"skipped"}) | type == "object") and
+  ((.qa.behaviorEvidence.status? // "skipped") | IN("pass", "fail", "blocked", "skipped", "pending")) and
+  ((.qa.architectureFollowUps? // []) | type == "array") and
+  ((.review.findings? // []) | all(.[]; ((.confidenceScore? // 7) | type == "number") and ((.displayTier? // "info") | IN("blocking", "warning", "info", "suppressed")))) and
+  ((.verdict != "pass") or ((.review.freshness.status? // "unknown") | IN("fresh", "not-applicable"))) and
+  ((.verdict != "pass") or ((.qa.feedbackLoop.status? // "skipped") | IN("pass", "skipped"))) and
+  ((.verdict != "pass") or ((.qa.behaviorEvidence.status? // "skipped") | IN("pass", "skipped"))) and
+  ((.verdict != "pass") or (((.runtime.failureOwnership? // []) | map(select(((.classification? // "") | IN("in-branch", "ambiguous")) and ((.status? // "open") | IN("open", "pending")))) | length) == 0)) and
   ((.verdict == "pass" and .reroute == "none") or (.verdict != "pass" and .reroute != "none"))
 ' "$REPORT" >/dev/null
 

package/.claude/skills/cc-do/CHANGELOG.md

@@ -1,5 +1,17 @@
 # CC-Do Skill Changelog
 
+## v1.6.0 - 2026-04-28
+
+- prohibit horizontal TDD execution by requiring one tracer bullet Red/Green/Refactor cycle per observable behavior
+- add test fixture discipline so partial fixtures, type assertions, generated stubs, and mocks must preserve public seam behavior
+- require checkpoints to record fixture risk when test data shortcuts could hide a seam or contract problem
+
+## v1.5.3 - 2026-04-28
+
+- require Red evidence to prove behavior through a public seam instead of private methods, internal call counts, or implementation-shaped tests
+- add mock-boundary and test-quality gates to the TDD execution contract so internal collaborators are not mocked as fake proof
+- allow `write-task-checkpoint.sh --tdd-json` and runtime checkpoint schema to preserve structured TDD evidence for recovery and review
+
 ## v1.5.2 - 2026-04-27
 
 - require execution evidence that adds human-readable summaries to resolve the runtime output policy first

package/.claude/skills/cc-do/PLAYBOOK.md

@@ -50,10 +50,12 @@
 
 1. 先写失败测试，再运行到红。
 2. 确认红灯是预期失败，不是测试写错、fixture 缺失或环境没接上。
-3. 只写让当前测试转绿的最小实现。
-4. 绿后才允许重构。
-5. 重构后必须保持绿。
-6. 测试没先红过，就不能宣称这次变更受 TDD 保护。
+3. 确认红灯通过公共 seam 证明行为缺失，而不是测私有函数、内部调用次数或临时结构。
+4. 确认 mock 只发生在系统边界；内部协作者不 mock。
+5. 只写让当前测试转绿的最小实现。
+6. 绿后才允许重构。
+7. 重构后必须保持绿。
+8. 测试没先红过，或红灯不是公共 seam 上的行为失败，就不能宣称这次变更受 TDD 保护。
 
 ## TDD Exception Rule
 
@@ -78,11 +80,14 @@
 
 1. `red_failed`: 已观察到预期失败
 2. `red_reason_verified`: 红灯原因与目标行为缺失一致
-3. `green_passed`: 当前任务实现转绿
-4. `refactor_done` 或 `refactor_not_needed`
-5. `refactor_green`: 重构后相关测试仍绿
-6. `spec_review_pass`
-7. `code_review_pass`
+3. `red_seam_verified`: 红灯通过公共接口、调用方流程、CLI/API/UI 或真实边界进入系统
+4. `red_behavior_verified`: 测试断言用户或调用方可观察行为，不断言内部实现细节
+5. `mock_boundary_verified`: mock 只在系统边界，内部协作者没有被 mock
+6. `green_passed`: 当前任务实现转绿
+7. `refactor_done` 或 `refactor_not_needed`
+8. `refactor_green`: 重构后相关测试仍绿
+9. `spec_review_pass`
+10. `code_review_pass`
 
 任何一门失败，都回到实现，不准直接跨过去。
 

package/.claude/skills/cc-do/SKILL.md

@@ -1,6 +1,6 @@
 ---
 name: cc-do
-version: 1.5.2
+version: 1.6.0
 description: Use when implementing planned tasks, resuming interrupted work, applying a frozen investigation handoff, or landing review feedback after cc-plan or cc-investigate.
 triggers:
   - 开始做 T003
@@ -36,7 +36,7 @@ entry_gate:
   - Select only ready tasks whose dependencies and file ownership are clear.
   - If the current task cannot be restated from canonical artifacts, run a context reset before coding.
 exit_criteria:
-  - The current task has red/green evidence, review evidence, and a resumable checkpoint trail.
+  - The current task has red/green evidence, public-seam test quality evidence, review evidence, and a resumable checkpoint trail.
   - Execution leaves the next verifier enough runtime truth to judge the task without chat memory.
   - The honest next step is cc-check or an explicit reroute.
 reroutes:
@@ -134,8 +134,14 @@ NO PRODUCTION CODE WITHOUT A FAILING TEST FIRST
 3. Refactor：只有 Green 之后才能清理命名、重复、结构和坏味道。
 4. Record：每一站都写入 `checkpoint.json`，必要时写入 `events.jsonl`。
 
+Red 不是形式上的红，而是公共 seam 上的行为缺失证明。测试必须通过公共接口、调用方流程、CLI/API/UI 路径或其它真实边界进入系统；只验证私有函数、内部调用次数、临时数据结构或 mock 自己控制的内部协作者，不算 TDD 证据。
+
 例外只能用于 throwaway prototype、纯生成文件、纯配置改动；例外必须写进 checkpoint 的 `tddException`，包含原因、风险和替代验证命令。测试第一次就绿，说明测试没有证明新行为，必须修测试而不是继续写生产代码。
 
+禁止水平切片：不要先写一批测试，再写一批实现。每次只推进一个 tracer bullet：一个可观察行为的 Red -> 让它变绿的最小实现 -> 必要重构 -> 记录证据，然后再进入下一个行为。
+
+测试数据也必须诚实。fixture 只提供当前行为需要的最小输入；partial fixture、类型断言、mock payload 或 generated stub 必须写清哪些字段是真实 contract，哪些只是测试填充。不能用 `as`、`any`、双重 cast、缺字段 partial mock 或 test-only method 掩盖 seam 设计问题。
+
 ## Entry Gate
 
 1. 先读 `planning/design.md` 或 `planning/analysis.md`，再读 `planning/tasks.md`、`planning/task-manifest.json`；如果是恢复执行，再补读最近 checkpoint 或已有 `handoff/resume-index.md`。
@@ -151,11 +157,13 @@ NO PRODUCTION CODE WITHOUT A FAILING TEST FIRST
 3. 没有明确并行资格，不准把多个实现任务同时推进。
 4. 先 `fail-first`：先写失败测试，先看见预期红，再写生产代码。
 5. 如果红灯不是预期失败（语法错、fixture 错、测试没连上），先修测试直到它正确失败。
-6. 按 `Red -> Green -> Refactor` 推进，Green 只允许最小实现。
-7. Refactor 后必须重跑相关测试，保持 Green。
-8. 每次推进都写 task runtime：`events.jsonl` + `checkpoint.json`。
-9. 任务实现后，先过 `spec review`，再过 `code review`，两道门都过才算任务收口；这里只验证 spec delta，不回写长期 spec。
-10. 当前任务完成后，把可验证证据留给 `cc-check`。
+6. 如果红灯通过错误 seam 得到，比如私有方法、内部调用次数、mock 内部协作者，先修测试 seam，不准进入 Green。
+7. 按 `Red -> Green -> Refactor` 推进，Green 只允许最小实现。
+8. 如果当前 Red 需要新的 fixture 或 mock，先证明它仍从公共 seam 触发真实行为；fixture 缺字段、类型强转或内部 mock 都要写入 `tdd.testQuality.fixtureRisk` 或先修 seam。
+9. Refactor 后必须重跑相关测试，保持 Green。
+10. 每次推进都写 task runtime：`events.jsonl` + `checkpoint.json`，并记录 `tdd.testQuality` 或 `tddException`。
+11. 任务实现后，先过 `spec review`，再过 `code review`，两道门都过才算任务收口；这里只验证 spec delta，不回写长期 spec。
+12. 当前任务完成后，把可验证证据留给 `cc-check`。
 
 ## Output
 
@@ -168,7 +176,8 @@ NO PRODUCTION CODE WITHOUT A FAILING TEST FIRST
 ## Good Output
 
 - 当前 task 一眼可见，执行者不用从聊天记录里猜目标
-- 至少留下一次明确的 Red/Green/Refactor 证据，且 Red 是预期失败
+- 至少留下一次明确的 tracer bullet Red/Green/Refactor 证据，且 Red 是公共 seam 上的预期行为失败
+- 测试 fixture 说明真实 contract 字段和测试填充字段，没有用类型欺骗或内部 mock 制造假绿
 - runtime / checkpoint 足够让下一位接手者无损恢复
 - reviewer 能顺着 review 记录和验证命令复盘这次实现
 
@@ -194,11 +203,13 @@ NO PRODUCTION CODE WITHOUT A FAILING TEST FIRST
 3. 没有失败测试，不准写生产代码。
 4. 测试如果第一次就绿，说明你没证明任何东西，先修测试。
 5. 红灯原因必须和目标行为缺失一致；红灯如果只是测试写错，不算 TDD 证据。
-6. 先过 `spec review`，再过 `code review`，顺序不能反。
-7. 不在 `cc-do` 里改 capability spec 正文；这里只产出实现证据和 spec 对齐证据。
-8. 失败和阻塞都要留下恢复证据。
-9. 给 subagent 的输入必须包含：当前进度、当前任务全文、依赖状态、必读文件、验收标准、可信命令。
-10. 三次失败修补后必须先质疑调查合同或设计合同，而不是继续堆补丁。
+6. 红灯必须验证公共接口上的行为；实现细节测试、私有方法测试、内部调用次数断言都要先退回 Red 修正。
+7. Mock 只能放在系统边界；如果必须 mock 内部协作者才能测试，说明 seam 或设计合同有问题。
+8. 先过 `spec review`，再过 `code review`，顺序不能反。
+9. 不在 `cc-do` 里改 capability spec 正文；这里只产出实现证据和 spec 对齐证据。
+10. 失败和阻塞都要留下恢复证据。
+11. 给 subagent 的输入必须包含：当前进度、当前任务全文、依赖状态、必读文件、验收标准、可信命令。
+12. 三次失败修补后必须先质疑调查合同或设计合同，而不是继续堆补丁。
 
 ## Exit Criteria
 

package/.claude/skills/cc-do/references/execution-recovery.md

@@ -37,11 +37,14 @@
 1. `context_ready`
 2. `red_failed`
 3. `red_reason_verified`
-4. `green_passed`
-5. `refactor_done` 或 `refactor_not_needed`
-6. `refactor_green`
-7. `spec_review_pass`
-8. `code_review_pass`
+4. `red_seam_verified`
+5. `red_behavior_verified`
+6. `mock_boundary_verified`
+7. `green_passed`
+8. `refactor_done` 或 `refactor_not_needed`
+9. `refactor_green`
+10. `spec_review_pass`
+11. `code_review_pass`
 
 如果 `events.jsonl` 没开启，至少仍要有最新 `checkpoint.json` 和 manifest review verdict。
 
@@ -52,9 +55,17 @@
 - `red.command`
 - `red.exitStatus`
 - `red.expectedFailure`
+- `red.testSeam`
+- `red.behaviorAsserted`
+- `red.allowedMocks`
+- `red.implementationDetailRisk`
 - `green.command`
 - `green.exitStatus`
 - `refactor.status`
+- `testQuality.usesPublicInterface`
+- `testQuality.describesBehavior`
+- `testQuality.survivesInternalRefactor`
+- `testQuality.mocksOnlySystemBoundaries`
 - `review.spec.status`
 - `review.code.status`
 

package/.claude/skills/cc-do/scripts/verify-task-gates.sh

@@ -82,12 +82,25 @@ if [[ -f "$events_file" ]]; then
       echo "-1"
     }
 
-    red_idx="$(first_index "red_failed")"
-    green_idx="$(first_index "green_passed")"
-    if [[ "$red_idx" != "-1" && "$green_idx" != "-1" && "$red_idx" -ge "$green_idx" ]]; then
-      echo "Task $TASK_ID gate order is invalid" >&2
-      exit 1
-    fi
+    assert_before() {
+      local before="$1"
+      local after="$2"
+      local before_idx after_idx
+      before_idx="$(first_index "$before")"
+      after_idx="$(first_index "$after")"
+      if [[ "$before_idx" != "-1" && "$after_idx" != "-1" && "$before_idx" -ge "$after_idx" ]]; then
+        echo "Task $TASK_ID gate order is invalid: $before must precede $after" >&2
+        exit 1
+      fi
+    }
+
+    assert_before "red_failed" "red_reason_verified"
+    assert_before "red_reason_verified" "red_seam_verified"
+    assert_before "red_seam_verified" "red_behavior_verified"
+    assert_before "red_behavior_verified" "mock_boundary_verified"
+    assert_before "mock_boundary_verified" "green_passed"
+    assert_before "red_failed" "green_passed"
+    assert_before "green_passed" "refactor_green"
   fi
 fi