opencastle 0.7.0 → 0.8.0

package/README.md

@@ -85,11 +85,11 @@ npx opencastle@1.2.3 update    # pin to a specific version
 
 ## What's Inside
 
-**18 agents.** Developer, UI/UX, Database, Security, Testing, Reviewer, and more.
+**Specialist Agents.** Developer, UI/UX, Database, Security, Testing, Reviewer, and more.
 
-**34 skills.** Loaded on demand to keep context windows lean. Auto-selected during init based on your stack.
+**On-Demand Skills.** Loaded on demand to keep context windows lean. Auto-selected during init based on your stack.
 
-**8 workflows.** Features, bug fixes, data pipelines, security audits — reproducible execution templates.
+**Workflow Templates.** Features, bug fixes, data pipelines, security audits — reproducible execution templates.
 
 **Quality gates.** Fast review after every step. Panel majority vote for high-stakes changes. Lint, test, build checks.
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "opencastle",
-  "version": "0.7.0",
+  "version": "0.8.0",
   "type": "module",
   "description": "Multi-agent orchestration framework for AI coding assistants",
   "bin": {

package/src/dashboard/node_modules/.vite/deps/_metadata.json

@@ -1,25 +1,25 @@
 {
-  "hash": "34cc5b0e",
+  "hash": "ef84f2a1",
   "configHash": "30f8ea04",
-  "lockfileHash": "51ed83e7",
-  "browserHash": "7f7adab5",
+  "lockfileHash": "fc571d9a",
+  "browserHash": "822a1467",
   "optimized": {
     "astro > cssesc": {
       "src": "../../../../../node_modules/cssesc/cssesc.js",
       "file": "astro___cssesc.js",
-      "fileHash": "00126710",
+      "fileHash": "d234c1d0",
       "needsInterop": true
     },
     "astro > aria-query": {
       "src": "../../../../../node_modules/aria-query/lib/index.js",
       "file": "astro___aria-query.js",
-      "fileHash": "8c2d97b4",
+      "fileHash": "bcc57b41",
       "needsInterop": true
     },
     "astro > axobject-query": {
       "src": "../../../../../node_modules/axobject-query/lib/index.js",
       "file": "astro___axobject-query.js",
-      "fileHash": "229c73d4",
+      "fileHash": "196f4f3c",
       "needsInterop": true
     }
   },

package/src/orchestrator/agent-workflows/feature-implementation.md

@@ -204,15 +204,22 @@ If there are no open questions, explicitly state: "No open questions — plan is
 3. Verify no files outside partitions were modified
 4. Check all tracker issue acceptance criteria
 5. Run panel review if high-stakes (security, DB, architecture)
-6. Move all issues to Done
-7. Update session checkpoint → delete checkpoint
-8. Update `.github/customizations/project/roadmap.md`
+6. **Final Smoke Test (Gate 10)** — verify the complete feature end-to-end:
+   - Full clean build of all affected projects (not incremental)
+   - End-to-end browser walkthrough of the complete user flow
+   - Verify all states: loading, empty, populated, error, partial
+   - Cross-task integration check (e.g., migration + component + page compose correctly)
+   - Final responsive sweep at all breakpoints (if UI changes)
+7. Move all issues to Done
+8. Update session checkpoint → delete checkpoint
+9. Update `.github/customizations/project/roadmap.md`
 
 ### Exit Criteria
 
 - [ ] All phases verified
 - [ ] All tracker issues Done
 - [ ] Full build passes
+- [ ] **Final smoke test passed** — complete user flow verified end-to-end
 - [ ] Roadmap updated
 - [ ] Delivery Outcome completed (see `general.instructions.md`) — branch pushed, PR opened (not merged), tracker linked
 

package/src/orchestrator/prompts/bug-fix.prompt.md

@@ -107,12 +107,17 @@ Delegate to the appropriate specialist agent via **sub-agent** (inline). For bug
 
 > Load the **validation-gates** skill for detailed steps on each gate.
 
-Every bug fix must pass ALL of these checks:
-
-1. **Deterministic Checks** — run lint, test, and build for all affected projects (see the **codebase-tool** skill for commands) — all zero errors
-2. **Bug-Specific Verification** (mandatory) — start dev server, reproduce original bug (should be gone), verify correct behavior, test edge cases, screenshot before/after, check both apps if shared code
-3. **Regression Check** — run tests for all projects consuming modified files, browser-test adjacent functionality
-4. **Panel Review** (only if needed) — use **panel-majority-vote** skill if fix touches auth/authorization, RLS, security headers/CSP, or sensitive data
+Every bug fix must pass ALL applicable gates:
+
+1. **Gate 1: Secret Scanning** — scan diff for API keys, tokens, passwords, connection strings — block immediately if found
+2. **Gate 2: Deterministic Checks** — run lint, test, and build for all affected projects (see the **codebase-tool** skill for commands) — all zero errors
+3. **Gate 3: Blast Radius Check** — verify the fix is minimal and scoped (bug fixes should be ≤100 lines, ≤3 files; escalate if larger)
+4. **Gate 4: Dependency Audit** (when `package.json` or lockfiles change) — vulnerability scan, license check, bundle size, duplicates
+5. **Gate 5: Fast Review** (MANDATORY) — single reviewer sub-agent validates the fix. No auto-PASS for sensitive files
+6. **Gate 6: Bug-Specific Verification** (MANDATORY) — start dev server, reproduce original bug (should be gone), verify correct behavior, test edge cases, screenshot before/after, check both apps if shared code
+7. **Gate 7: Browser Testing** (for UI-related bugs) — clear cache, start server, verify fix + responsive + screenshots
+8. **Gate 8: Regression Testing** — run tests for all projects consuming modified files, browser-test adjacent functionality
+9. **Gate 9: Panel Review** (only if needed) — use **panel-majority-vote** skill if fix touches auth/authorization, RLS, security headers/CSP, or sensitive data
 
 ### 6. Delivery
 

package/src/orchestrator/prompts/implement-feature.prompt.md

@@ -79,10 +79,15 @@ Include the self-improvement reminder in every delegation prompt (see `general.i
 
 Every subtask must pass ALL gates before being marked Done:
 
-1. **Gate 1: Deterministic Checks** — run lint, test, and build for all affected projects (see the **codebase-tool** skill for commands) — all zero errors
-2. **Gate 2: Browser Testing** (MANDATORY for UI changes) — clear cache, start server, verify features + responsive + screenshots
-3. **Gate 3: Regression Testing** — full test suite for affected projects, browser-test adjacent pages if shared components changed
-4. **Gate 4: Panel Review** (for high-stakes changes) — use **panel-majority-vote** skill for security, DB migrations, architecture
+1. **Gate 1: Secret Scanning** — scan diff for API keys, tokens, passwords, connection strings — block immediately if found
+2. **Gate 2: Deterministic Checks** — run lint, test, and build for all affected projects (see the **codebase-tool** skill for commands) — all zero errors
+3. **Gate 3: Blast Radius Check** — verify scope is expected (≤200 lines, ≤5 files normal; escalate if >500 lines or >10 files)
+4. **Gate 4: Dependency Audit** (when `package.json` changes) — vulnerability scan, license check, bundle size, duplicates
+5. **Gate 5: Fast Review** (MANDATORY) — single reviewer sub-agent validates every delegation output. No auto-PASS for sensitive files
+6. **Gate 6: Browser Testing** (MANDATORY for UI changes) — clear cache, start server, verify features + responsive + screenshots
+7. **Gate 7: Regression Testing** — full test suite for affected projects, browser-test adjacent pages if shared components changed
+8. **Gate 8: Panel Review** (for high-stakes changes) — use **panel-majority-vote** skill for security, DB migrations, architecture
+9. **Gate 9: Final Smoke Test** — after all tasks Done, verify the complete feature end-to-end as a cohesive unit
 
 ### 5. Delivery
 

package/src/orchestrator/prompts/quick-refinement.prompt.md

@@ -98,11 +98,15 @@ Delegate to the appropriate specialist agent(s). Since follow-ups are scoped and
 
 > Load the **validation-gates** skill for detailed steps on each gate.
 
-Every follow-up, no matter how small, must pass these checks:
-
-1. **Deterministic Checks** — run lint, test, and build for all affected projects (see the **codebase-tool** skill for commands) — all zero errors
-2. **Browser Testing** (MANDATORY for any visual change) — clear cache, start server, verify scenario + responsive + screenshot evidence
-3. **Regression Check** — if shared component/library modified, run tests for all consuming projects and browser-test at least one page per affected app
+Every follow-up, no matter how small, must pass these gates:
+
+1. **Gate 1: Secret Scanning** — scan diff for API keys, tokens, passwords, connection strings — block immediately if found
+2. **Gate 2: Deterministic Checks** — run lint, test, and build for all affected projects (see the **codebase-tool** skill for commands) — all zero errors
+3. **Gate 3: Blast Radius Check** — verify scope matches the "small follow-up" expectation (≤100 lines, ≤3 files normal; if larger, escalate to `implement-feature` workflow)
+4. **Gate 4: Dependency Audit** (when `package.json` or lockfiles change) — vulnerability scan, license check, bundle size, duplicates
+5. **Gate 5: Fast Review** (MANDATORY) — single reviewer sub-agent validates the change. No auto-PASS for sensitive files
+6. **Gate 6: Browser Testing** (MANDATORY for any visual change) — clear cache, start server, verify scenario + responsive + screenshot evidence
+7. **Gate 7: Regression Testing** — if shared component/library modified, run tests for all consuming projects and browser-test at least one page per affected app
 
 ### 6. Delivery
 

package/src/orchestrator/prompts/resolve-pr-comments.prompt.md

@@ -57,10 +57,21 @@ Acceptance criteria:
 
 ### Phase 4: Verify & Report
 
-1. **Run verification** — run lint, test, and build for all affected projects (see the **codebase-tool** skill for commands)
-2. **Commit fixes** — Use descriptive commit messages referencing the PR: `TAS-XX: Address PR review — [summary]`
-3. **Push to the same branch** — The PR updates automatically
-4. **Report back** — Provide a structured summary of what was resolved
+> Load the **validation-gates** skill for detailed steps on each gate.
+
+All fixes must pass applicable gates before pushing:
+
+1. **Gate 1: Secret Scanning** — scan diff for API keys, tokens, passwords, connection strings — block immediately if found
+2. **Gate 2: Deterministic Checks** — run lint, test, and build for all affected projects (see the **codebase-tool** skill for commands) — all zero errors
+3. **Gate 3: Blast Radius Check** — verify changes are scoped to commented files only; flag any files modified outside the comment scope
+4. **Gate 4: Fast Review** (MANDATORY) — single reviewer sub-agent validates the combined PR comment fixes
+5. **Gate 5: Regression Testing** — run tests for all projects consuming modified files
+
+After all gates pass:
+
+6. **Commit fixes** — Use descriptive commit messages referencing the PR: `TAS-XX: Address PR review — [summary]`
+7. **Push to the same branch** — The PR updates automatically
+8. **Report back** — Provide a structured summary of what was resolved
 
 ## Output Format
 
@@ -85,9 +96,12 @@ After resolving comments, report:
 | path/to/file.ts | [question/debate] | [your take + options] |
 
 ### Verification
+- Secret Scanning: PASS/FAIL
 - Lint: PASS/FAIL
 - Tests: PASS/FAIL
 - Build: PASS/FAIL
+- Blast Radius: PASS/ESCALATED
+- Fast Review: PASS/FAIL
 
 ### Commits
 - `abc1234` TAS-XX: Address PR review — [summary]

package/src/orchestrator/skills/fast-review/SKILL.md

@@ -123,7 +123,9 @@ CONFIDENCE: low | medium | high
 **Auto-PASS conditions (skip reviewer):**
 - The delegation was pure research/exploration with no code changes
 - The delegation only modified documentation files (`.md`)
-- All deterministic gates already passed AND the change is ≤10 lines across ≤2 files
+- All deterministic gates already passed AND the change is ≤10 lines across ≤2 files AND **no sensitive files were touched** (see validation-gates Gate 3 sensitive file list)
+
+> **Sensitive file override:** Changes to auth/middleware files, database migrations, RLS policies, security headers, CSP configuration, environment variable schemas, or CI/CD configuration **always** require a reviewer — even for 1-line changes. Auto-PASS never applies to these files.
 
 ### Step 4: Handle Verdict
 
@@ -247,14 +249,23 @@ Fast review sits between the agent's output and the Team Lead's acceptance:
 Agent completes work
        │
        ▼
-Deterministic checks (lint, test, build)  ← validation-gates Gate 1
+Secret Scanning                           ← validation-gates Gate 1
+       │
+       ▼
+Deterministic checks (lint, test, build)  ← validation-gates Gate 2
+       │
+       ▼
+Blast Radius Check                        ← validation-gates Gate 3
+       │
+       ▼
+Dependency Audit (if packages changed)    ← validation-gates Gate 4
        │
        ▼
-Fast Review (this skill)                  ← validation-gates Gate 1.5
+Fast Review (this skill)                  ← validation-gates Gate 5
        │
        ├── PASS → Accept, move to next task
        ├── FAIL → Retry loop (up to 2x)
-       └── 3x FAIL → Escalate to Panel (Gate 5)
+       └── 3x FAIL → Escalate to Panel (Gate 9)
 ```
 
 ### Relationship to on-post-delegate Hook

package/src/orchestrator/skills/validation-gates/SKILL.md

@@ -1,6 +1,6 @@
 ---
 name: validation-gates
-description: "Shared validation gates for all orchestration workflows — deterministic checks, browser testing, cache management, regression checks. Referenced by prompt templates to maintain single source of truth."
+description: "Shared validation gates for all orchestration workflows — secret scanning, deterministic checks, blast radius analysis, dependency auditing, browser testing, cache management, regression checks, and final smoke tests. Referenced by prompt templates to maintain single source of truth."
 ---
 
 <!-- ⚠️ This file is managed by OpenCastle. Edits will be overwritten on update. Customize in the .github/customizations/ directory instead. -->
@@ -9,7 +9,57 @@ description: "Shared validation gates for all orchestration workflows — determ
 
 Canonical reference for validation gates shared across all orchestration workflows. Prompt templates reference this skill to avoid duplication.
 
-## Gate 1: Deterministic Checks
+**Gate summary:**
+
+| Gate | Name | Runs When |
+|------|------|-----------|
+| 1 | Secret Scanning | Every delegation |
+| 2 | Deterministic Checks | Every delegation |
+| 3 | Blast Radius Check | Every delegation |
+| 4 | Dependency Audit | When `package.json` or lockfiles change |
+| 5 | Fast Review | Every delegation (with auto-PASS exceptions) |
+| 6 | Cache Clearing | Before browser testing |
+| 7 | Browser Testing | UI changes |
+| 8 | Regression Testing | Every delegation |
+| 9 | Panel Review | High-stakes changes only |
+| 10 | Final Smoke Test | Feature completion (after all tasks Done) |
+
+---
+
+## Gate 1: Secret Scanning
+
+> **HARD GATE — Constitution rule #1.** No tokens, keys, passwords, or connection strings in code, logs, commits, or terminal output.
+
+Scan every diff **before** any other gate. A secret leak caught after merge is exponentially more expensive than one caught at review time.
+
+### What to scan
+
+Run a regex scan of all changed files for patterns that match common secret formats:
+
+```bash
+# Scan staged/changed files for common secret patterns
+grep -rn -E '(AKIA[0-9A-Z]{16}|sk-[a-zA-Z0-9]{20,}|ghp_[a-zA-Z0-9]{36}|glpat-[a-zA-Z0-9\-]{20}|xox[bpors]-[a-zA-Z0-9\-]+|eyJ[a-zA-Z0-9]{10,}\.[a-zA-Z0-9]{10,}|-----BEGIN (RSA |EC |DSA )?PRIVATE KEY-----|mongodb(\+srv)?://[^\s]+|postgres(ql)?://[^\s]+|mysql://[^\s]+|redis://[^\s]+)' <changed-files>
+```
+
+Also check for:
+- Hardcoded `password`, `secret`, `api_key`, `apiKey`, `token` assignments (not just references)
+- `.env` file contents copied into source files
+- Base64-encoded secrets (common obfuscation attempt)
+
+### On detection
+
+- **BLOCK immediately** — do not proceed to Gate 2
+- Flag the specific file and line number
+- Re-delegate to the agent with explicit instruction to use environment variables instead
+- If a secret was already committed, **rotate it immediately** — git history is permanent
+
+### Exceptions
+
+- Test fixtures with obviously fake values (e.g., `sk-test-1234567890`)
+- Documentation examples with placeholder values (e.g., `YOUR_API_KEY_HERE`)
+- Pattern matches inside comments that are clearly explanatory
+
+## Gate 2: Deterministic Checks
 
 Run for every affected project (resolve exact commands via the **codebase-tool** skill):
 
@@ -19,31 +69,84 @@ Run for every affected project (resolve exact commands via the **codebase-tool**
 
 All must pass with zero errors. Run for **every** project that consumed modified files, not just the primary project.
 
-## Gate 1.5: Fast Review (MANDATORY)
+## Gate 3: Blast Radius Check
+
+Assess the scope of changes to catch scope creep and ensure reviewers can evaluate the diff effectively.
+
+### Thresholds
+
+| Metric | Normal | Warning | Escalate |
+|--------|--------|---------|----------|
+| Lines changed | ≤200 | 201–500 | >500 |
+| Files changed | ≤5 | 6–10 | >10 |
+| Projects affected | ≤1 | 2 | >2 |
+
+### Actions
+
+- **Normal** — proceed to Gate 4
+- **Warning** — log a note in the delegation record. Ask: *"Was this scope expected?"* If yes, proceed. If unexpected, investigate whether the agent drifted from the partition
+- **Escalate** — **STOP.** The Team Lead must review the diff before proceeding:
+  1. Verify all changed files are within the agent's assigned partition
+  2. Check whether the task should have been split into smaller subtasks
+  3. If scope creep: revert extra changes, re-delegate with tighter scope
+  4. If legitimately large: proceed, but **always run fast review** (no auto-PASS) and consider panel review
+
+### Sensitive files
+
+Changes to these file categories always trigger Warning regardless of line count:
+
+- Auth/middleware files (e.g., `middleware.ts`, `auth.ts`, `**/auth/**`)
+- Database migrations, RLS policies
+- Security headers, CSP configuration (`next.config.*`, `vercel.json`)
+- Environment variable schemas (`.env.example`, `env.ts`)
+- CI/CD configuration (`.github/workflows/**`)
+- Package manager configs (`package.json`, lockfiles) — also triggers Gate 4
+
+## Gate 4: Dependency Audit
+
+> Runs only when `package.json`, `yarn.lock`, `package-lock.json`, `pnpm-lock.yaml`, or similar lockfiles are modified.
+
+When agents add, remove, or update npm packages, verify:
+
+1. **Vulnerability scan** — Run `npm audit` (or the project's equivalent). No new `high` or `critical` vulnerabilities
+2. **License compatibility** — New packages must use MIT, Apache-2.0, BSD-2-Clause, BSD-3-Clause, or ISC licenses. Flag any copyleft (GPL, LGPL, AGPL) or proprietary licenses for human review
+3. **Bundle size impact** — For frontend packages, note the minified + gzipped size. Flag packages >50KB gzipped that have lighter alternatives
+4. **Duplicate functionality** — Check whether the new dependency overlaps with an existing one (e.g., adding `moment` when `date-fns` is already installed)
+5. **Maintenance health** — Flag packages with no updates in >2 years or <100 weekly downloads
+
+### On failure
+
+- **Vulnerability:** BLOCK. Re-delegate with instruction to use a patched version or alternative package
+- **License concern:** Flag for human review. Do not block, but document in the PR description
+- **Size/duplicate:** Flag as SHOULD-FIX in the fast review. Not blocking unless egregious (>200KB)
+
+## Gate 5: Fast Review (MANDATORY)
 
 > **HARD GATE:** Every agent delegation output must pass fast review before acceptance. This is non-negotiable — even for overnight/unattended runs. Load the **fast-review** skill for the full procedure.
 
-After deterministic checks (Gate 1) pass:
+After gates 1–4 pass:
 
 1. **Spawn a single reviewer sub-agent** with the review prompt from the fast-review skill
 2. **On PASS** — proceed to remaining gates
 3. **On FAIL** — re-delegate to the same agent with reviewer feedback (up to 2 retries)
-4. **On 3x FAIL** — escalate to panel review (Gate 5)
+4. **On 3x FAIL** — escalate to panel review (Gate 9)
 
 The reviewer validates: acceptance criteria met, file partition respected, no regressions, type safety, error handling, security basics, and edge cases.
 
 **Auto-PASS conditions** (skip the reviewer sub-agent):
 - Pure research/exploration with no code changes
 - Only `.md` files were modified
-- All deterministic gates passed AND the change is ≤10 lines across ≤2 files
+- All deterministic gates passed AND the change is ≤10 lines across ≤2 files AND **no sensitive files were touched** (see Gate 3 sensitive file list)
 
-## Gate 2: Cache Clearing (BEFORE Browser Testing)
+> **Sensitive file override:** If any changed file falls into the sensitive file categories listed in Gate 3 (auth, migrations, security headers, env schemas, CI/CD), auto-PASS is **never** applied — even for 1-line changes. These files always get a human-quality review.
+
+## Gate 6: Cache Clearing (BEFORE Browser Testing)
 
 **Always clear before testing.** Testing stale code wastes time and produces false results.
 
 Clear framework caches and task runner caches before starting the dev server for browser testing. See the **codebase-tool** skill for cache-clearing commands.
 
-## Gate 3: Browser Testing (MANDATORY for UI Changes)
+## Gate 7: Browser Testing (MANDATORY for UI Changes)
 
 > **HARD GATE:** A task with UI changes is NOT done until you have screenshots in Chrome proving the feature works. "The code looks correct" is not proof. "Tests pass" is not proof. Only a screenshot of the working UI in Chrome is proof.
 
@@ -59,7 +162,7 @@ Clear framework caches and task runner caches before starting the dev server for
 
 Load the **browser-testing** skill for Chrome MCP commands, breakpoint details, and reporting format.
 
-## Gate 4: Regression Testing
+## Gate 8: Regression Testing
 
 New features must not break existing functionality:
 
@@ -68,7 +171,7 @@ New features must not break existing functionality:
 3. **Verify navigation** — Ensure routing, links, and back-button behavior still work
 4. **Check shared components** — If a component from a shared library was modified, test it in all apps that consume it
 
-## Gate 5: Panel Review (High-Stakes Only)
+## Gate 9: Panel Review (High-Stakes Only)
 
 Use the **panel-majority-vote** skill for:
 
@@ -79,16 +182,50 @@ Use the **panel-majority-vote** skill for:
 
 If the panel returns BLOCK, extract MUST-FIX items, re-delegate to the same agent, and re-run the panel. Never skip, never halt. Max 3 attempts, then escalate to Architect.
 
+## Gate 10: Final Smoke Test (Feature-Level)
+
+> Runs once after ALL tasks in a feature are Done — not per-task.
+
+Individual tasks pass gates 1–9 independently. But the combined result may have integration issues that per-task testing misses. This gate verifies the feature as a cohesive unit.
+
+### Steps
+
+1. **Full build** — Build all affected projects from clean state (not incremental)
+2. **Full test suite** — Run tests across all projects that consumed any changed files
+3. **End-to-end browser walkthrough** — Navigate the complete user flow from start to finish:
+   - Verify all states: loading, empty, populated, error, partial
+   - Test every state transition end-to-end (not just individual screens)
+   - Confirm data flows correctly between pages/components
+   - Test the happy path AND at least one error path
+4. **Cross-task integration check** — Verify that outputs from different tasks (e.g., DB migration + component + page) compose correctly
+5. **Smoke test at all breakpoints** — If the feature has UI, one final responsive sweep
+
+### When to skip
+
+- Non-UI features with comprehensive test coverage (e.g., pure backend/data pipeline work where tests verify integration)
+- Single-task features (Gate 8 already covers regression)
+
+### On failure
+
+Re-delegate the specific failing integration point to the agent responsible for that layer. Do NOT re-run the entire feature implementation.
+
+---
+
 ## Universal Completion Checklist
 
 Use this checklist for any orchestration workflow:
 
-- [ ] Lint, test, and build pass for all affected projects
-- [ ] **Fast review passed** (mandatory — load **fast-review** skill)
-- [ ] Dev server started with **clean cache** (clear framework + task runner caches — see the **codebase-tool** skill)
-- [ ] UI changes verified in Chrome with screenshots at all breakpoints
+- [ ] **No secrets in diff** (Gate 1)
+- [ ] Lint, test, and build pass for all affected projects (Gate 2)
+- [ ] Blast radius assessed — scope is expected (Gate 3)
+- [ ] Dependency audit passed if packages changed (Gate 4)
+- [ ] **Fast review passed** (mandatory — load **fast-review** skill) (Gate 5)
+- [ ] Dev server started with **clean cache** (Gate 6)
+- [ ] UI changes verified in Chrome with screenshots at all breakpoints (Gate 7)
 - [ ] Every acceptance criteria item visually confirmed — not just "page loads"
-- [ ] No regressions in adjacent functionality
+- [ ] No regressions in adjacent functionality (Gate 8)
+- [ ] Panel review passed for high-stakes changes (Gate 9)
+- [ ] **Final smoke test passed** for multi-task features (Gate 10)
 - [ ] Shared code changes tested across all consuming apps
 - [ ] No duplicated code — shared logic extracted to libraries
 - [ ] Lessons learned captured if any retries occurred