shipwright-cli 2.4.0 → 3.1.0

package/scripts/lib/pipeline-stages.sh

@@ -1,8 +1,23 @@
-# pipeline-stages.sh — Stage implementations (intake, plan, build, test, review, pr, merge, deploy, validate, monitor) for sw-pipeline.sh
+# pipeline-stages.sh — Stage implementations (intake, plan, build, test, review, compound_quality, pr, merge, deploy, validate, monitor) for sw-pipeline.sh
 # Source from sw-pipeline.sh. Requires all pipeline globals and state/github/detection/quality modules.
 [[ -n "${_PIPELINE_STAGES_LOADED:-}" ]] && return 0
 _PIPELINE_STAGES_LOADED=1
 
+# ─── Safe git helpers ────────────────────────────────────────────────────────
+# BASE_BRANCH may not exist locally (e.g. --local mode with no remote).
+# These helpers return empty output instead of crashing under set -euo pipefail.
+_safe_base_log() {
+    local branch="${BASE_BRANCH:-main}"
+    git rev-parse --verify "$branch" >/dev/null 2>&1 || { echo ""; return 0; }
+    git log "$@" "${branch}..HEAD" 2>/dev/null || true
+}
+
+_safe_base_diff() {
+    local branch="${BASE_BRANCH:-main}"
+    git rev-parse --verify "$branch" >/dev/null 2>&1 || { git diff HEAD~5 "$@" 2>/dev/null || true; return 0; }
+    git diff "${branch}...HEAD" "$@" 2>/dev/null || true
+}
+
 show_stage_preview() {
     local stage_id="$1"
     echo ""
@@ -12,8 +27,10 @@ show_stage_preview() {
         plan)     echo -e "  Generate plan via Claude, post task checklist to issue" ;;
         design)   echo -e "  Generate Architecture Decision Record (ADR), evaluate alternatives" ;;
         build)    echo -e "  Delegate to ${CYAN}shipwright loop${RESET} for autonomous building" ;;
+        test_first) echo -e "  Generate tests from requirements (TDD mode) before implementation" ;;
         test)     echo -e "  Run test suite and check coverage" ;;
         review)   echo -e "  AI code review on the diff, post findings" ;;
+        compound_quality) echo -e "  Adversarial review, negative tests, e2e, DoD audit" ;;
         pr)       echo -e "  Create GitHub PR with labels, reviewers, milestone" ;;
         merge)    echo -e "  Wait for CI checks, merge PR, optionally delete branch" ;;
         deploy)   echo -e "  Deploy to staging/production with rollback" ;;
@@ -125,7 +142,7 @@ stage_plan() {
     CURRENT_STAGE_ID="plan"
     local plan_file="$ARTIFACTS_DIR/plan.md"
 
-    if ! command -v claude &>/dev/null; then
+    if ! command -v claude >/dev/null 2>&1; then
         error "Claude CLI not found — cannot generate plan"
         return 1
     fi
@@ -138,6 +155,12 @@ stage_plan() {
         "$context_script" gather --goal "$GOAL" --stage plan 2>/dev/null || true
     fi
 
+    # Gather rich architecture context (call-graph, dependencies)
+    local arch_context=""
+    if type gather_architecture_context &>/dev/null; then
+        arch_context=$(gather_architecture_context "${PROJECT_ROOT:-.}" 2>/dev/null || true)
+    fi
+
     # Build rich prompt with all available context
     local plan_prompt="You are an autonomous development agent. Analyze this codebase and create a detailed implementation plan.
 
@@ -153,6 +176,14 @@ ${ISSUE_BODY}
 "
     fi
 
+    # Inject architecture context (import graph, modules, test map)
+    if [[ -n "$arch_context" ]]; then
+        plan_prompt="${plan_prompt}
+## Architecture Context
+${arch_context}
+"
+    fi
+
     # Inject context bundle from context engine (if available)
     local _context_bundle="${ARTIFACTS_DIR}/context-bundle.md"
     if [[ -f "$_context_bundle" ]]; then
@@ -167,7 +198,7 @@ ${_cb_content}
     fi
 
     # Inject intelligence memory context for similar past plans
-    if type intelligence_search_memory &>/dev/null 2>&1; then
+    if type intelligence_search_memory >/dev/null 2>&1; then
         local plan_memory
         plan_memory=$(intelligence_search_memory "plan stage for ${TASK_TYPE:-feature}: ${GOAL:-}" "${HOME}/.shipwright/memory" 5 2>/dev/null) || true
         if [[ -n "$plan_memory" && "$plan_memory" != *'"results":[]'* && "$plan_memory" != *'"error"'* ]]; then
@@ -285,10 +316,22 @@ Checklist of completion criteria.
     fi
 
     local _token_log="${ARTIFACTS_DIR}/.claude-tokens-plan.log"
-    claude --print --model "$plan_model" --max-turns 25 \
+    claude --print --model "$plan_model" --max-turns 25 --dangerously-skip-permissions \
         "$plan_prompt" < /dev/null > "$plan_file" 2>"$_token_log" || true
     parse_claude_tokens "$_token_log"
 
+    # Claude may write to disk via tools instead of stdout — rescue those files
+    local _plan_rescue
+    for _plan_rescue in "${PROJECT_ROOT}/PLAN.md" "${PROJECT_ROOT}/plan.md" \
+                         "${PROJECT_ROOT}/implementation-plan.md"; do
+        if [[ -s "$_plan_rescue" ]] && [[ $(wc -l < "$plan_file" 2>/dev/null | xargs) -lt 10 ]]; then
+            info "Plan written to ${_plan_rescue} via tools — adopting as plan artifact"
+            cat "$_plan_rescue" >> "$plan_file"
+            rm -f "$_plan_rescue"
+            break
+        fi
+    done
+
     if [[ ! -s "$plan_file" ]]; then
         error "Plan generation failed — empty output"
         return 1
@@ -392,7 +435,7 @@ CC_TASKS_EOF
 
     # ── Plan Validation Gate ──
     # Ask Claude to validate the plan before proceeding
-    if command -v claude &>/dev/null && [[ -s "$plan_file" ]]; then
+    if command -v claude >/dev/null 2>&1 && [[ -s "$plan_file" ]]; then
         local validation_attempts=0
         local max_validation_attempts=2
         local plan_valid=false
@@ -405,7 +448,7 @@ CC_TASKS_EOF
             local validation_extra=""
 
             # Inject rejected plan history from memory
-            if type intelligence_search_memory &>/dev/null 2>&1; then
+            if type intelligence_search_memory >/dev/null 2>&1; then
                 local rejected_plans
                 rejected_plans=$(intelligence_search_memory "rejected plan validation failures for: ${GOAL:-}" "${HOME}/.shipwright/memory" 3 2>/dev/null) || true
                 if [[ -n "$rejected_plans" ]]; then
@@ -560,16 +603,22 @@ stage_design() {
         return 0
     fi
 
-    if ! command -v claude &>/dev/null; then
+    if ! command -v claude >/dev/null 2>&1; then
         error "Claude CLI not found — cannot generate design"
         return 1
     fi
 
     info "Generating Architecture Decision Record..."
 
+    # Gather rich architecture context (call-graph, dependencies)
+    local arch_struct_context=""
+    if type gather_architecture_context &>/dev/null; then
+        arch_struct_context=$(gather_architecture_context "${PROJECT_ROOT:-.}" 2>/dev/null || true)
+    fi
+
     # Memory integration — inject context if memory system available
     local memory_context=""
-    if type intelligence_search_memory &>/dev/null 2>&1; then
+    if type intelligence_search_memory >/dev/null 2>&1; then
         local mem_dir="${HOME}/.shipwright/memory"
         memory_context=$(intelligence_search_memory "design stage architecture patterns for: ${GOAL:-}" "$mem_dir" 5 2>/dev/null) || true
     fi
@@ -608,7 +657,7 @@ ${arch_layers}}"
 
     # Inject rejected design approaches and anti-patterns from memory
     local design_antipatterns=""
-    if type intelligence_search_memory &>/dev/null 2>&1; then
+    if type intelligence_search_memory >/dev/null 2>&1; then
         local rejected_designs
         rejected_designs=$(intelligence_search_memory "rejected design approaches anti-patterns for: ${GOAL:-}" "${HOME}/.shipwright/memory" 3 2>/dev/null) || true
         if [[ -n "$rejected_designs" ]]; then
@@ -636,7 +685,10 @@ $(cat "$plan_file")
 - Language: ${project_lang}
 - Test command: ${TEST_CMD:-not configured}
 - Task type: ${TASK_TYPE:-feature}
-${memory_context:+
+${arch_struct_context:+
+## Architecture Context (import graph, modules, test map)
+${arch_struct_context}
+}${memory_context:+
 ## Historical Context (from memory)
 ${memory_context}
 }${arch_context:+
@@ -684,10 +736,22 @@ Be concrete and specific. Reference actual file paths in the codebase. Consider
     fi
 
     local _token_log="${ARTIFACTS_DIR}/.claude-tokens-design.log"
-    claude --print --model "$design_model" --max-turns 25 \
+    claude --print --model "$design_model" --max-turns 25 --dangerously-skip-permissions \
         "$design_prompt" < /dev/null > "$design_file" 2>"$_token_log" || true
     parse_claude_tokens "$_token_log"
 
+    # Claude may write to disk via tools instead of stdout — rescue those files
+    local _design_rescue
+    for _design_rescue in "${PROJECT_ROOT}/design-adr.md" "${PROJECT_ROOT}/design.md" \
+                           "${PROJECT_ROOT}/ADR.md" "${PROJECT_ROOT}/DESIGN.md"; do
+        if [[ -s "$_design_rescue" ]] && [[ $(wc -l < "$design_file" 2>/dev/null | xargs) -lt 10 ]]; then
+            info "Design written to ${_design_rescue} via tools — adopting as design artifact"
+            cat "$_design_rescue" >> "$design_file"
+            rm -f "$_design_rescue"
+            break
+        fi
+    done
+
     if [[ ! -s "$design_file" ]]; then
         error "Design generation failed — empty output"
         return 1
@@ -715,7 +779,7 @@ Be concrete and specific. Reference actual file paths in the codebase. Consider
     files_to_modify=$(sed -n '/Files to modify/,/^-\|^#\|^$/p' "$design_file" 2>/dev/null | grep -E '^\s*-' | head -20 || true)
 
     if [[ -n "$files_to_create" || -n "$files_to_modify" ]]; then
-        info "Design scope: ${DIM}$(echo "$files_to_create $files_to_modify" | grep -c '^\s*-' || echo 0) file(s)${RESET}"
+        info "Design scope: ${DIM}$(echo "$files_to_create $files_to_modify" | grep -c '^\s*-' || true) file(s)${RESET}"
     fi
 
     # Post design to GitHub issue
@@ -741,6 +805,117 @@ _Generated by \`shipwright pipeline\` design stage at $(now_iso)_"
     log_stage "design" "Generated design.md (${line_count} lines)"
 }
 
+# ─── TDD: Generate tests before implementation ─────────────────────────────────
+stage_test_first() {
+    CURRENT_STAGE_ID="test_first"
+    info "Generating tests from requirements (TDD mode)"
+
+    local plan_file="${ARTIFACTS_DIR}/plan.md"
+    local goal_file="${PROJECT_ROOT}/.claude/goal.md"
+    local requirements=""
+    if [[ -f "$plan_file" ]]; then
+        requirements=$(cat "$plan_file" 2>/dev/null || true)
+    elif [[ -f "$goal_file" ]]; then
+        requirements=$(cat "$goal_file" 2>/dev/null || true)
+    else
+        requirements="${GOAL:-}: ${ISSUE_BODY:-}"
+    fi
+
+    local tdd_prompt="You are writing tests BEFORE implementation (TDD).
+
+Based on the following plan/requirements, generate test files that define the expected behavior. These tests should FAIL initially (since the implementation doesn't exist yet) but define the correct interface and behavior.
+
+Requirements:
+${requirements}
+
+Instructions:
+1. Create test files for each component mentioned in the plan
+2. Tests should verify the PUBLIC interface and expected behavior
+3. Include edge cases and error handling tests
+4. Tests should be runnable with the project's test framework
+5. Mark tests that need implementation with clear TODO comments
+6. Do NOT write implementation code — only tests
+
+Output format: For each test file, use a fenced code block with the file path as the language identifier (e.g. \`\`\`tests/auth.test.ts):
+\`\`\`path/to/test.test.ts
+// file content
+\`\`\`
+
+Create files in the appropriate project directories (e.g. tests/, __tests__/, src/**/*.test.ts) per project convention."
+
+    local model="${CLAUDE_MODEL:-${MODEL:-sonnet}}"
+    [[ -z "$model" || "$model" == "null" ]] && model="sonnet"
+
+    local output=""
+    output=$(echo "$tdd_prompt" | timeout 120 claude --print --model "$model" 2>/dev/null) || {
+        warn "TDD test generation failed, falling back to standard build"
+        return 1
+    }
+
+    # Parse output: extract fenced code blocks and write to files
+    local wrote_any=false
+    local block_path="" in_block=false block_content=""
+    while IFS= read -r line; do
+        if [[ "$line" =~ ^\`\`\`([a-zA-Z0-9_/\.\-]+)$ ]]; then
+            if [[ -n "$block_path" && -n "$block_content" ]]; then
+                local out_file="${PROJECT_ROOT}/${block_path}"
+                local out_dir
+                out_dir=$(dirname "$out_file")
+                mkdir -p "$out_dir" 2>/dev/null || true
+                if echo "$block_content" > "$out_file" 2>/dev/null; then
+                    wrote_any=true
+                    info "  Wrote: $block_path"
+                fi
+            fi
+            block_path="${BASH_REMATCH[1]}"
+            block_content=""
+            in_block=true
+        elif [[ "$line" == "\`\`\`" && "$in_block" == "true" ]]; then
+            if [[ -n "$block_path" && -n "$block_content" ]]; then
+                local out_file="${PROJECT_ROOT}/${block_path}"
+                local out_dir
+                out_dir=$(dirname "$out_file")
+                mkdir -p "$out_dir" 2>/dev/null || true
+                if echo "$block_content" > "$out_file" 2>/dev/null; then
+                    wrote_any=true
+                    info "  Wrote: $block_path"
+                fi
+            fi
+            block_path=""
+            block_content=""
+            in_block=false
+        elif [[ "$in_block" == "true" && -n "$block_path" ]]; then
+            [[ -n "$block_content" ]] && block_content="${block_content}"$'\n'
+            block_content="${block_content}${line}"
+        fi
+    done <<< "$output"
+
+    # Flush last block if unclosed
+    if [[ -n "$block_path" && -n "$block_content" ]]; then
+        local out_file="${PROJECT_ROOT}/${block_path}"
+        local out_dir
+        out_dir=$(dirname "$out_file")
+        mkdir -p "$out_dir" 2>/dev/null || true
+        if echo "$block_content" > "$out_file" 2>/dev/null; then
+            wrote_any=true
+            info "  Wrote: $block_path"
+        fi
+    fi
+
+    if [[ "$wrote_any" == "true" ]]; then
+        if (cd "$PROJECT_ROOT" && git diff --name-only 2>/dev/null | grep -qE 'test|spec'); then
+            git add -A 2>/dev/null || true
+            git commit -m "test: TDD - define expected behavior before implementation" 2>/dev/null || true
+            emit_event "tdd.tests_generated" "{\"stage\":\"test_first\"}"
+        fi
+        success "TDD tests generated"
+    else
+        warn "No test files extracted from TDD output — check format"
+    fi
+
+    return 0
+}
+
 stage_build() {
     local plan_file="$ARTIFACTS_DIR/plan.md"
     local design_file="$ARTIFACTS_DIR/design.md"
@@ -749,7 +924,7 @@ stage_build() {
 
     # Memory integration — inject context if memory system available
     local memory_context=""
-    if type intelligence_search_memory &>/dev/null 2>&1; then
+    if type intelligence_search_memory >/dev/null 2>&1; then
         local mem_dir="${HOME}/.shipwright/memory"
         memory_context=$(intelligence_search_memory "build stage for: ${GOAL:-}" "$mem_dir" 5 2>/dev/null) || true
     fi
@@ -761,6 +936,13 @@ stage_build() {
     local enriched_goal
     enriched_goal=$(_pipeline_compact_goal "$GOAL" "$plan_file" "$design_file")
 
+    # TDD: when test_first ran, tell build to make existing tests pass
+    if [[ "${TDD_ENABLED:-false}" == "true" || "${PIPELINE_TDD:-}" == "true" ]]; then
+        enriched_goal="${enriched_goal}
+
+IMPORTANT (TDD mode): Test files already exist and define the expected behavior. Write implementation code to make ALL tests pass. Do not delete or modify the test files."
+    fi
+
     # Inject memory context
     if [[ -n "$memory_context" ]]; then
         enriched_goal="${enriched_goal}
@@ -790,7 +972,7 @@ $(cat "$TASKS_FILE")"
     fi
 
     # Inject file hotspots from GitHub intelligence
-    if [[ "${NO_GITHUB:-}" != "true" ]] && type gh_file_change_frequency &>/dev/null 2>&1; then
+    if [[ "${NO_GITHUB:-}" != "true" ]] && type gh_file_change_frequency >/dev/null 2>&1; then
         local build_hotspots
         build_hotspots=$(gh_file_change_frequency 2>/dev/null | head -5 || true)
         if [[ -n "$build_hotspots" ]]; then
@@ -802,7 +984,7 @@ ${build_hotspots}"
     fi
 
     # Inject security alerts context
-    if [[ "${NO_GITHUB:-}" != "true" ]] && type gh_security_alerts &>/dev/null 2>&1; then
+    if [[ "${NO_GITHUB:-}" != "true" ]] && type gh_security_alerts >/dev/null 2>&1; then
         local build_alerts
         build_alerts=$(gh_security_alerts 2>/dev/null | head -3 || true)
         if [[ -n "$build_alerts" ]]; then
@@ -930,8 +1112,14 @@ ${prevention_text}"
     # Definition of Done: use plan-extracted DoD if available
     [[ -s "$dod_file" ]] && loop_args+=(--definition-of-done "$dod_file")
 
-    # Skip permissions in CI (no interactive terminal)
-    [[ "${CI_MODE:-false}" == "true" ]] && loop_args+=(--skip-permissions)
+    # Checkpoint resume: when pipeline resumed from build-stage checkpoint, pass --resume to loop
+    if [[ "${RESUME_FROM_CHECKPOINT:-false}" == "true" && "${checkpoint_stage:-}" == "build" ]]; then
+        loop_args+=(--resume)
+    fi
+
+    # Skip permissions — pipeline runs headlessly (claude -p) and has no terminal
+    # for interactive permission prompts. Without this flag, agents can't write files.
+    loop_args+=(--skip-permissions)
 
     info "Starting build loop: ${DIM}shipwright loop${RESET} (max ${max_iter} iterations, ${agents} agent(s))"
 
@@ -967,7 +1155,7 @@ ${prevention_text}"
 
     # Read accumulated token counts from build loop (written by sw-loop.sh)
     local _loop_token_file="${PROJECT_ROOT}/.claude/loop-logs/loop-tokens.json"
-    if [[ -f "$_loop_token_file" ]] && command -v jq &>/dev/null; then
+    if [[ -f "$_loop_token_file" ]] && command -v jq >/dev/null 2>&1; then
         local _loop_in _loop_out _loop_cost
         _loop_in=$(jq -r '.input_tokens // 0' "$_loop_token_file" 2>/dev/null || echo "0")
         _loop_out=$(jq -r '.output_tokens // 0' "$_loop_token_file" 2>/dev/null || echo "0")
@@ -984,13 +1172,13 @@ ${prevention_text}"
 
     # Count commits made during build
     local commit_count
-    commit_count=$(git log --oneline "${BASE_BRANCH}..HEAD" 2>/dev/null | wc -l | xargs)
+    commit_count=$(_safe_base_log --oneline | wc -l | xargs)
     info "Build produced ${BOLD}$commit_count${RESET} commit(s)"
 
     # Commit quality evaluation when intelligence is enabled
-    if type intelligence_search_memory &>/dev/null 2>&1 && command -v claude &>/dev/null && [[ "${commit_count:-0}" -gt 0 ]]; then
+    if type intelligence_search_memory >/dev/null 2>&1 && command -v claude >/dev/null 2>&1 && [[ "${commit_count:-0}" -gt 0 ]]; then
         local commit_msgs
-        commit_msgs=$(git log --format="%s" "${BASE_BRANCH}..HEAD" 2>/dev/null | head -20)
+        commit_msgs=$(_safe_base_log --format="%s" | head -20)
         local quality_score
         quality_score=$(claude --print --output-format text -p "Rate the quality of these git commit messages on a scale of 0-100. Consider: focus (one thing per commit), clarity (describes the why), atomicity (small logical units). Reply with ONLY a number 0-100.
 
@@ -1086,6 +1274,14 @@ ${log_excerpt}
         fi
     fi
 
+    # Emit test.completed with coverage for adaptive learning
+    if [[ -n "$coverage" ]]; then
+        emit_event "test.completed" \
+            "issue=${ISSUE_NUMBER:-0}" \
+            "stage=test" \
+            "coverage=$coverage"
+    fi
+
     # Post test results to GitHub
     if [[ -n "$ISSUE_NUMBER" ]]; then
         local test_summary
@@ -1121,27 +1317,26 @@ stage_review() {
     local diff_file="$ARTIFACTS_DIR/review-diff.patch"
     local review_file="$ARTIFACTS_DIR/review.md"
 
-    git diff "${BASE_BRANCH}...${GIT_BRANCH}" > "$diff_file" 2>/dev/null || \
-        git diff HEAD~5 > "$diff_file" 2>/dev/null || true
+    _safe_base_diff > "$diff_file" 2>/dev/null || true
 
     if [[ ! -s "$diff_file" ]]; then
         warn "No diff found — skipping review"
         return 0
     fi
 
-    if ! command -v claude &>/dev/null; then
+    if ! command -v claude >/dev/null 2>&1; then
         warn "Claude CLI not found — skipping AI review"
         return 0
     fi
 
     local diff_stats
-    diff_stats=$(git diff --stat "${BASE_BRANCH}...${GIT_BRANCH}" 2>/dev/null | tail -1 || echo "")
+    diff_stats=$(_safe_base_diff --stat | tail -1 || echo "")
     info "Running AI code review... ${DIM}($diff_stats)${RESET}"
 
     # Semantic risk scoring when intelligence is enabled
-    if type intelligence_search_memory &>/dev/null 2>&1 && command -v claude &>/dev/null; then
+    if type intelligence_search_memory >/dev/null 2>&1 && command -v claude >/dev/null 2>&1; then
         local diff_files
-        diff_files=$(git diff --name-only "${BASE_BRANCH}...${GIT_BRANCH}" 2>/dev/null || true)
+        diff_files=$(_safe_base_diff --name-only || true)
         local risk_score="low"
         # Fast heuristic: flag high-risk file patterns
         if echo "$diff_files" | grep -qiE 'migration|schema|auth|crypto|security|password|token|secret|\.env'; then
@@ -1185,7 +1380,7 @@ If no issues are found, write: \"Review clean — no issues found.\"
 "
 
     # Inject previous review findings and anti-patterns from memory
-    if type intelligence_search_memory &>/dev/null 2>&1; then
+    if type intelligence_search_memory >/dev/null 2>&1; then
         local review_memory
         review_memory=$(intelligence_search_memory "code review findings anti-patterns for: ${GOAL:-}" "${HOME}/.shipwright/memory" 5 2>/dev/null) || true
         if [[ -n "$review_memory" ]]; then
@@ -1211,7 +1406,7 @@ ${conventions}
     fi
 
     # Inject CODEOWNERS focus areas for review
-    if [[ "${NO_GITHUB:-}" != "true" ]] && type gh_codeowners &>/dev/null 2>&1; then
+    if [[ "${NO_GITHUB:-}" != "true" ]] && type gh_codeowners >/dev/null 2>&1; then
         local review_owners
         review_owners=$(gh_codeowners 2>/dev/null | head -10 || true)
         if [[ -n "$review_owners" ]]; then
@@ -1235,11 +1430,9 @@ $(cat "$dod_file")
 ## Diff to Review
 $(cat "$diff_file")"
 
-    # Build claude args — add --dangerously-skip-permissions in CI
-    local review_args=(--print --model "$review_model" --max-turns 25)
-    if [[ "${CI_MODE:-false}" == "true" ]]; then
-        review_args+=(--dangerously-skip-permissions)
-    fi
+    # Skip permissions — pipeline runs headlessly (claude -p) and has no terminal
+    # for interactive permission prompts. Same rationale as build stage (line ~1083).
+    local review_args=(--print --model "$review_model" --max-turns 25 --dangerously-skip-permissions)
 
     claude "${review_args[@]}" "$review_prompt" < /dev/null > "$review_file" 2>"${ARTIFACTS_DIR}/.claude-tokens-review.log" || true
     parse_claude_tokens "${ARTIFACTS_DIR}/.claude-tokens-review.log"
@@ -1384,15 +1577,143 @@ ${review_summary}
     log_stage "review" "AI review complete ($total_issues issues: $critical_count critical, $bug_count bugs, $warning_count suggestions)"
 }
 
+# ─── Compound Quality (fallback) ────────────────────────────────────────────
+# Basic implementation: adversarial review, negative testing, e2e checks, DoD audit.
+# If pipeline-intelligence.sh was sourced first, its enhanced version takes priority.
+if ! type stage_compound_quality >/dev/null 2>&1; then
+stage_compound_quality() {
+    CURRENT_STAGE_ID="compound_quality"
+
+    # Read stage config from pipeline template
+    local cfg
+    cfg=$(jq -r '.stages[] | select(.id == "compound_quality") | .config // {}' "$PIPELINE_CONFIG" 2>/dev/null) || cfg="{}"
+
+    local do_adversarial do_negative do_e2e do_dod max_cycles blocking
+    do_adversarial=$(echo "$cfg" | jq -r '.adversarial // false')
+    do_negative=$(echo "$cfg" | jq -r '.negative // false')
+    do_e2e=$(echo "$cfg" | jq -r '.e2e // false')
+    do_dod=$(echo "$cfg" | jq -r '.dod_audit // false')
+    max_cycles=$(echo "$cfg" | jq -r '.max_cycles // 1')
+    blocking=$(echo "$cfg" | jq -r '.compound_quality_blocking // false')
+
+    local pass_count=0 fail_count=0 total=0
+    local compound_log="$ARTIFACTS_DIR/compound-quality.log"
+    : > "$compound_log"
+
+    # ── Adversarial review ──
+    if [[ "$do_adversarial" == "true" ]]; then
+        total=$((total + 1))
+        info "Running adversarial review..."
+        if [[ -x "$SCRIPT_DIR/sw-adversarial.sh" ]]; then
+            if bash "$SCRIPT_DIR/sw-adversarial.sh" --repo "${REPO_DIR:-.}" >> "$compound_log" 2>&1; then
+                pass_count=$((pass_count + 1))
+                success "Adversarial review passed"
+            else
+                fail_count=$((fail_count + 1))
+                warn "Adversarial review found issues"
+            fi
+        else
+            warn "sw-adversarial.sh not found, skipping"
+        fi
+    fi
+
+    # ── Negative / edge-case testing ──
+    if [[ "$do_negative" == "true" ]]; then
+        total=$((total + 1))
+        info "Running negative test pass..."
+        if [[ -n "${TEST_CMD:-}" ]]; then
+            if eval "$TEST_CMD" >> "$compound_log" 2>&1; then
+                pass_count=$((pass_count + 1))
+                success "Negative test pass passed"
+            else
+                fail_count=$((fail_count + 1))
+                warn "Negative test pass found failures"
+            fi
+        else
+            pass_count=$((pass_count + 1))
+            info "No test command configured, skipping negative tests"
+        fi
+    fi
+
+    # ── E2E checks ──
+    if [[ "$do_e2e" == "true" ]]; then
+        total=$((total + 1))
+        info "Running e2e checks..."
+        if [[ -x "$SCRIPT_DIR/sw-e2e-orchestrator.sh" ]]; then
+            if bash "$SCRIPT_DIR/sw-e2e-orchestrator.sh" run >> "$compound_log" 2>&1; then
+                pass_count=$((pass_count + 1))
+                success "E2E checks passed"
+            else
+                fail_count=$((fail_count + 1))
+                warn "E2E checks found issues"
+            fi
+        else
+            pass_count=$((pass_count + 1))
+            info "sw-e2e-orchestrator.sh not found, skipping e2e"
+        fi
+    fi
+
+    # ── Definition of Done audit ──
+    if [[ "$do_dod" == "true" ]]; then
+        total=$((total + 1))
+        info "Running definition-of-done audit..."
+        if [[ -x "$SCRIPT_DIR/sw-quality.sh" ]]; then
+            if bash "$SCRIPT_DIR/sw-quality.sh" validate >> "$compound_log" 2>&1; then
+                pass_count=$((pass_count + 1))
+                success "DoD audit passed"
+            else
+                fail_count=$((fail_count + 1))
+                warn "DoD audit found gaps"
+            fi
+        else
+            pass_count=$((pass_count + 1))
+            info "sw-quality.sh not found, skipping DoD audit"
+        fi
+    fi
+
+    # ── Summary ──
+    log_stage "compound_quality" "Compound quality: $pass_count/$total checks passed, $fail_count failed"
+
+    if [[ "$fail_count" -gt 0 && "$blocking" == "true" ]]; then
+        error "Compound quality gate failed: $fail_count of $total checks failed"
+        return 1
+    fi
+
+    return 0
+}
+fi  # end fallback stage_compound_quality
+
 stage_pr() {
     CURRENT_STAGE_ID="pr"
     local plan_file="$ARTIFACTS_DIR/plan.md"
     local test_log="$ARTIFACTS_DIR/test-results.log"
     local review_file="$ARTIFACTS_DIR/review.md"
 
+    # ── Skip PR in local/no-github mode ──
+    if [[ "${NO_GITHUB:-false}" == "true" || "${SHIPWRIGHT_LOCAL:-}" == "1" || "${LOCAL_MODE:-false}" == "true" ]]; then
+        info "Skipping PR stage — running in local/no-github mode"
+        # Save a PR draft locally for reference
+        local branch_name
+        branch_name=$(git rev-parse --abbrev-ref HEAD 2>/dev/null || echo "unknown")
+        local commit_count
+        commit_count=$(_safe_base_log --oneline | wc -l | xargs)
+        {
+            echo "# PR Draft (local mode)"
+            echo ""
+            echo "**Branch:** ${branch_name}"
+            echo "**Commits:** ${commit_count:-0}"
+            echo "**Goal:** ${GOAL:-N/A}"
+            echo ""
+            echo "## Changes"
+            _safe_base_diff --stat || true
+        } > ".claude/pr-draft.md" 2>/dev/null || true
+        emit_event "pr.skipped" "issue=${ISSUE_NUMBER:-0}" "reason=local_mode"
+        return 0
+    fi
+
     # ── PR Hygiene Checks (informational) ──
     local hygiene_commit_count
-    hygiene_commit_count=$(git log --oneline "${BASE_BRANCH}..HEAD" 2>/dev/null | wc -l | xargs)
+    hygiene_commit_count=$(_safe_base_log --oneline | wc -l | xargs)
     hygiene_commit_count="${hygiene_commit_count:-0}"
 
     if [[ "$hygiene_commit_count" -gt 20 ]]; then
@@ -1401,7 +1722,7 @@ stage_pr() {
 
     # Check for WIP/fixup/squash commits (expanded patterns)
     local wip_commits
-    wip_commits=$(git log --oneline "${BASE_BRANCH}..HEAD" 2>/dev/null | grep -ciE '^[0-9a-f]+ (WIP|fixup!|squash!|TODO|HACK|TEMP|BROKEN|wip[:-]|temp[:-]|broken[:-]|do not merge)' || true)
+    wip_commits=$(_safe_base_log --oneline | grep -ciE '^[0-9a-f]+ (WIP|fixup!|squash!|TODO|HACK|TEMP|BROKEN|wip[:-]|temp[:-]|broken[:-]|do not merge)' || true)
     wip_commits="${wip_commits:-0}"
     if [[ "$wip_commits" -gt 0 ]]; then
         warn "Branch has ${wip_commits} WIP/fixup/squash/temp commit(s) — consider cleaning up"
@@ -1409,7 +1730,7 @@ stage_pr() {
 
     # ── PR Quality Gate: reject PRs with no real code changes ──
     local real_files
-    real_files=$(git diff --name-only "${BASE_BRANCH}...HEAD" 2>/dev/null | grep -v '^\.claude/' | grep -v '^\.github/' || true)
+    real_files=$(_safe_base_diff --name-only | grep -v '^\.claude/' | grep -v '^\.github/' || true)
     if [[ -z "$real_files" ]]; then
         error "No real code changes detected — only pipeline artifacts (.claude/ logs)."
         error "The build agent did not produce meaningful changes. Skipping PR creation."
@@ -1448,7 +1769,7 @@ stage_pr() {
 
     # ── Developer Simulation (pre-PR review) ──
     local simulation_summary=""
-    if type simulation_review &>/dev/null 2>&1; then
+    if type simulation_review >/dev/null 2>&1; then
         local sim_enabled
         sim_enabled=$(jq -r '.intelligence.simulation_enabled // false' "$PIPELINE_CONFIG" 2>/dev/null || echo "false")
         # Also check daemon-config
@@ -1459,7 +1780,7 @@ stage_pr() {
         if [[ "$sim_enabled" == "true" ]]; then
             info "Running developer simulation review..."
             local diff_for_sim
-            diff_for_sim=$(git diff "${BASE_BRANCH}...HEAD" 2>/dev/null || true)
+            diff_for_sim=$(_safe_base_diff || true)
             if [[ -n "$diff_for_sim" ]]; then
                 local sim_result
                 sim_result=$(simulation_review "$diff_for_sim" "${GOAL:-}" 2>/dev/null || echo "")
@@ -1479,7 +1800,7 @@ stage_pr() {
 
     # ── Architecture Validation (pre-PR check) ──
     local arch_summary=""
-    if type architecture_validate_changes &>/dev/null 2>&1; then
+    if type architecture_validate_changes >/dev/null 2>&1; then
         local arch_enabled
         arch_enabled=$(jq -r '.intelligence.architecture_enabled // false' "$PIPELINE_CONFIG" 2>/dev/null || echo "false")
         local daemon_cfg=".claude/daemon-config.json"
@@ -1489,7 +1810,7 @@ stage_pr() {
         if [[ "$arch_enabled" == "true" ]]; then
             info "Validating architecture..."
             local diff_for_arch
-            diff_for_arch=$(git diff "${BASE_BRANCH}...HEAD" 2>/dev/null || true)
+            diff_for_arch=$(_safe_base_diff || true)
             if [[ -n "$diff_for_arch" ]]; then
                 local arch_result
                 arch_result=$(architecture_validate_changes "$diff_for_arch" "" 2>/dev/null || echo "")
@@ -1513,10 +1834,10 @@ stage_pr() {
 
     # Pre-PR diff gate — verify meaningful code changes exist (not just bookkeeping)
     local real_changes
-    real_changes=$(git diff --name-only "origin/${BASE_BRANCH:-main}...HEAD" \
+    real_changes=$(_safe_base_diff --name-only \
         -- . ':!.claude/loop-state.md' ':!.claude/pipeline-state.md' \
         ':!.claude/pipeline-artifacts/*' ':!**/progress.md' \
-        ':!**/error-summary.json' 2>/dev/null | wc -l | xargs || echo "0")
+        ':!**/error-summary.json' | wc -l | xargs || echo "0")
     if [[ "${real_changes:-0}" -eq 0 ]]; then
         error "No meaningful code changes detected — only bookkeeping files modified"
         error "Refusing to create PR with zero real changes"
@@ -1571,10 +1892,10 @@ stage_pr() {
     [[ -n "${GITHUB_ISSUE:-}" ]] && closes_line="Closes ${GITHUB_ISSUE}"
 
     local diff_stats
-    diff_stats=$(git diff --stat "${BASE_BRANCH}...${GIT_BRANCH}" 2>/dev/null | tail -1 || echo "")
+    diff_stats=$(_safe_base_diff --stat | tail -1 || echo "")
 
     local commit_count
-    commit_count=$(git log --oneline "${BASE_BRANCH}..HEAD" 2>/dev/null | wc -l | xargs)
+    commit_count=$(_safe_base_log --oneline | wc -l | xargs)
 
     local total_dur=""
     if [[ -n "$PIPELINE_START_EPOCH" ]]; then
@@ -1614,6 +1935,65 @@ Generated by \`shipwright pipeline\`
 EOF
 )"
 
+    # Verify required evidence before PR (merge policy enforcement)
+    local risk_tier
+    risk_tier="low"
+    if [[ -f "$REPO_DIR/config/policy.json" ]]; then
+        local changed_files
+        changed_files=$(_safe_base_diff --name-only || true)
+        if [[ -n "$changed_files" ]]; then
+            local policy_file="$REPO_DIR/config/policy.json"
+            check_tier_match() {
+                local tier="$1"
+                local patterns
+                patterns=$(jq -r ".riskTierRules.${tier}[]? // empty" "$policy_file" 2>/dev/null)
+                [[ -z "$patterns" ]] && return 1
+                while IFS= read -r pattern; do
+                    [[ -z "$pattern" ]] && continue
+                    local regex
+                    regex=$(echo "$pattern" | sed 's/\./\\./g; s/\*\*/DOUBLESTAR/g; s/\*/[^\/]*/g; s/DOUBLESTAR/.*/g')
+                    while IFS= read -r file; do
+                        [[ -z "$file" ]] && continue
+                        if echo "$file" | grep -qE "^${regex}$"; then
+                            return 0
+                        fi
+                    done <<< "$changed_files"
+                done <<< "$patterns"
+                return 1
+            }
+            check_tier_match "critical" && risk_tier="critical"
+            check_tier_match "high" && [[ "$risk_tier" != "critical" ]] && risk_tier="high"
+            check_tier_match "medium" && [[ "$risk_tier" != "critical" && "$risk_tier" != "high" ]] && risk_tier="medium"
+        fi
+    fi
+
+    local required_evidence
+    required_evidence=$(jq -r ".mergePolicy.\"$risk_tier\".requiredEvidence // [] | .[]" "$REPO_DIR/config/policy.json" 2>/dev/null)
+
+    if [[ -n "$required_evidence" ]]; then
+        local evidence_dir="$REPO_DIR/.claude/evidence"
+        local missing_evidence=()
+        while IFS= read -r etype; do
+            [[ -z "$etype" ]] && continue
+            local has_evidence=false
+            for f in "$evidence_dir"/*"$etype"*; do
+                [[ -f "$f" ]] && has_evidence=true && break
+            done
+            [[ "$has_evidence" != "true" ]] && missing_evidence+=("$etype")
+        done <<< "$required_evidence"
+
+        if [[ ${#missing_evidence[@]} -gt 0 ]]; then
+            warn "Missing required evidence for $risk_tier tier: ${missing_evidence[*]}"
+            emit_event "evidence.missing" "{\"tier\":\"$risk_tier\",\"missing\":\"${missing_evidence[*]}\"}"
+            # Collect missing evidence
+            if [[ -x "$SCRIPT_DIR/sw-evidence.sh" ]]; then
+                for etype in "${missing_evidence[@]}"; do
+                    (cd "$REPO_DIR" && bash "$SCRIPT_DIR/sw-evidence.sh" capture "$etype" 2>/dev/null) || warn "Failed to collect $etype evidence"
+                done
+            fi
+        fi
+    fi
+
     # Build gh pr create args
     local pr_args=(--title "$pr_title" --body "$pr_body" --base "$BASE_BRANCH")
 
@@ -1687,12 +2067,12 @@ EOF
         local reviewer_assigned=false
 
         # Try CODEOWNERS-based routing via GraphQL API
-        if type gh_codeowners &>/dev/null 2>&1 && [[ -n "$REPO_OWNER" && -n "$REPO_NAME" ]]; then
+        if type gh_codeowners >/dev/null 2>&1 && [[ -n "$REPO_OWNER" && -n "$REPO_NAME" ]]; then
             local codeowners_json
             codeowners_json=$(gh_codeowners "$REPO_OWNER" "$REPO_NAME" 2>/dev/null || echo "[]")
             if [[ "$codeowners_json" != "[]" && -n "$codeowners_json" ]]; then
                 local changed_files
-                changed_files=$(git diff --name-only "${BASE_BRANCH}...HEAD" 2>/dev/null || true)
+                changed_files=$(_safe_base_diff --name-only || true)
                 if [[ -n "$changed_files" ]]; then
                     local co_reviewers
                     co_reviewers=$(echo "$codeowners_json" | jq -r '.[].owners[]' 2>/dev/null | sort -u | head -3 || true)
@@ -1710,7 +2090,7 @@ EOF
         fi
 
         # Fallback: contributor-based routing via GraphQL API
-        if [[ "$reviewer_assigned" != "true" ]] && type gh_contributors &>/dev/null 2>&1 && [[ -n "$REPO_OWNER" && -n "$REPO_NAME" ]]; then
+        if [[ "$reviewer_assigned" != "true" ]] && type gh_contributors >/dev/null 2>&1 && [[ -n "$REPO_OWNER" && -n "$REPO_NAME" ]]; then
             local contributors_json
             contributors_json=$(gh_contributors "$REPO_OWNER" "$REPO_NAME" 2>/dev/null || echo "[]")
             local top_contributor
@@ -1766,13 +2146,14 @@ stage_merge() {
         local merge_diff_file="${ARTIFACTS_DIR}/review-diff.patch"
         local merge_review_file="${ARTIFACTS_DIR}/review.md"
         if [[ ! -s "$merge_diff_file" ]]; then
-            git diff "${BASE_BRANCH}...${GIT_BRANCH}" > "$merge_diff_file" 2>/dev/null || \
-                git diff HEAD~5 > "$merge_diff_file" 2>/dev/null || true
+            _safe_base_diff > "$merge_diff_file" 2>/dev/null || true
         fi
         if [[ -s "$merge_diff_file" ]]; then
             local _merge_critical _merge_sec _merge_blocking _merge_reject
-            _merge_critical=$(grep -ciE '\*\*\[?Critical\]?\*\*' "$merge_review_file" 2>/dev/null || echo "0")
-            _merge_sec=$(grep -ciE '\*\*\[?Security\]?\*\*' "$merge_review_file" 2>/dev/null || echo "0")
+            _merge_critical=$(grep -ciE '\*\*\[?Critical\]?\*\*' "$merge_review_file" 2>/dev/null || true)
+            _merge_critical="${_merge_critical:-0}"
+            _merge_sec=$(grep -ciE '\*\*\[?Security\]?\*\*' "$merge_review_file" 2>/dev/null || true)
+            _merge_sec="${_merge_sec:-0}"
             _merge_blocking=$((${_merge_critical:-0} + ${_merge_sec:-0}))
             [[ "$_merge_blocking" -gt 0 ]] && _merge_reject="Review found ${_merge_blocking} critical/security issue(s)"
             if ! bash "$SCRIPT_DIR/sw-oversight.sh" gate --diff "$merge_diff_file" --description "${GOAL:-Pipeline merge}" --reject-if "${_merge_reject:-}" >/dev/null 2>&1; then
@@ -1816,7 +2197,7 @@ stage_merge() {
     fi
 
     # ── Branch Protection Check ──
-    if type gh_branch_protection &>/dev/null 2>&1 && [[ -n "$REPO_OWNER" && -n "$REPO_NAME" ]]; then
+    if type gh_branch_protection >/dev/null 2>&1 && [[ -n "$REPO_OWNER" && -n "$REPO_NAME" ]]; then
         local protection_json
         protection_json=$(gh_branch_protection "$REPO_OWNER" "$REPO_NAME" "${BASE_BRANCH:-main}" 2>/dev/null || echo '{"protected": false}')
         local is_protected
@@ -1912,13 +2293,13 @@ stage_merge() {
         check_status=$(gh pr checks "$pr_number" --json 'bucket,name' --jq '[.[] | .bucket] | unique | sort' 2>/dev/null || echo '["pending"]')
 
         # If all checks passed (only "pass" in buckets)
-        if echo "$check_status" | jq -e '. == ["pass"]' &>/dev/null; then
+        if echo "$check_status" | jq -e '. == ["pass"]' >/dev/null 2>&1; then
             success "All CI checks passed"
             break
         fi
 
         # If any check failed
-        if echo "$check_status" | jq -e 'any(. == "fail")' &>/dev/null; then
+        if echo "$check_status" | jq -e 'any(. == "fail")' >/dev/null 2>&1; then
             error "CI checks failed — aborting merge"
             return 1
         fi
@@ -2018,7 +2399,7 @@ stage_deploy() {
     # Create GitHub deployment tracking
     local gh_deploy_env="production"
     [[ -n "$staging_cmd" && -z "$prod_cmd" ]] && gh_deploy_env="staging"
-    if [[ "${NO_GITHUB:-false}" != "true" ]] && type gh_deploy_pipeline_start &>/dev/null 2>&1; then
+    if [[ "${NO_GITHUB:-false}" != "true" ]] && type gh_deploy_pipeline_start >/dev/null 2>&1; then
         if [[ -n "$REPO_OWNER" && -n "$REPO_NAME" ]]; then
             gh_deploy_pipeline_start "$REPO_OWNER" "$REPO_NAME" "${GIT_BRANCH:-HEAD}" "$gh_deploy_env" 2>/dev/null || true
             info "GitHub Deployment: tracking as $gh_deploy_env"
@@ -2151,7 +2532,7 @@ stage_deploy() {
                 error "Staging deploy failed"
                 [[ -n "$ISSUE_NUMBER" ]] && gh_comment_issue "$ISSUE_NUMBER" "Staging deploy failed"
                 # Mark GitHub deployment as failed
-                if [[ "${NO_GITHUB:-false}" != "true" ]] && type gh_deploy_pipeline_complete &>/dev/null 2>&1; then
+                if [[ "${NO_GITHUB:-false}" != "true" ]] && type gh_deploy_pipeline_complete >/dev/null 2>&1; then
                     gh_deploy_pipeline_complete "$REPO_OWNER" "$REPO_NAME" "$gh_deploy_env" false "Staging deploy failed" 2>/dev/null || true
                 fi
                 return 1
@@ -2169,7 +2550,7 @@ stage_deploy() {
                 fi
                 [[ -n "$ISSUE_NUMBER" ]] && gh_comment_issue "$ISSUE_NUMBER" "Production deploy failed — rollback ${rollback_cmd:+attempted}"
                 # Mark GitHub deployment as failed
-                if [[ "${NO_GITHUB:-false}" != "true" ]] && type gh_deploy_pipeline_complete &>/dev/null 2>&1; then
+                if [[ "${NO_GITHUB:-false}" != "true" ]] && type gh_deploy_pipeline_complete >/dev/null 2>&1; then
                     gh_deploy_pipeline_complete "$REPO_OWNER" "$REPO_NAME" "$gh_deploy_env" false "Production deploy failed" 2>/dev/null || true
                 fi
                 return 1
@@ -2184,7 +2565,7 @@ stage_deploy() {
     fi
 
     # Mark GitHub deployment as successful
-    if [[ "${NO_GITHUB:-false}" != "true" ]] && type gh_deploy_pipeline_complete &>/dev/null 2>&1; then
+    if [[ "${NO_GITHUB:-false}" != "true" ]] && type gh_deploy_pipeline_complete >/dev/null 2>&1; then
         if [[ -n "$REPO_OWNER" && -n "$REPO_NAME" ]]; then
             gh_deploy_pipeline_complete "$REPO_OWNER" "$REPO_NAME" "$gh_deploy_env" true "" 2>/dev/null || true
         fi