11-Stage Pipeline Deep Dive

A smoke test that runs on every push or web trigger. Verifies the runner is functional before any real work begins.

• Checks that git, curl, and jq are installed
• Prints runner ID, job ID, pipeline ID for debugging
• Enforces the "No AI in Runners" constraint: if which claude succeeds, the stage fails with exit code 1
• Does NOT require ISSUE_IID - it's the only stage that runs standalone

The PM agent fetches the issue from GitLab's API and auto-classifies it based on keyword detection in the title and description.

• Fetches issue via GET /projects/{id}/issues/{iid}
• Scans title + description for keywords: bug|fix|error = bug, feature|add|new = feature, enhance|improve = enhancement
• Applies scoped labels: status::triage + detected type:: label
• Uses resource_group: issue-$ISSUE_IID to prevent concurrent processing

The PM agent evaluates whether the issue has enough detail to write a specification. If not, it generates structured clarification questions and posts them as a comment.

• Invokes Claude with a prompt containing issue title, description, and labels
• Claude analyzes for: scope clarity, success criteria, technical dependencies, edge cases, priority
• If well-specified: responds WELL_SPECIFIED, pipeline continues
• If vague: posts 3-5 numbered questions as an issue comment
• Adds/removes needs-clarification label based on result
• Updates board: status::triage → status::clarification

The first manual gate. A human must click "play" on this stage in GitLab. The Architect agent then generates a formal specification document.

• Creates directory structure: specs/issue-{IID}/ with checklists/ and contracts/ subdirs
• Uses spec-template.md as a starting point
• Generates spec.md focusing on WHAT and WHY (not technical HOW)
• Includes: overview, requirements, user stories, acceptance criteria, constraints, security considerations
• Artifact retained for 30 days

Quality gate: "unit tests for English." The QA agent validates the spec against a 6-point checklist before allowing planning to begin.

• Check 1: Overview section present
• Check 2: Requirements section present
• Check 3: User Stories section present
• Check 4: Acceptance criteria defined
• Check 5: Security considerations included
• Check 6: TBD items remaining (warning only, doesn't block)

If all checks pass, the spec-approved label is added. If any required check fails, the pipeline loops back for revision.

Now the Architect transforms WHAT into HOW. Reads the approved spec.md and produces a detailed implementation plan.

• Reads spec.md from the previous stage's artifacts
• Generates plan.md with 3+ implementation tasks
• Each task includes: assigned agent, effort estimate, dependencies, files to modify, step-by-step instructions
• May include data model changes, API contracts, architecture decisions

The Developer agent breaks the plan into 3-5 atomic, implementable tasks. Each task is small enough to complete in one session.

• Reads plan.md from previous stage
• Creates task table: ID, name, agent, status, dependencies
• Each task has detailed description with acceptance criteria
• Parallelizable tasks are marked with [P]
• Adds ready-for-implementation label when complete

Another quality gate. The QA agent validates that the tasks are complete, properly scoped, and internally consistent.

• Validates task count (3-5 expected)
• Checks each task has: clear scope, acceptance criteria, dependencies
• Generates ASCII dependency graph showing task ordering
• Cross-references spec ↔ plan ↔ tasks for coverage gaps
• Risk assessment: identifies high-risk tasks and missing edge cases

The second manual gate. Human reviews the spec, plan, and tasks, then triggers implementation. The Developer agent writes the actual code.

• Creates feature branch: issue-{IID}-implementation
• Invokes Claude with full context: spec + plan + tasks + analysis
• Claude generates code changes and implementation suggestions
• Saves detailed output to implementation.md
• Commits and pushes the feature branch
• Updates board label: status::implementation

The Security agent scans the codebase and deployment configuration for vulnerabilities. Behavior differs by group.

• Check 1: Hardcoded credentials (regex: password|secret|token|api_key)
• Check 2: Privileged containers (privileged: true)
• Check 3: Secrets path compliance (should use $HOME/projects/secrets/)
• Check 4: eval() usage (code injection risk)
• Check 5: Network exposure (open ports, public endpoints)

The QA agent auto-detects the project type and runs the appropriate test suite. No configuration needed - it figures out the framework.

• Node.js: detects package.json → runs npm test
• Python: detects pytest.ini or tests/ → runs pytest tests/
• Go: detects go.mod → runs go test ./...
• Rust: detects Cargo.toml → runs cargo test
• Shell: detects tests/*.sh → runs each test script

Generates test-report.md with results. Exits with code 1 if tests fail.

The final manual gate. Human confirms deployment after reviewing security findings and test results.

• Pre-deploy snapshot: Records current commit hash, timestamp, pipeline ID to rollback/ directory
• Execute: Runs deploy.sh or docker compose up -d
• Health check: Waits 10 seconds, verifies containers are running
• On success: Adds status::done, removes status::deployment
• On failure: Automatically triggers rollback, adds deployment-failed label

Automatic Rollback

If deployment fails, the rollback script (scripts/rollback.sh) executes automatically:

• Stops containers: docker compose down --remove-orphans
• Checks out previous commit from the pre-deploy snapshot
• Runs migrations/rollback.sql if it exists
• Restarts containers: docker compose up -d
• Waits 10s and verifies rollback succeeded
• Logs everything to /tmp/rollback_*.log