Iterative red-teaming of any artifact (design docs, plans, code, hypotheses, mockups). Loops until clean or stagnation. Invoked by artifact-producing skills or their parent orchestrator.
Install
mkdir -p .claude/skills/quality-gate-raddue && curl -L -o skill.zip "https://agentskills.codes/api/skills/download/16431" && unzip -o skill.zip -d .claude/skills/quality-gate-raddue && rm skill.zipInstalls to .claude/skills/quality-gate-raddue
Activation
This is the description your AI agent reads to decide when to run this skill — the better it matches your request, the more reliably it fires.
Iterative red-teaming of any artifact (design docs, plans, code, hypotheses, mockups). Loops until clean or stagnation. Invoked by artifact-producing skills or their parent orchestrator.About this skill
Quality Gate
<!-- CANONICAL: shared/dispatch-convention.md -->All subagent dispatches use disk-mediated dispatch. See shared/dispatch-convention.md for the full protocol.
All subagent returns (red-team agents, judges, fix agents) use the Ledger Return Protocol. Every subagent returns exactly one Evidence Receipt per shared/return-convention.md; the orchestrator applies the two-tier receipt linter (see the "Receipt Linter (Ledger Return Protocol)" section below) to every Task return before acting on the declared VERDICT.
The gate maintains an Invariant Cairn per shared/cairn-convention.md. Each gate round is a cairn phase. See ## Cairn (Layer 3) below.
Shared iterative red-teaming mechanism invoked at the end of artifact-producing skills. Provides rigorous adversarial review as the core quality mechanism.
Announce at start: "Running quality gate on [artifact type]."
Skill type: Rigid -- follow exactly, no shortcuts.
Execution model: When this skill is running, YOU are the orchestrator. You drive the loop, dispatch fix agents and reviewers as subagents, track scores, and make escalation decisions. All references to "the orchestrator" in this document refer to you.
Receipt Linter (Ledger Return Protocol)
Apply Tier 1 (structural) and Tier 2 (witness verification) lint per shared/return-convention.md to every Task return before acting on the declared VERDICT. The canonical grammar (CLAIM citations, WITNESS rules, verb-binding, byte-range limits, lint-failure handling) lives in that document. Build, siege, and audit apply the same linter.
The linter is a deterministic runtime tool: orchestrators MUST run python3 scripts/rcpt_verify.py --tier2 --strict --root <dispatch-root> --ledger <dispatch-root>/receipt-ledger.jsonl <receipt> on every received receipt before acting on its VERDICT, and apply the shared convention's in-context pseudocode ONLY as the fallback when the tool is unavailable. --strict hard-FAILs only resolvable path-shaped artifacts on a sha256/witness mismatch; an unresolvable bare basename stays UNVERIFIABLE (never a false FAIL); always pass --root <dispatch-root> explicitly. The obligation to lint every return is unchanged — only the mechanism moves to the tool.
Quality-gate-specific obligations: Receipts from red-team, fix, judge, verifier (the fix-verification dispatch; the persistence-checker JSON output is consumed directly, not receipt-linted — see Persistence Check), and dependency-audit subagents are all linted before their VERDICT is consumed. A lint failure is treated as structurally BLOCKED regardless of declared VERDICT — see "Lint failure handling" in the shared convention.
Red-team receipts lint clean (#366). Red-team returns a structured RCPT v1.1 receipt (not prose), so its receipt passes Tier-1/Tier-2 normally — it does not lint-to-BLOCKED. The red-team findings themselves come from the cited artifact the receipt pins (round-N-findings.md, an [FINDINGS_OUTPUT_PATH] the orchestrator supplies — see the score step and writer-inversion below), which the orchestrator reads directly; the receipt's VERDICT is the witness-verified PASS/FAIL boundary plus the supersession/tripwire anchor, not the findings channel. This makes the :44/:56/:62 couplings operational (red-team genuinely emits a receipt). <!-- CONTRACT:rt-redteam-receipts-lint-clean — check_rt_receipt_contract.py [C15] -->
Cairn (Layer 3)
Per shared/cairn-convention.md. Quality-gate-specific bindings:
- Phase mapping. One cairn phase per gate round:
round/1,round/2, …. A round begins at red-team dispatch, ends at judge verdict (either PASS/escalate or loop-again with score delta recorded). - Phase transitions. At each round-exit, append a LEDGER line
round/N | dispatches=<red-team+judge+fix> receipts=<same> verdict=<PASS|FAIL|MIXED> | <score delta + key finding>. Advance PHASE to the next round on loop; advance toterminal/Non PASS or escalation. - Terminal phase. When the gate returns PASS to its caller, OR when it escalates (stagnation / 15-round limit / architectural concern). Delete
active-run.mdon terminal; keepcairn-<run-id>.md. - Mandatory-invariant categories. Each round-exit MUST capture any finding that survived into the fix journal with severity ≥ Significant and a note on why — these are the load-bearing constraints for any later round's red-team. Also capture the score trajectory (
score-delta: -2) for stagnation-detection audit. - Reconciliation. Full 5-rule pass. Rule 4 (invariant-receipt liveness) drives the orchestrator to retire invariants whose originating finding was fixed by the fix-agent (via Layer 2
SUPERSEDED_BY) — keeping the invariants list from ballooning across long gates.
Tripwire Manifest Sweep (Layer 2)
Starting with convention v1.1, every QG subagent (red-team, judge, fix-agent) returns a receipt carrying TRIPWIRE:, SUPERSEDES:, and (when applicable) TRIPWIRE-CHILD: lines. Full grammar in shared/return-convention.md.
Manifest: After each Task return (post-lint), append:
<rcpt-sha256-prefix-12> <skill>/<dispatch-id> <verdict> TRIPWIRE: <predicates> [SUPERSEDED_BY=<prefix>] [keys=quality-gate:<k>:<v>,…] [files=<path>:<h6>,…]
Namespace CLAIM-key discriminators as quality-gate:<key> (e.g. quality-gate:severity-max:minor) — prevents collision with build/siege keys.
Sweep (dispatch-loop clause): The orchestrator MAY NOT dispatch the next round until it has: (1) linted; (2) appended; (3) processed SUPERSEDES; (4) evaluated self-checks; (5) evaluated forward-checks against every active prior entry (TRIPWIRE ∪ TRIPWIRE-CHILD); (6) Read each firing M's full receipt and narrated the re-read; (7) then dispatch.
Fix-agent supersession. A QG fix-agent supersedes the prior FAIL red-team receipt. SUPERSEDES: <fail-prefix> + cited CLAIM + exec/grep witness with ran=TRACE#N. Tier-2 re-runs the witness against the fix — only survives if clean.
Fix-agent superseding-witness by artifact class (#366). Because the red-team FAIL receipt is now a real supersession anchor, the convention's witness-evidence requirement (a FAIL / SUSPICION ≥ 0.30 predecessor demands the superseding WITNESS be kind ∈ {exec, grep} + ran=TRACE#N) is live on the fix-agent's superseding receipt:
- Test-less artifacts (test-less design / plan / doc gates — the dominant QG case): the fix-agent's superseding receipt carries a
grepwitness against the revised artifact proving the superseded red-team finding-anchor text no longer appears (kind=grep,ran=TRACE#N), plus the justification CLAIM citing the FAIL receipt's prefix (from=<fail-prefix>#…, per the SUPERSEDES Tier-1 justification requirement inreturn-convention.md). This is what makes the supersession survive Tier-2 — the original concern demonstrably no longer reproduces. <!-- CONTRACT:rt-fix-test-less-witness — check_rt_receipt_contract.py [C18] --> - Artifacts WITH tests: the existing
run-testsexec witness applies (therun-testsmandatory-work declaration above).
Clean-PASS TRIPWIRE predicate (#366, SP2). Per the convention's TRIPWIRE-none rule at return-convention.md (the Tripwire Manifest section, ~:427), TRIPWIRE: none is permitted only on a PASS receipt with SUSPICION=0.00; a FAIL red-team receipt carries TRIPWIRE: verdict=FAIL. This is a pointer to the canonical rule, not a redeclaration of the grammar (per CLAUDE.md "link, never copy").
Stagnation-judge tripwires. A stagnation judge's receipt declaring TRIPWIRE: peer-dispatch-disagrees(count) lets a later round's divergent issue-count fire a re-read, surfacing judge-vs-judge disagreement without a separate escalation channel.
Mandatory-work declarations for quality-gate subagent types:
- Red-team agent:
read-artifact,emit-findings. - Judge agent:
read-findings,emit-scores. - Fix agent:
read-findings,apply-edits,run-tests(if tests exist for the artifact's subtree).
On lint failure: treat as structurally BLOCKED regardless of declared VERDICT. Re-dispatch with lint errors appended to the brief, or escalate.
Consensus Detection
At the start of the quality gate, check whether the consensus_query MCP tool
is available in the current environment:
- If the tool is available: consensus-eligible rounds will use multi-model dispatch (see Multi-Model Red-Team Review and Multi-Model Consensus in Stagnation Detection below).
- If the tool is not available: all rounds use standard single-model dispatch. No degradation, no warnings — the gate behaves exactly as it did before consensus was introduced.
Do NOT:
- Prompt the user to set up consensus if it is unavailable
- Log warnings about missing consensus configuration
- Change any scoring, stagnation, or escalation logic based on consensus availability
Consensus is a near-transparent enhancement. Its presence improves coverage; its absence preserves all standard exit paths. The one documented asymmetry: consensus presence enables one additional pre-threshold escalation path — see Pre-Threshold Consensus Carve-Out. This is the only place where consensus availability changes the gate's exit set.
External Model Review (Optional)
At the start of the quality gate, check whether the external_review MCP tool
is available in the current environment AND skills.quality_gate is enabled in
the external review config. If either check fails, skip all external review
steps silently — no warnings, no prompts.
When It Runs
Every red-team round, alongside the host red-team dispatch. Call
external_review with:
prompt: contents ofskills/shared/external-review-prompt.mdcontext: the same artifact context given to the red-team subagentskill:"quality_gate"(top-level arg
Content truncated.