
deploy


Use when ready to ship — runs pre-push gates (lint, typecheck, build, tests, security sweep), commits, releases, and pushes. Standalone, never auto-invoked. Push always requires explicit confirmation. Trigger with /hyperflow:deploy, "ship it", "ready to push", "release", "cut a release", "deploy".

Category: Cloud & DevOps. Tags: release, ci, automation, push-gates

What this skill does


# Deploy

No gate skipped, no failure ignored. If any gate fails, halt and report. Never `--no-verify`. Never bypass.

**Failure recovery (rule 14).** Worker errors and Quality Gate failures follow the canonical policy in [`skills/hyperflow/failure-recovery.md`](../hyperflow/failure-recovery.md). Gate failures are user-surfaced, never auto-fixed — print the failing command + full stderr and halt the push. Never `--no-verify`, never force-push to main.

## Per-Step Agent Map

| Step | Sub-phase | Worker tier | Thinking tier | Notes |
|---|---|---|---|---|
| 1a | Repo-state scan | Worker A (git status), Worker B (git log) | Sonnet | — |
| 1b | Tool detection | Worker A (profile.md + lockfiles), Worker B (testing.md + devDeps) | Sonnet | — |
| 2a | Lint + typecheck (parallel) | Worker A (linter), Worker B (formatter), Worker C (tsc) | Sonnet | Step 3 (Security Sweep) runs in parallel with Step 2 at orchestrator level; 2a halts chain on any failure before 2b |
| 2b | Build gate | Worker A (prod build), Worker B (dev build) | Sonnet | Depends on 2a PASS |
| 2c | Test gate | Worker A (unit), Worker B (integration/E2E) | Sonnet | Parallel (P1); depends on 2b PASS |
| 3a | Secrets scan | Worker A (diff pattern), Worker B (file pattern) | **Opus** | Runs in parallel with Step 2 (pre-build; read-only) |
| 3b | Dependency audit | Worker A (CVE audit), Worker B (license check) | Sonnet | — |
| 4 | Commit | single Worker | Sonnet | atomic-exempt (DOCTRINE 12.2) |
| 5a | Release execution | single Worker | Sonnet | atomic-exempt (DOCTRINE 12.2) |
| 5b | Version sync | Worker A (manifests), Worker B (changelog) | Sonnet | — |
| 6 | Push gate | AskUserQuestion | — | structural gate; atomic-exempt |
| 7 | Output | single print | — | atomic-exempt (§12.1) |

## Step 1 — Survey State

Sub-phases run in parallel (P1).

### Step 1a — Repo-state scan

Two Workers in parallel:

- Worker A — `git status --short` — uncommitted changes, staged files
- Worker B — detect the current branch first (`git rev-parse --abbrev-ref HEAD`), then `git log origin/<branch>..HEAD --oneline` — commits ahead of remote

Sonnet Reviewer — verdict on repo state (clean / has uncommitted / ahead by N). If detached HEAD or no remote configured → halt with reason.

### Step 1b — Tool detection

Two Workers in parallel:

- Worker A — Read `.hyperflow/profile.md` for package manager and project type; fallback: inspect `package.json`, `pyproject.toml`, `Cargo.toml`, `go.mod`
- Worker B — Check `.hyperflow/testing.md` for test runner; fallback: detect from `package.json` devDependencies (`vitest`, `jest`, `playwright`, `pytest`, etc.)

Sonnet Reviewer — produce a single tool manifest (package manager, test runner, typed-project flag, build script presence). Used by Step 2 gates.

## Step 2 — Quality Gates

Step 2 runs in parallel with Step 3 (Security Sweep) at the orchestrator level — both are pre-build, read-only checks. Both must reach `PASS` before Step 4 (Commit) may proceed. Within Step 2, sub-phases 2a → 2b → 2c run sequentially (2b depends on 2a PASS; 2c depends on 2b PASS). Halt at the first `NEEDS_REVISION` verdict.

Wall-clock note: default flow runs 3 gates simultaneously (lint + security + typecheck in parallel), then build, then tests — roughly max(lint, security, typecheck) + build + max(unit, integration), versus the old 4× sequential gate duration. Typical saving: ~40% wall-clock reduction. Under `--thorough`, intra-sub-phase Workers serialize (DOCTRINE §12.2/clarification), so the full saving collapses to 2c's unit + integration pair only.

Print `Gate <letter> — <name>` before each sub-phase.
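The Step 2/3 gate topology as a runnable pre-push script, added here as an illustration and not hyperflow's own code. It runs lint, typecheck and the secrets sweep concurrently, then the build, then unit and integration tests concurrently; the first failing phase halts the chain, and every failed gate is reported with its command and full stderr, with no bypass path. The default commands (`npm run lint`, `npx tsc --noEmit`, `gitleaks protect --staged`, `npm run build`, `npm test`, `npx playwright test`) are assumptions for a Node project; override the `*_CMD` variables for another stack.

```shell
#!/usr/bin/env sh
# Added example (not hyperflow's code): pre-push gates with the Step 2/3 shape.
# Gate commands are plain variables so the runner can be exercised with
# stand-ins such as `true` / `false`; the defaults below are assumptions.
LINT_CMD="${LINT_CMD:-npm run lint}"
TYPECHECK_CMD="${TYPECHECK_CMD:-npx tsc --noEmit}"
SECRETS_CMD="${SECRETS_CMD:-gitleaks protect --staged}"   # assumes gitleaks is installed
BUILD_CMD="${BUILD_CMD:-npm run build}"
UNIT_CMD="${UNIT_CMD:-npm test}"
INTEGRATION_CMD="${INTEGRATION_CMD:-npx playwright test}"
GATE_LOG_DIR="${GATE_LOG_DIR:-$(mktemp -d)}"

# run_gate NAME CMD ARGS... : run one gate, capturing stdout, stderr, the
# command line and the exit code under $GATE_LOG_DIR/NAME.{out,err,cmd,rc}.
# The if-form keeps a failing command from aborting the shell under `set -e`.
run_gate() {
  name=$1; shift
  printf '%s\n' "$*" >"$GATE_LOG_DIR/$name.cmd"
  if "$@" >"$GATE_LOG_DIR/$name.out" 2>"$GATE_LOG_DIR/$name.err"; then rc=0; else rc=$?; fi
  printf '%s\n' "$rc" >"$GATE_LOG_DIR/$name.rc"
  return "$rc"
}

# report_failure NAME : print the failing command and its full stderr (rule 14).
report_failure() {
  echo "GATE FAILED: $1 (exit $(cat "$GATE_LOG_DIR/$1.rc"))" >&2
  echo "command: $(cat "$GATE_LOG_DIR/$1.cmd")" >&2
  echo "--- stderr ---" >&2
  cat "$GATE_LOG_DIR/$1.err" >&2
}

# run_parallel NAME=CMD ... : start every gate in the background, wait for all
# of them, report each failure (not only the first) and return 1 if any failed.
# CMD is word-split on purpose, so commands must not need shell quoting.
run_parallel() {
  started=""
  for spec in "$@"; do
    name=${spec%%=*}; cmd=${spec#*=}
    run_gate "$name" $cmd &
    started="$started $name:$!"
  done
  failed=0
  for job in $started; do
    name=${job%%:*}; pid=${job#*:}
    if wait "$pid"; then :; else failed=1; report_failure "$name"; fi
  done
  return $failed
}

# deploy_gates : the chain itself. Returns 0 only when every gate passed;
# a failure in one phase means the later phases never start.
deploy_gates() {
  echo "Gate A — lint + typecheck + secrets sweep (parallel, read-only)"
  run_parallel "lint=$LINT_CMD" "typecheck=$TYPECHECK_CMD" "secrets=$SECRETS_CMD" || return 1
  echo "Gate B — production build"
  run_gate build $BUILD_CMD || { report_failure build; return 1; }
  echo "Gate C — tests (unit + integration in parallel)"
  run_parallel "unit=$UNIT_CMD" "integration=$INTEGRATION_CMD" || return 1
  echo "ALL GATES PASS (logs in $GATE_LOG_DIR)"
}

# Run the real chain only when invoked as `sh gates.sh run`; sourcing the file
# just defines the functions.
if [ "${1:-}" = "run" ]; then deploy_gates; fi
```

Wire `deploy_gates` into a `pre-push` hook and the only way past a red gate is to fix the cause; there is no flag in the script that skips a phase, which is the property the page's "never `--no-verify`" rule asks for.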

### Step 2a — Lint + typecheck (parallel; no build artifact required)

Three Workers in parallel (P1). None depend on build output — safe to run alongside Step 3.

- Worker A — Detect and run primary linter: `npm run lint` / `pnpm lint` / `bun run lint` / `eslint .`. On failure: auto-fix via `--fix`, re-run once, and report the final error count. Note that `--fix` rewrites source files, so this is the one Step 2 Worker that is not read-only; whatever it changes is what Step 4 commits as Worker-introduced fixes.
- Worker B — Detect and run formatter check: `prettier --check .` / `biome check .` / equivalent. Report diff count.
- Worker C — Root typecheck: `tsc --noEmit` / `npm run typecheck`. Skip if not a typed project (per Step 1b tool manifest). Also run per-package typecheck if workspace detected (pnpm/yarn workspaces): iterate packages with `tsc --noEmit` in each.

Sonnet Reviewer — aggregate verdict across all three Workers:
- `PASS` — all clean (or absent/untyped)
- `NEEDS_REVISION` — any gate fails → halt before 2b. Report which specific gate(s) failed and why. Do NOT proceed to build.
- `ESCALATE` — config errors preventing execution of any gate

### Step 2b — Build gate (sequential; depends on 2a PASS)

Two Workers in parallel:

- Worker A — Production build: `npm run build` / `pnpm build` / `bun run build`. Capture output; report size or artifact path if printed.
- Worker B — Dev/preview build if a separate script exists (`npm run build:dev`, `vite build --mode development`, etc.). Skip if no separate dev-build script.

Sonnet Reviewer — verdict:
- `PASS` — production build succeeds
- `NEEDS_REVISION` — production build fails → halt with output
- `ESCALATE` — build tool absent or script missing (skip silently, not failure)

### Step 2c — Test gate (parallel; depends on 2b PASS)

Two Workers in parallel (P1):

- Worker A — Unit tests: run full unit suite per runner from Step 1b (vitest, jest, pytest, cargo test, etc.). Full suite — not just affected. Report count.
- Worker B — Integration / E2E tests if runner detected separately (playwright, cypress, etc.). Skip if no integration runner found.

Sonnet Reviewer — verdict:
- `PASS` — all tests pass (or integration absent)
- `NEEDS_REVISION` — failing tests → halt with failing test names. Do NOT skip. Do NOT increase timeout.
- `ESCALATE` — runner misconfigured or no tests found and test runner is declared

See [quality-gates.md](references/quality-gates.md) for gate details.

## Step 3 — Security Sweep

Runs in parallel with Step 2 at the orchestrator level (P3 — concurrent independent pre-conditions; DOCTRINE §12.2). Both Step 2 and Step 3 are pre-build, read-only checks with no shared state. Both must reach `PASS` before Step 4 (Commit) may proceed. Halt on `SECURITY_VIOLATION` immediately — no retry, and do not wait for Step 2a (or any other gate) to finish before halting.

Sub-phases 3a and 3b run in parallel (P1).

### Step 3a — Secrets and keys scan

Two Workers in parallel:

- Worker A — Pattern scan of everything the push will carry for hardcoded secrets: API keys, private keys, connection strings, tokens. Scan surface: staged changes (`git diff --cached`), unstaged working-tree changes (`git diff`) since Step 4 may include them, and every commit ahead of the remote (`git diff origin/<branch>..HEAD`, using the branch from Step 1a). `git diff HEAD~1..HEAD` alone covers only the most recent commit and misses both staged changes and earlier unpushed commits.
- Worker B — File-level scan of files modified in this changeset for common secret patterns (SG., sk-, ghp_, AKIA, BEGIN RSA PRIVATE KEY, etc.).

**Reviewer** — Opus security sweep — aggregate findings from 3a Workers. If any secret found → halt immediately with `SECURITY_VIOLATION: <file>:<line> — <pattern>`. No auto-remediation — user must rotate + remove.
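The Step 3a Workers and Reviewer as a script, added here as an illustration and not hyperflow's own code. `scan_diff` parses unified-diff text (what `git diff --cached` or `git diff origin/<branch>..HEAD` prints), reports only added lines, and derives the new-file line number from each hunk header so the verdict can name `<file>:<line>`; removed lines are deliberately not reported, since a secret being deleted is already in history and still needs rotating. `scan_text` is the Worker B pass over a whole file, and `verdict` renders the Reviewer's `SECURITY_VIOLATION` line. The regexes are illustrative patterns for the prefixes listed above (not a maintained ruleset), and the sample diff and key file are constructed.

```python
"""Added example (not hyperflow's code): the Step 3a secrets sweep as a script."""
import re
from dataclasses import dataclass

# Illustrative patterns for the prefixes the page lists plus connection strings
# with an embedded password. Lengths are loose on purpose; a real sweep would
# use a maintained ruleset (gitleaks, trufflehog, ...).
SECRET_PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "sk-prefixed-key": re.compile(r"\bsk-[A-Za-z0-9_-]{20,}"),
    "sendgrid-key": re.compile(r"\bSG\.[A-Za-z0-9_-]{16,}\.[A-Za-z0-9_-]{16,}"),
    "private-key-block": re.compile(
        r"-----BEGIN (?:RSA |EC |DSA |OPENSSH |PGP )?PRIVATE KEY(?: BLOCK)?-----"),
    "connection-string-with-password": re.compile(
        r"\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis|amqp)://[^\s:/@]+:[^\s@]+@"),
}
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    pattern: str


def match_line(text: str) -> list[str]:
    """Names of every pattern that matches one line of text."""
    return [name for name, rx in SECRET_PATTERNS.items() if rx.search(text)]


def scan_diff(diff_text: str) -> list[Finding]:
    """Worker A: scan only ADDED lines of a unified diff, numbering them in the new file."""
    findings: list[Finding] = []
    path, new_line, in_hunk = None, 0, False
    for raw in diff_text.splitlines():
        if raw.startswith("diff --git"):      # next file: forget the previous path
            path, in_hunk = None, False
            continue
        m = HUNK_RE.match(raw)
        if m:                                 # "@@ -a,b +c,d @@": new-file numbering starts at c
            new_line, in_hunk = int(m.group(1)), True
            continue
        if not in_hunk:                       # file headers: "---", "+++", mode/index lines
            if raw.startswith("+++ "):
                target = raw[4:].split("\t")[0].strip()
                path = None if target == "/dev/null" else target.removeprefix("b/")
            continue
        if path is None:                      # hunk of a deleted file: nothing is being added
            continue
        if raw.startswith("+"):               # added line: scan it, then advance numbering
            findings.extend(Finding(path, new_line, n) for n in match_line(raw[1:]))
            new_line += 1
        elif raw.startswith("-") or raw.startswith("\\"):
            pass                              # removed line / "\ No newline": no new-file line
        else:
            new_line += 1                     # context line
    return findings


def scan_text(path: str, text: str) -> list[Finding]:
    """Worker B: file-level pass over a whole modified file, not just its diff."""
    return [Finding(path, n, name)
            for n, line in enumerate(text.splitlines(), start=1)
            for name in match_line(line)]


def verdict(findings: list[Finding]) -> str:
    """Reviewer output: PASS, or one SECURITY_VIOLATION line per finding (page format)."""
    if not findings:
        return "PASS"
    return "\n".join(f"SECURITY_VIOLATION: {f.path}:{f.line} — {f.pattern}" for f in findings)


# Constructed sample diff: one added AWS key, one added connection string with a
# password, one removed GitHub token (not reported), and a README line that
# mentions AWS_ACCESS_KEY_ID without containing a key (not reported).
SAMPLE_DIFF = """\
diff --git a/src/config.ts b/src/config.ts
--- a/src/config.ts
+++ b/src/config.ts
@@ -1,4 +1,5 @@
 export const region = "us-east-1";
-export const accessKeyId = process.env.AWS_ACCESS_KEY_ID;
-export const token = "ghp_AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
+export const accessKeyId = "AKIAIOSFODNN7EXAMPLE";
+export const dbUrl = "postgres://app:hunter2@db.internal:5432/app";
 export const bucket = "uploads";
+// TODO remove before release
diff --git a/README.md b/README.md
--- a/README.md
+++ b/README.md
@@ -10,2 +10,3 @@
 ## Setup
+Run `npm install` and set AWS_ACCESS_KEY_ID in your environment.
 Then start the server.
"""

# Constructed sample file for the Worker B pass.
SAMPLE_KEY_FILE = """\
# constructed sample: a key file that slipped into the changeset
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA...truncated...
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    print(verdict(scan_diff(SAMPLE_DIFF) + scan_text("deploy/id_rsa", SAMPLE_KEY_FILE)))
```

Running it prints one `SECURITY_VIOLATION` line each for `src/config.ts:2`, `src/config.ts:3` and `deploy/id_rsa:2`; the removed `ghp_` token and the README sentence produce nothing, which is the intended behaviour of a diff-scoped scan and why a file-level pass over modified files runs alongside it.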

### Step 3b — Dependency audit

Two Workers in parallel:

- Worker A — `npm audit --audit-level=high` / `pnpm audit` / `pip-audit` / `cargo audit`. Report critical and high CVEs only.
- Worker B — License check: scan new dependencies added in this changeset for prohibited licenses (GPL in a proprietary project, etc.) if `.hyperflow/profile.md` declares a license policy.

Sonnet Reviewer — verdict:
- `PASS` — no critical/high CVEs; no license violations
- `NEEDS_REVISION` — critical CVE found → halt and surface CVE IDs
- `ESCALATE` — audit tool absent → skip silently (not a failure); missing license policy → skip

## Step 4 — Commit

Atomic — single Worker → Reviewer pair with no parallel angles. Exempt from sub-phase decomposition per DOCTRINE 12.2 atomic exemption.

- Worker-introduced fixes from Step 2 → commit automatically with a conventional commit message.
- Pre-existing user-owned uncommitted changes → use `AskUserQuestion` to confirm inclusion. Per DOCTRINE rule 8, this is a binary action gate — no recommendation marker:

  ```
  Include uncommitted user changes in this commit?
    Include — your 
