
Pre-Deploy Release Gate

Purpose

  1. Aggregate all quality gate signals from build, test, security, and documentation checks
  2. Block deployments with NO-GO verdict (exits with code 1, requires override approval)
  3. Warn on REVIEW verdict requiring manual verification (exits with code 0, logs warnings)
  4. Allow GO verdict to proceed immediately (exits with code 0, minimal output)
  5. Provide comprehensive gate report with remediation paths for each failed signal

Trigger

| Property | Value |
|---|---|
| Event | pre-deploy |
| Blocking | Yes |
| Timeout | 120s |
| Failure Mode | Block deployment, display gate report |
| Override Command | Requires approval from release-manager role |

Behavior

When Triggered

The hook aggregates quality signals from:

  • Build Gates: Compilation success, artifact availability, version consistency
  • Test Gates: Coverage >80%, all E2E tests pass, no flaky tests detected
  • Security Gates: No critical vulnerabilities, dependency audit clear, SAST scan passed
  • Documentation Gates: API docs updated, deployment runbook current, changelog entries present
  • Breaking Change Gates: No unmitigated breaking changes, migration paths documented
  • Performance Gates: No performance regressions >5%, memory usage within thresholds

Configuration

Create .coditect/config/release-gate-hook.json:

{
  "enabled": true,
  "timeout_seconds": 120,
  "gate_signals": [
    {
      "name": "build-success",
      "weight": 20,
      "required": true,
      "sources": ["ci/build.log", "ci/artifact-manifest.json"]
    },
    {
      "name": "test-coverage",
      "weight": 25,
      "required": true,
      "threshold": 80,
      "sources": ["coverage/report.xml"]
    },
    {
      "name": "security-audit",
      "weight": 25,
      "required": true,
      "sources": ["security/sast-scan.json", "security/dependency-check.json"]
    },
    {
      "name": "documentation",
      "weight": 15,
      "required": false,
      "sources": ["docs/CHANGELOG.md", "docs/DEPLOYMENT.md"]
    },
    {
      "name": "breaking-changes",
      "weight": 10,
      "required": true,
      "sources": [".git/hooks/pre-commit-breaking-impact.log"]
    },
    {
      "name": "performance",
      "weight": 5,
      "required": false,
      "threshold": 5,
      "sources": ["metrics/performance-baseline.json"]
    }
  ],
  "verdicts": {
    "GO": {
      "min_weighted_score": 95,
      "required_gates": ["build-success", "test-coverage", "security-audit"]
    },
    "REVIEW": {
      "min_weighted_score": 85,
      "action": "manual-approval-required"
    },
    "NO-GO": {
      "max_weighted_score": 84,
      "action": "block-deployment"
    }
  },
  "approval_matrix": {
    "NO-GO": ["release-manager", "senior-architect"],
    "REVIEW": ["release-manager"]
  },
  "notify_channels": {
    "NO-GO": ["slack-releases", "email-team-lead"],
    "REVIEW": ["slack-releases"],
    "GO": "log"
  }
}

Integration

The hook integrates with:

  • Skill: release-readiness-gate - Gate aggregation and verdict logic
  • Input Hooks: Consumes output from breaking-impact, smoke-test hooks
  • CI Integration: Queries CI artifact store for build/test signals
  • Security Integration: Queries SAST scan and dependency check results
  • Override Path: Requires approval from release-manager role (tracked in audit log)

Output

GO Verdict (Exit 0, Proceed)

✓ GATE: GO - All quality signals passing
Build Success: 100%
Test Coverage: 92% (target: 80%)
Security Audit: PASS (0 critical, 2 medium)
Documentation: CURRENT
Breaking Changes: NONE
Performance: +0.2% (within 5% threshold)

Ready for deployment. Proceeding...

REVIEW Verdict (Exit 0, Warnings)

⚠ GATE: REVIEW - Manual verification required
Build Success: 100%
Test Coverage: 87% (target: 80%)
Security Audit: PASS (0 critical, 1 medium - NEW)
Documentation: PARTIAL (API docs not updated)
Breaking Changes: 1 deprecated endpoint (has migration window)
Performance: +3.8% (within 5% threshold)

Action required: Release manager must approve
- New medium CVE: Review remediation plan
- Documentation: Update API docs before deploy

Contact: @release-manager on Slack

NO-GO Verdict (Exit 1, Blocked)

✗ GATE: NO-GO - Critical quality issues require resolution

CRITICAL FAILURES:
1. Test Coverage: 72% (required: 80%)
   Impact: Code quality risk
   Path: Run: make test-coverage-report

2. Security Audit: 2 CRITICAL vulnerabilities
   CVE-2026-1234: Authentication bypass in session handler
   CVE-2026-1235: SQL injection in user search
   Impact: SEVERE - Security risk
   Path: Review security/sast-scan.json, apply patches

3. Breaking Changes: 3 unmitigated breaking changes
   - DELETE /api/v1/users (no deprecation)
   - Schema: Removed user.email column
   - Config: New required AUTH_TOKEN
   Impact: HIGH - Deployment will break clients
   Path: Add deprecation windows, document migrations

Deployment blocked. Resolution required:
1. Fix failing gates above
2. Re-run: make deploy --gate-check
3. Contact @release-manager for emergencies

Estimated time to resolve: 2-4 hours

Failure Handling

| Scenario | Action | Exit Code |
|---|---|---|
| NO-GO verdict | Block deployment, require approval | 1 |
| REVIEW verdict | Warn, allow manual approval | 0 |
| GO verdict | Proceed immediately | 0 |
| Hook timeout (>120s) | REVIEW, escalate to team lead | 0 |
| Gate signal missing | Treat as REVIEW, flag for investigation | 0 |
| Configuration error | REVIEW, log incident | 0 |
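
The following added example (not the hook's or the release-readiness-gate skill's own code) applies the weights and thresholds from the configuration above together with this failure-handling table. The scoring rule (sum of the weights of passing gates), the rule that a failed required gate forces NO-GO, and the `evaluate` function name are assumptions made for illustration.

```python
import json

# Constructed subset of release-gate-hook.json: names, weights, required flags
# and verdict thresholds are copied from the configuration shown on this page.
CONFIG = json.loads("""
{"gate_signals": [
  {"name": "build-success",    "weight": 20, "required": true},
  {"name": "test-coverage",    "weight": 25, "required": true},
  {"name": "security-audit",   "weight": 25, "required": true},
  {"name": "documentation",    "weight": 15, "required": false},
  {"name": "breaking-changes", "weight": 10, "required": true},
  {"name": "performance",      "weight": 5,  "required": false}],
 "verdicts": {"GO": {"min_weighted_score": 95},
              "REVIEW": {"min_weighted_score": 85}}}
""")

EXIT_CODES = {"GO": 0, "REVIEW": 0, "NO-GO": 1}  # from the Failure Handling table


def evaluate(results, config=CONFIG):
    """results maps gate name -> True (pass) / False (fail); absent = missing.

    Assumed rules: score is the sum of weights of passing gates; a failed
    required gate forces NO-GO; a missing signal is treated as REVIEW.
    """
    score, missing, failed_required = 0, [], []
    for gate in config["gate_signals"]:
        outcome = results.get(gate["name"])
        if outcome is None:
            missing.append(gate["name"])
        elif outcome:
            score += gate["weight"]
        elif gate["required"]:
            failed_required.append(gate["name"])
    verdicts = config["verdicts"]
    if failed_required:
        verdict = "NO-GO"
    elif missing:
        verdict = "REVIEW"
    elif score >= verdicts["GO"]["min_weighted_score"]:
        verdict = "GO"
    elif score >= verdicts["REVIEW"]["min_weighted_score"]:
        verdict = "REVIEW"
    else:
        verdict = "NO-GO"
    return {"verdict": verdict, "score": score, "missing": missing,
            "failed_required": failed_required, "exit_code": EXIT_CODES[verdict]}
```

Because REVIEW maps to exit code 0, a pipeline that only checks the exit status proceeds when the security-audit signal is absent; the manual approval has to be enforced from the reported verdict rather than from the exit status.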

Error Recovery:

# View detailed gate report
cat /tmp/release-gate-report.json | python3 -m json.tool

# Request emergency override (requires approval)
make deploy --gate-override-request "Critical production fix" --approve-by @release-manager

# Re-run gate check
make deploy --gate-check

| Hook | Timing | Relationship | Purpose |
|---|---|---|---|
| pre-commit-breaking-impact.md | Pre-commit | Input | Feeds breaking change signals to gate |
| post-deploy-smoke-test.md | Post-deploy | Downstream | Verifies gate didn't miss issues |
| post-deploy-canary-monitor.md | Post-deploy | Monitoring | Auto-rollback if gate failed to detect problems |
| ci-integration-hook.md | CI pipeline | Parallel | Provides build/test signals to gate |

Principles

  1. Consensus Verdicts: NO-GO requires all critical gates clear; GO requires weighted consensus
  2. Transparent Scoring: Every gate signal weighted and scored; full report available
  3. Actionable Failures: Each failure includes remediation path and resolution time estimate
  4. Audit Trail: All overrides require approval from release-manager; tracked for postmortems
  5. Fast Feedback: 120s timeout ensures quick gate results
  6. Skill-Driven: Gate logic and verdict algorithms managed by release-readiness-gate skill
  7. Human Override: NO-GO verdicts always require human approval; automation respects human judgment

Related Documentation: