Local-first quality gate for release readiness.
code-to-gate scans a repository locally and turns code signals into reviewable
artifacts: findings, risks, test seeds, SARIF, and release-readiness evidence.
It is not a replacement for a linter or SAST engine; it is the evidence and gate
layer around repository structure and imported/static signals.
Findings are review-required candidates, not confirmed vulnerabilities or
automatic release decisions. critical and high are gate severity labels used
to prioritize human review; the final release decision remains with the human
or downstream approval gate.
Language: English | 日本語
| Channel | Status |
|---|---|
package.json |
1.5.0 |
| GitHub Release | v1.5.0 latest published release |
| npm registry | Not published yet |
See Distribution Status for the release/publication matrix.
1.5.0 is available as a GitHub Release. The npm package remains unpublished,
so install from GitHub/source until npm publication is completed.
# Recommended until npm publication is complete
npm install -g github:RNA4219/code-to-gate
# From source
npm install
npm run build
npm linkThe npm package name is reserved in docs as @quality-harness/code-to-gate, but
registry publication has not been completed yet.
code-to-gate scan ./my-repo --out .qh
code-to-gate analyze ./my-repo --emit all --out .qh
code-to-gate ownership --from .qh --out .qh
code-to-gate readiness ./my-repo --policy policy.yaml --from .qh --out .qh
code-to-gate spec-drift ./my-repo --out .qh
code-to-gate test-plan --from .qh --out .qh
code-to-gate pr-review --from .qh --out .qh
code-to-gate export sarif --from .qh --out results.sarif
code-to-gate export evidence-dag --from .qh --out .qh/evidence-dag.json
code-to-gate viewer --from .qh --out public/index.html --hostedFor database migration analysis (preview surface):
code-to-gate analyze ./my-repo --database-analysis --emit all --out .qh
code-to-gate diff ./my-repo --base origin/main --head HEAD --database-analysis --out .qhDatabase artifacts are useful for review, but database analysis is still a
preview/experimental surface and should not be treated as part of the stable
ctg/v1 public contract until explicitly promoted.
| Artifact | Purpose |
|---|---|
repo-graph.json |
Repository files, symbols, dependencies, and entrypoints |
database-assets.json |
Optional DB assets and DDL operations from --database-analysis |
findings.json |
Evidence-backed findings |
risk-register.yaml |
Risks that need review |
test-seeds.json |
Suggested test ideas |
release-readiness.json |
Policy gate result |
evidence-dag.json |
Cross-artifact evidence graph |
spec-drift.json |
Docs, schema, CLI, and test drift checks |
hosted-static-report.json |
Static hosting manifest for a single-file HTML report |
schema-migration.json |
Schema migration report and validation result |
ownership-risk.json |
CODEOWNERS reviewer candidates and module ownership risk |
plugin-marketplace.json |
Validated plugin registry for marketplace/distribution review |
pr-review.json |
PR review sections for block reasons, accepted risk, tests, spec drift, and evidence links |
pr-review.md |
Markdown PR comment body generated from pr-review.json |
analysis-report.md |
Human-readable summary |
results.sarif |
GitHub Code Scanning format |
| Area | Status |
|---|---|
| TypeScript / JavaScript | Primary AST support |
| Python / Ruby / Go / Rust | Tree-sitter with --tree-sitter, regex fallback otherwise |
| Java / PHP / C# / C++ | Baseline heuristic support |
| Core rules | 17 core rules |
| Database analysis | Optional SQL / migration checks via --database-analysis |
| Schema version | ctg/v1; ctg/v1alpha1 is accepted for backward compatibility |
version: ctg/v1
blocking:
severity:
critical: true
high: true
category:
auth: true
payment: true
data: true
rules:
DB_DROP_TABLE: true
readiness:
criticalFindingStatus: blocked_input| Document | Purpose |
|---|---|
| Quickstart | First run and CI setup |
| Distribution Status | Package, GitHub release, and npm publication state |
| CLI Reference | Commands, flags, output formats |
| Policy Guide | Gate policy configuration |
| Integrations | GitHub Actions and downstream exports |
| Plugin Development | Custom rule SDK |
| Changelog | Release history |
npm install
npm run build
npm run test:smoke
npm testMIT. See LICENSE.