Problem It Solves
Closes gap: #169
Security Auditor findings are currently advisory. There is no mechanism for a finding of any severity to block workflow advancement. Teams cannot enforce a security policy through the framework — they can only rely on human vigilance.
Proposed Behavior
1. Structured severity levels in Security Auditor handoffs
The Security Auditor handoff artifact gains a structured findings section:
## Security Findings
| ID | Severity | Category | Description | File | Line |
|----|----------|----------|-------------|------|------|
| SA-001 | HIGH | Secret Leak | AWS key in environment config | config/env.go | 42 |
| SA-002 | LOW | Logging | Request body logged at DEBUG level | api/handler.go | 87 |
Valid severity levels: critical / high / medium / low / info
2. Blocking gate configuration in config.yaml
```yaml
quality_gates:
  security:
    blocking_severity: high   # findings at this level or above block gate approval
    require_sign_off: true    # human must explicitly acknowledge non-blocking findings
```
3. Engine gate evaluation
At the security-auditor quality gate, the engine parses the structured findings section and compares each finding's severity against blocking_severity. If any finding meets or exceeds the threshold, the gate fails with a structured error listing the blocking findings. The gate cannot be approved until the findings are remediated or explicitly overridden with a documented reason.
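The gate evaluation described above, as an added example rather than the framework's own engine code (Go is assumed because the files named in the table are Go sources; the table layout and severity names are taken from this proposal, and the function names are hypothetical):

```go
package main
import (
	"fmt"
	"strings"
)
// Severity rank, lowest to highest; a name outside this set is rejected as malformed.
var severityRank = map[string]int{"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}
type Finding struct{ ID, Severity, Category, Description, File, Line string }
// parseFindings extracts the rows of the "## Security Findings" table from a handoff artifact.
func parseFindings(handoff string) ([]Finding, error) {
	out, inSection := []Finding{}, false
	for _, raw := range strings.Split(handoff, "\n") {
		line := strings.TrimSpace(raw)
		if strings.HasPrefix(line, "## ") { // any other heading ends the findings section
			inSection = line == "## Security Findings"
		}
		if !inSection || !strings.HasPrefix(line, "|") {
			continue
		}
		cells := strings.Split(strings.Trim(line, "|"), "|")
		for i := range cells {
			cells[i] = strings.TrimSpace(cells[i])
		}
		if len(cells) != 6 {
			return nil, fmt.Errorf("malformed findings row: %q", line)
		}
		if cells[0] == "ID" || strings.HasPrefix(cells[0], "---") {
			continue // header and separator rows
		}
		sev := strings.ToLower(cells[1])
		if _, ok := severityRank[sev]; !ok {
			return nil, fmt.Errorf("%s: unknown severity %q", cells[0], cells[1])
		}
		out = append(out, Finding{cells[0], sev, cells[2], cells[3], cells[4], cells[5]})
	}
	return out, nil
}

// evaluateGate returns the findings at or above blockingSeverity; an empty result means the gate passes.
// A blocking_severity that is not a valid level is an error, so a config typo cannot silently disable the gate.
func evaluateGate(findings []Finding, blockingSeverity string) (blocking []Finding, err error) {
	threshold, ok := severityRank[strings.ToLower(blockingSeverity)]
	if !ok {
		return nil, fmt.Errorf("invalid blocking_severity %q", blockingSeverity)
	}
	for _, f := range findings {
		if severityRank[f.Severity] >= threshold {
			blocking = append(blocking, f)
		}
	}
	return blocking, nil
}
```

With the two findings from the table above and `blocking_severity: high`, only SA-001 is returned, and the CLI would list it in the structured gate error; with `blocking_severity: critical` the gate passes and SA-002 remains a non-blocking finding for sign-off.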
Dependencies
Complexity Estimate
Medium — 4 files: Security Auditor agent template update, gate evaluation logic, config schema, CLI output for blocked security gates, tests