feat(w21-24kl): batch 21 — ticket gate hook + RED finalize tests

Implement pre-commit-ticket-gate.sh (dso-vl19): commit-msg hook that
blocks commits without valid v3 ticket IDs (XXXX-XXXX hex), with
allowlist skip, merge exemption, and graceful degradation.

Add RED tests for _phase_finalize in cutover script (dso-rmn7): 11 tests
covering git tag creation, file removal, compaction re-enable, and
idempotent behavior.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: JoeOakhartNava

.test-index

@@ -102,4 +102,5 @@ plugins/dso/skills/validate-work/SKILL.md:plugins/dso/tests/test-sprint-skill-st
 plugins/dso/skills/validate-work/prompts/ci-status.md:tests/hooks/test-ci-status-no-jq.sh,tests/scripts/test-ci-status-auth-ratelimit.sh,tests/scripts/test-ci-status-timeout.sh,tests/scripts/test-ci-status.sh
 plugins/dso/skills/verification-before-completion/SKILL.md:plugins/dso/tests/test-sprint-skill-step10-no-merge-to-main.sh,tests/plugin/test-audit-skill-resolution.sh,tests/hooks/test-fix-bug-skill.sh,tests/hooks/test-generate-claude-md-skill.sh,tests/hooks/test-init-skill.sh,tests/scripts/test-qualify-skill-refs.sh,tests/scripts/test-skill-path-refs.sh,tests/scripts/test-check-skill-refs.sh,tests/skills/test_end_skill_final_verification_step.py,tests/skills/test_implementation_plan_skill_tdd_enforcement.py,tests/skills/test-quick-ref-skill.sh,tests/skills/test_project_setup_skill_conditional_prompts.py,tests/skills/test_fix_bug_skill.py,tests/skills/test_end_skill_summary_displays_stored_learnings.py,tests/skills/test_end_skill_learnings_step_before_commit.py,tests/skills/test-design-skills-cross-stack.sh,tests/skills/test_end_skill_dirty_worktree_resolution.py,tests/skills/test_fix_bug_skill_escalated_section.py,tests/skills/test_end_skill_bug_tickets_before_commit.py
 plugins/dso/scripts/cutover-tickets-migration.sh: tests/scripts/test-cutover-tickets-migration.sh [test_cutover_rollback_committed_uses_revert]
+plugins/dso/scripts/cutover-tickets-migration.sh: tests/scripts/test-cutover-tickets-migration-finalize.sh [test_finalize_creates_git_tag]
 plugins/dso/hooks/pre-commit-ticket-gate.sh: tests/hooks/test-pre-commit-ticket-gate.sh [test_blocks_missing_ticket_id]

.tickets/.sync-state.json

@@ -449,8 +449,8 @@
     "last_synced": "2026-03-19T18:38:35Z",
     "local_hash": "14c516947a151a3db8bdec4010e2fd6e"
   },
-  "last_pull_timestamp": "2026-03-23T20:55:35Z",
-  "last_sync_commit": "0ae161d9e098387e6596147a999ae6bcf2d32f9d",
+  "last_pull_timestamp": "2026-03-23T21:20:47Z",
+  "last_sync_commit": "7e98b2ec5ac33564d5215c742707fffffff5d706",
   "w21-5cqr": {
     "jira_hash": "bce29d76f01c58613ee99cb1dd03920d",
     "jira_key": "DIG-61",

.tickets/dso-qki2.md

@@ -1,6 +1,6 @@
 ---
 id: dso-qki2
-status: in_progress
+status: closed
 deps: []
 links: []
 created: 2026-03-23T20:26:38Z

.tickets/dso-rmn7.md

@@ -1,6 +1,6 @@
 ---
 id: dso-rmn7
-status: open
+status: in_progress
 deps: []
 links: []
 created: 2026-03-23T20:26:09Z
@@ -53,3 +53,29 @@ tests/scripts/test-cutover-tickets-migration-finalize.sh (new file)
 - [ ] .test-index entry maps cutover-tickets-migration.sh to test-cutover-tickets-migration-finalize.sh
   Verify: grep -q 'cutover-tickets-migration.sh.*test-cutover-tickets-migration-finalize.sh' $(git rev-parse --show-toplevel)/.test-index
 
+
+## Notes
+
+**2026-03-23T21:13:06Z**
+
+CHECKPOINT 1/6: Task context loaded ✓
+
+**2026-03-23T21:13:45Z**
+
+CHECKPOINT 2/6: Code patterns understood ✓
+
+**2026-03-23T21:15:11Z**
+
+CHECKPOINT 3/6: Tests written ✓
+
+**2026-03-23T21:15:34Z**
+
+CHECKPOINT 4/6: Implementation complete ✓
+
+**2026-03-23T21:16:05Z**
+
+CHECKPOINT 5/6: Validation passed ✓
+
+**2026-03-23T21:16:20Z**
+
+CHECKPOINT 6/6: Done ✓

.tickets/dso-vl19.md

@@ -1,6 +1,6 @@
 ---
 id: dso-vl19
-status: open
+status: in_progress
 deps: [dso-qki2]
 links: []
 created: 2026-03-23T20:27:05Z
@@ -66,3 +66,37 @@ DO NOT modify review-gate-allowlist.conf, pre-commit-review-gate.sh, review-gate
 - [ ] ruff format --check passes (exit 0)
   Verify: ruff format --check $(git rev-parse --show-toplevel)/plugins/dso/scripts/*.py $(git rev-parse --show-toplevel)/tests/**/*.py
 
+## ACCEPTANCE CRITERIA
+
+- [ ] plugins/dso/hooks/pre-commit-ticket-gate.sh exists and is executable
+  Verify: test -x plugins/dso/hooks/pre-commit-ticket-gate.sh
+- [ ] Bash syntax validation passes
+  Verify: bash -n plugins/dso/hooks/pre-commit-ticket-gate.sh
+- [ ] RED tests from dso-qki2 now pass (GREEN)
+  Verify: bash tests/hooks/test-pre-commit-ticket-gate.sh 2>&1 | grep -qi passed
+
+## Notes
+
+**2026-03-23T21:12:52Z**
+
+CHECKPOINT 1/6: Task context loaded ✓
+
+**2026-03-23T21:13:08Z**
+
+CHECKPOINT 2/6: Code patterns understood ✓
+
+**2026-03-23T21:13:08Z**
+
+CHECKPOINT 3/6: Tests written (none required) ✓
+
+**2026-03-23T21:13:56Z**
+
+CHECKPOINT 4/6: Implementation complete ✓
+
+**2026-03-23T21:14:10Z**
+
+CHECKPOINT 5/6: Validation passed ✓
+
+**2026-03-23T21:15:07Z**
+
+CHECKPOINT 6/6: Done ✓

plugins/dso/hooks/pre-commit-ticket-gate.sh

@@ -0,0 +1,161 @@
+#!/usr/bin/env bash
+# hooks/pre-commit-ticket-gate.sh
+# git commit-msg hook: blocks commits lacking a valid v3 ticket ID in the message.
+#
+# DESIGN:
+#   This hook runs at the commit-msg stage, receiving the commit message file
+#   path as $1 (standard git commit-msg hook convention). It checks that the
+#   commit message contains at least one valid v3 ticket ID (XXXX-XXXX hex
+#   format) that exists in the event-sourced tracker.
+#
+# LOGIC (in order):
+#   1. Fail-open on timeout (SIGTERM/SIGURG).
+#   2. Read commit message from $1 (or COMMIT_MSG_FILE_OVERRIDE for tests).
+#   3. Merge commit exemption: if MERGE_HEAD exists → exit 0.
+#   4. Get staged files via git diff --cached --name-only.
+#   5. Load allowlist from review-gate-allowlist.conf (via deps.sh).
+#   6. If ALL staged files match allowlist → exit 0 (no ticket needed).
+#   7. Graceful degradation: if tracker not mounted → warn → exit 0.
+#   8. Extract ticket IDs matching [a-z0-9]{4}-[a-z0-9]{4} from message.
+#   9. For each ID: check dir exists + CREATE event file present in tracker.
+#  10. If any valid ID found → exit 0.
+#  11. Otherwise → exit 1 with format hint and ticket creation pointer.
+#
+# INSTALL:
+#   Registered in .pre-commit-config.yaml as a commit-msg stage local hook.
+#
+# ENVIRONMENT:
+#   COMMIT_MSG_FILE_OVERRIDE  — path to commit message file (used in tests)
+#   TICKET_TRACKER_OVERRIDE   — path to tracker dir (used in tests)
+#   CONF_OVERRIDE             — path to allowlist conf (used in tests)
+
+set -uo pipefail
+
+# ── Fail-open on timeout ─────────────────────────────────────────────────────
+# pre-commit sends SIGTERM after timeout; Claude Code tool timeout sends SIGURG.
+# A gate timeout is infrastructure failure — fail open so commits aren't blocked.
+_fail_open_on_timeout() {
+    echo "pre-commit-ticket-gate: WARNING: timed out — failing open (commit allowed)" >&2
+    exit 0
+}
+trap _fail_open_on_timeout TERM URG
+
+# ── Locate hook and plugin directories ──────────────────────────────────────
+HOOK_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+
+# Source shared dependency library (provides _load_allowlist_patterns, _allowlist_to_grep_regex, get_artifacts_dir)
+source "$HOOK_DIR/lib/deps.sh"
+
+# ── Read commit message ──────────────────────────────────────────────────────
+# Supports COMMIT_MSG_FILE_OVERRIDE for test injection; falls back to $1 (git standard).
+_COMMIT_MSG_FILE="${COMMIT_MSG_FILE_OVERRIDE:-${1:-}}"
+if [[ -z "$_COMMIT_MSG_FILE" || ! -f "$_COMMIT_MSG_FILE" ]]; then
+    # No commit message file available — fail open (do not block)
+    exit 0
+fi
+COMMIT_MSG=$(cat "$_COMMIT_MSG_FILE" 2>/dev/null || echo "")
+
+# ── Merge commit exemption ────────────────────────────────────────────────────
+# When MERGE_HEAD exists (in-progress merge), exit 0 unconditionally.
+if [[ -f "$(git rev-parse --git-dir 2>/dev/null)/MERGE_HEAD" ]]; then
+    exit 0
+fi
+
+# ── Get staged files ─────────────────────────────────────────────────────────
+STAGED_FILES=()
+_staged_output=$(git diff --cached --name-only 2>/dev/null || true)
+if [[ -n "$_staged_output" ]]; then
+    while IFS= read -r f; do
+        [[ -z "$f" ]] && continue
+        STAGED_FILES+=("$f")
+    done <<< "$_staged_output"
+fi
+
+# No staged files → nothing to check
+if [[ ${#STAGED_FILES[@]} -eq 0 ]]; then
+    exit 0
+fi
+
+# ── Load allowlist patterns ───────────────────────────────────────────────────
+ALLOWLIST_PATH="${CONF_OVERRIDE:-$HOOK_DIR/lib/review-gate-allowlist.conf}"
+ALLOWLIST_PATTERNS=""
+if [[ -f "$ALLOWLIST_PATH" ]]; then
+    ALLOWLIST_PATTERNS=$(_load_allowlist_patterns "$ALLOWLIST_PATH" 2>/dev/null || true)
+fi
+
+# Build a grep regex from the allowlist for fast file matching
+NON_REVIEWABLE_REGEX=""
+if [[ -n "$ALLOWLIST_PATTERNS" ]]; then
+    while IFS= read -r _regex_line; do
+        [[ -z "$_regex_line" ]] && continue
+        if [[ -z "$NON_REVIEWABLE_REGEX" ]]; then
+            NON_REVIEWABLE_REGEX="$_regex_line"
+        else
+            NON_REVIEWABLE_REGEX="${NON_REVIEWABLE_REGEX}|${_regex_line}"
+        fi
+    done <<< "$(_allowlist_to_grep_regex "$ALLOWLIST_PATTERNS")"
+fi
+
+# ── Check if all staged files are allowlisted ─────────────────────────────────
+NON_ALLOWLISTED_FILES=()
+if [[ -z "$NON_REVIEWABLE_REGEX" ]]; then
+    # No allowlist loaded — everything requires a ticket (fail-safe)
+    NON_ALLOWLISTED_FILES=("${STAGED_FILES[@]}")
+else
+    _non_allowlisted=$(printf '%s\n' "${STAGED_FILES[@]}" | grep -vE "$NON_REVIEWABLE_REGEX" 2>/dev/null || true)
+    if [[ -n "$_non_allowlisted" ]]; then
+        while IFS= read -r _classified_file; do
+            [[ -n "$_classified_file" ]] && NON_ALLOWLISTED_FILES+=("$_classified_file")
+        done <<< "$_non_allowlisted"
+    fi
+fi
+
+# All staged files are allowlisted → no ticket needed
+if [[ ${#NON_ALLOWLISTED_FILES[@]} -eq 0 ]]; then
+    exit 0
+fi
+
+# ── Resolve tracker directory ─────────────────────────────────────────────────
+REPO_ROOT=$(git rev-parse --show-toplevel 2>/dev/null || echo "")
+TRACKER_DIR="${TICKET_TRACKER_OVERRIDE:-${REPO_ROOT}/.tickets-tracker}"
+
+# Graceful degradation: if tracker is not mounted, warn and fail open
+if [[ ! -d "$TRACKER_DIR" ]]; then
+    echo "pre-commit-ticket-gate: WARNING: ticket tracker not mounted at ${TRACKER_DIR} — skipping ticket check" >&2
+    exit 0
+fi
+
+# ── Extract v3 ticket IDs from commit message ─────────────────────────────────
+# v3 format: four lowercase hex chars, dash, four lowercase hex chars: e.g. dso-78iq
+TICKET_IDS=()
+while IFS= read -r _matched_id; do
+    [[ -n "$_matched_id" ]] && TICKET_IDS+=("$_matched_id")
+done < <(echo "$COMMIT_MSG" | grep -oE '[a-z0-9]{4}-[a-z0-9]{4}' 2>/dev/null || true)
+
+# ── Validate each extracted ticket ID ────────────────────────────────────────
+for _id in "${TICKET_IDS[@]+"${TICKET_IDS[@]}"}"; do
+    _ticket_dir="${TRACKER_DIR}/${_id}"
+    if [[ -d "$_ticket_dir" ]]; then
+        # Check for a CREATE event file in the ticket directory
+        _create_file=$(ls "$_ticket_dir/"*-CREATE.json 2>/dev/null | head -1 || echo "")
+        if [[ -n "$_create_file" ]]; then
+            # Found a valid ticket — allow commit
+            exit 0
+        fi
+    fi
+done
+
+# ── No valid ticket ID found → block commit ───────────────────────────────────
+echo "" >&2
+echo "BLOCKED: commit-msg ticket gate" >&2
+echo "" >&2
+echo "  Commit message must reference a valid v3 ticket ID." >&2
+echo "  Expected format: XXXX-XXXX (hex, e.g. dso-78iq)" >&2
+echo "" >&2
+echo "  Your commit message:" >&2
+echo "    ${COMMIT_MSG}" >&2
+echo "" >&2
+echo "  To create a ticket: ticket create task \"<description>\"" >&2
+echo "  Then add the ticket ID to your commit message." >&2
+echo "" >&2
+exit 1