fix: test gate allowlist filtering and fail-open on timeout (dso-sfoc) (merge worktree-20260321-144840)

Author: JoeOakhartNava

.tickets/.index.json

@@ -91,6 +91,16 @@
     "title": "Cleanup tests",
     "type": "epic"
   },
+  "dso-5ooy": {
+    "deps": [
+      "w21-ykic",
+      "w21-ovpn"
+    ],
+    "priority": 2,
+    "status": "open",
+    "title": "Conditional Security & Performance Review Overlays",
+    "type": "epic"
+  },
   "dso-6oo5": {
     "deps": [
       "dso-wqt4",
@@ -185,6 +195,42 @@
     "title": "Display Task titles during sprint batch execution",
     "type": "epic"
   },
+  "dso-b538": {
+    "deps": [
+      "dso-bxng"
+    ],
+    "priority": 2,
+    "status": "open",
+    "title": "As a DSO practitioner, the Deep Sonnet C reviewer applies deep hygiene, design, and maintainability checks",
+    "type": "story"
+  },
+  "dso-b7nb": {
+    "deps": [
+      "dso-bxng"
+    ],
+    "priority": 2,
+    "status": "open",
+    "title": "As a DSO practitioner, the Deep Sonnet A reviewer applies deep correctness checks with acceptance criteria validation",
+    "type": "story"
+  },
+  "dso-boct": {
+    "deps": [
+      "dso-9ltc"
+    ],
+    "priority": 2,
+    "status": "open",
+    "title": "As a DSO practitioner, the Light tier haiku reviewer applies a focused 6-item checklist to low-complexity changes",
+    "type": "story"
+  },
+  "dso-bxng": {
+    "deps": [
+      "dso-9ltc"
+    ],
+    "priority": 2,
+    "status": "open",
+    "title": "As a DSO practitioner, the Standard tier sonnet reviewer applies full 5-dimension checklists with researched sub-criteria",
+    "type": "story"
+  },
   "dso-cb9v": {
     "deps": [
       "dso-ocfn",
@@ -278,6 +324,15 @@
     "title": "Using-lockpicks brainstorm enforcement",
     "type": "epic"
   },
+  "dso-gfry": {
+    "deps": [
+      "dso-bxng"
+    ],
+    "priority": 2,
+    "status": "open",
+    "title": "As a DSO practitioner, the Deep Sonnet B reviewer applies deep verification checks evaluating test quality and coverage",
+    "type": "story"
+  },
   "dso-gjww": {
     "deps": [],
     "priority": 4,
@@ -313,6 +368,17 @@
     "title": "Don't merge to main between batches",
     "type": "epic"
   },
+  "dso-jf62": {
+    "deps": [
+      "dso-b7nb",
+      "dso-gfry",
+      "dso-b538"
+    ],
+    "priority": 2,
+    "status": "open",
+    "title": "As a DSO practitioner, the Deep Opus architectural reviewer applies cross-cutting synthesis checks across all specialist findings",
+    "type": "story"
+  },
   "dso-jny6": {
     "deps": [
       "dso-4lbf"
@@ -461,6 +527,13 @@
     "title": "Generic agent invocations should be given descriptive names",
     "type": "epic"
   },
+  "dso-sfoc": {
+    "deps": [],
+    "priority": 1,
+    "status": "closed",
+    "title": "Bug: pre-commit test gate times out on large ticket-only commits (no allowlist filtering)",
+    "type": "bug"
+  },
   "dso-soyt": {
     "deps": [],
     "priority": 2,

.tickets/dso-5ooy.md

@@ -0,0 +1,85 @@
+---
+id: dso-5ooy
+status: open
+deps: [w21-ykic, w21-ovpn]
+links: []
+created: 2026-03-21T23:27:40Z
+type: epic
+priority: 2
+assignee: Joe Oakhart
+---
+# Conditional Security & Performance Review Overlays
+
+
+## Notes
+
+<!-- note-id: k3xxzh2r -->
+<!-- timestamp: 2026-03-21T23:28:18Z -->
+<!-- origin: agent -->
+<!-- sync: unsynced -->
+
+
+## Context
+
+Security and performance concerns cut across all review dimensions but don't belong as permanent sub-criteria in every review — they waste tokens on changes with no security/performance surface. This epic adds conditional review overlays that trigger only when the classifier detects relevant signals, orthogonal to the tier system (any tier can trigger an overlay).
+
+## Brainstorm Research (to be resumed)
+
+### Architecture Decision
+- Security and performance reviews are **conditional overlays**, not permanent dimensions
+- Triggered by classifier signals alongside tier routing: classifier emits trigger flags (security_review: true, performance_review: true)
+- Any tier level can trigger an overlay — a Light tier change touching auth still gets security review
+- Each overlay has its own dedicated reviewer agent, checklist, and findings that merge into reviewer-findings.json
+
+### Security Review Triggers (proposed)
+- Code that touches external integrations
+- Code that touches data layer
+- Authentication or authorization code
+- Encryption-related code
+
+### Security Review Criteria (from research)
+Source: Anthropic claude-code-security-review (OWASP-aligned)
+- Injection attacks: SQL, command, LDAP, XPath, NoSQL, XXE
+- Authentication & authorization: broken auth, privilege escalation, insecure direct object references, auth bypass, session flaws
+- Data exposure: hardcoded secrets, sensitive data logging, information disclosure, PII handling violations
+- Cryptographic issues: weak algorithms, improper key management, insecure RNG
+- Input validation: missing validation, improper sanitization, buffer overflows
+- Business logic flaws: race conditions, TOCTOU (time-of-check-time-of-use)
+- Configuration security: insecure defaults, missing security headers, permissive CORS
+- Supply chain: vulnerable dependencies, typosquatting
+- Code execution: RCE via deserialization, pickle injection, eval injection
+- XSS: reflected, stored, DOM-based
+- Error message information leakage (OWASP): errors that reveal internal state
+
+### Performance Review Triggers (proposed)
+- Any operation more expensive than O(n)
+- Code that touches infrastructure
+- Code that touches data layer
+- Future enhancement: trigger on spike in test runtime or application latency in E2E testing (needs friction-free way to surface this data)
+
+### Performance Review Criteria (from research)
+- N+1 query problems
+- Nested loops over large datasets
+- Inefficient algorithms or database queries
+- Memory usage patterns and potential leaks
+- Bundle size and optimization opportunities
+- Sequential I/O where parallel is possible (AI-specific)
+- Image optimization
+
+### Integration Architecture (to be designed)
+Pipeline becomes: classifier → tier + overlay triggers → dispatch tier reviewer(s) + overlay reviewer(s) → merged findings → resolution loop
+- Overlay reviewers need own agent definitions and checklists
+- Findings merge into same reviewer-findings.json and scoring
+- Classifier/dispatch changes needed to trigger overlays
+- Performance runtime trigger (pytest --durations baseline comparison) deferred as future enhancement to avoid friction
+
+### Open Questions
+- Exact classifier signal thresholds for triggering overlays
+- Whether overlays should have their own severity scale or use the existing critical/important/minor
+- How overlay findings interact with the autonomous resolution loop
+- Whether the security overlay replaces or supplements the existing dso-0wi2 sensitive-info security review
+
+## Dependencies
+- w21-ykic (Tiered Review Architecture): requires classifier infrastructure to add overlay trigger signals
+- w21-ovpn (Review Intelligence & Precision): requires enriched checklist architecture (reviewer-delta files, confidence scoring, false-positive filters)
+

.tickets/dso-b538.md

@@ -0,0 +1,37 @@
+---
+id: dso-b538
+status: open
+deps: [dso-bxng]
+links: []
+created: 2026-03-21T23:20:14Z
+type: story
+priority: 2
+assignee: Joe Oakhart
+parent: w21-ovpn
+---
+# As a DSO practitioner, the Deep Sonnet C reviewer applies deep hygiene, design, and maintainability checks
+
+
+## Notes
+
+<!-- note-id: qbufm2gh -->
+<!-- timestamp: 2026-03-21T23:21:29Z -->
+<!-- origin: agent -->
+<!-- sync: unsynced -->
+
+
+## Description
+
+**What**: Create the reviewer-delta-deep-hygiene-design-maint.md checklist for the Deep tier Sonnet C (hygiene + design + maintainability specialist) reviewer.
+
+**Why**: Deep tier reviews high-complexity changes. Sonnet C owns three structural dimensions — the qualities that prevent long-term codebase decay. No ticket context needed because structural quality is ticket-independent.
+
+## Acceptance Criteria
+
+- When this story is complete, reviewer-delta-deep-hygiene-design-maint.md includes all Standard hygiene/design/maintainability criteria plus:
+  - Flag functions where branching depth suggests extraction opportunities
+  - Evaluate whether new abstractions follow single responsibility
+  - Flag in-place mutation of shared data structures when immutable patterns are established in surrounding code
+- When this story is complete, the checklist includes no ticket context instructions (structural quality is ticket-independent)
+- When this story is complete, build-review-agents.sh regenerates the deep hygiene/design/maintainability reviewer agent successfully
+

.tickets/dso-b7nb.md

@@ -0,0 +1,40 @@
+---
+id: dso-b7nb
+status: open
+deps: [dso-bxng]
+links: []
+created: 2026-03-21T23:20:11Z
+type: story
+priority: 2
+assignee: Joe Oakhart
+parent: w21-ovpn
+---
+# As a DSO practitioner, the Deep Sonnet A reviewer applies deep correctness checks with acceptance criteria validation
+
+
+## Notes
+
+<!-- note-id: 6sefb1v1 -->
+<!-- timestamp: 2026-03-21T23:21:18Z -->
+<!-- origin: agent -->
+<!-- sync: unsynced -->
+
+
+## Description
+
+**What**: Create the reviewer-delta-deep-correctness.md checklist for the Deep tier Sonnet A (correctness specialist) reviewer.
+
+**Why**: Deep tier reviews high-complexity changes (classifier score 7+). Sonnet A owns correctness with full ticket context, enabling acceptance criteria validation that other reviewers can't perform.
+
+## Acceptance Criteria
+
+- When this story is complete, reviewer-delta-deep-correctness.md includes all Standard correctness criteria plus:
+  - Acceptance criteria validation against ticket (when ticket context available)
+  - Deeper edge-case analysis with explicit escape hatch: if code handles edge cases adequately, state so — do not manufacture findings
+  - Inaccurate naming elevated from minor to important severity (name implies different behavior than implementation)
+- When this story is complete, the checklist includes ticket context instructions: use full ticket (minus verbose status update notes) when available; do not block on missing ticket context
+- When this story is complete, build-review-agents.sh regenerates the deep correctness reviewer agent successfully
+
+## Constraints
+- Must reference Standard checklist criteria by inclusion, not duplication — the build process composes base + standard + deep-correctness
+

.tickets/dso-boct.md

@@ -0,0 +1,46 @@
+---
+id: dso-boct
+status: open
+deps: []
+links: []
+created: 2026-03-21T23:20:00Z
+type: story
+priority: 2
+assignee: Joe Oakhart
+parent: w21-ovpn
+---
+# As a DSO practitioner, the Light tier haiku reviewer applies a focused 6-item checklist to low-complexity changes
+
+
+## Notes
+
+<!-- note-id: t9c2dk6q -->
+<!-- timestamp: 2026-03-21T23:20:49Z -->
+<!-- origin: agent -->
+<!-- sync: unsynced -->
+
+
+## Description
+
+**What**: Create the reviewer-delta-light.md checklist for the Light tier haiku reviewer with exactly 6 high-signal items.
+
+**Why**: Light tier reviews low-complexity changes (classifier score 0-2). Haiku has limited context budget — the checklist must focus on what delivers value for small changes without codebase research.
+
+## Acceptance Criteria
+
+- When this story is complete, reviewer-delta-light.md contains exactly 6 checklist items:
+  1. Silent failures: swallowed exceptions, empty catch blocks
+  2. Tolerance/assertion weakening: changes that relax existing validation
+  3. Test-code correspondence: production change without test change in same diff (binary check)
+  4. Type system escape hatches: Any/any/interface{} without justifying comment
+  5. Dead code introduced in the diff: unused imports, unreachable branches
+  6. Non-descriptive names in the diff: single letters, generic words (data, temp, result, process, handle)
+- When this story is complete, the checklist includes no codebase research instructions (no Grep/Read)
+- When this story is complete, the checklist includes no similarity pipeline or ticket context references
+- When this story is complete, the checklist includes escape hatch language: if no issues found, state so explicitly rather than manufacturing findings
+- When this story is complete, build-review-agents.sh regenerates the light reviewer agent successfully
+
+## Constraints
+- No codebase research tools — haiku doesn't have the context budget
+- Items must be evaluable from the diff alone
+

.tickets/dso-bxng.md

@@ -0,0 +1,44 @@
+---
+id: dso-bxng
+status: open
+deps: []
+links: []
+created: 2026-03-21T23:20:06Z
+type: story
+priority: 2
+assignee: Joe Oakhart
+parent: w21-ovpn
+---
+# As a DSO practitioner, the Standard tier sonnet reviewer applies full 5-dimension checklists with researched sub-criteria
+
+
+## Notes
+
+<!-- note-id: 2k8hj2b0 -->
+<!-- timestamp: 2026-03-21T23:21:05Z -->
+<!-- origin: agent -->
+<!-- sync: unsynced -->
+
+
+## Description
+
+**What**: Create the reviewer-delta-standard.md checklist for the Standard tier sonnet reviewer with full 5-dimension coverage and researched sub-criteria.
+
+**Why**: Standard tier handles ~30-40% of reviews. This is the most common reviewer and needs comprehensive criteria across all dimensions. Condensed ticket context reduces false positives without exhausting context budget.
+
+## Acceptance Criteria
+
+- When this story is complete, reviewer-delta-standard.md contains sub-criteria for all 5 dimensions:
+  - Correctness: edge cases/failure states with escape hatch, race conditions in async operations, silent failures, tolerance/assertion weakening, over-engineering/YAGNI
+  - Verification: behavior-driven not implementation-driven tests, test-code correspondence in same changeset, assertion quality (meaningful vs trivial), arrange-act-assert structure, test smells (naming, fixture bloat)
+  - Hygiene: type system escape hatches without justification, nesting depth >2 levels (suggest early returns/extraction), dead code, suppression scrutiny (noqa/type:ignore with justifying comments), explicit exclusion of linter-catchable issues
+  - Design: SOLID adherence, architectural pattern adherence, correct file/folder placement, Rule of Three duplication via similarity pipeline, coupling/dependency direction, reuse of existing utilities
+  - Maintainability: codebase consistency (local patterns — error handling style, return type patterns, abstraction level — not linter rules), clear and accurate naming (non-descriptive AND inaccurate), comments explain why not what, doc correspondence for public interface changes (minor severity — only when specific existing doc artifact is stale)
+- When this story is complete, the checklist includes anti-shortcut distribution: noqa/type:ignore -> hygiene, skipped tests -> verification, tolerances/assertions -> correctness
+- When this story is complete, consolidation findings are severity=minor with orchestrator ticket creation
+- When this story is complete, the checklist includes ticket context instructions: use condensed summary (title + acceptance criteria) when available; do not block on missing ticket context
+- When this story is complete, build-review-agents.sh regenerates the standard reviewer agent successfully
+
+## Research Sources
+Google engineering practices, OWASP, test smell literature, 5 Claude Code review plugins (Anthropic official, Claude Command Suite, claude-code-skills, claude-code-showcase, wshobson commands)
+