qa-gateslisted

# QA Gates — the multi-lens quality model Quality is gated, not assumed. No feature closes and nothing ships without the lenses confirming. Evidence-based only: a lens "passes" when it has actually run and verified, never on assertion (#8). Each lens fixes what it finds (or files it precisely) before declaring pass. ## Fits in the pipeline - **Stage 7** (`/feature-check`) — runs before closing EACH feature. - **Stage 8** (`/ship-check`) — final pass + UAT + smoke before shipping to end users. ## Stage 7 — per-feature gate (QA lenses + UX + performance, IN PARALLEL) Before a feature is marked done, dispatch these agents **in parallel**; all must pass: 1. **`security-engineer`** — OWASP + cyber best practices: authz at boundaries, input validation/ output encoding, secrets handling, dependency/SCA scan, no injection sinks. (See `secure-coding`.) 2. **`code-quality-reviewer`** — refactor/simplify where warranted: anti-overeagerness, dead code, duplication, readability, surgical-change discipline. Simpler-where-simpler-is-correct. 3. **`adversarial-tester`** — flaw-finding: attack the feature, hunt edge cases, boundary conditions, race conditions, malformed input; find and fix defects. 4. **`qa-engineer`** — functional QA from frontend, backend, USER, and code perspectives. Verifies it works as intended AND runs the **consistency / no-orphans check** — using **graphify, NOT grep**, for every call-site/dependency/orphan/impact question (`G="$(cat .graphify-path