| name | execute |
| description | Primary pipeline execution step after /prd-to-issues or for clearly scoped implementation work. Use to build, verify, and commit a concrete slice, delegating to /tdd for backend work and behavior-heavy frontend logic when red-green-refactor will reduce risk. Not for shaping or pre-merge review. |
| sources | {"secondary":["The Checklist Manifesto — Atul Gawande","Extreme Programming Explained — Kent Beck","Continuous Delivery — Jez Humble & David Farley","The Twelve-Factor App — Adam Wiggins","Release It! — Michael Nygard","Growing Object-Oriented Software, Guided by Tests — Freeman & Pryce"]} |
Execute
Execute a complete unit of work: plan it, build it, verify the actual outcomes, commit it.
Invocation Position
This is a primary pipeline skill used after /prd-to-issues has produced a concrete slice, or when the user already has a clearly scoped implementation task.
Use /execute when the work is ready to build, verify, and commit.
Use HITL /execute when the slice still needs active user judgment, supervision, or acceptance decisions during implementation. Use AFK /execute only when the next slice is already durable in GitHub, unblocked, and legible from its issue, boundary map, and any linked research artifact (archive file or spike issue) or docs/solutions/ context.
See Step 0: Prerequisites below for the mandatory Ralph auto-detection and TDD marker gates.
Do not use it to replace /shape, /research, or /write-a-prd when the problem or shape is still unresolved. Do not use it as a substitute for /pre-merge once implementation is complete and ready for review.
Workflow
0. Prerequisites
Branch isolation gate. Before any implementation work, ensure you are working on a clean branch created for this specific task — not a leftover feature branch from previous work.
Isolation already provided — stand down (check this first, before the numbered rules). Some environments hand the session a dedicated, isolated worktree+branch before /execute runs — Conductor workspaces, GitHub Codespaces, devcontainers, and similar hosts each provision "one workspace = one branch, auto-forked from the base," with setup scripts already run. When that is the case the pipeline does not own provisioning: creating a worktree here would nest one inside the host's, and the host's branch (named for the workspace, not the task) is not "stale." Read the environment's signal and cede the worktree to whoever already owns it (Norman — read the world's signifier instead of carrying an in-head assumption that the pipeline always provisions; Meadows — one actor per stock, so the pipeline defers rather than adding a competing manager).
Resolve the provisioning mode from .claude/settings.json worktree.provisioning — "host" | "pipeline" | "auto", default "auto" when the key is absent (mirroring the existing research.storage precedent):
host — isolation is host-owned. Stand down unconditionally.
pipeline — the pipeline provisions. Skip this stand-down and run the numbered gate below.
auto (default) — stand down if either signal fires:
- a host environment variable is present —
[ -n "$CONDUCTOR_WORKSPACE_PATH" ], [ -n "$CODESPACES" ], or [ -n "$REMOTE_CONTAINERS" ]. This is the cheapest, primary discriminator: the pipeline's only detection mechanism is Bash, and these vars are visible in the agent's shell. (Do not detect via a .conductor directory in the cwd — Conductor keeps it under $CONDUCTOR_ROOT_PATH, not the workspace.)
- the current working tree is not the repo's primary working tree —
git rev-parse --show-toplevel differs from the first path in git worktree list --porcelain.
When standing down: skip worktree creation and EnterWorktree, and work in place on the current branch. The numbered rules below are already satisfied — in particular rule 3 does not apply (a host-provisioned branch is neither base nor task-named, but it is not stale; do not nest a worktree and do not stop). The host has already seeded git-ignored config and dependencies, so the "Worktree setup checklist" is informational only — spot-check .env.local/deps if a command fails, but do not re-provision. Continue to the issue-shape gate.
This stand-down is deliberately asymmetric with /closeout's teardown check. Inflow only needs to answer "am I already isolated?" — generic detection (toplevel ≠ primary) and the env-var hint each settle that. The outflow question — "who owns teardown?" — is stricter and cannot rely on the generic heuristic alone, because a pipeline-made worktree also satisfies toplevel ≠ primary; /closeout keys off the explicit setting or host env var only.
- Check the current branch:
git branch --show-current
- If the current branch is the base branch (e.g.,
main, prod, master), create a new feature branch for this task.
- If the current branch is a different feature branch (not the base branch and not a branch named for this task), you are on a stale branch from previous work. Do not commit new work here. Exception: if the current branch is a sibling slice branch named in this task's
Consumes from #N declaration, you are intentionally about to fork from it for a stacked-PR slice — proceed. Exception (host-provisioned): if the stand-down check above fired, this branch is the host's isolated workspace branch — it is not stale; work in place.
To create an isolated branch, use one of these approaches (in order of preference):
- Worktrunk (if
wt is available): wt switch --create <branch-name> — creates a new worktree + branch from the appropriate base and switches to it, giving full filesystem isolation. Use the /worktrunk skill for guidance.
- Plain git:
git checkout <base> && git checkout -b <branch-name> — creates a new branch from the appropriate base in the current working directory.
The appropriate base is the repo's own base branch by default — whatever the repo declares (git symbolic-ref refs/remotes/origin/HEAD). Do not assume main. For a slice with an unmerged Consumes from #N dependency that produces symbols this slice imports, branch from that sibling slice's branch instead so the stacked PR can target the sibling's PR (Hammant Trunk-Based Development Ch. 13: multiple PRs per story; the sibling's PR must still merge to the repo's base branch within 2 days).
Derive the branch name from the task: e.g., issue-5-landing-page, landing-page, or the issue slug. Do not reuse branch names from previous work.
Enter the worktree as a session (when you created a worktree). Creating the worktree is not the same as the session running inside it — wt switch --create resets the shell cwd back to the project root after each command, so without a further step the session stays anchored at the original checkout and the reported cwd lies about where work is happening. After creating the worktree, enter it with the harness EnterWorktree tool so the session's working directory genuinely is the worktree:
- Call
EnterWorktree { path: <absolute-worktree-path> }. The path must already appear in git worktree list for this repo (it will, because you just created it). This persistently switches the session into the worktree.
- Keep the creation step exactly as above —
wt switch --create / git worktree add runs the worktrunk pre-start hooks that seed .env.local and dependencies. EnterWorktree only switches the cwd; it does not run those hooks. Create first (to seed env/deps), then enter.
- This puts the knowledge in the world, not the head: the cwd tells the truth about where edits and commits land (a watching operator can see it), and there is no per-command
cd prefix to forget — eliminating the slip class where one un-prefixed command writes to the wrong tree.
- The Plain git option (
git checkout -b, no worktree) creates the branch in the current checkout — there is no worktree to enter, so skip EnterWorktree and work in place.
AFK / headless fallback. If EnterWorktree is unavailable (headless runs, AFK Ralph, cron), fall back to cwd-prefix discipline: the shell cwd resets to the project root after every Bash command, so prefix every Bash call in this session with cd <absolute-worktree-path> &&. Use this only when the harness tool is genuinely unavailable — it is the old workaround, retained for environments without the native mechanism.
This worktree's teardown is owned by /closeout at the pipeline tail — after the PR merges, /closeout re-anchors the shell to the base checkout, removes the worktree, and prunes the merged branch. /execute is the inflow side of the worktree lifecycle; /closeout is the outflow. Step 6 cleanup below removes only the .tdd-* markers — it deliberately does not remove the worktree.
After creating the worktree, set it up. A new worktree inherits tracked files but not git-ignored ones (.env.local, per-worktree deps, build caches). Two paths:
Preferred — configure once via worktrunk hooks (.config/wt.toml in the project):
[pre-start]
copy = "wt step copy-ignored"
install = "pnpm install"
pre-start hooks are blocking — the worktree is not reported ready until they finish. Use pre-start (not post-start) for both, because post-start runs in the background and subsequent commands that need .env.local or node_modules will race the hook. See /worktrunk for the full recipe. One-time per project.
Fallback — manual setup for plain git worktree add (no worktrunk):
cp <source-repo>/.env.local <worktree>/.env.local (and any other git-ignored config the project uses).
- Run the project's install command (
pnpm install, npm ci, pip install -r requirements.txt, etc.) from the worktree.
Worktree setup checklist (DO-CONFIRM — perform each step, then verify before proceeding). Applies regardless of how the worktree was created:
Issue-shape detection gate. If the task is a GitHub issue, verify it is a slice (implementation-ready), not an undecomposed PRD. Run gh issue view <n> --comments and check for a comment matching ^Decomposed into: #\d+.
- If such a comment exists: proceed. The PRD has been decomposed; the operator is presumably working on one of its child slices (and should have supplied that slice's number, not the PRD's).
- If no such comment exists AND the issue body contains shaped-pitch markers (sections named
Appetite, Rabbit Holes, No-gos, User Stories, or Implementation Decisions): halt. This is an undecomposed PRD. Invoke /prd-to-issues <this-issue-number> to produce implementation-ready slices, then restart /execute against one of the child slice issues.
- If multiple
Decomposed into: comments exist, read the most recent; /prd-to-issues is responsible for ensuring only one is authoritative.
Skip this gate for one-off tasks not tied to a GitHub issue.
Ralph auto-detection gate. Evaluate all three conditions:
If all three are true, invoke /setup-ralph-loop now. Do not proceed to Step 1 until Ralph setup is complete or the conditions are not met.
Pipeline hooks gate. If .claude/hooks/enforce-classification.sh does not exist in this project, invoke /init-pipeline now to scaffold enforcement hooks.
TDD classification gate. Step 3 requires classifying the work before writing any code. /tdd automatically creates .claude/.tdd-active via harness preprocessing when loaded (not LLM-dependent); visual frontend creates .claude/.tdd-skipped. A PreToolUse hook blocks all .ts file writes unless one of these markers exists. Step 6 removes both markers after commit.
Trivial-task exception. For single-commit cleanups unrelated to active feature work — typo fixes, dead code removal, comment-only changes, formatting-only changes, dependency version bumps without API surface changes — you may skip classification by creating .claude/.tdd-skipped directly. This exception applies only when all of the following are true:
- The task is not tied to an open GitHub issue, PRD, slice issue, or QA bug
- The task is not part of an active feature branch created for multi-slice work
- The change is expected to be a single commit (not a sequence of logical units)
- The change does not touch behavior — no new conditionals, no new state, no new exported symbols, no schema or migration changes
If any of these is false, go through the normal classification gate. When in doubt, use the gate — the cost of one extra /tdd invocation is lower than the cost of an unverified behavior change slipping through as "trivial."
Assumptions validation gate. If the task is a GitHub issue with an "Assumptions from Parent PRD" section, spend 60 seconds checking each listed assumption against current reality before proceeding. For each:
- Is the external service still available at the expected API and pricing tier?
- Does the parent PRD's approach still hold given what you now know?
- Are the packages this slice depends on still at compatible versions and entrypoints? A subpath swap (e.g.
pkg → pkg/http, or any pkg/<sub> → pkg/<other-sub>) for a multi-runtime package is a runtime-affecting change disguised as a type-only diff — treat it as an assumption shift, not a free-pass type-equivalent edit.
If all assumptions still hold, proceed to Step 1. If any assumption has changed, stop and flag it to the user — this slice needs a targeted /research + mini-PRD cycle before execution, not a patch during implementation. Do not proceed with stale assumptions and attempt to work around them mid-execution.
Skip this gate entirely for one-off tasks without an "Assumptions from Parent PRD" section.
Un-discharged feasibility check (advisory). If the task's research artifact (archive file or spike issue) still carries Uncertain or Speculative assumptions whose verdicts are cheaply settled by 10 lines of throwaway code — does the library actually expose this, does the streaming path emit partial tags, does this format render where we need it — surface them now and suggest /prototype FEASIBILITY before main implementation. This is advisory, not blocking (per XP's slack principle); the user may have a reason to proceed and discover the answer mid-implementation. But the cost asymmetry is real (XP's Defect Cost Increase): a spike at this moment costs minutes, while the same assumption discovered mid-implementation costs hours of pivot. State the un-discharged assumptions explicitly and let the user decide. Skip this check for one-off tasks without a research artifact or when every assumption is already tagged Verified / Refuted.
Consumes verification gate. Only for issue-based slice work. If the task comes from a GitHub issue created by /prd-to-issues, and its ## Boundary Map / ### Consumes section references an already-closed upstream slice, spend 60 seconds verifying each listed symbol exists at the declared path in the current tree. This catches upstream boundary-map drift before implementation starts.
For each Consumes entry:
- If it names a file path — check the file exists.
- If it names a function, type, or exported symbol — grep for the export.
- If it names a shape (e.g. "Effect Layer", "Zod schema", "React component", "Context provider") — confirm the shape matches, not just the name. A pure helper function does not satisfy a claim of "Effect Layer." A plain object does not satisfy a claim of "Zod schema."
- If the Consumes entry names a typed symbol from a sibling slice (per
/prd-to-issues Boundary Map guidance), confirm the consumer code derives its input type from the producer via import type (or the language's equivalent) rather than re-declaring the shape. A local re-declaration that happens to match the producer is a DRY violation that will silently drift when the producer evolves; the typed import is the structural fix that makes that drift class impossible.
If any Consumes symbol is missing or wrong-shaped, stop. The upstream boundary map is stale. Choose one of:
- Expand scope in this slice to fill the gap. Note the expansion in the first commit's message, in the PR description, and file a post-hoc correction comment on the upstream closed issue so future slices don't trust the stale claim.
- Backtrack via
/correct-course to update the upstream boundary map and reshape the affected slices.
- File a new slice for the missing work and block this one on it.
Do not silently absorb the gap — leave a breadcrumb for the next slice.
Skip this gate for one-off tasks, sibling slices still being planned, or issues without upstream Consumes entries.
This gate is scoped to intra-repo symbols (paths, exports, shapes). The mirror check for externally-resolvable declarations — package names, public API symbols, and pinned versions against the research snapshot — runs at /pre-merge Dimension 4 under "Spec-reality check." Step 0 sees the registry at slice-start; /pre-merge sees it at merge time. Both windows are intentional; do not widen this gate to duplicate the review-time check.
1. Understand the Task
Read any referenced plan, PRD, or GitHub issue. Explore the codebase to understand the relevant files, patterns, and conventions. If the task is ambiguous, ask the user to clarify scope before proceeding.
Read the issue comment thread (issue-based work only). When the task is a GitHub issue, read its comment thread before implementing — do not stop at the body. Step 0's issue-shape detection gate already ran gh issue view <n> --comments, so the thread is in context; reuse it rather than re-fetching. The comments are where the pipeline's continuation state lives: prior-iteration handoff notes (what was done, what remains, the exact error output a previous context window hit), plateau-stop notes naming what did not advance, post-hoc correction comments filed against this issue when an upstream boundary map drifted, and explicit human scope changes added after the issue was authored. In AFK Ralph loops this is load-bearing — iteration N+1 is designed to continue from what iteration N wrote into the thread, so skipping it re-derives or repeats work the previous iteration already explained.
Precedence rule. The issue body remains the durable contract. Comments augment it; they do not silently override it. A comment is an authoritative addition only when it is (a) a pipeline-authored continuation or correction comment, or (b) an explicit human scope change. Freeform discussion is context, never an override. If a comment appears to contradict the body on scope, and it is not a clear pipeline-authored correction or human scope change, flag the conflict to the user rather than acting on the comment.
Skip this read for one-off tasks not tied to a GitHub issue (the same scope guard Step 0 uses).
Read the research artifact for this feature. The PRD's "Research Reference" section names where it lives — one of two locations depending on the project's research.storage mode:
-
Spike-issue mode — the PRD references a closed research-labeled GitHub issue (Refs #<spike-issue-number>). Read it with:
gh issue view <spike-issue-number>
This works on any machine — fresh clones, CI sandboxes, recovered laptops, or contributor environments.
-
Archive mode (default) — the PRD references ~/.claude/research/<repo-slug>/<feature-slug>-<YYYY-MM-DD>.md. Read the file directly. If you are running on a machine other than the one that produced the research, the file will not exist; flag this to the user and either re-run /research or proceed with explicit acknowledgment of the missing context.
Some legacy PRDs may still reference research.md in the repo root or plans/ — read it if present. Whatever the location, the research artifact contains cached technical research that should inform your approach. Do not re-research what has already been decided.
Consult docs/solutions/ for relevant past solutions before starting implementation:
grep -rl "relevant-keyword" docs/solutions/ 2>/dev/null
If past solutions exist for this problem domain, incorporate their lessons and avoid their documented pitfalls.
Artifact precedence: When the research artifact and docs/solutions/ give conflicting guidance, follow the research artifact — it was verified against the current installed versions. Storage location does not affect trust: a spike issue and an archive entry carry equivalent authority. If the conflict is significant enough that you are uncertain, flag it to the user before proceeding. Load docs/solutions/ selectively: grep for relevant keywords first, then read only matching files.
2. Plan the Implementation (optional)
If the task has not already been planned, create a plan for it. If the GitHub issue includes boundary maps (Produces/Consumes sections), use them to understand the interfaces you need to implement or code against.
Stack-Specific References
Before implementing, check the project's stack and load relevant best practices.
- Next.js / React projects: If
package.json includes next or react, load these skills before writing code:
/vercel-react-best-practices — performance optimization and React Server Component guidance
/vercel-composition-patterns — component composition patterns that scale without prop sprawl
/next-best-practices — file conventions, data patterns, metadata, and error handling
/next-cache-components — cache components, use cache, cacheLife, and cacheTag
3. Implement
STOP — classify before writing any code:
A PreToolUse hook blocks all .ts file writes unless one of these markers exists. Do not write implementation code until you have classified the work.
If /tdd is not available, follow this minimum discipline:
- Write a single failing test for the smallest vertical slice of behavior
- Run the test — confirm it fails (red)
- Write the minimum code to make it pass (green)
- Repeat from step 1 for the next slice of behavior
- Refactor if needed while keeping tests green
Do not write all tests upfront — write one, make it pass, then move to the next.
[TypeScript projects] Library callback returns. When a logical unit implements a callback the library asks the application to provide (agent hooks, middleware, proxy, tool handlers, render props, lifecycle methods), anchor the returned value to the library's declared return type with satisfies LibraryReturnType, a fresh object literal, or a derived type (ReturnType<typeof …>). Never return a typed local variable — TypeScript's excess-property check does not run on returns of typed values, so fields the library's signature does not declare are silently dropped at runtime. See /tdd Refactor step for the full rationale; if the research artifact (archive file or spike issue) carries a Library Callback Contracts snapshot (/research Phase 1.25), use its accepted-fields list as the pinned source.
Commit after each logical unit
Do not accumulate all changes into one commit. Commit after each self-contained unit of progress. A logical unit is the smallest change that leaves the codebase in a working state — typecheck passes, tests pass, nothing is half-wired. Examples:
- One red-green-refactor TDD cycle (test + implementation for one behavior)
- A new module, type, or schema with its tests
- A wiring change (route registration, dependency injection, config)
- A refactor that improves structure without changing behavior
- A migration or seed file
- A cross-file type or interface refactor whose intermediate per-file steps would leave typecheck broken — the whole ripple is one logical unit
After completing each logical unit:
- Run
pnpm run typecheck and pnpm run test (or the project's equivalent). Fix any failures before committing.
- Stage only the files for that unit — do not stage unrelated changes.
- Commit with a message that says what this unit accomplished, not "WIP" or "progress".
If a unit touches both a test and its implementation, they belong in the same commit. If a refactor was triggered by the unit but is conceptually separate, commit the refactor separately.
4. Verify
"All steps done" is NOT verification. Check the actual outcomes.
By this point, each logical unit has already been committed with passing typecheck and tests. Step 4 is the full-slice verification pass — confirming the whole feature works end-to-end, not just that individual units pass.
Run the full feedback loops one final time:
pnpm run typecheck
pnpm run test
Fix any issues. If fixes are needed, commit them as a separate commit (e.g., "fix integration between X and Y").
Then apply the verification ladder — use the strongest tier you can reach:
Tier 1: Static Verification
- Files that should exist actually exist
- Exports are present (not just declared but actually exported)
- Imports between modules are wired correctly (not importing from a path that doesn't resolve)
- Implementation is substantive (not stubs, not console.log placeholders, not TODO comments where real code should be)
Deletion Completeness (only when the slice body contains a ### Deletes section). For each deleted module, enumerate its external consumer surfaces — the symbolic names callers were taught to emit for it to consume, beyond its exports. Typical surfaces:
- DOM data-attributes the module read (
data-*)
- CSS class names and selectors the module applied or queried
- Global or custom event names (
addEventListener('foo-bar'), dispatchEvent(new CustomEvent('foo-bar')))
window, localStorage, or sessionStorage keys
- Route names, config keys, or feature-flag names the module owned
Infer surfaces from the module body as it existed before deletion (git show, or the Deletes bullet's accompanying notes). Grep the merged tree for each surface across every source-text file type the project uses — templates, source code, styles, config, docs. Do not restrict to a fixed extension list; the relevant surfaces depend on the stack (.py/.rb/.go/.rs for imports, .vue/.svelte/.astro/.tsx for templates, .css/.scss/.sass/.less/.styl for styles, .yml/.toml/.json for config, .md/.mdx for docs that ship). Zero matches required to pass. Non-zero matches: restore the module, migrate the consumers, or declare them as intentionally inert and track the cleanup as a follow-up slice. Imports alone are the narrowest possible definition of "consumer"; the surface may be wider.
Upstream shape sweep. After the consumer-surface sweep above, list each export touched on a shared module in this slice (context fields, builder return-type fields, interface or type members, schema fields, exported map or record entries). For each such export, grep the post-delete tree for non-self-reference reads. Zero matches required to pass. Non-zero matches: confirm the readers are live and intentional. Zero matches: drop the export in the same PR — the migration window closes the moment the legacy consumer is deleted, and a retained-but-unread export widens the import contract so a future cleanup becomes a breaking change rather than a silent removal. Dead-export linters (knip, ts-prune, TypeScript noUnusedLocals) cover many shapes of this but not exported context, interface, or schema fields — those are read by the type itself and look live to the tool, so the targeted post-delete grep is doing work the linter cannot.
Tier 2: Command Verification
- Tests pass (not just "no test failures" — confirm tests actually exist and ran)
- Test wall-clock duration didn't unexpectedly jump. A sudden multi-second increase in a previously fast test, especially after adding retry, sleep, backoff, or interval code, signals a real-time primitive was introduced without being injected. See
/tdd § Timing-coupled primitives. Fix via injection, not testTimeout bumps.
- Build succeeds
- Lint is clean
- Any CLI commands the feature exposes actually work when invoked
Tier 2.5: Runtime Startup Verification
Mandatory when the slice touches schema, migrations, environment config, server initialization, or new routes. Skip only for pure-logic changes to existing modules where nothing about app startup changed.
- Database is ready: run pending migrations or
db:push — do not assume the dev database has the latest schema just because tests passed (tests often use in-memory databases that run their own migrations)
- Dev server starts from cold without errors:
pnpm run dev (or equivalent) boots and responds, not just builds
- The new or changed routes load without 500 errors:
curl -s -o /dev/null -w '%{http_code}' http://localhost:<port>/ returns 200
- Required environment variables are present and valid (check
.env.local or equivalent)
- No unhandled errors in the server console output during startup
If you cannot start the dev server (e.g., missing external services), note which checks you skipped and why in the Step 5 checklist so the user can verify them.
Tier 2.6: Non-Dry Path Sanity Check (CLI + orchestration slices only)
Mandatory when the slice ships a CLI, scheduled job, cron worker, or orchestration entrypoint that has a dry-run or preview mode.
Dry-run success does not imply real-run success. A dry-run can short-circuit before storage or side-effects and hide placeholder functions wired into the production path.
For each function wired as a default in the production code path (layer construction, DI container, config object, CLI flag handler), check:
- Is the function named, documented, or commented as a placeholder, stub, TODO, or follow-up?
- If yes, is it either (a) guarded by a fail-fast check that throws in non-dry mode, or (b) bound only to the dry-run code path?
If any placeholder is wired as the default for a non-dry path without a fail-fast guard, flag it now. Options:
- Add a runtime guard:
if (!process.env.ALLOW_PLACEHOLDER) throw new Error(...) or equivalent
- Bind the stub only when
dryRun === true and require a real implementation for the non-dry path
- Gate the slice on the real implementation (larger scope but eliminates the silent-degradation window entirely)
This is a silent-degradation check: if an operator ran this without --dry-run, would the output be real, or would placeholder data flow through the production path?
Tier 2.7: Production-Runtime Parity (deploy-runtime ≠ test-runtime slices only)
Conditional — never universal. This rung fires only when at least one of the following holds, and is skipped entirely otherwise. A slice whose tests run in the same runtime it deploys to (most Node-to-Node and Node-to-Vercel work) never sees it.
- The slice's deploy runtime differs from its test runtime — e.g. workerd vs miniflare/Node, a real browser vs jsdom, an edge/Lambda runtime vs the local dev server.
- The slice ships published or static assets whose paths resolve at deploy time — absolute-path
<link>/<script>/<img> references, a publish/copy step, a CDN or worker public root.
- The platform imposes a limit the test runtime does not enforce — crypto iteration caps, request/response size, CPU/time budgets, bundle size, or APIs present in the test runtime but absent in production.
Why this rung exists — and why it is a feedback loop, not an inspection layer. Green tests certify behavior in the environment the tests model, not the one the code deploys to. When the test runtime is more permissive than the deploy runtime, or a seam is mocked away from the real artifact, "tests pass" is not evidence of "works in production." This is the dev/prod parity gap (Twelve-Factor Factor X: keep the dev↔prod gap small along the tools dimension) and the missing automated feedback loop that Continuous Delivery closes with a smoke test against a production-like environment. The job here is not to add ceremony — it is to make the manual "someone ran the deployed thing and it worked" step structural, so the safety net is the pipeline rather than a person's diligence.
Run it against the real artifact, not the test build:
- Build and run the released artifact in (or against) the runtime it deploys to —
wrangler dev / the platform's emulator that uses the production runtime, a preview deploy, or the production build served the way it will actually be served — not just pnpm run dev.
- Exercise end-to-end the path the failing seam lives on: submit the login, load the published page in a browser and confirm its linked sub-resources (
/_astro/*, /assets/*, fonts, favicon) each return 200, invoke the platform API the test mocked. A 200 on the HTML is not enough if its sub-resources 404.
- If a test passed only because the test runtime is more permissive than production (a limit not enforced, an API present that production lacks), treat that as a blind test, not a green one — pin the production limit in the assertion and re-verify against the real runtime.
The deeper fix usually lives upstream in /tdd: a seam that had to be mocked to stay green (a platform crypto API, the filesystem, the deploy copy) is exactly the seam GOOS says you should not mock — wrap external types you don't own in a thin adapter and integration-test the adapter. This rung catches the parity gap; owned adapters plus a faithful test runtime keep it from recurring.
Review-cadence note. Added on convergent grounds (Continuous Delivery's smoke-against-production-like-environment, Twelve-Factor Factor X, Release It! "Design for Deployment", the GOOS walking skeleton) plus one triggering incident (mimir audit-publish slices #8/#9, 2026-06-25 — both green under the test suite, both broke only in the workerd/deployed runtime). If after a reasonable sample of slices this rung fires <10% of the time on diffs that had no other issue, demote it to advisory or remove it rather than leave it as ceremony.
Tier 3: Behavioral Verification
- API endpoints return the expected responses (use curl or httpie to verify)
- Browser flows work end-to-end (if applicable and you can verify)
- Data flows correctly from input to storage to output
Tier 4: Human Verification
- Ask the user only when you genuinely cannot verify yourself
- Be specific about what you need them to check: "Can you verify that the presence indicator shows your name when you open lesson 3 in a second browser tab?"
- Never use human verification as a substitute for Tiers 1-3
If verification reveals gaps, fix them and commit the fix as its own commit. Do not amend a prior commit — the history should show what was built and what was corrected.
Bug-Fix Verification (when the task is a fix, not a feature)
If this unit of work is fixing a bug, apply these additional checks before committing:
- Classify the fix: Is this a correction (removes the defect — the code error that caused the problem) or a workaround (suppresses the failure while the defect remains)? If a workaround is the pragmatic choice, note it in the commit message and leave the issue open or create a follow-up for the correction.
- Structural sibling search: Search the codebase for the same pattern that caused the defect. If found in other locations, fix all instances or file issues for them. A defect fixed in one location but present in three others is 75% unfixed.
- Two-condition confirmation: Confirm both that (a) the corrupted state is no longer produced, AND (b) the original failure no longer occurs. If only the failure is suppressed but the underlying state is still wrong, the fix is a workaround, not a correction.
5. Manual Verification Checklist
Before handing off to /pre-merge, present the user with a verification checklist so they can confirm the work is ready.
Preparation: Summarize what was built — list the commits made and key files changed. If the task originated from a GitHub issue with acceptance criteria, pull those criteria into the checklist so the user doesn't have to cross-reference.
Present the checklist:
Behavior Review
Code Quality
Acceptance Criteria
If the task originated from a GitHub issue or PRD with acceptance criteria, read them and generate a concrete verification step for each one. Each step should tell the user exactly what to do and what to expect — not just restate the criterion.
If the slice issue has a User Stories Addressed section referencing the parent PRD, read the parent PRD user stories the slice claims to cover. Derived matrix entries (from /prd-to-issues Step 5) surface here as verification targets — each mapped commitment needs a concrete step the user can check. Unmapped commitments from the slice are not in scope for this checklist; they belong to other slices or to the post-merge /pre-merge reconciliation.
Example — if the AC says "user can reset their password via email":
After the generated steps, always include:
Write verified status back to the issue (forcing function). The slice issue's ## Acceptance Criteria checklist — authored by /prd-to-issues — is the durable contract for "what must be true before this slice merges." Each time a criterion is confirmed verified (by your Step 4 verification or the user's confirmation here), persist that tick to the issue so the tracker reflects reality without anyone reading the chat log. This is not a separate "remember to do it" step: it rides on the verification you already performed, so there is no new judgment to make.
Edit safely — toggle only the checkbox lines you actually verified, and never regenerate the body. gh issue edit --body* replaces the entire body, so read the current body, flip just the confirmed - [ ] lines to - [x], and write it back via --body-file:
BODY_FILE=$(mktemp)
gh issue view <slice-issue-number> --json body -q .body > "$BODY_FILE"
gh issue edit <slice-issue-number> --body-file "$BODY_FILE"
rm -f "$BODY_FILE"
Do not flip a box you did not actually verify, and do not touch lines outside the criteria you confirmed — a careless edit can corrupt issue content. /execute is the single writer for these boxes; /pre-merge reads them but never writes, so there is no second editor to contradict this one.
Ready for PR Review
Wait for the user to review and confirm. If they flag items that need fixing, address them, commit the fixes, and re-present the checklist. Only proceed to Step 6 after user confirmation.
Optional comprehension pass before review. If the person who will merge this branch did not author it, or wants to internalize it commit-by-commit before approving, /walk-commits is an option before /pre-merge — an interactive per-commit walkthrough (intent, riskiest line, deliberate oddities, what's absent by design, per-commit sign-off). It is optional and never auto-invoked; name it as a choice, do not run it automatically.
How the "Ready for PR Review" item drives the handoff: If the user confirms this final item, Step 6 runs cleanup and then automatically invokes /pre-merge with the PRD issue number (if the task originated from one). If the user confirms the behavior, code quality, and acceptance criteria items but answers "no" to the PR review item — because they want to batch with more work, are waiting on external input, or plan to sit on the branch — Step 6 runs cleanup and /execute exits cleanly. The user invokes /pre-merge manually when ready.
6. Cleanup and Handoff
All commits should already be done by this point. This step handles post-implementation cleanup and the transition to /pre-merge. It removes only the classification markers — it deliberately does not tear down the worktree or branch. That is /closeout's job at the pipeline tail, after the PR merges; removing the worktree here would destroy the branch before it is reviewed and merged.
Remove the classification markers:
rm -f "$CLAUDE_PROJECT_DIR/.claude/.tdd-active" "$CLAUDE_PROJECT_DIR/.claude/.tdd-skipped"
AFK runs persist verified AC too. AFK Ralph iterations skip the Step 5 user checklist, so the writeback that rides on it never fires. Before an AFK iteration exits, persist any acceptance criterion verified during Step 4 back to the slice issue using the same gh issue edit --body-file toggle described in Step 5 (read body, flip only confirmed - [ ] lines, write back). AFK is the mode that most needs at-a-glance legibility — leaving its issues fully unchecked despite verified work is exactly the gap this closes.
Auto-invoke /pre-merge. If Step 5 ran and the user confirmed the "Ready for PR Review" item, invoke /pre-merge now. If the task originated from a PRD issue, pass the issue number so /pre-merge can gather slice lineage and verify boundary map contracts without asking the user for it again. If the user answered "no" to the PR review item, or Step 5 was skipped entirely (AFK Ralph iterations, trivial-task flows that never reached a user checklist), /execute exits here and the user invokes /pre-merge manually when ready.
Next-step menu at the manual exits. When /execute stops without auto-invoking /pre-merge — the user answered "no" to the PR-review item, or is batching more work — do not drop to a bare text box. Offer the next step as a single AskUserQuestion (see references/next-step-menu.md) with the recommended step first: → /pre-merge now (recommended), Batch more work / exit, /walk-commits first. Beyond the pipeline successor, include 1–3 follow-ups drawn from this run — e.g. "verify acceptance criterion N in the running app," "show the diff for the riskiest change" — mirroring /walk-commits's commit-specific deep-dives. The platform's free-text "Other" option is the escape hatch — don't add one. This menu does not apply when Step 5 already confirmed PR review (auto-invoke handles that) or on AFK Ralph iterations (no user to ask).
Print the runtime handoff line. Whether /pre-merge is auto-invoked or the user is exiting to invoke it manually later, print the line so a fresh session can open by copy-paste:
**Next session:** /pre-merge
**Input:** the verified commits on branch <branch-name>
Substitute <branch-name> with the actual branch the commits live on (git branch --show-current).
If you cannot complete the task in this context window, leave a comment on the GitHub issue with:
- What was done
- What remains
- Any gotchas or tricky parts for the next iteration
- If the failure was caused by an error (build failure, test failure, unexpected API behavior), include the exact error output — the next iteration benefits from the real error, not a summary
If the error suggests the approach from the research artifact or the PRD is wrong, say so in the comment — this is a signal to backtrack, not to keep retrying the same approach.
AFK progress and plateau detection. When running under Ralph, progress is epistemic state advancement, not activity. An iteration counts as progress only if at least one of these transitions from unresolved to resolved:
- an unmet acceptance criterion on the active slice
- a failing check (typecheck, test, or verification gate) becoming a passing check
- a named unknown or rabbit hole from the research artifact or the PRD being closed
Code churn without such a transition is a stationary dot. Red flags: the same slice staying active across multiple iterations, tests still failing but "in different ways," recurring error classes with superficial code rewrites, no acceptance checkbox or gate advancing.
Plateau stop rule. If two consecutive iterations on the same slice produce stationary dots, stop and leave an issue comment (same shape as the repeated-failure comment above) naming what did not advance. Do not start a third iteration. Hysteresis: a single recovering iteration — at least one of the transitions above — resets the stationary counter. This rule complements the existing repeated-failure rule; it is not a replacement.
This applies to AFK Ralph iterations only. HITL /execute runs are paced by user judgment and do not need the heuristic.
Handoff
- Expected input: a concrete task, issue, or slice with enough scope clarity to implement safely, plus durable upstream artifacts if this is being run AFK
- Produces: verified code changes as compartmentalized commits (one per logical unit), and implementation context for the next reviewer or iteration
- May invoke:
/tdd for backend work and behavior-heavy frontend logic, plus stack-specific reference skills when the project stack warrants them
- Auto-invokes:
/init-pipeline when enforcement hooks are missing, /setup-ralph-loop when the task comes from a multi-slice GitHub issue and no Ralph scripts exist in the repo, and /pre-merge at the end of Step 6 when Step 5 ran and the user confirmed the "Ready for PR Review" checklist item
- Comes next by default:
/pre-merge — auto-invoked after Step 5 user confirmation in HITL mode; user invokes it manually after AFK Ralph iterations or when they answered "no" to the PR review item