lesavka/docs/quality-gate.md

# Lesavka quality gate

Lesavka follows the Atlas gate order, with one extra lane for media reliability because the product is latency-sensitive and hardware-facing.

Strict order:

1. `style/docs` via `scripts/ci/hygiene_gate.sh`
2. `LOC/naming` via `scripts/ci/hygiene_gate.sh`
3. `coverage` via `scripts/ci/quality_gate.sh`
4. `tests` via `scripts/ci/test_gate.sh`
5. `media_reliability` via `scripts/ci/media_reliability_gate.sh`
6. `gate_glue` via `scripts/ci/gate_glue_gate.sh`
7. `sonarqube` via `scripts/ci/sonarqube_gate.sh`
8. `supply_chain` and artifact security via `scripts/ci/supply_chain_gate.sh`

The Jenkinsfile runs those checks in that order. Gate artifacts are archived under `target/*-gate/` and release artifacts under `dist/`.

## Repository Hygiene

The hygiene gate fails if generated output is committed, `Cargo.lock` is missing from git, workspace members drift away from `common`, `client`, `server`, and `testing`, direct-run shell scripts are not executable, manual scripts are not marked manual, or new `LESAVKA_*` variables are missing from `docs/operational-env.md`.

Manual probes live under `scripts/manual/`. They are useful field tools, but they are not CI dependencies unless converted into deterministic tests.

## Media Reliability

`media_reliability` is not just a test alias. It protects the pieces that keep video moving without accumulating latency:

- bounded appsrc/appsink queues
- stale-frame dropping over latency buildup
- local monotonic sink timestamps
- IDR/keyframe recovery after drops
- HDMI/UVC sink construction
- preview telemetry for FPS, drops, queue depth, and inter-frame gaps

Real hardware evidence still matters. Put manual soak evidence in `target/media-reliability-gate/manual-soak.json` when validating Zoom/Teams/Slack-class consumers or the Theia HDMI -> UGREEN -> Tethys USB path.

## Supply Chain And Artifacts

`scripts/ci/supply_chain_gate.sh` always generates dependency metadata, a dependency tree, secret-scan evidence, and artifact checksums when `dist/*.tar.gz` exists. It runs `cargo-audit` and `cargo-deny` when those tools are installed. Set `LESAVKA_SUPPLY_CHAIN_ENFORCE_TOOLS=1` to hard-fail when either tool is unavailable.

`build-dist.sh` writes `dist/SHA256SUMS` and a provenance JSON file with version, branch, commit, build URL, toolchain, target, and timestamp.

## SonarQube

`scripts/ci/sonarqube_gate.sh` emits explicit `not_applicable` metrics when scanner configuration is absent. Set `LESAVKA_SONAR_ENFORCE=1` in CI once SonarQube credentials and `sonar-scanner` are installed to hard-fail missing or failed Sonar analysis.
ci: add lesavka hygiene gate and launcher crash guard 2026-04-23 01:13:29 -03:00			`# Lesavka quality gate`

			`Lesavka follows the Atlas gate order, with one extra lane for media reliability because the product is latency-sensitive and hardware-facing.`

			`Strict order:`

			1. `style/docs` via `scripts/ci/hygiene_gate.sh`
			2. `LOC/naming` via `scripts/ci/hygiene_gate.sh`
			3. `coverage` via `scripts/ci/quality_gate.sh`
			4. `tests` via `scripts/ci/test_gate.sh`
			5. `media_reliability` via `scripts/ci/media_reliability_gate.sh`
			6. `gate_glue` via `scripts/ci/gate_glue_gate.sh`
			7. `sonarqube` via `scripts/ci/sonarqube_gate.sh`
			8. `supply_chain` and artifact security via `scripts/ci/supply_chain_gate.sh`

			The Jenkinsfile runs those checks in that order. Gate artifacts are archived under `target/*-gate/` and release artifacts under `dist/`.

			`## Repository Hygiene`

			The hygiene gate fails if generated output is committed, `Cargo.lock` is missing from git, workspace members drift away from `common`, `client`, `server`, and `testing`, direct-run shell scripts are not executable, manual scripts are not marked manual, or new `LESAVKA_*` variables are missing from `docs/operational-env.md`.

			Manual probes live under `scripts/manual/`. They are useful field tools, but they are not CI dependencies unless converted into deterministic tests.

			`## Media Reliability`

			`media_reliability` is not just a test alias. It protects the pieces that keep video moving without accumulating latency:

			`- bounded appsrc/appsink queues`
			`- stale-frame dropping over latency buildup`
			`- local monotonic sink timestamps`
			`- IDR/keyframe recovery after drops`
			`- HDMI/UVC sink construction`
			`- preview telemetry for FPS, drops, queue depth, and inter-frame gaps`

			Real hardware evidence still matters. Put manual soak evidence in `target/media-reliability-gate/manual-soak.json` when validating Zoom/Teams/Slack-class consumers or the Theia HDMI -> UGREEN -> Tethys USB path.

			`## Supply Chain And Artifacts`

			`scripts/ci/supply_chain_gate.sh` always generates dependency metadata, a dependency tree, secret-scan evidence, and artifact checksums when `dist/*.tar.gz` exists. It runs `cargo-audit` and `cargo-deny` when those tools are installed. Set `LESAVKA_SUPPLY_CHAIN_ENFORCE_TOOLS=1` to hard-fail when either tool is unavailable.

			`build-dist.sh` writes `dist/SHA256SUMS` and a provenance JSON file with version, branch, commit, build URL, toolchain, target, and timestamp.

			`## SonarQube`

			`scripts/ci/sonarqube_gate.sh` emits explicit `not_applicable` metrics when scanner configuration is absent. Set `LESAVKA_SONAR_ENFORCE=1` in CI once SonarQube credentials and `sonar-scanner` are installed to hard-fail missing or failed Sonar analysis.