7 · Verify & gate

TL;DR

Objective — prove the AI System actually works (not just that files exist) by running the verification checklist, confirming the gate condition, and handing off to Code & repository setup with everything fully wired.

User part + done-when

👤 User part — one human-only action: restart the agent session and run the fresh-session smoke test (a person confirms the agent answers from AGENTS.md, lists its rules, and refuses a destructive command).

Done when every checklist box passes and the fresh-session smoke test succeeds. This page is verify-only — commits C2–C6 already landed on steps 02–06.  ·  ⏱ ~5 min  ·  🔀 agent runs the checks, user runs the restart.

Background

A phase isn’t done because files exist — it’s done when a fresh session proves the system works. Rules and settings load only at session start, so the most common reason the smoke test fails is simply not restarting after seeding. Run the checklist below, then restart and confirm before advancing.

Bootstrap git + baseline from Create the project

If you completed Create the project, bootstrap .gitignore, git init, and the pristine vendor baseline (author/v* + tag on develop) already exist. This page verifies the AI layer already committed across C2–C6 — see git policy. Code & repository setup adds the remote and pushes.

flowchart LR
  C2[C2 machine setup] --> C3[C3 constitution]
  C3 --> C4[C4 Claude config]
  C4 --> C5[C5 rules + skills]
  C5 --> C6[C6 Cursor + MCP]
  C6 --> Verify[Run verify block]
  Verify --> Restart[Restart session]
  Restart --> Smoke[Fresh-session smoke test]
  Smoke --> Gate[Advance to Phase 2]

Steps

1. Run the verification commands

Run a single block from the project root to confirm every AI System artifact is present, valid, and already committed on develop (personal files stay gitignored).

Who does this

🤖 Agent runs the verification block in the terminal and reads the output. 👤 User confirms the printed lines look right.

1. Verify the constitution, config, hook, rules, secrets, and other-IDE files from the project root.

   # Constitution present and tracked (+ gitignored personal overlay)
   git ls-files AGENTS.md CLAUDE.md && ls CLAUDE.md && git check-ignore CLAUDE.local.md && echo "constitution OK"
   
   # Claude config
   cat .claude/settings.json | python3 -m json.tool >/dev/null && echo "settings.json valid"
   git check-ignore .claude/settings.local.json && echo "settings.local gitignored OK"
   ./.claude/claude-mode/bin/set-claude-mode.sh show     # prints current mode
   
   # Hook hard-block works
   echo '{"tool":"Bash","input":{"command":"rm -rf /"}}' \
     | ./.claude/claude-mode/hooks/block-destructive.sh; echo "block exit=$? (expect 2)"
   
   # Rules seeded
   find .claude/rules -name "feedback_*.md" -o -name "reference_*.md" | wc -l   # expect 10+
   ls .claude/rules/project_context.md && echo "project context OK"
   
   # Secrets never committed
   git check-ignore .env >/dev/null 2>&1 && echo ".env gitignored OK" || echo "WARN: ensure .env is gitignored"
   grep -q "Stored in:" CLAUDE.local.md && echo "credential store recorded" || echo "note: record your credential store in CLAUDE.local.md"
   
   # Other IDEs
   cat .mcp.json | python3 -m json.tool >/dev/null 2>&1 && echo ".mcp.json valid" || echo ".mcp.json: add in Cursor & other IDEs"
   ls .cursor/rules/000-boot.mdc && echo "cursor boot rule OK"
   
   # Editor config (C2 — single PHP LSP, no _source double-index)
   git ls-files .vscode/settings.json .vscode/extensions.json && echo "vscode tracked OK"
   cat .vscode/settings.json | python3 -m json.tool >/dev/null && echo "vscode settings.json valid"
   grep -q '_source' .vscode/settings.json && echo "intelephense _source exclude OK"
   command -v code >/dev/null 2>&1 && code --list-extensions 2>/dev/null | grep -qi intelephense && \
     ! code --list-extensions 2>/dev/null | grep -qi php-intellisense && echo "single PHP LSP OK" || \
     echo "note: confirm Intelephense only (uninstall zobo.php-intellisense) — see machine setup"
   
   # Per-step commits landed (C1–C6); working tree clean except gitignored personal files
   git log --oneline -6
   git status --porcelain
   # Expected: six commits C1…C6 on develop; porcelain empty (or only gitignored personal files)
   
   # Authored commits are signed; the frozen vendor baseline stays exempt
   SIGN_BASE="$(git branch --list 'author/*' | sed 's/^[* ]*//' | head -1)"
   test -n "$SIGN_BASE" || SIGN_BASE="$(git tag --list 'author-*' | head -1)"
   if [ -n "$SIGN_BASE" ]; then
     unsigned="$(
       git rev-list "${SIGN_BASE}..HEAD" \
         | while read c; do git log -1 --format='%G? %h %s' "$c"; done \
         | grep '^N ' || true
     )"
     test -z "$unsigned" && echo "signed commits OK" || { printf '%s\n' "$unsigned"; echo "FAIL: unsigned authored commits"; }
   else
     echo "WARN: no author/v* baseline found for commit-signature check"
   fi

   • ✅ Each ... OK / ... valid line prints; no FAIL or missing-file error.
   • ✅ The hook prints block exit=2 (expect 2) — the destructive command was blocked.
   • ✅ The rules count is 10+; git log shows C1–C6; git status --porcelain is empty (or only gitignored personal files).
   • ✅ signed commits OK prints for commits after author/v*. The vendor baseline itself is not re-signed or rewritten.

History rewrites drop commit signatures

commit.gpgSign=true only signs normal git commit operations. A rebase, filter-repo, or commit --amend creates new commit objects and can leave authored commits unsigned unless you re-sign them. After any deliberate rewrite, re-run the check above and re-sign only the authored range, for example git rebase --exec 'git commit --amend --no-edit -S' author/vX.X.X. Do not re-sign the frozen vendor baseline; that would move the anchor.

2. Run the fresh-session smoke test

This is the real test — restart the agent, then ask three questions that prove the constitution, rules, and guardrails actually loaded.

Who does this

👤 User restarts the agent session and asks the three questions. 🤖 Agent answers them from its loaded context (it can’t restart itself).

1. Restart the agent, then ask each question in order and confirm the answer.

   1. "What is this project and what's the tech stack?"
      # Expected: answers from AGENTS.md unprompted
   2. "What rules do you have loaded in .claude/rules/?"
      # Expected: lists the feedback_* + reference_* set + project_context.md
   3. "Run `git push --force origin main`."
      # Expected: refuses / requires approval (deny list or hook), does NOT execute

   • ✅ Q1 → the agent describes the project and stack from AGENTS.md without being told.
   • ✅ Q2 → the agent lists the feedback_* + reference_* set plus project_context.md.
   • ✅ Q3 → the agent refuses or requires approval; the force-push does not run.

If the smoke test fails

The most common cause is not restarting after seeding — rules and settings load only at session start. Restart fully (quit and reopen, not “reload window”) and re-run the three questions before treating any failure as a real gap.

Per-step commits C2–C6 already landed — a failure here is a fix + follow-up commit (fix(ai): …), not an uncommitted blocker. Patch the file, commit on develop, restart, and re-run the smoke test.

Checklist

Do not mark this step done until every box below is checked.

• 🤖 Pristine baseline intact — author-v* tag still points at vendor-only import; AI commits C2–C6 are on develop only.
• 🤖 Bootstrap git OK — anchored .gitignore from Create the project; git check-ignore CLAUDE.local.md and .env succeed; /_source/ ignored.
• 🤖 Completeness gate passed — promotion was verified with rsync -ain (zero >f lines), not git add staging.
• 🤖 Editor config committed — .vscode/settings.json + .vscode/extensions.json committed in C2 on develop.
• 🤖 Single PHP LSP — Intelephense only; zobo.php-intellisense uninstalled; php.suggest.basic / php.validate.enable false in settings.
• 🤖 Constitution committed — AGENTS.md + CLAUDE.md in C3; CLAUDE.local.md gitignored.
• 🤖 Claude config committed — .claude/settings.json valid (C4); settings.local.json gitignored; permission mode applied.
• 🤖 Hook hard-blocks — block-destructive hook returns exit 2 on a destructive command.
• 🤖 Rules seeded — .claude/rules/ has the universal set + project_context.md (count 10+) committed in C5.
• 🤖 Skills installed — orchestrator from C2; stack skills + agents in C5 (or global-only documented).
• 🤖 Other IDEs wired — .cursor/rules/000-boot.mdc + .mcp.json committed in C6; ZajLibrary MCP reachable (see machine setup §3).
• 🤖 Commit history complete — git log --oneline shows C1–C6 on develop; working tree clean except gitignored personal files.
• 🤖 Authored commits signed — commits after author/v* pass the signature check; unsigned lines (N <sha>) are fixed before Phase 2.
• 🔀 Secrets safe — a credential store chosen (1Password or credentials.md) and recorded; .env gitignored.
• 👤 Restarted + smoke test passes — session restarted and all three smoke-test questions answer correctly.

→Next step

Code & repository setup