feat(P04): verification intelligence — git-native coverage, npm audit, TS compilation

---ci---
project: ci
phase: 4
milestone: v0.5
status: complete
decisions:
  - id: D-028
    decision: Phase 4 Verification Intelligence complete
    rationale: All INTEL requirements covered; 31 suites, 355 tests
    confidence: 0.95
    alternatives: []
requirements:
  covered: [INTEL-01, INTEL-02, INTEL-03]
---/ci---

src/agents/orchestrator.ts

@@ -224,7 +224,8 @@ export class OrchestratorAgent extends BaseAgent {
                 cwd: context.project_path,
                 stdio: "pipe",
               });
-            } catch {
+            } catch (err) {
+              this.warn(`Specify commit failed: ${err instanceof Error ? err.message : String(err)}`);
             }
           }
         } else {
@@ -275,6 +276,21 @@ export class OrchestratorAgent extends BaseAgent {
         this.log("Researching project domain...");
         this.decisionEngine!.setPhase(1);
 
+        const archMd = this.ciFiles!.readArchitectureMd();
+        if (!archMd) {
+          this.log("No ARCHITECTURE.md found — mechanical research cannot proceed without backend");
+          return {
+            phase: this.pipelineState!.current_phase,
+            stage: "research",
+            success: false,
+            artifacts_created: artifactsCreated,
+            decisions_made: decisionsMade,
+            escalations_raised: escalationsRaised,
+            duration_ms: Date.now() - stageStart,
+            error: "Research stage requires intelligence backend or existing ARCHITECTURE.md",
+          };
+        }
+
         if (this.config.git.auto_commit && this.gitContext!.isGitRepo()) {
           const researchCommit = CommitBuilder.buildResearchCommit(
             1,
@@ -288,7 +304,8 @@ export class OrchestratorAgent extends BaseAgent {
               cwd: context.project_path,
               stdio: "pipe",
             });
-          } catch {
+          } catch (err) {
+            this.warn(`Research commit failed: ${err instanceof Error ? err.message : String(err)}`);
           }
         }
 
@@ -309,11 +326,42 @@ export class OrchestratorAgent extends BaseAgent {
 
       case "execute":
         this.log("Executing implementation...");
+        if (!context.backend) {
+          this.log("No backend available — mechanical execution cannot implement code changes");
+          return {
+            phase: this.pipelineState!.current_phase,
+            stage: "execute",
+            success: false,
+            artifacts_created: artifactsCreated,
+            decisions_made: decisionsMade,
+            escalations_raised: escalationsRaised,
+            duration_ms: Date.now() - stageStart,
+            error: "Execute stage requires intelligence backend for code implementation",
+          };
+        }
         this.pipelineState!.execute_completed = true;
         break;
 
       case "verify": {
         this.log("Running verification...");
+
+        const { VerificationPipeline } = await import("../verification/index.js");
+        const verification = new VerificationPipeline(context.project_path);
+        const verifyResult = await verification.run(this.pipelineState!.current_phase || 1);
+
+        if (!verifyResult.all_passed) {
+          return {
+            phase: this.pipelineState!.current_phase,
+            stage: "verify",
+            success: false,
+            artifacts_created: artifactsCreated,
+            decisions_made: decisionsMade,
+            escalations_raised: escalationsRaised,
+            duration_ms: Date.now() - stageStart,
+            error: `Verification failed: ${verifyResult.escalations_needed.join("; ")}`,
+          };
+        }
+
         this.pipelineState!.verify_completed = true;
 
         if (this.config.git.auto_commit && this.gitContext!.isGitRepo()) {
@@ -329,7 +377,8 @@ export class OrchestratorAgent extends BaseAgent {
               cwd: context.project_path,
               stdio: "pipe",
             });
-          } catch {
+          } catch (err) {
+            this.warn(`Verify commit failed: ${err instanceof Error ? err.message : String(err)}`);
           }
         }
 
@@ -354,7 +403,8 @@ export class OrchestratorAgent extends BaseAgent {
               cwd: context.project_path,
               stdio: "pipe",
             });
-          } catch {
+          } catch (err) {
+            this.warn(`Completion commit failed: ${err instanceof Error ? err.message : String(err)}`);
           }
         }
 

src/core/error-recovery.ts

@@ -1,3 +1,4 @@
+import { execSync } from "node:child_process";
 import { CIConfig } from "../types/config.js";
 
 export interface RetryConfig {
@@ -67,12 +68,39 @@ export class ErrorRecovery {
   }
 
   async rollback(phase: number, reason: string): Promise<RecoveryResult> {
-    return {
-      recovered: true,
-      strategy: "rollback",
-      attempts: 1,
-      message: `Rolled back phase ${phase}: ${reason}`,
-    };
+    try {
+      const phaseBranch = `phase/${String(phase).padStart(2, "0")}`;
+      const branches = this.git("branch --list");
+      const branchExists = branches.split("\n").some((b) => b.trim().replace(/^\*?\s+/, "") === phaseBranch);
+
+      if (branchExists) {
+        const currentBranch = this.git("rev-parse --abbrev-ref HEAD");
+        if (currentBranch === phaseBranch) {
+          this.git("checkout main");
+        }
+        this.git(`branch -D ${phaseBranch}`);
+      }
+
+      const tag = `v0.5.${phase}`;
+      const tags = this.git("tag -l").split("\n").map((t) => t.trim());
+      if (tags.includes(tag)) {
+        this.git(`tag -d ${tag}`);
+      }
+
+      return {
+        recovered: true,
+        strategy: "rollback",
+        attempts: 1,
+        message: `Rolled back phase ${phase}: ${reason}. Branch ${branchExists ? `${phaseBranch} deleted` : "not found"}. Tag ${tags.includes(tag) ? `${tag} deleted` : "not found"}.`,
+      };
+    } catch (err) {
+      return {
+        recovered: false,
+        strategy: "rollback",
+        attempts: 1,
+        message: `Rollback failed for phase ${phase}: ${err instanceof Error ? err.message : String(err)}`,
+      };
+    }
   }
 
   canAutoDebug(error: string, confidence: number): boolean {
@@ -86,4 +114,16 @@ export class ErrorRecovery {
   getMaxRevisions(): number {
     return this.config.autonomy.max_revision_iterations;
   }
+
+  private git(args: string): string {
+    try {
+      return execSync(`git ${args}`, {
+        cwd: this.projectPath,
+        encoding: "utf-8",
+        stdio: ["pipe", "pipe", "pipe"],
+      }).trim();
+    } catch {
+      return "";
+    }
+  }
 }

src/verification/behavioral.test.ts

@@ -49,10 +49,33 @@ describe("BehavioralVerification", () => {
     expect(testFilesCheck?.status).toBe("pass");
   });
 
-  it("passes with specification and requirements", async () => {
+  it("passes with REQUIREMENTS.md", async () => {
     const ciDir = path.join(tempDir, ".ci");
     fs.mkdirSync(ciDir, { recursive: true });
-    fs.writeFileSync(path.join(ciDir, "specification.md"), "# Test\n## Objective\nBuild it\n\n## Requirements\n- Must have auth\n- Shall support CRUD\n");
+    fs.writeFileSync(path.join(ciDir, "REQUIREMENTS.md"), "# Requirements\n\n| REQ-ID | Requirement | Priority | Phase | Status |\n|--------|-------------|----------|-------|--------|\n| REQ-01 | Must have auth | P0 | 1 | pending |\n");
+
+    const verifier = new BehavioralVerification();
+    const result = await verifier.verify(tempDir, 1);
+
+    const specCheck = result.checks.find((c) => c.name === "Specification requirements traceable");
+    expect(specCheck?.status).toBe("pass");
+  });
+
+  it("skips when no REQUIREMENTS.md or PROJECT.md", async () => {
+    const ciDir = path.join(tempDir, ".ci");
+    fs.mkdirSync(ciDir, { recursive: true });
+
+    const verifier = new BehavioralVerification();
+    const result = await verifier.verify(tempDir, 1);
+
+    const specCheck = result.checks.find((c) => c.name === "Specification requirements traceable");
+    expect(specCheck?.status).toBe("skipped");
+  });
+
+  it("passes with PROJECT.md when no REQUIREMENTS.md", async () => {
+    const ciDir = path.join(tempDir, ".ci");
+    fs.mkdirSync(ciDir, { recursive: true });
+    fs.writeFileSync(path.join(ciDir, "PROJECT.md"), "# Test\n\n## What This Is\nBuild it\n\n## Requirements\n\n### Active\n\n- [ ] Must have auth\n- [ ] Shall support CRUD\n");
 
     const verifier = new BehavioralVerification();
     const result = await verifier.verify(tempDir, 1);

src/verification/behavioral.ts

@@ -1,5 +1,6 @@
 import * as fs from "node:fs";
 import * as path from "node:path";
+import { execSync } from "node:child_process";
 import { VerificationLayer, VerificationResult, VerificationCheck } from "./types.js";
 
 const TEST_FRAMEWORK_PATTERNS = [
@@ -26,6 +27,7 @@ export class BehavioralVerification extends VerificationLayer {
     checks.push(this.checkSpecificationRequirements(projectPath));
     checks.push(this.checkPlanMustHaves(projectPath, phase));
     checks.push(this.checkCodeHasExports(projectPath));
+    checks.push(this.checkRequirementTestCoverage(projectPath));
 
     const passed = checks.every((c) => c.status !== "fail");
     return {
@@ -106,15 +108,59 @@ export class BehavioralVerification extends VerificationLayer {
   }
 
   private checkSpecificationRequirements(projectPath: string): VerificationCheck {
-    const specPath = path.join(projectPath, ".ci", "specification.md");
+    const reqPath = path.join(projectPath, ".ci", "REQUIREMENTS.md");
+    const projectPath_md = path.join(projectPath, ".ci", "PROJECT.md");
+
+    const specPath = reqPath;
     if (!fs.existsSync(specPath)) {
+      const altPath = projectPath_md;
+      if (!fs.existsSync(altPath)) {
+        return this.check(
+          "Specification requirements traceable",
+          "skipped",
+          "No REQUIREMENTS.md or PROJECT.md found"
+        );
+      }
+      return this.checkFromProjectMd(altPath);
+    }
+
+    const content = fs.readFileSync(specPath, "utf-8");
+    const requirements = content
+      .split("\n")
+      .filter((line) => /^\|.*\|.*\|.*\|/.test(line) && !line.includes("REQ-ID") && !line.includes("---"))
+      .map((line) => {
+        const cols = line.split("|").map((c) => c.trim()).filter(Boolean);
+        return cols.length >= 2 ? cols[1] : "";
+      })
+      .filter(Boolean);
+
+    if (requirements.length === 0) {
+      const listRequirements = content
+        .split("\n")
+        .filter((line) => line.trim().startsWith("- "))
+        .map((line) => line.trim().slice(2));
+      if (listRequirements.length === 0) {
+        return this.check(
+          "Specification requirements traceable",
+          "warning",
+          "No requirements found in REQUIREMENTS.md"
+        );
+      }
       return this.check(
         "Specification requirements traceable",
-        "skipped",
-        "No specification file found"
+        "pass",
+        `Found ${listRequirements.length} requirement(s)`
       );
     }
 
+    return this.check(
+      "Specification requirements traceable",
+      "pass",
+      `Found ${requirements.length} requirement(s) in REQUIREMENTS.md`
+    );
+  }
+
+  private checkFromProjectMd(specPath: string): VerificationCheck {
     const content = fs.readFileSync(specPath, "utf-8");
     const requirements = content
       .split("\n")
@@ -129,7 +175,7 @@ export class BehavioralVerification extends VerificationLayer {
       return this.check(
         "Specification requirements traceable",
         "warning",
-        "No requirements found in specification"
+        "No requirements found in PROJECT.md"
       );
     }
 
@@ -174,6 +220,98 @@ export class BehavioralVerification extends VerificationLayer {
     );
   }
 
+  private checkRequirementTestCoverage(projectPath: string): VerificationCheck {
+    const isGitRepo = fs.existsSync(path.join(projectPath, ".git"));
+    if (!isGitRepo) {
+      return this.check(
+        "Requirement test coverage via git log",
+        "skipped",
+        "Not a git repository — cannot check requirement coverage from commit history"
+      );
+    }
+
+    try {
+      const raw = execSync(
+        `git log --all --max-count=100 --format="%B%x01"`,
+        { cwd: projectPath, encoding: "utf-8", stdio: ["pipe", "pipe", "pipe"], timeout: 5000 }
+      );
+
+      const coveredReqs = new Set<string>();
+      const ciBlockRegex = /---ci---[\s\S]*?---\/ci---/g;
+      const entries = raw.split("\x01").filter(Boolean);
+
+      for (const entry of entries) {
+        let match;
+        while ((match = ciBlockRegex.exec(entry)) !== null) {
+          const reqMatch = match[0].match(/covered:\s*\[([^\]]*)\]/);
+          if (reqMatch) {
+            const reqs = reqMatch[1].split(",").map((r: string) => r.trim().replace(/['"]/g, "")).filter(Boolean);
+            for (const req of reqs) coveredReqs.add(req);
+          }
+        }
+        ciBlockRegex.lastIndex = 0;
+      }
+
+      const reqPath = path.join(projectPath, ".ci", "REQUIREMENTS.md");
+      if (!fs.existsSync(reqPath)) {
+        return this.check(
+          "Requirement test coverage via git log",
+          "skipped",
+          "No REQUIREMENTS.md found to check coverage against"
+        );
+      }
+
+      const content = fs.readFileSync(reqPath, "utf-8");
+      const allReqs = content
+        .split("\n")
+        .filter((line) => /^\|.*\|.*\|.*\|/.test(line) && !line.includes("REQ-ID") && !line.includes("---"))
+        .map((line) => {
+          const cols = line.split("|").map((c) => c.trim()).filter(Boolean);
+          return cols.length >= 1 ? cols[0] : "";
+        })
+        .filter(Boolean);
+
+      if (allReqs.length === 0) {
+        return this.check(
+          "Requirement test coverage via git log",
+          "skipped",
+          "No requirements with REQ-IDs found in REQUIREMENTS.md"
+        );
+      }
+
+      const covered = allReqs.filter((r) => coveredReqs.has(r));
+      const coveragePct = Math.round((covered.length / allReqs.length) * 100);
+
+      if (coveragePct >= 80) {
+        return this.check(
+          "Requirement test coverage via git log",
+          "pass",
+          `${covered.length}/${allReqs.length} requirements covered (${coveragePct}%)`
+        );
+      }
+
+      if (coveragePct >= 50) {
+        return this.check(
+          "Requirement test coverage via git log",
+          "warning",
+          `${covered.length}/${allReqs.length} requirements covered (${coveragePct}%) — target ≥80%`
+        );
+      }
+
+      return this.check(
+        "Requirement test coverage via git log",
+        "warning",
+        `${covered.length}/${allReqs.length} requirements covered (${coveragePct}%) — significant gaps`
+      );
+    } catch {
+      return this.check(
+        "Requirement test coverage via git log",
+        "skipped",
+        "Could not read git log for requirement coverage"
+      );
+    }
+  }
+
   private checkCodeHasExports(projectPath: string): VerificationCheck {
     const srcDir = path.join(projectPath, "src");
     if (!fs.existsSync(srcDir)) {

src/verification/quality.ts

@@ -1,5 +1,6 @@
 import * as fs from "node:fs";
 import * as path from "node:path";
+import { execSync } from "node:child_process";
 import { VerificationLayer, VerificationResult, VerificationCheck } from "./types.js";
 
 interface CodeFinding {
@@ -66,6 +67,7 @@ export class QualityVerification extends VerificationLayer {
     checks.push(this.checkP2P3Findings(p2p3Findings));
     checks.push(this.checkTypeScriptStrictness(projectPath));
     checks.push(this.checkConsistentNaming(projectPath));
+    checks.push(this.checkTypeScriptCompilation(projectPath));
 
     const hasP0Fail = p0Findings.length > 3;
     const passed = !hasP0Fail;
@@ -226,6 +228,32 @@ export class QualityVerification extends VerificationLayer {
     );
   }
 
+  private checkTypeScriptCompilation(projectPath: string): VerificationCheck {
+    const tsconfigPath = path.join(projectPath, "tsconfig.json");
+    if (!fs.existsSync(tsconfigPath)) {
+      return this.check("TypeScript compilation", "skipped", "No tsconfig.json found");
+    }
+
+    try {
+      execSync("npx tsc --noEmit 2>&1", {
+        cwd: projectPath,
+        encoding: "utf-8",
+        timeout: 60000,
+        stdio: ["pipe", "pipe", "pipe"],
+      });
+      return this.check("TypeScript compilation", "pass", "TypeScript compiles without errors");
+    } catch (err) {
+      const execErr = err as { stdout?: string };
+      const output = execErr.stdout || "";
+      const errorCount = (output.match(/error TS/g) || []).length;
+      return this.check(
+        "TypeScript compilation",
+        errorCount > 5 ? "fail" : "warning",
+        `${errorCount} TypeScript compilation error(s)`
+      );
+    }
+  }
+
   private collectFiles(dir: string, files: string[]): void {
     const entries = fs.readdirSync(dir, { withFileTypes: true });
     for (const entry of entries) {

src/verification/security.ts

@@ -1,5 +1,6 @@
 import * as fs from "node:fs";
 import * as path from "node:path";
+import { execSync } from "node:child_process";
 import { VerificationLayer, VerificationResult, VerificationCheck } from "./types.js";
 
 interface ThreatEntry {
@@ -250,24 +251,80 @@ export class SecurityVerification extends VerificationLayer {
   }
 
   private checkDependencyVulnerabilities(projectPath: string): VerificationCheck {
-    const packageLockPath = path.join(projectPath, "package-lock.json");
-    if (!fs.existsSync(packageLockPath)) {
-      return this.check(
-        "Dependency audit",
-        "skipped",
-        "No package-lock.json found — cannot audit dependencies"
-      );
-    }
-
     const packageJsonPath = path.join(projectPath, "package.json");
     if (!fs.existsSync(packageJsonPath)) {
       return this.check("Dependency audit", "skipped", "No package.json found");
     }
 
-    return this.check(
-      "Dependency audit",
-      "pass",
-      "Dependency structure available for audit (run `npm audit` for full check)"
-    );
+    try {
+      const result = execSync("npm audit --json 2>/dev/null", {
+        cwd: projectPath,
+        encoding: "utf-8",
+        timeout: 30000,
+        stdio: ["pipe", "pipe", "pipe"],
+      });
+      const audit = JSON.parse(result);
+      const vulnerabilities = audit.metadata?.vulnerabilities || {};
+      const high = vulnerabilities.high || 0;
+      const critical = vulnerabilities.critical || 0;
+      const medium = vulnerabilities.moderate || 0;
+      const low = vulnerabilities.low || 0;
+      const total = high + critical + medium + low;
+
+      if (total === 0) {
+        return this.check("Dependency audit", "pass", "No known vulnerabilities in dependencies");
+      }
+
+      if (critical > 0 || high > 0) {
+        return this.check(
+          "Dependency audit",
+          "fail",
+          `${total} vulnerabilities (critical: ${critical}, high: ${high}, medium: ${medium}, low: ${low})`
+        );
+      }
+
+      return this.check(
+        "Dependency audit",
+        "warning",
+        `${total} vulnerabilities (medium: ${medium}, low: ${low}) — no critical/high`
+      );
+    } catch (err) {
+      const output = (err as { stdout?: string }).stdout;
+      if (output) {
+        try {
+          const audit = JSON.parse(output);
+          const vulnerabilities = audit.metadata?.vulnerabilities || {};
+          const high = vulnerabilities.high || 0;
+          const critical = vulnerabilities.critical || 0;
+          const medium = vulnerabilities.moderate || 0;
+          const low = vulnerabilities.low || 0;
+          const total = high + critical + medium + low;
+
+          if (total === 0) {
+            return this.check("Dependency audit", "pass", "No known vulnerabilities in dependencies");
+          }
+
+          if (critical > 0 || high > 0) {
+            return this.check(
+              "Dependency audit",
+              "fail",
+              `${total} vulnerabilities (critical: ${critical}, high: ${high}, medium: ${medium}, low: ${low})`
+            );
+          }
+
+          return this.check(
+            "Dependency audit",
+            "warning",
+            `${total} vulnerabilities (medium: ${medium}, low: ${low}) — no critical/high`
+          );
+        } catch {}
+      }
+
+      return this.check(
+        "Dependency audit",
+        "skipped",
+        "npm audit not available — run manually for full check"
+      );
+    }
   }
 }