Enforce zero-tolerance quality standards. Ship code that actually works.
9-Gate Quality Pipeline · Workflow Engine · Skill Modules · CLI Tool Reference
Quick Start · How It Works · Quality Gates · Skill Modules · Problems Solved
Modern software projects suffer from the same recurring quality issues. Whether you're a solo developer, a growing startup, or an established team, these 25 critical flaws keep shipping to production:
| # | Flaw | Impact |
|---|---|---|
| 1 | Poor code quality | Bugs, crashes, maintenance nightmares |
| 2 | UI doesn't match specs | Wasted iterations, broken designs |
| 3 | Files lost during refactors | Missing code, broken functionality |
| 4 | Incomplete bug fixes | Partial solutions, recurring bugs |
| 5 | Mock/fake data in production | Unusable software, security risks |
| 6 | Infinite loops & hangs | Frozen applications, CPU waste |
| 7 | Unprofessional UI | Bad user experience, no adoption |
| 8 | Security vulnerabilities | OWASP Top 10, data breaches |
| 9 | Unverified assumptions | Non-existent APIs, wrong solutions |
| 10 | No type safety | Runtime errors, unpredictable behavior |
| 11 | Missing error handling | Crashes, data loss |
| 12 | No tests | Unverified code, regression risk |
| 13 | Hardcoded secrets | Credential leaks, security breaches |
| 14 | No input validation | Injection attacks, data corruption |
| 15 | Missing documentation | Unmaintainable codebase |
| 16 | No CI/CD | Manual processes, human error |
| 17 | No containerization | Deployment failures |
| 18 | No rate limiting | DoS vulnerability |
| 19 | No authentication | Unauthorized access |
| 20 | Circular dependencies | Build failures, runtime errors |
| 21 | Memory leaks | Degraded performance, crashes |
| 22 | No observability | Blind to production issues |
| 23 | Breaking changes | Unstable APIs, broken consumers |
| 24 | No database patterns | N+1 queries, data inconsistency |
| 25 | Non-standard commits | Unreadable git history |
Every single one of these is solvable through enforcement.
Deerflow is a single repository you `git clone` that enforces production-grade standards through 3 layers:

Development tooling:
- TypeScript strict mode (zero `any`, no implicit anything)
- ESLint with custom mock-data detection plugin
- Prettier for consistent formatting
- Vitest with 80% coverage thresholds
- Zod for runtime validation

Git hooks:
- pre-commit: Secrets scan, mock data check, lint, type-check, tests
- commit-msg: Conventional Commits enforcement

CI (GitHub Actions):
- 5 parallel jobs: typecheck, lint, test+coverage, build, security
- Coverage threshold check (80%)
- npm audit + Trivy security scanning
- Secret detection in source code
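An added example of what the pre-commit layer's secrets scan and mock-data check can look like when run over staged files only. It is not Deerflow's own `.husky/pre-commit`; the regexes, the `tests/` allowlist for fixtures and the `PRE_COMMIT_FILES` override are assumptions.

```shell
#!/usr/bin/env bash
# Added example of a .husky/pre-commit style check, not Deerflow's own hook.
# Regexes, the tests/ allowlist and the PRE_COMMIT_FILES override are assumptions.

# Secret-looking literals: AWS access key ids, PEM private keys, and quoted
# values assigned to names such as password/secret/token/api_key
SECRET_RE="AKIA[0-9A-Z]{16}|-----BEGIN [A-Z ]*PRIVATE KEY-----|(api[_-]?[Kk]ey|secret|password|token)[[:space:]]*[:=][[:space:]]*[\"'][^\"']{8,}"
# Mock/fake data that must not reach src/: mockX/fakeX/dummyX identifiers and lorem ipsum filler
MOCK_RE="(^|[^[:alnum:]_])(mock|fake|dummy)[A-Z_][[:alnum:]_]*|[Ll]orem ipsum"

# scan_file KIND REGEX FILE : prints matches as [KIND] file:line:text, returns 1 if any
scan_file() {
  local kind="$1" re="$2" file="$3"
  grep -qE "$re" "$file" 2>/dev/null || return 0   # clean file
  grep -nE "$re" "$file" | sed "s|^|[$kind] $file:|"
  return 1
}

# check_staged FILE... : secret scan on every file; mock scan on everything outside tests/
check_staged() {
  local file bad=0
  for file in "$@"; do
    [ -f "$file" ] || continue                       # deleted or missing paths are skipped
    scan_file secret "$SECRET_RE" "$file" || bad=1
    case "$file" in
      tests/*) ;;                                    # fixtures may legitimately hold mock data
      *) scan_file mock "$MOCK_RE" "$file" || bad=1 ;;
    esac
  done
  return "$bad"
}

# Hook entry point: scans only the staged files (PRE_COMMIT_FILES overrides the git
# lookup so the check can run outside a repository); a nonzero exit blocks the commit
pre_commit() {
  set -- ${PRE_COMMIT_FILES:-$(git diff --cached --name-only --diff-filter=ACM)}
  check_staged "$@" && return 0
  echo "pre-commit: secrets or mock data found in staged files, commit blocked" >&2
  return 1
}

# Run as the hook only when executed directly as pre-commit; sourcing just defines the functions
case "${0##*/}" in pre-commit) pre_commit ;; esac
```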
```bash
git clone https://github.com/ntd25022006q/deerflow.git
cd deerflow
npm install
cp .env.example .env.local
make enforce       # Install enforcement tools
make quality-gate  # Verify everything works
npm run dev        # Start development
```

The 8-phase pipeline that every contributor MUST follow:
```text
ANALYZE -> PLAN -> SCAFFOLD -> IMPLEMENT -> VALIDATE -> TEST -> SECURITY -> QUALITY GATE
Read code  Write ADR  Use templates  Follow patterns  Type+Lint  >=80%     OWASP+    9/9
Understand Design     Create files   Repository Pat.  Zero err   coverage  secrets   PASS
```

- ANALYZE: Read requirements, understand domain, identify patterns
- PLAN: Design solution, write DECISIONS.md entry
- SCAFFOLD: Create files from templates/
- IMPLEMENT: Write code following Repository Pattern
- VALIDATE: Type-check + lint on every changed file
- TEST: Write tests, achieve ≥80% coverage
- SECURITY: Scan for OWASP Top 10, secrets, vulnerabilities
- QUALITY GATE: All 9 gates must pass; DEPLOY BLOCKED if any fail
Each phase has built-in validation. Failures block progression. Max 3 retries before escalating.
5 specialized modules that enforce specific quality domains:

| Skill | Purpose | Key Checks |
|---|---|---|
| code-review | Code quality enforcement | Zero `any`, no mock data, proper patterns, no empty catches |
| security | OWASP Top 10 scanning | SQL injection, XSS, secrets, CORS, auth, npm audit |
| test | Test coverage validation | Missing tests, empty tests, weak assertions, coverage ≥80% |
| ui | UI/UX quality | Accessibility (WCAG 2.1), responsive design, design system |
| search | Verify before coding | API docs, security advisories, best practices, version checks |
The 9 gates that ALL must pass before any code is accepted:

| Gate | Check | Command | Blocking |
|---|---|---|---|
| 1 | Build | `npm run build` | Yes |
| 2 | Lint | `eslint . --max-warnings=0` | Yes |
| 3 | Type Check | `tsc --noEmit` | Yes |
| 4 | Test + Coverage | `vitest run --coverage` (≥80%) | Yes |
| 5 | Security Audit | `npm audit --audit-level=moderate` | Yes |
| 6 | Docker Build | `docker build .` | Yes |
| 7 | Smoke Test | Health endpoint check | Yes |
| 8 | Format Check | `prettier --check .` | Yes |
| 9 | Secret Detection | Regex scan for hardcoded secrets | Yes |

Result: JSON report at `.agent/reports/quality-report.json`
Exit code: 0 = DEPLOY APPROVED, 1 = DEPLOY BLOCKED
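As an added example (not `scripts/quality-gate.sh` itself), a runner in the same spirit: it executes each gate, keeps going so the report lists every failing gate rather than stopping at the first, writes the JSON report and returns the deploy decision as its exit code. The gate commands, the health endpoint URL and the secret regex are assumptions.

```shell
#!/usr/bin/env bash
# Added example of a gate runner in the style of scripts/quality-gate.sh; it is not
# Deerflow's script. Gate commands, the health URL and the secret regex are assumptions.
REPORT="${REPORT:-.agent/reports/quality-report.json}"
RESULTS=""   # JSON objects, one per gate, comma-separated
FAILED=0

# run_gate NAME COMMAND... : runs one gate, records PASS/FAIL, and keeps going so the
# report lists every failing gate rather than stopping at the first one
run_gate() {
  local name="$1"; shift
  local status="PASS"
  if ! "$@" >/dev/null 2>&1; then
    status="FAIL"
    FAILED=$((FAILED + 1))
  fi
  RESULTS="${RESULTS}${RESULTS:+,}{\"gate\":\"$name\",\"command\":\"$*\",\"status\":\"$status\"}"
  printf '%-12s %s\n' "$name" "$status"
}

# write_report : writes the JSON report; exit status is the deploy decision (0 approved, 1 blocked)
write_report() {
  local verdict="DEPLOY APPROVED"
  [ "$FAILED" -eq 0 ] || verdict="DEPLOY BLOCKED"
  mkdir -p "$(dirname "$REPORT")"
  printf '{"failed":%d,"verdict":"%s","gates":[%s]}\n' "$FAILED" "$verdict" "$RESULTS" > "$REPORT"
  echo "$verdict ($FAILED failing gate(s)) -> $REPORT"
  [ "$FAILED" -eq 0 ]
}

# reset_gates : clears accumulated state so the runner can be reused in one shell
reset_gates() { RESULTS=""; FAILED=0; }

# Gate 9 as a function so run_gate can treat "pattern found" as a failure
no_secrets() { ! git grep -qE 'AKIA[0-9A-Z]{16}|-----BEGIN [A-Z ]*PRIVATE KEY-----' -- . ; }

main() {
  run_gate build      npm run build
  run_gate lint       npx eslint . --max-warnings=0
  run_gate type-check npx tsc --noEmit
  run_gate test       npx vitest run --coverage
  run_gate audit      npm audit --audit-level=moderate
  run_gate docker     docker build .
  run_gate smoke      curl -fsS http://localhost:3000/health
  run_gate format     npx prettier --check .
  run_gate secrets    no_secrets
  write_report
}
# Run the full pipeline only when executed directly as quality-gate.sh
case "${0##*/}" in quality-gate.sh) main "$@" ;; esac
```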
```text
deerflow/
├── .github/workflows/          # CI/CD pipelines
│   ├── ci.yml                  # Main CI (typecheck, lint, test, build, security)
│   └── release.yml             # Release pipeline with changelog
├── .husky/                     # Git hooks
│   ├── pre-commit              # Secrets + mock + lint + type-check + tests
│   └── commit-msg              # Conventional Commits enforcement
├── deerflow/                   # Core Framework
│   ├── workflow.ts             # Workflow Engine (8 phases)
│   ├── skills/                 # Skill Modules
│   │   ├── code-review.skill.ts
│   │   ├── security.skill.ts
│   │   ├── test.skill.ts
│   │   ├── ui.skill.ts
│   │   └── search.skill.ts
│   └── index.ts                # Framework entry point
├── scripts/
│   └── quality-gate.sh         # 9-gate quality check script
├── src/                        # Application source code
│   ├── services/               # Business logic
│   ├── controllers/            # Request handlers
│   ├── routes/                 # API route definitions
│   ├── models/                 # Domain entities & schemas
│   ├── middleware/             # Auth, validation, error handling
│   ├── utils/                  # Helper functions
│   ├── types/                  # Shared TypeScript types
│   └── config/                 # Configuration management
├── templates/                  # Code templates (copy & rename)
│   ├── service.template.ts     # Repository Pattern template
│   ├── route.template.ts       # API route with validation + auth
│   └── component.template.ts   # React component with a11y
├── tests/                      # Test files
│   ├── unit/                   # Unit tests
│   ├── integration/            # Integration tests
│   └── e2e/                    # End-to-end tests
├── docker/                     # Docker configuration
│   └── nginx.conf              # Nginx reverse proxy config
├── AGENT_RULES.md              # 12 Mandatory Rules for contributors
├── DECISIONS.md                # Architecture Decision Records
├── CODEOWNERS                  # Code ownership rules
├── cli-tools.json              # CLI tool reference (NOT MCP servers)
├── docker-compose.yml          # Dev environment (app + postgres + redis + nginx)
├── Dockerfile                  # Multi-stage build (deps → builder → runner)
├── Makefile                    # Central command hub
├── package.json                # Dependencies & scripts
├── tsconfig.json               # Strict TypeScript config
├── eslint.config.js            # ESLint flat config + custom mock detection
├── .prettierrc                 # Code formatting rules
└── vitest.config.ts            # Test config with 80% coverage threshold
```

| Problem | Deerflow Solution | Enforcement |
|---|---|---|
| Poor code quality | Repository Pattern templates + strict TypeScript | ESLint + type-check |
| UI mismatches | UI Skill (accessibility + responsive checks) | ui.skill.ts |
| Files lost during refactors | Full file read rule (Rule #7) | AGENT_RULES.md |
| Incomplete fixes | Quality Gate blocks until ALL pass | quality-gate.sh |
| Mock/fake data | Custom ESLint plugin detects mock patterns | eslint.config.js + pre-commit |
| Infinite loops | Performance lint rules | lint:perf |
| Unprofessional UI | UI Skill + design system consistency | ui.skill.ts |
| Security flaws | Security Skill (OWASP Top 10 scanner) | security.skill.ts + CI |
| Unverified assumptions | Search Skill (verify APIs before use) | search.skill.ts + Rule #10 |
| No type safety | TypeScript strict mode + zero `any` rule | tsconfig.json + ESLint |
| Missing error handling | Route template with typed error handling | route.template.ts |
| No tests | Test Skill + 80% coverage threshold | vitest.config.ts |
| Hardcoded secrets | Secret detection in pre-commit + CI | .husky/pre-commit + CI |
| No input validation | Zod schemas in all templates | route.template.ts |
| No CI/CD | GitHub Actions with 5 parallel jobs | .github/workflows/ |
| No Docker | Multi-stage Dockerfile + compose | Dockerfile + Gate 6 |
| No rate limiting | Nginx config with rate limiting | docker/nginx.conf |
| No authentication | Route template with auth checks | route.template.ts |
| Circular dependencies | ESLint import/no-cycle rule | eslint.config.js |
| Memory leaks | Performance lint + review skill | code-review.skill.ts |
| Non-standard commits | Conventional Commits enforcement | .husky/commit-msg |
```bash
# Quality & Enforcement
make enforce            # Install all enforcement tools
make quality-gate       # Run all 9 quality gates
make verify             # Verify rules compliance
make fix                # Auto-fix lint and format issues

# Development
npm run dev             # Start development server
npm run build           # Build for production
npm run start           # Run production build

# Testing
make test               # Run all tests with coverage
make test:unit          # Run unit tests
make test:integration   # Run integration tests
make test:e2e           # Run e2e tests

# Code Quality
make lint               # Run linter
make lint:fix           # Fix lint issues
make type-check         # TypeScript type checking
make format             # Format code with Prettier
make format:check       # Check formatting without fixing

# Security
make security           # Run security audit

# Docker
make docker:build       # Build Docker image
make docker:up          # Start all services
make docker:down        # Stop all services

# Release
make release:patch      # Bump patch version (1.0.x)
make release:minor      # Bump minor version (1.x.0)
make release:major      # Bump major version (x.0.0)

# Utilities
make clean              # Remove build artifacts
make fresh              # Clean install from scratch
make help               # Show all available commands
```

Deerflow includes a reference configuration for CLI tools commonly used in development. These are standard CLI tools invoked via subprocess, NOT MCP (Model Context Protocol) servers. MCP servers require JSON-RPC 2.0 over stdio or HTTP/SSE; see https://modelcontextprotocol.io for the MCP specification.

| Tool | Purpose |
|---|---|
| Docker | Build, run, manage containers and services |
| PostgreSQL | Execute queries, run migrations, inspect schema |
| Redis | Cache operations, pub/sub, health checks |
| Git | Commits, branches, tags, diffs |
| Vitest | Run unit/integration/e2e tests with coverage |
| NPM Audit | Audit, secret scanning, OWASP checks |
| ESLint | Lint, format, type-check code |
This project is licensed under the MIT License; see the LICENSE file for details.

Clone it. Quality is non-negotiable.