Review fortress
The review fortress is the eleven-phase quality-assurance sweep (Phases 15-25) that every project passes through before the Phase 26 completion attestation. Each phase runs a dedicated audit command against one quality axis.
The eleven axes
| Phase | Command | Axis | Standard |
|---|---|---|---|
| 15 | /code-review | Code quality | Per-file craft review |
| 16 | /code-audit | Code corpus | Cross-file forensics |
| 17 | /security-audit | Security | OWASP ASVS v4 + Top 10 |
| 18 | /perf-audit | Performance | Core Web Vitals + USE method |
| 19 | /architecture-review | Architecture | Design artifact conformance |
| 20 | /ux-review | Dev experience | CLI ergonomics + onboarding |
| 21 | /a11y-audit | Accessibility | WCAG 2.2 AA |
| 22 | /docs-review | Documentation | Ten-dimension quality |
| 23 | /dependency-audit | Dependencies | License + CVE + freshness |
| 24 | /supply-chain-audit | Supply chain | SLSA + Sigstore + SBOM |
| 25 | /threat-model-audit | Threat model | STRIDE + PASTA |
Three-tier convergence
The fortress contributes to the three-tier green-card discipline:
- TIER 1 (Phase 07): Local conformity gate — all fifteen M-bars pass locally.
- TIER 2 (Phase 13): GitHub-side verification — CI workflows green on every commit, every check.
- TIER 3 (Phase 25 exit): Full review fortress complete — all eleven axes audited, findings dispositioned, watch items documented.
Amend-and-push loop
Each fortress phase follows the iterate-until-green pattern: findings are triaged, fixes are applied, the audit is re-run, and the loop continues until the phase's REPORT.md records a PASS attestation.
Why a fortress
Software quality degrades along predictable axes. A single-axis review misses the 90% of defects that live at the intersection of axes. The fortress forces eleven orthogonal lenses on the same codebase, surfacing defects that any single reviewer would miss.