evidence-gated-cilisted

# Evidence-Gated CI Codifies the CI discipline Mick Johnson runs across Tandem, Butterfly Security, LinguaMind, and mcp-butterfly: **no claim of an external state change ships without an artifact on disk proving it happened.** No green tests on assumptions, no "it should work." ## When to use Trigger this skill when: - Adding CI to a new project that touches prod state (DBs, third-party APIs, devices, social platforms) - The user says: "evidence-gated CI", "pre-push gate", "smoketest setup", "artifact-verified", "make sure the agent isn't lying about mutations" - An agent-driven workflow needs to prove it did something external (posted a comment, revoked a key, flipped a flag) — not just claim it - Migrating a project from `npm test` only -> real production-touching CI ## The three layers of the gate Run them in this order. Each layer has a hard time budget and a hard pass/fail. No "flaky, retry." ### Layer 1: Smoketest (<30s, every push) The "is the lights-on" test. Always runs first; if it fails, skip Layer 2 + 3 to save minutes. Required checks: - HTTP healthcheck on production URL (assert 200 + expected body shape, not just 200) - DB connect + 1 trivial read (e.g., `SELECT 1` or known-row read) - Secret validity probe (call the upstream API with the secret, assert non-401) - Build hash echo (so you know which commit is actually deployed) Fail = block merge. No retries on Layer 1; flakes here mean prod is sick or the secret rotated. See `smoketest-template.md` fo