---
name: ci-gatekeeper-agent
description: 'AI-powered CI Gatekeeper Agent that enforces observability standards in CI/CD pipelines. Use when: (1) Generating GitHub Actions/Jenkins pipelines for observability gates, (2) Configuring progressive enforcement policies, (3) Validating schema compatibility in CI, (4) Generating gate status reports. Triggers: "create observability gate", "configure CI enforcement", "generate gate policy", "check observability compliance".'
---
# CI Gatekeeper Agent
The CI Gatekeeper enforces observability standards through CI pipeline checks, implementing progressive gating that converts optional adoption into migration readiness without organizational mandates.
## Core Responsibilities
- Gate Policy Management: Define and enforce gate policies by tier
- CI Workflow Generation: Create GitHub Actions/Jenkins pipelines
- Schema Validation: Check schema compatibility against registry
- Status Reporting: Report gate status to PRs and event bus
- Progressive Enforcement: Manage warn → soft-fail → hard-fail transitions
## Gate Policies

### Gate 1: PR Merge (Pre-Merge)

Trigger: Pull Request opened/updated

Requirements:
- OTel SDK in dependencies
- Asset URN tags present
- Owner metadata defined
- RUNBOOK.md exists
- Lineage spec present (Tier-1)
- Contract stub present (Tier-1)
Actions:

| Tier | On Failure |
|---|---|
| Tier-1 | Block merge |
| Tier-2+ | Warn only |
### Gate 2: Migration Cutover

Trigger: Migration deployment

Requirements:
- Signals live in prod (verified)
- Freshness/volume monitors configured
- On-call route established
- Blast radius queryable in Neptune
Actions:

| Tier | On Failure |
|---|---|
| All | Block cutover |
### Gate 3: Post-Cutover (14 days)

Trigger: Stability review

Requirements:
- Schema change events wired
- Lineage edges present in Neptune
- DQ checks configured (2+ high-value)
- No critical incidents in window
Actions:

| Tier | On Failure |
|---|---|
| Tier-1 | Leadership review |
| Tier-2+ | Warn only |
## GitHub Actions Workflow

Generate `.github/workflows/observability-gate.yaml`:

```yaml
name: Observability Gate
on: [pull_request]
jobs:
  gate-1-baseline:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Check OTel SDK
        id: otel-check
        run: |
          # Detect language and check the appropriate dependency file.
          # Always write an explicit true/false: a bare "grep && echo" would make
          # the step itself fail under bash -e when the SDK is absent, which
          # defeats the warn-only path for Tier-2+.
          PRESENT=false
          for DEP in pom.xml go.mod requirements.txt; do
            if [ -f "$DEP" ] && grep -q "opentelemetry" "$DEP"; then PRESENT=true; fi
          done
          echo "otel_present=$PRESENT" >> "$GITHUB_OUTPUT"
      - name: Check Lineage Spec
        id: lineage-check
        run: |
          if ls lineage/*.yaml >/dev/null 2>&1; then PRESENT=true; else PRESENT=false; fi
          echo "lineage_present=$PRESENT" >> "$GITHUB_OUTPUT"
      - name: Check Contract Stub
        id: contract-check
        run: |
          if ls contracts/*.yaml >/dev/null 2>&1; then PRESENT=true; else PRESENT=false; fi
          echo "contract_present=$PRESENT" >> "$GITHUB_OUTPUT"
      - name: Check RUNBOOK
        id: runbook-check
        run: |
          if [ -f "RUNBOOK.md" ]; then PRESENT=true; else PRESENT=false; fi
          echo "runbook_present=$PRESENT" >> "$GITHUB_OUTPUT"
      - name: Enforce by Tier
        env:
          # Pass step outputs through env rather than interpolating them into the script
          OTEL: ${{ steps.otel-check.outputs.otel_present }}
          LINEAGE: ${{ steps.lineage-check.outputs.lineage_present }}
          CONTRACT: ${{ steps.contract-check.outputs.contract_present }}
          RUNBOOK: ${{ steps.runbook-check.outputs.runbook_present }}
        run: |
          # The tier is read from the PR's own tree, so a PR could lower it; for
          # hard enforcement take the tier from a source the PR author cannot edit.
          TIER=$(yq '.service.tier' lineage/*.yaml 2>/dev/null | head -n1 || true)
          case "$TIER" in [0-9]*) ;; *) TIER=2 ;; esac
          # Lineage spec and contract stub are Tier-1 requirements only
          CHECKS="OTEL RUNBOOK"
          if [ "$TIER" = "1" ]; then CHECKS="$CHECKS LINEAGE CONTRACT"; fi
          FAILED=0
          for CHECK in $CHECKS; do
            if [ "${!CHECK}" != "true" ]; then
              echo "::warning::$CHECK check failed (tier $TIER)"
              FAILED=1
            fi
          done
          # Hard fail for Tier-1; Tier-2+ is warn only
          if [ "$TIER" = "1" ] && [ "$FAILED" = "1" ]; then exit 1; fi
```
### Schema Compatibility Check

```yaml
      - name: Schema Compatibility
        run: |
          # Test each Avro/Protobuf schema against the latest registered version of
          # its subject (<file stem>-value). SCHEMA_REGISTRY_URL comes from the job env.
          FAILED=0
          while IFS= read -r SCHEMA; do
            STEM=$(basename "$SCHEMA"); SUBJECT="${STEM%.*}-value"
            case "$SCHEMA" in *.proto) TYPE=PROTOBUF ;; *) TYPE=AVRO ;; esac
            # jq escapes the schema text into a valid JSON request body
            BODY=$(jq -n --rawfile s "$SCHEMA" --arg t "$TYPE" '{schema: $s, schemaType: $t}')
            RESP=$(curl -sS -X POST \
              -H "Content-Type: application/vnd.schemaregistry.v1+json" \
              --data "$BODY" \
              "$SCHEMA_REGISTRY_URL/compatibility/subjects/$SUBJECT/versions/latest")
            # error_code 40401 = subject not registered yet, so nothing to be compatible with
            if [ "$(echo "$RESP" | jq -r '.is_compatible // (.error_code == 40401)')" != "true" ]; then
              echo "::error file=$SCHEMA::$SUBJECT is not compatible: $RESP"; FAILED=1
            fi
          done < <(find . \( -name "*.avsc" -o -name "*.proto" \) -type f)
          exit $FAILED
```
## Gate Status Event

Emit to event bus for tracking:

```json
{
  "event_type": "GateStatusReport",
  "timestamp": "2026-01-04T10:45:00Z",
  "repository": "orders-enricher",
  "pr_number": 142,
  "commit_sha": "abc123def",
  "gate": "gate-1",
  "status": "PASSED",
  "tier": 1,
  "checks": {
    "otel_sdk": {"status": "PASS", "details": "OTel 1.32.0 found"},
    "lineage_spec": {"status": "PASS", "details": "lineage/orders-enricher.yaml"},
    "contract_stub": {"status": "PASS", "details": "contracts/orders_enriched.yaml"},
    "schema_compat": {"status": "PASS", "details": "BACKWARD compatible"},
    "runbook": {"status": "PASS", "details": "RUNBOOK.md present"}
  },
  "next_gate": "gate-2",
  "next_gate_requirements": [
    "Signals live in prod for 7 days",
    "On-call route configured"
  ]
}
```
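A local evaluator for the Gate 1 tier policy and the status event above, as an added example (not the page's `scripts/check_gate.py`); the check names, the `(passed, details)` results shape and the sample step outputs are assumptions:

```python
# Added example, not the page's scripts/check_gate.py: evaluate Gate 1 step
# outputs against the tier policy and build the GateStatusReport event.
from datetime import datetime, timezone

BASELINE_CHECKS = ["otel_sdk", "asset_urn_tags", "owner_metadata", "runbook"]
TIER1_ONLY_CHECKS = ["lineage_spec", "contract_stub"]  # Tier-1 requirements only
# Mirrors the ci_gatekeeper.gate_1 block of the configuration section.
DEFAULT_CONFIG = {"gate_1": {"enforce_tier_1": True, "enforce_tier_2": False}}
# Constructed step outputs: a Tier-1 service whose contract stub is missing.
SAMPLE_RESULTS = {
    "otel_sdk": (True, "OTel 1.32.0 found"),
    "asset_urn_tags": (True, "urn:asset tags present"),
    "owner_metadata": (True, "owner defined"),
    "runbook": (True, "RUNBOOK.md present"),
    "lineage_spec": (True, "lineage/orders-enricher.yaml"),
}

def required_checks(tier: int) -> list:
    return BASELINE_CHECKS + (TIER1_ONLY_CHECKS if tier == 1 else [])

def evaluate_gate1(tier: int, results: dict, config: dict = DEFAULT_CONFIG):
    """Return (status, checks). status: PASSED, WARN (warn only) or FAILED
    (block merge). A required check that never ran counts as FAIL so the gate
    fails closed instead of passing on a missing step output."""
    cfg = config["gate_1"]
    enforce = cfg["enforce_tier_1"] if tier == 1 else cfg["enforce_tier_2"]
    checks, failed = {}, []
    for name in required_checks(tier):
        passed, details = results.get(name, (False, "check did not run"))
        checks[name] = {"status": "PASS" if passed else "FAIL", "details": details}
        if not passed:
            failed.append(name)
    if not failed:
        return "PASSED", checks
    return ("FAILED" if enforce else "WARN"), checks

def build_report(repository: str, pr_number: int, commit_sha: str, tier: int,
                 results: dict, config: dict = DEFAULT_CONFIG) -> dict:
    """Build the GateStatusReport event emitted to the event bus topic."""
    status, checks = evaluate_gate1(tier, results, config)
    return {
        "event_type": "GateStatusReport",
        "timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "repository": repository, "pr_number": pr_number, "commit_sha": commit_sha,
        "gate": "gate-1", "status": status, "tier": tier, "checks": checks,
        # Merge is allowed on PASSED or WARN, so the next gate is the cutover gate.
        "next_gate": "gate-2" if status != "FAILED" else None,
    }
```

With `SAMPLE_RESULTS` the Tier-1 evaluation returns `FAILED` (merge blocked), while the same outputs evaluated as Tier-2 pass because the contract stub is not required there.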
## Scripts

- `scripts/generate_workflow.py`: GitHub Actions generator
- `scripts/check_gate.py`: Local gate check runner
- `scripts/report_status.py`: Status reporter to PR and event bus
## References

- `references/gate-policies.md`: Complete gate policy definitions
- `references/workflow-templates/`: CI workflow templates
- `references/schema-registry.md`: Schema Registry integration guide
## Configuration

```yaml
ci_gatekeeper:
  enabled: true
  gate_1:
    enforce_tier_1: true
    enforce_tier_2: false  # Warn only
  gate_2:
    stability_window_days: 7
  gate_3:
    grace_period_days: 14
  schema_registry:
    url: "https://schema-registry.internal:8081"
  event_bus:
    topic: "autopilot-events"
```
## Integration Points

| System | Integration | Purpose |
|---|---|---|
| GitHub | Webhooks + API | PR events, status checks |
| GitLab | Webhooks + API | Alternative VCS support |
| Schema Registry | REST API | Compatibility validation |
| Event Bus | Kafka producer | Gate status events |
| Neptune | Gremlin API | Lineage edge verification |