Auth file exists

Client file exists

Fetcher file exists

Builder file exists

Domain entity file exists

Auth self.default

Auth token caching

Client::Error class

Client constants

Fetcher DI constructor

Fetcher constants

Builder attribute filtering

Entity ATTRIBUTES constant

Entity DEFAULT_QUERY constant

README present

Auth includes HTTParty

Auth credential validation

No hardcoded credentials

Auth token caching

Client::Error class

HTTP error wrapping

JSON error wrapping

Timeout configured

Missing config raises Client::Error

Retry constant

Spec covers error path

Builder initializer attributes

Builder attribute filtering

Builder response parsing

Entity ATTRIBUTES constant

Entity DEFAULT_QUERY constant

Entity SEARCH_QUERY constant

Entity self.fetcher wiring

sanitize_sql usage

FactoryBot hash factory

Factory in correct directory

ShelterApi module namespace

No raw interpolation in queries

Self.call delegation

Instance call method

Success response key

Success response nesting

Error response key

Error response nesting

File location

Frozen string literal

Module namespace

No raw exceptions returned

Early input validation

Specific rescue clauses

StandardError rescue

Error logged

Error hash returned

No exception leakage

Partial success response

Frozen string literal

Response format consistency

Backtrace logged for unexpected errors

Transaction present

Transaction scope correct

SQL sanitization used

No SQL string interpolation

Module namespace

File path correct

README present

Frozen string literal

Response format

Error constants

Orchestrator call length

Sub-services extracted

Orchestrator delegates, not implements

No HTTP response returned

Data-only return

Single responsibility

Frozen string literal

File structure

Response format

Error handling

Error message constants

YARD on self.call

YARD on other public methods

Class-only service used

No instance state in class-only service

README present

Frozen string literal

Response format

Module namespace matches directory

Constants not duplicated inline

process_log.md exists

Spec content before implementation

Expected failure documented

Test design phase present

Implementation plan before code

No implementation code before spec phase

At least three distinct phases

Spec file exists

Implementation file exists

Spec uses describe/context structure

type: :request used

type: :controller NOT used

Model spec file exists

type: :model used

No system or feature spec

Request spec in spec/requests/

Endpoint URL in describe

Endpoint success case covered

Endpoint failure case covered

Model uniqueness validation tested

Spec file at mirrored path

RSpec.describe uses module::class

describe for method

context for scenario variations

let used for test data

No let! for non-setup data

No 'and' in example descriptions

Frozen string literal

Subject defined

let_it_be NOT used

Factory attributes minimal

SendgridClient mocked

No real HTTP/email calls

ActiveRecord finders NOT mocked

Factory file exists

SendgridClient failure case tested

RecordNotFound case tested

let used for factory setup

External mock at class method level

Factory attributes match service usage

shared_examples defined

shared_examples consumed twice or more

travel_to used

Expiry true at >30 days

Expiry false at <30 days

let_it_be NOT used

Shared examples in spec/support/

403 response asserted in shared behavior

Model spec path correct

Pass ID not object

Load record in perform

Idempotency check present

Side effect after guard

retry_on with attempts

discard_on permanent error

Thin perform — service delegation

Recurring in recurring.yml

Solid Queue adapter

Spec covers idempotency

Spec written for job

Class-level summary

self.call @param

@option for hash keys

self.call @return

@raise for InvalidPlanError

@raise for PaymentGatewayError

supported_plans @return

English only

No logic changes

initialize documented

@example present

Dataloader for association

Field-level guard on sensitive field

No type-only auth for sensitive field

Mutation returns errors array

Mutation no unhandled raise

Introspection disabled in production

max_depth set

max_complexity set

Dedicated resolver class

Connection type for paginated list

schema.execute in specs

descriptions on fields

Feature branch task 0.0

TDD write-spec sub-task

TDD run-spec-fail sub-task

TDD implement sub-task

TDD run-spec-pass sub-task

Exact file paths in sub-tasks

Saved in /tasks/ with correct name

YARD post-implementation gate

Documentation update task

Code review gate

Relevant Files section

isolate_namespace used

configure block pattern

Configuration class

Configurable user class

No hard-coded host constant

Migrations not auto-applied

Host contract documented

lib/audit_trail.rb minimal

Dummy app routes mount engine

Model namespaced

Engine type justified

Stable behavior statement

Characterization tests before refactoring

Characterization tests target current code

Smallest safe sequence proposed

Test run evidence per step

No behavior mixed with structure

Temporary compatibility noted

No forbidden confidence claims

One boundary extracted per step

SERVICE_MAP constant

Factory NullService fallback

NullService never raises

Correct file structure

Single entry point API

Concrete overrides should_calculate?

Concrete overrides compute_result

NullService spec context

Variant spec coverage

Frozen string literal

SERVICE_MAP key type consistency

Correct severity levels used

permit! flagged Critical

N+1 query identified

Missing index flagged

Business logic in controller flagged

Review covers multiple areas

Each finding includes mitigation

Re-review explicitly required

html_safe / raw usage flagged

Severity action prescribed per level

File saved to /tasks/

Introduction section

Goals section

User Stories section

Functional Requirements section

Non-Goals section

Design and Technical Considerations

Implementation Surface section

Success Metrics section

Open Questions section

No implementation code

What/why focus

Next steps suggestion

Postman v2.1 schema

Correct file location

base_url variable used

All endpoints present

HTTP methods correct

Headers included

Body examples for POST/PUT

Syntactically valid JSON

URL path parameters

Auth/authz reviewed first

Parameter handling reviewed

Query safety reviewed

High severity: SQL injection identified

High severity: missing authz identified

Medium severity finding identified

Attack path per finding

Affected file per finding

Mitigation per finding

Exploitability focus

Secrets and output reviewed

Entry points identified first

Domain logic layer checked

Models and callbacks inspected

High: business logic in callbacks

High: controller multi-step workflow

Boundary problems prioritised

Medium finding identified

Affected files per finding

Risk described per finding

Improvement per finding

Concerns and helpers checked

Version constant updated

CHANGELOG updated

Upgrade notes produced

Semantic version bump correct

Version bump reasoning provided

Gemspec verified

Test suite mentioned

Blockers called out

CHANGELOG entries are specific

No release without CHANGELOG