No code ships without an approved plan (Gate 1) and a passing review (Gate 2). The agent cannot self-approve.
Strict failing-test-first when --tdd is set. Spikes stay fast.
Prompt injection defense across input boundary, instruction anchoring, context isolation, and output validation.