[Feature] Quality gate hooks on agent file writes #65821

@smonett

Problem

When agents write or edit files (via Write/Edit tools), there is no automated quality check. Agents can introduce syntax errors, security vulnerabilities, or lint violations without immediate feedback.

Workaround

I built cc-quality-gate.py, a PostToolUse hook that runs ruff (lint) + bandit (security) on every Python file written by the agent. Findings are annotated into the transcript as warnings — never blocks, only annotates so the agent can self-correct.

Proposed Solution

A configurable quality gate hook system:

{
  "tools": {
    "qualityGates": {
      "enabled": true,
      "rules": [
        { "glob": "*.py", "command": "ruff check {file}", "action": "annotate" },
        { "glob": "*.py", "command": "bandit -r {file}", "action": "annotate" },
        { "glob": "*.js", "command": "node --check {file}", "action": "annotate" }
      ]
    }
  }
}

The gate runs after each file write, injects findings into the agent's context, and lets the agent self-correct.

Impact

Low-medium. Improves code quality from agent-written files. Especially useful for autonomous coding workflows.

Environment

  • OpenClaw 2026.4.10 (npm, macOS)
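
A sketch of how a runner for the proposed `rules` list could execute each command, added here as an example; it is not code from OpenClaw or from cc-quality-gate.py. It substitutes `{file}` as a single argv element with no shell involved, so a file name chosen by the agent cannot alter the command. The function names, the `py_compile` stand-in rule and the sample file are assumptions.

```python
import fnmatch, os, shlex, subprocess, sys, tempfile

# Constructed rules in the shape the issue proposes. py_compile stands in for
# ruff/bandit so the sketch runs without extra tools; the second rule names a
# tool that does not exist, to show the "never blocks" path.
RULES = [
    {"glob": "*.py", "action": "annotate",
     "command": f"{shlex.quote(sys.executable)} -m py_compile {{file}}"},
    {"glob": "*.py", "action": "annotate",
     "command": "tool-that-is-not-installed {file}"},
]

def build_argv(command, path):
    """Split the template first, then substitute {file} token by token, so the
    path stays one argv element and is never parsed by a shell."""
    return [tok.replace("{file}", path) for tok in shlex.split(command)]

def run_gates(path, rules=RULES, timeout=30, max_chars=2000):
    """Run matching rules; return annotation strings. Never raises on findings."""
    path = os.path.abspath(path)  # absolute, so it cannot be read as an option
    notes = []
    for rule in rules:
        if not fnmatch.fnmatch(os.path.basename(path), rule["glob"]):
            continue
        argv = build_argv(rule["command"], path)
        try:
            proc = subprocess.run(argv, capture_output=True, text=True,
                                  timeout=timeout)
        except FileNotFoundError:
            notes.append(f"[gate] {argv[0]}: tool not installed, skipped")
            continue
        except subprocess.TimeoutExpired:
            notes.append(f"[gate] {argv[0]}: timed out after {timeout}s")
            continue
        if proc.returncode != 0:
            out = (proc.stdout + proc.stderr).strip()[:max_chars]  # cap context
            notes.append(f"[gate] {argv[0]} exit {proc.returncode}:\n{out}")
    return notes

def demo():
    """Gate a constructed file: broken syntax, shell metacharacters in its name."""
    with tempfile.TemporaryDirectory() as d:
        bad = os.path.join(d, "a b;echo hi.py")
        with open(bad, "w") as fh:
            fh.write("def broken(:\n")
        return run_gates(bad)

if __name__ == "__main__":
    print("\n".join(demo()))
```

With real tools installed, the constructed commands can be swapped for the `ruff check {file}` and `bandit -r {file}` templates from the proposal.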
