Data Pipeline · stage 4 of 5

Validation

Ask gate

Validate data quality, schema compliance, and business rules

Validation

Prove that the transformed data conforms to the model and the business rules, under both nominal and edge-case conditions. This stage builds the runtime safety net every pipeline execution leans on — a pipeline without it ships bad data silently, and the consumers find out before the on-call does.

Scope

Building the executable data-quality suite plus the reconciliation checks that compare source counts and key totals against the target. Validation decides what "correct data" means in checks and what passes — it does not fix the transformation logic it tests (that's a revisit to transformation) or deploy anything (deployment).

What to do

  • Cover schema compliance, uniqueness, not-null, referential integrity, value ranges, row-count reconciliation, and business-rule assertions for each verification surface.
  • Give every check explicit pass / fail / warning semantics and a stated threshold.
  • Test edge-case conditions, not just the happy path the transformation already handles.
  • Record each check's scope, threshold, and latest run result so the suite is auditable.

What NOT to do

  • Don't fix the model or transformation code when a check fails — file the finding back to transformation.
  • Don't build connectors or modify staging — that's extraction.
  • Don't deploy or operationalize the pipeline — that's deployment.
  • Don't pass a surface with a check left unwritten; an untested rule is a silent failure waiting to happen.

How the engine runs this stage

1Elaborate

autonomous · plan the work, fan out discovery, declare outputs

Phase guidance

phase overrideELABORATION- "Data quality checks cover uniqueness, not-null constraints, referential integrity, and accepted value ranges for every target table"

Validation Stage — Elaboration

Criteria Guidance

Good criteria — concrete and verifiable

  • "Data quality checks cover uniqueness, not-null constraints, referential integrity, and accepted value ranges for every target table"
  • "Row count reconciliation between source and target is within the agreed tolerance (e.g., < 0.1% variance)"
  • "Business rule tests verify at least 3 known edge cases per critical transformation (e.g., timezone handling, currency conversion, null propagation)"

Bad criteria — vague (no clear check)

  • "Data quality is validated"
  • "Tests pass"
  • "Business rules are checked"

Outputs produced

output templateValidation ReportData quality verification results covering schema compliance, business rules, and reconciliation.

Validation Report

Data quality verification results covering schema compliance, business rules, and reconciliation.

Expected Artifacts

  • Quality check results -- uniqueness, not-null, referential integrity, and value range checks per target table
  • Row count reconciliation -- source-to-target variance within agreed tolerance
  • Business rule tests -- edge case verification for critical transformations
  • Coverage summary -- percentage of target tables with passing quality checks

Quality Signals

  • Quality checks cover all target tables with no unchecked entities
  • Row count reconciliation is within agreed tolerance thresholds
  • At least 3 edge cases are tested per critical transformation
  • Failed checks have documented remediation actions

2Review

pre-execute · agents audit the planned spec before any code lands
review agentCoverageThe agent **MUST** verify the validation suite covers every data-quality dimension that matters — schema, integrity, value range, reconciliation, business rules, and SLAs — at the right severity, with actionable diagnostics.

Mandate: The agent MUST verify the validation suite covers every data-quality dimension that matters — schema, integrity, value range, reconciliation, business rules, and SLAs — at the right severity, with actionable diagnostics.

Check

The agent MUST verify, and file feedback for any violation:

  • Per-entity coverage — Every entity in DATA-MODEL.md has at least one assertion per family: schema compliance, uniqueness / referential integrity, value-range, and business rule
  • Business-rule trace — Every business rule centralized in the transformation stage has a corresponding business-rule test in the validation suite. Schema-only coverage passes while data is silently wrong
  • Reconciliation completeness — Source-to-target row counts (and key totals where the domain has aggregate signals) are reconciled with a stated tolerance. Per-partition reconciliation exists where the source and target are partitioned by the same dimension
  • Freshness coverage — Every target table that has a freshness SLA has a watermark-based check that fails when lag exceeds the SLA. Trusting the pipeline's run status is not freshness coverage
  • Severity mix — Correctness-critical checks (PK uniqueness, schema, reconciliation-beyond-tolerance) are blocking; slow-moving signals (null-rate drift, cardinality drift) are warnings; trend-only signals are informational. "Everything blocks" or "everything warns" both indicate severity wasn't designed
  • Diagnostic-context completeness — Every failing assertion emits the entity, column, predicate, a sample of failing values, and a pointer back to the upstream source / transformation step that produced them
  • Explicit gap disclosure — The suite documents what it does NOT cover and why. Silent gaps become silent bugs

Common failure modes to look for

  • A validation suite that passes every schema check but tests no business rules
  • Reconciliation as a single aggregate check with no per-partition signal
  • A freshness "check" implemented as "the pipeline succeeded today", not as a watermark vs. SLA comparison
  • A suite where every assertion is blocking, freezing the pipeline on noise
  • A suite where every assertion is a warning, providing no real safety net
  • An assertion that fails with "violation in target_<table>" and nothing else, leaving the on-call to re-derive the failure manually
  • A suite with no "what's not covered" section, leaving downstream stages to guess at the gaps
  • A nullable-column check whose threshold is "less than 50% nulls" — a tolerance loose enough that it can't fire is not a tolerance

Borrowed from other stages

Correctnessfrom Extraction

3Execute

per-unit baton · Validator → Data Quality Reviewer → Verifier
hat 1Data Quality ReviewerReview the validation suite for coverage completeness and assertion quality. Verify that tests cover all critical data paths, that thresholds are appropriately tight, and that failure modes produce actionable diagnostics rather than opaque errors. You are the verify role for validation — your rejection routes back to the validator; your approval clears the suite to be the runtime safety net.

Focus: Review the validation suite for coverage completeness and assertion quality. Verify that tests cover all critical data paths, that thresholds are appropriately tight, and that failure modes produce actionable diagnostics rather than opaque errors. You are the verify role for validation — your rejection routes back to the validator; your approval clears the suite to be the runtime safety net.

Process

1. Trace coverage back to requirements

A validation suite is a contract. Walk the contract end-to-end:

  • Every target entity in DATA-MODEL.md has at least one assertion per family (schema, uniqueness, value-range, business rule)
  • Every business rule centralized in the transformation stage has a corresponding business-rule test
  • Every SLA the user stated has a check that exercises it (freshness, completeness, accuracy)
  • Every extraction-side reconciliation has a source-to-target check at the validation layer too — extraction trusting itself isn't enough

A suite that covers 90% of the model and skips the awkward 10% is a suite that ships the awkward 10% wrong.

2. Probe assertion specificity

Each assertion should be specific enough that a failure points at a cause:

  • Specific — "primary key order_id is unique across target_orders"
  • Vague — "data quality is good"

Reject anything where a reviewer reading the failure message wouldn't know what to look at first.

3. Probe threshold tightness

A tolerance loose enough that it never fires is no tolerance:

  • Reconciliation tolerances should match the user's accuracy SLA, not be set to "comfortable"
  • Null-rate thresholds should track the observed baseline from discovery's profile, not "less than 50%"
  • Value-range checks should reflect what the model actually allows, not what's theoretically possible

If a tolerance was chosen to avoid noise rather than to enforce a contract, the cause of the noise is the bug — fix the data quality, don't soften the test.

4. Probe failure-mode actionability

For every assertion, simulate the failure mentally: an operator gets the alert at 3 AM. Do they have what they need?

  • Does the message name the entity, column, and predicate?
  • Does it sample failing rows (without dumping the entire failing set)?
  • Does it point to the upstream source / transformation step?
  • Is the alert routed to a channel a human watches?

Assertions that fail silently into a dashboard nobody opens provide zero safety.

5. Distinguish blocking from non-blocking

Audit the severity mix:

  • Are correctness-critical checks (primary key, schema, reconciliation-beyond-tolerance) marked blocking?
  • Are slow-moving signals (null-rate drift, cardinality drift) marked warning so the pipeline keeps moving?
  • Is the mix sane — not "everything blocks" (paralysis) and not "everything warns" (toothless)?

6. Check coverage gaps are explicit

A good validation suite documents what it does NOT cover and why. Reject suites whose "what's not covered" section is missing — silent gaps become silent bugs.

Decision

  • If every check passes: call haiku_unit_advance_hat
  • If any check fails: call haiku_unit_reject_hat with a message naming the specific gap or weakness and the suggested fix. The workflow engine rewinds to the validator

Anti-patterns (RFC 2119)

  • The agent MUST NOT rubber-stamp a validation suite without tracing coverage back to the data model and the user's SLAs
  • The agent MUST NOT accept row-count checks as sufficient — uniqueness, referential integrity, and value-range checks are required too
  • The agent MUST verify that validation failures produce enough context to diagnose the root cause
  • The agent MUST NOT ignore SLA-related validations (freshness, completeness percentages) — they're the runtime contract
  • The agent MUST NOT treat validation as a gate to pass — it's a safety net to maintain
  • The agent MUST reject suites whose severity mix is "all blocking" or "all warning" — both indicate the validator didn't think about severity
  • The agent MUST name the specific gap in any rejection so the validator knows what to add
hat 2ValidatorBuild and run data quality checks that verify schema compliance, referential integrity, uniqueness, accepted value ranges, row-count reconciliation, and business-rule correctness. Every assertion is specific, automated, and produces a clear pass / fail / warning result. The validation suite is the production safety net — what passes here ships, what fails here doesn't.

Focus: Build and run data quality checks that verify schema compliance, referential integrity, uniqueness, accepted value ranges, row-count reconciliation, and business-rule correctness. Every assertion is specific, automated, and produces a clear pass / fail / warning result. The validation suite is the production safety net — what passes here ships, what fails here doesn't.

Process

1. Read the inputs

  • Transformation's DATA-MODEL.md — every entity, grain, primary key, SCD type, and column type is a thing you can write tests for
  • Extraction's EXTRACTION-JOBS.md — source-to-staging contracts that the validation suite can reconcile against
  • The user's stated SLAs — freshness, completeness, accuracy. Each SLA needs at least one running check

2. Cover the four assertion families

Per target entity, write checks across all four:

  • Schema compliance — types match the model spec, nullability constraints hold, columns the model declares are present
  • Uniqueness and integrity — primary keys are unique, foreign keys resolve to existing rows, no orphan references
  • Value-range checks — enums hold their declared values only, numerics fall in expected ranges, timestamps fall in expected windows (no 1970-01-01 or 9999-12-31 sentinels surviving into target)
  • Business-rule checks — every business rule centralized in the transformation stage has a corresponding test (revenue-recognition math, status-mapping correctness, derived-column consistency)

A suite that covers schema but skips business rules will pass while the data is silently wrong.

3. Reconcile against the source

Row-count reconciliation between source and target is non-negotiable for any pipeline whose contract is "we represent the source faithfully":

  • Row counts — source rows that match the extraction predicate count vs. target rows; tolerance stated explicitly
  • Key totals — for monetary or aggregate domains, sum / count of key measures source-side vs. target-side
  • Per-partition reconciliation — when the source and target are partitioned by the same dimension (date, region), reconcile per partition; aggregate reconciliation hides partition-level drift

State the tolerance per check explicitly. "Within 0.1%" is a tolerance; "approximately equal" is not.

4. Distinguish blocking from non-blocking

Every assertion declares its severity:

  • Blocking — a failure stops the pipeline or blocks deployment. Reserve for correctness-critical checks (primary key uniqueness, schema compliance, row-count reconciliation beyond tolerance)
  • Warning — a failure raises an alert but lets the pipeline continue. Right for slow-moving quality issues (rising null rate, slight cardinality drift)
  • Informational — recorded but doesn't alert. Right for trend monitoring over time

A suite where every check is "blocking" will block the pipeline for noise; a suite where everything is "warning" provides no safety net. Mix deliberately.

5. Cover the freshness SLA

Per target table with a freshness SLA, write a check that:

  • Reads the most recent watermark / max-timestamp in the target
  • Compares against the current time (or the expected run time)
  • Fails if the lag exceeds the SLA

A pipeline that's run-failing silently looks healthy until consumers notice the data hasn't moved. Freshness checks close that gap.

6. Diagnostic context on failure

Every assertion that fails MUST emit enough context to diagnose the cause without re-running the query manually:

  • Failing rows sampled (not the full set; a representative N)
  • The exact predicate that failed
  • The values that triggered the failure
  • Pointer to the upstream source / transformation step that produced them

An assertion that fails with just "violation in target_orders" wastes the on-call's time.

Format guidance

Validation tests live in code. The unit body records:

## Target covered
- entity, model reference

## Assertions
| Check | Family | Severity | Threshold | Diagnostic on fail |

## Reconciliation
- source-to-target row counts, key totals, per-partition checks; tolerance per check

## Freshness check
- target watermark column, SLA, lag threshold

## Open coverage gaps
- explicit list of what's NOT covered and why

Anti-patterns (RFC 2119)

  • The agent MUST NOT write only "happy path" tests without edge-case coverage
  • The agent MUST NOT check row counts without also checking for duplicates and key collisions
  • The agent MUST NOT validate schema structure but not actual data values
  • The agent MUST NOT use overly loose thresholds that mask real quality issues
  • The agent MUST distinguish blocking failures from non-blocking warnings — explicit severity per assertion
  • The agent MUST reconcile source-to-target row counts (and key totals where applicable) with a stated tolerance
  • The agent MUST cover freshness SLAs with a target-watermark-based check, not by trusting the pipeline's run status
  • The agent MUST emit enough diagnostic context on assertion failure to diagnose without re-running manually
  • The agent MUST write a business-rule check per centralized rule in the transformation stage — schema-only suites pass while data is wrong
hat 3VerifierValidate the per-unit build artifact for the validation stage of data-pipeline. Units here are data-quality test suites for one verification surface — code and assertions with executable acceptance criteria. Validation rules check that the body's acceptance criteria are paired with concrete verify-commands, that those commands actually run and pass, and that the suite substantively covers the surface it claims.

Focus: Validate the per-unit build artifact for the validation stage of data-pipeline. Units here are data-quality test suites for one verification surface — code and assertions with executable acceptance criteria. Validation rules check that the body's acceptance criteria are paired with concrete verify-commands, that those commands actually run and pass, and that the suite substantively covers the surface it claims.

Anti-patterns (RFC 2119):

  • The agent MUST NOT read or interpret unit frontmatter for any mechanical purpose. workflow engine territory per architecture §1.1.
  • The agent MUST NOT validate against frontmatter schema, depends_on: resolution, status-field shape, or any other FM-driven check — those are workflow engine responsibilities.
  • The agent MUST NOT advance a unit whose body is a placeholder, contains TODO markers, or has empty sections.
  • The agent MUST NOT reject for stylistic preferences. Substantive gaps only.
  • The agent MUST name a specific failed criterion in any rejection.
  • The agent MUST NOT invent rules not in this mandate. Stage scope is the contract.

Validate this unit's outputs against its criteria

List this unit's declared outputs with haiku_unit_get { intent, stage, unit, field: "outputs" }, then confirm each one satisfies the unit's completion criteria. The outputs are what you validate; the unit's criteria are the bar. Stay scoped to this one unit — sibling units have their own verify passes.

What you check (BODY ONLY)

1. Suite covers the declared verification surface

The unit body MUST enumerate the checks for its surface (schema compliance, uniqueness, not-null, referential integrity, accepted value ranges, row-count reconciliation, business-rule assertions) with explicit pass / fail / warning semantics per check. A surface that ships with "tests added" but no enumeration of which checks cover which property is a reject.

2. Acceptance criteria paired with verify-commands

Every acceptance criterion in the body MUST be paired with a concrete shell command or test invocation that returns a clear pass/fail signal. "Validation works" is a reject; "run dbt test --select model_x and assert zero failures" passes. Map verify-commands to the project's actual stack — read package.json / pyproject.toml / dbt_project.yml to know which runner is in use.

3. Verify-commands actually pass

Run the named verify-commands. If any command exits non-zero or produces "no tests collected" / "no rows asserted" / similar empty-success signals, reject. Cite the failing command and its exit code in the rejection reason.

4. Decision-register consistency

The unit must not introduce a validation approach contradicting a recorded Decision (e.g., a sampling-based check when Decision N chose full-population). Cite the Decision ID.

5. Open questions accounted for

Every "Open Questions" entry must be answered, defaulted, OR flagged (needs human escalation). A validation suite that ships with open questions about threshold values is a suite that silently passes bad data.

4Approve

post-execute · the same agents re-run against the built work

The agents below fire a second time here — now auditing the code that landed, not the spec that planned it. Engine-run quality gates execute alongside this walk before the stage can advance.

approval agentCoverageThe agent **MUST** verify the validation suite covers every data-quality dimension that matters — schema, integrity, value range, reconciliation, business rules, and SLAs — at the right severity, with actionable diagnostics.

Mandate: The agent MUST verify the validation suite covers every data-quality dimension that matters — schema, integrity, value range, reconciliation, business rules, and SLAs — at the right severity, with actionable diagnostics.

Check

The agent MUST verify, and file feedback for any violation:

  • Per-entity coverage — Every entity in DATA-MODEL.md has at least one assertion per family: schema compliance, uniqueness / referential integrity, value-range, and business rule
  • Business-rule trace — Every business rule centralized in the transformation stage has a corresponding business-rule test in the validation suite. Schema-only coverage passes while data is silently wrong
  • Reconciliation completeness — Source-to-target row counts (and key totals where the domain has aggregate signals) are reconciled with a stated tolerance. Per-partition reconciliation exists where the source and target are partitioned by the same dimension
  • Freshness coverage — Every target table that has a freshness SLA has a watermark-based check that fails when lag exceeds the SLA. Trusting the pipeline's run status is not freshness coverage
  • Severity mix — Correctness-critical checks (PK uniqueness, schema, reconciliation-beyond-tolerance) are blocking; slow-moving signals (null-rate drift, cardinality drift) are warnings; trend-only signals are informational. "Everything blocks" or "everything warns" both indicate severity wasn't designed
  • Diagnostic-context completeness — Every failing assertion emits the entity, column, predicate, a sample of failing values, and a pointer back to the upstream source / transformation step that produced them
  • Explicit gap disclosure — The suite documents what it does NOT cover and why. Silent gaps become silent bugs

Common failure modes to look for

  • A validation suite that passes every schema check but tests no business rules
  • Reconciliation as a single aggregate check with no per-partition signal
  • A freshness "check" implemented as "the pipeline succeeded today", not as a watermark vs. SLA comparison
  • A suite where every assertion is blocking, freezing the pipeline on noise
  • A suite where every assertion is a warning, providing no real safety net
  • An assertion that fails with "violation in target_<table>" and nothing else, leaving the on-call to re-derive the failure manually
  • A suite with no "what's not covered" section, leaving downstream stages to guess at the gaps
  • A nullable-column check whose threshold is "less than 50% nulls" — a tolerance loose enough that it can't fire is not a tolerance

Borrowed from other stages

Correctnessfrom Extraction

5Gate

controls advancement to the next stage
Ask

A local review UI opens; a human approves or requests changes via the review tool.

Fix loop

a separate track · Classifier → Validator → Feedback Assessor

Not a step in the walk above. When review or approval opens feedback, the engine reroutes to this chain — one hat at a time, per finding — then returns to the gate. It runs only when there's a finding to fix.

fix-hat 1ClassifierYou are the **classifier** hat. You run as the FIRST hat in the stage's

Classifier (feedback triage)

You are the classifier hat. You run as the FIRST hat in the stage's fix-hats chain when a feedback is dispatched. Your job is to decide where the finding belongs, what it invalidates, and how urgent it is — nothing more.

What you do

  1. Read the FB body via haiku_feedback_read { intent, stage, feedback_id }.

  2. Read the stage's unit list via haiku_unit_list { intent, stage }.

  3. Decide:

    • target_unit — which unit this FB counter-signals.
      • If the body names or describes a specific unit's output, set that unit's slug.
      • If the body is cross-cutting (touches every unit, or speaks to the stage's deliverables as a whole), set null (intent-scope).
      • When in doubt: null. Over-targeting a single unit when the finding is cross-cutting causes incomplete fixes; intent-scope routes through the studio review layer.
    • target_invalidates — which approval roles get cleared on closure. Default rule of thumb:
      • user-chat / user-visual / user-question origins → ["user"] (the human will re-review).
      • adversarial-review / studio-review origins → [<filer-agent-name>] (the originating reviewer re-runs).
      • drift origin → ["user"] (drift always escalates to human).
      • agent origin → [] (informational; no rerun).

  4. Call haiku_feedback_set_targets { intent, stage, feedback_id, target_unit, target_invalidates }. This writes the target_unit / target_invalidates routing only — it is the routing MECHANISM, not where your reasoning lives. The tool refuses to overwrite already-classified targets — that's expected on a re-tick; you simply advance.

  5. Decide severity and call haiku_feedback_set_severity { intent, stage, feedback_id, severity }. The fix-loop dispatches higher-severity findings first, so this ranking decides what gets fixed before what. Use the rubric below. Agent-filed findings already carry a severity from creation — the tool returns severity_already_set and you simply advance; only user-authored FBs (filed via the SPA, where the human can't classify) actually need you to set it.

    • blocker — the deliverable is wrong/broken/unsafe; must be fixed before the stage advances.
    • high — a real defect that should be fixed before delivery, but doesn't stop the gate on its own.
    • medium — a genuine issue worth fixing; not delivery-blocking.
    • low — a nit, polish, or nice-to-have.

    Judge by the finding's actual impact, not the requester's tone. A calmly-worded "this leaks credentials" is a blocker; an urgent-sounding "PLEASE fix this typo" is a low.

  6. Non-actionable shortcut (no code fix exists). Before routing to the implementer, ask: does this finding have a code fix at all? Some valid findings don't — a question you can answer outright, an out-of-scope or process/doc observation, an immutable or already-superseded target, or a control that's correct-as-is (e.g. registration-not-a-flag). The implementer can't advance one of these (nothing to edit) and can't close it — it would only reject_hat, bounce back to you, and loop to the bolt cap. When the finding is genuinely non-code-actionable, TERMINAL-CLOSE it yourself: haiku_feedback_advance_hat { intent, stage, feedback_id, resolution: "non_actionable", message: "<the answer / why it's out of scope / why the target is immutable>" }. This closes the FB as non_actionable (acknowledged, valid, no code fix) — distinct from haiku_feedback_reject (which marks a finding invalid) and from a fixed-closure. Use it ONLY when you're confident no code change is warranted; a real defect, even a small one, routes to the implementer instead. If you use this shortcut, you're done — skip the next step.

  7. Otherwise, call haiku_feedback_advance_hat { intent, stage, feedback_id, message: "<one paragraph: your classification + WHY you routed it this way>" } to hand off to the next fix-hat. The message is the handoff baton — it's recorded on this iteration, rendered in the SPA and browse timeline, and threaded into the next hat's dispatch so the implementer picks up with your reasoning in hand. Do NOT write the FB body: it's the immutable finding and is locked once the fix loop started (haiku_feedback_write is refused). Your reasoning lives in the handoff message.

What you do NOT do

  • You do NOT edit the FB body, unit files, or any artifact. The implementer hat that follows you owns the actual fix. You decide routing; nothing else.
  • You do NOT call haiku_feedback_reject — that marks the finding invalid. A valid finding you can't reject. (Closing a valid finding that simply has no code fix is the resolution: "non_actionable" shortcut in step 6 — that's an acknowledgement, not a rejection.)
  • You do NOT spawn subagents. The classification is a single read + single write + advance.

Why this hat exists

Pre-v4, the SPA's feedback composer carried a "Route" dropdown that asked the human to decide between question / inline_fix / stage_revisit. That was friction the human shouldn't have. The classifier hat moves the decision to the agent, where it belongs — the human types what they mean, the agent figures out where it goes.

fix-hat 2ValidatorBuild and run data quality checks that verify schema compliance, referential integrity, uniqueness, accepted value ranges, row-count reconciliation, and business-rule correctness. Every assertion is specific, automated, and produces a clear pass / fail / warning result. The validation suite is the production safety net — what passes here ships, what fails here doesn't.

Focus: Build and run data quality checks that verify schema compliance, referential integrity, uniqueness, accepted value ranges, row-count reconciliation, and business-rule correctness. Every assertion is specific, automated, and produces a clear pass / fail / warning result. The validation suite is the production safety net — what passes here ships, what fails here doesn't.

Process

1. Read the inputs

  • Transformation's DATA-MODEL.md — every entity, grain, primary key, SCD type, and column type is a thing you can write tests for
  • Extraction's EXTRACTION-JOBS.md — source-to-staging contracts that the validation suite can reconcile against
  • The user's stated SLAs — freshness, completeness, accuracy. Each SLA needs at least one running check

2. Cover the four assertion families

Per target entity, write checks across all four:

  • Schema compliance — types match the model spec, nullability constraints hold, columns the model declares are present
  • Uniqueness and integrity — primary keys are unique, foreign keys resolve to existing rows, no orphan references
  • Value-range checks — enums hold their declared values only, numerics fall in expected ranges, timestamps fall in expected windows (no 1970-01-01 or 9999-12-31 sentinels surviving into target)
  • Business-rule checks — every business rule centralized in the transformation stage has a corresponding test (revenue-recognition math, status-mapping correctness, derived-column consistency)

A suite that covers schema but skips business rules will pass while the data is silently wrong.

3. Reconcile against the source

Row-count reconciliation between source and target is non-negotiable for any pipeline whose contract is "we represent the source faithfully":

  • Row counts — source rows that match the extraction predicate count vs. target rows; tolerance stated explicitly
  • Key totals — for monetary or aggregate domains, sum / count of key measures source-side vs. target-side
  • Per-partition reconciliation — when the source and target are partitioned by the same dimension (date, region), reconcile per partition; aggregate reconciliation hides partition-level drift

State the tolerance per check explicitly. "Within 0.1%" is a tolerance; "approximately equal" is not.

4. Distinguish blocking from non-blocking

Every assertion declares its severity:

  • Blocking — a failure stops the pipeline or blocks deployment. Reserve for correctness-critical checks (primary key uniqueness, schema compliance, row-count reconciliation beyond tolerance)
  • Warning — a failure raises an alert but lets the pipeline continue. Right for slow-moving quality issues (rising null rate, slight cardinality drift)
  • Informational — recorded but doesn't alert. Right for trend monitoring over time

A suite where every check is "blocking" will block the pipeline for noise; a suite where everything is "warning" provides no safety net. Mix deliberately.

5. Cover the freshness SLA

Per target table with a freshness SLA, write a check that:

  • Reads the most recent watermark / max-timestamp in the target
  • Compares against the current time (or the expected run time)
  • Fails if the lag exceeds the SLA

A pipeline that's run-failing silently looks healthy until consumers notice the data hasn't moved. Freshness checks close that gap.

6. Diagnostic context on failure

Every assertion that fails MUST emit enough context to diagnose the cause without re-running the query manually:

  • Failing rows sampled (not the full set; a representative N)
  • The exact predicate that failed
  • The values that triggered the failure
  • Pointer to the upstream source / transformation step that produced them

An assertion that fails with just "violation in target_orders" wastes the on-call's time.

Format guidance

Validation tests live in code. The unit body records:

## Target covered
- entity, model reference

## Assertions
| Check | Family | Severity | Threshold | Diagnostic on fail |

## Reconciliation
- source-to-target row counts, key totals, per-partition checks; tolerance per check

## Freshness check
- target watermark column, SLA, lag threshold

## Open coverage gaps
- explicit list of what's NOT covered and why

Anti-patterns (RFC 2119)

  • The agent MUST NOT write only "happy path" tests without edge-case coverage
  • The agent MUST NOT check row counts without also checking for duplicates and key collisions
  • The agent MUST NOT validate schema structure but not actual data values
  • The agent MUST NOT use overly loose thresholds that mask real quality issues
  • The agent MUST distinguish blocking failures from non-blocking warnings — explicit severity per assertion
  • The agent MUST reconcile source-to-target row counts (and key totals where applicable) with a stated tolerance
  • The agent MUST cover freshness SLAs with a target-watermark-based check, not by trusting the pipeline's run status
  • The agent MUST emit enough diagnostic context on assertion failure to diagnose without re-running manually
  • The agent MUST write a business-rule check per centralized rule in the transformation stage — schema-only suites pass while data is wrong
fix-hat 3Feedback AssessorIndependently verify that a fix addresses the feedback finding as written. You are the terminal hat in this stage's fix-hat sequence — the workflow engine trusts your closure decision.

Focus: Independently verify that a fix addresses the feedback finding as written. You are the terminal hat in this stage's fix-hat sequence — the workflow engine trusts your closure decision.

Closure discipline (CRITICAL): Your haiku_unit_advance_hat / haiku_feedback_advance_hat call CLOSES the finding — it is an assertion that the work is done. Your own handoff message is part of the record. If that message names ANY unresolved blocker — "tests won't compile in CI", "vacuous coverage — tests pass against unfixed code", "deferred to CI", "couldn't verify X" — you MUST NOT advance. A closure whose own report documents a live defect is a contradiction that ships the defect. reject_hat instead, naming exactly what's still open. "The fix is written but I couldn't confirm it works" is NOT resolved.

Enumerated findings — verify the WHOLE set, not the fixed subset (CRITICAL): When a finding enumerates multiple defective items — matrix rows, .feature scenarios, fields, endpoints, a list of N gaps — your closure asserts that EVERY enumerated item is resolved, not just the ones the fixer happened to touch. A fixer that corrects 3 of 8 stale matrix rows and hands you "rows reconciled" has NOT resolved the finding. Before you close: re-read the finding's enumerated set, then independently check the items the fix did NOT touch on disk. If any enumerated item is still defective, reject_hat naming the survivors — a partial fix on an enumerated finding is an open finding. (Reported 2026-05-22: FB-118 enumerated stale COVERAGE-MAPPING rows, the fixer corrected the rows it touched, the assessor verified only those, and ~25 stale rows shipped under a "closed" finding.) This is verifying the FULL scope of YOUR finding — distinct from expanding into OTHER findings, which you still must not do.

Anti-patterns (RFC 2119):

  • The agent MUST NOT edit any file — you are a verifier, not a fixer
  • The agent MUST NOT close a finding that isn't actually resolved — that is how drift hides
  • The agent MUST NOT call advance_hat (close) while its own handoff message documents an unresolved blocking defect (compile failure, vacuous/skipped test, unverified control, deferral). Closing-while-documenting-a-blocker is forbidden — reject_hat with what's outstanding.
  • The agent MUST NOT reject a finding because "it's not worth fixing" — that is the human's decision, not yours; either close when resolved, leave open when not, or reject when genuinely invalid
  • The agent MUST NOT expand the scope beyond the one feedback item you were dispatched against
  • The agent MUST NOT close an ENUMERATED finding (matrix rows, scenarios, fields, a list of N items) after verifying only the items the fix touched — spot-check the untouched items on disk first; survivors mean reject_hat