diff --git a/app/git.js b/app/git.js
new file mode 100644
index 0000000..ed80d20
--- /dev/null
+++ b/app/git.js
@@ -0,0 +1,38 @@
+import { spawnSync } from 'child_process';
+import { GITEA_SERVER_URL, GITEA_REPOSITORY, GITEA_TOKEN, PR_HEAD_BRANCH, FINDINGS_PATH } from './config.js';
+
+function git(args, cwd) {
+  const result = spawnSync('git', args, { cwd, encoding: 'utf8' });
+  if (result.error) throw result.error;
+  if (result.status !== 0) throw new Error(result.stderr || result.stdout);
+  return (result.stdout || '').trim();
+}
+
+/**
+ * Commit findings.json 並 push 到 PR 來源分支
+ */
+export function commitAndPush(workspace) {
+  const repoDir = `${workspace}/${GITEA_REPOSITORY}`;
+  const remoteUrl = GITEA_SERVER_URL.replace(/\/$/, '').replace('https://', `https://${GITEA_TOKEN}@`) + `/${GITEA_REPOSITORY}.git`;
+
+  try {
+    git(['config', 'user.email', 'ai-review[bot]@gitea'], repoDir);
+    git(['config', 'user.name', 'AI Review Bot'], repoDir);
+    git(['fetch', 'origin', PR_HEAD_BRANCH], repoDir);
+    git(['checkout', PR_HEAD_BRANCH], repoDir);
+    git(['add', FINDINGS_PATH], repoDir);
+
+    const status = git(['status', '--porcelain'], repoDir);
+    if (!status) {
+      console.log('  findings.json 無變更，跳過 commit');
+      return;
+    }
+
+    const out = git(['commit', '-m', 'chore: update ai-review findings [skip ci]'], repoDir);
+    const commitHash = out.match(/\[.+ ([a-f0-9]+)\]/)?.[1] || 'unknown';
+    git(['push', remoteUrl, PR_HEAD_BRANCH], repoDir);
+    console.log(`  ✅ persisted findings  commit=${commitHash}  push=${PR_HEAD_BRANCH}`);
+  } catch (e) {
+    console.log(`  ⚠️  Runner failed: commit/push 失敗: ${e.message}`);
+  }
+}
diff --git a/app/main.js b/app/main.js
index de466f7..4e6f88c 100644
--- a/app/main.js
+++ b/app/main.js
@@ -3,6 +3,7 @@ import { loadRoles, getRoleIntro } from './roles.js';
 import { getPRDiff, postComment } from './gitea.js';
 import { analyzeWithRole, loadOldFindings, mergeFindings, sortByLevel, deduplicateWithAI } from './findings.js';
 import { saveFindings, postOldFindingsComment, postNewNonCriticalComment, postNewCriticalComments } from './comments.js';
+import { commitAndPush } from './git.js';
 
 const WORKSPACE = process.env.GITHUB_WORKSPACE || '/workspace';
 
@@ -88,11 +89,19 @@ async function main() {
     console.log(`  ⚠️  comment 發布失敗（繼續執行）: ${e.message}`);
   }
 
-  console.log('\n💾 Step5: 記憶區 Commit/Push（待實作）');
-  console.log('  [stub] commit & push findings.json...');
+  // Step5: commit/push findings.json 到來源分支
+  console.log('\n💾 Step5: 記憶區 Commit/Push');
+  commitAndPush(WORKSPACE);
 
-  console.log('\n🚦 Step6: 嚴重問題檢查（待實作）');
-  console.log('  [stub] 檢查 critical findings...');
+  // Step6: 有 critical 問題則 exit 1
+  console.log('\n🚦 Step6: 嚴重問題檢查');
+  const criticalCount = sorted.filter(f => f.level === 'critical').length;
+  if (criticalCount > 0) {
+    console.log(`  ❌ 發現 ${criticalCount} 個嚴重問題，workflow 結束（exit 1）`);
+    console.log('='.repeat(60));
+    process.exit(1);
+  }
+  console.log('  ✅ 無嚴重問題');
 
   console.log('\n✅ Pipeline 完成');
   console.log('='.repeat(60));