diff --git a/app/git.js b/app/git.js
new file mode 100644
index 0000000..7634ffb
--- /dev/null
+++ b/app/git.js
@@ -0,0 +1,44 @@
+import { execSync } from 'child_process';
+import { GITEA_SERVER_URL, GITEA_REPOSITORY, GITEA_TOKEN, PR_HEAD_BRANCH, FINDINGS_PATH } from './config.js';
+
+function exec(cmd, cwd) {
+  return execSync(cmd, { cwd, stdio: 'pipe' }).toString().trim();
+}
+
+/**
+ * Commit findings.json 並 push 到 PR 來源分支
+ */
+export function commitAndPush(workspace) {
+  const repoDir = `${workspace}/${GITEA_REPOSITORY}`;
+  const remoteUrl = `${GITEA_SERVER_URL.replace(/\/$/, '')}/${GITEA_REPOSITORY}.git`
+    .replace('https://', `https://${GITEA_TOKEN}@`);
+
+  try {
+    // 設定 git 身份
+    exec('git config user.email "ai-review[bot]@gitea"', repoDir);
+    exec('git config user.name "AI Review Bot"', repoDir);
+
+    // 切換到來源分支
+    exec(`git fetch origin ${PR_HEAD_BRANCH}`, repoDir);
+    exec(`git checkout ${PR_HEAD_BRANCH}`, repoDir);
+
+    // 確認 findings.json 存在
+    exec(`git add ${FINDINGS_PATH}`, repoDir);
+
+    // 檢查是否有變更
+    const status = exec('git status --porcelain', repoDir);
+    if (!status) {
+      console.log('  findings.json 無變更，跳過 commit');
+      return;
+    }
+
+    const commitMsg = 'chore: update ai-review findings [skip ci]';
+    const commitHash = exec(`git commit -m "${commitMsg}"`, repoDir)
+      .match(/\[.+ ([a-f0-9]+)\]/)?.[1] || 'unknown';
+
+    exec(`git push ${remoteUrl} ${PR_HEAD_BRANCH}`, repoDir);
+    console.log(`  ✅ persisted findings  commit=${commitHash}  push=${PR_HEAD_BRANCH}`);
+  } catch (e) {
+    console.log(`  ⚠️  Runner failed: commit/push 失敗: ${e.message}`);
+  }
+}
diff --git a/app/main.js b/app/main.js
index de466f7..4e6f88c 100644
--- a/app/main.js
+++ b/app/main.js
@@ -3,6 +3,7 @@ import { loadRoles, getRoleIntro } from './roles.js';
 import { getPRDiff, postComment } from './gitea.js';
 import { analyzeWithRole, loadOldFindings, mergeFindings, sortByLevel, deduplicateWithAI } from './findings.js';
 import { saveFindings, postOldFindingsComment, postNewNonCriticalComment, postNewCriticalComments } from './comments.js';
+import { commitAndPush } from './git.js';
 
 const WORKSPACE = process.env.GITHUB_WORKSPACE || '/workspace';
 
@@ -88,11 +89,19 @@ async function main() {
     console.log(`  ⚠️  comment 發布失敗（繼續執行）: ${e.message}`);
   }
 
-  console.log('\n💾 Step5: 記憶區 Commit/Push（待實作）');
-  console.log('  [stub] commit & push findings.json...');
+  // Step5: commit/push findings.json 到來源分支
+  console.log('\n💾 Step5: 記憶區 Commit/Push');
+  commitAndPush(WORKSPACE);
 
-  console.log('\n🚦 Step6: 嚴重問題檢查（待實作）');
-  console.log('  [stub] 檢查 critical findings...');
+  // Step6: 有 critical 問題則 exit 1
+  console.log('\n🚦 Step6: 嚴重問題檢查');
+  const criticalCount = sorted.filter(f => f.level === 'critical').length;
+  if (criticalCount > 0) {
+    console.log(`  ❌ 發現 ${criticalCount} 個嚴重問題，workflow 結束（exit 1）`);
+    console.log('='.repeat(60));
+    process.exit(1);
+  }
+  console.log('  ✅ 無嚴重問題');
 
   console.log('\n✅ Pipeline 完成');
   console.log('='.repeat(60));