renatocaliari/skills/local/cali-testing
skills/local/cali-testing/SKILL.md
--- name: cali-testing description: Run post-implementation testing protocol. Triggers when: user says "test this", "run tests", "QA", "dogfood", "check quality", user finishes implementing a feature, or when a PR is ready for review. Also triggers on mentions of: test coverage, accessibility audit, WCAG, design review, code review, subagent review. Covers: parallel review via subagents, UI quality audit, accessibility check, and browser testing. --- # Testing Protocol After implementing any f
$ install --global
skillsauthnpx skillsauth add renatocaliari/agent-sync-public-skills skills/local/cali-testingInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 28, 2026, 4:07 AM13.3s2 files scanned
SKILL.md
- name:
- cali-testing
- description:
- Run post-implementation testing protocol. Triggers when: user says "test this", "run tests", "QA", "dogfood", "check quality", user finishes implementing a feature, or when a PR is ready for review. Also triggers on mentions of: test coverage, accessibility audit, WCAG, design review, code review, subagent review. Covers: parallel review via subagents, UI quality audit, accessibility check, and browser testing.
Testing Protocol
After implementing any feature, run this protocol before marking complete.
Contents
| Phase | What | When to skip | |-------|------|--------------| | Phase 1: Unit Tests | Run test suite, block on failure | Never | | Phase 2: Code Review | Parallel subagent review | <3 files changed | | Phase 3: UI Quality | Accessibility + design audit | Non-visual features | | Phase 4: Browser Testing | Interactive QA | Non-interactive features | | Phase 5: Final Checklist | Pre-completion verification | Never |
Phase 1: Unit Tests
Run the project's test suite first:
# Go
go test ./...
# Node
npm test
# Python
pytest
Block until tests pass. Do not proceed with failing tests.
Phase 2: Parallel Code Review via Subagents
Launch fresh-context reviewers in parallel:
subagent({
tasks: [
{
agent: "reviewer",
task: "Review this diff for correctness, regressions, and edge cases. Focus on: logic errors, missing error handling, security issues, performance regressions. Provide specific line references.",
output: false
},
{
agent: "reviewer",
task: "Review this diff for simplicity and code quality. Focus on: unnecessary complexity, dead code, naming clarity, adherence to project conventions. Remove slop and verbosity.",
output: false
}
],
concurrency: 2,
context: "fresh"
})
When to use subagents:
- Diff touches 3+ files
- Feature involves multiple components
- Changes affect critical paths (auth, payments, data)
When to skip:
- Single-file typo fix
- Config-only change
- Documentation update
Phase 3: UI Quality (if visual)
Only if the scope involves a visual interface.
Accessibility Audit
Load the audit skill for WCAG compliance:
/audit
Checks:
- Color contrast ratios
- Keyboard navigation
- Screen reader compatibility
- ARIA attributes
- Focus management
Design Review
Load the critique skill for design quality:
/critique
Checks:
- Cognitive load
- Visual hierarchy
- Consistency with existing patterns
- AI slop detection (over-generated UI)
Phase 4: Browser Testing (if interactive)
Load agent-browser and dogfood skills for interactive testing:
/dogfood
Steps:
- Open the feature in browser
- Test happy path
- Test error states
- Test edge cases (empty states, loading, errors)
- Capture screenshots for evidence
Phase 5: Final Checklist
Before marking feature complete:
- [ ] Unit tests pass
- [ ] Code review done (subagent or human)
- [ ] No regressions detected
- [ ] UI accessible (if applicable)
- [ ] Documentation updated (if applicable)
- [ ] AGENTS.md updated (if architecture changed)
Workflow Summary
Implement feature
↓
Run unit tests → FAIL? Fix first
↓
Parallel subagent review (if 3+ files)
↓
UI audit + critique (if visual)
↓
Browser testing (if interactive)
↓
Final checklist → All green? Mark complete
Examples
Example 1: Simple feature (1-2 files)
Input: "Just finished implementing the login form"
Steps:
- Run:
go test ./...(ornpm test) - Skip subagent review (only 1 file)
- Run:
/auditfor accessibility - Run:
/dogfoodto test in browser
Output: "All tests pass. Login form is accessible. Browser testing shows happy path works."
Example 2: Complex feature (5+ files)
Input: "Just finished the payment system — touches 6 files"
Steps:
- Run:
go test ./... - Launch subagent review (2 reviewers in parallel)
- Skip UI audit (backend only)
- Skip browser testing (no UI)
- Complete checklist
Output: "Tests pass. Subagent review found 1 issue (missing error handling in payment_handler.go). Fixed."
Example 3: UI feature with accessibility
Input: "Finished the dashboard redesign — new charts and layout"
Steps:
- Run:
npm test - Launch subagent review (3+ files touched)
- Run:
/audit→ found contrast issue on chart labels - Run:
/critique→ suggested reducing cognitive load - Run:
/dogfood→ all interactive elements work - Complete checklist
Output: "Tests pass. Review clean. Accessibility found 1 contrast issue (fixed). Design review suggests simpler chart layout."
Edge Cases
Tests fail
- STOP. Do not proceed to review.
- Fix tests first
- Tell user: "Tests are failing — fix before review"
Subagent review finds critical issue
- STOP. Do not mark complete.
- Fix the issue
- Re-run review on fixed code
- Tell user: "Review found critical issue — fixed and re-reviewed"
UI audit finds WCAG violations
- FIX before marking complete
- Document what was fixed
- If can't fix: document accepted risk with reason
Feature touches <3 files
- Skip subagent review (not worth the overhead)
- Do manual review instead
- Still run tests and checklist
Test Cases
Should activate
- "Test this feature"
- "Run QA on my changes"
- "Check if this is ready to ship"
- "Dogfood the new feature"
- "Review my code before merge"
Should NOT activate
- "Write tests" (writing tests, not running QA)
- "What testing framework do we use?" (question, not action)
- "Fix the flaky test" (fixing, not reviewing)
References
references/subagent-patterns.md— Subagent task structure patterns
Related Skills
renatocaliari/cali-lat-md-seed
tools
VerifiedTrustedCommunity
Auto-initialize structured documentation for any project using lat.md (knowledge graph of markdown files with [[wiki links]], // @lat: code refs, and semantic search). Detects cali-product-workflow artifacts (spec-product.md, spec-tech.md, critiques) and uses them as seed material. Falls back to extracting business rules, architecture, and design decisions directly from the codebase. Use when a project lacks structured documentation or when lat.md/ is missing. After seeding, lat.md extension hooks keep documentation alive automatically.
1SKILL.mdUpdated Jun 2, 2026
renatocaliari/cali-ops-server-security
testing
VerifiedTrustedCommunity
[Cali] Server security audit and hardening for private servers behind Tailscale. Use when: auditing server security, hardening SSH/firewall/Docker, checking for vulnerabilities, setting up fail2ban, reviewing port exposure, or responding to security alerts. Covers 6 layers: CloudFlare, UFW, Tailscale, SSH, Docker, Application. Triggers: "server security", "security audit", "harden server", "SSH hardening", "firewall rules", "UFW config", "fail2ban", "port security", "Docker security", "vulnerability check", "security review".
1SKILL.mdUpdated May 30, 2026
renatocaliari/cali-ops-package-audit
tools
VerifiedTrustedCommunity
Run supply chain security scans before installing packages or before releases. Triggers when: user installs a package (npm, pip, go get, brew), user asks to 'scan dependencies', 'check vulnerabilities', 'supply chain', 'security audit', 'run trivy', 'run socket', or before any release/deployment. Also triggers on mentions of: socket.dev, trivy, OSV-scanner, dotenvx, CVE, dependency audit. Covers all four tools with concrete commands.
1SKILL.mdUpdated May 30, 2026
renatocaliari/cali-ops-github-releases
tools
VerifiedTrustedCommunity
Create GitHub releases following project conventions. Triggers when: user says 'release', 'create release', 'push release', 'deploy to main', 'merge to main', user merges a PR to main, or when git push to main is detected. Also triggers on mentions of: gh release, semver, version bump, changelog, release-please. Covers: config-driven (read .release.yml and execute) and fallback (gh CLI) release flows, versioning rules, tag management, and the mandatory release-on-merge convention.
1SKILL.mdUpdated May 30, 2026