svenja-dev/qa-checklist
skills/qa-checklist/SKILL.md
Formal Quality Assurance Checklist before every Merge/Deploy. 6-phase validation with Build Verification, Test Suite, No-Touch Zones, Region Check, Security Review, and QA Report generation. Activate on "merge", "deploy", "release", "production", or /qa command.
$ install --global
skillsauthnpx skillsauth add svenja-dev/claude-code-skills qa-checklistInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 15, 2026, 4:16 AM22.4s1 file scanned
SKILL.md
- name:
- qa-checklist
- description:
- Formal Quality Assurance Checklist before every Merge/Deploy. 6-phase validation with Build Verification, Test Suite, No-Touch Zones, Region Check, Security Review, and QA Report generation. Activate on "merge", "deploy", "release", "production", or /qa command.
QA Checklist
Formal Quality Assurance Checklist before every Merge/Deploy
Trigger
This skill activates automatically on:
git commit(after production code changes)- Deploy commands (
vercel --prod,npm run deploy, etc.) /qacommand- Trigger words: "merge", "deploy", "release", "production"
Configuration
Customize these values for your project:
# Add to your project's CLAUDE.md or settings
no_touch_zones:
- "src/auth/**" # Authentication logic
- "src/core/**" # Core business logic
- "config/production.*" # Production config
required_region: "your-region" # e.g., fra1, us-east-1
deploy_timeout: 60 # seconds
PHASE 1: Build Verification (BLOCKING)
1.1 TypeScript Compilation
npx tsc --noEmit
Expected: No errors
| Status | Action | |--------|--------| | PASS | Continue to 1.2 | | FAIL | STOP - Fix type errors |
1.2 Production Build
npm run build
Expected: Build successful, no warnings
| Status | Action | |--------|--------| | PASS | Continue to Phase 2 | | FAIL | STOP - Fix build errors |
PHASE 2: Test Suite (BLOCKING)
2.1 Unit Tests
npm run test
Expected: All tests green
2.2 E2E Tests (optional but recommended)
npm run test:e2e
Expected: Critical flows working
PHASE 3: No-Touch Zones Check (BLOCKING)
Check if protected files were modified:
# Replace with your no-touch zones
git diff --name-only HEAD~1 | grep -E "(auth|core|production)"
Expected: No matches (or explicit approval present)
| File Pattern | Modification Allowed? |
|--------------|----------------------|
| **/auth/** | ONLY with explicit request |
| **/core/** | ONLY with explicit request |
| config/production.* | ONLY with explicit request |
PHASE 4: Region/Environment Check (BLOCKING on Deploy)
4.1 Before Production Deploy
Verify deployment target matches requirements:
# Vercel example
npx vercel inspect <preview-url> --wait
# AWS example
aws configure get region
# Check environment
echo $NODE_ENV
Expected: Correct region/environment
4.2 After Production Deploy
# Verify production deployment
curl -s -o /dev/null -w "%{http_code}" https://your-domain.com/health
Expected: 200 OK
PHASE 5: Security Review (WARNING)
5.1 No Secrets in Code
git diff HEAD~1 | grep -iE "(password|secret|api_key|token|private_key)" | grep -v "process\.env\|\.env\|example"
Expected: No matches
5.2 No Unsafe Types
# TypeScript: Check for untyped any
git diff HEAD~1 --name-only -- "*.ts" "*.tsx" | xargs grep -l ": any" 2>/dev/null
Expected: No new any types (or documented reason)
5.3 Dependency Check
npm audit --production
Expected: No high/critical vulnerabilities
PHASE 6: QA Report
After completing all checks, generate a report:
## QA Validation Report
**Date:** [ISO Timestamp]
**Branch:** [Branch Name]
**Commit:** [Commit Hash]
### Results
| Check | Status | Details |
|-------|--------|---------|
| TypeScript | PASS/FAIL | [Error count] |
| Build | PASS/FAIL | [Build time] |
| Unit Tests | PASS/FAIL | [X/Y passed] |
| E2E Tests | PASS/FAIL/SKIP | [X/Y passed] |
| No-Touch Zones | PASS/FAIL | [Affected files] |
| Region | PASS/FAIL/N/A | [Current region] |
| Security | PASS/WARN | [Issues found] |
### Verdict
**Status:** APPROVED / REJECTED
**Next Steps:**
- [If APPROVED: Merge/Deploy allowed]
- [If REJECTED: List of issues to fix]
Workflow Integration
Before Every Commit
- Run Phase 1-3
- On PASS: Commit allowed
- On FAIL: Fix issues, re-run
Before Production Deploy
- Run Phase 1-5
- On PASS: Deploy allowed
- On FAIL: Fix issues, re-run
- After Deploy: Phase 4.2 (Verification)
QA Loop (max 3 iterations)
1. Run checks
2. On failure: Implement fix
3. Return to step 1
4. After 3 iterations: Escalate to user
Integration with Other Skills
- code-quality-gate: Can be used together for comprehensive checks
- strict-typescript-mode: Enforces Phase 5.2 automatically
- security-scan hook: Automates Phase 5.1
Origin
Originally developed for fabrikIQ - AI-powered manufacturing data analysis.
License
MIT - Free to use and modify
Related Skills
svenja-dev/ui-freeze
development
VerifiedTrustedCommunity
Protects design and theme files from unintended changes. Locks tailwind.config, global CSS, and theme variables. Requires explicit confirmation before modifying UI components. Activate on changes to CSS, theme config, or layout components.
35SKILL.mdUpdated May 15, 2026
svenja-dev/token-budget-advisor
tools
VerifiedTrustedCommunity
Proactive token budget assessment and task chunking strategy. Use this skill when queries involve multiple large file uploads, requests for comprehensive multi-document analysis, complex multi-step workflows with heavy research (10+ tool calls), phrases like "complete analysis", "full audit", "thorough review", "deep dive", or tasks combining extensive research with large output artifacts. This skill helps assess token consumption risk early and recommend chunking strategies before beginning work.
35SKILL.mdUpdated May 15, 2026
svenja-dev/tdd-strict
development
VerifiedTrustedCommunity
Erzwingt striktes Test-Driven Development mit Red-Green-Refactor Zyklus. Blockiert Code-Generierung ohne vorherige Tests. Dokumentiert 13 ungueltige Rationalisierungen. Aktivieren bei neuen Features, Bug Fixes, Refactoring.
35SKILL.mdUpdated May 15, 2026
svenja-dev/strict-typescript-mode
development
VerifiedTrustedCommunity
Enforces TypeScript best practices when writing code. Automatically enables strict typing for TypeScript projects, prevents `any` usage, and recommends generic constraints. Activate on TS/TSX files, new features, code reviews.
35SKILL.mdUpdated May 15, 2026