
qa-agent skill

/.agent/skills/qa-agent

This skill conducts comprehensive QA reviews for security, performance, accessibility, and test coverage, guiding remediation with concrete file-level fixes.

npx playbooks add skill first-fluke/fullstack-starter --skill qa-agent


Files (6)

SKILL.md (1.5 KB)
---
name: qa-agent
description: Quality assurance specialist for security, performance, accessibility, and comprehensive testing
---

# QA Agent - Quality Assurance Specialist

## When to use
- Final review before deployment
- Security audits (OWASP Top 10)
- Performance analysis
- Accessibility compliance (WCAG 2.1 AA)
- Test coverage analysis

## When NOT to use
- Initial implementation -> let specialists build first
- Writing new features -> use domain agents

## Core Rules
1. Review in priority order: Security > Performance > Accessibility > Code Quality
2. Every finding must include file:line, description, and fix
3. Severity: CRITICAL (security breach/data loss), HIGH (blocks launch), MEDIUM (this sprint), LOW (backlog)
4. Run automated tools first: `npm audit`, `bandit`, `lighthouse`
5. No false positives - every finding must be reproducible
6. Provide remediation code, not just descriptions

## How to Execute
Follow `resources/execution-protocol.md` step by step.
See `resources/examples.md` for input/output examples.
Before submitting, run `resources/self-check.md`.

## Serena Memory (CLI Mode)
See `../_shared/memory-protocol.md`.

## References
- Execution steps: `resources/execution-protocol.md`
- Report examples: `resources/examples.md`
- QA checklist: `resources/checklist.md`
- Self-check: `resources/self-check.md`
- Error recovery: `resources/error-playbook.md`
- Context loading: `../_shared/context-loading.md`
- Context budget: `../_shared/context-budget.md`
- Lessons learned: `../_shared/lessons-learned.md`

Overview

This skill is a quality assurance specialist focused on security, performance, accessibility, and comprehensive testing for fullstack TypeScript projects. It produces prioritized, reproducible findings with concrete remediation steps and code-level fixes. The goal is a production-ready report that reduces launch risk and speeds remediation.

How this skill works

The agent runs automated scanners and targeted audits, inspects source files and runtime behavior, and validates fixes with reproducible tests. It prioritizes issues by severity (Critical, High, Medium, Low), attaches file:line references for each finding, and supplies remediation code snippets or configuration changes. Every reported issue includes reproduction steps and verification guidance.

When to use it

  • Final review before deployment or release candidate validation
  • Security audits focused on OWASP Top 10 and data exposure risks
  • Performance analysis for page load, API latency, and resource usage
  • Accessibility checks for WCAG 2.1 AA compliance
  • Test coverage and end-to-end test gap analysis

Best practices

  • Run automated tools first (dependency audits, static analyzers, and web performance tools), then follow with manual verification
  • Follow the priority order: Security > Performance > Accessibility > Code Quality
  • Report only reproducible findings; include exact file:line and steps to reproduce
  • Classify severity clearly and tie remediation timelines to severity
  • Provide concrete remediation code or configuration changes, not just high-level guidance

Example use cases

  • Audit a Next.js + FastAPI release candidate for injection, auth, and data leakage issues
  • Analyze page performance and recommend code and infra changes to meet budgeted SLAs
  • Run an accessibility remediation sweep and supply patch-level fixes for ARIA/semantic issues
  • Assess test coverage and supply unit/integration test examples to close gaps
  • Scan IaC (Terraform) for misconfigurations that can lead to privilege escalation

FAQ

What counts as a reproducible finding?

A reproducible finding includes exact file:line, input or steps to trigger it, and a deterministic verification method that any reviewer can follow.

How are severities determined?

Severities map to impact: CRITICAL for data loss or breach, HIGH for launch-blocking problems, MEDIUM for sprint-timed fixes, and LOW for backlog items.
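As an added example, not part of the qa-agent skill or its resources, the TypeScript below applies the Core Rules and the severity mapping from this answer to the output of the first automated tool the skill runs, `npm audit`. It turns an `npm audit --json` report (auditReportVersion 2) into findings that each carry a file:line, a description, a fix, a reproduction command and one of the four severities, sorted most severe first. The mapping of npm's five levels onto the skill's four, the line lookup in `package.json`, and the sample report and manifest are assumptions constructed for the example.

```typescript
// Added example, not part of the qa-agent skill. Normalises `npm audit --json`
// output into findings in the shape the Core Rules require (file:line,
// description, fix, reproduction, severity). The npm -> skill severity mapping,
// the package.json line lookup and the sample data are assumptions.

type Severity = "CRITICAL" | "HIGH" | "MEDIUM" | "LOW";

interface Finding {
  severity: Severity;
  location: string;   // file:line, or the lock file for transitive packages
  description: string;
  fix: string;
  reproduce: string;  // command any reviewer can run to confirm the finding
}

// The parts of an `npm audit --json` report (auditReportVersion 2) used here.
type NpmLevel = "info" | "low" | "moderate" | "high" | "critical";
interface NpmVulnerability {
  name: string;
  severity: NpmLevel;
  isDirect: boolean;
  // Object entries are advisories; string entries name the vulnerable
  // transitive package this one depends on.
  via: Array<string | { title: string; url: string }>;
  fixAvailable: boolean | { name: string; version: string; isSemVerMajor: boolean };
}
interface NpmAuditReport {
  auditReportVersion: number;
  vulnerabilities: Record<string, NpmVulnerability>;
}

// Core Rule 1 / FAQ ordering: CRITICAL > HIGH > MEDIUM > LOW.
const RANK: Record<Severity, number> = { CRITICAL: 0, HIGH: 1, MEDIUM: 2, LOW: 3 };

// Assumed mapping of npm's five levels onto the skill's four.
function mapSeverity(level: NpmLevel): Severity {
  switch (level) {
    case "critical": return "CRITICAL"; // breach / data loss
    case "high":     return "HIGH";     // blocks launch
    case "moderate": return "MEDIUM";   // this sprint
    default:         return "LOW";      // "low" and "info": backlog
  }
}

// 1-based line of `"<name>":` in package.json text, 0 if not declared there.
function lineOf(packageJson: string, name: string): number {
  const needle = `"${name}":`;
  return packageJson.split("\n").findIndex((l) => l.includes(needle)) + 1;
}

function findingsFromAudit(report: NpmAuditReport, packageJson: string): Finding[] {
  const findings: Finding[] = [];
  for (const v of Object.values(report.vulnerabilities)) {
    // Skip entries that are vulnerable only through another package; that
    // package gets its own finding, so this avoids duplicate reports.
    const advisories = v.via.filter(
      (x): x is { title: string; url: string } => typeof x !== "string");
    if (advisories.length === 0) continue;

    const line = v.isDirect ? lineOf(packageJson, v.name) : 0;
    const location = line > 0
      ? `package.json:${line}`
      : `package-lock.json (transitive: ${v.name})`;

    let fix: string;
    if (v.fixAvailable === false) {
      fix = `No upstream fix for ${v.name}; replace the package or isolate its use`;
    } else if (v.fixAvailable === true) {
      fix = "npm audit fix";
    } else if (v.fixAvailable.isSemVerMajor) {
      fix = `npm audit fix --force (bumps ${v.fixAvailable.name} to ` +
            `${v.fixAvailable.version}, a major version: re-run the test suite)`;
    } else {
      fix = `npm install ${v.fixAvailable.name}@${v.fixAvailable.version}`;
    }

    findings.push({
      severity: mapSeverity(v.severity),
      location,
      description: advisories.map((a) => `${v.name}: ${a.title} (${a.url})`).join("; "),
      fix,
      reproduce: `npm audit --json | jq '.vulnerabilities["${v.name}"]'`,
    });
  }
  return findings.sort((a, b) =>
    RANK[a.severity] - RANK[b.severity] || a.location.localeCompare(b.location));
}

// Constructed sample manifest and report (not real advisories).
const SAMPLE_PACKAGE_JSON = `{
  "name": "example-app",
  "dependencies": {
    "next": "13.4.0",
    "lodash": "4.17.20"
  }
}`;

const SAMPLE_REPORT: NpmAuditReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    lodash: {
      name: "lodash", severity: "high", isDirect: true,
      via: [{ title: "Constructed advisory A", url: "https://example.invalid/advisory/A" }],
      fixAvailable: true,
    },
    "some-transitive": {
      name: "some-transitive", severity: "critical", isDirect: false,
      via: [{ title: "Constructed advisory B", url: "https://example.invalid/advisory/B" }],
      fixAvailable: { name: "next", version: "14.0.0", isSemVerMajor: true },
    },
    next: {
      name: "next", severity: "critical", isDirect: true,
      via: ["some-transitive"], // vulnerable only through some-transitive
      fixAvailable: { name: "next", version: "14.0.0", isSemVerMajor: true },
    },
  },
};

console.log(JSON.stringify(findingsFromAudit(SAMPLE_REPORT, SAMPLE_PACKAGE_JSON), null, 2));
```

On the sample input this yields two findings: the CRITICAL transitive package first, located in the lock file with a `--force` fix flagged as a major bump, then the HIGH direct dependency at `package.json:5` with a plain `npm audit fix`; the `next` entry is dropped because its only `via` is a string, so it would duplicate the transitive finding. Each `reproduce` command is deterministic, which is what Core Rule 5 asks for.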

Do reports include code fixes?

Yes. Every actionable finding includes suggested code, tests, or configuration changes and instructions to verify the fix.