qa-checklist
Scannednpx machina-cli add skill freitasp1/claude-code-skills/qa-checklist --openclawQA Checklist
Formal Quality Assurance Checklist before every Merge/Deploy
Trigger
This skill activates automatically on:
git commit(after production code changes)- Deploy commands (
vercel --prod,npm run deploy, etc.) /qacommand- Trigger words: "merge", "deploy", "release", "production"
Configuration
Customize these values for your project:
# Add to your project's CLAUDE.md or settings
no_touch_zones:
- "src/auth/**" # Authentication logic
- "src/core/**" # Core business logic
- "config/production.*" # Production config
required_region: "your-region" # e.g., fra1, us-east-1
deploy_timeout: 60 # seconds
PHASE 1: Build Verification (BLOCKING)
1.1 TypeScript Compilation
npx tsc --noEmit
Expected: No errors
| Status | Action |
|---|---|
| PASS | Continue to 1.2 |
| FAIL | STOP - Fix type errors |
1.2 Production Build
npm run build
Expected: Build successful, no warnings
| Status | Action |
|---|---|
| PASS | Continue to Phase 2 |
| FAIL | STOP - Fix build errors |
PHASE 2: Test Suite (BLOCKING)
2.1 Unit Tests
npm run test
Expected: All tests green
2.2 E2E Tests (optional but recommended)
npm run test:e2e
Expected: Critical flows working
PHASE 3: No-Touch Zones Check (BLOCKING)
Check if protected files were modified:
# Replace with your no-touch zones
git diff --name-only HEAD~1 | grep -E "(auth|core|production)"
Expected: No matches (or explicit approval present)
| File Pattern | Modification Allowed? |
|---|---|
**/auth/** | ONLY with explicit request |
**/core/** | ONLY with explicit request |
config/production.* | ONLY with explicit request |
PHASE 4: Region/Environment Check (BLOCKING on Deploy)
4.1 Before Production Deploy
Verify deployment target matches requirements:
# Vercel example
npx vercel inspect <preview-url> --wait
# AWS example
aws configure get region
# Check environment
echo $NODE_ENV
Expected: Correct region/environment
4.2 After Production Deploy
# Verify production deployment
curl -s -o /dev/null -w "%{http_code}" https://your-domain.com/health
Expected: 200 OK
PHASE 5: Security Review (WARNING)
5.1 No Secrets in Code
git diff HEAD~1 | grep -iE "(password|secret|api_key|token|private_key)" | grep -v "process\.env\|\.env\|example"
Expected: No matches
5.2 No Unsafe Types
# TypeScript: Check for untyped any
git diff HEAD~1 --name-only -- "*.ts" "*.tsx" | xargs grep -l ": any" 2>/dev/null
Expected: No new any types (or documented reason)
5.3 Dependency Check
npm audit --production
Expected: No high/critical vulnerabilities
PHASE 6: QA Report
After completing all checks, generate a report:
## QA Validation Report
**Date:** [ISO Timestamp]
**Branch:** [Branch Name]
**Commit:** [Commit Hash]
### Results
| Check | Status | Details |
|-------|--------|---------|
| TypeScript | PASS/FAIL | [Error count] |
| Build | PASS/FAIL | [Build time] |
| Unit Tests | PASS/FAIL | [X/Y passed] |
| E2E Tests | PASS/FAIL/SKIP | [X/Y passed] |
| No-Touch Zones | PASS/FAIL | [Affected files] |
| Region | PASS/FAIL/N/A | [Current region] |
| Security | PASS/WARN | [Issues found] |
### Verdict
**Status:** APPROVED / REJECTED
**Next Steps:**
- [If APPROVED: Merge/Deploy allowed]
- [If REJECTED: List of issues to fix]
Workflow Integration
Before Every Commit
- Run Phase 1-3
- On PASS: Commit allowed
- On FAIL: Fix issues, re-run
Before Production Deploy
- Run Phase 1-5
- On PASS: Deploy allowed
- On FAIL: Fix issues, re-run
- After Deploy: Phase 4.2 (Verification)
QA Loop (max 3 iterations)
1. Run checks
2. On failure: Implement fix
3. Return to step 1
4. After 3 iterations: Escalate to user
Integration with Other Skills
- code-quality-gate: Can be used together for comprehensive checks
- strict-typescript-mode: Enforces Phase 5.2 automatically
- security-scan hook: Automates Phase 5.1
Origin
Originally developed for fabrikIQ - AI-powered manufacturing data analysis.
License
MIT - Free to use and modify
Source
git clone https://github.com/freitasp1/claude-code-skills/blob/main/skills/qa-checklist/SKILL.mdView on GitHub Overview
QA-checklist enforces a six-phase gate before merging or deploying code. It validates builds, runs tests, checks no-touch zones and region settings, performs a security review, and generates a QA report. It triggers automatically on merge, deploy, release, production, or /qa commands.
How This Skill Works
The skill runs through six phases: Build Verification, Test Suite, No-Touch Zones, Region/Environment Check, Security Review, and QA Report. Each phase has defined pass/fail criteria and blocking actions; a failure halts the process. It reads project-config values like no_touch_zones and required_region to tailor validations for your environment.
When to Use It
- Before opening a pull request to merge into the main branch
- Before executing a production deployment or release
- When you need to ensure critical files aren’t touched (No-Touch Zones) before deploy
- When validating deployment region and environment alignment
- When preparing a formal QA Validation Report for governance
Quick Start
- Step 1: Add qa-checklist to your CLAUDE.md with no_touch_zones and required_region
- Step 2: Wire triggers for git commits, deploy commands, and /qa in your workflow
- Step 3: Run the QA process on merge/deploy and review the generated QA Validation Report
Best Practices
- Define explicit no_touch_zones per project and review changes against them
- Keep required_region up to date and aligned with target environments
- Run both unit tests and end-to-end tests to satisfy Phase 2
- Treat any Phase 1–5 failure as a blocking issue and address before deployment
- Incorporate the QA Validation Report into PRs and deployment docs
Example Use Cases
- A PR automatically halts on Phase 1 when TypeScript compilation fails
- A production deploy only proceeds after a successful 200 OK health check post-deploy
- No secrets are found in code during Phase 5 checks
- No-touch zones are violated unless explicit approval is present
- A QA Validation Report is generated and included in the release notes
