@appsforgood/next-supabase-kit 0.1.0

package/research/summaries/maturity-model-patterns.md

@@ -0,0 +1,29 @@
+# Maturity Model Patterns
+
+Generated from a focused follow-up pass after the 100-repo scan showed that popularity and broad research volume do not prove best-practice readiness.
+
+## Why This Pass Was Needed
+
+The initial scan identified repeated gaps in Supabase/Auth/RLS discoverability, AI-agent handoff maturity, accessibility evidence, and explicit security expectations. Follow-up review of public production, repository-health, supply-chain, and visual-testing guidance showed that mature projects make quality evidence durable across docs, automation, release, and review settings.
+
+## Generalized Practices
+
+- Use an explicit maturity model instead of treating any green build as best-practice readiness.
+- Separate baseline setup, strong team/agent delivery, and best-practice release evidence.
+- Require evidence for council routing, architecture decisions, security boundaries, Supabase/RLS, frontend quality, accessibility, testing, deployment, and repository health.
+- Treat research findings as inputs only; promote them into installed assets, audit checks, tests, release gates, or documented decisions before counting them as kit behavior.
+- Keep production-readiness expectations broad enough to cover framework behavior, data access, user experience, security, observability, and release integrity.
+- Keep repository operations visible through issue/PR templates, CODEOWNERS, dependency update automation, code scanning, dependency review, provenance expectations, support, conduct, and governance.
+
+## Promoted Updates
+
+- Added `templates/next-supabase/QUALITY_GATES.md`.
+- Added `QUALITY_GATES.md` to installed root docs and manifest hashing.
+- Added audit coverage for baseline, strong, best-practice, evidence, and multi-area maturity expectations.
+- Added tests that warn when the maturity model is hollowed out.
+- Added audit warnings when starter placeholders remain in evidence docs, so clean installation is not confused with completed project evidence.
+- Added a minimum-readiness CLI gate so downstream projects can enforce baseline or best-practice thresholds in CI.
+- Added an audit-report JSON Schema so downstream CI, dashboards, and repo-health tools can validate audit output shape.
+- Updated public docs and roadmap to make best-practice readiness evidence-based rather than research-volume-based.
+
+Do not copy source, policy wording, or brand systems from reviewed repositories or documentation. Adopt only generalized practices with clear rationale.

package/research/summaries/nextjs-patterns.md

@@ -0,0 +1,65 @@
+# Next.js Patterns
+
+Generated from 39 relevant repository findings.
+
+## Focus Areas
+- architecture
+- ciDeployment
+- documentation
+
+## Aggregate Evidence
+- Average normalized focus score: 0.39
+- Repositories considered: 39
+
+## Strongest Repositories For This Topic
+- vercel/next-forge (official-nextjs) - focus score 10, total 23/45
+- triggerdotdev/trigger.dev (production-saas) - focus score 9, total 32/45
+- keyshade-xyz/keyshade (production-saas) - focus score 9, total 25/45
+- cossistantcom/cossistant (production-saas) - focus score 9, total 24/45
+- vercel/chatbot (official-nextjs) - focus score 9, total 23/45
+- vercel/next.js (official-nextjs) - focus score 8, total 30/45
+- vercel/ai (official-nextjs) - focus score 8, total 29/45
+- formbricks/formbricks (production-saas) - focus score 8, total 29/45
+- boxyhq/saas-starter-kit (production-saas) - focus score 8, total 25/45
+- nextacular/nextacular (production-saas) - focus score 8, total 23/45
+- nextify-limited/saasfly (production-saas) - focus score 8, total 20/45
+- dubinc/dub (production-saas) - focus score 7, total 27/45
+
+## Repeated Strengths
+- Frontend implementation shows reusable components, states, and design-system signals. (20)
+- Security posture is explicit through docs, validation, CI, or review tooling. (12)
+- Test setup includes meaningful automated and browser-level coverage. (11)
+- Documentation is strong enough for external contributors or agents to onboard. (8)
+
+## Repeated Gaps
+- Supabase RLS/Auth practices are not clearly discoverable. (39)
+- Agent handoff and AI-workflow instructions are not mature. (30)
+- Accessibility signals are weak or absent. (26)
+- Security expectations are implicit or incomplete. (23)
+
+## Source Findings
+- research/findings/vercel__next-forge.md
+- research/findings/cossistantcom__cossistant.md
+- research/findings/keyshade-xyz__keyshade.md
+- research/findings/triggerdotdev__trigger.dev.md
+- research/findings/vercel__chatbot.md
+- research/findings/boxyhq__saas-starter-kit.md
+- research/findings/formbricks__formbricks.md
+- research/findings/nextacular__nextacular.md
+- research/findings/nextify-limited__saasfly.md
+- research/findings/vercel__ai.md
+- research/findings/vercel__next.js.md
+- research/findings/documenso__documenso.md
+- research/findings/dodopayments__billingsdk.md
+- research/findings/dubinc__dub.md
+- research/findings/vercel__examples.md
+- research/findings/zenstackhq__zenstack.md
+- research/findings/Blazity__next-saas-starter.md
+- research/findings/cruip__open-react-template.md
+- research/findings/ixartz__SaaS-Boilerplate.md
+- research/findings/michaelshimeles__nextjs-starter-kit.md
+- research/findings/nextjs__saas-starter.md
+- research/findings/revokslab__ShipFree.md
+- research/findings/vercel__nextjs-postgres-nextauth-tailwindcss-template.md
+- research/findings/vercel__platforms.md
+- research/findings/vercel__swr.md

package/research/summaries/repo-health-patterns.md

@@ -0,0 +1,41 @@
+# Repo Health Patterns
+
+Generated from a focused public OSS repository-health pass.
+
+## Focused Sources Reviewed
+
+- GitHub issue and pull request template documentation: issue forms belong in `.github/ISSUE_TEMPLATE`, and PR templates can live in `.github/pull_request_template.md`.
+- GitHub CODEOWNERS documentation: `.github/CODEOWNERS` is the first location GitHub checks and supports automatic owner review requests.
+- GitHub Dependabot documentation: `.github/dependabot.yml` configures npm and GitHub Actions update PRs.
+- GitHub CodeQL documentation: JavaScript and TypeScript projects can run CodeQL through GitHub Actions.
+- GitHub branch protection and environment documentation: required status checks, required reviews, environment reviewers, and deployment branch restrictions are repository settings that must be reviewed outside git.
+- GitHub private vulnerability reporting documentation: public repositories can expose private vulnerability reporting through Security Advisories.
+- High-signal OSS repos commonly expose structured contribution, security, release, and review workflows rather than relying on maintainer memory.
+
+## Repeated Patterns To Adopt
+
+- Use issue forms to collect enough evidence for maintainers to reproduce bugs and evaluate reusable feature proposals.
+- Use a PR template that ties changes to scope, tests, docs, security, and release impact.
+- Use CODEOWNERS for review ownership of source, templates, schemas, and workflows.
+- Use Dependabot for npm and GitHub Actions updates.
+- Use CodeQL or equivalent code scanning for JavaScript/TypeScript repositories.
+- Publish support, conduct, and governance docs so contributor expectations are explicit.
+- Keep required labels and PR labeler rules in the repo.
+- Document branch protection, environment protection, security advisory, private vulnerability reporting, and label setup because those settings are not fully represented by package files.
+
+## Promoted Updates
+
+- Added `.github/ISSUE_TEMPLATE/config.yml`.
+- Added bug, feature-request, and research-promotion issue forms.
+- Added `.github/pull_request_template.md`.
+- Added `.github/CODEOWNERS`.
+- Added `.github/dependabot.yml`.
+- Added `.github/labels.yml`.
+- Added `.github/labeler.yml` and PR labeler workflow.
+- Added `.github/workflows/codeql.yml`.
+- Added `CODE_OF_CONDUCT.md`, `SUPPORT.md`, and `GOVERNANCE.md`.
+- Added `REPOSITORY_SETTINGS.md`.
+- Added repo-health public-readiness tests.
+- Added repo-health scoring and discovery signals to the research scanner.
+
+Research and repo examples are used only for generalized practices. Do not copy third-party source or project-specific policy wording.

package/research/summaries/scan-overview.md

@@ -0,0 +1,46 @@
+# Research Scan Overview
+
+Generated from 100 parsed repository findings.
+
+## Category Coverage
+- production-saas: 24
+- design-systems: 17
+- testing-docs-agents: 16
+- official-nextjs: 15
+- supabase-nextjs: 15
+- security-quality: 13
+
+## Highest Total Scores
+- supabase/supabase (supabase-nextjs) - 35/45
+- trycompai/comp (security-quality) - 33/45
+- triggerdotdev/trigger.dev (production-saas) - 32/45
+- onlook-dev/onlook (supabase-nextjs) - 31/45
+- thedaviddias/llms-txt-hub (supabase-nextjs) - 31/45
+- vercel/next.js (official-nextjs) - 30/45
+- better-auth/better-auth (security-quality) - 30/45
+- vercel/ai (official-nextjs) - 29/45
+- formbricks/formbricks (production-saas) - 29/45
+- thedaviddias/souls-directory (testing-docs-agents) - 29/45
+- mui/base-ui (design-systems) - 28/45
+- shadcn-ui/ui (design-systems) - 27/45
+- dubinc/dub (production-saas) - 27/45
+- documenso/documenso (production-saas) - 27/45
+- carbon-design-system/carbon (design-systems) - 27/45
+- unkeyed/unkey (security-quality) - 27/45
+- nextauthjs/next-auth (security-quality) - 26/45
+- midday-ai/midday (supabase-nextjs) - 26/45
+- chakra-ui/zag (design-systems) - 26/45
+- vercel/examples (official-nextjs) - 26/45
+
+## Most Repeated Strengths
+- Frontend implementation shows reusable components, states, and design-system signals. (42)
+- Documentation is strong enough for external contributors or agents to onboard. (36)
+- Security posture is explicit through docs, validation, CI, or review tooling. (29)
+- Test setup includes meaningful automated and browser-level coverage. (27)
+- Supabase authorization appears to be handled close to the data boundary. (6)
+
+## Most Repeated Gaps
+- Supabase RLS/Auth practices are not clearly discoverable. (88)
+- Agent handoff and AI-workflow instructions are not mature. (66)
+- Accessibility signals are weak or absent. (57)
+- Security expectations are implicit or incomplete. (54)

package/research/summaries/security-patterns.md

@@ -0,0 +1,64 @@
+# Security Patterns
+
+Generated from 52 relevant repository findings.
+
+## Focus Areas
+- security
+
+## Aggregate Evidence
+- Average normalized focus score: 0.53
+- Repositories considered: 52
+
+## Strongest Repositories For This Topic
+- trycompai/comp (security-quality) - focus score 5, total 33/45
+- onlook-dev/onlook (supabase-nextjs) - focus score 5, total 31/45
+- thedaviddias/llms-txt-hub (supabase-nextjs) - focus score 5, total 31/45
+- better-auth/better-auth (security-quality) - focus score 5, total 30/45
+- formbricks/formbricks (production-saas) - focus score 5, total 29/45
+- dubinc/dub (production-saas) - focus score 5, total 27/45
+- midday-ai/midday (supabase-nextjs) - focus score 5, total 26/45
+- keyshade-xyz/keyshade (production-saas) - focus score 5, total 25/45
+- cossistantcom/cossistant (production-saas) - focus score 5, total 24/45
+- supabase/supabase (supabase-nextjs) - focus score 4, total 35/45
+- triggerdotdev/trigger.dev (production-saas) - focus score 4, total 32/45
+- documenso/documenso (production-saas) - focus score 4, total 27/45
+
+## Repeated Strengths
+- Frontend implementation shows reusable components, states, and design-system signals. (32)
+- Security posture is explicit through docs, validation, CI, or review tooling. (20)
+- Documentation is strong enough for external contributors or agents to onboard. (18)
+- Test setup includes meaningful automated and browser-level coverage. (12)
+- Supabase authorization appears to be handled close to the data boundary. (6)
+
+## Repeated Gaps
+- Supabase RLS/Auth practices are not clearly discoverable. (40)
+- Agent handoff and AI-workflow instructions are not mature. (38)
+- Accessibility signals are weak or absent. (31)
+- Security expectations are implicit or incomplete. (25)
+
+## Source Findings
+- research/findings/better-auth__better-auth.md
+- research/findings/cossistantcom__cossistant.md
+- research/findings/dubinc__dub.md
+- research/findings/formbricks__formbricks.md
+- research/findings/keyshade-xyz__keyshade.md
+- research/findings/midday-ai__midday.md
+- research/findings/onlook-dev__onlook.md
+- research/findings/thedaviddias__llms-txt-hub.md
+- research/findings/trycompai__comp.md
+- research/findings/403errors__repomind.md
+- research/findings/arcjet__arcjet-js.md
+- research/findings/aspen-cloud__triplit.md
+- research/findings/documenso__documenso.md
+- research/findings/jakejarvis__domainstack.io.md
+- research/findings/nextacular__nextacular.md
+- research/findings/nextauthjs__next-auth.md
+- research/findings/supabase__supabase.md
+- research/findings/triggerdotdev__trigger.dev.md
+- research/findings/unkeyed__unkey.md
+- research/findings/zenstackhq__zenstack.md
+- research/findings/LubomirGeorgiev__cloudflare-workers-nextjs-saas-template.md
+- research/findings/boxyhq__saas-starter-kit.md
+- research/findings/dodopayments__billingsdk.md
+- research/findings/ibelick__zola.md
+- research/findings/nextify-limited__saasfly.md

package/research/summaries/supabase-rls-patterns.md

@@ -0,0 +1,54 @@
+# Supabase RLS Patterns
+
+Generated from 15 relevant repository findings.
+
+## Focus Areas
+- supabaseAuthRls
+
+## Aggregate Evidence
+- Average normalized focus score: 0.65
+- Repositories considered: 15
+
+## Strongest Repositories For This Topic
+- supabase/supabase (supabase-nextjs) - focus score 5, total 35/45
+- srizzon/git-city (supabase-nextjs) - focus score 5, total 23/45
+- firecrawl/open-scouts (supabase-nextjs) - focus score 5, total 23/45
+- devtodollars/mvp-boilerplate (supabase-nextjs) - focus score 5, total 20/45
+- supabase-community/nextjs-openai-doc-search (supabase-nextjs) - focus score 5, total 18/45
+- onlook-dev/onlook (supabase-nextjs) - focus score 3, total 31/45
+- ibelick/zola (supabase-nextjs) - focus score 3, total 21/45
+- gokulkrishh/expense.fyi (supabase-nextjs) - focus score 3, total 19/45
+- ShenSeanChen/launch-mvp-stripe-nextjs-supabase (supabase-nextjs) - focus score 3, total 18/45
+- braydoncoyer/braydoncoyer.dev (supabase-nextjs) - focus score 3, total 16/45
+- midday-ai/midday (supabase-nextjs) - focus score 2, total 26/45
+- aspen-cloud/triplit (supabase-nextjs) - focus score 2, total 25/45
+
+## Repeated Strengths
+- Frontend implementation shows reusable components, states, and design-system signals. (10)
+- Documentation is strong enough for external contributors or agents to onboard. (7)
+- Security posture is explicit through docs, validation, CI, or review tooling. (5)
+- Supabase authorization appears to be handled close to the data boundary. (5)
+- Test setup includes meaningful automated and browser-level coverage. (3)
+
+## Repeated Gaps
+- Agent handoff and AI-workflow instructions are not mature. (11)
+- Accessibility signals are weak or absent. (8)
+- Security expectations are implicit or incomplete. (8)
+- Supabase RLS/Auth practices are not clearly discoverable. (5)
+
+## Source Findings
+- research/findings/devtodollars__mvp-boilerplate.md
+- research/findings/firecrawl__open-scouts.md
+- research/findings/srizzon__git-city.md
+- research/findings/supabase-community__nextjs-openai-doc-search.md
+- research/findings/supabase__supabase.md
+- research/findings/ShenSeanChen__launch-mvp-stripe-nextjs-supabase.md
+- research/findings/braydoncoyer__braydoncoyer.dev.md
+- research/findings/gokulkrishh__expense.fyi.md
+- research/findings/ibelick__zola.md
+- research/findings/onlook-dev__onlook.md
+- research/findings/aspen-cloud__triplit.md
+- research/findings/imbhargav5__nextbase-nextjs-supabase-starter.md
+- research/findings/midday-ai__midday.md
+- research/findings/supabase__auth-helpers.md
+- research/findings/thedaviddias__llms-txt-hub.md

package/research/summaries/supply-chain-patterns.md

@@ -0,0 +1,38 @@
+# Supply Chain Patterns
+
+Generated from a focused public package supply-chain pass.
+
+## Focused Sources Reviewed
+
+- npm Trusted Publishing documentation: GitHub Actions OIDC can publish without long-lived automation tokens, and public trusted publishes generate provenance attestations automatically.
+- npm provenance documentation: provenance links package artifacts to source and build instructions so consumers can verify origin.
+- GitHub Dependency Review action documentation: pull requests that change dependencies can be checked for vulnerabilities and policy issues.
+- OpenSSF Scorecard action documentation: repository security posture can be measured and published as code-scanning evidence.
+- GitHub artifact attestation documentation: release evidence can bind an SBOM to a specific package artifact.
+- GitHub workflow security patterns: least-privilege permissions, explicit concurrency, and non-persistent checkout credentials reduce accidental workflow risk.
+
+## Repeated Patterns To Adopt
+
+- Prefer OIDC Trusted Publishing over long-lived npm publish tokens.
+- Document provenance expectations in package release docs.
+- Add dependency review for pull requests that change dependency graphs.
+- Add Scorecard or equivalent repository security posture checks.
+- Keep CodeQL and dependency update automation active.
+- Generate an SBOM for release artifacts and attest it against the exact artifact being published.
+- Treat workflow edits as release-risk changes.
+- Validate manual publish paths so accidental non-main publishes are not accepted.
+
+## Promoted Updates
+
+- Added `SUPPLY_CHAIN.md`.
+- Added `.github/workflows/dependency-review.yml`.
+- Added `.github/workflows/scorecard.yml`.
+- Hardened workflow checkout with `persist-credentials: false`.
+- Added workflow concurrency.
+- Added manual publish ref validation for release workflow dispatches.
+- Added lockfile-derived CycloneDX SBOM validation.
+- Added release-workflow SBOM attestation for the exact npm tarball being published.
+- Added supply-chain scanner score and research category.
+- Added public-readiness tests for supply-chain files and release controls.
+
+Do not treat provenance as a complete guarantee of safety. Provenance proves origin and workflow context; maintainers still need dependency review, workflow review, branch/environment controls, and post-publish verification.

package/research/summaries/testing-patterns.md

@@ -0,0 +1,63 @@
+# Testing Patterns
+
+Generated from 55 relevant repository findings.
+
+## Focus Areas
+- testing
+
+## Aggregate Evidence
+- Average normalized focus score: 0.44
+- Repositories considered: 55
+
+## Strongest Repositories For This Topic
+- triggerdotdev/trigger.dev (production-saas) - focus score 5, total 32/45
+- vercel/next.js (official-nextjs) - focus score 5, total 30/45
+- vercel/ai (official-nextjs) - focus score 5, total 29/45
+- thedaviddias/souls-directory (testing-docs-agents) - focus score 5, total 29/45
+- dubinc/dub (production-saas) - focus score 5, total 27/45
+- documenso/documenso (production-saas) - focus score 5, total 27/45
+- vercel/examples (official-nextjs) - focus score 5, total 26/45
+- microsoft/skills (testing-docs-agents) - focus score 5, total 26/45
+- boxyhq/saas-starter-kit (production-saas) - focus score 5, total 25/45
+- zero-one-group/monorepo (testing-docs-agents) - focus score 5, total 22/45
+- ixartz/Next-js-Boilerplate (testing-docs-agents) - focus score 5, total 21/45
+- ixartz/SaaS-Boilerplate (production-saas) - focus score 5, total 19/45
+
+## Repeated Strengths
+- Frontend implementation shows reusable components, states, and design-system signals. (22)
+- Test setup includes meaningful automated and browser-level coverage. (18)
+- Documentation is strong enough for external contributors or agents to onboard. (15)
+- Security posture is explicit through docs, validation, CI, or review tooling. (14)
+
+## Repeated Gaps
+- Supabase RLS/Auth practices are not clearly discoverable. (55)
+- Agent handoff and AI-workflow instructions are not mature. (38)
+- Accessibility signals are weak or absent. (37)
+- Security expectations are implicit or incomplete. (31)
+
+## Source Findings
+- research/findings/boxyhq__saas-starter-kit.md
+- research/findings/connectrpc__examples-es.md
+- research/findings/documenso__documenso.md
+- research/findings/dubinc__dub.md
+- research/findings/ixartz__Next-js-Boilerplate.md
+- research/findings/ixartz__SaaS-Boilerplate.md
+- research/findings/microsoft__skills.md
+- research/findings/thedaviddias__souls-directory.md
+- research/findings/triggerdotdev__trigger.dev.md
+- research/findings/vercel__ai.md
+- research/findings/vercel__examples.md
+- research/findings/vercel__next.js.md
+- research/findings/vercel__swr.md
+- research/findings/zero-one-group__monorepo.md
+- research/findings/formbricks__formbricks.md
+- research/findings/kaje94__menufic.md
+- research/findings/vercel__chatbot.md
+- research/findings/wasp-lang__open-saas.md
+- research/findings/Piebald-AI__tweakcc.md
+- research/findings/antiwork__shortest.md
+- research/findings/brocoders__extensive-react-boilerplate.md
+- research/findings/keyshade-xyz__keyshade.md
+- research/findings/vercel__next-devtools-mcp.md
+- research/findings/zenstackhq__zenstack.md
+- research/findings/LubomirGeorgiev__cloudflare-workers-nextjs-saas-template.md

package/research/summaries/upgrade-lifecycle-patterns.md

@@ -0,0 +1,26 @@
+# Upgrade Lifecycle Patterns
+
+Generated from a focused follow-up pass on upgrade and migration practices in high-signal framework and tooling projects.
+
+## Why This Pass Was Needed
+
+The kit is intended to be reused like an installable package. Initial install, audit, and release gates are not enough unless existing projects can safely adopt future template, agent, schema, and workflow updates.
+
+## Generalized Practices
+
+- Keep a visible upgrade guide with preflight, diff, update, verification, and rollback steps.
+- Separate initial installation from upgrade review.
+- Provide dry-run or diff flows before changing project-owned files.
+- Treat framework upgrades, codemods, schema migrations, and generated types as explicit review items.
+- Require rollback notes and owner/date evidence before claiming an upgrade is complete.
+- Keep local overrides documented so a package update does not silently erase project-specific decisions.
+
+## Promoted Updates
+
+- Added root `UPGRADE.md` for package maintainers.
+- Added installed `templates/next-supabase/UPGRADE.md` for downstream projects.
+- Added `skills/upgrade-maintenance.md`, `checklists/upgrade.md`, and `prompts/upgrade-review.md`.
+- Added audit coverage for upgrade lifecycle evidence.
+- Added tests so upgrade guidance cannot be removed from public package readiness.
+
+Do not copy source, policy wording, or brand systems from reviewed repositories or documentation. Adopt only generalized practices with clear rationale.

package/research/summaries/visual-qa-patterns.md

@@ -0,0 +1,39 @@
+# Visual QA And Regression Patterns
+
+Generated from a focused follow-up review of visual testing and component-state practices after the content-first design hardening pass.
+
+## Why This Pass Was Needed
+
+The kit required desktop/mobile screenshots and screenshot review, but a best-practice repo also needs a repeatable strategy for visual state coverage, baseline approval, and visual regression when UI risk is high.
+
+## Focused Sources Reviewed
+
+- `storybookjs/storybook`: stories act as reusable UI state cases for render, interaction, accessibility, and visual tests.
+- `storybookjs/test-runner`: turns stories into executable tests and supports CI execution against built Storybooks.
+- `storybookjs/design-system`: uses Storybook for component docs and visual QA infrastructure for a shared design system.
+- `chromaui/chromatic-cli` and Chromatic docs: visual testing for Storybook, responsive viewports, PR checks, and baseline review.
+- `argos-ci/argos`: open-source visual testing platform with Playwright, Cypress, and Storybook integrations.
+- `oblador/loki`: open-source visual regression testing for Storybook.
+- Playwright visual comparison docs: `toHaveScreenshot()` and committed baselines, with cautions about deterministic environments.
+
+## Repeated Patterns To Adopt
+
+- Treat stories or screenshot cases as visual state specifications.
+- Capture both reusable component states and critical workflow screens.
+- Cover at least one mobile/narrow viewport and one desktop viewport.
+- Stabilize dynamic content before comparing pixels.
+- Review baseline updates as intentional product changes.
+- Keep semantic, accessibility, keyboard, auth, and data tests separate from visual comparisons.
+- Choose the smallest reliable visual QA tier instead of forcing heavy tooling onto every project.
+
+## Promoted Updates
+
+- Add Visual Regression QA skill.
+- Add visual-regression checklist.
+- Add visual QA planning prompt.
+- Update `TESTING.md` with baseline, strong, and mature visual QA tiers.
+- Require visual QA evidence in frontend workflow outputs.
+- Add audit warnings when testing docs omit visual QA or visual-regression evidence.
+- Update research scanner terms to look for Storybook, `toHaveScreenshot`, Chromatic, Argos, Loki, and visual-regression signals.
+
+Do not adopt a third-party SaaS as a required default. The kit should stay provider-neutral and support manual screenshots, Playwright, Storybook, Chromatic, Argos, Loki, or equivalent evidence depending on project risk.