qa-ai-repo 0.1.0 → 0.2.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +17 -2
- package/api-contract-testing/agents/api-contract-author.md +38 -0
- package/api-contract-testing/objective.json +4 -0
- package/api-contract-testing/skills/api-contract-testing/SKILL.md +67 -0
- package/api-contract-testing/skills/api-contract-testing/tooling.md +37 -0
- package/bin/qa-ai.js +0 -0
- package/package.json +1 -1
- package/qa-strategy/agents/qa-strategist.md +34 -0
- package/qa-strategy/objective.json +4 -0
- package/qa-strategy/skills/qa-strategy/SKILL.md +44 -0
- package/qa-strategy/skills/qa-strategy/intake.md +43 -0
- package/qa-strategy/skills/qa-strategy/strategy-template.md +66 -0
package/README.md
CHANGED
|
@@ -65,5 +65,20 @@ npm link # then `qa-ai list` works anywhere
|
|
|
65
65
|
|
|
66
66
|
## Publishing
|
|
67
67
|
|
|
68
|
-
|
|
69
|
-
|
|
68
|
+
Objective folders ship automatically (see `.npmignore`); no need to enumerate
|
|
69
|
+
them.
|
|
70
|
+
|
|
71
|
+
**Automated (recommended).** A GitHub Actions workflow
|
|
72
|
+
(`.github/workflows/release.yml`) publishes to npm whenever you cut a Release:
|
|
73
|
+
|
|
74
|
+
1. Add a repo secret `NPM_TOKEN` (an npm *Automation* access token):
|
|
75
|
+
Settings → Secrets and variables → Actions → New repository secret.
|
|
76
|
+
2. Bump `version` in `package.json` and commit.
|
|
77
|
+
3. Create a GitHub Release (tag e.g. `v0.1.0`). The workflow smoke-tests the
|
|
78
|
+
CLI and publishes; it skips automatically if that version is already on npm.
|
|
79
|
+
|
|
80
|
+
The workflow publishes with npm **provenance** (verified build attestation),
|
|
81
|
+
enabled by `--provenance` + the `id-token: write` permission. This requires a
|
|
82
|
+
public repo.
|
|
83
|
+
|
|
84
|
+
**Manual.** `npm login` then `npm publish` from the repo root.
|
|
@@ -0,0 +1,38 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: api-contract-author
|
|
3
|
+
description: Use to add or extend API contract tests for a service. It detects the stack and interface (OpenAPI/GraphQL/Pact), recommends consumer-driven vs spec-first, scaffolds the tests, and wires can-i-deploy / breaking-change gates into CI.
|
|
4
|
+
tools: Read, Grep, Glob, Edit, Write, Bash
|
|
5
|
+
---
|
|
6
|
+
|
|
7
|
+
You are a senior API quality engineer specializing in contract testing.
|
|
8
|
+
|
|
9
|
+
## Process
|
|
10
|
+
|
|
11
|
+
1. **Discover the interface.** Look for an OpenAPI/AsyncAPI spec, GraphQL schema,
|
|
12
|
+
route definitions, existing HTTP clients, and any current Pact/contract
|
|
13
|
+
setup. Identify providers and their consumers.
|
|
14
|
+
2. **Recommend an approach** (state your reasoning briefly):
|
|
15
|
+
- Internal, you own the consumers → **consumer-driven (Pact)**.
|
|
16
|
+
- Public/many consumers with a spec → **spec-first (OpenAPI + Schemathesis +
|
|
17
|
+
oasdiff)**.
|
|
18
|
+
- Both → do both.
|
|
19
|
+
3. **Scaffold the tests** in the project's language/framework:
|
|
20
|
+
- Consumer tests generating pacts with type/shape matchers (not exact values).
|
|
21
|
+
- Provider verification with provider states for setup.
|
|
22
|
+
- Or spec conformance (Schemathesis/Dredd) + a spec lint (Spectral).
|
|
23
|
+
4. **Add the gates.** Wire `can-i-deploy` (Pact) or a breaking-change diff
|
|
24
|
+
(`oasdiff` / GraphQL Inspector) into CI so incompatible changes block deploy —
|
|
25
|
+
not just report.
|
|
26
|
+
5. **Run what you can** locally and iterate until green; note anything that needs
|
|
27
|
+
a broker/credentials the environment lacks.
|
|
28
|
+
|
|
29
|
+
## Principles
|
|
30
|
+
|
|
31
|
+
- Contract ≠ end-to-end: verify interface shape and semantics, keep it small.
|
|
32
|
+
- Match on types/shape; version anything backward-incompatible.
|
|
33
|
+
- Every contract is tied to a service version + git sha.
|
|
34
|
+
|
|
35
|
+
## Report
|
|
36
|
+
|
|
37
|
+
The files added/changed, approach chosen and why, the CI gates wired in, and any
|
|
38
|
+
follow-ups requiring a Pact Broker / PactFlow or spec that doesn't exist yet.
|
|
@@ -0,0 +1,67 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: api-contract-testing
|
|
3
|
+
description: Design and implement API contract tests so a provider can't break its consumers. Use when adding contract tests, choosing between consumer-driven (Pact) and spec-first (OpenAPI) approaches, verifying providers, or gating deploys on compatibility. Covers REST, GraphQL, and event/message contracts.
|
|
4
|
+
---
|
|
5
|
+
|
|
6
|
+
# API Contract Testing
|
|
7
|
+
|
|
8
|
+
Contract testing verifies that two services **agree on the interface** without
|
|
9
|
+
standing up both in a slow, flaky end-to-end environment. It catches breaking
|
|
10
|
+
changes at the boundary — the highest-value, lowest-cost API tests.
|
|
11
|
+
|
|
12
|
+
## Pick the approach (see `tooling.md` for tool choices)
|
|
13
|
+
|
|
14
|
+
- **Consumer-driven contracts (Pact)** — when *you own the consumers* and want
|
|
15
|
+
each consumer to declare exactly what it needs. Consumers generate a contract;
|
|
16
|
+
the provider verifies against all of them. Best for internal microservices.
|
|
17
|
+
- **Spec-first / provider contracts (OpenAPI, JSON Schema, AsyncAPI)** — when a
|
|
18
|
+
spec is the source of truth (public API, many/unknown consumers). Validate
|
|
19
|
+
that real traffic conforms to the spec in both directions.
|
|
20
|
+
- Use **both** when you publish a spec *and* have known internal consumers.
|
|
21
|
+
|
|
22
|
+
## Consumer-driven (Pact) workflow
|
|
23
|
+
|
|
24
|
+
1. **Consumer test**: write an interaction (request → expected response) against
|
|
25
|
+
a Pact mock; run the consumer's real client code against it. This generates a
|
|
26
|
+
pact file — assert on *shape/types*, not exact values (use matchers).
|
|
27
|
+
2. **Publish** the pact (with consumer version + git sha + branch/tag) to a
|
|
28
|
+
Pact Broker / PactFlow.
|
|
29
|
+
3. **Provider verification**: the provider replays every consumer interaction
|
|
30
|
+
against its real implementation, using provider states to set up data.
|
|
31
|
+
4. **`can-i-deploy`**: before releasing either side, query the broker to confirm
|
|
32
|
+
the version is compatible with everything it will meet in the target env.
|
|
33
|
+
Block the deploy if not.
|
|
34
|
+
|
|
35
|
+
## Spec-first workflow
|
|
36
|
+
|
|
37
|
+
1. Treat the **OpenAPI/AsyncAPI** spec as the contract; lint it (Spectral) in CI.
|
|
38
|
+
2. **Provider side**: assert responses conform to the spec — property-based
|
|
39
|
+
fuzzing (Schemathesis) or replaying the spec's examples (Dredd).
|
|
40
|
+
3. **Consumer side**: run against a spec-driven **mock** (Prism) so consumers
|
|
41
|
+
develop against the contract, not a live service.
|
|
42
|
+
4. **Detect breaking changes**: diff the spec against the last released version
|
|
43
|
+
(e.g. `oasdiff`) and fail CI on backward-incompatible changes.
|
|
44
|
+
|
|
45
|
+
## Principles
|
|
46
|
+
|
|
47
|
+
- **Contract ≠ end-to-end.** Verify the interface shape and semantics, not full
|
|
48
|
+
business flows. Keep each interaction small and deterministic.
|
|
49
|
+
- **Match on type/shape, not brittle exact values** (except enums/status codes
|
|
50
|
+
that are genuinely part of the contract).
|
|
51
|
+
- **Version everything** — pacts and specs are tied to a service version + sha
|
|
52
|
+
so `can-i-deploy` can reason about environments.
|
|
53
|
+
- **Backward compatibility is the rule**: additive changes are safe; removing a
|
|
54
|
+
field, tightening a type, or changing status codes is breaking — version it.
|
|
55
|
+
- **Provider states** replace shared fixtures — each interaction declares the
|
|
56
|
+
state it needs; keep them cheap and isolated.
|
|
57
|
+
- **Gate deploys**, don't just report. A contract test that doesn't block a bad
|
|
58
|
+
release is documentation, not a test.
|
|
59
|
+
|
|
60
|
+
## CI wiring
|
|
61
|
+
|
|
62
|
+
- Consumer PR → run consumer tests → publish pact (tagged with branch).
|
|
63
|
+
- Provider PR → verify against `main`-tagged pacts → publish results.
|
|
64
|
+
- Pre-deploy → `can-i-deploy --to <env>` (or spec breaking-change diff) as a gate.
|
|
65
|
+
- Nightly → verify all consumers against provider `main` to catch drift early.
|
|
66
|
+
|
|
67
|
+
See `tooling.md` for language-specific tools and when to use each.
|
|
@@ -0,0 +1,37 @@
|
|
|
1
|
+
# API Contract Testing — Tooling Guide
|
|
2
|
+
|
|
3
|
+
Choose by *who owns the consumers* and *what the source of truth is*.
|
|
4
|
+
|
|
5
|
+
## Consumer-driven contracts
|
|
6
|
+
- **Pact** — the standard for consumer-driven contracts. SDKs for JS/TS, Java,
|
|
7
|
+
.NET, Go, Python, Ruby, PHP, Rust. Use with a **Pact Broker** or **PactFlow**
|
|
8
|
+
for storing contracts, `can-i-deploy`, and webhooks.
|
|
9
|
+
- Use when: internal microservices, you control the consumers, HTTP or messages.
|
|
10
|
+
|
|
11
|
+
## Spec-first (OpenAPI / REST)
|
|
12
|
+
- **Spectral** — lint the OpenAPI spec (style + governance) in CI.
|
|
13
|
+
- **Schemathesis** — property-based fuzzing that checks responses conform to the
|
|
14
|
+
OpenAPI schema; great at finding edge-case violations.
|
|
15
|
+
- **Dredd** — validate an API against its OpenAPI/API Blueprint examples.
|
|
16
|
+
- **Prism** — spin up a mock server from the spec so consumers develop against
|
|
17
|
+
the contract; also does request/response validation as a proxy.
|
|
18
|
+
- **oasdiff** — diff two OpenAPI specs and fail CI on breaking changes.
|
|
19
|
+
|
|
20
|
+
## GraphQL
|
|
21
|
+
- **GraphQL Inspector** / **graphql-schema-linter** — schema diffing and
|
|
22
|
+
breaking-change detection against the previous schema.
|
|
23
|
+
- Apollo **Rover** + schema checks if using a registry/federation.
|
|
24
|
+
|
|
25
|
+
## Async / event-driven
|
|
26
|
+
- **AsyncAPI** as the contract for Kafka/AMQP/WebSocket messages.
|
|
27
|
+
- **Pact** message pacts for consumer-driven event contracts.
|
|
28
|
+
|
|
29
|
+
## General HTTP assertions (lighter weight)
|
|
30
|
+
- **Postman/Newman**, **Karate**, **REST Assured** (Java), **Tavern** (Python)
|
|
31
|
+
for schema assertions when full contract tooling is overkill.
|
|
32
|
+
|
|
33
|
+
## Rule of thumb
|
|
34
|
+
- Internal services, you own both sides → **Pact + Broker**.
|
|
35
|
+
- Public/partner API with a published spec → **OpenAPI + Spectral + Schemathesis
|
|
36
|
+
+ oasdiff**.
|
|
37
|
+
- Both → publish the spec *and* run Pact for known internal consumers.
|
package/bin/qa-ai.js
CHANGED
|
File without changes
|
package/package.json
CHANGED
|
@@ -0,0 +1,34 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: qa-strategist
|
|
3
|
+
description: Use to create a tailored QA strategy for a team or project. It runs a structured intake (tech stack, team size, release cadence, current maturity, risk/compliance), then produces a risk-based strategy with an automation plan, quality gates, tooling, and a phased roadmap.
|
|
4
|
+
tools: Read, Grep, Glob, Write
|
|
5
|
+
---
|
|
6
|
+
|
|
7
|
+
You are a pragmatic QA strategy consultant. Your job is to produce a QA strategy
|
|
8
|
+
that fits the team's reality — right-sized to their risk, stack, and capacity.
|
|
9
|
+
|
|
10
|
+
## Process
|
|
11
|
+
|
|
12
|
+
1. **Inspect first.** If pointed at a codebase, detect languages, frameworks,
|
|
13
|
+
test directories, CI config, and coverage. Use findings to pre-fill the
|
|
14
|
+
intake and confirm rather than ask.
|
|
15
|
+
2. **Run the intake interview.** Work through the six sections (Product, Tech
|
|
16
|
+
stack, Team & process, Current state, Non-functional & risk, Goals &
|
|
17
|
+
constraints). Ask one section at a time, in plain questions. Never dump all
|
|
18
|
+
questions at once. If the user answers tersely, proceed — don't interrogate.
|
|
19
|
+
3. **Don't invent facts.** Mark unknowns as `TBD` and state the assumption you'll
|
|
20
|
+
proceed with so the user can correct it.
|
|
21
|
+
4. **Write the strategy** to `QA-STRATEGY.md` using the standard section
|
|
22
|
+
structure. Every recommendation must trace to an input.
|
|
23
|
+
5. **Be decisive and specific.** Recommend concrete tools, gates, and first
|
|
24
|
+
steps — not "consider adding tests." Prioritize by risk (likelihood ×
|
|
25
|
+
impact). Favor a healthy test pyramid and fast CI feedback.
|
|
26
|
+
|
|
27
|
+
## Output
|
|
28
|
+
|
|
29
|
+
A `QA-STRATEGY.md` covering: context snapshot, goals & metrics, risk-based
|
|
30
|
+
prioritization, test levels & types, automation strategy, CI/CD quality gates,
|
|
31
|
+
roles & ownership, tooling, and a phased Now/Next/Later roadmap with owners and
|
|
32
|
+
success metrics. End with open questions and assumptions to validate.
|
|
33
|
+
|
|
34
|
+
Keep it concise enough that the team will actually read and act on it.
|
|
@@ -0,0 +1,44 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: qa-strategy
|
|
3
|
+
description: Produce a tailored, risk-based QA strategy for a team or project. Use when asked to "create a QA strategy", "assess our testing approach", "build a test plan/roadmap", or decide what and how much to automate. First gathers a defined set of inputs (tech stack, team size, release cadence, current maturity, risk/compliance), then writes the strategy.
|
|
4
|
+
---
|
|
5
|
+
|
|
6
|
+
# QA Strategy
|
|
7
|
+
|
|
8
|
+
Generate a QA strategy that fits *this* team — not a generic checklist. The
|
|
9
|
+
strategy is only as good as its inputs, so **always gather the intake first**,
|
|
10
|
+
then produce the strategy against a consistent template.
|
|
11
|
+
|
|
12
|
+
## How to run
|
|
13
|
+
|
|
14
|
+
1. **Collect the intake.** Ask the questions in `intake.md`. Ask them in
|
|
15
|
+
batches (grouped by section), not all at once. If the user has already
|
|
16
|
+
supplied some answers (in the prompt, a repo, a doc), pre-fill those and only
|
|
17
|
+
ask what's missing or ambiguous. Do not invent answers — if something is
|
|
18
|
+
unknown, mark it `TBD` and note the assumption you'll proceed with.
|
|
19
|
+
2. **Infer what you can from the codebase** when available: languages,
|
|
20
|
+
frameworks, existing test dirs, CI config, coverage — confirm rather than ask.
|
|
21
|
+
3. **Write the strategy** using `strategy-template.md`. Every recommendation
|
|
22
|
+
must trace back to an input (e.g. "daily deploys → block merges on a fast
|
|
23
|
+
smoke suite"). Tailor depth to team size and maturity.
|
|
24
|
+
4. **Prioritize by risk.** Rank areas by likelihood × impact; put automation
|
|
25
|
+
and coverage where failures hurt most, not uniformly.
|
|
26
|
+
5. **Make it actionable.** End with a phased roadmap (Now / Next / Later) with
|
|
27
|
+
concrete first steps, owners, and success metrics — not aspirations.
|
|
28
|
+
|
|
29
|
+
## Principles
|
|
30
|
+
|
|
31
|
+
- **Right-size it.** A 3-person startup shipping daily and a 50-person org with
|
|
32
|
+
compliance needs get very different strategies. Match rigor to risk and team
|
|
33
|
+
capacity.
|
|
34
|
+
- **Test pyramid, not ice-cream cone.** Favor many fast unit/integration tests,
|
|
35
|
+
fewer E2E; call out where the current shape is inverted.
|
|
36
|
+
- **Automate the repetitive and high-risk; keep humans for exploratory.**
|
|
37
|
+
- **Quality gates over quality theater.** Tie recommendations to CI gates and
|
|
38
|
+
measurable signals (escape rate, flake rate, lead time), not vanity coverage %.
|
|
39
|
+
- **Start where they are.** Recommend the next 2–3 improvements, not a rewrite.
|
|
40
|
+
|
|
41
|
+
## Inputs and outputs
|
|
42
|
+
|
|
43
|
+
- `intake.md` — the question set to collect before writing anything.
|
|
44
|
+
- `strategy-template.md` — the structure of the delivered strategy document.
|
|
@@ -0,0 +1,43 @@
|
|
|
1
|
+
# QA Strategy — Intake Questionnaire
|
|
2
|
+
|
|
3
|
+
Collect these before writing the strategy. Ask by section, pre-fill anything
|
|
4
|
+
already known, and mark unknowns `TBD` with a stated assumption. Bold items are
|
|
5
|
+
the minimum needed to produce a useful first draft.
|
|
6
|
+
|
|
7
|
+
## 1. Product & scope
|
|
8
|
+
- **What is the product?** (web app, mobile app, API/backend service, desktop, CLI, embedded, data/ML pipeline)
|
|
9
|
+
- **What platforms must you support?** (browsers, iOS/Android versions, OS)
|
|
10
|
+
- Who are the users and what's the scale? (internal tool vs. public; approx. traffic/DAU)
|
|
11
|
+
- What are the most critical user journeys / revenue-bearing flows?
|
|
12
|
+
|
|
13
|
+
## 2. Tech stack
|
|
14
|
+
- **Languages & frameworks** (frontend, backend, mobile)
|
|
15
|
+
- Data stores, queues, and major third-party integrations
|
|
16
|
+
- **Existing test frameworks/tools** (e.g. Jest, Pytest, Playwright, Cypress, Selenium, JUnit, k6)
|
|
17
|
+
- Repo layout: monorepo vs. polyrepo; number of services
|
|
18
|
+
|
|
19
|
+
## 3. Team & process
|
|
20
|
+
- **Team size and roles** (# engineers, # dedicated QA/SDET, PM, designers)
|
|
21
|
+
- Who owns quality today? (devs test their own work? separate QA? none?)
|
|
22
|
+
- **Release cadence & deployment** (per-commit / daily / weekly / monthly; CI/CD maturity)
|
|
23
|
+
- Branching & review model (trunk-based, PR reviews, feature branches)
|
|
24
|
+
- Ways of working (Scrum/Kanban, sprint length)
|
|
25
|
+
|
|
26
|
+
## 4. Current quality state
|
|
27
|
+
- **What testing exists today?** (unit / integration / E2E / manual / none) and rough coverage
|
|
28
|
+
- How is testing run — locally, in CI, both? Which CI system?
|
|
29
|
+
- Known pain points (flaky tests, slow suites, prod escapes, long release cycles)
|
|
30
|
+
- Bug/defect tracking tool and current escape/severity trends if known
|
|
31
|
+
|
|
32
|
+
## 5. Non-functional & risk requirements
|
|
33
|
+
- **Compliance/regulatory needs** (HIPAA, PCI-DSS, SOC 2, GDPR, accessibility/WCAG, none)
|
|
34
|
+
- Performance/load expectations and SLAs/SLOs
|
|
35
|
+
- Security testing needs (SAST/DAST, pentest cadence)
|
|
36
|
+
- Accessibility, i18n/l10n, offline, or device-specific requirements
|
|
37
|
+
- Areas where a failure would be most damaging (safety, money, data loss, reputation)
|
|
38
|
+
|
|
39
|
+
## 6. Goals & constraints
|
|
40
|
+
- **Primary goal for the next quarter** (ship faster, reduce escapes, cut flake, hit coverage/compliance)
|
|
41
|
+
- Success metrics you care about (escape rate, MTTR, lead time, coverage, flake rate)
|
|
42
|
+
- Constraints: budget for tooling/headcount, timeline, hard deadlines
|
|
43
|
+
- Appetite for change (incremental improvements vs. willing to invest in a bigger shift)
|
|
@@ -0,0 +1,66 @@
|
|
|
1
|
+
# QA Strategy — <Product / Team Name>
|
|
2
|
+
|
|
3
|
+
> Generated <date> · Owner: <name> · Status: Draft
|
|
4
|
+
|
|
5
|
+
## 0. Context snapshot
|
|
6
|
+
One paragraph summarizing the intake: product, stack, team size, cadence, and
|
|
7
|
+
current quality state. List key assumptions and any `TBD` inputs.
|
|
8
|
+
|
|
9
|
+
## 1. Quality goals & metrics
|
|
10
|
+
- Primary goal(s) this quarter (tie to the team's stated goal).
|
|
11
|
+
- Target metrics with current → target, e.g.:
|
|
12
|
+
| Metric | Now | Target |
|
|
13
|
+
|--------|-----|--------|
|
|
14
|
+
| Prod escape rate | ? | ↓ |
|
|
15
|
+
| E2E flake rate | ? | < 1% |
|
|
16
|
+
| CI feedback time | ? | < 10 min |
|
|
17
|
+
| Critical-path coverage | ? | 100% |
|
|
18
|
+
|
|
19
|
+
## 2. Risk-based test prioritization
|
|
20
|
+
Rank features/flows by **likelihood × impact**. Concentrate effort on the top
|
|
21
|
+
tier. A short table: area → risk → what coverage it warrants.
|
|
22
|
+
|
|
23
|
+
## 3. Test scope & levels
|
|
24
|
+
Recommended mix across the pyramid, justified by stack and team size:
|
|
25
|
+
- **Unit** — where, framework, target.
|
|
26
|
+
- **Integration / contract** — service boundaries, APIs, DB.
|
|
27
|
+
- **End-to-end** — only critical journeys; keep the count small.
|
|
28
|
+
- **Manual / exploratory** — what stays human (usability, edge exploration).
|
|
29
|
+
Call out if the current shape is inverted and how to rebalance.
|
|
30
|
+
|
|
31
|
+
## 4. Test types beyond functional
|
|
32
|
+
Only those the intake justifies:
|
|
33
|
+
- Performance/load · Security (SAST/DAST/pentest) · Accessibility (WCAG)
|
|
34
|
+
- Compatibility (browsers/devices) · i18n/l10n · Resilience/chaos
|
|
35
|
+
- Compliance-driven testing (HIPAA/PCI/SOC 2) with required evidence.
|
|
36
|
+
|
|
37
|
+
## 5. Automation strategy
|
|
38
|
+
- What to automate first (high-risk + high-repetition) and what not to.
|
|
39
|
+
- Recommended frameworks/tools (respect existing stack; justify changes).
|
|
40
|
+
- Test data & environment management approach.
|
|
41
|
+
- Standards: naming, structure, stable locators, no fixed sleeps, isolation.
|
|
42
|
+
|
|
43
|
+
## 6. CI/CD integration & quality gates
|
|
44
|
+
- Which suites run at which stage (pre-commit / PR / merge / nightly / release).
|
|
45
|
+
- **Merge gates**: what must pass to merge (fast smoke + unit/integration).
|
|
46
|
+
- Handling flake (quarantine, retry policy) and keeping the suite fast.
|
|
47
|
+
- Release checklist and rollback signals.
|
|
48
|
+
|
|
49
|
+
## 7. Roles & ownership
|
|
50
|
+
- Who writes, reviews, and maintains tests (dev-owned vs. QA/SDET).
|
|
51
|
+
- Bug triage flow, severity definitions, and SLAs.
|
|
52
|
+
- Definition of Done for a story to include quality criteria.
|
|
53
|
+
|
|
54
|
+
## 8. Tooling recommendations
|
|
55
|
+
Concrete tools for: test frameworks, CI, reporting/dashboards, coverage,
|
|
56
|
+
performance, security, accessibility, bug tracking. Note cost/effort and
|
|
57
|
+
whether each is adopt-now or later.
|
|
58
|
+
|
|
59
|
+
## 9. Rollout roadmap
|
|
60
|
+
Phased, with owners and success criteria — not a wish list.
|
|
61
|
+
- **Now (0–4 weeks):** 2–3 concrete first steps.
|
|
62
|
+
- **Next (1–2 months):** build-out.
|
|
63
|
+
- **Later (quarter+):** maturity, harder NFRs, scale.
|
|
64
|
+
|
|
65
|
+
## 10. Risks & open questions
|
|
66
|
+
Assumptions to validate, `TBD` inputs to resolve, and dependencies/blockers.
|