qa-workflow-cc 1.0.0

package/skills/qa/templates/security-checklist-owasp.md

@@ -0,0 +1,451 @@
+# Security Checklist -- OWASP API Top 10 (Generic Template)
+
+Category B template for QA bootstrapping. Contains the universal OWASP API Security Top 10 (2023) framework with `{{variable}}` placeholders for project-specific content.
+
+Reference: OWASP API Security Top 10 (2023) -- owasp.org/API-Security
+
+## Variables
+
+| Variable | Description | Example |
+|----------|-------------|---------|
+| `{{routerMatrix}}` | Complete list of API routers/endpoints with auth types and isolation requirements | lead.ts: 11 procedures, protected, tenantId required |
+| `{{authTypes}}` | Authentication mechanisms used in this project | Clerk JWT, Magic Link sessions, API keys |
+| `{{externalAPIs}}` | Third-party APIs consumed by the backend | Twilio, Stripe, Cloudinary, OpenAI |
+| `{{tenantIsolationField}}` | The database field used for multi-tenant isolation | orgId, tenantId, workspaceId, userId |
+| `{{projectName}}` | Name of the project | TruLine, Acme CRM |
+| `{{procedureTypes}}` | Named procedure types in the API framework | protectedProcedure, publicProcedure, adminProcedure |
+
+---
+
+## 1. Tenant Isolation Matrix (CRITICAL)
+
+Every API router/endpoint must be verified for tenant isolation using the `{{tenantIsolationField}}` field. This is the single most important security check for any multi-tenant application.
+
+Status values: `VERIFIED` / `UNVERIFIED` / `VIOLATION` / `N/A` (public endpoint)
+
+### Router Isolation Audit
+
+{{routerMatrix}}
+
+<!-- BOOTSTRAP INSTRUCTIONS:
+     Replace {{routerMatrix}} with a complete audit of every router/controller in your API.
+     To generate this list, scan your API source code for all route handlers.
+
+     For tRPC projects:
+       grep -r "router(" apps/api/src/trpc/routers/ --include="*.ts" -l
+
+     For Express/Fastify projects:
+       grep -r "router\.\(get\|post\|put\|delete\|patch\)" apps/api/src/ --include="*.ts" -l
+
+     For Next.js API routes:
+       find apps/*/app/api -name "route.ts" -o -name "route.js"
+
+     Format each router as a row in this table:
+
+| Router | File | Procedures/Endpoints | Auth Type | {{tenantIsolationField}} Required |
+|--------|------|---------------------|-----------|----------------------------------|
+| user | routers/user.ts | 5 | protected | YES -- all queries |
+| auth | routers/auth.ts | 3 | public | NO -- authentication endpoints |
+| billing | routers/billing.ts | 4 | protected | YES -- org-scoped billing |
+| webhook | routers/webhook.ts | 2 | webhook-signature | N/A -- validated via signature |
+
+     Auth type values:
+     - "protected" -- requires authenticated session
+     - "public" -- no auth required
+     - "mixed" -- some procedures public, some protected
+     - "webhook-signature" -- validated via webhook signature verification
+     - "api-key" -- validated via API key
+     - (use your project's {{authTypes}} names)
+
+     {{tenantIsolationField}} Required values:
+     - "YES -- {reason}" -- every query must filter by this field
+     - "NO -- {reason}" -- public/global data, no tenant scoping needed
+     - "MIXED -- {explanation}" -- some procedures need it, some don't
+-->
+
+### Isolation Verification Pattern
+
+For each procedure/endpoint, verify that tenant isolation is enforced at the data access layer:
+
+```
+// READ: Must include {{tenantIsolationField}} in WHERE clause
+db.model.findMany({ where: { {{tenantIsolationField}}: ctx.{{tenantIsolationField}}, ... } })
+
+// CREATE: Must set {{tenantIsolationField}} from authenticated context
+db.model.create({ data: { {{tenantIsolationField}}: ctx.{{tenantIsolationField}}, ... } })
+
+// UPDATE: Must verify ownership before updating
+const record = await db.model.findFirst({
+  where: { id, {{tenantIsolationField}}: ctx.{{tenantIsolationField}} }
+})
+if (!record) throw new AuthorizationError('Not found')
+
+// DELETE: Must verify ownership before deleting
+const record = await db.model.findFirst({
+  where: { id, {{tenantIsolationField}}: ctx.{{tenantIsolationField}} }
+})
+if (!record) throw new AuthorizationError('Not found')
+
+// TRANSACTION: Must use {{tenantIsolationField}} inside transaction
+db.$transaction(async (tx) => {
+  const record = await tx.model.findFirst({
+    where: { id, {{tenantIsolationField}}: ctx.{{tenantIsolationField}} }
+  })
+  // ...
+})
+```
+
+### Common Isolation Violations to Check
+
+| Violation Pattern | Risk | How to Detect |
+|-------------------|------|---------------|
+| Missing WHERE clause filter | Cross-tenant data leak | Search for `findMany` without `{{tenantIsolationField}}` |
+| ID-only lookups (no tenant check) | Direct object reference attack | Search for `findUnique({ where: { id } })` |
+| Aggregation without tenant scope | Cross-tenant analytics leak | Search for `aggregate`, `groupBy`, `count` without tenant filter |
+| Nested relation traversal | Indirect data leak | Check if `include` relations cross tenant boundaries |
+| Raw SQL without tenant filter | SQL injection + data leak | Search for `$queryRaw`, `$executeRaw` |
+| Batch operations without scope | Mass data modification | Search for `updateMany`, `deleteMany` without tenant filter |
+
+---
+
+## 2. Authentication Boundary Matrix
+
+### Procedure/Middleware Types
+
+{{authTypes}}
+
+<!-- BOOTSTRAP INSTRUCTIONS:
+     Replace {{authTypes}} with your project's authentication mechanisms.
+
+     Example for a project using JWT + API keys:
+
+| Type | Auth Mechanism | Context Fields Available |
+|------|---------------|------------------------|
+| `authenticatedProcedure` | Bearer JWT (Auth0/Clerk/etc.) | ctx.userId, ctx.orgId, ctx.userRole |
+| `apiKeyProcedure` | X-API-Key header | ctx.apiKeyId, ctx.orgId, ctx.scopes |
+| `webhookProcedure` | Webhook signature verification | ctx.webhookSource |
+| `publicProcedure` | None | ctx.db only |
+
+     Example for a project using session auth + magic links:
+
+| Type | Auth Mechanism | Context Fields Available |
+|------|---------------|------------------------|
+| `protectedProcedure` | Session cookie (NextAuth/Lucia) | ctx.userId, ctx.tenantId, ctx.role |
+| `magicLinkProcedure` | Token in URL -> session | ctx.customerId, ctx.tenantId |
+| `publicProcedure` | None | ctx.db only |
+
+     Example for a simple API key project:
+
+| Type | Auth Mechanism | Context Fields Available |
+|------|---------------|------------------------|
+| `authenticatedRoute` | Bearer token / API key | ctx.userId, ctx.orgId |
+| `publicRoute` | None | ctx.db only |
+-->
+
+### Auth Boundary Checks (Universal)
+
+These checks apply regardless of which authentication system you use.
+
+| Check | Test Method | Expected Result |
+|-------|-------------|-----------------|
+| Protected routes reject unauthenticated requests | Call without auth token/session | 401 UNAUTHORIZED |
+| Token expiration is enforced | Call with expired token | 401 UNAUTHORIZED |
+| Invalid tokens are rejected | Call with malformed/tampered token | 401 UNAUTHORIZED |
+| Public routes do not leak tenant data | Inspect response body of public endpoints | No tenant IDs, no user data, no internal references |
+| Role checks on privileged operations | Call admin endpoint as regular user | 403 FORBIDDEN |
+| Session invalidation works | Call after explicit logout | 401 UNAUTHORIZED |
+| Rate limiting on auth endpoints | Send 100+ requests to login/token endpoint | 429 TOO MANY REQUESTS |
+
+### Known Public Endpoints (Verify These Do Not Expose Sensitive Data)
+
+<!-- BOOTSTRAP INSTRUCTIONS:
+     List all endpoints/procedures that do NOT require authentication.
+     For each one, assess the sensitive data risk.
+
+     Example:
+
+| Router/Path | Procedure/Method | Purpose | Sensitive Data Risk |
+|------------|-----------------|---------|-------------------|
+| auth | register | User registration | LOW -- writes only |
+| auth | login | User authentication | MEDIUM -- returns token |
+| health | check | Health check endpoint | NONE -- status only |
+| webhook | stripe | Stripe webhook receiver | LOW -- signature verified |
+| public | productList | Public product listing | NONE -- public data |
+-->
+
+---
+
+## 3. OWASP API Security Top 10 (2023) Checks
+
+### API1: Broken Object Level Authorization (BOLA)
+
+The most common and impactful API vulnerability. Every endpoint that accesses a resource by ID must verify the caller owns or has permission to access that resource.
+
+| Check | How to Test |
+|-------|-------------|
+| Direct object reference | Verify `GET /resource/{id}` checks tenant ownership |
+| Nested object access | Verify `GET /parent/{id}/children` checks parent belongs to tenant |
+| Bulk operations | Verify batch status changes filter by tenant |
+| Related object traversal | Verify linked resources (parent -> child -> grandchild) maintain isolation at every level |
+| ID enumeration | Verify sequential/guessable IDs cannot be used to access other tenants' data |
+| Cross-reference integrity | Verify assigning resource A to resource B checks both belong to same tenant |
+
+#### BOLA Testing Script (Conceptual)
+
+```
+1. Authenticate as Tenant A
+2. Create a resource (get resource_id)
+3. Authenticate as Tenant B
+4. Attempt to GET /resource/{resource_id}     -> Must return 404 or 403
+5. Attempt to PUT /resource/{resource_id}     -> Must return 404 or 403
+6. Attempt to DELETE /resource/{resource_id}  -> Must return 404 or 403
+7. Attempt to list resources                  -> Must NOT include Tenant A's resources
+```
+
+### API2: Broken Authentication
+
+| Check | How to Test |
+|-------|-------------|
+| Token/session validation | Verify auth is validated on every protected request |
+| Token/session expiration | Verify expired credentials are rejected |
+| Session invalidation on logout | Verify tokens/sessions are revoked on logout |
+| Credential stuffing protection | Verify rate limiting on login/auth endpoints |
+| Sensitive tokens not in URLs | Verify tokens are not passed as URL query parameters (except one-time use) |
+| Token not in server logs | Verify auth tokens are redacted in application logs |
+| Password/credential rotation | Verify API keys can be rotated without downtime |
+
+### API3: Broken Object Property Level Authorization
+
+| Check | How to Test |
+|-------|-------------|
+| Mass assignment prevention | Verify input schemas restrict writable fields (no extra fields accepted) |
+| Excessive data exposure | Verify responses do not include internal fields (createdById, internalNotes, etc.) |
+| Role-based field access | Verify regular users cannot set privileged fields (role, permissions, billing tier) |
+| Partial update restrictions | Verify PATCH endpoints only allow updating permitted fields |
+| Hidden field injection | Send unexpected fields in request body, verify they are ignored |
+
+### API4: Unrestricted Resource Consumption
+
+| Check | How to Test |
+|-------|-------------|
+| Pagination limits enforced | All list queries have a maximum limit (e.g., 100 items) |
+| Upload size limits | File uploads have size caps enforced server-side |
+| Query complexity bounds | No unbounded JOINs, recursive queries, or unlimited aggregations |
+| Rate limiting on all public endpoints | Public endpoints return 429 after threshold |
+| Request body size limits | API rejects oversized payloads (e.g., > 10MB) |
+| Concurrent request limits | Per-user/per-IP connection limits enforced |
+| Timeout enforcement | Long-running requests are terminated after timeout |
+
+### API5: Broken Function Level Authorization
+
+| Check | How to Test |
+|-------|-------------|
+| Role enforcement on admin routes | Non-admin users cannot access admin-only endpoints |
+| Feature gating by subscription | Free-tier users cannot access premium features |
+| Privilege escalation prevention | Regular user cannot promote themselves to admin |
+| Horizontal privilege separation | User A cannot perform actions as User B within same tenant |
+| Method-level authorization | Verify read-only roles cannot call mutation endpoints |
+
+### API6: Unrestricted Access to Sensitive Business Flows
+
+| Check | How to Test |
+|-------|-------------|
+| Resource creation rate limiting | Cannot mass-create resources via automated scripts |
+| Transactional operation protection | Financial/billing operations have additional confirmation |
+| AI/LLM abuse prevention | Rate limit on AI generation endpoints |
+| Communication abuse prevention | Rate limit on email/SMS/notification sending |
+| Export/download throttling | Cannot bulk-export all data via repeated API calls |
+| Account creation abuse | Registration has CAPTCHA or rate limiting |
+
+### API7: Server Side Request Forgery (SSRF)
+
+| Check | How to Test |
+|-------|-------------|
+| User-supplied URL validation | Verify URLs are validated against allowlist |
+| Internal network protection | Verify requests cannot reach internal services (169.254.x.x, 10.x.x.x, localhost) |
+| URL scheme restriction | Only allow https:// (block file://, ftp://, gopher://) |
+| Redirect following | Verify redirects do not lead to internal resources |
+| Image/media URL construction | Verify CDN URLs are constructed server-side, not from user input |
+| Webhook URL validation | Verify webhook destination URLs are validated |
+| Integration callback URLs | Verify OAuth/integration callbacks use whitelisted URLs |
+
+### API8: Security Misconfiguration
+
+| Check | How to Test |
+|-------|-------------|
+| Error detail leakage | Production errors do not expose stack traces, file paths, or SQL |
+| CORS configuration | Only explicitly allowed origins can make cross-origin requests |
+| Debug endpoints in production | Test/debug endpoints are disabled or gated in production |
+| Default credentials | No hardcoded API keys, passwords, or tokens in source code |
+| HTTPS enforcement | All production traffic requires HTTPS, HTTP redirects to HTTPS |
+| Security headers | X-Content-Type-Options, X-Frame-Options, CSP, HSTS present |
+| Server version headers | Server software version not exposed in response headers |
+| Directory listing disabled | Web server does not expose directory listings |
+| Source maps in production | JavaScript source maps not publicly accessible |
+
+#### Security Headers Checklist
+
+| Header | Expected Value |
+|--------|---------------|
+| `Strict-Transport-Security` | `max-age=31536000; includeSubDomains` |
+| `X-Content-Type-Options` | `nosniff` |
+| `X-Frame-Options` | `DENY` or `SAMEORIGIN` |
+| `Content-Security-Policy` | Appropriate CSP for your app |
+| `Referrer-Policy` | `strict-origin-when-cross-origin` |
+| `Permissions-Policy` | Restrict unused browser features |
+| `X-XSS-Protection` | `0` (rely on CSP instead) |
+
+### API9: Improper Inventory Management
+
+| Check | How to Test |
+|-------|-------------|
+| No unused/deprecated endpoints mounted | Audit all registered routes against active features |
+| Debug/test procedures gated | Test endpoints (ping, health-debug, test-error) gated behind env flag |
+| API documentation not exposed | Swagger/OpenAPI docs not publicly accessible in production |
+| Old API versions decommissioned | No /v1/ routes serving data if /v2/ is current |
+| Shadow/undocumented endpoints | All endpoints appear in the route inventory |
+| Orphaned middleware | No authentication middleware that is registered but not enforcing |
+
+### API10: Unsafe Consumption of APIs
+
+{{externalAPIs}}
+
+<!-- BOOTSTRAP INSTRUCTIONS:
+     Replace {{externalAPIs}} with checks for each third-party API your project consumes.
+
+     For each external API, verify:
+     1. Response validation -- do you validate the structure before using the data?
+     2. Error handling -- do you handle malformed/unexpected responses gracefully?
+     3. Credential security -- are API keys stored in env vars, not code?
+     4. Webhook signature verification -- if receiving webhooks, do you verify signatures?
+     5. Timeout handling -- do you set timeouts on outbound requests?
+     6. Data sanitization -- do you sanitize data from external APIs before storing/displaying?
+
+     Example:
+
+| External API | Response Validated | Webhook Signature Verified | Timeout Set | Credentials in Env |
+|-------------|-------------------|---------------------------|-------------|-------------------|
+| Stripe | Verify event structure | Yes (stripe-signature header) | 10s | Yes (STRIPE_SECRET_KEY) |
+| OpenAI/Anthropic | Handle malformed AI responses | N/A | 30s | Yes (OPENAI_API_KEY) |
+| Twilio | Validate webhook body | Yes (X-Twilio-Signature) | 10s | Yes (TWILIO_AUTH_TOKEN) |
+| Cloudinary | Validate upload response | N/A | 15s | Yes (CLOUDINARY_API_SECRET) |
+| SendGrid/Brevo | Validate send response | Yes (if receiving events) | 10s | Yes (SENDGRID_API_KEY) |
+| AWS S3 | Validate presigned URL response | N/A | 10s | Yes (AWS credentials) |
+
+     If your project consumes no external APIs, replace this section with:
+     "No external APIs consumed. This section is not applicable."
+-->
+
+---
+
+## 4. Data Protection Checks (Universal)
+
+These checks apply to every project regardless of technology stack.
+
+| Check | How to Verify | Severity if Violated |
+|-------|---------------|---------------------|
+| PII not logged in plain text | Search logs for email/phone patterns; review logging middleware | Critical |
+| Secrets in environment variables, not code | `grep -r "sk_live\|password\|secret" --include="*.ts" --include="*.js"` | Critical |
+| Session tokens stored securely | Verify HttpOnly, Secure, SameSite cookie flags | Major |
+| No custom password hashing | Use auth provider's hashing; verify no bcrypt/argon2 DIY code | Major |
+| Data retention policies implemented | Verify cleanup jobs for old sessions, logs, temporary data | Minor |
+| PII encryption at rest | Verify sensitive fields are encrypted in database or use encrypted storage | Major |
+| Backup security | Database backups encrypted, access-controlled | Major |
+| Data export controls | User data export (GDPR) does not leak other users' data | Critical |
+| Soft delete for audit trail | Verify hard deletes are not used for auditable records | Minor |
+| Input sanitization | Verify HTML/script injection is prevented in user inputs | Major |
+
+### Secrets Scanning Checklist
+
+| Pattern to Search For | What It Indicates |
+|-----------------------|-------------------|
+| `sk_live_`, `sk_test_` | Stripe API keys in code |
+| `AKIA`, `ASIA` | AWS access keys in code |
+| `ghp_`, `gho_` | GitHub tokens in code |
+| `-----BEGIN RSA PRIVATE KEY-----` | Private keys in code |
+| `password`, `passwd`, `pwd` (as string values) | Hardcoded passwords |
+| `Bearer ` (in source, not test files) | Hardcoded auth tokens |
+| `.env` files committed to git | Environment file exposure |
+| Base64-encoded secrets | Obfuscated but not secured credentials |
+
+---
+
+## 5. Severity Guide for Security Findings (Universal)
+
+| Severity | Definition | Response Time | Release Impact |
+|----------|-----------|---------------|----------------|
+| **Critical** | Cross-tenant data access, authentication bypass, data leak to unauthorized party, remote code execution | Fix immediately. Stop all other work. | Blocks release unconditionally. |
+| **Major** | Missing auth on sensitive route, weak input validation on mutation, CSRF vulnerability, privilege escalation | Fix before release. | Blocks release. |
+| **Minor** | Missing rate limit on non-sensitive endpoint, verbose error messages in production, minor information disclosure | Fix within 1 sprint. | Does not block release. |
+| **Info** | Best practice suggestion, defense-in-depth improvement, future-proofing recommendation | Track in backlog. | Does not block release. |
+
+### Escalation Matrix
+
+| Finding | Action |
+|---------|--------|
+| Any Critical finding | Immediately notify project lead. Halt deploys until fixed. |
+| 3+ Major findings in same area | Consider architectural review of that module. |
+| Pattern of Minor findings | Investigate root cause (e.g., missing middleware, incomplete code review). |
+| External dependency vulnerability | Check if exploitable in current usage; upgrade if yes. |
+
+---
+
+## 6. Testing Methodology
+
+### Static Analysis (Code Review)
+
+For each router/controller in `{{routerMatrix}}`:
+
+1. Open the source file
+2. List every procedure/endpoint
+3. For each procedure, verify:
+   - [ ] Authentication middleware is applied (or intentionally public)
+   - [ ] `{{tenantIsolationField}}` is in every database query WHERE clause
+   - [ ] Input is validated with a schema (Zod, Joi, class-validator, etc.)
+   - [ ] Output does not include internal-only fields
+   - [ ] Error handling does not leak internal details
+   - [ ] No raw SQL without parameterization
+
+### Dynamic Testing (Runtime)
+
+1. Set up two test tenant accounts (Tenant A and Tenant B)
+2. For each protected endpoint:
+   - [ ] Call as Tenant A, verify success
+   - [ ] Call as Tenant B with Tenant A's resource IDs, verify rejection
+   - [ ] Call without authentication, verify rejection
+3. For each public endpoint:
+   - [ ] Verify response contains no tenant-specific data
+   - [ ] Verify rate limiting is active
+4. For each webhook endpoint:
+   - [ ] Send request without valid signature, verify rejection
+   - [ ] Send request with valid signature, verify acceptance
+
+### Automated Scanning
+
+| Tool | Purpose | Run Frequency |
+|------|---------|---------------|
+| npm audit / pnpm audit | Dependency vulnerability scan | Every CI run |
+| Semgrep / ESLint security rules | Static code analysis | Every CI run |
+| OWASP ZAP (lightweight scan) | Dynamic application security testing | Weekly or pre-release |
+| Trivy / Snyk | Container and dependency scanning | Every CI run |
+| git-secrets / trufflehog | Secrets detection in git history | Every CI run |
+
+---
+
+## Report Format
+
+When reporting security audit findings, use this format for each finding:
+
+```
+### SEC-{NNN}: {Finding Title}
+
+- **OWASP Category:** API{1-10} -- {Category Name}
+- **Severity:** Critical / Major / Minor / Info
+- **Router/Endpoint:** {router name or endpoint path}
+- **File:** {file path}:{line number}
+- **Description:** {what the vulnerability is}
+- **Proof of Concept:** {steps to reproduce or code showing the issue}
+- **Impact:** {what an attacker could do}
+- **Remediation:** {specific fix with code example}
+- **Status:** OPEN / FIXED / ACCEPTED RISK
+```

package/skills/qa/templates/stop-points/bootstrap-complete.md

@@ -0,0 +1,36 @@
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+ QA ► BOOTSTRAP COMPLETE
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+**{project.name}** — {N} files generated
+
+| Category | Details |
+|----------|---------|
+| Apps | {app list with frameworks} |
+| Test runner | {testRunner} / E2E: {e2eFramework} |
+| Auth | {authMethods} / Multi-tenant: {yes/no} |
+| PRD | {found at path / not found — testing inferred features} |
+| Domain | {domain label} |
+| Anthropic docs | {Verified current / Using local copies} |
+
+---
+
+## ▶ Next Up
+
+**QA Cycle 1** — full test suite against {N} feature categories
+
+`/qa:full`
+
+<sub>`/clear` first → fresh context window</sub>
+
+---
+
+**Also available:**
+- `/qa:full api` — API/backend tests only
+- `/qa:full security` — security audit only
+- `/qa:full ux` — UX heuristic evaluation only
+- `/qa:status` — check current state
+
+---
+If session interrupted → `/qa:resume`
+---

package/skills/qa/templates/stop-points/certified.md

@@ -0,0 +1,25 @@
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+ QA ► CERTIFIED ✓
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+**{project.name}** — QA complete in {N} cycle(s)
+
+{pass}/{total} tests passing ({percent}%)
+All exit criteria met
+
+| Gate | Threshold | Result |
+|------|-----------|--------|
+{for each gate: threshold, actual value, ✓}
+
+Certification: `docs/qa-reports/final-certification-{date}.md`
+
+---
+
+## ✓ QA Complete
+
+**Also available:**
+- `/qa:full cycle-{N+1}` — start a new cycle (regression testing after changes)
+- `/qa:status` — review full cycle history
+- `cat docs/qa-reports/final-certification-{date}.md` — view certification report
+
+---

package/skills/qa/templates/stop-points/escalated.md

@@ -0,0 +1,32 @@
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+ QA ► BLOCKED — MANUAL INTERVENTION NEEDED
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+**Cycle {N}:** {pass}/{total} passing ({percent}%)
+**Stuck defects:** {n} defects unchanged across {m} cycles
+
+### Stuck Defects
+
+{For each stuck defect:}
+- **{defect-id}** ({severity}): {description}
+  Attempted: {what was tried across cycles}
+
+Analysis: `docs/qa-reports/escalation-cycle-{N}.md`
+
+---
+
+## ▶ Next Up
+
+**Manual intervention required.** After resolving stuck defects:
+
+`/qa:full cycle-{N+1}`
+
+<sub>`/clear` first → fresh context window</sub>
+
+---
+
+**Also available:**
+- `cat docs/qa-reports/escalation-cycle-{N}.md` — full escalation analysis
+- `/qa:status` — review cycle history and defect trends
+
+---

package/skills/qa/templates/stop-points/fix-ready.md

@@ -0,0 +1,43 @@
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+ QA ► CYCLE {N} — FIX PLAN READY
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+**Cycle {N}:** {pass}/{total} passing ({percent}%)
+
+| Severity | Count |
+|----------|-------|
+| Critical | {n} |
+| Major | {n} |
+| Minor | {n} |
+| Cosmetic | {n} |
+
+### Fix Plan Summary
+
+{For each fix batch:}
+**P{X} Batch** ({n} fixes):
+{For each fix: one-line summary — severity, file, approach}
+
+Full report: `docs/qa-reports/cycle-{N}-{date}.md`
+Fix plan: `docs/qa-reports/fix-plan-cycle-{N}.md`
+
+---
+
+## ▶ Next Up
+
+**Execute fixes** — applies {N} fixes, verifies each, then re-tests automatically
+
+`/qa:continue`
+
+<sub>`/clear` first → fresh context window</sub>
+
+---
+
+**Also available:**
+- `cat docs/qa-reports/fix-plan-cycle-{N}.md` — review full fix plan before approving
+- `cat docs/qa-reports/cycle-{N}-{date}.md` — review full test report
+- `/qa:full cycle-{N}` — re-test without fixing (if you made manual changes)
+- `/qa:status` — check current state
+
+---
+If session interrupted → `/qa:resume`
+---

package/skills/qa/templates/stop-points/phase-transition.md

@@ -0,0 +1,4 @@
+───────────────────────────────────────────────────────────────
+Phase {X} complete → continuing autonomously to Phase {Y}...
+If session interrupted → `/qa:resume`
+───────────────────────────────────────────────────────────────

package/skills/qa/templates/stop-points/status-dashboard.md

@@ -0,0 +1,32 @@
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+ QA ► STATUS
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+**{project.name}** — Cycle {N}, Phase: {phase label}
+
+| Cycle | Date | Pass Rate | Defects | Verdict |
+|-------|------|-----------|---------|---------|
+{for each cycle: summary row}
+
+**Current state:** {human-readable phase description}
+**Blocked defects:** {n} ({list if any})
+
+---
+
+## ▶ Next Action
+
+{Based on current state.phase:}
+
+- bootstrap_complete → `/qa:full` — start first QA cycle
+- testing → `/qa:resume` — test agents may still be running
+- testing_complete → `/qa:resume` — consolidate results
+- reporting_complete → `/qa:resume` — evaluate exit criteria
+- awaiting_fix_approval → `/qa:continue` — execute approved fixes
+- fixing → `/qa:resume` — resume fix execution
+- verifying → `/qa:resume` — resume verification
+- certified → `/qa:full cycle-{N+1}` — start new cycle
+- escalated → review `docs/qa-reports/escalation-cycle-{N}.md`
+
+<sub>`/clear` first → fresh context window</sub>
+
+---