qa-workflow-cc 1.0.0

package/skills/qa/templates/domain-research-queries.md

@@ -0,0 +1,101 @@
+# Domain Research Query Templates
+
+Used by B2 research agents during bootstrap. Variables like `{version}` and `{year}` are substituted at runtime from the detected profile and current date.
+
+---
+
+## By Framework
+
+| Framework | Testing Queries |
+|-----------|----------------|
+| nextjs | `"Next.js {version} testing best practices {year}"`, `"Next.js App Router testing patterns vitest {year}"` |
+| expo | `"Expo React Native testing patterns {year}"`, `"React Native Testing Library best practices {year}"` |
+| fastify | `"Fastify API testing vitest {year}"`, `"Fastify route testing patterns"` |
+| express | `"Express.js API testing patterns {year}"`, `"supertest express integration testing"` |
+| remix | `"Remix testing best practices {year}"`, `"Remix loader action testing patterns"` |
+| astro | `"Astro component testing {year}"`, `"Astro SSG testing patterns"` |
+| nuxt | `"Nuxt 3 testing best practices {year}"`, `"Nuxt vitest component testing"` |
+
+## By Test Runner
+
+| Runner | Queries |
+|--------|---------|
+| vitest | `"vitest best practices advanced patterns {year}"` |
+| jest | `"jest testing patterns {year} performance"` |
+| playwright | `"Playwright E2E testing patterns {year}"`, `"Playwright component testing best practices"` |
+| cypress | `"Cypress testing patterns {year}"`, `"Cypress component testing best practices"` |
+
+## By Auth Provider
+
+| Provider | Security Queries |
+|----------|-----------------|
+| supabase | `"Supabase RLS security best practices"`, `"Supabase Row Level Security testing patterns"` |
+| clerk | `"Clerk authentication testing patterns"`, `"Clerk JWT security best practices"` |
+| next-auth | `"NextAuth.js security best practices {year}"`, `"NextAuth session testing"` |
+| passport | `"Passport.js security audit checklist"`, `"Passport strategy testing patterns"` |
+
+## By ORM
+
+| ORM | Security Queries |
+|-----|-----------------|
+| prisma | `"Prisma security best practices {year}"`, `"Prisma query injection prevention"` |
+| drizzle | `"Drizzle ORM security patterns"`, `"Drizzle query safety best practices"` |
+| mongoose | `"Mongoose NoSQL injection prevention"`, `"MongoDB security best practices {year}"` |
+
+## By Domain
+
+### safety-critical
+
+| Category | Queries |
+|----------|---------|
+| Testing | `"crisis app testing methodology"`, `"safety-critical web application QA"`, `"accessibility testing for vulnerable populations"` |
+| Security | `"DV survivor app privacy requirements"`, `"safety app browser history clearing"`, `"no-tracking web application privacy"` |
+| UX | `"crisis UX patterns stress-aware design"`, `"trauma-informed design principles"`, `"quick exit button UX best practices"` |
+
+### healthcare
+
+| Category | Queries |
+|----------|---------|
+| Testing | `"HIPAA compliance testing checklist"`, `"healthcare application QA methodology"` |
+| Security | `"healthcare app security audit HIPAA"`, `"PHI encryption at rest and transit requirements"`, `"BAA compliance third-party services"` |
+| UX | `"healthcare UX accessibility best practices"`, `"patient portal usability standards"` |
+
+### e-commerce
+
+| Category | Queries |
+|----------|---------|
+| Testing | `"e-commerce testing checkout flows best practices"`, `"payment integration testing patterns"` |
+| Security | `"PCI DSS compliance web application"`, `"e-commerce security audit checklist {year}"`, `"payment tokenization best practices"` |
+| UX | `"e-commerce conversion UX best practices {year}"`, `"checkout flow optimization patterns"` |
+
+### multi-tenant-saas
+
+| Category | Queries |
+|----------|---------|
+| Testing | `"multi-tenant data isolation testing methodology"`, `"SaaS application testing patterns"` |
+| Security | `"SaaS security tenant isolation best practices"`, `"multi-tenant authorization testing"`, `"cross-tenant data leak prevention"` |
+| UX | `"SaaS dashboard UX patterns {year}"`, `"multi-tenant admin panel best practices"` |
+
+### education
+
+| Category | Queries |
+|----------|---------|
+| Testing | `"LMS application testing methodology"`, `"FERPA compliance testing checklist"` |
+| Security | `"education app FERPA security requirements"`, `"student data privacy best practices"` |
+| UX | `"educational platform accessibility WCAG"`, `"LMS usability best practices"` |
+
+### fintech
+
+| Category | Queries |
+|----------|---------|
+| Testing | `"fintech application testing methodology"`, `"financial transaction testing patterns"` |
+| Security | `"fintech security audit checklist {year}"`, `"KYC AML compliance testing"`, `"transaction integrity testing"` |
+| UX | `"fintech UX trust signals best practices"`, `"banking application accessibility standards"` |
+
+### general
+
+| Category | Queries |
+|----------|---------|
+| Testing | `"web application testing best practices {year}"`, `"modern frontend testing patterns"` |
+| Security | `"OWASP web application security {year}"`, `"OWASP Top 10 testing methodology"` |
+| UX | `"WCAG 2.2 compliance checklist {year}"`, `"web accessibility best practices {year}"` |

package/skills/qa/templates/domain-security-profiles.md

@@ -0,0 +1,182 @@
+# Security Profiles by Domain
+
+Used during B6 agent generation. The matching domain profile is injected into `{{SECURITY_PROFILE}}` in the qa-security-auditor agent alongside (not replacing) the existing tenant isolation audit.
+
+---
+
+## safety-critical
+
+**Priority:** Privacy > Session Security > Data Integrity
+
+### Must-Verify Checklist
+
+- [ ] No user tracking or analytics scripts (Google Analytics, Mixpanel, etc.)
+- [ ] No fingerprinting libraries or behavioral tracking
+- [ ] Session data clears completely on exit/quick-exit
+- [ ] Browser history uses `replaceState` not `pushState` for sensitive pages
+- [ ] No persistent `localStorage` or `sessionStorage` with identifiable data
+- [ ] CSP headers configured — no inline scripts, no unsafe-eval
+- [ ] Referrer policy set to `no-referrer` or `same-origin`
+- [ ] Quick exit button does not leave breadcrumbs (no confirmation dialogs, immediate redirect)
+- [ ] No auto-complete on sensitive form fields
+- [ ] Metadata (page titles, tab names) does not reveal app purpose when visible to others
+- [ ] External links open in new tab with `rel="noopener noreferrer"`
+- [ ] No geolocation or camera/microphone access unless explicitly consented
+- [ ] Error messages do not reveal internal system details
+
+### Severity Adjustments
+
+Any tracking/privacy violation → **Critical** (not Minor)
+Session data persistence after exit → **Critical**
+Missing quick exit → **Major**
+
+---
+
+## healthcare
+
+**Priority:** HIPAA Compliance > Audit Logging > Access Control
+
+### Must-Verify Checklist
+
+- [ ] PHI encrypted at rest (database-level encryption or field-level)
+- [ ] PHI encrypted in transit (TLS 1.2+ enforced)
+- [ ] Access logging for all PHI read/write operations
+- [ ] Audit trail immutable and tamper-evident
+- [ ] BAA compliance verified for all third-party services handling PHI
+- [ ] Minimum necessary access principle enforced (role-based access)
+- [ ] Session timeout for inactive users (configurable, default 15 min)
+- [ ] PHI not included in error messages, logs, or stack traces
+- [ ] Data export includes only authorized fields
+- [ ] De-identification applied when PHI used for analytics
+- [ ] Breach notification mechanism exists
+
+### Severity Adjustments
+
+PHI exposure without encryption → **Critical**
+Missing audit log for PHI access → **Critical**
+BAA missing for PHI-handling service → **Major**
+
+---
+
+## e-commerce
+
+**Priority:** PCI DSS > Payment Security > Customer Data Protection
+
+### Must-Verify Checklist
+
+- [ ] Payment card data NEVER stored client-side (not even temporarily)
+- [ ] PCI DSS compliance for checkout flow (tokenized processing)
+- [ ] Payment forms served over HTTPS with valid certificates
+- [ ] Credit card fields use dedicated iframes (Stripe Elements, etc.)
+- [ ] Order confirmation does not display full card number
+- [ ] Secure session management during checkout (no session fixation)
+- [ ] CSRF protection on all payment endpoints
+- [ ] Rate limiting on checkout/payment endpoints
+- [ ] Price manipulation prevented (server-side validation of totals)
+- [ ] Inventory race conditions handled (optimistic locking or reservations)
+- [ ] Refund/void operations require elevated authorization
+
+### Severity Adjustments
+
+Payment data stored client-side → **Critical**
+Price manipulation possible → **Critical**
+Missing CSRF on payment endpoints → **Critical**
+
+---
+
+## multi-tenant-saas
+
+**Priority:** Tenant Isolation > Authorization > Authentication
+
+### Must-Verify Checklist
+
+- [ ] Every database query filters by tenant field from authenticated context
+- [ ] No cross-tenant data leaks in list views, detail views, or search results
+- [ ] Tenant field set on all CREATE operations from authenticated context
+- [ ] UPDATE/DELETE operations verify record belongs to authenticated tenant
+- [ ] Admin vs user role separation enforced at API level
+- [ ] API rate limiting applied per tenant (not just per IP)
+- [ ] Tenant-scoped file uploads (no shared storage without isolation)
+- [ ] Invitation/sharing flows validate target tenant context
+- [ ] Webhook payloads include tenant context for verification
+- [ ] Database indexes include tenant field for performance
+- [ ] Raw SQL queries (if any) include tenant filter
+
+### Severity Adjustments
+
+Cross-tenant data access → **Critical**
+Missing tenant filter on any query → **Critical**
+Role bypass (user accessing admin) → **Critical**
+
+---
+
+## education
+
+**Priority:** FERPA Compliance > Student Data Privacy > Access Control
+
+### Must-Verify Checklist
+
+- [ ] Student records (PII) encrypted at rest and in transit
+- [ ] Parental consent mechanisms for minors (if applicable)
+- [ ] Directory information opt-out respected
+- [ ] Access limited to "legitimate educational interest"
+- [ ] Student data not shared with third parties without consent
+- [ ] Grades/assessments visible only to authorized roles
+- [ ] Audit trail for student record access
+- [ ] Data retention policies enforced (auto-deletion after period)
+- [ ] Export functionality limited to authorized administrators
+
+### Severity Adjustments
+
+Student PII exposure → **Critical**
+Unauthorized grade access → **Critical**
+Missing parental consent for minors → **Major**
+
+---
+
+## fintech
+
+**Priority:** Transaction Integrity > KYC/AML Compliance > Audit Trail
+
+### Must-Verify Checklist
+
+- [ ] Transaction operations are atomic and idempotent
+- [ ] Idempotency keys enforced on all mutation endpoints
+- [ ] Double-spend prevention mechanisms in place
+- [ ] KYC verification flow enforced before financial operations
+- [ ] AML screening integration for flagged transactions
+- [ ] Complete audit trail for all financial operations (immutable)
+- [ ] Monetary calculations use decimal/BigInt (not floating point)
+- [ ] Currency handling explicit (no implicit conversions)
+- [ ] Account balance reconciliation mechanisms exist
+- [ ] Withdrawal limits enforced server-side
+- [ ] API rate limiting on financial endpoints
+
+### Severity Adjustments
+
+Double-spend possible → **Critical**
+Floating-point money calculations → **Critical**
+Missing idempotency on mutations → **Major**
+KYC bypass → **Critical**
+
+---
+
+## general
+
+**Priority:** Authentication > Authorization > Input Validation
+
+### Must-Verify Checklist
+
+- [ ] OWASP Top 10 baseline checks (see security-checklist-owasp.md)
+- [ ] Input validation at all system boundaries (user input, API params)
+- [ ] Output encoding to prevent XSS
+- [ ] SQL/NoSQL injection prevention (parameterized queries)
+- [ ] Authentication tokens properly managed (HttpOnly, Secure, SameSite)
+- [ ] CORS configured to allow only expected origins
+- [ ] Error responses do not leak internal details (stack traces, DB schema)
+- [ ] Dependency audit (no known vulnerabilities in production deps)
+- [ ] Rate limiting on authentication endpoints
+
+### Severity Adjustments
+
+Standard OWASP severity mapping applies. No domain-specific adjustments.