qa-skills

Discover all screens, confirm the manifest with the user, then dispatch QA agents to every screen

Create or refresh Playwright authentication profiles for the current project

Actively tries to break the app — wrong inputs, unexpected sequences, auth bypasses, race conditions, state corruption. Finds edge cases and vulnerabilities.

Comprehensive mobile UX audit at 393x852 viewport covering iOS native feel, touch targets, Safari quirks, mobile typography, form UX, gestures, and animation quality. Applies 10-category rubric with 56 quantifiable checks and produces binary scorecard for before/after comparison.

Measures runtime Web Vitals (LCP, CLS, INP, FCP, TTFB, TBT), DOM health, resource loading, and static code anti-patterns for Next.js apps. Report-only — produces per-route metrics table, binary scorecard, and prioritized findings. No fixes applied.

Systematic security posture audit against OWASP Top 10. Measures 83 checks across 10 categories via browser inspection and code scanning. Produces weighted binary scorecard (X/83) with per-category grades. Report-only — no fixes applied.

Quick functional check of app workflows via Playwright. Walks through steps, verifies each passes, produces pass/fail report.

Thorough UX quality check of screens or workflows. Applies comprehensive rubric to spacing, states, copy, accessibility, consistency, and interactions.

Validates generated workflow markdown files independently. Runs mechanical checks, judgment observations, route coverage gaps, CRUD entity gaps, and produces validation-report.md.

Audits SaaS and usage-based web apps for adversarial usage patterns — accidental, opportunistic, and deliberate. Use this when the user says "adversarial audit", "abuse case audit", "idiot-proof this app", "find usage exploits", "business logic audit", or "how could users break this". Explores the codebase to map the economic surface area (pricing tiers, usage limits, free trials, costly resources), then generates abuse cases where user behavior — intentional or not — could break assumptions, bypass limits, amplify costs, or corrupt state. Produces a prioritized markdown report with findings, code locations, and fix recommendations, then optionally verifies findings interactively in a browser.

Generates desktop browser workflow documentation by exploring the app's codebase, then walking through the live app with the user step-by-step via Playwright to co-author verifications. Use when the user says "generate desktop workflows", "create desktop workflows", "update desktop workflows", or "generate browser workflows".

Converts desktop workflow markdown into a self-contained Playwright test project with authentication scaffolding and CI workflow. Use when the user says "convert desktop workflows to playwright", "translate desktop workflows to CI", "generate desktop playwright tests", or wants to promote desktop workflows to automated CI tests.

Analyzes an app's codebase and cross-references Google Search Console, PostHog, and Google Keyword Planner to identify low-competition keyword footholds and track expansion into adjacent terms. This skill should be used when the user says "keyword wedge", "find keyword opportunities", "seo analysis", "keyword strategy", "find search wedges", "keyword research for my app", "grow organic traffic", "what keywords should I target", "SEO for my app", "organic search strategy", or "how to rank higher". Generates markdown and HTML reports and maintains state across runs for expansion tracking.

Generates mobile browser workflow documentation by exploring the app's codebase, then walking through the live app with the user step-by-step via Playwright in a mobile viewport (393x852) to co-author verifications. Use when the user says "generate mobile workflows", "create mobile workflows", "update mobile workflows", or "generate mobile browser workflows". Produces numbered workflow markdown files that feed into the mobile converter and Playwright runner. Includes iOS HIG awareness and mobile UX anti-pattern detection.

Converts mobile workflow markdown into a self-contained Playwright test project with mobile viewports (Chromium + WebKit), authentication scaffolding, UX anti-pattern assertions, and CI workflow. Use when the user says "convert mobile workflows to playwright", "translate mobile workflows to CI", or "generate mobile playwright tests".

Converts multi-user workflow markdown into a self-contained Playwright test project with per-persona authentication, multi-context test patterns, and CI workflow. Use when the user says "convert multi-user workflows to playwright", "translate multi-user workflows to CI", or "generate multi-user playwright tests".

Executes workflow markdown files interactively via Playwright CLI, stepping through each workflow action in a real browser. Use when the user says "run workflows", "run playwright", "test workflows", "execute workflows", or wants to interactively test their app against workflow documentation. Supports desktop, mobile, and multi-user workflows with authentication.

Audits web apps for resilience against unexpected user behavior — accidental, edge-case, and chaotic. Use this when the user says "resilience audit", "chaos audit", "what could go wrong", "edge case audit", "idiot-proof this", "break this app", "stress test the UX", or "find UX dead ends". Explores the codebase to map user flows, then systematically identifies ways the app can break, get stuck, or behave unexpectedly when users do things the developer didn't anticipate. Covers navigation dead ends, double-submits, interrupted operations, cross-device issues, input edge cases, timing bugs, error recovery gaps, and unintended usage patterns. Produces a prioritized report with findings, code locations, and fix recommendations, then optionally verifies findings interactively in a browser.

Synthesizes accumulated QA learnings from .qa-learnings/ledger.md into prioritized, actionable plugin improvements. Use when the user says "review learnings", "what have we learned", "improve the plugin", "learnings report", or "synthesize QA feedback".

Filters and submits accumulated QA learnings as a GitHub issue (with optional PR) on the plugin repo. Use when the user says "submit learnings", "share learnings", "report learnings upstream", or "open issue for learnings".

Analyzes web apps for free-value trust-building opportunities — features, tools, and offerings that demonstrate genuine utility before asking for commitment. Use this when the user says "trust builder", "trust audit", "find free offerings", "free value analysis", "trust building opportunities", or "how can I build trust with users". Explores the codebase and live app, interviews the user about audience and goals, then generates a prioritized report with full mini-specs for the top trust-building features.

Load saved Playwright storageState authentication profiles before browser automation. Activates when `.playwright/profiles.json` exists and browser work begins on authenticated pages. Trigger phrases include "use profile", "load profile", "browser as [role]", "authenticated browser", "logged in browser session".