agent-skills/dogfood/references/qa-dimensions-checklist.md
Hermes Agent ccc63d1e70 first commit
2026-05-10 13:52:46 +08:00


Comprehensive QA Dimensions Checklist

Use this checklist when the user asks for "full", "complete", or "comprehensive" QA testing. Each dimension should appear as its own section in the test plan with at least one test case.

Core Functional (always cover)

  • Page loads (HTTP 200) for all public pages
  • Navigation links work (header, footer, sidebar)
  • CRUD operations (create, read, update, delete)
  • Form submissions (valid data, empty data, invalid data)
  • Search/filter functionality
  • Pagination
  • Error pages (404, 500)

Auth & Permissions

  • Login page loads and form works
  • Valid credentials → success + cookie set
  • Invalid credentials → error message
  • Logout clears cookie
  • Cross-service cookie propagation (shared domain cookies)
  • Admin pages: admin user can access
  • Admin pages: regular user gets denied
  • Admin pages: unauthenticated user redirects to login
  • RBAC: different roles see different features
  • Permission checks on API endpoints

Input Validation

  • Empty form submissions (browser validation or server error)
  • Boundary values (min/max length, special chars)
  • Password strength requirements
  • Username format validation
  • Email format validation (if applicable)
  • Invite code validation (if invite-based registration)

Security — Cookies

  • Auth cookie: HttpOnly=true
  • Auth cookie: Secure=true (production)
  • Auth cookie: SameSite=Lax or Strict
  • Auth cookie: Max-Age is reasonable (not infinite)
  • Auth cookie: Domain scope correct (e.g., .example.com for subdomains)
  • CSRF cookie: HttpOnly=false (by design, JS needs to read it)
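The cookie items above can be checked mechanically from the Set-Cookie header a login response returns. The following is an added example, not code from the repository: the attribute expectations are the checklist's, while the seven-day limit used for a "reasonable" Max-Age, the CSRF cookie name `csrftoken`, the sample headers and the function names are assumptions.

```python
"""Check a Set-Cookie header against the cookie items in the checklist.

Added example, not the project's code. The attribute expectations are the
checklist's; the seven-day Max-Age limit, the CSRF cookie name and the
function names are assumptions.
"""
from __future__ import annotations

MAX_REASONABLE_AGE = 7 * 24 * 3600   # assumption: anything beyond a week is flagged


def parse_set_cookie(header: str) -> tuple[str, str, dict[str, str | bool]]:
    """Split 'name=value; Attr=val; Flag' into (name, value, {attr: val or True})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: dict[str, str | bool] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        # Attribute names are case-insensitive; flags (Secure, HttpOnly) carry no value.
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value.strip(), attrs


def check_cookie(header: str, *, production: bool = True,
                 expected_domain: str | None = None,
                 csrf_cookie_name: str = "csrftoken") -> list[str]:
    """Return findings for one Set-Cookie header; an empty list means it passes."""
    name, _, attrs = parse_set_cookie(header)
    findings: list[str] = []

    if name == csrf_cookie_name:
        # The CSRF cookie is read by JavaScript by design, so HttpOnly would break it.
        if attrs.get("httponly"):
            findings.append("csrf cookie: HttpOnly set, JS cannot read the token")
        return findings

    if not attrs.get("httponly"):
        findings.append("auth cookie: missing HttpOnly")
    if production and not attrs.get("secure"):
        findings.append("auth cookie: missing Secure")

    samesite = str(attrs.get("samesite", "")).lower()
    if samesite not in ("lax", "strict"):
        findings.append(f"auth cookie: SameSite should be Lax or Strict, got {samesite or 'unset'}")

    max_age = attrs.get("max-age")
    if max_age is None:
        findings.append("auth cookie: no Max-Age (browser session cookie; confirm intended)")
    else:
        try:
            seconds = int(str(max_age))
        except ValueError:
            seconds = -1
        if seconds < 0:
            findings.append(f"auth cookie: Max-Age is not a non-negative integer: {max_age}")
        elif seconds > MAX_REASONABLE_AGE:
            findings.append(f"auth cookie: Max-Age {seconds}s exceeds {MAX_REASONABLE_AGE}s")

    if expected_domain is not None:
        domain = str(attrs.get("domain", "")).lower()
        if domain != expected_domain.lower():
            findings.append(f"auth cookie: Domain {domain or 'unset'} != {expected_domain}")
    return findings


if __name__ == "__main__":
    # Constructed sample header, not captured from a real service.
    sample = "sessionid=abc123; Path=/; Max-Age=315360000; SameSite=None"
    for finding in check_cookie(sample, expected_domain=".example.com"):
        print(finding)
```

Run it once per Set-Cookie header in the login response (a response can carry several); the CSRF cookie is evaluated under the inverted HttpOnly rule the checklist calls out.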

Security — CSRF

  • All state-changing POST endpoints require CSRF token
  • CSRF token matches between form field and cookie
  • CSRF token expires (check timestamp-based expiry)
  • Missing/invalid CSRF token returns 403 or error

Security — Redirect

  • redirect parameter accepts valid same-domain URLs
  • redirect parameter rejects external domains (open redirect prevention)
  • redirect parameter rejects protocol-relative URLs (//evil.com)
  • Default redirect when parameter is empty/invalid
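The four redirect checks above describe one validation routine. The following is an added example of how such a routine can be written, not code from the repository: the function name `safe_redirect_target`, the allowed-host set and the sample targets are assumptions. It goes slightly beyond the list by also normalising backslashes and dropping tab/CR/LF characters, since browsers parse those the same way they parse slashes and nothing, and by treating `///host` as protocol-relative, which browsers collapse to `//host`.

```python
"""Validate a post-login redirect parameter.

Added example, not the project's code; the function name, the allowed-host
set and the sample targets are assumptions.
"""
from __future__ import annotations

from urllib.parse import urlsplit


def safe_redirect_target(target: str | None, allowed_hosts: set[str],
                         default: str = "/") -> str:
    """Return target if it stays on an allowed host, otherwise the default.

    allowed_hosts must contain lower-case host names without ports.
    """
    if not target:
        return default
    # Browsers drop tab/CR/LF anywhere in a URL and treat '\' like '/' in the
    # authority position (WHATWG URL parsing), so normalise before deciding.
    candidate = "".join(ch for ch in target if ch not in "\t\r\n").strip()
    candidate = candidate.replace("\\", "/")
    if not candidate:
        return default
    # Protocol-relative targets: "//host", and "///host", which browsers collapse to "//host".
    if candidate.startswith("//"):
        return default
    parts = urlsplit(candidate)
    if parts.scheme:
        if parts.scheme.lower() not in ("http", "https"):
            return default            # javascript:, data: and any other scheme
        host = parts.hostname          # lower-cased, without port or userinfo
        if host is None or host not in allowed_hosts:
            return default
        return candidate
    if parts.netloc or not candidate.startswith("/"):
        return default                # bare relative paths are ambiguous; require a leading '/'
    return candidate


if __name__ == "__main__":
    # Constructed targets, as a QA run would submit them.
    hosts = {"example.com", "app.example.com"}
    for t in ["/dashboard", "//evil.com", "https://app.example.com/settings", "javascript:void(0)"]:
        print(f"{t!r} -> {safe_redirect_target(t, hosts)!r}")
```

In a test plan each of the list items maps to one call: a same-domain path, an external absolute URL, a protocol-relative URL, and an empty parameter, each asserted against the value the login view actually redirects to.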

Security — Rate Limiting

  • Login rate limit (e.g., 5/minute per IP)
  • Registration rate limit (e.g., 5/hour per IP)
  • API rate limits (comments, likes, uploads)
  • Account lockout after N failed attempts
  • IP-based lockout after N failed attempts
  • Rate limit returns 429 status

Security — File Upload

  • Allowed file types enforced (extension check)
  • File size limit enforced
  • Filename sanitized (no path traversal)
  • Uploaded files stored safely (UUID names, outside web root or in controlled dir)
  • Image processing (resize, format conversion) doesn't crash on malformed files

Security — Input Injection

  • XSS: user input rendered as text, not HTML (test <script>alert(1)</script>)
  • Path traversal: slug validation prevents ../ sequences
  • SQL injection: parameterized queries (verify from source code)
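The File Upload items (sanitised filename, UUID names, size and extension limits) and the path-traversal item in this section both come down to the same rule: nothing derived from user input may select a location outside a controlled directory. The following added example, which is not the repository's code, shows one implementation of both; the directory names, the allowed-extension set, the 5 MiB limit and the function names are assumptions.

```python
"""Upload naming and slug validation that cannot leave the controlled directory.

Added example, not the project's code; the directory names, the allowed
extensions, the size limit and the function names are assumptions.
"""
from __future__ import annotations

import os
import re
import uuid
from pathlib import Path

ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".pdf"}   # assumption
MAX_UPLOAD_BYTES = 5 * 1024 * 1024                               # assumption: 5 MiB
# Lower-case words separated by single hyphens; no dots, slashes or other characters.
SLUG_RE = re.compile(r"[a-z0-9]+(?:-[a-z0-9]+)*")


def is_inside(base: Path, candidate: Path) -> bool:
    """True if candidate resolves to a location strictly inside base."""
    base = base.resolve()
    candidate = candidate.resolve()
    return base in candidate.parents


def safe_upload_name(original_name: str) -> str | None:
    """Return a fresh UUID-based name that keeps only a vetted extension, or None.

    Only the extension of the client-supplied name is used; the rest is
    discarded, so a name like '../../etc/passwd' never reaches the filesystem.
    """
    ext = os.path.splitext(os.path.basename(original_name.replace("\\", "/")))[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return None
    return f"{uuid.uuid4().hex}{ext}"


def plan_upload(upload_dir: str, original_name: str, data: bytes) -> Path | None:
    """Decide where an upload would be written; None means it is rejected."""
    if len(data) > MAX_UPLOAD_BYTES:
        return None
    name = safe_upload_name(original_name)
    if name is None:
        return None
    base = Path(upload_dir)
    target = base / name
    if not is_inside(base, target):    # cannot fail for a UUID name; kept as a guard
        return None
    return target


def store_upload(upload_dir: str, original_name: str, data: bytes) -> Path | None:
    target = plan_upload(upload_dir, original_name, data)
    if target is not None:
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return target


def is_valid_slug(slug: str, max_len: int = 80) -> bool:
    return 0 < len(slug) <= max_len and SLUG_RE.fullmatch(slug) is not None


def content_path(content_dir: str, slug: str) -> Path | None:
    """Map a URL slug to a file under content_dir, rejecting anything that escapes it."""
    if not is_valid_slug(slug):
        return None
    base = Path(content_dir)
    target = base / f"{slug}.md"
    if not is_inside(base, target):    # second line of defence behind the regex
        return None
    return target


if __name__ == "__main__":
    # Constructed inputs, as a QA run would submit them.
    for slug in ["hello-world", "../../etc/passwd", "Hello"]:
        print(f"{slug!r} -> {content_path('content', slug)}")
    print(plan_upload("uploads", "..\\..\\photo.PNG", b"\x89PNG"))
```

The extension check alone is what the checklist asks for; a stricter deployment would additionally sniff the file's magic bytes before accepting it, which this example leaves out.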

Session & Token

  • Token expiration: expired token redirects to login
  • Token format validation (reject malformed tokens)
  • Role changes: DB role takes precedence over token role
  • Token max-age from configuration

Content & Rendering

  • Empty state (no content) shows appropriate message
  • Long content doesn't break layout
  • Special characters (CJK, emoji, HTML entities) render correctly
  • Markdown rendering (code blocks, tables, lists)
  • LaTeX/MathJax rendering (if applicable)
  • Code syntax highlighting (if applicable)

Encoding

  • No BOM markers in HTML templates (ef bb bf)
  • No leading whitespace before <!DOCTYPE>
  • UTF-8 charset declared in meta tag
  • Python source files: no BOM

SEO & Metadata

  • <title> tag present and descriptive on each page
  • <meta name="description"> present
  • Open Graph tags (og:title, og:description, og:url, og:image)
  • Twitter Card tags
  • Canonical URL (<link rel="canonical">)
  • robots.txt exists
  • sitemap.xml exists and is valid
  • RSS feed (if blog) exists and is valid XML

Accessibility

  • All <img> have alt text (or aria-hidden for decorative)
  • No user-scalable=no in viewport meta
  • Sufficient color contrast (text vs background)
  • Skip-to-content link (visually hidden)
  • Keyboard navigation: Tab order logical
  • ARIA labels on interactive elements without visible text
  • Form labels associated with inputs

Performance

  • All static assets return 200 (CSS, JS, images)
  • No broken links (404s in static resources)
  • CDN reliability (especially for users in China — jsDelivr may timeout)
  • Page load doesn't hang on slow external resources
  • Resource count reasonable (no excessive requests)

Responsive Design

  • Layout at 375px (mobile) — no horizontal overflow
  • Layout at 768px (tablet) — breakpoint works
  • Layout at 1440px (desktop) — content centered
  • Touch targets large enough (44x44px minimum)

Cross-Browser

  • Chrome/Chromium rendering
  • Firefox rendering
  • Safari rendering (WebKit differences)
  • Edge rendering

Operations

  • /health endpoint returns {"status":"ok"} per service
  • 404 page is custom (not default framework error)
  • 500 errors don't leak stack traces to users
  • Audit log captures admin actions (verify from source)
  • Audit log captures login attempts (success/failure)

Consistency (cross-service)

  • All pages include same CSS files (mobile.css, etc.)
  • All pages include same JS files (loader.js, etc.)
  • All pages have site-wide navigation bar
  • All pages have same security headers
  • All pages have same viewport meta

Security Headers

  • X-Content-Type-Options: nosniff
  • X-Frame-Options: DENY
  • Referrer-Policy: strict-origin-when-cross-origin
  • Content-Security-Policy present and reasonable
  • No unsafe-eval in CSP (check for 'unsafe-eval')
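The header values above, and the "all pages have same security headers" item in the Consistency section, can be verified from a dictionary of response headers per page. The following is an added example, not the repository's code: the expected values are the checklist's, while the reading of "reasonable" CSP (a default-src fallback, no 'unsafe-eval', no 'unsafe-inline' and no wildcard script source), the sample headers and the function names are assumptions.

```python
"""Check security headers per page and their consistency across pages.

Added example, not the project's code. The expected values are the
checklist's; the CSP "reasonable" rules and the function names are assumptions.
"""
from __future__ import annotations

EXPECTED_HEADERS = {
    "x-content-type-options": "nosniff",
    "x-frame-options": "DENY",
    "referrer-policy": "strict-origin-when-cross-origin",
}
CSP_HEADER = "content-security-policy"


def parse_csp(csp: str) -> dict[str, list[str]]:
    """Split a CSP value into {directive: [sources]}; directive names are case-insensitive."""
    directives: dict[str, list[str]] = {}
    for raw in csp.split(";"):
        tokens = raw.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def check_csp(csp: str) -> list[str]:
    findings: list[str] = []
    d = parse_csp(csp)
    if "default-src" not in d:
        findings.append("csp: no default-src fallback")
    # script-src falls back to default-src when it is absent.
    script_sources = [s.lower() for s in d.get("script-src", d.get("default-src", []))]
    for bad in ("'unsafe-eval'", "'unsafe-inline'", "*"):
        if bad in script_sources:
            findings.append(f"csp: {bad} allowed for scripts")
    return findings


def check_security_headers(headers: dict[str, str]) -> list[str]:
    """Return findings for one response; an empty list means all checks pass."""
    lowered = {k.lower(): v.strip() for k, v in headers.items()}
    findings: list[str] = []
    for name, want in EXPECTED_HEADERS.items():
        got = lowered.get(name)
        if got is None:
            findings.append(f"missing {name}")
        elif got.lower() != want.lower():
            findings.append(f"{name}: expected {want!r}, got {got!r}")
    csp = lowered.get(CSP_HEADER)
    if csp is None:
        findings.append(f"missing {CSP_HEADER}")
    else:
        findings.extend(check_csp(csp))
    return findings


def compare_across_pages(per_page: dict[str, dict[str, str]]) -> list[str]:
    """Consistency item: report pages whose security headers differ from the first page's."""
    names = list(EXPECTED_HEADERS) + [CSP_HEADER]

    def profile(headers: dict[str, str]) -> tuple:
        low = {k.lower(): v.strip() for k, v in headers.items()}
        return tuple(low.get(n) for n in names)

    pages = iter(per_page.items())
    first = next(pages, None)
    if first is None:
        return []
    first_path, baseline = first[0], profile(first[1])
    return [f"{path}: security headers differ from {first_path}"
            for path, headers in pages if profile(headers) != baseline]


if __name__ == "__main__":
    # Constructed sample responses, not captured from a real service.
    home = {"X-Content-Type-Options": "nosniff", "X-Frame-Options": "DENY",
            "Referrer-Policy": "strict-origin-when-cross-origin",
            "Content-Security-Policy": "default-src 'self'; script-src 'self'"}
    admin = {"X-Frame-Options": "SAMEORIGIN",
             "Content-Security-Policy": "script-src 'self' 'unsafe-eval'"}
    print(check_security_headers(admin))
    print(compare_across_pages({"/": home, "/about": home, "/admin": admin}))
```

Collect the headers of every public page in one crawl, run `check_security_headers` on each, and run `compare_across_pages` on the whole set; a page that passes the first check can still fail the second when services behind the same domain are configured differently.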