agent-skills/dogfood/references/qa-dimensions-checklist.md
Hermes Agent ccc63d1e70 first commit
2026-05-10 13:52:46 +08:00


# Comprehensive QA Dimensions Checklist
Use this checklist when the user asks for "full", "complete", or "comprehensive" QA testing.
Each dimension should appear as a section in the test plan with at least 1 test case.
## Core Functional (always cover)
- [ ] Page loads (HTTP 200) for all public pages
- [ ] Navigation links work (header, footer, sidebar)
- [ ] CRUD operations (create, read, update, delete)
- [ ] Form submissions (valid data, empty data, invalid data)
- [ ] Search/filter functionality
- [ ] Pagination
- [ ] Error pages (404, 500)
## Auth & Permissions
- [ ] Login page loads and form works
- [ ] Valid credentials → success + cookie set
- [ ] Invalid credentials → error message
- [ ] Logout clears cookie
- [ ] Cross-service cookie propagation (shared domain cookies)
- [ ] Admin pages: admin user can access
- [ ] Admin pages: regular user gets denied
- [ ] Admin pages: unauthenticated user redirects to login
- [ ] RBAC: different roles see different features
- [ ] Permission checks on API endpoints
## Input Validation
- [ ] Empty form submissions (browser validation or server error)
- [ ] Boundary values (min/max length, special chars)
- [ ] Password strength requirements
- [ ] Username format validation
- [ ] Email format validation (if applicable)
- [ ] Invite code validation (if invite-based registration)
## Security — Cookie
- [ ] Auth cookie: HttpOnly=true
- [ ] Auth cookie: Secure=true (production)
- [ ] Auth cookie: SameSite=Lax or Strict
- [ ] Auth cookie: Max-Age is reasonable (not infinite)
- [ ] Auth cookie: Domain scope correct (e.g., `.example.com` for subdomains)
- [ ] CSRF cookie: HttpOnly=false (by design, JS needs to read it)
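The cookie items above can be turned into an automated check on the raw `Set-Cookie` header. The following is an added example, not code from this repository; the 30-day "reasonable" lifetime and the `.example.com` domain are assumptions a tester would replace with the project's own values.

```python
# Added example (not the checklist repository's code): parse Set-Cookie headers and
# report which of the cookie checks above fail. The threshold and domain are assumptions.
from __future__ import annotations

MAX_REASONABLE_AGE = 30 * 24 * 3600  # assumed upper bound for an auth cookie lifetime (30 days)


def parse_set_cookie(header: str) -> tuple[str, str, dict[str, str | bool]]:
    """Split one Set-Cookie header into (name, value, attributes).

    Attribute names are lower-cased; flag attributes (HttpOnly, Secure) map to True.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs: dict[str, str | bool] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def check_auth_cookie(header: str, *, production: bool = True,
                      expected_domain: str | None = None) -> list[str]:
    """Return the checklist items an auth cookie fails; an empty list means it passes."""
    _, _, attrs = parse_set_cookie(header)
    failures: list[str] = []
    if "httponly" not in attrs:
        failures.append("HttpOnly missing")
    if production and "secure" not in attrs:
        failures.append("Secure missing")
    samesite = str(attrs.get("samesite", "")).lower()
    if samesite not in ("lax", "strict"):
        failures.append(f"SameSite={attrs.get('samesite', 'unset')} (want Lax or Strict)")
    max_age = attrs.get("max-age")
    if not isinstance(max_age, str):
        # Absent or valueless: the server has not bounded the cookie's lifetime.
        failures.append("Max-Age missing (lifetime not bounded by the server)")
    else:
        try:
            if int(max_age) > MAX_REASONABLE_AGE:
                failures.append(f"Max-Age={max_age} exceeds {MAX_REASONABLE_AGE}s")
        except ValueError:
            failures.append(f"Max-Age={max_age!r} is not an integer")
    if expected_domain is not None and attrs.get("domain") != expected_domain:
        failures.append(f"Domain={attrs.get('domain', 'unset')} (want {expected_domain})")
    return failures


def check_csrf_cookie(header: str) -> list[str]:
    """The CSRF cookie must be readable by JavaScript, so HttpOnly must be absent."""
    _, _, attrs = parse_set_cookie(header)
    return ["HttpOnly set on CSRF cookie (JS cannot read it)"] if "httponly" in attrs else []
```

Feed it the header exactly as the server sent it (for example from `response.headers.get_all("Set-Cookie")` in a test client); each returned string names the checklist line that failed.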
## Security — CSRF
- [ ] All state-changing POST endpoints require CSRF token
- [ ] CSRF token matches between form field and cookie
- [ ] CSRF token expires (check timestamp-based expiry)
- [ ] Missing/invalid CSRF token returns 403 or error
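The four CSRF items describe a double-submit token with a timestamp. As an added example (not this repository's implementation), here is one such scheme and the validation function a test can drive through every rejection path; `SECRET`, `TOKEN_TTL` and the token layout are constructed assumptions.

```python
# Added example (not the project's code): a timestamped, HMAC-signed double-submit CSRF
# token and its validation. SECRET and TOKEN_TTL are constructed values.
from __future__ import annotations

import hashlib
import hmac
import secrets
import time

SECRET = b"constructed-example-secret-do-not-reuse"
TOKEN_TTL = 3600  # seconds; assumed expiry window


def issue_csrf_token(secret: bytes = SECRET, now: float | None = None) -> str:
    """Build 'timestamp.nonce.signature'; the same value goes in the cookie and the form."""
    issued = int(time.time() if now is None else now)
    nonce = secrets.token_hex(8)
    body = f"{issued}.{nonce}"
    sig = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def validate_csrf(form_token: str | None, cookie_token: str | None, *,
                  secret: bytes = SECRET, now: float | None = None,
                  ttl: int = TOKEN_TTL) -> tuple[bool, str]:
    """Return (accepted, reason). Every rejection should map to a 403 in the app."""
    if not form_token or not cookie_token:
        return False, "missing"
    # Form field and cookie must carry the same token; compare in constant time.
    if not hmac.compare_digest(form_token.encode(), cookie_token.encode()):
        return False, "mismatch"
    parts = form_token.split(".")
    if len(parts) != 3 or not parts[0].isdigit():
        return False, "malformed"
    issued_str, nonce, sig = parts
    expected = hmac.new(secret, f"{issued_str}.{nonce}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        # A matching pair that the server never signed (e.g. planted via a sibling subdomain).
        return False, "bad signature"
    current = int(time.time() if now is None else now)
    if current - int(issued_str) > ttl:
        return False, "expired"
    return True, "ok"


def csrf_status(form_token: str | None, cookie_token: str | None, **kw) -> int:
    """HTTP status the endpoint should return for this token pair."""
    ok, _ = validate_csrf(form_token, cookie_token, **kw)
    return 200 if ok else 403
```

The `now` parameter exists so a test can check expiry deterministically instead of sleeping past the TTL.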
## Security — Redirect
- [ ] `redirect` parameter accepts valid same-domain URLs
- [ ] `redirect` parameter rejects external domains (open redirect prevention)
- [ ] `redirect` parameter rejects protocol-relative URLs (`//evil.com`)
- [ ] Default redirect when parameter is empty/invalid
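The redirect items above are easiest to test against a reference implementation of the expected behaviour. The following is an added example, not the project's own code; the allowed host set and the `/` default are assumptions. It goes slightly beyond the three listed cases by also rejecting the backslash and triple-slash variants that browsers treat as protocol-relative.

```python
# Added example (not the project's code): the decision a `redirect` parameter test should
# expect. ALLOWED_HOSTS and DEFAULT_TARGET are assumptions.
from __future__ import annotations

from urllib.parse import urlsplit

ALLOWED_HOSTS = {"example.com", "www.example.com"}  # assumed
DEFAULT_TARGET = "/"


def safe_redirect_target(raw: str | None, *, allowed_hosts=ALLOWED_HOSTS,
                         default: str = DEFAULT_TARGET) -> str:
    """Return `raw` if it stays on our site, otherwise `default`."""
    if not raw:
        return default
    target = raw.strip()
    # Browsers treat backslashes like slashes in http(s) URLs, so "/\evil.com" is "//evil.com".
    if "\\" in target or any(ord(ch) < 0x21 for ch in target):
        return default
    # Any run of leading slashes is protocol-relative to a browser ("///evil.com" too).
    if target.startswith("//"):
        return default
    try:
        parts = urlsplit(target)
    except ValueError:
        return default
    if parts.scheme:
        # Absolute URL: only http(s) and only an exact host match. A startswith test
        # would wrongly accept "example.com.evil.com"; hostname ignores "user@" prefixes.
        if parts.scheme not in ("http", "https") or parts.hostname not in allowed_hosts:
            return default
        return target
    # No scheme: must be an absolute path on this site, with no authority component.
    if parts.netloc or not parts.path.startswith("/"):
        return default
    return target
```

A test plan entry for this dimension is then a table of inputs and the value this function returns for each.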
## Security — Rate Limiting
- [ ] Login rate limit (e.g., 5/minute per IP)
- [ ] Registration rate limit (e.g., 5/hour per IP)
- [ ] API rate limits (comments, likes, uploads)
- [ ] Account lockout after N failed attempts
- [ ] IP-based lockout after N failed attempts
- [ ] Rate limit returns 429 status
## Security — File Upload
- [ ] Allowed file types enforced (extension check)
- [ ] File size limit enforced
- [ ] Filename sanitized (no path traversal)
- [ ] Uploaded files stored safely (UUID names, outside web root or in controlled dir)
- [ ] Image processing (resize, format conversion) doesn't crash on malformed files
## Security — Input Injection
- [ ] XSS: user input rendered as text, not HTML (test `<script>alert(1)</script>`)
- [ ] Path traversal: slug validation prevents `../` sequences
- [ ] SQL injection: parameterized queries (verify from source code)
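The upload-storage items (sanitised filename, UUID names, controlled directory) and the injection items (text-only rendering, slug validation) share one idea: user input never becomes a path or markup. This added example, which is not the project's code, shows the expected behaviour for both sections; `UPLOAD_ROOT`, `ALLOWED_EXT` and the slug grammar are assumptions.

```python
# Added example (not the project's code) for the file-upload and input-injection items:
# UUID-named storage under a fixed root, slug validation and text-only rendering.
# UPLOAD_ROOT, ALLOWED_EXT and SLUG_RE are assumptions.
from __future__ import annotations

import html
import os
import re
import uuid
from pathlib import Path, PurePosixPath, PureWindowsPath

UPLOAD_ROOT = Path("/var/app/uploads")  # assumed directory outside the web root
ALLOWED_EXT = {".png", ".jpg", ".jpeg", ".gif", ".pdf"}  # assumed allow-list
SLUG_RE = re.compile(r"^[a-z0-9]+(?:-[a-z0-9]+)*$")


def is_within(root: Path, candidate: Path) -> bool:
    """True if `candidate` normalises to a location inside `root`."""
    root_abs = os.path.abspath(root)
    cand_abs = os.path.abspath(candidate)
    return os.path.commonpath([root_abs, cand_abs]) == root_abs


def stored_upload_path(original_name: str, root: Path = UPLOAD_ROOT) -> Path:
    """Map a user-supplied filename to a UUID-named file under `root`.

    Only the extension survives from the original name, so "../../x.png" cannot
    escape `root`. The extension check is an allow-list, not proof of content type.
    """
    if "\x00" in original_name:
        raise ValueError("NUL byte in filename")
    # Keep only the last path component, whichever separator the client used.
    base = PurePosixPath(PureWindowsPath(original_name).as_posix()).name
    ext = PurePosixPath(base).suffix.lower()
    if ext not in ALLOWED_EXT:
        raise ValueError(f"extension {ext!r} not allowed")
    dest = root / f"{uuid.uuid4().hex}{ext}"
    if not is_within(root, dest):  # defence in depth; a UUID name cannot escape anyway
        raise ValueError("path escapes upload root")
    return dest


def valid_slug(slug: str) -> bool:
    """Slugs are lowercase words joined by single hyphens, so '../' and '/' can never pass."""
    return bool(SLUG_RE.fullmatch(slug)) and len(slug) <= 100


def render_text(user_input: str) -> str:
    """Escape user content so it renders as text; the checklist's probe string stays inert."""
    return html.escape(user_input, quote=True)
```

The test case for the XSS item is then a comparison of the rendered page body against `render_text(probe)`, and the traversal test asserts that `stored_upload_path` for a traversal-shaped name still lands directly under `UPLOAD_ROOT`.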
## Session & Token
- [ ] Token expiration: expired token redirects to login
- [ ] Token format validation (reject malformed tokens)
- [ ] Role changes: DB role takes precedence over token role
- [ ] Token max-age from configuration
## Content & Rendering
- [ ] Empty state (no content) shows appropriate message
- [ ] Long content doesn't break layout
- [ ] Special characters (CJK, emoji, HTML entities) render correctly
- [ ] Markdown rendering (code blocks, tables, lists)
- [ ] LaTeX/MathJax rendering (if applicable)
- [ ] Code syntax highlighting (if applicable)
## Encoding
- [ ] No BOM markers in HTML templates (`ef bb bf`)
- [ ] No leading whitespace before `<!DOCTYPE>`
- [ ] UTF-8 charset declared in meta tag
- [ ] Python source files: no BOM
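The four encoding items are byte-level checks, so they can run as a script over the template and source tree. This added example is not the project's tooling; the sample bytes in the usage are constructed.

```python
# Added example (not the project's code): byte-level checks for the encoding items above.
from __future__ import annotations

import re
from pathlib import Path

BOM = b"\xef\xbb\xbf"
# Matches <meta charset="utf-8"> and <meta http-equiv=... content="...; charset=utf-8">
CHARSET_RE = re.compile(rb"<meta\s+[^>]*charset=[\"']?utf-8", re.I)


def check_html_template(data: bytes) -> list[str]:
    """Return the encoding checklist items a template's raw bytes fail."""
    issues: list[str] = []
    if data.startswith(BOM):
        issues.append("BOM (ef bb bf) at start of template")
        data = data[len(BOM):]
    if data[:1].isspace():
        issues.append("whitespace before <!DOCTYPE>")
    if data.lstrip()[:9].lower() != b"<!doctype":
        issues.append("does not begin with <!DOCTYPE>")
    if not CHARSET_RE.search(data):
        issues.append("no UTF-8 charset <meta>")
    return issues


def check_python_source(data: bytes) -> list[str]:
    return ["BOM at start of Python file"] if data.startswith(BOM) else []


def scan_tree(root: Path) -> dict[str, list[str]]:
    """Apply the checks to every .html and .py file under `root`; returns only failures."""
    findings: dict[str, list[str]] = {}
    for path in root.rglob("*"):
        if path.suffix == ".html":
            issues = check_html_template(path.read_bytes())
        elif path.suffix == ".py":
            issues = check_python_source(path.read_bytes())
        else:
            continue
        if issues:
            findings[str(path)] = issues
    return findings


if __name__ == "__main__":
    import sys
    for file, problems in scan_tree(Path(sys.argv[1] if len(sys.argv) > 1 else ".")).items():
        print(file, *problems, sep="\n  ")
```

Templates are checked before rendering, which is the only place a BOM or leading newline can be seen unambiguously; a rendered response may have already been trimmed by the framework.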
## SEO & Metadata
- [ ] `<title>` tag present and descriptive on each page
- [ ] `<meta name="description">` present
- [ ] Open Graph tags (`og:title`, `og:description`, `og:url`, `og:image`)
- [ ] Twitter Card tags
- [ ] Canonical URL (`<link rel="canonical">`)
- [ ] `robots.txt` exists
- [ ] `sitemap.xml` exists and is valid
- [ ] RSS feed (if blog) exists and is valid XML
## Accessibility
- [ ] All `<img>` have `alt` text (or `aria-hidden` for decorative)
- [ ] No `user-scalable=no` in viewport meta
- [ ] Sufficient color contrast (text vs background)
- [ ] Skip-to-content link (visually hidden)
- [ ] Keyboard navigation: Tab order logical
- [ ] ARIA labels on interactive elements without visible text
- [ ] Form labels associated with inputs
## Performance
- [ ] All static assets return 200 (CSS, JS, images)
- [ ] No broken links (404s in static resources)
- [ ] CDN reliability (especially for users in China — jsDelivr may timeout)
- [ ] Page load doesn't hang on slow external resources
- [ ] Resource count reasonable (no excessive requests)
## Responsive Design
- [ ] Layout at 375px (mobile) — no horizontal overflow
- [ ] Layout at 768px (tablet) — breakpoint works
- [ ] Layout at 1440px (desktop) — content centered
- [ ] Touch targets large enough (44x44px minimum)
## Cross-Browser
- [ ] Chrome/Chromium rendering
- [ ] Firefox rendering
- [ ] Safari rendering (WebKit differences)
- [ ] Edge rendering
## Operations
- [ ] `/health` endpoint returns `{"status":"ok"}` per service
- [ ] 404 page is custom (not default framework error)
- [ ] 500 errors don't leak stack traces to users
- [ ] Audit log captures admin actions (verify from source)
- [ ] Audit log captures login attempts (success/failure)
## Consistency (cross-service)
- [ ] All pages include same CSS files (mobile.css, etc.)
- [ ] All pages include same JS files (loader.js, etc.)
- [ ] All pages have site-wide navigation bar
- [ ] All pages have same security headers
- [ ] All pages have same viewport meta
## Security Headers
- [ ] `X-Content-Type-Options: nosniff`
- [ ] `X-Frame-Options: DENY`
- [ ] `Referrer-Policy: strict-origin-when-cross-origin`
- [ ] `Content-Security-Policy` present and reasonable
- [ ] No `unsafe-eval` in CSP (check for `'unsafe-eval'`)
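The header items above, together with the "all pages have same security headers" item in the consistency section, can be verified from a dict of response headers. This is an added example, not the project's code; treating a missing `default-src` as "not reasonable" is this example's assumption, and the header values in the usage are constructed.

```python
# Added example (not the project's code): evaluate response headers against the items
# above and flag pages whose security headers diverge. Values are constructed samples.
from __future__ import annotations

SECURITY_HEADERS = ("X-Content-Type-Options", "X-Frame-Options",
                    "Referrer-Policy", "Content-Security-Policy")


def parse_csp(value: str) -> dict[str, list[str]]:
    """Split a CSP into {directive: [sources]}; repeated directives are ignored, as browsers do."""
    policy: dict[str, list[str]] = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def check_security_headers(headers: dict[str, str]) -> list[str]:
    """Return the checklist items a response fails; empty means it passes."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # header names are case-insensitive
    failures: list[str] = []
    if h.get("x-content-type-options", "").lower() != "nosniff":
        failures.append("X-Content-Type-Options is not nosniff")
    if h.get("x-frame-options", "").upper() != "DENY":
        failures.append("X-Frame-Options is not DENY")
    if h.get("referrer-policy", "").lower() != "strict-origin-when-cross-origin":
        failures.append("Referrer-Policy is not strict-origin-when-cross-origin")
    csp = h.get("content-security-policy")
    if not csp:
        failures.append("Content-Security-Policy missing")
    else:
        policy = parse_csp(csp)
        if "default-src" not in policy:  # assumed minimum for a "reasonable" policy
            failures.append("CSP has no default-src fallback")
        for directive, sources in policy.items():
            if "'unsafe-eval'" in (s.lower() for s in sources):
                failures.append(f"CSP {directive} allows 'unsafe-eval'")
    return failures


def inconsistent_pages(pages: dict[str, dict[str, str]]) -> list[str]:
    """Return URLs whose security headers differ from the first page's (exact value match)."""
    def fingerprint(headers: dict[str, str]) -> tuple:
        low = {k.lower(): v.strip() for k, v in headers.items()}
        return tuple(low.get(name.lower()) for name in SECURITY_HEADERS)

    urls = list(pages)
    if not urls:
        return []
    reference = fingerprint(pages[urls[0]])
    return [url for url in urls[1:] if fingerprint(pages[url]) != reference]
```

Collect `dict(response.headers)` for each page in the crawl, run `check_security_headers` on each, then `inconsistent_pages` over the whole set to catch a service that was deployed with a different middleware configuration.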