lcbp3/.windsurf/skills/verification-loop/SKILL.md

name, description, version, scope, depends-on, handoffs-to, user-invocable

name	description	version	scope	depends-on	handoffs-to	user-invocable
verification-loop	A comprehensive verification system for LCBP3-DMS development sessions with build, type check, lint, test, security scan, and diff review phases.	1.9.0	verification		speckit-checker speckit-tester	true

Verification Loop Skill

A comprehensive verification system for LCBP3-DMS development sessions.

LCBP3 Context

See _LCBP3-CONTEXT.md for project-specific verification requirements:

• Backend: NestJS with TypeScript strict mode
• Frontend: Next.js with TypeScript strict mode
• Package manager: pnpm
• Coverage goals: Backend 70%+, Business Logic 80%+
• Security: ADR-016, ADR-018, ADR-019, ADR-023 compliance

When to Use

Invoke this skill:

• After completing a feature or significant code change
• Before creating a PR
• When you want to ensure quality gates pass
• After refactoring
• Before deploying to staging/production

Verification Phases

Phase 1: Build Verification

# Backend build
cd backend
pnpm build 2>&1 | tail -20

# Frontend build
cd frontend
pnpm build 2>&1 | tail -20

If build fails, STOP and fix before continuing.

Phase 2: Type Check

# Backend TypeScript
cd backend
pnpm typecheck 2>&1 | head -30

# Frontend TypeScript
cd frontend
pnpm typecheck 2>&1 | head -30

Report all type errors. Fix critical ones before continuing.

Phase 3: Lint Check

# Backend lint
cd backend
pnpm lint 2>&1 | head -30

# Frontend lint
cd frontend
pnpm lint 2>&1 | head -30

Phase 4: Test Suite

# Backend tests with coverage
cd backend
pnpm test -- --coverage 2>&1 | tail -50

# Frontend unit tests
cd frontend
pnpm test 2>&1 | tail -50

# Frontend E2E tests (if applicable)
cd frontend
npx playwright test 2>&1 | tail -50

Report:

• Total tests: X
• Passed: X
• Failed: X
• Coverage: X%

Phase 5: Security Scan

# Check for hardcoded secrets
grep -rn "sk-" --include="*.ts" --include="*.tsx" . 2>/dev/null | head -10
grep -rn "api_key" --include="*.ts" --include="*.tsx" . 2>/dev/null | head -10
grep -rn "password" --include="*.ts" --include="*.tsx" . 2>/dev/null | head -10

# Check for console.log (forbidden in committed code)
grep -rn "console.log" --include="*.ts" --include="*.tsx" backend/src/ frontend/src/ 2>/dev/null | head -10

# Check for any types (forbidden)
grep -rn ": any" --include="*.ts" --include="*.tsx" backend/src/ frontend/src/ 2>/dev/null | head -10

# Check for parseInt on UUID (ADR-019 violation)
grep -rn "parseInt(" --include="*.ts" --include="*.tsx" backend/src/ frontend/src/ 2>/dev/null | head -10

Phase 6: ADR Compliance Check

# Check for id ?? '' fallback (ADR-019 violation)
grep -rn "id ?? ''" --include="*.ts" --include="*.tsx" frontend/src/ 2>/dev/null | head -10

# Check for Number() on UUID (ADR-019 violation)
grep -rn "Number(" --include="*.ts" --include="*.tsx" frontend/src/ 2>/dev/null | head -10

# Check for + operator on UUID (ADR-019 violation)
grep -rn "+ publicId\|+ id" --include="*.ts" --include="*.tsx" frontend/src/ 2>/dev/null | head -10

Phase 7: Diff Review

# Show what changed
git diff --stat
git diff HEAD~1 --name-only

# Show detailed changes
git diff

Review each changed file for:

• Unintended changes
• Missing error handling (ADR-007)
• Potential edge cases
• UUID handling (ADR-019)
• Security vulnerabilities (ADR-016)
• AI boundary violations (ADR-018/023)

Output Format

After running all phases, produce a verification report:

VERIFICATION REPORT
==================

Build:     [PASS/FAIL]
Types:     [PASS/FAIL] (X errors)
Lint:      [PASS/FAIL] (X warnings)
Tests:     [PASS/FAIL] (X/Y passed, Z% coverage)
Security:  [PASS/FAIL] (X issues)
ADR:       [PASS/FAIL] (X violations)
Diff:      [X files changed]

Overall:   [READY/NOT READY] for PR

Issues to Fix:
1. ...
2. ...

Continuous Mode

For long sessions, run verification every 15 minutes or after major changes:

Set a mental checkpoint:
- After completing each function
- After finishing a component
- Before moving to next task

Run: /verify

Integration with LCBP3 Skills

This skill complements:

• speckit-checker: Runs static analysis (lint, typecheck)
• speckit-tester: Runs tests with coverage verification
• speckit-security-audit: Performs security review against OWASP Top 10

This skill provides a unified verification loop that combines all checks into a single report.

LCBP3-Specific Checks

Tier 1 — CRITICAL (CI BLOCKER)

• Security: Auth, RBAC, Validation implemented
• UUID Strategy (ADR-019): No parseInt / Number / + on UUID
• Database correctness: Schema verified before writing queries
• File upload security: ClamAV + whitelist implemented
• AI validation boundary (ADR-018/023): AI via DMS API only
• Error handling (ADR-007): Layered error classification
• Forbidden patterns: Zero any, zero console.log, UUID misuse

Tier 2 — IMPORTANT (CODE REVIEW)

• Architecture patterns: Thin controller, business logic in service
• Test coverage: 80%+ business logic, 70%+ backend overall
• Cache invalidation: Implemented when data modified
• Naming conventions: Follow domain terminology

Tier 3 — GUIDELINES

• Code style: Prettier formatting
• Comment completeness: Thai comments, JSDoc on public methods
• Minor optimizations: Performance improvements where applicable

References

• LCBP3 AGENTS.md: AGENTS.md (repo root)
• ADR-007 Error Handling: specs/06-Decision-Records/ADR-007-error-handling-strategy.md
• ADR-016 Security: specs/06-Decision-Records/ADR-016-security-authentication.md
• ADR-019 UUID: specs/06-Decision-Records/ADR-019-hybrid-identifier-strategy.md
• ADR-018 AI Boundary: specs/06-Decision-Records/ADR-018-ai-boundary.md
• ADR-023 AI Architecture: specs/06-Decision-Records/ADR-023-unified-ai-architecture.md