From 977df2180f054300dd3ca65db700a2edacb4214f Mon Sep 17 00:00:00 2001 From: Hoid Date: Tue, 24 Feb 2026 11:13:32 +0000 Subject: [PATCH] enforce Red/Green TDD in CEO base prompt for all products --- projects/snapapi/memory/bugs.md | 7 ++++++ projects/snapapi/memory/sessions.md | 30 ++++++++++++++++++++++++++ projects/snapapi/memory/state.json | 2 +- skills/ceo-common/CEO-BASE.md | 33 +++++++++++++++++++++++++++++ 4 files changed, 71 insertions(+), 1 deletion(-) diff --git a/projects/snapapi/memory/bugs.md b/projects/snapapi/memory/bugs.md index 7d61fae..b2a22bd 100644 --- a/projects/snapapi/memory/bugs.md +++ b/projects/snapapi/memory/bugs.md @@ -69,3 +69,10 @@ - **Fix:** Staggered initial `lastRestartTime` per browser + one-at-a-time restart guard in `acquirePage()` - **Deployed to staging:** Yes (commit e49c4073). Verified playground returns 200. - **Production:** Awaiting investor approval for v* tag + +### BUG-011: No URL length limit (HIGH) — FIXED (staging) +- **Found:** Session 17 QA +- **Impact:** Extremely long URLs could waste server resources +- **Fix:** Added 2048 character URL length limit in SSRF validation (returns 400) +- **Deployed to staging:** Yes (commit 5ec8c92). Verified: 2100-char URL returns 400, normal URL returns 200. +- **Production:** Awaiting investor approval for v* tag diff --git a/projects/snapapi/memory/sessions.md b/projects/snapapi/memory/sessions.md index 0480bab..10a0579 100644 --- a/projects/snapapi/memory/sessions.md +++ b/projects/snapapi/memory/sessions.md @@ -1,5 +1,35 @@ # SnapAPI Session Log +## Session 18 — 2026-02-24 11:00 UTC (QA + BUG-011 Fix) + +**Goal:** Production QA, fix bugs found. + +### What Was Done + +1. **Full QA on production** (snapapi-qa-1): + - 15 tests across desktop, mobile, all links, playground, legal pages, docs, security + - Confirmed all previous bug fixes working in production + - Zero console errors + - 1 new bug found: BUG-011 (no URL length limit) + +2. **Fixed BUG-011** — URL length limit: + - Added 2048-char limit in SSRF validation + - Returns 400 with clear error message + - Commit 5ec8c92, deployed to staging, verified + +### Investor Test — Session 18 +1. Trust? **Yes** — QA confirmed core flows work +2. Data loss on crash? **No** +3. Free tier abuse? **Low** — 5/hr IP limit + watermark + now URL length limit +4. Key recovery? **Not yet** (needs Stripe portal) +5. Website features work? **Yes** — QA verified all 15 test areas + +### QA Summary +- 15 tests passed, 1 new bug found and fixed (staging) +- Overall: CONDITIONALLY READY (pending prod deploy of accumulated fixes) + +--- + ## Session 17 — 2026-02-24 08:00 UTC (GET Endpoint + Response Caching) **Goal:** Add competitive features — GET endpoint for image embedding, response caching. diff --git a/projects/snapapi/memory/state.json b/projects/snapapi/memory/state.json index bb0fb0b..346138b 100644 --- a/projects/snapapi/memory/state.json +++ b/projects/snapapi/memory/state.json @@ -76,6 +76,6 @@ "priceId": "price_1T2XHpRtlDv9c8GoThHfd8kS" } }, - "lastSession": "2026-02-24T08:00:00Z", + "lastSession": "2026-02-24T11:00:00Z", "codeLocation": "Forgejo repo openclawd/SnapAPI. Clone: git clone forgejo-snapapi:openclawd/SnapAPI.git" } diff --git a/skills/ceo-common/CEO-BASE.md b/skills/ceo-common/CEO-BASE.md index 98e2e02..9f62970 100644 --- a/skills/ceo-common/CEO-BASE.md +++ b/skills/ceo-common/CEO-BASE.md @@ -120,6 +120,36 @@ Every frontend change must maintain or improve accessibility: **Documentation ships with the feature.** If you build it but don't document it, it's not done. +## Development Method — Red/Green TDD (MANDATORY) + +**All development MUST follow Red/Green Test-Driven Development.** No exceptions, no shortcuts. + +### The Cycle +1. **RED** — Write a failing test FIRST that describes the desired behavior +2. **GREEN** — Write the minimum code to make the test pass +3. **REFACTOR** — Clean up while keeping tests green +4. Repeat + +### Rules +- **No production code without a failing test first.** If there's no test, it doesn't get built. +- **Tests must actually fail before writing implementation.** Don't write tests after the fact — that's not TDD. +- **Sub-agents must follow TDD too.** Include this requirement in every dev brief. If a sub-agent delivers code without tests, reject the work. +- **Bug fixes start with a test.** Write a test that reproduces the bug (RED), then fix it (GREEN). +- **QA agents verify test coverage** as part of their review. + +### What counts as a test +- Unit tests for business logic, validation, utilities +- Integration tests for API endpoints (request → response) +- E2E tests for critical user flows where practical + +### Anti-patterns +- Writing code first, tests after ("test-after" is not TDD) +- Skipping tests for "simple" changes (simple changes break too) +- Tests that don't actually assert behavior (rubber-stamp tests) +- Mocking everything so tests pass but nothing actually works + +**This applies to ALL products, ALL sub-agents, ALL future development.** + ## What "Done" Means 1. Works end-to-end for the user @@ -129,6 +159,7 @@ Every frontend change must maintain or improve accessibility: 5. QA verified on live site 6. A paying customer would not be confused 7. **Documented** — developer docs, user docs, or both as appropriate +8. **Tests exist and pass** — written before the implementation (TDD) ## Verification — MANDATORY @@ -158,4 +189,6 @@ Every frontend change must maintain or improve accessibility: - **Deploying infrastructure that is explicitly marked as managed externally** - **Featuring constraints instead of value** — only advertise what customers gain, never what limits them. If it doesn't make someone want to buy, it doesn't belong on the landing page. - **Skipping interactive QA on the website** — every session that touches the frontend must test ALL interactive elements (buttons, links, accordions, modals, forms) +- **Shipping code without tests** — if it's not tested, it's not done +- **Accepting sub-agent work that skipped TDD** — send it back - **Shipping without full link audit** — every QA pass must crawl ALL internal links (nav, footer, legal pages, CTAs) and verify none return 404. A broken link on a live site is inexcusable.