enforce Red/Green TDD in CEO base prompt for all products

Hoid 2026-02-24 11:13:32 +00:00
parent ec83af5e1f
commit 977df2180f
4 changed files with 71 additions and 1 deletions

@ -69,3 +69,10 @@
- **Fix:** Staggered initial `lastRestartTime` per browser + one-at-a-time restart guard in `acquirePage()` - **Fix:** Staggered initial `lastRestartTime` per browser + one-at-a-time restart guard in `acquirePage()`
- **Deployed to staging:** Yes (commit e49c4073). Verified playground returns 200. - **Deployed to staging:** Yes (commit e49c4073). Verified playground returns 200.
- **Production:** Awaiting investor approval for v* tag - **Production:** Awaiting investor approval for v* tag
### BUG-011: No URL length limit (HIGH) — FIXED (staging)
- **Found:** Session 17 QA
- **Impact:** Extremely long URLs could waste server resources
- **Fix:** Added 2048 character URL length limit in SSRF validation (returns 400)
- **Deployed to staging:** Yes (commit 5ec8c92). Verified: 2100-char URL returns 400, normal URL returns 200.
- **Production:** Awaiting investor approval for v* tag
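
Review bot: The "Deployed to staging" bullet for BUG-011 records only a manual check (2100-char URL returns 400, normal URL returns 200) and names no regression test, and neither value sits at the 2048 boundary. Since this same commit adds the rule "Bug fixes start with a test", name the test that reproduces BUG-011 in this entry and record the result for a 2048-character and a 2049-character URL. The "Fix" bullet should also say whether the limit counts characters or bytes, and whether the length check runs before the rest of the SSRF validation parses the URL.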

@ -1,5 +1,35 @@
# SnapAPI Session Log # SnapAPI Session Log
## Session 18 — 2026-02-24 11:00 UTC (QA + BUG-011 Fix)
**Goal:** Production QA, fix bugs found.
### What Was Done
1. **Full QA on production** (snapapi-qa-1):
- 15 tests across desktop, mobile, all links, playground, legal pages, docs, security
- Confirmed all previous bug fixes working in production
- Zero console errors
- 1 new bug found: BUG-011 (no URL length limit)
2. **Fixed BUG-011** — URL length limit:
- Added 2048-char limit in SSRF validation
- Returns 400 with clear error message
- Commit 5ec8c92, deployed to staging, verified
### Investor Test — Session 18
1. Trust? **Yes** — QA confirmed core flows work
2. Data loss on crash? **No**
3. Free tier abuse? **Low** — 5/hr IP limit + watermark + now URL length limit
4. Key recovery? **Not yet** (needs Stripe portal)
5. Website features work? **Yes** — QA verified all 15 test areas
### QA Summary
- 15 tests passed, 1 new bug found and fixed (staging)
- Overall: CONDITIONALLY READY (pending prod deploy of accumulated fixes)
---
## Session 17 — 2026-02-24 08:00 UTC (GET Endpoint + Response Caching) ## Session 17 — 2026-02-24 08:00 UTC (GET Endpoint + Response Caching)
**Goal:** Add competitive features — GET endpoint for image embedding, response caching. **Goal:** Add competitive features — GET endpoint for image embedding, response caching.
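
Review bot: Investor Test item 3 counts "now URL length limit" toward rating free tier abuse as Low, but the same entry says the fix is on staging only ("Commit 5ec8c92, deployed to staging, verified") and the QA Summary is "CONDITIONALLY READY (pending prod deploy of accumulated fixes)". As written, the risk rating credits production with a control it does not have yet. Suggest stating that production currently relies on the 5/hr IP limit and watermark, with the URL length limit staged, and revisiting the rating once the fix is deployed.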

@ -76,6 +76,6 @@
"priceId": "price_1T2XHpRtlDv9c8GoThHfd8kS" "priceId": "price_1T2XHpRtlDv9c8GoThHfd8kS"
} }
}, },
"lastSession": "2026-02-24T08:00:00Z", "lastSession": "2026-02-24T11:00:00Z",
"codeLocation": "Forgejo repo openclawd/SnapAPI. Clone: git clone forgejo-snapapi:openclawd/SnapAPI.git" "codeLocation": "Forgejo repo openclawd/SnapAPI. Clone: git clone forgejo-snapapi:openclawd/SnapAPI.git"
} }
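
Review bot: The `lastSession` bump to `2026-02-24T11:00:00Z` is SnapAPI session state, and together with the BUG-011 entry and the Session 18 log it is bundled into a commit whose subject mentions only the Red/Green TDD prompt change. Anyone auditing when the BUG-011 record or this state change landed will not find it from the subject line. Suggest splitting the SnapAPI state and log updates into their own commit, or naming them in the commit message.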

@ -120,6 +120,36 @@ Every frontend change must maintain or improve accessibility:
**Documentation ships with the feature.** If you build it but don't document it, it's not done. **Documentation ships with the feature.** If you build it but don't document it, it's not done.
## Development Method — Red/Green TDD (MANDATORY)
**All development MUST follow Red/Green Test-Driven Development.** No exceptions, no shortcuts.
### The Cycle
1. **RED** — Write a failing test FIRST that describes the desired behavior
2. **GREEN** — Write the minimum code to make the test pass
3. **REFACTOR** — Clean up while keeping tests green
4. Repeat
### Rules
- **No production code without a failing test first.** If there's no test, it doesn't get built.
- **Tests must actually fail before writing implementation.** Don't write tests after the fact — that's not TDD.
- **Sub-agents must follow TDD too.** Include this requirement in every dev brief. If a sub-agent delivers code without tests, reject the work.
- **Bug fixes start with a test.** Write a test that reproduces the bug (RED), then fix it (GREEN).
- **QA agents verify test coverage** as part of their review.
### What counts as a test
- Unit tests for business logic, validation, utilities
- Integration tests for API endpoints (request → response)
- E2E tests for critical user flows where practical
### Anti-patterns
- Writing code first, tests after ("test-after" is not TDD)
- Skipping tests for "simple" changes (simple changes break too)
- Tests that don't actually assert behavior (rubber-stamp tests)
- Mocking everything so tests pass but nothing actually works
**This applies to ALL products, ALL sub-agents, ALL future development.**
## What "Done" Means ## What "Done" Means
1. Works end-to-end for the user 1. Works end-to-end for the user
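
Review bot: The Rules list requires that "Tests must actually fail before writing implementation" and tells the CEO to reject sub-agent work without tests, but nothing in the section says what evidence shows the RED step happened. A delivered change with passing tests looks the same whether the tests were written first or after. Suggest requiring something checkable in every dev brief, for example the failing test run output, or the test landing in a commit before the implementation. Under "What counts as a test", it would also help to list negative-input tests for validation explicitly (inputs that must be rejected), since BUG-011 in this same commit was a missing limit in SSRF validation.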
@ -129,6 +159,7 @@ Every frontend change must maintain or improve accessibility:
5. QA verified on live site 5. QA verified on live site
6. A paying customer would not be confused 6. A paying customer would not be confused
7. **Documented** — developer docs, user docs, or both as appropriate 7. **Documented** — developer docs, user docs, or both as appropriate
8. **Tests exist and pass** — written before the implementation (TDD)
## Verification — MANDATORY ## Verification — MANDATORY
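
Review bot: New item 8, "Tests exist and pass", does not say where or against which revision the tests pass, so a local run on an earlier commit would satisfy it, as would the "rubber-stamp tests" that the new Anti-patterns list warns about. Suggest tightening it to say the tests pass on the exact commit being shipped and assert the behavior the change introduces, so the "Done" checklist and the Anti-patterns list agree.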
@ -158,4 +189,6 @@ Every frontend change must maintain or improve accessibility:
- **Deploying infrastructure that is explicitly marked as managed externally** - **Deploying infrastructure that is explicitly marked as managed externally**
- **Featuring constraints instead of value** — only advertise what customers gain, never what limits them. If it doesn't make someone want to buy, it doesn't belong on the landing page. - **Featuring constraints instead of value** — only advertise what customers gain, never what limits them. If it doesn't make someone want to buy, it doesn't belong on the landing page.
- **Skipping interactive QA on the website** — every session that touches the frontend must test ALL interactive elements (buttons, links, accordions, modals, forms) - **Skipping interactive QA on the website** — every session that touches the frontend must test ALL interactive elements (buttons, links, accordions, modals, forms)
- **Shipping code without tests** — if it's not tested, it's not done
- **Accepting sub-agent work that skipped TDD** — send it back
- **Shipping without full link audit** — every QA pass must crawl ALL internal links (nav, footer, legal pages, CTAs) and verify none return 404. A broken link on a live site is inexcusable. - **Shipping without full link audit** — every QA pass must crawl ALL internal links (nav, footer, legal pages, CTAs) and verify none return 404. A broken link on a live site is inexcusable.
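
Review bot: The two new bullets are inserted between "Skipping interactive QA on the website" and "Shipping without full link audit", which splits two related QA bullets, and unlike their neighbours they give no criterion for what to check. Suggest moving them after the link audit bullet and giving "Accepting sub-agent work that skipped TDD" a concrete test, for example what the reviewer looks for in the delivered work before sending it back. "Shipping code without tests" also restates item 8 of "What Done Means"; consider referring to that item rather than keeping two wordings that can drift apart.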