karvey-qa
Install: claude install-skill MauricioQuezadaHaintech/karvey
# Karvey QA
## Purpose
Code review across 8 dimensions, post-implementation. Generates a review document, creates subtasks in ClickUp or PLAN.md, and notifies the project's Google Chat group.
## Execution steps
### Step 0 — Identify branches and stack
Read `docs/spec/changes/{change-id}/spec.json`.
If the user did not specify branches, ask: "Which branches should be compared? (source → target)"
Default convention: `feature/{change-id}` → `dev`
Detect the repo stack (see `package.json`, `requirements.txt`, `pyproject.toml`).
Get the diff:
```bash
git diff {target}...{source} --stat
git diff {target}...{source}
git log {target}...{source} --oneline
```
### Step 1 — Analysis across 8 dimensions
Dispatch parallel subagents for dimensions 1–4 and run dimensions 5–6 in the main context. Dimensions 7 (cross-model second opinion) and 8 (visual audit) run last, once the preliminary findings have been consolidated:
**Dimension 1: Security**
- Hardcoded credentials (tokens, API keys, passwords)
- XSS: unsanitized `v-html`, `dangerouslySetInnerHTML`
- Auth only in the frontend with no backend enforcement
- Real personal data in code (RUTs, emails, phone numbers)
- Missing user-context validations in data operations or endpoints
- Unsanitized dynamic SQL
- Stack traces exposed to the client
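A lexical pre-scan for the pattern-detectable items in this checklist, as an added example that is not part of the Karvey skill. It reads `git diff {target}...{source}` output, inspects only added lines, and flags hardcoded credentials, raw HTML sinks (`v-html`, `dangerouslySetInnerHTML`), string-built SQL, and real-looking personal data (emails outside `example.*`, Chilean RUTs that pass the modulo-11 check digit, an assumption added here to cut false positives). The sample diff is constructed; items that need reading the code, such as auth enforced only in the frontend or missing user-context checks, are left to the reviewing subagents.

```python
"""Pre-scan of a `git diff target...source` for the Security dimension (added example)."""
import re
from dataclasses import dataclass

# Constructed sample diff, not taken from any real repository.
SAMPLE_DIFF = """\
diff --git a/src/api/users.py b/src/api/users.py
--- a/src/api/users.py
+++ b/src/api/users.py
@@ -1,4 +1,9 @@
+API_KEY = "sk_live_0123456789abcdef"
+def get_user(request, user_id):
+    query = "SELECT * FROM users WHERE id = " + user_id
+    return db.execute(query)
-    return db.execute("SELECT * FROM users WHERE id = %s", (user_id,))
diff --git a/src/components/Profile.vue b/src/components/Profile.vue
--- a/src/components/Profile.vue
+++ b/src/components/Profile.vue
@@ -3,2 +3,6 @@
+  <div v-html="user.bio"></div>
+  <p>Contact: contacto@empresa.cl</p>
+  <p>RUT: 12.345.678-5</p>
+  <!-- placeholder 11.111.111-9 -->
"""


@dataclass(frozen=True)
class Finding:
    rule: str
    file: str
    line: int  # line number in the new version of the file
    text: str


CREDENTIAL = re.compile(
    r"\b(api[_-]?key|secret|token|password|passwd)\b\s*[:=]\s*['\"][^'\"]{8,}['\"]", re.I)
RAW_HTML = re.compile(r"\bv-html\b|dangerouslySetInnerHTML")
SQL_KW = r"(SELECT|INSERT|UPDATE|DELETE)\b"
DYNAMIC_SQL = re.compile(
    r"['\"][^'\"]*\b" + SQL_KW + r"[^'\"]*['\"]\s*\+"  # "SELECT ..." + variable
    r"|f['\"][^'\"]*\b" + SQL_KW,                       # f"SELECT ... {variable}"
    re.I)
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})")
RUT = re.compile(r"\b(\d{1,2})\.(\d{3})\.(\d{3})-([\dkK])\b")
HUNK = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def rut_is_valid(body: str, dv: str) -> bool:
    """Modulo-11 check digit of a Chilean RUT; random digit runs rarely pass it."""
    total = sum(int(d) * m for d, m in zip(reversed(body), [2, 3, 4, 5, 6, 7] * 2))
    rest = 11 - total % 11
    expected = {11: "0", 10: "K"}.get(rest, str(rest))
    return dv.upper() == expected


def flag_personal_data(line: str) -> bool:
    """True when the line carries a non-example email or a valid RUT."""
    for m in EMAIL.finditer(line):
        if not m.group(1).lower().endswith(("example.com", "example.org", "example.net")):
            return True
    return any(rut_is_valid("".join(m.group(1, 2, 3)), m.group(4)) for m in RUT.finditer(line))


RULES = [
    ("hardcoded-credential", CREDENTIAL.search),
    ("xss-raw-html", RAW_HTML.search),
    ("dynamic-sql", DYNAMIC_SQL.search),
    ("personal-data", flag_personal_data),
]


def scan_diff(diff: str) -> list[Finding]:
    """Walk unified-diff text, tracking the new-file line number per hunk."""
    findings: list[Finding] = []
    current_file, new_line = "", 0
    for raw in diff.splitlines():
        if raw.startswith("+++ "):
            current_file = raw[4:].removeprefix("b/")
        elif (m := HUNK.match(raw)):
            new_line = int(m.group(1))
        elif raw.startswith("+"):
            for rule, check in RULES:
                if check(raw[1:]):
                    findings.append(Finding(rule, current_file, new_line, raw[1:].strip()))
            new_line += 1
        elif raw.startswith(" "):
            new_line += 1  # context line: present in the new file too
        # removed lines ('-') and file headers do not advance the new-file counter
    return findings


if __name__ == "__main__":
    for f in scan_diff(SAMPLE_DIFF):
        print(f"{f.file}:{f.line} [{f.rule}] {f.text}")
```

Pipe the real `git diff {target}...{source}` into `scan_diff` and attach the findings to the review document as leads for the subagents to confirm; the removed `%s`-parameterised query in the sample is deliberately ignored, since only what the change adds is under review.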
**OWASP Top 10 coverage (explicitly review each category):**
- A01 Broken Access Control — IDOR, privilege escalation, missing tenant/user context validation
- A02 Cryptographic Failures — sensitive data