aeo-qa-agent
from ivzc07/aeo-skills
Autonomous Engineering Organization - Confidence-based autonomous development system for Claude Code
0 stars, 0 forks. Updated Jan 22, 2026
Install: npx skills add https://github.com/ivzc07/aeo-skills --skill aeo-qa-agent
AEO QA Agent
Purpose: Internal code reviewer with veto power. Reviews every change before commit and blocks the commit if critical issues are found.
When to Review
- After a logical unit of work is complete - Feature implemented, bug fixed
- Before reporting completion - Before saying "task is done"
- Before git commit - Final gate before changes are committed
Review Categories
1. Security Issues (VETO POWER)
Automatic Veto - Block and fix immediately:
SQL Injection:
// ❌ VULNERABLE
const query = `SELECT * FROM users WHERE id = ${userId}`
// ✅ SECURE
const query = 'SELECT * FROM users WHERE id = $1'
await db.query(query, [userId])
XSS (Cross-Site Scripting):
// ❌ VULNERABLE - user input reaches the page as raw HTML (innerHTML, string templates, unescaped server-side rendering)
<div>{userInput}</div>
// ✅ SECURE - escape on output, or sanitize when HTML must be allowed
<div>{escape(userInput)}</div>
// or
<div dangerouslySetInnerHTML={{__html: DOMPurify.sanitize(userInput)}} />
// Note: React JSX already escapes {userInput}; the veto applies to any path that bypasses that default escaping.
CSRF (Cross-Site Request Forgery):
// ❌ VULNERABLE - No CSRF protection on a state-changing route
app.post('/api/update', (req, res) => { ... })
// ✅ SECURE - require a per-session CSRF token (csurf is deprecated upstream; any equivalent token middleware serves the same purpose)
import csrf from 'csurf'
const csrfProtection = csrf({ cookie: true })
app.post('/api/update', csrfProtection, (req, res) => { ... })
Hardcoded Credentials:
// ❌ VULNERABLE
const apiKey = "sk_live_1234567890"
// ✅ SECURE
const apiKey = process.env.API_KEY
Missing Input Validation:
// ❌ VULNERABLE
app.post('/api/users', (req, res) => {
db.query(`INSERT INTO users (email) VALUES ('${req.body.email}')`)
})
// ✅ SECURE - validate the field, reject bad input with 400, and parameterize the insert
import { body, validationResult } from 'express-validator'
app.post('/api/users',
body('email').isEmail().normalizeEmail(),
async (req, res) => {
const errors = validationResult(req)
if (!errors.isEmpty()) return res.status(400).json({ errors: errors.array() })
await db.query('INSERT INTO users (email) VALUES ($1)', [req.body.email])
res.status(201).end()
}
)
Insecure Cryptography:
// ❌ VULNERABLE - MD5 is broken and far too fast for password storage
const hash = md5(password)
// ✅ SECURE - slow, salted password hash (cost factor 10)
import bcrypt from 'bcrypt'
const hash = await bcrypt.hash(password, 10)
Auth Bypasses:
// ❌ VULNERABLE - unlimited guesses against the key check
if (user.apiKey === userProvidedKey) { /* No rate limiting */ }
// ✅ SECURE - throttle authentication attempts (and compare the key with crypto.timingSafeEqual rather than ===)
import rateLimit from 'express-rate-limit'
const limiter = rateLimit({ windowMs: 60000, max: 10 })
app.use('/api/auth', limiter)
2. Code Smells (Auto-Fix)
Remove immediately without asking:
Console Logs:
// ❌ REMOVE
console.log('debug:', variable)
console.error('error:', error)
// ✅ Use proper logging
import logger from './logger.js'
logger.info({ variable })
logger.error({ error })
Debugger Statements:
// ❌ REMOVE
debugger;
Unused Imports:
// ❌ REMOVE
import React, { useState, useEffect } from 'react'
// useEffect never used
TODO/FIXME without Tickets:
// ❌ FLAG - Needs ticket reference
// TODO: Refactor this
// FIXME: This is buggy
// ✅ ACCEPTABLE
// TODO: Refactor this - Ticket #1234
// FIXME: Bug in production - https://github.com/org/repo/issues/567
Inconsistent Naming:
// ❌ INCONSISTENT
const userData = getUser()
const user_data = getUserById()
const USER_DATA = getUserByEmail()
// ✅ CONSISTENT (pick one style)
const userData = getUser()
const userDataById = getUserById()
const userDataByEmail = getUserByEmail()
Magic Numbers:
// ❌ MAGIC NUMBER
if (user.age > 13) { /* ... */ }
// ✅ EXTRACT CONSTANT
const MINIMUM_AGE = 13
if (user.age > MINIMUM_AGE) { /* ... */ }
Duplicate Code:
// ❌ DUPLICATE - the same query and the same shaping logic in two places
async function getUserData(id) {
const user = await db.query('SELECT * FROM users WHERE id = $1', [id])
return { id: user.id, name: user.name, email: user.email }
}
async function getUserProfile(id) {
const user = await db.query('SELECT * FROM users WHERE id = $1', [id])
return { id: user.id, name: user.name, email: user.email }
}
// ✅ EXTRACT FUNCTION - one place to change the returned shape
function formatUser(user) {
return { id: user.id, name: user.name, email: user.email }
}
async function getUserData(id) {
const user = await db.query('SELECT * FROM users WHERE id = $1', [id])
return formatUser(user)
}
async function getUserProfile(id) {
const user = await db.query('SELECT * FROM users WHERE id = $1', [id])
return formatUser(user)
}
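The veto rules from section 1 and the auto-fix/flag rules from section 2, turned into one runnable pre-commit check. This is an added example, not the aeo-qa-agent's own implementation; the rule ids, severity labels and the sample source are constructed for illustration.

```javascript
// Added example (not the skill's own code): a line-based pre-commit check
// implementing some of the veto and auto-fix rules listed above. Rule ids,
// severity labels and the sample source below are constructed for illustration.
const RULES = [
  // Security rules carry veto power: one hit blocks the commit.
  { id: 'sql-injection', severity: 'veto',
    test: (l) => /`[^`]*\b(select|insert|update|delete)\b[^`]*\$\{/i.test(l) },
  { id: 'hardcoded-credential', severity: 'veto',
    test: (l) => /\b(api[_-]?key|secret|password)\s*=\s*['"`][^'"`]+['"`]/i.test(l) },
  { id: 'insecure-hash', severity: 'veto', test: (l) => /\bmd5\s*\(/.test(l) },
  // Code smells are auto-fixed; a TODO/FIXME without a ticket is only flagged.
  { id: 'console-log', severity: 'auto-fix', test: (l) => /\bconsole\.(log|error)\s*\(/.test(l) },
  { id: 'debugger', severity: 'auto-fix', test: (l) => /^\s*debugger\s*;?\s*$/.test(l) },
  { id: 'todo-without-ticket', severity: 'flag',
    test: (l) => /\b(TODO|FIXME)\b/.test(l) && !/(#\d+|issues\/\d+)/.test(l) },
];

// Scan one source file; every finding carries its 1-based line number.
function reviewSource(source) {
  const findings = [];
  source.split('\n').forEach((text, i) => {
    for (const rule of RULES) {
      if (rule.test(text)) findings.push({ line: i + 1, rule: rule.id, severity: rule.severity });
    }
  });
  return findings;
}

// The gate: any veto-level finding blocks the commit; smells alone pass (with fixes/flags).
function verdict(findings) {
  return findings.some((f) => f.severity === 'veto') ? 'BLOCK' : 'PASS';
}

// Constructed sample mixing the vulnerable and secure forms shown above.
const SAMPLE = [
  'const apiKey = process.env.API_KEY',                                   // secure
  'const query = `SELECT * FROM users WHERE id = ${userId}`',            // veto: sql-injection
  "await db.query('SELECT * FROM users WHERE id = $1', [userId])",        // secure
  "const apiKey = 'sk_live_1234567890'",                                  // veto: hardcoded-credential
  "console.log('debug:', query)",                                         // auto-fix
  'debugger;',                                                            // auto-fix
  '// TODO: Refactor this',                                               // flag
  '// FIXME: Bug in production - https://github.com/org/repo/issues/567', // ok, has a ticket
  'const hash = md5(password)',                                           // veto: insecure-hash
].join('\n');

// verdict(reviewSource(SAMPLE)) → 'BLOCK' (6 findings: 3 veto, 2 auto-fix, 1 flag)
```

The regexes are deliberately simple; in a real gate the credential rule in particular needs an allowlist for test fixtures, or it will block on placeholder values.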
3. Test Coverage
Flag if missing:
New Features Without Tests:
❌ New component but no test file
Component: /components/UserForm.tsx
Expected: /components/__tests__/UserForm.test.tsx
Action: Add test file before commit
Edge Cases Not Covered:
❌ Tests don't cover edge cases
Function: validateEmail(email)
Tests: ✓ Valid email
✗ Invalid format
✗ Null/undefined
✗ Edge cases (+ alias, unicode)
Action: Add edge case tests
4. Architecture Violations
Detect and flag:
Circular Dependencies:
// ❌ CIRCULAR
// fileA.js imports from fileB.js
// fileB.js imports from fileA.js
Action: Break cycle by extracting shared code
Layer Violations:
// ❌ PRESENTAT
...
Repository: ivzc07/aeo-skills (parent repository). License: MIT License.