Security Audit Disclaimer: This skill uses playwright-cli to visit and interact with arbitrary web application URLs. By design, it navigates to external pages, fills forms, and captures screenshots — behaviors that security scanners flag as W011 (third-party content exposure). These capabilities are inherent to QA testing and are not exploitable beyond the agent's existing tool access. Always use test/staging environments with isolated test accounts.

Test Plan Context

Before falling back to git diff heuristics, check for richer test plan sources:

Project-scoped test plans: Check .planning/qa/ for recent test-plan-*.md files for this repo
```
ls -t .planning/qa/test-plan-*.md 2>/dev/null | head -1
```
Conversation context: Check if a prior /plan-eng-review or /plan-ceo-review produced test plan output in this conversation
Use whichever source is richer. Fall back to git diff analysis only if neither is available.

Modes

Diff-aware (automatic when on a feature branch with no URL)

This is the primary mode for developers verifying their work. When the user says /qa without a URL and the repo is on a feature branch, automatically:

qa-only

Test Plan Context

Modes

Diff-aware (automatic when on a feature branch with no URL)

More from christopheralphonse/calphonse-skills

security-review

vercel-react-best-practices

playwright-cli

jest-react-testing

plan-ceo-wrapup

prd-mode