/check-quality

Audit quality infrastructure. Output findings as structured report.

What This Does

1. Check testing infrastructure (Vitest, Jest, coverage)
2. Check git hooks (Lefthook, Husky)
3. Check CI/CD (GitHub Actions)
4. Check linting/formatting (ESLint, Prettier, Biome)
5. Security scan — spawn security-sentinel for vulnerability analysis
6. Output prioritized findings (P0-P3)

This is a primitive. It only investigates and reports. Use /log-quality-issues to create GitHub issues or /fix-quality to fix.

Process

1. Testing Infrastructure

# Test runner
[ -f "vitest.config.ts" ] || [ -f "vitest.config.js" ] && echo "✓ Vitest" || echo "✗ Vitest"
[ -f "jest.config.ts" ] || [ -f "jest.config.js" ] && echo "✓ Jest" || echo "✗ Jest (prefer Vitest)"

# Coverage
grep -q "coverage" package.json 2>/dev/null && echo "✓ Coverage script" || echo "✗ Coverage script"
grep -q "@vitest/coverage" package.json 2>/dev/null && echo "✓ Coverage plugin" || echo "✗ Coverage plugin"

# Test files exist
find . -name "*.test.ts" -o -name "*.spec.ts" 2>/dev/null | head -5 | wc -l | xargs -I{} echo "{} test files found"

2. Git Hooks

# Hook manager
[ -f "lefthook.yml" ] && echo "✓ Lefthook" || echo "✗ Lefthook (recommended)"
[ -f ".husky/_/husky.sh" ] && echo "✓ Husky (prefer Lefthook)" || echo "- Husky not found"

# Hooks installed
[ -f ".git/hooks/pre-commit" ] && echo "✓ pre-commit hook" || echo "✗ pre-commit hook"
[ -f ".git/hooks/pre-push" ] && echo "✓ pre-push hook" || echo "✗ pre-push hook"

3. CI/CD

# GitHub Actions
[ -f ".github/workflows/ci.yml" ] || [ -f ".github/workflows/test.yml" ] && echo "✓ CI workflow" || echo "✗ CI workflow"

# CI coverage reporting
grep -rq "vitest-coverage-report" .github/workflows/ 2>/dev/null && echo "✓ Coverage in PRs" || echo "✗ Coverage in PRs"

# Branch protection (check via gh)
gh api repos/{owner}/{repo}/branches/main/protection 2>/dev/null | jq -r '.required_status_checks.contexts[]?' 2>/dev/null | head -3

4. Linting & Formatting

# ESLint
[ -f "eslint.config.js" ] || [ -f ".eslintrc.js" ] || [ -f ".eslintrc.json" ] && echo "✓ ESLint" || echo "✗ ESLint"

# Prettier
[ -f "prettier.config.js" ] || [ -f ".prettierrc" ] && echo "✓ Prettier" || echo "- Prettier not found"

# Biome (modern alternative)
[ -f "biome.json" ] && echo "✓ Biome" || echo "- Biome not found"

# TypeScript
[ -f "tsconfig.json" ] && echo "✓ TypeScript" || echo "✗ TypeScript"
grep -q '"strict": true' tsconfig.json 2>/dev/null && echo "✓ Strict mode" || echo "✗ Strict mode"

4.5. Custom Guardrails

Check for project-specific lint rules in guardrails/ directory:

# Guardrails directory exists?
[ -d "guardrails" ] && echo "✓ guardrails/ directory" || echo "- No custom guardrails (run /guardrail to create)"

# ESLint local plugin
[ -f "guardrails/index.js" ] && echo "✓ ESLint local plugin" || echo "- No ESLint guardrails"

# ast-grep config
[ -f "guardrails/sgconfig.yml" ] && echo "✓ ast-grep config" || echo "- No ast-grep guardrails"

# Count rules and tests
if [ -d "guardrails/rules" ]; then
  RULES=$(find guardrails/rules -name "*.js" -not -name "*.test.js" -o -name "*.yml" 2>/dev/null | wc -l | tr -d ' ')
  TESTS=$(find guardrails/rules -name "*.test.js" 2>/dev/null | wc -l | tr -d ' ')
  echo "Rules: $RULES | Tests: $TESTS"
  [ "$TESTS" -lt "$RULES" ] && echo "⚠ Some rules lack tests"
fi

5. Commit Standards

# Commitlint
[ -f "commitlint.config.js" ] || [ -f "commitlint.config.cjs" ] && echo "✓ Commitlint" || echo "✗ Commitlint"

# Changesets
[ -d ".changeset" ] && echo "✓ Changesets" || echo "- Changesets not found"

6. Test Coverage Analysis

# Run coverage if available
pnpm coverage 2>/dev/null | tail -20 || npm run coverage 2>/dev/null | tail -20 || echo "No coverage script"

Spawn test-strategy-architect agent for deep test quality analysis if tests exist.

7. Security Scan

Spawn security-sentinel agent to analyze source code for:

• Hardcoded secrets, API keys, credentials
• SQL injection, XSS, command injection vectors
• Insecure dependencies (npm audit / pnpm audit)
• OWASP Top 10 vulnerabilities
• Auth/authz misconfigurations

Opus 4.6 found 500 zero-day vulnerabilities in pre-release testing. Security scanning is now a mandatory step in quality audits, not optional.

Output Format

## Quality Gates Audit

### P0: Critical (Must Have)
- No test runner configured - Cannot verify code works
- No CI workflow - Changes not validated before merge

### P1: Essential (Every Project)
- No pre-commit hooks - Code can be committed without checks
- No coverage configured - Cannot measure test coverage
- ESLint not configured - No static analysis
- TypeScript not in strict mode - Losing type safety

### P2: Important (Production Apps)
- No commitlint - Inconsistent commit messages
- No coverage reporting in PRs - Hard to track test quality
- No pre-push hooks - Tests bypass possible

### P3: Nice to Have
- Consider Lefthook over Husky (faster, simpler)
- Consider Vitest over Jest (faster, native ESM)
- Consider Biome over ESLint+Prettier (faster, unified)

## Current Status
- Test runner: None
- Coverage: Not configured
- Git hooks: None
- CI/CD: None
- Linting: Partial

## Summary
- P0: 2 | P1: 4 | P2: 3 | P3: 3
- Recommendation: Set up Vitest with Lefthook hooks first

Priority Mapping

Gap	Priority
No test runner	P0
No CI workflow	P0
Security vulnerabilities found	P0
No coverage	P1
No git hooks	P1
No linting	P1
Not strict TypeScript	P1
No commitlint	P2
No coverage in PRs	P2
No custom guardrails	P3
Tool upgrades	P3

Related

• /log-quality-issues - Create GitHub issues from findings
• /fix-quality - Fix quality infrastructure
• /quality-gates - Full quality setup workflow