====== Quality Assurance ======
Overview of QA processes and checks for WvdS FPC RAD Studio.
These checklists apply to **all developers** - both for manual reviews and AI-assisted audits.
===== QA Workflow =====
Every change goes through these 5 verification steps:
^ Step ^ Check ^ Checklist ^
| 1 | **Production-Ready** | No TODOs, stubs, mocks |
| 2 | **Security** | KRITIS/NIS2, OWASP |
| 3 | **Code Quality** | Naming, DRY, error handling |
| 4 | **SSOT** | Common libraries instead of local copies |
| 5 | **Documentation** | PasDoc comments, API docs |
===== Profile Matrix =====
Which checklists to apply depending on project type:
^ Project Type ^ Required ^ Optional ^
| VSCode Extension | Core, Cross-Platform, VSCode Stack | Security, Logging |
| Desktop App | Core, Build, Logging | i18n, Security |
| TUI/CLI | Core, CLI Stack, Cross-Platform | Security, Performance |
| Library | Core, Naming, Functions, Build | Security, Cross-Platform |
| Web API | Core, Security, Logging | Performance, SQL |
===== Detailed Checklists =====
^ Document ^ Content ^ When to Apply ^
| [[.:audit-core|Core Checklist]] | Production-ready, error handling, logging | **Always** |
| [[.:audit-sicherheit|Security Checklist]] | KRITIS/NIS2, OWASP, crypto | For network, auth, crypto |
| [[.:audit-codequalitaet|Code Quality Checklist]] | Naming, functions, DRY | For API changes |
| [[.:kommentierung|Documentation Standards]] | PasDoc, XMLDoc, principles | For new units |
| [[.:audit-vscode|VSCode Checklist]] | Extension-specific, pas2js | For extension work |
===== Zero-Tolerance Rules =====
These rules are **non-negotiable** - code with violations will be rejected.
==== Forbidden in Production Code ====
<code>
FORBIDDEN                      REQUIRED
─────────────────────────────────────────────────
// TODO: ...                 → Complete implementation
// FIXME: ...                → Fixed code
raise ENotImplemented        → Working code
Stub functions               → Real implementations
Mock implementations         → Production code
Placeholder values           → Real values
Hardcoded strings            → Resource strings (i18n)
Empty exception handlers     → Specific error handling
Magic numbers                → Named constants
</code>
==== Security Basics ====
<code>
FORBIDDEN                      REQUIRED
─────────────────────────────────────────────────
SQL string concatenation     → Parameterized queries
Secrets in logs              → Zeroization after use
Hardcoded credentials        → Environment variables
Error messages with paths    → Sanitized messages
</code>
===== Review Process =====
==== Step 1: Core Checklist ====
<code>
[ ] No TODO/FIXME comments
[ ] No stub or mock functions
[ ] All functions fully implemented
[ ] No empty exception handlers
[ ] Errors logged BEFORE handling
[ ] Resources released deterministically
[ ] No duplicated code (DRY)
[ ] No magic numbers
</code>
==== Step 2: Security (if applicable) ====
<code>
[ ] Input validated at all boundaries
[ ] SQL parameterized (no concatenation)
[ ] No secrets in logs
[ ] Error messages sanitized (no paths/versions)
[ ] Secrets cleared after use (zeroization)
[ ] Timeouts for external operations
</code>
==== Step 3: SSOT Check ====
<code>
[ ] NodeJS APIs via ~/sources/common/web/nodejs/
[ ] VSCode APIs via ~/sources/common/web/vscode/
[ ] Logging via WvdS.System.Logging
[ ] No direct require() calls in extensions
[ ] No duplicates of common units
</code>
==== Step 4: Documentation ====
<code>
[ ] Public API has PasDoc comments
[ ] Comments explain WHY, not WHAT
[ ] No outdated comments
[ ] Comments in English
</code>
===== AI-Assisted Audits =====
The same checklists are used for automated AI audits:
<code>
# Audit tasks (see docs/automated-test-tasks.txt)

1. IMPLEMENT ALL STUBS/MOCKS
   - Create inventory of all units
   - Identify stubs/mocks
   - Implement production-ready

2. EXECUTE QUALITY/SECURITY AUDIT
   - Identify security risks
   - Find SoC violations
   - Fix according to standards

3. ADD CODE COMMENTS
   - Identify missing comments
   - Write PasDoc comments

4. SSOT CHECK
   - Find local require() calls
   - Replace with common library calls

5. BUILD EXTENSIONS
   - Compile and test
   - Create VSIX
</code>
===== Logging =====
All audit steps are logged in stack trace format:
<code>
[2026-01-13 10:30:22.001] Audit started
  at TWvdSAudit.Initialize(Audit.Service.pas:42)
  Scope: sources/extensions/**

[2026-01-13 10:30:22.015] Found: TODO comment
  at extension_main.pas:156
  Text: "// TODO: Implement error handling"
  Action: Implementation required

[2026-01-13 10:30:22.042] Fixed: TODO comment removed
  at extension_main.pas:156
  Change: Complete error handling implemented
</code>
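The following is an added example, not the project's own audit tool: a small Python scanner that checks Pascal source for a subset of the zero-tolerance rules above (TODO/FIXME, ''raise ENotImplemented'', empty exception handlers, SQL string concatenation) and renders the findings in the log layout shown in this section. The regexes, the function names ''audit'' and ''to_log'', and the sample Pascal unit are assumptions made for illustration.

```python
import re

# Patterns for some zero-tolerance rules; the regexes are assumptions of this example.
RULES = [
    ("TODO/FIXME comment", re.compile(r"//\s*(?:TODO|FIXME)\b", re.I), "Implementation required"),
    ("ENotImplemented", re.compile(r"\braise\s+ENotImplemented\b", re.I), "Working code required"),
    # A string literal that starts with an SQL verb and is followed by '+'.
    ("SQL string concatenation",
     re.compile(r"'\s*(?:select|insert|update|delete)\b(?:[^'\n]|'')*'\s*\+", re.I),
     "Use a parameterized query"),
]
# 'except' followed by 'end' with only whitespace or comments in between.
EMPTY_EXCEPT = re.compile(r"\bexcept\b(?:\s|//[^\n]*|\{[^}]*\})*\bend\b", re.I)

def audit(source):
    """Return findings as (line, rule, text, action) tuples, sorted by line."""
    findings = []
    for no, line in enumerate(source.splitlines(), 1):
        for name, rx, action in RULES:
            if rx.search(line):
                findings.append((no, name, line.strip(), action))
    for m in EMPTY_EXCEPT.finditer(source):
        no = source.count("\n", 0, m.start()) + 1
        findings.append((no, "Empty exception handler", "except ... end",
                         "Specific error handling required"))
    return sorted(findings)

def to_log(path, findings, stamp):
    """Render findings in the timestamped 'at file:line' layout of the Logging section."""
    return "\n".join(
        f'[{stamp}] Found: {name}\n  at {path}:{no}\n  Text: "{text}"\n  Action: {action}'
        for no, name, text, action in findings)

# Constructed Pascal input: three violations, then a compliant routine.
SAMPLE = """procedure LoadUser(const UserId: string);
begin
  // TODO: Implement error handling
  Query.SQL.Text := 'SELECT * FROM users WHERE id = ' + UserId;
  try
    Query.Open;
  except
  end;
end;
procedure LoadUserSafe(const UserId: string);
begin
  Query.SQL.Text := 'SELECT * FROM users WHERE id = :id';
  Query.ParamByName('id').AsString := UserId;
end;
"""
```

Calling ''to_log("sample_unit.pas", audit(SAMPLE), "2026-01-13 10:30:22.015")'' yields three "Found" entries (lines 3, 4 and 7); the parameterized query in ''LoadUserSafe'' produces none.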
===== See also =====
* [[.:audit-core|Core Checklist]]
* [[.:audit-sicherheit|Security Checklist]]
* [[.:audit-codequalitaet|Code Quality Checklist]]
* [[.:kommentierung|Documentation Standards]]
* [[.:audit-vscode|VSCode Extension Checklist]]
* [[.:sicherheit|Security Guidelines]]
* [[.:code-konventionen|Code Conventions]]