AIssistLab

QA Evidence History

This file preserves detailed historical local QA notes. Keep the short current status in latest-local-qa-evidence.md, keep repeatable commands in release-candidate-runbook.md, and keep public-facing release changes in release-notes.md.

Updated: 2026-07-02, Asia/Manila

This note records the latest local, privacy-safe verification state for the V1 release candidate. It is intentionally generic: no API keys, account identifiers, OAuth paths, full home paths, or raw Claude profile folders are included.

Current Checkpoint

Automated Verification

The latest full release gate passed:

npm run verify:release

That run covered 165 test files and still reported manual external QA as required for native OS picker visibility, visible Open Login, and real account-backed chat.

An earlier nested full release gate also passed through the parent workspace verifier:

.\scripts\verify-workspace.ps1 -FullRelease

Covered by that gate:

Latest focused checks for the current cleanup and smoke-helper pass:

npm run smoke:buttons
npm run smoke:local
npm run build
npm run smoke:production
npm run qa:manual:auto
npx --yes tsx src/lib/routes/api-inventory-docs.test.ts
npx --yes tsx src/lib/routes/api-routes.test.ts
npx --yes tsx src/lib/routes/app-routes.test.ts
npx --yes tsx src/lib/routes/route-literal-ownership.test.ts
npx --yes tsx src/lib/test-utils/static-source.test.ts
node scripts/lib/command.test.mjs
npx --yes tsx scripts/cleanup/local-artifacts.test.mjs
npx --yes tsx scripts/smoke/static/local.test.mjs
npx --yes tsx scripts/smoke/helpers/browser-init.test.mjs
npx --yes tsx scripts/smoke/helpers/browser-issues.test.mjs
node scripts/smoke/helpers/server-process.test.mjs
npx --yes tsx scripts/smoke/mocks/chat.test.mjs
npx --yes tsx scripts/smoke/mocks/claude.test.mjs
npx --yes tsx scripts/smoke/mocks/index.test.mjs
npx --yes tsx scripts/smoke/mocks/settings.test.mjs
npx --yes tsx scripts/smoke/mocks/skills.test.mjs
npx --yes tsx scripts/smoke/mocks/release.test.mjs
npx --yes tsx scripts/smoke/helpers/route-fulfill.test.mjs
npm run audit:assets
npm run audit:docs
npm run audit:dead-code
npm run audit:exports
npm run cleanup:artifacts:dry-run
npm run cleanup:project:dry-run
git diff --check

Before the passing run, Playwright Chromium revision 1228 was installed into the machine-level Playwright cache because the existing cache only had revision 1223 and this repo uses Playwright 1.61.0.

Diagnostics Privacy Evidence

The diagnostics ZIP route test now rejects these unsafe patterns in diagnostics output:

The full release privacy scan also passed with no private local paths, account identifiers, API keys, auth paths, or bearer tokens found.

Claude Profile API Privacy Evidence

The Claude CLI profiles route now maps an explicit public response shape before serialization. The route test verifies that profile API output omits internal config fields, raw profile directory names, account emails, token-shaped values, and full local paths while preserving generic labels such as Profile 1 and ~\.claude-profiles\<hidden>.

Process Hygiene

The latest cleanup dry-run found no repo-owned stale Next, smoke, test, release, or manual QA helper processes:

npm run cleanup:project:dry-run

A final scoped process scan found no leftover project servers.

Ignored local build and smoke artifacts can be removed after verification with:

npm run cleanup:artifacts:dry-run
npm run cleanup:artifacts

Dev V1 Polish Evidence

Latest dev polish added an explicit Skipped Manual QA Evidence state for checks intentionally not verified and fixed inactive editor tab panels so Preview hides the edit textarea instead of leaving both panels visible. Skipped is tracked separately from Passed, does not make the summary complete, and is covered by local helper tests plus local and production smoke interactions.

The current release-package pass refreshed release docs, added the V1 ship checklist, expanded production smoke guard coverage for mutating skill/guided endpoints, added built-production path-picker and Manual QA Evidence persistence coverage, added /editor to the safe-button smoke, redacted Settings API secret-like env responses with placeholder-preserving saves, sanitized chat stream error output, expanded privacy scans to catch account identifiers and generic API-key-shaped values, added sanitized release evidence output, added a finite release:prepare wrapper, and tightened readiness recovery action copy.

The final npm run release:prepare pass from commit 1341938 passed. The run covered all 163 test files, lint, production build, production smoke, dependency audit, local browser/API smoke, safe button smoke, manual QA helper auto smoke, project cleanup dry-runs, artifact cleanup dry-run, asset/docs/dead-code/unused-export audits, diff whitespace, untracked release-text hygiene, privacy scan, and sanitized release evidence output.

Manual Gates Still Required

These remain manual or account-backed by design:

  1. Native OS folder picker visibility.
  2. Visible Claude login launch.
  3. Real account-backed chat/auth.

Latest npm run qa:manual:auto refreshed sanitized local status and confirmed the helper still leaves those three checks as manual-only. It reported release readiness and chat readiness blocked by local configuration, runtime provider anthropic_api, and discovered Claude profiles without exposing account identifiers, raw auth paths, or secrets.

Use the release-candidate runbook manual QA section for the device/account checks.