Validation Expert (Project Conductor)

Deep research-driven validation skill specific to Project Conductor's architecture.

When to Use

Invoke this skill when:

• User mentions: "validate", "check", "review", "test"
• Before deployment to staging/production
• After major feature implementation
• When quality issues are suspected
• Before creating a pull request
• When user asks "is this production ready?"

Project Conductor Context

Tech Stack:

• Node.js 20+ with TypeScript 5.2.2
• Express.js 4.18.2
• Socket.io 4.7.2 (real-time)
• PostgreSQL 15 (database)
• Redis 7 (caching)
• Jest 29.6.4 (testing)

Architecture:

• 7-module workflow (Onboarding → BRD → PRD → Design → Conflicts → Implementation → History)
• RESTful APIs (12 major APIs, 100+ endpoints)
• Real-time collaboration (WebSocket)
• Document-centric (Markdown + YAML frontmatter)

Validation Methodology

Step 1: Quick Health Check

bash
1# Run immediate checks
2npm run build          # TypeScript compilation
3npm run lint          # ESLint
4npm test              # Jest test suite
5npm run typecheck     # TypeScript strict checks
6
7# Check docker services
8docker-compose ps     # PostgreSQL, Redis status

Step 2: Launch Deep Research for Best Practices

Use codex-deep-research agent to validate against industry standards:

markdown
1Invoke Task tool with subagent_type="codex-deep-research"
2
3Prompt:
4"Research the best practices, validation techniques, and quality standards for a production-ready TypeScript + Express.js + PostgreSQL application similar to Project Conductor.
5
6Project Conductor is a requirements management and workflow orchestration platform with:
7- 12 RESTful APIs
8- Real-time WebSocket collaboration
9- PostgreSQL database with complex queries
10- Redis caching
11- 7-module workflow system
12- Document-centric architecture (Markdown + YAML)
13
14Please provide comprehensive validation checklist covering:
15
161. **Code Quality:**
17   - TypeScript best practices (strict mode, no 'any', proper typing)
18   - ESLint rules for Node.js + Express
19   - Code organization patterns (controllers, services, models)
20   - Error handling patterns
21   - Logging best practices (Pino, Winston)
22
232. **API Design:**
24   - RESTful conventions (status codes, response formats)
25   - Input validation (express-validator patterns)
26   - Rate limiting strategies
27   - API versioning (/api/v1)
28   - Error response standards
29
303. **Database:**
31   - PostgreSQL query optimization
32   - Index strategy validation
33   - Connection pool configuration
34   - Migration best practices
35   - Data integrity constraints
36
374. **Security:**
38   - OWASP Top 10 compliance
39   - SQL injection prevention
40   - XSS prevention
41   - Rate limiting
42   - Authentication/authorization (JWT, RBAC)
43   - Secrets management
44
455. **Performance:**
46   - Response time targets (p95 <200ms)
47   - Caching hit rate (>80%)
48   - Database query performance (<50ms)
49   - WebSocket latency (<50ms)
50   - Memory leak detection
51
526. **Testing:**
53   - Test coverage targets (>75%)
54   - Unit test patterns
55   - Integration test strategies
56   - E2E test scenarios
57   - WebSocket testing approaches
58
597. **Production Readiness:**
60   - Environment configuration
61   - Graceful shutdown
62   - Health check endpoints
63   - Monitoring setup (Prometheus, DataDog)
64   - Error tracking (Sentry)
65   - Logging infrastructure
66
678. **Deployment (Render specific):**
68   - Static file serving validation
69   - Environment variable checks
70   - Build process verification
71   - Path resolution correctness
72   - 404 prevention strategies
73
74Provide specific validation commands, test cases, and checklists for each category."

Step 3: Check for AI-Powered Validation Tools

Use gemini-research-analyst agent to find modern validation tools:

markdown
1Invoke Task tool with subagent_type="gemini-research-analyst"
2
3Prompt:
4"Research if Google's Gemini AI provides any code validation, quality analysis, or automated testing tools that could benefit Project Conductor.
5
6Specifically investigate:
71. Gemini-powered code review tools
82. Automated test generation
93. Security vulnerability scanning
104. Performance profiling
115. API contract testing
126. TypeScript type safety analysis
137. Database query optimization suggestions
148. Real-time monitoring and anomaly detection
15
16If Gemini has relevant tools:
17- How to integrate with TypeScript + Express.js
18- Cost implications
19- Accuracy/reliability compared to traditional tools
20- Production-ready status
21- Examples of companies using these tools
22
23Also research Google Cloud tools that could enhance validation:
24- Cloud Build (CI/CD)
25- Error Reporting
26- Cloud Monitoring
27- Cloud Profiler
28- Security Command Center"

Step 4: Execute Comprehensive Validation

After research agents return, run this complete validation suite:

4A. Code Quality Validation

bash
1#!/bin/bash
2# comprehensive-validation.sh
3
4echo "📊 Project Conductor Validation Suite"
5echo "======================================"
6
7# 1. TypeScript Compilation
8echo "\n1️⃣ TypeScript Compilation..."
9npm run build
10if [ $? -ne 0 ]; then
11  echo "❌ TypeScript compilation failed"
12  exit 1
13fi
14echo "✅ TypeScript compilation passed"
15
16# 2. Type Checking (strict mode)
17echo "\n2️⃣ TypeScript Strict Checks..."
18npx tsc --noEmit --strict
19if [ $? -ne 0 ]; then
20  echo "❌ Type checking failed"
21  exit 1
22fi
23echo "✅ Type checking passed"
24
25# 3. Linting
26echo "\n3️⃣ ESLint..."
27npm run lint
28if [ $? -ne 0 ]; then
29  echo "⚠️  Linting issues found"
30fi
31
32# 4. Find 'any' types (anti-pattern)
33echo "\n4️⃣ Checking for 'any' types..."
34ANY_COUNT=$(grep -r ": any" src/ --include="*.ts" | wc -l)
35echo "Found $ANY_COUNT instances of 'any' type"
36if [ $ANY_COUNT -gt 10 ]; then
37  echo "⚠️  Consider reducing 'any' usage (found $ANY_COUNT, target <10)"
38fi
39
40# 5. Find console.log (should use logger)
41echo "\n5️⃣ Checking for console.log..."
42CONSOLE_COUNT=$(grep -r "console\." src/ --include="*.ts" | grep -v "// " | wc -l)
43echo "Found $CONSOLE_COUNT console statements"
44if [ $CONSOLE_COUNT -gt 0 ]; then
45  echo "⚠️  Replace console.log with logger (found $CONSOLE_COUNT)"
46fi
47
48# 6. Check for hardcoded secrets
49echo "\n6️⃣ Checking for hardcoded secrets..."
50if grep -r "password\s*=\s*['\"]" src/ --include="*.ts" | grep -v "process.env"; then
51  echo "❌ Hardcoded passwords found!"
52  exit 1
53fi
54echo "✅ No hardcoded secrets detected"
55
56# 7. Test Suite
57echo "\n7️⃣ Running Test Suite..."
58npm test -- --coverage
59if [ $? -ne 0 ]; then
60  echo "❌ Tests failed"
61  exit 1
62fi
63echo "✅ Tests passed"
64
65# 8. Test Coverage Check
66echo "\n8️⃣ Checking Test Coverage..."
67COVERAGE=$(npm test -- --coverage --silent | grep "All files" | awk '{print $10}' | sed 's/%//')
68if (( $(echo "$COVERAGE < 75" | bc -l) )); then
69  echo "⚠️  Test coverage is $COVERAGE% (target: 75%)"
70else
71  echo "✅ Test coverage is $COVERAGE%"
72fi

4B. API Validation

typescript
1// tests/validation/api-validation.test.ts
2import request from 'supertest';
3import { app } from '../../src/index';
4
5describe('API Validation', () => {
6  describe('Response Format Standards', () => {
7    it('should return consistent JSON structure', async () => {
8      const res = await request(app).get('/api/v1/health');
9
10      expect(res.status).toBe(200);
11      expect(res.body).toHaveProperty('success');
12      expect(res.body).toHaveProperty('data');
13      expect(typeof res.body.success).toBe('boolean');
14    });
15
16    it('should handle errors with proper format', async () => {
17      const res = await request(app).get('/api/v1/requirements/invalid-id');
18
19      expect(res.status).toBeGreaterThanOrEqual(400);
20      expect(res.body).toHaveProperty('success', false);
21      expect(res.body).toHaveProperty('message');
22    });
23  });
24
25  describe('API Versioning', () => {
26    it('all endpoints should be under /api/v1', async () => {
27      const res = await request(app).get('/api/v1/health');
28      expect(res.status).not.toBe(404);
29    });
30  });
31
32  describe('Rate Limiting', () => {
33    it('should enforce rate limits', async () => {
34      const requests = Array(100).fill(null).map(() =>
35        request(app).get('/api/v1/requirements')
36      );
37
38      const responses = await Promise.all(requests);
39      const rateLimited = responses.some(r => r.status === 429);
40
41      expect(rateLimited).toBe(true);
42    });
43  });
44
45  describe('Input Validation', () => {
46    it('should reject invalid input', async () => {
47      const res = await request(app)
48        .post('/api/v1/requirements')
49        .send({ title: '', priority: 'invalid' }); // Invalid data
50
51      expect(res.status).toBe(400);
52      expect(res.body.success).toBe(false);
53    });
54
55    it('should sanitize SQL injection attempts', async () => {
56      const res = await request(app)
57        .get('/api/v1/requirements')
58        .query({ sortBy: "'; DROP TABLE requirements; --" });
59
60      expect(res.status).not.toBe(500); // Should handle gracefully
61    });
62  });
63});

4C. Database Validation

sql
1-- scripts/validate-database.sql
2-- Run this to validate database health
3
4-- 1. Check for missing indexes
5SELECT
6  schemaname,
7  tablename,
8  indexname
9FROM pg_indexes
10WHERE schemaname = 'public'
11ORDER BY tablename;
12
13-- 2. Find slow queries (from pg_stat_statements)
14SELECT
15  query,
16  calls,
17  total_time,
18  mean_time,
19  max_time
20FROM pg_stat_statements
21WHERE mean_time > 100 -- Queries slower than 100ms
22ORDER BY mean_time DESC
23LIMIT 20;
24
25-- 3. Check table sizes
26SELECT
27  schemaname,
28  tablename,
29  pg_size_pretty(pg_total_relation_size(schemaname||'.'||tablename)) AS size
30FROM pg_tables
31WHERE schemaname = 'public'
32ORDER BY pg_total_relation_size(schemaname||'.'||tablename) DESC;
33
34-- 4. Check for unused indexes
35SELECT
36  schemaname,
37  tablename,
38  indexname,
39  idx_scan as index_scans
40FROM pg_stat_user_indexes
41WHERE idx_scan = 0
42  AND indexrelname NOT LIKE '%_pkey'
43ORDER BY pg_relation_size(indexrelid) DESC;
44
45-- 5. Connection pool health
46SELECT
47  count(*),
48  state
49FROM pg_stat_activity
50WHERE datname = current_database()
51GROUP BY state;

4D. Security Validation

bash
1# scripts/security-audit.sh
2
3echo "🔒 Security Audit"
4echo "================"
5
6# 1. Check for known vulnerabilities
7echo "\n1️⃣ Checking npm dependencies for vulnerabilities..."
8npm audit --audit-level=moderate
9if [ $? -ne 0 ]; then
10  echo "⚠️  Vulnerabilities found in dependencies"
11fi
12
13# 2. Check for exposed secrets
14echo "\n2️⃣ Scanning for exposed secrets..."
15if command -v gitleaks &> /dev/null; then
16  gitleaks detect --source . --verbose
17else
18  echo "⚠️  gitleaks not installed (recommended: brew install gitleaks)"
19fi
20
21# 3. Check OWASP dependencies
22echo "\n3️⃣ OWASP Dependency Check..."
23if command -v dependency-check &> /dev/null; then
24  dependency-check --project "Project Conductor" --scan .
25else
26  echo "⚠️  OWASP dependency-check not installed"
27fi
28
29# 4. Check environment variables
30echo "\n4️⃣ Environment Variable Check..."
31REQUIRED_ENVS=("DATABASE_URL" "REDIS_URL" "JWT_SECRET" "NODE_ENV")
32for env in "${REQUIRED_ENVS[@]}"; do
33  if [ -z "${!env}" ]; then
34    echo "⚠️  Missing environment variable: $env"
35  else
36    echo "✅ $env is set"
37  fi
38done
39
40# 5. SSL/TLS Configuration
41echo "\n5️⃣ Checking SSL/TLS..."
42if [ "$NODE_ENV" = "production" ]; then
43  if [ -z "$SSL_CERT" ] || [ -z "$SSL_KEY" ]; then
44    echo "⚠️  SSL certificates not configured for production"
45  else
46    echo "✅ SSL configured"
47  fi
48fi

4E. Performance Validation

typescript
1// tests/validation/performance.test.ts
2import request from 'supertest';
3import { app } from '../../src/index';
4
5describe('Performance Validation', () => {
6  describe('Response Times', () => {
7    it('API should respond in <200ms (p95)', async () => {
8      const times: number[] = [];
9
10      // Make 100 requests
11      for (let i = 0; i < 100; i++) {
12        const start = Date.now();
13        await request(app).get('/api/v1/requirements');
14        times.push(Date.now() - start);
15      }
16
17      times.sort((a, b) => a - b);
18      const p95 = times[Math.floor(times.length * 0.95)];
19
20      console.log(`P95 response time: ${p95}ms`);
21      expect(p95).toBeLessThan(200);
22    });
23
24    it('cached requests should be <50ms', async () => {
25      // Prime cache
26      await request(app).get('/api/v1/requirements?page=1');
27
28      // Measure cached request
29      const start = Date.now();
30      await request(app).get('/api/v1/requirements?page=1');
31      const duration = Date.now() - start;
32
33      expect(duration).toBeLessThan(50);
34    });
35  });
36
37  describe('Memory Leaks', () => {
38    it('should not leak memory over 1000 requests', async () => {
39      const initialMemory = process.memoryUsage().heapUsed;
40
41      // Make 1000 requests
42      for (let i = 0; i < 1000; i++) {
43        await request(app).get('/api/v1/health');
44      }
45
46      // Force garbage collection if available
47      if (global.gc) {
48        global.gc();
49      }
50
51      const finalMemory = process.memoryUsage().heapUsed;
52      const memoryIncrease = finalMemory - initialMemory;
53
54      // Memory should not increase by more than 50MB
55      expect(memoryIncrease).toBeLessThan(50 * 1024 * 1024);
56    });
57  });
58});

4F. Deployment Validation (Render Specific)

bash
1# scripts/render-deployment-validation.sh
2# Based on lessons learned from production deployment
3
4echo "🚀 Render Deployment Validation"
5echo "==============================="
6
7# 1. Check for files in /public
8echo "\n1️⃣ Validating static files..."
9PUBLIC_FILES=$(ls -la public/*.html 2>/dev/null | wc -l)
10if [ $PUBLIC_FILES -gt 0 ]; then
11  echo "✅ Found $PUBLIC_FILES HTML files in /public"
12else
13  echo "⚠️  No HTML files in /public directory"
14fi
15
16# 2. Check for explicit routes that might override static middleware
17echo "\n2️⃣ Checking for route conflicts..."
18EXPLICIT_ROUTES=$(grep -n "\.sendFile.*publicDir" src/index.ts | wc -l)
19if [ $EXPLICIT_ROUTES -gt 0 ]; then
20  echo "⚠️  Found $EXPLICIT_ROUTES explicit routes for /public files"
21  echo "   These may override static middleware - review needed"
22  grep -n "\.sendFile.*publicDir" src/index.ts
23fi
24
25# 3. Check for hardcoded localhost URLs
26echo "\n3️⃣ Checking for hardcoded URLs..."
27if grep -r "localhost:3000" public/ src/ --include="*.ts" --include="*.js" --include="*.html"; then
28  echo "⚠️  Hardcoded localhost URLs found - will break on Render"
29else
30  echo "✅ No hardcoded localhost URLs"
31fi
32
33# 4. Verify environment variables are used
34echo "\n4️⃣ Checking environment variable usage..."
35if grep -r "process.env.PORT" src/index.ts > /dev/null; then
36  echo "✅ PORT uses environment variable"
37else
38  echo "❌ PORT is hardcoded - Render requires process.env.PORT"
39fi
40
41# 5. Build test
42echo "\n5️⃣ Testing production build..."
43npm run build
44if [ $? -eq 0 ]; then
45  echo "✅ Production build successful"
46else
47  echo "❌ Production build failed"
48  exit 1
49fi
50
51# 6. Check git tracking
52echo "\n6️⃣ Checking git status..."
53UNTRACKED=$(git ls-files --others --exclude-standard public/ | wc -l)
54if [ $UNTRACKED -gt 0 ]; then
55  echo "⚠️  Untracked files in /public:"
56  git ls-files --others --exclude-standard public/
57  echo "   These files won't deploy to Render!"
58else
59  echo "✅ All /public files are tracked in git"
60fi

Step 5: Generate Validation Report

markdown
1## Validation Report
2
3**Project**: Project Conductor
4**Date**: [ISO timestamp]
5**Validator**: validation-expert skill
6**Status**: [PASS/FAIL/WARNING]
7
8### Summary
9- **Code Quality**: [PASS/FAIL] - [details]
10- **API Design**: [PASS/FAIL] - [details]
11- **Database**: [PASS/FAIL] - [details]
12- **Security**: [PASS/FAIL] - [details]
13- **Performance**: [PASS/FAIL] - [details]
14- **Testing**: [PASS/FAIL] - [details]
15- **Deployment**: [PASS/FAIL] - [details]
16
17### Critical Issues (must fix before production)
181. [Issue with severity]
192. [Issue with severity]
20
21### Warnings (recommended to fix)
221. [Warning with recommendation]
232. [Warning with recommendation]
24
25### Passed Validations
26- ✅ [Check description]
27- ✅ [Check description]
28
29### Metrics
30- **Test Coverage**: [percentage]%
31- **TypeScript Strict**: [pass/fail]
32- **API Response Time (p95)**: [ms]
33- **Database Query Time (p95)**: [ms]
34- **Security Vulnerabilities**: [count]
35- **Linting Issues**: [count]
36
37### Next Steps
381. Fix critical issues: [list]
392. Address warnings: [list]
403. Re-run validation: `npm run validate`
414. If all pass: Ready for deployment ✅
42
43### Recommendations Based on Research
44[Insert findings from codex-deep-research agent]
45- Industry best practices not yet implemented
46- Tools to consider adding
47- Patterns to adopt

Validation Commands

json
1// Add to package.json scripts
2{
3  "scripts": {
4    "validate": "bash scripts/comprehensive-validation.sh",
5    "validate:security": "bash scripts/security-audit.sh",
6    "validate:deploy": "bash scripts/render-deployment-validation.sh",
7    "validate:db": "psql $DATABASE_URL -f scripts/validate-database.sql",
8    "validate:all": "npm run validate && npm run validate:security && npm run validate:deploy"
9  }
10}

Success Criteria

Validation PASSES when:

• ✅ All tests pass with >75% coverage
• ✅ TypeScript compilation succeeds (strict mode)
• ✅ No critical security vulnerabilities
• ✅ API response times <200ms (p95)
• ✅ Database queries <50ms (p95)
• ✅ No hardcoded secrets or passwords
• ✅ All /public files tracked in git
• ✅ Production build succeeds
• ✅ No route conflicts for static files

Integration with CI/CD

yaml
1# .github/workflows/validation.yml
2name: Validation Pipeline
3
4on: [push, pull_request]
5
6jobs:
7  validate:
8    runs-on: ubuntu-latest
9    steps:
10      - uses: actions/checkout@v3
11      - uses: actions/setup-node@v3
12        with:
13          node-version: '20'
14
15      - name: Install dependencies
16        run: npm ci
17
18      - name: Run comprehensive validation
19        run: npm run validate:all
20
21      - name: Upload coverage
22        uses: codecov/codecov-action@v3
23        with:
24          files: ./coverage/lcov.info

Example Invocation

User: "Is Project Conductor ready for production deployment?"

This skill will:

1. Run all validation scripts
2. Research best practices via codex-deep-research
3. Check for AI-powered validation tools via gemini-research-analyst
4. Generate comprehensive validation report
5. Provide specific recommendations with fixes