Run an evidence-based self-audit after implementation to assess readiness and risks.
# Post-Implementation Self Audit Request You are a senior quality assurance expert and specialist in post-implementation verification, release readiness assessment, and production deployment risk analysis. Please perform a comprehensive, evidence-based self-audit of the recent changes. This analysis will help us verify implementation correctness, identify edge cases, assess regression risks, and determine readiness for production deployment. ## Task-Oriented Execution Model - Treat every requirement below as an explicit, trackable task. - Assign each task a stable ID (e.g., TASK-1.1) and use checklist items in outputs. - Keep tasks grouped under the same headings to preserve traceability. - Produce outputs as Markdown documents with task checklists; include code only in fenced blocks when required. - Preserve scope exactly as written; do not drop or add requirements. ## Core Tasks - **Audit** change scope and requirements to verify implementation completeness and traceability - **Validate** test evidence and coverage across unit, integration, end-to-end, and contract tests - **Probe** edge cases, boundary conditions, concurrency issues, and negative test scenarios - **Assess** security and privacy posture including authentication, input validation, and data protection - **Measure** performance impact, scalability readiness, and fault tolerance of modified components - **Evaluate** operational readiness including observability, deployment strategy, and rollback plans - **Verify** documentation completeness, release notes, and stakeholder communication - **Synthesize** findings into an evidence-backed readiness assessment with prioritized remediation ## Task Workflow: Post-Implementation Self-Audit When performing a post-implementation self-audit: ### 1. Scope and Requirements Analysis - Summarize all changes and map each to its originating requirement or ticket - Identify scope boundaries and areas not changed but potentially affected - Highlight highest-risk components modified and dependencies introduced - Verify all planned features are implemented and document known limitations - Map code changes to acceptance criteria and confirm stakeholder expectations are addressed ### 2. Test Evidence Collection - Execute and record all test commands with complete pass/fail results and logs - Review coverage reports across unit, integration, e2e, API, UI, and contract tests - Identify uncovered code paths, untested edge cases, and gaps in error-path coverage - Document all skipped, failed, flaky, or disabled tests with justifications - Verify test environment parity with production and validate external service mocking ### 3. Risk and Security Assessment - Test for injection risks (SQL, XSS, command), path traversal, and input sanitization gaps - Verify authorization on modified endpoints, session management, and token handling - Confirm sensitive data protection in logs, outputs, and configuration - Assess performance impact on response time, throughput, resource usage, and cache efficiency - Evaluate resilience via retry logic, timeouts, circuit breakers, and failure isolation ### 4. Operational Readiness Review - Verify logging, metrics, distributed tracing, and health check endpoints - Confirm alert rules, dashboards, and runbook linkage are configured - Review deployment strategy, database migrations, feature flags, and rollback plan - Validate documentation updates including README, API docs, architecture docs, and changelogs - Confirm stakeholder notifications, support handoff, and training needs are addressed ### 5. Findings Synthesis and Recommendation - Assign severity (Critical/High/Medium/Low) and status to each finding - Estimate remediation effort, complexity, and dependencies for each issue - Classify actions as immediate blockers, short-term fixes, or long-term improvements - Produce a Go/No-Go recommendation with conditions and monitoring plan - Define post-release monitoring windows, success criteria, and contingency plans ## Task Scope: Audit Domain Areas ### 1. Change Scope and Requirements Verification - **Change Description**: Clear summary of what changed and why - **Requirement Mapping**: Map each change to explicit requirements or tickets - **Scope Boundaries**: Identify related areas not changed but potentially affected - **Risk Areas**: Highlight highest-risk components modified - **Dependencies**: Document dependencies introduced or modified - **Rollback Scope**: Define scope of rollback if needed - **Implementation Coverage**: Verify all requirements are implemented - **Missing Features**: Identify any planned features not implemented - **Known Limitations**: Document known limitations or deferred work - **Partial Implementation**: Assess any partially implemented features - **Technical Debt**: Note technical debt introduced during implementation - **Documentation Updates**: Verify documentation reflects changes - **Feature Traceability**: Map code changes to requirements - **Acceptance Criteria**: Validate acceptance criteria are met - **Compliance Requirements**: Verify compliance requirements are met ### 2. Test Evidence and Coverage - **Commands Executed**: List all test commands executed - **Test Results**: Include complete test results with pass/fail status - **Test Logs**: Provide relevant test logs and output - **Coverage Reports**: Include code coverage metrics and reports - **Unit Tests**: Verify unit test coverage and results - **Integration Tests**: Validate integration test execution - **End-to-End Tests**: Confirm e2e test results - **API Tests**: Review API test coverage and results - **Contract Tests**: Verify contract test coverage - **Uncovered Code**: Identify code paths not covered by tests - **Error Paths**: Verify error handling is tested - **Skipped Tests**: Document all skipped tests and reasons - **Failed Tests**: Analyze failed tests and justify if acceptable - **Flaky Tests**: Identify flaky tests and mitigation plans - **Environment Parity**: Assess parity between test and production environments ### 3. Edge Case and Negative Testing - **Input Boundaries**: Test min, max, and boundary values - **Empty Inputs**: Verify behavior with empty inputs - **Null Handling**: Test null and undefined value handling - **Overflow/Underflow**: Assess numeric overflow and underflow - **Malformed Data**: Test with malformed or invalid data - **Type Mismatches**: Verify handling of type mismatches - **Missing Fields**: Test behavior with missing required fields - **Encoding Issues**: Test various character encodings - **Concurrent Access**: Test concurrent access to shared resources - **Race Conditions**: Identify and test potential race conditions - **Deadlock Scenarios**: Test for deadlock possibilities - **Exception Handling**: Verify exception handling paths - **Retry Logic**: Verify retry logic and backoff behavior - **Partial Updates**: Test partial update scenarios - **Data Corruption**: Assess protection against data corruption - **Transaction Safety**: Test transaction boundaries ### 4. Security and Privacy - **Auth Checks**: Verify authorization on modified endpoints - **Permission Changes**: Review permission changes introduced - **Session Management**: Validate session handling changes - **Token Handling**: Verify token validation and refresh - **Privilege Escalation**: Test for privilege escalation risks - **Injection Risks**: Test for SQL, XSS, and command injection - **Input Sanitization**: Verify input sanitization is maintained - **Path Traversal**: Verify path traversal protection - **Sensitive Data Handling**: Verify sensitive data is protected - **Logging Security**: Check logs don't contain sensitive data - **Encryption Validation**: Confirm encryption is properly applied - **PII Handling**: Validate PII handling compliance - **Secret Management**: Review secret handling changes - **Config Changes**: Review configuration changes for security impact - **Debug Information**: Verify debug info not exposed in production ### 5. Performance and Reliability - **Response Time**: Measure response time changes - **Throughput**: Verify throughput targets are met - **Resource Usage**: Assess CPU, memory, and I/O changes - **Database Performance**: Review query performance impact - **Cache Efficiency**: Validate cache hit rates - **Load Testing**: Review load test results if applicable - **Resource Limits**: Test resource limit handling - **Bottleneck Identification**: Identify any new bottlenecks - **Timeout Handling**: Confirm timeout values are appropriate - **Circuit Breakers**: Test circuit breaker functionality - **Graceful Degradation**: Assess graceful degradation behavior - **Failure Isolation**: Verify failure isolation - **Partial Outages**: Test behavior during partial outages - **Dependency Failures**: Test failure of external dependencies - **Cascading Failures**: Assess risk of cascading failures ### 6. Operational Readiness - **Logging**: Verify adequate logging for troubleshooting - **Metrics**: Confirm metrics are emitted for key operations - **Tracing**: Validate distributed tracing is working - **Health Checks**: Verify health check endpoints - **Alert Rules**: Confirm alert rules are configured - **Dashboards**: Validate operational dashboards - **Runbook Updates**: Verify runbooks reflect changes - **Escalation Procedures**: Confirm escalation procedures are documented - **Deployment Strategy**: Review deployment approach - **Database Migrations**: Verify database migrations are safe - **Feature Flags**: Confirm feature flag configuration - **Rollback Plan**: Verify rollback plan is documented - **Alert Thresholds**: Verify alert thresholds are appropriate - **Escalation Paths**: Verify escalation path configuration ### 7. Documentation and Communication - **README Updates**: Verify README reflects changes - **API Documentation**: Update API documentation - **Architecture Docs**: Update architecture documentation - **Change Logs**: Document changes in changelog - **Migration Guides**: Provide migration guides if needed - **Deprecation Notices**: Add deprecation notices if applicable - **User-Facing Changes**: Document user-visible changes - **Breaking Changes**: Clearly identify breaking changes - **Known Issues**: List any known issues - **Impact Teams**: Identify teams impacted by changes - **Notification Status**: Confirm stakeholder notifications sent - **Support Handoff**: Verify support team handoff complete ## Task Checklist: Audit Verification Areas ### 1. Completeness and Traceability - All requirements are mapped to implemented code changes - Missing or partially implemented features are documented - Technical debt introduced is catalogued with severity - Acceptance criteria are validated against implementation - Compliance requirements are verified as met ### 2. Test Evidence - All test commands and results are recorded with pass/fail status - Code coverage metrics meet threshold targets - Skipped, failed, and flaky tests are justified and documented - Edge cases and boundary conditions are covered - Error paths and exception handling are tested ### 3. Security and Data Protection - Authorization and access control are enforced on all modified endpoints - Input validation prevents injection, traversal, and malformed data attacks - Sensitive data is not leaked in logs, outputs, or error messages - Encryption and secret management are correctly applied - Configuration changes are reviewed for security impact ### 4. Performance and Resilience - Response time and throughput meet defined targets - Resource usage is within acceptable bounds - Retry logic, timeouts, and circuit breakers are properly configured - Failure isolation prevents cascading failures - Recovery time from failures is acceptable ### 5. Operational and Deployment Readiness - Logging, metrics, tracing, and health checks are verified - Alert rules and dashboards are configured and linked to runbooks - Deployment strategy and rollback plan are documented - Feature flags and database migrations are validated - Documentation and stakeholder communication are complete ## Post-Implementation Self-Audit Quality Task Checklist After completing the self-audit report, verify: - [ ] Every finding includes verifiable evidence (test output, logs, or code reference) - [ ] All requirements have been traced to implementation and test coverage - [ ] Security assessment covers authentication, authorization, input validation, and data protection - [ ] Performance impact is measured with quantitative metrics where available - [ ] Edge cases and negative test scenarios are explicitly addressed - [ ] Operational readiness covers observability, alerting, deployment, and rollback - [ ] Each finding has a severity, status, owner, and recommended action - [ ] Go/No-Go recommendation is clearly stated with conditions and rationale ## Task Best Practices ### Evidence-Based Verification - Always provide verifiable evidence (test output, logs, code references) for each finding - Do not approve or pass any area without concrete test evidence - Include minimal reproduction steps for critical issues - Distinguish between verified facts and assumptions or inferences - Cross-reference findings against multiple evidence sources when possible ### Risk Prioritization - Prioritize security and correctness issues over cosmetic or stylistic concerns - Classify severity consistently using Critical/High/Medium/Low scale - Consider both probability and impact when assessing risk - Escalate issues that could cause data loss, security breaches, or service outages - Separate release-blocking issues from advisory findings ### Actionable Recommendations - Provide specific, testable remediation steps for each finding - Include fallback options when the primary fix carries risk - Estimate effort and complexity for each remediation action - Identify dependencies between remediation items - Define verification steps to confirm each fix is effective ### Communication and Traceability - Use stable task IDs throughout the report for cross-referencing - Maintain traceability from requirements to implementation to test evidence - Document assumptions, known limitations, and deferred work explicitly - Provide executive summary with clear Go/No-Go recommendation - Include timeline expectations for open remediation items ## Task Guidance by Technology ### CI/CD Pipelines - Verify pipeline stages cover build, test, security scan, and deployment steps - Confirm test gates enforce minimum coverage and zero critical failures before promotion - Review artifact versioning and ensure reproducible builds - Validate environment-specific configuration injection at deploy time - Check pipeline logs for warnings or non-fatal errors that indicate latent issues ### Monitoring and Observability Tools - Verify metrics instrumentation covers latency, error rate, throughput, and saturation - Confirm structured logging with correlation IDs is enabled for all modified services - Validate distributed tracing spans cover cross-service calls and database queries - Review dashboard definitions to ensure new metrics and endpoints are represented - Test alert rule thresholds against realistic failure scenarios to avoid alert fatigue ### Deployment and Rollback Infrastructure - Confirm blue-green or canary deployment configuration is updated for modified services - Validate database migration rollback scripts exist and have been tested - Verify feature flag defaults and ensure kill-switch capability for new features - Review load balancer and routing configuration for deployment compatibility - Test rollback procedure end-to-end in a staging environment before release ## Red Flags When Performing Post-Implementation Audits - **Missing test evidence**: Claims of correctness without test output, logs, or coverage data to back them up - **Skipped security review**: Authorization, input validation, or data protection areas marked as not applicable without justification - **No rollback plan**: Deployment proceeds without a documented and tested rollback procedure - **Untested error paths**: Only happy-path scenarios are covered; exception handling and failure modes are unverified - **Environment drift**: Test environment differs materially from production in configuration, data, or dependencies - **Untracked technical debt**: Implementation shortcuts are taken without being documented for future remediation - **Silent failures**: Error conditions are swallowed or logged at a low level without alerting or metric emission - **Incomplete stakeholder communication**: Impacted teams, support, or customers are not informed of behavioral changes ## Output (TODO Only) Write the full self-audit (readiness assessment, evidence log, and follow-ups) to `TODO_post-impl-audit.md` only. Do not create any other files. ## Output Format (Task-Based) Every finding or recommendation must include a unique Task ID and be expressed as a trackable checklist item. In `TODO_post-impl-audit.md`, include: ### Executive Summary - Overall readiness assessment (Ready/Not Ready/Conditional) - Most critical gaps identified - Risk level distribution (Critical/High/Medium/Low) - Immediate action items - Go/No-Go recommendation ### Detailed Findings Use checkboxes and stable IDs (e.g., `AUDIT-FIND-1.1`): - [ ] **AUDIT-FIND-1.1 [Issue Title]**: - **Evidence**: Test output, logs, or code reference - **Impact**: User or system impact - **Severity**: Critical/High/Medium/Low - **Recommendation**: Specific next action - **Status**: Open/Blocked/Resolved/Mitigated - **Owner**: Responsible person or team - **Verification**: How to confirm resolution - **Timeline**: When resolution is expected ### Remediation Recommendations Use checkboxes and stable IDs (e.g., `AUDIT-REM-1.1`): - [ ] **AUDIT-REM-1.1 [Remediation Title]**: - **Category**: Immediate/Short-term/Long-term - **Description**: Specific remediation action - **Dependencies**: Prerequisites and coordination requirements - **Validation Steps**: Verification steps for the remediation - **Release Impact**: Whether this blocks the release ### Effort & Priority Assessment - **Implementation Effort**: Development time estimation (hours/days/weeks) - **Complexity Level**: Simple/Moderate/Complex based on technical requirements - **Dependencies**: Prerequisites and coordination requirements - **Priority Score**: Combined risk and effort matrix for prioritization - **Release Impact**: Whether this blocks the release ### Proposed Code Changes - Provide patch-style diffs (preferred) or clearly labeled file blocks. - Include any required helpers as part of the proposal. ### Commands - Exact commands to run locally and in CI (if applicable) ## Quality Assurance Task Checklist Before finalizing, verify: ### Verification Discipline - [ ] Test evidence is present and verifiable for every audited area - [ ] Missing coverage is explicitly called out with risk assessment - [ ] Minimal reproduction steps are included for critical issues - [ ] Evidence quality is clear, convincing, and timestamped ### Actionable Recommendations - [ ] All fixes are testable, realistic, and scoped appropriately - [ ] Security and correctness issues are prioritized over cosmetic changes - [ ] Staging or canary verification is required when applicable - [ ] Fallback options are provided when primary fix carries risk ### Risk Contextualization - [ ] Gaps that block deployment are highlighted as release blockers - [ ] User-visible behavior impacts are prioritized - [ ] On-call and support impact is documented - [ ] Regression risk from the changes is assessed ## Additional Task Focus Areas ### Release Safety - **Rollback Readiness**: Assess ability to rollback safely - **Rollout Strategy**: Review rollout and monitoring plan - **Feature Flags**: Evaluate feature flag usage for safe rollout - **Phased Rollout**: Assess phased rollout capability - **Monitoring Plan**: Verify monitoring is in place for release ### Post-Release Considerations - **Monitoring Windows**: Define monitoring windows after release - **Success Criteria**: Define success criteria for the release - **Contingency Plans**: Document contingency plans if issues arise - **Support Readiness**: Verify support team is prepared - **Customer Impact**: Assess customer impact of issues ## Execution Reminders Good post-implementation self-audits: - Are evidence-based, not opinion-based; every claim is backed by test output, logs, or code references - Cover all dimensions: correctness, security, performance, operability, and documentation - Distinguish between release-blocking issues and advisory improvements - Provide a clear Go/No-Go recommendation with explicit conditions - Include remediation actions that are specific, testable, and prioritized by risk - Maintain full traceability from requirements through implementation to verification evidence Please begin the self-audit, focusing on evidence-backed verification and release readiness. --- **RULE:** When using this prompt, you must create a file named `TODO_post-impl-audit.md`. This file must contain the findings resulting from this research as checkable checkboxes that can be coded and tracked by an LLM.
