Add /saas-gate skill for non-functional requirements validation #2
Open
Labels: enhancement
Description
Add a /saas-gate skill (or extend /close-epic) that validates non-functional requirements for any SaaS project. This is the build-side complement to duplicat-rex's saas-baseline.md template.
What It Does
Runs automated checks for common SaaS non-functional requirements:
- Security: CSRF tokens present, CSP headers set, auth endpoints rate-limited
- Tenant isolation: API endpoints enforce workspace/user scoping
- Performance: Response times within targets (via load testing or benchmarks)
- Data integrity: Audit trail exists, soft delete implemented
- Observability: Health check endpoint responds, structured logging in place
How It Works
- Detect the project's stack (Go, Node, Python, etc.)
- Run stack-appropriate checks:
  - Security headers check (curl-based)
  - Auth endpoint rate limit test
  - Tenant isolation test (create 2 users, verify data isolation)
  - Health check verification
  - Structured log format validation
- Report pass/fail per category
- Optionally integrated into /close-epic as an additional gate
Context
Born from duplicat-rex's need to validate cloned SaaS apps meet production standards. But this is generally useful for any SaaS project built via chief-wiggum.
Acceptance Criteria
- /saas-gate skill exists
- Detects project stack automatically
- Runs security, isolation, performance, and observability checks
- Reports actionable pass/fail results
- Can be run standalone or as part of /close-epic
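
An added example, not part of the original issue or of chief-wiggum's code, sketching how the curl-based security header check and the auth rate limit test from "How It Works" could report pass/fail. The function names, `BASE_URL`, the `/login` path and the use of HTTP 429 as the throttling signal are assumptions; the sample responses are constructed.

```shell
#!/bin/sh
# Added example: offline-testable logic for two of the security checks.
# Live inputs would come from curl (BASE_URL and /login are placeholders):
#   curl -sS -D headers.txt -o /dev/null "$BASE_URL/"
#   curl -sS -o /dev/null -w '%{http_code}\n' -d 'user=x&pass=bad' "$BASE_URL/login" >> codes.txt

# header_value FILE NAME: value of header NAME in the final response block.
# curl -D writes one block per redirect hop, so earlier hops are discarded.
header_value() {
  awk -v want="$2" '
    { sub(/\r$/, "") }              # curl keeps the CRLF line endings
    /^HTTP\// { val = ""; next }    # status line starts a new block
    {
      i = index($0, ":")
      if (i == 0) next
      if (tolower(substr($0, 1, i - 1)) == tolower(want)) {
        val = substr($0, i + 1)
        sub(/^[ \t]+/, "", val)
      }
    }
    END { print val }' "$1"
}

# Exact name match means Content-Security-Policy-Report-Only does not count.
check_csp() {
  csp=$(header_value "$1" "Content-Security-Policy")
  if [ -n "$csp" ]; then echo "PASS security/csp"; return 0; fi
  echo "FAIL security/csp: final response has no enforcing CSP header"
  return 1
}

# FILE holds one status code per line from repeated failed logins.
# Assumption: the application signals throttling with HTTP 429.
check_rate_limit() {
  if grep -qx '429' "$1"; then echo "PASS security/rate-limit"; return 0; fi
  echo "FAIL security/rate-limit: no 429 among the recorded responses"
  return 1
}

# Constructed sample: a redirect hop, then a 200 with only the report-only header.
d=$(mktemp -d)
printf "HTTP/1.1 301 Moved\r\nLocation: /app\r\n\r\nHTTP/1.1 200 OK\r\nContent-Security-Policy-Report-Only: default-src 'self'\r\n\r\n" > "$d/headers.txt"
printf '401\n401\n401\n429\n' > "$d/codes.txt"
check_csp "$d/headers.txt" || true
check_rate_limit "$d/codes.txt" || true
rm -rf "$d"
```

A plain substring grep for `content-security-policy` would have passed the constructed sample, since the report-only header contains that string even though browsers do not enforce it.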