Systematically QA test a web application with browser-based bug fixing. Four modes: diff-aware (automatic on feature branches), full (systematic exploration), quick (30-second smoke test), regression (compare against baseline). Atomic bug-fix workflow with regression testing. Health scoring across 8 categories.

Infrastructure-first security audit across 14 phases: attack surface mapping, secrets archaeology (git history), supply chain analysis, CI/CD pipeline security, LLM/AI threat detection, OWASP Top 10, STRIDE threat modeling. Confidence gates, exploit scenarios, parallel verification, trend tracking. Read-only.

Fully automated ship workflow: pre-flight, merge base, run tests, coverage audit, pre-landing review, design review, adversarial review, version bump, CHANGELOG generation, TODOS.md update, bisectable commits, push and PR creation, auto-sync docs via document-release.

Multi-AI second opinion via OpenAI Codex CLI. Three modes: Review (pass/fail gate), Challenge (adversarial edge-case finder), Consult (freeform with session continuity). Read-only with streaming output and thinking traces. Cross-model analysis when review has already run.

Combines careful + freeze. Dual protection: destructive command warnings plus edit boundary enforcement.

Weekly engineering retrospective. Analyzes commit history, work patterns, and code quality metrics. Per-person breakdowns with praise and growth areas. Modes: default 7d, 24h, 14d, 30d, compare, global cross-project. Shipping streaks and tweetable summary.

Headless Chromium CLI for QA testing and site dogfooding. 100-200ms per command after startup. Persistent state with cookies, tabs, sessions. Snapshot system with element refs. Navigate, interact, verify page state, take screenshots, check responsive layouts, test forms, handle dialogs.

Post-deploy monitoring. Watches live app via headless browser for console errors, performance regressions, page failures, visual anomalies. Alert on deltas not absolutes, transient tolerance (2+ consecutive checks). Default 10-minute monitoring window. Baseline capture mode.

Restricts file edits to a specified directory. Pre-tool hooks intercept Edit and Write operations. Trailing-slash matching prevents partial path collisions.

Pre-landing PR review with two-pass checklist. Pass 1 critical: SQL safety, race conditions, LLM trust boundaries, enum completeness. Pass 2 informational: side effects, magic numbers, dead code, test gaps. Adversarial review auto-scaled by diff size. Scope drift detection.

Warns before destructive commands (rm -rf, DROP TABLE, force-push, git reset --hard, kubectl delete, docker force-rm). Session-scoped. Exceptions for common temp dirs (node_modules, .next, __pycache__).

Report-only QA — same browser-based testing as qa but documents bugs with screenshots and repro steps only, no code changes. Health score formula weighted across 8 categories. Outputs to .gstack/qa-reports/.

Fully automated review pipeline: CEO, Design, and Eng reviews with auto-decisions using 6 principles (completeness, boil lakes, pragmatic, DRY, explicit over clever, bias toward action). Only pauses for premise confirmation. Classifies decisions as Mechanical (silent) or Taste (surfaced at final gate).

Removes freeze boundary. Hooks remain registered but allow everything.

Performance regression detection. Captures TTFB, FCP, LCP, bundle sizes, request counts. Regression thresholds: timing >50% or >500ms. Baseline comparison, trend tracking, budget compliance scorecard.

Systematic root-cause debugging. Iron Law: no fixes without root cause investigation first. Four phases: Root Cause Investigation, Pattern Analysis (6 known patterns), Hypothesis Testing (3-strike rule), Implementation. Structured debug report output.

YC Office Hours — product idea diagnostic before writing code. Two modes: Startup (6 forcing questions with rigorous pushback) and Builder (generative brainstorming). Outputs design doc. Includes landscape research, premise challenge, alternatives generation, visual wireframe sketching, and optional cross-model second opinion.

One-time deployment configuration. Detects platform, gathers URLs and health checks, persists to CLAUDE.md for future land-and-deploy runs.

Live-site visual QA audit with fix loop. 10-category checklist (~80 items) including AI Slop Detection (10 blacklisted patterns). Atomic commits per fix. Before/after screenshots. A-F grading. Parallel cross-model code-level design audit. Modes: Full, Quick, Deep, Diff-aware, Regression.

Self-update mechanism. Detects git vs vendored install. Auto-upgrade option with escalating snooze backoff. Syncs global and local copies. Extracts CHANGELOG bullets post-upgrade.

Merge PR, wait for deploy, verify production health. 10-step workflow: pre-flight, CI check, readiness gate, merge (respects merge queue), detect platform, wait for deploy, canary verification, revert option, deploy report. Auto-detects Fly, Render, Vercel, Netlify, Heroku, GitHub Actions.

CEO/founder-mode plan review. Four modes: scope expansion, selective expansion, hold scope, scope reduction. 10 review sections from architecture through long-term trajectory. Nuclear scope challenge, dream state mapping, error and rescue registry. Optional cross-model outside voice.

Eng manager-mode plan review. Scope challenge, architecture review, code quality review, detailed test coverage diagram, performance review. Produces test plan artifact for downstream QA. Optional cross-model outside voice.

Post-ship documentation sync. Updates README, ARCHITECTURE, CONTRIBUTING, CHANGELOG, TODOS, VERSION. Auto-applies factual corrections, asks for risky rewrites. CHANGELOG voice polish. Cross-doc consistency checks.

Design critique with 7 rated passes: Information Architecture, Interaction State Coverage, User Journey and Emotional Arc, AI Slop Risk (10-item blacklist), Design System Alignment, Responsive and Accessibility, Unresolved Decisions. Each rated 0-10 with gap-fill loop. Parallel cross-model design voices.

Build a complete design system from scratch. Competitive research via web search and browse. SAFE/RISK breakdown of choices. Self-contained HTML preview page. Outputs DESIGN.md as project design source of truth.

Import cookies from your real browser (Comet, Chrome, Arc, Brave, Edge) into the headless browse session for testing authenticated pages. Interactive picker UI or direct domain import. macOS Keychain integration.