Skill: verification (Cross-cutting — Run/Check Before “Done”)
You are performing verification of changes before declaring a task/feature complete.
This skill standardizes the minimum checks to reduce “it works on my machine” failures across:
- Django + DRF backend
- Next.js frontend
- Postgres migrations
- Auth + CORS
- API/Frontend contract alignment
When to use this skill
Use this skill whenever:
- You changed code (frontend or backend)
- You introduced/changed an API endpoint or contract
- You changed a model or migrations
- You touched auth, permissions, CORS, or environment variables
Inputs
- The implemented code changes
- docs/features/<feature-slug>/02-design.md (expected behavior/contracts)
- docs/features/<feature-slug>/03-implementation-notes.md (what you claim you changed)
Output expectations
In docs/features/<feature-slug>/03-implementation-notes.md (or your response if not using artifacts), include:
- What you actually verified (explicit)
- Commands you ran (or commands to run if you did not run them)
- Any known gaps (e.g., “tests not run: reason”)
Hard rules
- Do NOT claim verification you did not perform.
- Prefer the smallest set of checks that gives high confidence.
- Verification must cover the changed surface area.
Verification levels (choose appropriately)
Level 0 — Trivial doc-only change
- Confirm docs render and links are valid.
Level 1 — Smoke (default for most PR-sized changes)
Goal: prove app boots, core path works, and no obvious breakage.
Level 2 — Targeted tests
Goal: add confidence for logic-heavy changes, auth, migrations, and contracts.
Level 3 — Full suite (when risk is high)
Goal: run the full test/lint/typecheck suite(s) if they exist.
Minimum smoke checklist (Level 1)
Backend (Django/DRF)
- Server boots (no startup exceptions).
- Any new/changed endpoint responds correctly for:
  - happy path
  - at least one expected error case (400/401/403/404, depending on the endpoint)
- Auth expectations match the contract:
  - unauth endpoints are unauth
  - protected endpoints require auth
- CORS behavior is correct for browser calls (no CORS errors when using expected origins).
Database & migrations
- If models changed:
  - migration files exist and are sane
  - migration plan is safe (see skills/migrations-data-model-changes/skill.md)
- If you applied migrations locally, record that.
- If you did not apply migrations locally, state that and provide the exact command(s).
Frontend (Next.js)
- App boots.
- Core UI path related to the change renders without runtime errors.
- Browser-side API call path works (when relevant), including auth headers and error states.
Contracts (FE/BE)
- Confirm request/response fields used by the frontend match what the backend returns.
- Confirm error shapes used by the frontend match what the backend returns.
Targeted verification (Level 2) — What to add when relevant
Auth / Permissions / Security
- Attempt an authz bypass scenario relevant to the change.
- Confirm 401 vs 403 semantics are correct.
- Confirm token refresh flow does not loop or deadlock (if applicable).
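The auth and CORS items in the Level 1 backend checklist and the 401 vs 403 check above can be driven from one contract table. This is an added example, not part of the original skill or of any project's code; the endpoint paths, access labels, token and origin are hypothetical, and the stub backend is constructed so the check runs offline.

```python
# Added example: auth + CORS smoke check driven by a contract table.
# Paths, access labels, token and origin are hypothetical placeholders.
import urllib.error
import urllib.request

def http_fetch(base_url):
    """Build fetch(method, path, token, origin) -> (status, lowercased headers)."""
    def fetch(method, path, token, origin):
        req = urllib.request.Request(base_url + path, method=method)
        req.add_header("Origin", origin)
        if token:
            req.add_header("Authorization", f"Bearer {token}")
        try:
            with urllib.request.urlopen(req, timeout=5) as resp:
                status, hdrs = resp.status, resp.headers
        except urllib.error.HTTPError as err:  # 4xx/5xx are results to check
            status, hdrs = err.code, err.headers
        return status, {k.lower(): v for k, v in hdrs.items()}
    return fetch

def check_contract(contract, fetch, origin, user_token):
    """Rows are (method, path, access), access in public/user/admin. Returns failures."""
    failures = []
    for method, path, access in contract:
        anon, hdrs = fetch(method, path, None, origin)
        if access == "public" and anon in (401, 403):
            failures.append(f"{method} {path}: public endpoint gave {anon} to anonymous")
        if access != "public" and anon != 401:
            failures.append(f"{method} {path}: anonymous got {anon}, expected 401")
        # Assumption: the backend echoes the specific allowed origin, not "*".
        if hdrs.get("access-control-allow-origin") != origin:
            failures.append(f"{method} {path}: no CORS allow-origin for {origin}")
        if access != "public":
            authed, _ = fetch(method, path, user_token, origin)  # valid non-admin token
            if access == "admin" and authed != 403:
                failures.append(f"{method} {path}: non-admin got {authed}, expected 403")
            if access == "user" and authed in (401, 403):
                failures.append(f"{method} {path}: valid user got {authed}")
    return failures

# Constructed stand-in for a backend, so the check runs without a server.
def stub_fetch(method, path, token, origin):
    cors = {"access-control-allow-origin": origin}
    if path != "/api/health/" and token is None:
        return 401, cors
    return 200, cors  # deliberate defect: the admin route has no permission check

CONTRACT = [("GET", "/api/health/", "public"), ("GET", "/api/items/", "user"),
            ("GET", "/api/admin/users/", "admin")]
```

Against a running server, pass `http_fetch("<base-url>")` in place of `stub_fetch` and record the returned failures in the implementation notes. DRF answers an unauthenticated request with 403 rather than 401 when the view's first authentication class supplies no `WWW-Authenticate` header (SessionAuthentication, for example), so take the expected anonymous status from the design doc.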
Migrations / Backfills
- Verify on a representative dataset size if possible.
- Ensure backfills are idempotent and chunkable.
- Call out locking risk and rollback plan.
Forms & validation
- Confirm server-side validation errors are surfaced.
- Confirm frontend handles validation errors gracefully.
Tooling checks (run when available and relevant)
- Backend: tests, lint, formatting (if configured)
- Frontend: lint, typecheck, unit tests (if configured)
If the repo lacks these checks, do not invent them; document the gap.
Reporting template (copy into implementation notes)
- Verified:
  - Backend: <what you ran / checked>
  - Frontend: <what you ran / checked>
  - Migrations: <generated/applied/deferred>
  - Contracts: <what you compared>
- Commands run:
  - <commands>
- Not run (and why):
  - <gaps>
- Smoke steps performed:
  - <manual steps>