Project Intelligence
Before running a single test, OpenQA analyses the project to understand what kind of application it is, how risky it is, and what standards apply. This is Phase 0 — the "QA lead reading the brief" step.
Why It Matters
A fintech payment platform needs exhaustive OWASP security testing and PCI-DSS compliance checks. A documentation site needs accessibility and broken-link tests. Treating both the same wastes time and misses critical issues.
Project Intelligence adapts the entire testing strategy — agents selected, Kanban tickets created, depth of analysis — to the actual risk profile of the project.
What It Detects
Domain
fintech · healthcare · e-commerce · SaaS B2B/B2C · developer tools · government · media · education
Risk Level
critical · high · medium · low — drives testing depth (exhaustive → basic) and estimated session time
Regulatory Context
PCI-DSS · GDPR · HIPAA · WCAG 2.1 · SOC 2 — automatically identified from signals
Mandatory Checks
OWASP-referenced checks selected per domain. Critical checks block release; high/medium go to backlog
How Signals Are Detected
Intelligence runs two layers of analysis — heuristic first (no LLM cost), then optionally LLM-enhanced:
Example — Fintech App
```text
URL: https://payments.acme.com
  ↓
🔍 Signals: "pay", stripe dep, bcrypt dep, multer dep
  ↓
📊 Domain: fintech | Risk: CRITICAL | Regulations: PCI-DSS, GDPR
  ↓
📋 Mandatory checks (7):
   [SECURITY] Cardholder data never logged or stored in clear (OWASP A02)
   [SECURITY] SQL injection on payment forms (OWASP A03)
   [SECURITY] Auth: brute-force protection + account lockout (OWASP A07)
   [COMPLIANCE] PCI-DSS SAQ: no full card number stored server-side
   [COMPLIANCE] GDPR: data minimisation on payment records
   [PERFORMANCE] Checkout < 2s under 50 concurrent users
   [FUNCTIONAL] Complete payment flow: cart → stripe → confirmation email
  ↓
🗂️ Kanban: 9 tickets created before first test (7 checks + 2 suggestions)
  ↓
🤖 Specialists: auth-tester, xss-tester, sql-injection, api-tester
   + dynamic: PCI-DSS-Validator (blueprint invented on the fly)
```
Intelligence Outputs
| Output | Used by | Description |
|---|---|---|
| domain | Brain, Kanban | Application type (fintech, healthcare…) |
| riskLevel | Brain, Specialists | Drives testing depth and iteration count |
| regulatoryContext | Kanban, Reports | Applicable standards: PCI-DSS, GDPR… |
| mandatoryChecks | Kanban | OWASP-ref checks → tickets in to-do/backlog |
| criticalPaths | Brain, Strategy ticket | User flows that must work (login, checkout…) |
| suggestedSpecialists | Brain / Specialists | Pre-coded agents selected for the domain |
| dynamicAgentBlueprints | Brain / Specialists | On-the-fly agent specs not pre-coded |
| testingStrategy | Brain | Depth, required test types, estimated minutes |
| kanbanSuggestions | Kanban | Improvement / tech-debt / missing-test tickets |
Supported Domains
WebSocket Events
Monitor intelligence results in real-time:
```javascript
const ws = new WebSocket('ws://localhost:3000');

ws.onmessage = (event) => {
  const data = JSON.parse(event.data);

  if (data.type === 'intelligence-complete') {
    const intel = data.intelligence;
    console.log('Domain:', intel.domain); // 'fintech'
    console.log('Risk:', intel.riskLevel); // 'critical'
    console.log('Regulations:', intel.regulatoryContext); // ['PCI-DSS', 'GDPR']
    console.log('Checks:', intel.mandatoryChecks.length); // 7
  }

  if (data.type === 'kanban-seeded') {
    console.log('Tickets created:', data.count); // 9
  }
};
```
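A consumer that acts on these events, rather than just logging them, should validate each frame first. The following added example (not OpenQA's own code) applies the rule stated above that critical checks block release while high/medium go to backlog, and fails closed on malformed input. The function name `gateFromMessage` and the per-check `severity` and `description` fields are assumptions, since the page does not document the shape of a check object.

```javascript
// Added example, not OpenQA code. The per-check `severity` and `description`
// fields are assumed; the page does not document the check object's shape.
const RISK_LEVELS = ['critical', 'high', 'medium', 'low'];
const BACKLOG_SEVERITIES = ['high', 'medium'];

// Turn one raw WebSocket frame into a release decision.
// Returns null for events that are not gate inputs; otherwise fails closed:
// any malformed frame or payload produces blocked: true.
function gateFromMessage(raw) {
  const deny = (reason) => ({ blocked: true, reason, blocking: [], backlog: [] });
  let msg;
  try {
    msg = JSON.parse(raw);
  } catch {
    return deny('frame is not valid JSON');
  }
  if (msg === null || typeof msg !== 'object') return deny('frame is not an object');
  if (msg.type !== 'intelligence-complete') return null; // e.g. 'kanban-seeded'
  const intel = msg.intelligence;
  if (!intel || !RISK_LEVELS.includes(intel.riskLevel) ||
      !Array.isArray(intel.mandatoryChecks)) {
    return deny('intelligence payload is malformed');
  }
  const blocking = [];
  const backlog = [];
  for (const check of intel.mandatoryChecks) {
    // Only an explicit high/medium severity goes to the backlog; critical,
    // missing or unrecognised severities are all treated as release-blocking.
    const deferrable = check && BACKLOG_SEVERITIES.includes(check.severity);
    (deferrable ? backlog : blocking).push(check);
  }
  const blocked = blocking.length > 0;
  return { blocked, reason: blocked ? 'critical checks outstanding' : 'none', blocking, backlog };
}

// Constructed sample frame; the severities are made up for the illustration.
const sampleFrame = JSON.stringify({
  type: 'intelligence-complete',
  intelligence: {
    domain: 'fintech',
    riskLevel: 'critical',
    regulatoryContext: ['PCI-DSS', 'GDPR'],
    mandatoryChecks: [
      { severity: 'critical', description: 'Cardholder data never logged or stored in clear' },
      { severity: 'high', description: 'Checkout < 2s under 50 concurrent users' },
      { description: 'GDPR: data minimisation on payment records' }, // no severity
    ],
  },
});
console.log(gateFromMessage(sampleFrame));
```

In the handler above, pass `event.data` to `gateFromMessage` and treat a `blocked: true` result as a stop signal for the release pipeline.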