I use long prompts when the job is not creative guessing but release discipline. A Chrome Web Store submission is one of those jobs. The point is not to get an encouraging summary from an assistant. The point is to force a strict pre-submission review that separates proven facts from optimistic assumptions.
This is the submission-readiness prompt I use for A11Y Cat before private beta or public Chrome Web Store release. It is intentionally demanding because browser extensions sit inside real user pages, request permissions, process page content, and can easily overclaim what automated accessibility testing proves.
More info: A11Y Cat extension documentation.
Why this prompt exists
Most release reviews fail because they accept a narrow signal as proof of readiness. A build passed, so the package must be ready. A unit test passed, so the scanner must be trustworthy. A ZIP exists, so it must be clean. A README says privacy-first, so the implementation must match it.
That is not good enough for a Chrome extension. The final gate has to test the actual MV3 extension path, inspect the generated package, check permissions, verify the scanner output model, review documentation, confirm privacy claims, and identify whether public production claims are supported by evidence.
The review standard
The prompt below tells the reviewer to behave like a principal engineer, accessibility specialist, QA lead, security reviewer, privacy reviewer, UX reviewer, documentation reviewer, build engineer, and enterprise product reviewer at the same time. That is deliberate. A release decision crosses all of those areas.
- No Playwright extension-path verification means not ready.
- No final package audit means not ready.
- No scanner trust means not ready.
- A dirty working tree means not ready.
- An unproven release gate means not ready.
The language is strict because soft review language produces soft release decisions. If something is partial, the report must say partial. If something was not run, the report must say not run. If manual assistive technology evidence is pending, the public-readiness claim must be blocked.
The prompt
Copy and paste this prompt when you need a strict final release gate. It is formatted as an operational prompt, not a loose checklist, so the reviewer has to return evidence, command results, risk tables, and clear readiness verdicts.
# A11Y Cat Final Chrome Web Store Submission Readiness Review
## Role
You are performing the final Google Chrome Web Store submission readiness review for A11Y Cat.
Act as:
- principal front-end engineer
- Chrome extension release reviewer
- accessibility specialist
- QA lead
- security reviewer
- privacy reviewer
- UX/UI reviewer
- documentation reviewer
- build/release engineer
- enterprise product reviewer
This is the final full test gate before any Chrome Web Store private beta or public submission.
## Objective
Determine whether the A11Y Cat extension, final Chrome Store package, scanner behaviour, UI, documentation, privacy posture, code quality, project hygiene, output quality, and release process are ready for Google Chrome Web Store submission.
Answer these final questions clearly:
1. Can this be submitted to Chrome Web Store private beta today?
2. Can this be submitted publicly today?
3. Can this be used for an enterprise/company pilot today?
4. Can this make production-readiness claims today?
5. What exactly blocks submission, if anything?
## Non-Negotiable Rules
Do not assume the project is ready because previous gates passed.
Do not trust previous summaries without re-verifying.
Do not only inspect source.
Do not only run automated tests.
Do not only check the final ZIP.
Do not only check documentation.
Do not skip Playwright.
Do not request elevated execution repeatedly instead of fixing the test setup.
Do not claim a feature works unless it was tested in the MV3 extension path or explicitly marked as not proven.
Do not merge Node tests, package checks, and browser tests into one vague "tests passed" statement.
Do not submit or recommend submission unless the final Chrome Store package is tested and clean.
Do not make changes unless explicitly asked after this review.
Hard rule:
- No Playwright extension-path verification means NOT READY.
- No final package audit means NOT READY.
- No scanner trust means NOT READY.
- Dirty working tree means NOT READY.
- Unproven release gate means NOT READY.
## Required Review Scope
Review the entire project, not just one feature.
Inspect at minimum:
- manifest.json
- extension/
- extension/background/
- extension/content/
- extension/icons/
- extension/PERMISSIONS.md
- src/runtime/modules/
- shared/
- vendor/
- generated dist-extension/
- generated dist-extension-test/
- final store-submission ZIP
- scanner pipeline
- feature modules
- documentation
- build and release scripts
- release artefacts
- tests
- Git state
## Clean Release State
Start from a clean repository state.
Run:
```bash
git status --short
git branch --show-current
git rev-parse HEAD
git rev-parse origin/main
```
Required output:
| Check | Result | Notes |
| --- | --- | --- |
| Branch | | |
| HEAD commit | | |
| origin/main commit | | |
| Working tree clean | PASS / FAIL | |
If the tree is dirty:
1. List every changed file.
2. Classify each change as source, test, docs, generated artefact, package metadata, or accidental rubbish.
3. Do not package until changes are committed, reverted, or explicitly excluded.
4. Do not use --allow-dirty for final release proof.
## Environment Proof
Run:
```bash
node --version
npm --version
npx playwright --version
google-chrome --version || true
chromium --version || true
uname -a
```
Also report:
- OS
- shell
- Node path
- npm path
- browser used for Playwright
- headed or headless
- temporary profile usage
- whether tests use final package or test package
- whether any command required elevated execution
- whether Playwright used a local server and which host/port
Required output:
| Tool | Version/path | Result |
| --- | --- | --- |
| Node | | |
| npm | | |
| Playwright | | |
| Chrome/Chromium | | |
| OS | | |
## Playwright Infrastructure Gate
Playwright browser tests are mandatory.
Run:
```bash
npm run check:playwright-env
```
If no preflight exists, manually verify:
- local test server binds to 127.0.0.1, not 0.0.0.0
- no hard-coded port collision
- no full headed suite
- no personal Chrome profile
- temporary user data directory
- headless by default
- one worker for headed debug only
- no repeated elevated execution
- no multiple workers binding to the same port
- webServer/reuseExistingServer config is safe
- tests can run in normal sandbox without elevated execution
Required output:
| Playwright infra check | Result | Evidence |
| --- | --- | --- |
| Runs without elevation | PASS / FAIL | |
| Uses temp profile | PASS / FAIL | |
| Headless default | PASS / FAIL | |
| Port binding stable | PASS / FAIL | |
| Extension path testable | PASS / FAIL | |
If Playwright cannot run, stop and mark browser user-path verification NOT PROVEN.
## Static Gates
Run each command separately and report each result:
```bash
npm ci
npm run check:syntax
npm run lint
npm run check:generated-core
npm run check:repo-discipline
npm run check:docs
npm run build
npm run build:extension
npm run check:package
npm run check:dist
```
Required output:
| Command | Exit code | Result | Blocking? | Notes |
| --- | --- | --- | --- | --- |
If a command does not exist, report it as unavailable. If an equivalent exists, run the equivalent and explain.
## Release Gate
Run:
```bash
npm run verify:release
```
This must pass from a clean tree.
Required output:
| Release gate | Exit code | Result | Notes |
| --- | --- | --- | --- |
| npm run verify:release | | PASS / FAIL | |
If it fails, report the exact failing sub-command and exact error. Do not claim readiness.
## Final Chrome Store Package Audit
Run:
```bash
npm run package:store-submission
npm run check:store-submission
```
Record:
- package filename
- package path
- package size
- SHA-256
- build time
- commit SHA
Extract the ZIP to a temporary folder.
Required files must be present:
- manifest.json
- background/service-worker.js
- required background helpers
- content scripts
- scanner bundle
- vendor/axe.min.js
- required spelling/dictionary assets if spelling is active
- icons 16/32/48/128
- PERMISSIONS.md if intentionally shipped
Forbidden files must be absent:
- node_modules
- tests
- Playwright files
- test fixtures
- tmp
- test-results
- docs site files unless intentionally part of extension package
- private prompts
- current-prompt.md
- current-review.md
- internal reviews
- assistant-backend
- local assistant code
- localhost bridge
- Playwright bridge
- old bookmarklet files
- old release zips
- .env
- secrets
- API keys
- .git
- .github
- __MACOSX
- .DS_Store
Search extracted ZIP for:
- bookmarklet
- assistant-backend
- /api/assistant
- localhost
- 127.0.0.1
- Playwright bridge
- a11y_cat_pw_
- X-A11Y-Cat-Token
- A11Y_CAT_ASSISTANT_ALLOWED_ORIGINS
- OPENAI
- ANTHROPIC
- GEMINI
- API_KEY
- SECRET
- TOKEN
- PASSWORD
- TODO
- FIXME
- Screenshot pending
- Not available in this release
- eval
- new Function
- import(
- cdn
- unpkg
- jsdelivr
- googletagmanager
- google-analytics
- Sentry
- PostHog
- Mixpanel
Required output for matches:
| Match | File | Context | Safe / Needs review / Blocker | Reason |
| --- | --- | --- | --- | --- |
Required verdict:
Final package clean: PASS / FAIL
## Manifest And Permissions
Inspect manifest.json from the extracted final ZIP, not only source.
Report:
- manifest_version
- name
- version
- description
- permissions
- optional_permissions
- host_permissions
- action config
- background service worker
- content scripts
- web_accessible_resources
- externally_connectable
- content_security_policy
- icons
- commands
Required verdicts:
- Manifest: PASS / FAIL
- Permissions: PASS / FAIL / PARTIAL
Permission matrix:
| Permission | Feature requiring it | Why needed | Can remove? | Can optional? | User explanation | Verdict |
| --- | --- | --- | --- | --- | --- | --- |
## Security And Privacy
Search source and final package for risky patterns:
- eval
- new Function
- innerHTML
- insertAdjacentHTML
- document.write
- chrome.scripting.executeScript
- runtime.onMessage
- tabs.sendMessage
- postMessage
- fetch(
- XMLHttpRequest
- WebSocket
- localStorage
- sessionStorage
- chrome.storage
- indexedDB
- API_KEY
- TOKEN
- SECRET
- PASSWORD
- localhost
- assistant
- backend
- telemetry
- analytics
- Sentry
- PostHog
- Mixpanel
- Google Analytics
- OpenAI
- Anthropic
- Gemini
For each risky match:
| File | Pattern | Context | Release package? | Safe / Review / Blocker | Reason |
| --- | --- | --- | --- | --- | --- |
Verify:
- no developer database
- no developer server
- no analytics/telemetry
- no hosted AI API
- no hidden upload
- no remote code
- no secrets
- no page text transmission
- same-origin broken-link request behaviour documented
- local storage documented
- clear local data works
- exports are local
- exported snippets/URLs are disclosed
- sensitive debug logging not present in production
Required verdicts:
- Security: PASS / FAIL / PARTIAL
- Privacy/local-only: PASS / FAIL / PARTIAL
- No-cost posture: PASS / FAIL / PARTIAL
## Mandatory MV3 Extension Tests
Run real MV3 extension-path Playwright tests.
Use these commands if available:
```bash
npm run test:extension
npm run test:extension:smoke
npm run test:scanner
npm run test:real-axe
npm run test:detection-quality
npm run test:representative-pages
npm run test:stateful-interaction
npm run test:hostile-css
npm run test:ui:contrast
npm run test:spelling
npm run test:metadata
npm run test:links
```
For every Playwright command:
| Command | Exit code | Result | Tests run | Failures | Notes |
| --- | --- | --- | --- | --- | --- |
If any Playwright extension-path test fails or is blocked:
Private beta readiness: NOT READY
## Manual Packaged-Extension Smoke Test
Load the final package or release-equivalent build as a Chrome extension.
Test:
1. simple static page
2. page with known axe violations
3. valid accessible controls
4. forms
5. images
6. headings
7. language mismatch fixture
8. spelling fixture
9. metadata fixture
10. broken links fixture
11. contrast fixture
12. hostile CSS page
13. restricted page such as chrome:// or Chrome Web Store page
14. file:// disabled
15. file:// enabled if supported
For each page:
| Page/scenario | Expected | Actual | Pass/fail | Notes |
| --- | --- | --- | --- | --- |
## Feature-By-Feature Functional Test
Test every visible extension feature.
Required feature table:
| Feature | Visible? | Expected behaviour | Actual behaviour | Tested via Playwright? | Tested manually? | Final package? | Pass/fail | Blocker? |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
Include toolbar launch, panel open/close/resize/move, theme toggle, main scan, results, filters, review buttons, compare previous scan, highlight element, copy selector, turn into ticket, workflow status, CSV export, JSON export, issue-state import/export, local data clear, history, broken links, metadata, language mismatch, spelling, contrast, page text scale/reflow, alt text, heading structure, manual checks, screen reader review, automated review, diagnostics, and visible experimental features.
If a visible feature fails:
- fix before submission
- or hide it from beta
- or mark private beta NOT READY
## Scanner Trust
Test axe integration, false positives, false negatives, exclusions, classification, suppression logging, WCAG mapping, severity mapping, result shaping, exports, local history, diagnostics, manual review generation, and previous scan comparison.
Required verdict:
Scanner trust: PASS / FAIL / PARTIAL
## Contrast
Verify axe contrast, passing contrast, hidden content, disabled/inactive content, gradient/image/video/canvas ambiguity, BugHerd exclusion, A11Y Cat UI exclusion, source separation, export classification, and no custom ambiguous findings in confirmed WCAG failures.
Required verdict:
Contrast feature: READY / NOT READY / PARTIAL
## Language And Spelling
Verify separate Language Mismatch and Spelling Check tabs, keyboard accessibility, result separation, concise summaries, collapsed technical details, expected/actual comparison, MV3 spelling path, real misspelling detection, brand/technical term allow-list, unsupported language handling, unknown language handling, JSON separation, and no stale nspell/coursers-style false positives.
Required verdict:
Language/spelling feature: READY / NOT READY / PARTIAL
## Export Quality
Test CSV issue export, JSON evidence export, issue-state export/import, support diagnostics, screen reader review export, filenames, structures, provenance, classification, selector traceability, contrast source separation, language/spelling separation, and sensitive snippet/URL disclosure.
Required verdict:
Export quality: PASS / FAIL / PARTIAL
## UI, UX, And Accessibility
Review visual hierarchy, layout, spacing, typography, button visibility, icons, focus states, keyboard operation, themes, resize/move, full-width/full-height panels, section order, loading/running states, error states, empty states, result grouping, tables, exports, screen reader review layout, manual checks, diagnostics, previous scan explanation, local data clear, zoom 200%, narrow viewport, dark mode, light mode, focus order, labels, tab controls, status messages, contrast, and reduced motion.
Required verdicts:
- Extension UI quality: PASS / FAIL / PARTIAL
- Keyboard usability: PASS / FAIL / PARTIAL
- Extension accessibility: PASS / FAIL / PARTIAL
## Documentation
Review README, docs site, privacy/local data pages, known limitations, installation, beta testing, changelog/release status, accessibility statement, troubleshooting/FAQ, screenshots/videos, PERMISSIONS.md, and Chrome Store listing docs.
Reject:
- Screenshot pending
- Not available in this release
- TODO/FIXME/TBD placeholders
- internal process notes
- old bookmarklet primary messaging
- unsupported production/WCAG/AT claims
- raw markdown as primary public docs
- broken links
- analytics or external scripts
- temporary video artefacts
Required verdicts:
- Docs: PASS / FAIL / PARTIAL
- README: PASS / FAIL / PARTIAL
- Public docs site: PASS / FAIL / PARTIAL
## Code Quality And Project Hygiene
Assess module boundaries, extension-first architecture, legacy bookmarklet paths, assistant/backend remnants, shared runtime complexity, dead code, duplicated helpers, globals, message schema validation, error handling, constants, feature flags, build-time stripping, generated core consistency, docs site quality, CSS quality, testability, unused dependencies, old files, stale artefacts, temp files, duplicate screenshots, old release zips, debug logs, placeholder files, raw captures, old icons, unused docs aliases, unused CSS, and unused JS.
Return:
| Area | Issue | Severity | Evidence | Required fix |
| --- | --- | --- | --- | --- |
Required verdicts:
- Code quality: PASS / FAIL / PARTIAL
- Project hygiene: PASS / FAIL / PARTIAL
- Maintainability: PASS / FAIL / PARTIAL
## Test Quality
Identify tests that only prove wiring, use bookmarklet/shared paths instead of extension paths, use dev/test bridges, skip final package testing, miss output assertions, allow false positives, allow false negatives, require headed mode, use personal profiles, are not CI-safe, or are skipped due to Playwright port binding.
Required verdicts:
- Test suite reliability: PASS / FAIL / PARTIAL
- Release gate meaningful: PASS / FAIL / PARTIAL
## Chrome Web Store Readiness
Check final ZIP cleanliness, MV3 compliance, permissions, remote hosted code, forbidden files, privacy policy, store listing copy, screenshots/icons, promotional images if required, version/build consistency, single purpose, data disclosures, misleading claims, AI/backend claims, unsupported features, support URL, website/docs URL, beta distribution plan, known limitations, manual AT status, no full WCAG compliance claim, no replacement-for-manual-testing claim, and no real screen-reader-validation claim without evidence.
Required verdicts:
- Chrome Store private beta readiness: READY / NOT READY
- Chrome Store public listing readiness: READY / NOT READY
## Manual AT Evidence
Assess VoiceOver, NVDA, JAWS, keyboard-only, zoom 200%, reflow/narrow viewport, reduced motion, high contrast/forced colours, screen reader announcement behaviour, and focus management.
Required output:
| Environment | Required | Evidence | Current status | Blocks private beta? | Blocks public release? |
| --- | --- | --- | --- | --- | --- |
Expected:
Manual VoiceOver/NVDA/JAWS may remain pending for private beta if disclosed. They block public production/broad rollout.
## Cost Audit
Check backend, cloud storage, AI APIs, OCR APIs, email services, analytics, telemetry, monitoring paid services, hosted databases, external processing, paid spellcheck APIs, paid link-check APIs, server queues, and serverless functions.
Required output:
| Service/path | Present? | Runtime? | Cost risk | Evidence |
| --- | --- | --- | --- | --- |
Required verdict:
No-cost developer posture: PASS / FAIL / PARTIAL
## Risk Register
Return:
| Risk ID | Area | Severity | Description | Evidence | Impact | Blocks private beta? | Blocks public release? | Required fix | Owner/file area |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
Severity values:
- Critical
- High
- Medium
- Low
## Final Report Structure
Return one full final pre-submission review titled:
# A11Y Cat Final Pre-Submission Review
Use this structure:
1. Executive verdict
2. Evidence summary
3. Environment
4. Release/package verdict
5. Manifest/permissions verdict
6. Security verdict
7. Privacy/data verdict
8. Scanner trust verdict
9. Contrast verdict
10. Language/spelling verdict
11. Feature-by-feature verdict
12. Output quality verdict
13. Extension UI/UX verdict
14. Documentation verdict
15. README verdict
16. Code quality/project hygiene verdict
17. Test quality verdict
18. Chrome Store readiness verdict
19. Manual AT evidence verdict
20. Cost verdict
21. Risk register
22. Must fix before private beta submission today
23. Must fix before public listing
24. Must fix before production claims
25. Recommended next implementation tasks
26. Final verdict table
Use this final verdict table exactly:
Clean working tree: PASS / FAIL
npm ci: PASS / FAIL
Static checks: PASS / FAIL / PARTIAL
Release gate verify:release: PASS / FAIL
Playwright extension-path tests: PASS / FAIL / NOT RUN
Final package clean: PASS / FAIL
Manifest MV3 compliant: PASS / FAIL
Permissions minimal and justified: PASS / FAIL / PARTIAL
Security posture: PASS / FAIL / PARTIAL
Privacy/local-only posture: PASS / FAIL / PARTIAL
No-cost posture: PASS / FAIL / PARTIAL
Scanner trust: PASS / FAIL / PARTIAL
Axe integration: PASS / FAIL / PARTIAL
False-positive risk acceptable: PASS / FAIL / PARTIAL
False-negative risk acceptable: PASS / FAIL / PARTIAL
Contrast feature: PASS / FAIL / PARTIAL
Language/spelling feature: PASS / FAIL / PARTIAL
Feature functionality: PASS / FAIL / PARTIAL
Output quality: PASS / FAIL / PARTIAL
Extension UI quality: PASS / FAIL / PARTIAL
Extension accessibility: PASS / FAIL / PARTIAL
Documentation completeness: PASS / FAIL / PARTIAL
Documentation enterprise polish: PASS / FAIL / PARTIAL
README quality: PASS / FAIL / PARTIAL
Docs site quality: PASS / FAIL / PARTIAL
Code quality: PASS / FAIL / PARTIAL
Project hygiene: PASS / FAIL / PARTIAL
Test quality: PASS / FAIL / PARTIAL
Manual AT evidence: PASS / FAIL / PENDING ACCEPTABLE FOR PRIVATE BETA
Chrome Store private beta readiness: READY / NOT READY
Chrome Store public readiness: READY / NOT READY
Enterprise pilot readiness: READY / NOT READY
Production readiness: READY / NOT READY
## Strict Conclusion Rules
Do not soften the final verdict.
If scanner trust is partial, say partial.
If release gate is not proven, say fail.
If Playwright did not run, say NOT RUN and mark private beta NOT READY.
If final package was not inspected, say NOT READY.
If documentation is still draft-like, say NOT READY.
If UI is not polished, say so.
If code has old rubbish, say so.
If tests give false confidence, say so.
If manual AT is pending, say public production is blocked.
If privacy docs do not match implementation, say NOT READY.
If Chrome Store package contains forbidden files, say NOT READY.
If beta can proceed with caveats, state exactly which caveats.
Do not say "ready" unless the evidence supports it.
This review decides whether the extension should be submitted to Google Chrome Web Store today.
Be strict.
Be factual.
Be complete.What I want this to catch
The most important thing this prompt catches is false confidence. It prevents a reviewer from saying “ready” because source code looked clean while the final Chrome Store ZIP still contains development artefacts. It prevents scanner claims from being accepted without fixture evidence. It prevents automated accessibility checks from being described as a full accessibility verdict.
It also makes the release decision explicit. Private beta, public listing, enterprise pilot, and production-readiness claims are not the same decision. A build can be good enough for a private beta while still being blocked from public production claims because manual AT evidence is incomplete or documentation is not polished enough.
The useful pattern
The pattern is reusable: define the role, define the evidence, define the commands, define what blocks release, and force the final answer into a verdict table. That makes the review harder to dodge and easier to act on.
For A11Y Cat, the point is simple. If the extension is going to ask users to trust its accessibility findings, the release process has to be at least as strict as the product.
