Definition of Done Checklist for AI-Built Apps

The complete Definition of Done checklist for AI-generated code. Quality gates from feature complete to production deploy. Prevent bugs, security holes, and tech debt.

Context Ark Team

TL;DR: AI-generated code needs validation before shipping. This Definition of Done checklist ensures features are complete, tested, secure, and documented before they hit production.

Table of Contents

  1. Why You Need a DoD
  2. The Checklist
  3. Tier 1: Feature Complete
  4. Tier 2: Code Quality
  5. Tier 3: Testing
  6. Tier 4: Security
  7. Tier 5: Documentation
  8. Tier 6: Deployment
  9. DoD by Project Size
  10. Download

Why You Need a DoD for AI Code

AI coding tools produce code fast—but fast doesn't mean done. Common issues with AI output:

| Issue | Impact |
| --- | --- |
| Looks complete, isn't | Missing edge cases |
| No tests | Regressions on change |
| Wrong patterns | Tech debt |
| Security gaps | Vulnerabilities |
| No docs | Knowledge loss |

The DoD Fix

A Definition of Done is a quality gate. The feature isn't done until every checkbox is checked.


The Checklist

## Definition of Done — [Feature Name]

## Tier 1: Feature Complete

- [ ] Implements all acceptance criteria from PRD
- [ ] Matches API spec (if applicable)
- [ ] Uses correct database schema
- [ ] No hallucinated endpoints/columns/imports
- [ ] No scope creep (features not in PRD)

## Tier 2: Code Quality

- [ ] Follows project patterns (per architecture doc)
- [ ] No TypeScript errors
- [ ] No ESLint warnings
- [ ] No hardcoded secrets/credentials
- [ ] Proper error handling
- [ ] Loading states for async operations

## Tier 3: Testing

- [ ] Unit tests for business logic
- [ ] Integration tests for API endpoints
- [ ] E2E test for critical paths
- [ ] Tests passing locally
- [ ] Tests passing in CI

## Tier 4: Security

- [ ] Auth required for protected routes
- [ ] Input validation server-side
- [ ] No SQL injection vectors
- [ ] No XSS vectors
- [ ] No secrets or sensitive data in logs

## Tier 5: Documentation

- [ ] PRD marked complete
- [ ] API docs updated (if new endpoints)
- [ ] Schema docs updated (if migrations)
- [ ] README updated (if setup changed)
- [ ] Changelog entry added

## Tier 6: Deployment

- [ ] Migrations applied to staging
- [ ] Verified on staging/preview
- [ ] No console errors in browser
- [ ] Performance acceptable (<200ms API, <2s LCP)
- [ ] Rollback plan documented

## Sign-off

- [ ] Self-reviewed against checklist
- [ ] Peer reviewed (if team)
- [ ] PM/stakeholder approved (if user-facing)

Tier 1: Feature Complete

What It Means

The feature does what the PRD says. Every acceptance criterion is met.

Validation Steps

  1. Open the PRD for this feature
  2. Check each acceptance criterion
  3. Verify with Given/When/Then testing
  4. Confirm no extra features were added

Common AI Failures

  • Missing edge cases from acceptance criteria
  • Added "bonus" features not in scope
  • Hallucinated endpoints (not in API spec)

Example

US-001: As a user, I can create a project

Acceptance Criteria:

- [x] Given logged in, when I click "New Project", then modal opens
- [x] Given modal open, when I enter name and submit, then project created
- [x] Given empty name, when I submit, then show validation error
- [ ] Given name > 100 chars, when I submit, then show validation error ← MISSED

→ Not done until all four are checked.


Tier 2: Code Quality

What It Means

The code follows your project's standards and patterns.

Validation Steps

```bash
# TypeScript
npm run typecheck

# ESLint
npm run lint

# Prettier (if using)
npm run format:check
```

Pattern Checks

  • Uses the ORM defined in tech stack (not raw SQL if you use Prisma)
  • Uses the auth pattern defined in architecture
  • Uses the error handling pattern defined in guidelines
  • Uses the component patterns from component inventory

Common AI Failures

  • Mixed patterns (REST + GraphQL)
  • Wrong ORM syntax
  • Inline styles when design system exists
  • Hardcoded values that should be env vars

Tier 3: Testing

What It Means

The feature is tested at appropriate levels.

Testing Pyramid for AI Code

              /\
             /  \
            / E2E \           ← Critical paths only
           /______\
          /        \
         /   INT    \         ← API endpoints
        /____________\
       /              \
      /     UNIT       \      ← Business logic
     /__________________\

Minimum Tests

| Feature Type | Minimum Tests |
| --- | --- |
| Business logic | 3+ unit tests |
| API endpoint | 1 happy path + 1 error |
| Critical path | 1 E2E test |

AI Test Validation

AI writes tests, but verify:

  • Tests actually fail when code breaks
  • Tests check correct behavior
  • Tests don't mock everything (integration value)
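
One way to check that tests actually fail when code breaks is to run the suite against deliberately broken variants of the code and list the ones it does not catch. This is an added example, not code from the original article; the validator, the mutants and both suites are constructed for illustration, and it assumes the 100-character limit from US-001 is inclusive.

```typescript
type Validator = (name: string) => boolean;

// Code under test: the US-001 rule (non-empty, at most 100 characters; assumed inclusive).
const validateProjectName: Validator = (name) =>
  name.trim().length >= 1 && name.length <= 100;

// Deliberately broken variants that a real regression could produce.
const mutants: { label: string; impl: Validator }[] = [
  { label: "accepts empty name", impl: (name) => name.length <= 100 },
  { label: "no upper bound", impl: (name) => name.trim().length >= 1 },
  { label: "off-by-one limit", impl: (name) => name.trim().length >= 1 && name.length < 100 },
];

// Builds a string of n copies of ch.
function repeat(ch: string, n: number): string {
  return new Array(n + 1).join(ch);
}

// Weak suite typical of generated tests: happy path only.
function weakSuite(v: Validator): boolean {
  return v("My project") === true;
}

// Suite that pins down every boundary named in the acceptance criteria.
function strictSuite(v: Validator): boolean {
  return v("My project") === true
    && v("") === false
    && v(repeat("a", 100)) === true
    && v(repeat("a", 101)) === false;
}

// Labels of the mutants a suite fails to detect (the suite still passes on them).
function survivingMutants(suite: (v: Validator) => boolean): string[] {
  return mutants.filter((m) => suite(m.impl)).map((m) => m.label);
}
```

A suite that leaves surviving mutants passes whether or not the rule is implemented, so it does not count toward the Tier 3 checkboxes.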

Tier 4: Security

What It Means

The feature doesn't introduce vulnerabilities.

Security Checklist

## Authentication

- [ ] Route is protected (if it should be)
- [ ] User can only access own data (RLS/checks)
- [ ] Admin routes check admin role

## Input Validation

- [ ] All inputs validated server-side
- [ ] File uploads restricted (type, size)
- [ ] SQL queries parameterized

## Output

- [ ] No sensitive data in responses
- [ ] Errors don't leak stack traces
- [ ] Logs don't contain secrets

## Common AI Failures

- [ ] Forgot to add auth check to new endpoint
- [ ] Client-side only validation
- [ ] Exposing user IDs in URLs without ownership check
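
The three common failures above map to three checks that belong at the top of every handler. This is an added example, not code from the original article; the `renameProject` handler, the `Session` shape and the in-memory `projects` array are hypothetical and framework-free so the checks can be tested directly.

```typescript
interface Session { userId: string }
interface Project { id: string; ownerId: string; name: string }
interface HttpResult { status: number; body: { error?: string; project?: Project } }

// Constructed sample data standing in for the database.
const projects: Project[] = [
  { id: "p1", ownerId: "u1", name: "Alpha" },
  { id: "p2", ownerId: "u2", name: "Beta" },
];

// Server-side validation: the client-side form check is a convenience, not a control.
function validateName(input: unknown): string | null {
  if (typeof input !== "string") return null;
  const name = input.trim();
  return name.length >= 1 && name.length <= 100 ? name : null;
}

// Hypothetical handler body for renaming a project whose ID arrives in the URL.
function renameProject(session: Session | null, projectId: string, rawName: unknown): HttpResult {
  // 1. Auth check: the step most often missing from a newly added endpoint.
  if (session === null) {
    return { status: 401, body: { error: "Authentication required" } };
  }

  // 2. Input validation, repeated on the server even if the UI already checks it.
  const name = validateName(rawName);
  if (name === null) {
    return { status: 400, body: { error: "Name must be 1-100 characters" } };
  }

  // 3. Ownership check: an ID in the URL says nothing about who is asking.
  const matches = projects.filter((p) => p.id === projectId);
  const project = matches.length > 0 ? matches[0] : null;
  if (project === null || project.ownerId !== session.userId) {
    // Same response for "missing" and "not yours", so the endpoint does not confirm which IDs exist.
    return { status: 404, body: { error: "Project not found" } };
  }

  project.name = name;
  return { status: 200, body: { project: project } };
}
```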

Tier 5: Documentation

What It Means

Docs are updated so the next person (or AI) knows what exists.

Doc Updates

| Change | Doc Update |
| --- | --- |
| New endpoint | api-spec.yaml |
| New table/column | schema.md |
| New component | component inventory |
| New pattern | architecture.md |
| Feature shipped | PRD (mark complete) |

Why This Matters for AI

If docs aren't updated, the next AI prompt will hallucinate because it references outdated specs.


Tier 6: Deployment

What It Means

The feature works in a production-like environment.

Staging Validation

  • Deployed to staging/preview
  • Migrations ran successfully
  • Feature works end-to-end
  • No console errors
  • Performance acceptable

Rollback Plan

Always document:

  • How to rollback (which migration, which deploy)
  • What breaks if we rollback
  • Who to contact

DoD by Project Size

Solo / Prototype

Use Tiers 1, 2, 3 (core only):

- [ ] Implements acceptance criteria
- [ ] No TypeScript errors
- [ ] Basic happy-path test

Small Team

Use Tiers 1-5:

- [ ] Feature complete per PRD
- [ ] Code quality (lint, types)
- [ ] Unit + integration tests
- [ ] Security basics
- [ ] Docs updated

Production App

Use All Tiers:

- [ ] Full feature validation
- [ ] Full code quality checks
- [ ] Full test coverage
- [ ] Security review
- [ ] Complete documentation
- [ ] Staging verification + rollback plan

Download

Markdown Template

Copy the full checklist into your project at /docs/dod-template.md.


Last updated: January 2026
