@agile-vibe-coding/avc 0.1.1 → 0.3.1

package/cli/checks/story/security.json

@@ -0,0 +1,198 @@
+{
+  "perspective": "security",
+  "scope": "story",
+  "checks": [
+    {
+      "id": "sec-story-01",
+      "tier": 1,
+      "perspective": "security",
+      "severity": "major",
+      "category": "authentication-session-security",
+      "universal": false,
+      "applicabilityQuestion": "Does this story involve authentication or session management? (Does it handle login, cookies, tokens, or sessions?)",
+      "question": "Do cookies use httpOnly, SameSite=Strict (or Lax with documented reason), and Secure?",
+      "failDescription": "Cookie security attributes are not specified or incomplete",
+      "failSuggestion": "Specify cookie attributes: httpOnly (prevents JS access), SameSite=Strict, Secure (HTTPS only)"
+    },
+    {
+      "id": "sec-story-02",
+      "tier": 1,
+      "perspective": "security",
+      "severity": "major",
+      "category": "authentication-session-security",
+      "universal": false,
+      "applicabilityQuestion": "Does this story have state-mutating cookie-authenticated endpoints?",
+      "question": "Is CSRF protection stated for any state-mutating cookie-authenticated endpoint?",
+      "failDescription": "CSRF protection is not stated for state-mutating endpoints",
+      "failSuggestion": "State CSRF protection strategy: SameSite cookies alone are insufficient for all browsers — add CSRF token or double-submit"
+    },
+    {
+      "id": "sec-story-03",
+      "tier": 1,
+      "perspective": "security",
+      "severity": "major",
+      "category": "authentication-session-security",
+      "universal": false,
+      "applicabilityQuestion": "Does this story involve sessions or tokens that can be invalidated?",
+      "question": "Is the token/session revocation condition stated (what invalidates a session)?",
+      "failDescription": "Session revocation condition is not stated — unclear what invalidates a session",
+      "failSuggestion": "State revocation conditions: deactivation, explicit logout, token rotation, or administrative revocation"
+    },
+    {
+      "id": "sec-story-04",
+      "tier": 1,
+      "perspective": "security",
+      "severity": "major",
+      "category": "authentication-session-security",
+      "universal": false,
+      "applicabilityQuestion": "Does this story involve public (unauthenticated) login or credential endpoints?",
+      "question": "Is brute-force/rate-limit protection specified for public login/credential endpoints?",
+      "failDescription": "Brute-force protection is not specified for public login endpoints",
+      "failSuggestion": "Specify rate limiting for public auth endpoints: e.g. '5 attempts per minute per IP, lockout after 10 failures'"
+    },
+    {
+      "id": "sec-story-05",
+      "tier": 1,
+      "perspective": "security",
+      "severity": "critical",
+      "category": "authorization-access-control",
+      "universal": false,
+      "applicabilityQuestion": "Does this story involve accessing user-owned resources? (Can user A potentially access user B's data?)",
+      "question": "Is IDOR/BOLA risk addressed — does the story define per-record ownership checks?",
+      "failDescription": "IDOR/BOLA risk is not addressed — no per-record ownership check defined",
+      "failSuggestion": "Define per-record ownership check: verify requesting user owns the resource, return 404 if not owner"
+    },
+    {
+      "id": "sec-story-06",
+      "tier": 1,
+      "perspective": "security",
+      "severity": "major",
+      "category": "authorization-access-control",
+      "universal": false,
+      "applicabilityQuestion": "Does this story involve role-based operations? (Does it have different behavior for different roles?)",
+      "question": "Is horizontal privilege escalation prevented — can staff elevate to admin via parameter tampering?",
+      "failDescription": "Horizontal privilege escalation prevention is not addressed",
+      "failSuggestion": "Prevent privilege escalation: validate role from JWT claims server-side, reject role changes via request parameters"
+    },
+    {
+      "id": "sec-story-07",
+      "tier": 1,
+      "perspective": "security",
+      "severity": "major",
+      "category": "authorization-access-control",
+      "universal": false,
+      "applicabilityQuestion": "Does this story involve endpoints that return different responses based on authorization?",
+      "question": "Is the 403 vs 404 decision documented (existence-hiding uses 404, known-forbidden uses 403)?",
+      "failDescription": "403 vs 404 decision is not documented — unclear whether to hide resource existence",
+      "failSuggestion": "Document the 403 vs 404 decision: use 404 to hide existence, use 403 when caller knows resource exists"
+    },
+    {
+      "id": "sec-story-08",
+      "tier": 1,
+      "perspective": "security",
+      "severity": "major",
+      "category": "authorization-access-control",
+      "universal": false,
+      "applicabilityQuestion": "Does this story describe access control using role-based phrases?",
+      "question": "Are all role boundaries stated precisely (no 'permitted users' — exact condition required)?",
+      "failDescription": "Role boundaries use vague phrases — exact role conditions are required",
+      "failSuggestion": "Replace 'permitted users' with exact conditions: e.g. 'users with role === admin'"
+    },
+    {
+      "id": "sec-story-09",
+      "tier": 1,
+      "perspective": "security",
+      "severity": "major",
+      "category": "input-validation-injection",
+      "universal": false,
+      "applicabilityQuestion": "Does this story accept user input? (Does it have form fields, query parameters, or request bodies?)",
+      "question": "Are all user-supplied fields validated server-side with type, format, and length constraints in ACs?",
+      "failDescription": "Server-side input validation constraints are missing from acceptance criteria",
+      "failSuggestion": "Add server-side validation: type (string, number), format (email, E.164), length (min/max) for all user-supplied fields"
+    },
+    {
+      "id": "sec-story-10",
+      "tier": 1,
+      "perspective": "security",
+      "severity": "major",
+      "category": "input-validation-injection",
+      "universal": false,
+      "applicabilityQuestion": "Does this story accept user input that could be used for injection attacks?",
+      "question": "Are injection vectors addressed for the story's data type (SQL injection, path traversal, XSS)?",
+      "failDescription": "Injection vectors are not addressed for the story's data type",
+      "failSuggestion": "Address injection vectors: parameterized queries (SQL injection), path sanitization (traversal), output encoding (XSS)"
+    },
+    {
+      "id": "sec-story-11",
+      "tier": 1,
+      "perspective": "security",
+      "severity": "minor",
+      "category": "input-validation-injection",
+      "universal": false,
+      "applicabilityQuestion": "Does this story accept input that could have multiple formats? (e.g. phone numbers, emails, URLs)",
+      "question": "Are normalization rules explicit (e.g. phone to E.164, email to lowercase)?",
+      "failDescription": "Normalization rules are not explicit — bypass via alternate formats is possible",
+      "failSuggestion": "Define normalization rules: e.g. email -> lowercase, phone -> E.164 format before validation"
+    },
+    {
+      "id": "sec-story-12",
+      "tier": 1,
+      "perspective": "security",
+      "severity": "minor",
+      "category": "data-protection-privacy",
+      "universal": false,
+      "applicabilityQuestion": "Does this story return PII or user data in API responses?",
+      "question": "Are PII fields minimized in responses — only returning what the caller needs?",
+      "failDescription": "PII fields may not be minimized in responses",
+      "failSuggestion": "Minimize PII in responses: only return fields the caller needs, exclude unnecessary personal data"
+    },
+    {
+      "id": "sec-story-13",
+      "tier": 1,
+      "perspective": "security",
+      "severity": "critical",
+      "category": "data-protection-privacy",
+      "universal": false,
+      "applicabilityQuestion": "Does this story handle passwords, tokens, or secret keys?",
+      "question": "Are sensitive fields (passwords, tokens) never returned in responses?",
+      "failDescription": "Sensitive fields may be returned in API responses",
+      "failSuggestion": "Ensure passwords, tokens, and secret keys are never included in API responses"
+    },
+    {
+      "id": "sec-story-14",
+      "tier": 1,
+      "perspective": "security",
+      "severity": "minor",
+      "category": "data-protection-privacy",
+      "universal": false,
+      "applicabilityQuestion": "Does this story involve logging or audit trails?",
+      "question": "Is log redaction addressed — secrets and PII not written to application logs?",
+      "failDescription": "Log redaction is not addressed — secrets or PII may be written to logs",
+      "failSuggestion": "Address log redaction: ensure passwords, tokens, and PII are not written to application logs"
+    },
+    {
+      "id": "sec-story-15",
+      "tier": 1,
+      "perspective": "security",
+      "severity": "minor",
+      "category": "security-testing-completeness",
+      "universal": false,
+      "applicabilityQuestion": "Does this story involve security-sensitive operations?",
+      "question": "Does at least one AC cover an abuse/attack scenario (wrong credentials, forged token, unauthorized access)?",
+      "failDescription": "No AC covers an abuse or attack scenario",
+      "failSuggestion": "Add at least one abuse scenario AC: wrong credentials, forged token, unauthorized resource access, or injection attempt"
+    },
+    {
+      "id": "sec-story-16",
+      "tier": 1,
+      "perspective": "security",
+      "severity": "minor",
+      "category": "security-testing-completeness",
+      "universal": false,
+      "applicabilityQuestion": "Does this story return error responses?",
+      "question": "Do error responses avoid leaking implementation details (no stack traces, no user enumeration)?",
+      "failDescription": "Error responses may leak implementation details",
+      "failSuggestion": "Ensure error responses use generic messages: no stack traces, consistent error format, no user enumeration via 404 vs 401"
+    }
+  ]
+}

package/cli/checks/story/solution-architect.json

@@ -0,0 +1,230 @@
+{
+  "perspective": "solution-architect",
+  "scope": "story",
+  "checks": [
+    {
+      "id": "sa-story-01",
+      "tier": 1,
+      "perspective": "solution-architect",
+      "severity": "critical",
+      "category": "api-contract-completeness",
+      "universal": false,
+      "applicabilityQuestion": "Does this story define or modify API endpoints? (Does it involve HTTP requests, REST endpoints, or API operations?)",
+      "question": "Does every API endpoint in this story have: HTTP method + path + success status code + key response fields?",
+      "failDescription": "API endpoint contract is incomplete — missing HTTP method, path, status code, or response fields",
+      "failSuggestion": "Complete the API contract for every endpoint: HTTP method, path pattern, success status code, and key response field names"
+    },
+    {
+      "id": "sa-story-02",
+      "tier": 1,
+      "perspective": "solution-architect",
+      "severity": "major",
+      "category": "api-contract-completeness",
+      "universal": false,
+      "applicabilityQuestion": "Does this story define or modify API endpoints?",
+      "question": "Does at least one error scenario per endpoint specify a status code and error body shape (e.g. { error: 'CODE' })?",
+      "failDescription": "Error scenarios lack specific status codes and error body shapes",
+      "failSuggestion": "Add at least one error scenario per endpoint with status code and error body shape: e.g. 422 { error: 'VALIDATION_ERROR', field: 'email' }"
+    },
+    {
+      "id": "sa-story-03",
+      "tier": 1,
+      "perspective": "solution-architect",
+      "severity": "critical",
+      "category": "api-contract-completeness",
+      "universal": false,
+      "applicabilityQuestion": "Does this story define access control or authorization rules for endpoints?",
+      "question": "Is the authorization rule precise — exact role(s), what restricted callers receive (403 vs 404), and what unauthenticated callers receive (401)?",
+      "failDescription": "Authorization rule is imprecise — missing exact roles, 403/404 decision, or 401 response for unauthenticated callers",
+      "failSuggestion": "Specify authorization precisely: exact role names, what restricted callers receive (403 or 404), and unauthenticated callers receive 401"
+    },
+    {
+      "id": "sa-story-04",
+      "tier": 1,
+      "perspective": "solution-architect",
+      "severity": "major",
+      "category": "api-contract-completeness",
+      "universal": false,
+      "applicabilityQuestion": "Does this story describe access control using role-based phrases?",
+      "question": "Does the story avoid vague authorization phrases ('permitted users', 'authorized staff', 'users with access') and instead use exact conditions?",
+      "failDescription": "Story uses vague authorization phrases that are unimplementable — exact role names required",
+      "failSuggestion": "Replace vague phrases with exact conditions: instead of 'permitted users', use 'users with role admin or staff'"
+    },
+    {
+      "id": "sa-story-05",
+      "tier": 1,
+      "perspective": "solution-architect",
+      "severity": "major",
+      "category": "auth-session-stories",
+      "universal": false,
+      "applicabilityQuestion": "Does this story involve tokens or sessions? (Does it handle login, session creation, refresh tokens, or cookies?)",
+      "question": "Does the story state cookie attributes (httpOnly, SameSite, Secure, Path)?",
+      "failDescription": "Cookie attributes are not stated for auth/session story",
+      "failSuggestion": "State cookie attributes: httpOnly; SameSite=Strict; Secure; Path=/"
+    },
+    {
+      "id": "sa-story-06",
+      "tier": 1,
+      "perspective": "solution-architect",
+      "severity": "major",
+      "category": "auth-session-stories",
+      "universal": false,
+      "applicabilityQuestion": "Does this story involve tokens or sessions?",
+      "question": "Are token lifetimes explicit (e.g. '15-min JWT access token', '7-day refresh token')?",
+      "failDescription": "Token lifetimes are not explicit",
+      "failSuggestion": "State explicit token lifetimes: e.g. '15-min JWT access token', '7-day refresh token'"
+    },
+    {
+      "id": "sa-story-07",
+      "tier": 1,
+      "perspective": "solution-architect",
+      "severity": "major",
+      "category": "auth-session-stories",
+      "universal": false,
+      "applicabilityQuestion": "Does this story involve JWT tokens?",
+      "question": "Are JWT claims enumerated (e.g. { sub: userId, role: 'admin'|'staff', exp })?",
+      "failDescription": "JWT claims are not enumerated",
+      "failSuggestion": "Enumerate JWT claims: e.g. { sub: userId, role: 'admin'|'staff', iat, exp }"
+    },
+    {
+      "id": "sa-story-08",
+      "tier": 1,
+      "perspective": "solution-architect",
+      "severity": "major",
+      "category": "auth-session-stories",
+      "universal": false,
+      "applicabilityQuestion": "Does this story involve session management or token revocation?",
+      "question": "Is the session revocation condition specified (e.g. tokens issued before user.deactivated_at result in 401)?",
+      "failDescription": "Session revocation condition is not specified",
+      "failSuggestion": "Specify session revocation: e.g. 'tokens issued before user.deactivated_at return 401 SESSION_REVOKED'"
+    },
+    {
+      "id": "sa-story-09",
+      "tier": 1,
+      "perspective": "solution-architect",
+      "severity": "minor",
+      "category": "auth-session-stories",
+      "universal": false,
+      "applicabilityQuestion": "Does this story involve refresh tokens?",
+      "question": "Is concurrent session handling or token rotation behavior specified for refresh stories?",
+      "failDescription": "Concurrent session handling or token rotation behavior is not specified",
+      "failSuggestion": "Specify concurrent session handling: allow multiple sessions, or rotate tokens (invalidate old on refresh)"
+    },
+    {
+      "id": "sa-story-10",
+      "tier": 1,
+      "perspective": "solution-architect",
+      "severity": "major",
+      "category": "paginated-list-stories",
+      "universal": false,
+      "applicabilityQuestion": "Does this story return a paginated list? (Does it involve listing, searching, or paginating through collections?)",
+      "question": "Does the story specify cursor field and encoding (e.g. opaque base64 of (createdAt, id))?",
+      "failDescription": "Cursor field and encoding are not specified for paginated list",
+      "failSuggestion": "Specify cursor encoding: e.g. 'opaque base64 of (createdAt, id)' for cursor-based pagination"
+    },
+    {
+      "id": "sa-story-11",
+      "tier": 1,
+      "perspective": "solution-architect",
+      "severity": "major",
+      "category": "paginated-list-stories",
+      "universal": false,
+      "applicabilityQuestion": "Does this story return a paginated list?",
+      "question": "Are default and maximum page size stated?",
+      "failDescription": "Default and maximum page size are not stated",
+      "failSuggestion": "State pagination limits: e.g. 'default: 20, max: 100'"
+    },
+    {
+      "id": "sa-story-12",
+      "tier": 1,
+      "perspective": "solution-architect",
+      "severity": "minor",
+      "category": "paginated-list-stories",
+      "universal": false,
+      "applicabilityQuestion": "Does this story return a paginated list?",
+      "question": "Are stable sort column(s) defined to prevent row skips on insert between pages?",
+      "failDescription": "Stable sort columns are not defined — pagination may skip or duplicate rows",
+      "failSuggestion": "Define stable sort: e.g. 'ORDER BY createdAt DESC, id DESC' to ensure deterministic pagination"
+    },
+    {
+      "id": "sa-story-13",
+      "tier": 1,
+      "perspective": "solution-architect",
+      "severity": "minor",
+      "category": "paginated-list-stories",
+      "universal": false,
+      "applicabilityQuestion": "Does this story return a paginated list?",
+      "question": "Is the invalid/tampered cursor error specified (e.g. 422 { error: 'INVALID_CURSOR' })?",
+      "failDescription": "Invalid cursor error response is not specified",
+      "failSuggestion": "Specify invalid cursor response: 422 { error: 'INVALID_CURSOR' }"
+    },
+    {
+      "id": "sa-story-14",
+      "tier": 1,
+      "perspective": "solution-architect",
+      "severity": "minor",
+      "category": "paginated-list-stories",
+      "universal": false,
+      "applicabilityQuestion": "Does this story return a paginated list?",
+      "question": "Is the empty result shape specified (e.g. { data: [], nextCursor: null })?",
+      "failDescription": "Empty result shape is not specified",
+      "failSuggestion": "Specify empty result shape: { data: [], nextCursor: null }"
+    },
+    {
+      "id": "sa-story-15",
+      "tier": 1,
+      "perspective": "solution-architect",
+      "severity": "major",
+      "category": "acceptance-criteria-testability",
+      "universal": true,
+      "question": "Does each acceptance criterion define exactly one observable, deterministic outcome?",
+      "failDescription": "One or more acceptance criteria define multiple outcomes or are non-deterministic",
+      "failSuggestion": "Split compound ACs into single-outcome criteria: each AC should have exactly one testable, deterministic result"
+    },
+    {
+      "id": "sa-story-16",
+      "tier": 1,
+      "perspective": "solution-architect",
+      "severity": "major",
+      "category": "acceptance-criteria-testability",
+      "universal": false,
+      "applicabilityQuestion": "Does this story define error scenarios for API endpoints?",
+      "question": "Do error ACs include status code AND error body shape (not just 'returns error')?",
+      "failDescription": "Error ACs are vague — missing status code or error body shape",
+      "failSuggestion": "Specify error ACs with status code and body shape: e.g. '422 { error: \"INVALID_EMAIL\", field: \"email\" }'"
+    },
+    {
+      "id": "sa-story-17",
+      "tier": 1,
+      "perspective": "solution-architect",
+      "severity": "minor",
+      "category": "acceptance-criteria-testability",
+      "universal": true,
+      "question": "Are edge cases covered (invalid IDs -> 404/422, empty datasets -> 200 with empty array, concurrent writes -> conflict or idempotent result)?",
+      "failDescription": "Edge cases are not covered in acceptance criteria",
+      "failSuggestion": "Add edge case ACs: invalid IDs (404/422), empty datasets (200 []), concurrent writes (409 or idempotent)"
+    },
+    {
+      "id": "sa-story-18",
+      "tier": 1,
+      "perspective": "solution-architect",
+      "severity": "minor",
+      "category": "scope-dependencies",
+      "universal": true,
+      "question": "Is the story feasibly implementable (not requiring months of work)?",
+      "failDescription": "Story scope appears too large for feasible implementation",
+      "failSuggestion": "Reduce story scope to a single cohesive capability — split broader work into multiple focused stories"
+    },
+    {
+      "id": "sa-story-19",
+      "tier": 1,
+      "perspective": "solution-architect",
+      "severity": "minor",
+      "category": "scope-dependencies",
+      "universal": true,
+      "question": "Do dependencies reference specific story IDs and what contract they provide?",
+      "failDescription": "Dependencies do not reference specific story IDs or contracts",
+      "failSuggestion": "Reference specific story IDs in dependencies and state what contract each provides"
+    }
+  ]
+}

package/cli/checks/story/test-architect.json

@@ -0,0 +1,210 @@
+{
+  "perspective": "test-architect",
+  "scope": "story",
+  "checks": [
+    {
+      "id": "ta-story-01",
+      "tier": 1,
+      "perspective": "test-architect",
+      "severity": "critical",
+      "category": "acceptance-criteria-quality",
+      "universal": false,
+      "applicabilityQuestion": "Does this story define acceptance criteria that require test architecture review?",
+      "question": "Is each acceptance criterion testable and measurable with deterministic, automatable assertions?",
+      "failDescription": "Acceptance criteria lack deterministic, automatable assertions — test architect cannot design reliable test suites",
+      "failSuggestion": "Rewrite each AC with automatable assertions: exact HTTP codes, specific UI element states, precise database record changes"
+    },
+    {
+      "id": "ta-story-02",
+      "tier": 1,
+      "perspective": "test-architect",
+      "severity": "critical",
+      "category": "acceptance-criteria-quality",
+      "universal": false,
+      "applicabilityQuestion": "Does this story involve functionality with multiple execution paths?",
+      "question": "Do criteria cover happy path, edge cases, and error scenarios with enough detail for comprehensive test coverage?",
+      "failDescription": "Criteria do not cover sufficient paths for comprehensive test coverage design",
+      "failSuggestion": "Add ACs for each path: happy path (normal flow), edge cases (boundary values, concurrent access), error scenarios (validation, timeout, permission)"
+    },
+    {
+      "id": "ta-story-03",
+      "tier": 1,
+      "perspective": "test-architect",
+      "severity": "critical",
+      "category": "acceptance-criteria-quality",
+      "universal": false,
+      "applicabilityQuestion": "Does this story have multiple acceptance criteria that could overlap?",
+      "question": "Are acceptance criteria independent and non-overlapping — can each be mapped to a distinct test suite?",
+      "failDescription": "Acceptance criteria overlap — cannot map to distinct, non-redundant test suites",
+      "failSuggestion": "Refactor ACs so each maps to one test suite: separate functional, integration, and non-functional criteria"
+    },
+    {
+      "id": "ta-story-04",
+      "tier": 1,
+      "perspective": "test-architect",
+      "severity": "critical",
+      "category": "acceptance-criteria-quality",
+      "universal": false,
+      "applicabilityQuestion": "Does this story have test architecture requirements (test strategy, framework, or infrastructure)?",
+      "question": "Are test architecture requirements explicitly stated — test framework, test infrastructure, and test strategy decisions?",
+      "failDescription": "Test architecture requirements are not explicitly stated",
+      "failSuggestion": "State test architecture needs: test framework choice, required test infrastructure (containers, mocks, fixtures), and test strategy (pyramid, diamond)"
+    },
+    {
+      "id": "ta-story-05",
+      "tier": 1,
+      "perspective": "test-architect",
+      "severity": "major",
+      "category": "implementation-clarity",
+      "universal": false,
+      "applicabilityQuestion": "Does this story require test architecture design decisions?",
+      "question": "Does the story provide enough detail for test architecture design — component boundaries, integration points, and mock requirements?",
+      "failDescription": "Insufficient detail for test architecture design — component boundaries or integration points are unclear",
+      "failSuggestion": "Add test architecture details: component boundaries for unit test isolation, integration points requiring test doubles, and external service mock requirements"
+    },
+    {
+      "id": "ta-story-06",
+      "tier": 1,
+      "perspective": "test-architect",
+      "severity": "major",
+      "category": "implementation-clarity",
+      "universal": false,
+      "applicabilityQuestion": "Does this story have technical constraints affecting test design?",
+      "question": "Are technical constraints and assumptions explicit — performance baselines, concurrency requirements, and infrastructure dependencies?",
+      "failDescription": "Technical constraints are not explicit — cannot design performance or load tests",
+      "failSuggestion": "State technical constraints: response time baselines, concurrent user targets, infrastructure dependencies, and resource limits"
+    },
+    {
+      "id": "ta-story-07",
+      "tier": 1,
+      "perspective": "test-architect",
+      "severity": "major",
+      "category": "implementation-clarity",
+      "universal": false,
+      "applicabilityQuestion": "Does this story involve test patterns or approaches that need architectural guidance?",
+      "question": "Are test architecture patterns and approaches specified — test pyramid levels, contract testing, snapshot testing, or property-based testing?",
+      "failDescription": "Test architecture patterns are not specified — unclear which testing approaches to use",
+      "failSuggestion": "Specify test patterns: test pyramid level allocation, contract testing for APIs, snapshot testing for UI, property-based testing for data transformations"
+    },
+    {
+      "id": "ta-story-08",
+      "tier": 1,
+      "perspective": "test-architect",
+      "severity": "major",
+      "category": "testability",
+      "universal": false,
+      "applicabilityQuestion": "Does this story have functionality testable at multiple levels?",
+      "question": "Can the story be tested at multiple levels with clear test boundaries — unit (isolated logic), integration (component interaction), e2e (user workflow)?",
+      "failDescription": "Test boundaries between unit, integration, and e2e levels are unclear",
+      "failSuggestion": "Define test boundaries: unit tests for pure business logic, integration tests for DB/API interactions, e2e tests for complete user workflows"
+    },
+    {
+      "id": "ta-story-09",
+      "tier": 1,
+      "perspective": "test-architect",
+      "severity": "major",
+      "category": "testability",
+      "universal": false,
+      "applicabilityQuestion": "Does this story require test data management?",
+      "question": "Are test data requirements clear — fixture design, factory patterns, seed data, and data isolation between test runs?",
+      "failDescription": "Test data requirements are unclear — no fixture design, factory patterns, or data isolation strategy",
+      "failSuggestion": "Define test data strategy: fixture/factory patterns, seed data scripts, test data isolation (per-test DB, transactions), and cleanup procedures"
+    },
+    {
+      "id": "ta-story-10",
+      "tier": 1,
+      "perspective": "test-architect",
+      "severity": "major",
+      "category": "testability",
+      "universal": false,
+      "applicabilityQuestion": "Does this story produce outcomes that need test verification?",
+      "question": "Are expected outcomes precisely defined — deterministic assertions, tolerance ranges for async operations, and observable state changes?",
+      "failDescription": "Expected outcomes are not precisely defined — cannot write deterministic test assertions",
+      "failSuggestion": "Define precise outcomes: deterministic assertions (exact values), tolerance ranges (async timing), observable state changes (DB records, events, UI states)"
+    },
+    {
+      "id": "ta-story-11",
+      "tier": 1,
+      "perspective": "test-architect",
+      "severity": "minor",
+      "category": "scope-dependencies",
+      "universal": false,
+      "applicabilityQuestion": "Does this story involve test architecture work that could span multiple days?",
+      "question": "Is the story appropriately scoped — test architecture effort focused on a single cohesive capability including test design, infrastructure, and implementation?",
+      "failDescription": "Story may be too broad — test architecture effort spans too many concerns",
+      "failSuggestion": "Split large stories: separate test infrastructure setup, test framework configuration, and test implementation into individual stories"
+    },
+    {
+      "id": "ta-story-12",
+      "tier": 1,
+      "perspective": "test-architect",
+      "severity": "minor",
+      "category": "scope-dependencies",
+      "universal": false,
+      "applicabilityQuestion": "Does this story depend on test infrastructure, frameworks, or other stories?",
+      "question": "Are dependencies on test infrastructure, CI/CD pipelines, or other stories explicitly identified?",
+      "failDescription": "Dependencies on test infrastructure or CI/CD pipelines are not explicitly identified",
+      "failSuggestion": "List all dependencies: test framework versions, CI/CD pipeline requirements, prerequisite test infrastructure, and external service test environments"
+    },
+    {
+      "id": "ta-story-13",
+      "tier": 1,
+      "perspective": "test-architect",
+      "severity": "minor",
+      "category": "scope-dependencies",
+      "universal": false,
+      "applicabilityQuestion": "Does this story deliver test architecture incrementally?",
+      "question": "Is the story independent enough to be delivered incrementally without breaking existing test suites?",
+      "failDescription": "Story may not be independently deliverable — risk of breaking existing test suites",
+      "failSuggestion": "Ensure backward compatibility: verify existing test suites still pass, define migration plan for test framework changes"
+    },
+    {
+      "id": "ta-story-14",
+      "tier": 1,
+      "perspective": "test-architect",
+      "severity": "minor",
+      "category": "best-practices",
+      "universal": false,
+      "applicabilityQuestion": "Does this story involve test architecture implementation?",
+      "question": "Does the story follow test architecture best practices — test isolation, deterministic tests, fast feedback loops, and maintainable test code?",
+      "failDescription": "Story does not address test architecture best practices",
+      "failSuggestion": "Address best practices: test isolation (no shared state), deterministic tests (no flaky assertions), fast feedback (parallel execution), maintainable code (page objects, builders)"
+    },
+    {
+      "id": "ta-story-15",
+      "tier": 1,
+      "perspective": "test-architect",
+      "severity": "minor",
+      "category": "best-practices",
+      "universal": false,
+      "applicabilityQuestion": "Does this story have test approaches that could lead to anti-patterns?",
+      "question": "Does the story avoid test architecture anti-patterns — no ice-cream cone testing, no shared mutable test state, no sleep-based waits?",
+      "failDescription": "Story may contain test architecture anti-patterns",
+      "failSuggestion": "Check for anti-patterns: ice-cream cone (too many e2e, too few unit), shared mutable state (use fixtures), sleep-based waits (use polling/events)"
+    },
+    {
+      "id": "ta-story-16",
+      "tier": 1,
+      "perspective": "test-architect",
+      "severity": "major",
+      "category": "acceptance-criteria-quality",
+      "universal": false,
+      "applicabilityQuestion": "Does this story use vague language in its acceptance criteria?",
+      "question": "Do all ACs avoid vague phrases ('handle gracefully', 'validate properly', 'appropriate response') without specifying concrete outcomes?",
+      "failDescription": "ACs use vague language without specifying concrete, automatable test outcomes",
+      "failSuggestion": "Replace vague phrases with automatable outcomes: instead of 'handle errors gracefully', specify 'return { error: \"INVALID_INPUT\", code: 422 }'"
+    },
+    {
+      "id": "ta-story-17",
+      "tier": 1,
+      "perspective": "test-architect",
+      "severity": "major",
+      "category": "testability",
+      "universal": false,
+      "applicabilityQuestion": "Does this story have logic paths that need testing?",
+      "question": "Does at least one AC explicitly list concrete test scenarios (named test cases, boundary values, or error paths)?",
+      "failDescription": "Story lacks a test-boundary AC — no AC names the specific scenarios a developer must test",
+      "failSuggestion": "Add one AC: 'Developer tests must cover: (1) happy path, (2) missing required field, (3) domain-specific error, (4) authentication failure, (5) authorization failure'"
+    }
+  ]
+}