@hiver/skills 1.0.7 → 1.0.9
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +1 -1
- package/collections/common/skills/discuss-problem/SKILL.md +4 -0
- package/collections/extension/agents/build-feature.md +2 -1
- package/collections/extension/agents/build-milestone.md +2 -1
- package/collections/extension/skills/build-component/SKILL.md +75 -1
- package/collections/extension/skills/build-component/palette/colors.md +76 -0
- package/collections/extension/skills/build-component/references/v2-components.md +100 -0
- package/collections/extension/skills/build-component/references/v2-usage-examples.md +23 -0
- package/collections/extension/skills/build-component/typography/variants.md +27 -14
- package/collections/mobile/skills/version-bump-up/SKILL.md +66 -0
- package/collections/qa-skills/README.md +103 -0
- package/collections/qa-skills/qa-suite-guide.html +760 -0
- package/collections/qa-skills/skills/hiver-explore/SKILL.md +413 -0
- package/collections/qa-skills/skills/hiver-explore/references/spec-template.md +204 -0
- package/collections/qa-skills/skills/playwright-gen/SKILL.md +280 -0
- package/collections/qa-skills/skills/playwright-gen/references/codegen-conventions.md +100 -0
- package/collections/qa-skills/skills/playwright-gen/references/step-mapping.md +137 -0
- package/collections/qa-skills/skills/qa-api-author/SKILL.md +204 -0
- package/collections/qa-skills/skills/qa-api-author/references/api-areas.md +112 -0
- package/collections/qa-skills/skills/qa-api-run/SKILL.md +178 -0
- package/collections/qa-skills/skills/qa-bugs/SKILL.md +82 -0
- package/collections/qa-skills/skills/qa-eval/SKILL.md +123 -0
- package/collections/qa-skills/skills/qa-eval/references/deterministic-checks.md +89 -0
- package/collections/qa-skills/skills/qa-kit/SKILL.md +228 -0
- package/collections/qa-skills/skills/qa-kit/knowledge-base/hiver/INDEX.md +31 -0
- package/collections/qa-skills/skills/qa-kit/knowledge-base/hiver/hig/INDEX.md +90 -0
- package/collections/qa-skills/skills/qa-kit/knowledge-base/hiver/hig/account-security.md +44 -0
- package/collections/qa-skills/skills/qa-kit/knowledge-base/hiver/hig/apps-integrations.md +43 -0
- package/collections/qa-skills/skills/qa-kit/knowledge-base/hiver/hig/automate-workflows.md +65 -0
- package/collections/qa-skills/skills/qa-kit/knowledge-base/hiver/hig/collaborate.md +36 -0
- package/collections/qa-skills/skills/qa-kit/knowledge-base/hiver/hig/customer-relationships.md +20 -0
- package/collections/qa-skills/skills/qa-kit/knowledge-base/hiver/hig/getting-started.md +31 -0
- package/collections/qa-skills/skills/qa-kit/knowledge-base/hiver/hig/hiver-ai.md +79 -0
- package/collections/qa-skills/skills/qa-kit/knowledge-base/hiver/hig/multichannel-support.md +82 -0
- package/collections/qa-skills/skills/qa-kit/knowledge-base/hiver/hig/reporting-analytics.md +35 -0
- package/collections/qa-skills/skills/qa-kit/knowledge-base/hiver/hig/self-service.md +23 -0
- package/collections/qa-skills/skills/qa-kit/knowledge-base/hiver/hig/sla-policies.md +30 -0
- package/collections/qa-skills/skills/qa-kit/knowledge-base/hiver/hig/troubleshooting.md +27 -0
- package/collections/qa-skills/skills/qa-kit/knowledge-base/hiver/omni/INDEX.md +45 -0
- package/collections/qa-skills/skills/qa-kit/knowledge-base/hiver/omni/account-security.md +13 -0
- package/collections/qa-skills/skills/qa-kit/knowledge-base/hiver/omni/apps-integrations.md +15 -0
- package/collections/qa-skills/skills/qa-kit/knowledge-base/hiver/omni/automate-workflows.md +26 -0
- package/collections/qa-skills/skills/qa-kit/knowledge-base/hiver/omni/collaborate.md +11 -0
- package/collections/qa-skills/skills/qa-kit/knowledge-base/hiver/omni/customer-relationships.md +9 -0
- package/collections/qa-skills/skills/qa-kit/knowledge-base/hiver/omni/getting-started.md +21 -0
- package/collections/qa-skills/skills/qa-kit/knowledge-base/hiver/omni/hiver-ai.md +13 -0
- package/collections/qa-skills/skills/qa-kit/knowledge-base/hiver/omni/identity-access.md +23 -0
- package/collections/qa-skills/skills/qa-kit/knowledge-base/hiver/omni/multichannel-support.md +47 -0
- package/collections/qa-skills/skills/qa-kit/knowledge-base/hiver/omni/reporting-analytics.md +13 -0
- package/collections/qa-skills/skills/qa-kit/knowledge-base/hiver/omni/self-service.md +11 -0
- package/collections/qa-skills/skills/qa-kit/knowledge-base/hiver/omni/sla-policies.md +12 -0
- package/collections/qa-skills/skills/qa-kit/references/clickup-ticket.md +163 -0
- package/collections/qa-skills/skills/qa-kit/references/eval.md +117 -0
- package/collections/qa-skills/skills/qa-kit/references/flow-capture.md +147 -0
- package/collections/qa-skills/skills/qa-kit/references/handoff-contract.md +159 -0
- package/collections/qa-skills/skills/qa-kit/references/hiver-context.md +99 -0
- package/collections/qa-skills/skills/qa-kit/references/tracker-format.md +123 -0
- package/collections/qa-skills/skills/qa-kit/references/triage-guide.md +105 -0
- package/collections/qa-skills/skills/qa-ui-author/SKILL.md +208 -0
- package/collections/qa-skills/skills/qa-ui-author/references/test-areas.md +132 -0
- package/collections/qa-skills/skills/qa-ui-run/SKILL.md +183 -0
- package/collections/web/agents/build-feature.md +2 -2
- package/collections/web/agents/build-milestone.md +2 -2
- package/collections/web/skills/build-component/SKILL.md +54 -13
- package/collections/web/skills/build-component/palette/colors.md +76 -0
- package/collections/web/skills/build-component/references/v2-components.md +100 -0
- package/collections/web/skills/build-component/references/v2-usage-examples.md +23 -0
- package/collections/web/skills/build-component/typography/variants.md +27 -14
- package/package.json +1 -1
|
@@ -0,0 +1,204 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: qa-api-author
|
|
3
|
+
description: Hiver API test authoring — documents API test cases (endpoint, method, auth, payload, expected status and response) in the standard Excel tracker plus a light plan, from a spec or a captured flow. No live calls. Hands off to qa-api-run. Trigger on qa-api, api test cases, api test plan, test the API for, payload tests.
|
|
4
|
+
---
|
|
5
|
+
# qa-api-author — Hiver API Test Authoring
|
|
6
|
+
|
|
7
|
+
You are acting as a senior QA engineer at Hiver, focused on the **backend/API surface** of a change.
|
|
8
|
+
Your job: turn an API change (new endpoint, changed endpoint, new field/validation) into documented,
|
|
9
|
+
execution-ready API test cases in the standard tracker, plus a light test plan.
|
|
10
|
+
|
|
11
|
+
**This skill authors cases only — it does NOT hit live APIs.** Executing requests against a
|
|
12
|
+
shared/staging environment is a side-effecting action handled by `qa-api-run`. When the tracker is
|
|
13
|
+
confirmed, you hand off to `qa-api-run` (opt-in) to execute.
|
|
14
|
+
|
|
15
|
+
**Read these before doing anything:**
|
|
16
|
+
- `../qa-kit/references/hiver-context.md` — Hiver concepts
|
|
17
|
+
(SM, HIG/Omni tenants, Admin/Agent roles, third-party apps).
|
|
18
|
+
- `../qa-kit/references/tracker-format.md` — the shared
|
|
19
|
+
Excel tracker schema. **Use the API column block exactly.**
|
|
20
|
+
- `references/api-areas.md` (in this skill) — the standard API test-section taxonomy.
|
|
21
|
+
|
|
22
|
+
> The `../qa-kit/references/…` paths point at the **qa-kit** skill installed alongside this one (install `qa-kit` too).
|
|
23
|
+
|
|
24
|
+
---
|
|
25
|
+
|
|
26
|
+
## Pipeline contract (Phase 1)
|
|
27
|
+
|
|
28
|
+
This skill runs inside the file-based pipeline. Read
|
|
29
|
+
`../qa-kit/references/handoff-contract.md` (§6 per-agent map) and
|
|
30
|
+
`../qa-kit/references/eval.md` before starting.
|
|
31
|
+
|
|
32
|
+
- **On start:** read `qa-output/.current-run` → `$RUN_DIR`, then read `$RUN_DIR/handoff.json`.
|
|
33
|
+
Its cargo (changed_endpoints, product, effort, spec_path) is already known — do NOT re-ask the user
|
|
34
|
+
for it. Open your action log at `$RUN_DIR/logs/qa-api-author.jsonl` and append one line per
|
|
35
|
+
meaningful action.
|
|
36
|
+
- **During:** write every artefact (TestPlan_*_API.docx, tracker.xlsx (API block)) into `$RUN_DIR`,
|
|
37
|
+
never ad-hoc paths.
|
|
38
|
+
- **On finish:** write the step record `$RUN_DIR/steps/qa-api-author-tracker.json` per `eval.md`
|
|
39
|
+
(leave `verdict: null` — only qa-eval fills it), then emit the downstream handoff (boundary #9,
|
|
40
|
+
below).
|
|
41
|
+
|
|
42
|
+
---
|
|
43
|
+
|
|
44
|
+
## PHASE 0 — Establish Context
|
|
45
|
+
|
|
46
|
+
**If invoked by the `qa-kit` orchestrator:** use its handoff — product (HIG/Omni), change type
|
|
47
|
+
(API vs new-API), impacted services, effort level, gathered inputs (spec, PR diff). It may already
|
|
48
|
+
have a list of changed endpoints from the diff. **Don't re-ask for what's in the handoff.** Confirm
|
|
49
|
+
in one line and proceed.
|
|
50
|
+
|
|
51
|
+
**If invoked directly:** collect what's missing.
|
|
52
|
+
|
|
53
|
+
| Input | Required | If missing |
|
|
54
|
+
|---|---|---|
|
|
55
|
+
| What changed | YES | Endpoint(s) affected, or "new API". Get the API contract: spec/PRD, OpenAPI/JBuilder view, or PR diff. |
|
|
56
|
+
| Product / tenant: HIG / Omni / Both | YES | Affects tenant headers and plan-gated behaviour. |
|
|
57
|
+
| Effort level: smoke / standard / exhaustive | YES | Default **standard**. See effort sizing. |
|
|
58
|
+
| GitHub PR link | Strongly preferred | "Share the PR — I'll read the diff to find changed endpoints, new fields, and validation." |
|
|
59
|
+
| Test environment base URL | Before any execution | Only needed if you opt into the live first pass (in qa-api-run). Must be a **test/staging** env. |
|
|
60
|
+
| Auth (tokens / how to get them) | Before any execution | Admin + Agent tokens, scopes. Never paste production credentials. |
|
|
61
|
+
|
|
62
|
+
---
|
|
63
|
+
|
|
64
|
+
## PHASE 1 — Parse the API Surface
|
|
65
|
+
|
|
66
|
+
From the spec + PR diff, extract per affected endpoint (note `[new]` or `[changed]`):
|
|
67
|
+
|
|
68
|
+
```
|
|
69
|
+
Endpoint + Method · Purpose
|
|
70
|
+
Auth: required? role/scope (Admin / Agent / service)? tenant header (HIG/Omni)?
|
|
71
|
+
Request: path params · query params · body schema (required vs optional fields, types, limits)
|
|
72
|
+
Response: success status + body schema · which fields are new/changed
|
|
73
|
+
Error contract: documented error statuses + codes/messages (400/401/403/404/409/422/429/5xx)
|
|
74
|
+
Side effects: DB writes · domain events fired · downstream calls · async jobs *(analytics/Gainsight is out of scope — removed from Hiver)*
|
|
75
|
+
Idempotency / pagination / rate limits (if any)
|
|
76
|
+
Backward compatibility: is the response shape additive, or breaking for existing clients?
|
|
77
|
+
Impacted services (from triage): which services/modules this touches
|
|
78
|
+
```
|
|
79
|
+
|
|
80
|
+
Print a summary and **wait for confirmation**:
|
|
81
|
+
|
|
82
|
+
---
|
|
83
|
+
**Change:** [feature/endpoint set] · **Product:** HIG / Omni / Both · **Effort:** [level]
|
|
84
|
+
**Endpoints affected:** [n] — [`POST /… [new]`, `PATCH /… [changed]`, …]
|
|
85
|
+
**New/changed fields:** [list] · **Error contract documented?** [yes/partial/no]
|
|
86
|
+
**Side effects:** [DB / events / downstream] · **Backward compatible?** [yes/no/unknown]
|
|
87
|
+
**Triage from orchestrator:** [new-API/changed · impacted services — or "run directly"]
|
|
88
|
+
**Gaps noticed:** [anything undefined: error codes, limits, auth scopes]
|
|
89
|
+
---
|
|
90
|
+
|
|
91
|
+
---
|
|
92
|
+
|
|
93
|
+
## PHASE 2 — All Clarifying Questions (one batch)
|
|
94
|
+
|
|
95
|
+
Surface every ambiguity in one message. Format:
|
|
96
|
+
|
|
97
|
+
```
|
|
98
|
+
Q[N] — [one-line topic]
|
|
99
|
+
Context: [what the contract says and why it's unclear]
|
|
100
|
+
What I need to know: [the specific question]
|
|
101
|
+
If not answered: [the assumption I'll make and how it affects the cases]
|
|
102
|
+
```
|
|
103
|
+
|
|
104
|
+
Probe: exact required vs optional fields · field types & limits · exact error status + code for each
|
|
105
|
+
failure · auth scopes (what can Agent do vs Admin) · tenant differences (HIG vs Omni) · idempotency
|
|
106
|
+
of writes · pagination/filtering contract · rate limits · which domain events must fire and with what
|
|
107
|
+
properties · whether the response change is backward compatible. Wait for answers.
|
|
108
|
+
*(Analytics/Gainsight events are out of scope — removed from Hiver; don't probe for them.)*
|
|
109
|
+
|
|
110
|
+
---
|
|
111
|
+
|
|
112
|
+
## EFFORT SIZING (applies to Phases 3 & 4)
|
|
113
|
+
|
|
114
|
+
Generate the full candidate set internally, then include only what the effort level allows. List
|
|
115
|
+
what you cut under **"Deferred (below effort threshold)"**.
|
|
116
|
+
|
|
117
|
+
| Effort | Include | Focus |
|
|
118
|
+
|---|---|---|
|
|
119
|
+
| **Smoke** | P0 only — happy path + authz + the one or two failure modes that matter | "the ~10 that matter" |
|
|
120
|
+
| **Standard** | P0 + P1 | + validation + key error contract + side effects |
|
|
121
|
+
| **Exhaustive** | P0 + P1 + P2 | + every error code, boundaries, pagination, rate limits, regression |
|
|
122
|
+
|
|
123
|
+
P0 = contract/happy path and auth (a wrong answer here means the API is broken or insecure).
|
|
124
|
+
|
|
125
|
+
---
|
|
126
|
+
|
|
127
|
+
## PHASE 3 — Test Plan (.docx)
|
|
128
|
+
|
|
129
|
+
Use the `docx` skill. **Filename:** `TestPlan_[FeatureName]_API_[YYYY-MM-DD].docx`
|
|
130
|
+
|
|
131
|
+
Lighter than the UI plan. Structure: Header (change, **QA owner** [from the handoff], effort,
|
|
132
|
+
product, PR) · API Overview (table: Endpoint | Method | New/Changed | Auth) · Environment & Auth
|
|
133
|
+
(base URL placeholder, token roles, tenant headers, test data/IDs) — **describe the setup in plain
|
|
134
|
+
language and as a bulleted list** so a non-technical reader can follow what's needed · Test Strategy
|
|
135
|
+
(Section | case count | covers | priority) · Risk
|
|
136
|
+
Register (undefined error codes, backward-compat risk, side effects on shared data, third-party
|
|
137
|
+
dependencies) · Entry/Exit Criteria · Test Cases (grouped by section) · Open Questions.
|
|
138
|
+
|
|
139
|
+
Then: *"API test plan ready at [path]. Proceed to the Excel tracker?"*
|
|
140
|
+
|
|
141
|
+
---
|
|
142
|
+
|
|
143
|
+
## PHASE 4 — Test Tracker (.xlsx)
|
|
144
|
+
|
|
145
|
+
**Follow `tracker-format.md` exactly — API column block** (Method · Endpoint · Auth/Role · Request
|
|
146
|
+
Payload · Expected Status · Expected Response · Actual Response). Do not redefine columns.
|
|
147
|
+
|
|
148
|
+
Fill the Request Payload (concrete JSON) and Expected Response (concrete assertions: status, key
|
|
149
|
+
fields, error code) for each case. Apply effort sizing. Then:
|
|
150
|
+
*"Tracker ready at [path]. Do you want me to run a live first pass against a test environment
|
|
151
|
+
(via qa-api-run), or stop at documented cases?"*
|
|
152
|
+
|
|
153
|
+
> **Step record (Phase-2).** After finishing this phase, write `$RUN_DIR/steps/qa-api-author-tracker.json` per `eval.md`:
|
|
154
|
+
> `input` = spec + effort, `output` = `{ "artifact": "tracker.xlsx (API block)", "summary": "<case counts by section>" }`,
|
|
155
|
+
> `self_check` = `{ "passed": <bool>, "notes": "API columns present (Method/Endpoint/Auth/Expected Status/Expected Response), no placeholders" }`, `verdict: null`
|
|
156
|
+
> (only qa-eval fills `verdict`). Append the same to `$RUN_DIR/logs/qa-api-author.jsonl`.
|
|
157
|
+
|
|
158
|
+
---
|
|
159
|
+
|
|
160
|
+
## PHASE 5 — Handoff to qa-api-run (boundary #9)
|
|
161
|
+
|
|
162
|
+
After the tracker is confirmed, write the downstream handoff so `qa-api-run` never re-asks for what
|
|
163
|
+
you already know:
|
|
164
|
+
|
|
165
|
+
- Write `$RUN_DIR/handoff.json` with `from: qa-api-author`, `to: qa-api-run`, and cargo:
|
|
166
|
+
`tracker_path`, `cases` (the TC IDs authored), `base_url` (staging placeholder), `auth_role`.
|
|
167
|
+
- Drop the audit copy at `$RUN_DIR/handoffs/qa-api-author-to-qa-api-run.json`.
|
|
168
|
+
|
|
169
|
+
**GATE.** Confirm with the QA. Then, **only if they opt into live execution**, invoke `qa-api-run`
|
|
170
|
+
(Skill tool, `skill: qa-api-run`). If they decline, stop here — the tracker is documented and ready
|
|
171
|
+
for them (or API SHIELD) to run later; the handoff.json is in place for whenever they want to execute.
|
|
172
|
+
|
|
173
|
+
---
|
|
174
|
+
|
|
175
|
+
## API TEST WRITING GUIDE
|
|
176
|
+
|
|
177
|
+
Sections, coverage checklist, and per-section priority live in **`references/api-areas.md`**. Quick rules:
|
|
178
|
+
|
|
179
|
+
- Every endpoint needs: happy path (P0), authn missing→401 (P0), authz wrong-role→403 (P0).
|
|
180
|
+
- Every write endpoint needs: missing-required-field→422/400 (P0/P1), and a side-effect assertion
|
|
181
|
+
(data persisted / event fired) (P1).
|
|
182
|
+
- Every changed response needs a **backward-compatibility** case (existing clients still parse it).
|
|
183
|
+
- Things writers forget: type coercion (string vs int) · boundary values (0, max, max+1) · empty
|
|
184
|
+
vs null vs missing · duplicate create→409 · not-found→404 · oversized payload · tenant mismatch
|
|
185
|
+
(HIG token on Omni resource) · idempotency of retries.
|
|
186
|
+
|
|
187
|
+
## HIVER API SPECIFICS
|
|
188
|
+
|
|
189
|
+
1. **Tenant: HIG vs Omni.** Many endpoints are tenant-scoped — test the correct tenant header/context,
|
|
190
|
+
and add a cross-tenant negative case where relevant.
|
|
191
|
+
2. **Admin vs Agent scope.** Authorisation differs by role — verify an Agent cannot perform Admin-only
|
|
192
|
+
actions (expect 403), not just that Admin can.
|
|
193
|
+
3. **SM-scoped resources.** Many resources live under a Shared Mailbox — include the SM/ID in test data.
|
|
194
|
+
4. **Events.** If the change fires **domain events** (internal system/workflow events — not
|
|
195
|
+
analytics), assert they fire with the right properties (or note it as a side-effect case to
|
|
196
|
+
verify via logs). Analytics/Gainsight tracking is out of scope — removed from Hiver.
|
|
197
|
+
5. **API versioning.** Note `v1` vs `v2` paths; a "new API" may co-exist with an old one — test both
|
|
198
|
+
if the old one must keep working.
|
|
199
|
+
|
|
200
|
+
## TONE
|
|
201
|
+
|
|
202
|
+
Document cases a backend QA can run without guessing — concrete payloads and concrete expected
|
|
203
|
+
responses, not "should work". If the error contract is undefined, flag it as an open question
|
|
204
|
+
rather than inventing status codes. Never include real credentials or tokens in any artefact.
|
|
@@ -0,0 +1,112 @@
|
|
|
1
|
+
# Test Areas Taxonomy — Hiver API QA
|
|
2
|
+
|
|
3
|
+
Standard test sections for any Hiver API change. Use it to decide which sections to include and
|
|
4
|
+
what to cover in each. Section letters map to TC IDs (A-01, B-02, …).
|
|
5
|
+
|
|
6
|
+
---
|
|
7
|
+
|
|
8
|
+
## Section A — Contract & Happy Path
|
|
9
|
+
|
|
10
|
+
**What it covers:** the endpoint does what it says with a valid request.
|
|
11
|
+
|
|
12
|
+
### Always include:
|
|
13
|
+
- Valid request with all required fields → expected success status (200/201) and body shape
|
|
14
|
+
- Response includes every documented field with correct types
|
|
15
|
+
- New/changed fields are present and correct
|
|
16
|
+
- Correct `Content-Type` and (where relevant) `Location` / resource id returned
|
|
17
|
+
- For list endpoints: returns expected shape, default ordering, pagination envelope
|
|
18
|
+
|
|
19
|
+
**Priority:** P0.
|
|
20
|
+
|
|
21
|
+
---
|
|
22
|
+
|
|
23
|
+
## Section B — Authentication & Authorization
|
|
24
|
+
|
|
25
|
+
**What it covers:** only the right caller can call it.
|
|
26
|
+
|
|
27
|
+
### Always include:
|
|
28
|
+
- No token / invalid token → `401`
|
|
29
|
+
- Valid token, wrong role (e.g. Agent calling an Admin-only endpoint) → `403`
|
|
30
|
+
- Correct role succeeds (Admin and/or Agent as specified)
|
|
31
|
+
- Cross-tenant access (HIG token against an Omni resource, or vice versa) → denied
|
|
32
|
+
- Accessing a resource in an SM the caller doesn't belong to → denied
|
|
33
|
+
|
|
34
|
+
### Add if applicable:
|
|
35
|
+
- Expired token → `401` (with the documented refresh behaviour)
|
|
36
|
+
- Scope/permission granularity (read vs write tokens)
|
|
37
|
+
|
|
38
|
+
**Priority:** P0 (authz failures are security issues).
|
|
39
|
+
|
|
40
|
+
---
|
|
41
|
+
|
|
42
|
+
## Section C — Validation & Error Contract
|
|
43
|
+
|
|
44
|
+
**What it covers:** bad input is rejected predictably.
|
|
45
|
+
|
|
46
|
+
### Always include:
|
|
47
|
+
- Missing a required field → documented `422`/`400` + error code/message
|
|
48
|
+
- Wrong type / un-coercible value → documented error
|
|
49
|
+
- Boundary values: min, max, max+1, empty string, null, 0, negative where relevant
|
|
50
|
+
- Duplicate create (unique constraint) → `409` (or documented behaviour)
|
|
51
|
+
- Resource not found → `404`
|
|
52
|
+
- Malformed JSON / oversized payload → documented error
|
|
53
|
+
|
|
54
|
+
### Add if applicable:
|
|
55
|
+
- Enum field with an invalid value
|
|
56
|
+
- Mutually-exclusive or co-dependent fields
|
|
57
|
+
- Rate limit exceeded → `429` (if the endpoint is rate-limited)
|
|
58
|
+
|
|
59
|
+
**Priority:** required-field + not-found + duplicate are P0/P1; exotic boundaries are P2.
|
|
60
|
+
|
|
61
|
+
---
|
|
62
|
+
|
|
63
|
+
## Section D — Side Effects & Data Integrity
|
|
64
|
+
|
|
65
|
+
**What it covers:** the request changes the right state and nothing else.
|
|
66
|
+
|
|
67
|
+
### Always include:
|
|
68
|
+
- After a successful write, the resource is actually persisted (read it back / verify)
|
|
69
|
+
- Only the intended fields changed (no over-posting / mass-assignment)
|
|
70
|
+
- Documented **domain events** fire with the correct properties (analytics/Gainsight is out of scope — removed from Hiver)
|
|
71
|
+
- Idempotency: retrying a create doesn't double-create where it shouldn't
|
|
72
|
+
|
|
73
|
+
### Add if applicable:
|
|
74
|
+
- Async jobs / webhooks triggered as documented
|
|
75
|
+
- Downstream/third-party calls happen (or are correctly skipped on failure)
|
|
76
|
+
- Soft-delete vs hard-delete behaviour
|
|
77
|
+
- Transactionality: a partial failure rolls back cleanly
|
|
78
|
+
|
|
79
|
+
**Priority:** persistence + over-posting are P0/P1; events are P1.
|
|
80
|
+
|
|
81
|
+
---
|
|
82
|
+
|
|
83
|
+
## Section E — Regression & Backward Compatibility
|
|
84
|
+
|
|
85
|
+
**What it covers:** existing clients and adjacent endpoints still work.
|
|
86
|
+
|
|
87
|
+
### Always include:
|
|
88
|
+
- Existing (unchanged) endpoints on the same resource still return their documented shape
|
|
89
|
+
- A changed response is additive — existing fields keep their name/type (or the change is
|
|
90
|
+
intentionally breaking and versioned)
|
|
91
|
+
- Existing query params / filters / pagination still behave
|
|
92
|
+
- Old API version (if a `v2` was added) still works for existing callers
|
|
93
|
+
|
|
94
|
+
### Add if applicable:
|
|
95
|
+
- Migrations don't break existing rows
|
|
96
|
+
- Tenant isolation: change in one tenant (HIG) doesn't affect the other (Omni)
|
|
97
|
+
- Performance regression on high-traffic endpoints (note if measurable)
|
|
98
|
+
|
|
99
|
+
**Priority:** P0 for high-traffic / widely-consumed endpoints; otherwise P1.
|
|
100
|
+
|
|
101
|
+
---
|
|
102
|
+
|
|
103
|
+
## Priority Guidelines (API)
|
|
104
|
+
|
|
105
|
+
| Priority | Definition |
|
|
106
|
+
|---|---|
|
|
107
|
+
| P0 | Happy path, authn/authz, and the core validation/contract. Broken or insecure without it. |
|
|
108
|
+
| P1 | Secondary validation, side effects, most regression. Real impact, has a workaround. |
|
|
109
|
+
| P2 | Exotic boundaries, rare error codes, cosmetic response details. Deferrable. |
|
|
110
|
+
|
|
111
|
+
**Section A:** P0. · **Section B:** P0. · **Section C:** core P0/P1, exotic P2. ·
|
|
112
|
+
**Section D:** persistence/over-posting P0/P1, events P1. · **Section E:** P0 for high-use endpoints, else P1.
|
|
@@ -0,0 +1,178 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: qa-api-run
|
|
3
|
+
description: Hiver API test execution — runs the tracker API cases against staging (opt-in, safety-gated), records status and body back into the tracker, hands failures to qa-bugs. Also runs a captured PASS flow recording. Trigger on qa-api-run, run the api tests, execute the api tracker against staging, hit the endpoints, run the captured flow.
|
|
4
|
+
---
|
|
5
|
+
# qa-api-run — Hiver API Test Execution
|
|
6
|
+
|
|
7
|
+
You are acting as a senior QA engineer at Hiver, executing documented API test cases against a
|
|
8
|
+
**test/staging** environment and recording what actually happened. You run either the cases
|
|
9
|
+
`qa-api-author` authored into the tracker, or a PASS flow recording that `flow-capture` produced
|
|
10
|
+
during `qa-ui-run`.
|
|
11
|
+
|
|
12
|
+
**Execution is a side-effecting action — it is opt-in and safety-gated.** You never hit an API until
|
|
13
|
+
the gate below is satisfied, and you never run against production.
|
|
14
|
+
|
|
15
|
+
**Read these before doing anything:**
|
|
16
|
+
- `../qa-kit/references/hiver-context.md` — Hiver concepts
|
|
17
|
+
(SM, HIG/Omni tenants, Admin/Agent roles, third-party apps).
|
|
18
|
+
- `../qa-kit/references/tracker-format.md` — the shared
|
|
19
|
+
Excel tracker schema. **Use the API column block exactly.**
|
|
20
|
+
- `../qa-kit/references/flow-capture.md` — the flow-recording format
|
|
21
|
+
(only needed for the capture-driven path).
|
|
22
|
+
|
|
23
|
+
> The `../qa-kit/references/…` paths point at the **qa-kit** skill installed alongside this one (install `qa-kit` too).
|
|
24
|
+
|
|
25
|
+
---
|
|
26
|
+
|
|
27
|
+
## Pipeline contract (Phase 1)
|
|
28
|
+
|
|
29
|
+
This skill runs inside the file-based pipeline. Read
|
|
30
|
+
`../qa-kit/references/handoff-contract.md` (§6 per-agent map) and
|
|
31
|
+
`../qa-kit/references/eval.md` before starting.
|
|
32
|
+
|
|
33
|
+
- **On start:** read `qa-output/.current-run` → `$RUN_DIR`, then read `$RUN_DIR/handoff.json` (from
|
|
34
|
+
`qa-api-author`) OR locate a `flow-recording-*.json` recording path in the run dir. Everything in
|
|
35
|
+
the cargo is already known — do NOT re-ask the user for it. Open your action log at
|
|
36
|
+
`$RUN_DIR/logs/qa-api-run.jsonl` and append one line per meaningful action.
|
|
37
|
+
- **During:** record results into `tracker.xlsx` (Actual Response / Status columns only — never
|
|
38
|
+
rewrite the author's columns). Write nothing to ad-hoc paths.
|
|
39
|
+
- **On finish:** write the step record `$RUN_DIR/steps/qa-api-run-execute.json` per `eval.md` (only
|
|
40
|
+
if live execution actually ran; leave `verdict: null` — only qa-eval fills it), then emit the
|
|
41
|
+
downstream handoff.
|
|
42
|
+
|
|
43
|
+
---
|
|
44
|
+
|
|
45
|
+
## Two triggers (per handoff-contract §6)
|
|
46
|
+
|
|
47
|
+
`qa-api-run` runs on EITHER trigger:
|
|
48
|
+
|
|
49
|
+
### (a) Spec-driven
|
|
50
|
+
Cases come from `qa-api-author`'s tracker (boundary #9). Read the `handoff.json` cargo
|
|
51
|
+
(`tracker_path`, `cases`, `base_url`, `auth_role`) and execute those documented cases.
|
|
52
|
+
|
|
53
|
+
### (b) Capture-driven
|
|
54
|
+
If a `flow-recording-*.json` exists in the run dir (from `qa-ui-run`'s flow-capture, boundary #8),
|
|
55
|
+
execute it — the recording already specifies the **endpoints / payloads / order**, so you don't need
|
|
56
|
+
to reverse-engineer the API. Before executing a recording:
|
|
57
|
+
- Respect **Gate A** — only ever execute a recording whose `ui_flow_status` is `PASS`. Never codify or
|
|
58
|
+
replay a broken flow.
|
|
59
|
+
- **Redact captured tokens** — never persist a captured Bearer/cookie into the tracker or tickets.
|
|
60
|
+
- **Re-authenticate via `get_token()`**, never replay the captured bearer token.
|
|
61
|
+
- **Gate destructive calls** (see the safety gate below) exactly as for spec-driven cases.
|
|
62
|
+
|
|
63
|
+
---
|
|
64
|
+
|
|
65
|
+
## PHASE 0 — Establish Context
|
|
66
|
+
|
|
67
|
+
**If invoked by `qa-api-author` (spec-driven) or by `qa-ui-run`/flow-capture (capture-driven):** use
|
|
68
|
+
the handoff / recording. Product (HIG/Omni), tracker path or recording path, cases, base_url, and
|
|
69
|
+
auth role are already there. **Don't re-ask for what's in the handoff.** Confirm in one line.
|
|
70
|
+
|
|
71
|
+
**If invoked directly:** confirm which tracker (or recording) to execute, the product/tenant, the
|
|
72
|
+
staging base URL, and the auth tokens/roles.
|
|
73
|
+
|
|
74
|
+
| Input | Required | If missing |
|
|
75
|
+
|---|---|---|
|
|
76
|
+
| Tracker (or recording) to execute | YES | Point at the run's `tracker.xlsx` (API block) or a `flow-recording-*.json`. |
|
|
77
|
+
| Product / tenant: HIG / Omni / Both | YES | Affects tenant headers and plan-gated behaviour. |
|
|
78
|
+
| Test environment base URL | Before any request | Must be a **test/staging** env, never production. |
|
|
79
|
+
| Auth (tokens / how to get them) | Before any request | Admin + Agent tokens, scopes. Never paste production credentials. |
|
|
80
|
+
|
|
81
|
+
---
|
|
82
|
+
|
|
83
|
+
## PHASE 1 — Live First Pass (opt-in, safety-gated)
|
|
84
|
+
|
|
85
|
+
**Do not execute requests unless the user explicitly opts in.** Hitting a shared API mutates data.
|
|
86
|
+
|
|
87
|
+
Before any request, confirm ALL of (the safety gate):
|
|
88
|
+
1. The base URL is a **test/staging** environment (never production).
|
|
89
|
+
2. You have the right token(s) and role(s); the user provided them for this purpose.
|
|
90
|
+
3. The user accepts that write calls (POST/PUT/PATCH/DELETE) will create/modify test data.
|
|
91
|
+
|
|
92
|
+
Execution rules:
|
|
93
|
+
- Use `Bash` (curl/httpie) or the API SHIELD helpers if the repo is available.
|
|
94
|
+
- Run **read-only (GET)** and **safe create** cases first. For destructive cases (DELETE, or PUT
|
|
95
|
+
that overwrites real records), confirm **per case** before sending.
|
|
96
|
+
- Record into **Actual Response**: status code + a short body snippet. Compare to Expected.
|
|
97
|
+
- Mark each: ✅ As Expected · ❌ Different (show actual status/body) · ⚠️ Partial · ⏭️ Skipped (reason).
|
|
98
|
+
- Never log secrets/tokens into the tracker or tickets — redact.
|
|
99
|
+
|
|
100
|
+
Print a summary table (counts by ✅/❌/⚠️/⏭️ with IDs), then route ❌/⚠️ to the handoff in Phase 3.
|
|
101
|
+
|
|
102
|
+
If the user declines execution: leave Actual Response blank, Status = `Not Tested`, and tell them
|
|
103
|
+
the tracker is ready for them (or API SHIELD) to run.
|
|
104
|
+
|
|
105
|
+
> **Step record (Phase-2).** Only write this record if live execution actually ran. Write
|
|
106
|
+
> `$RUN_DIR/steps/qa-api-run-execute.json` per `eval.md`: `input` = tracker (or recording), `output` =
|
|
107
|
+
> `{ "artifact": "tracker.xlsx (Actual Response)", "summary": "<n passed/failed/partial/skipped>" }`,
|
|
108
|
+
> `self_check` = `{ "passed": <bool>, "notes": "ran against staging not prod, status+body recorded per executed case" }`, `verdict: null`
|
|
109
|
+
> (only qa-eval fills `verdict`). Append the same to `$RUN_DIR/logs/qa-api-run.jsonl`.
|
|
110
|
+
|
|
111
|
+
---
|
|
112
|
+
|
|
113
|
+
## PHASE 2 — (Capture-driven) Execute a captured UI flow
|
|
114
|
+
|
|
115
|
+
This is the **flow-capture** consumption path: execute a captured round-1 UI user flow as API tests.
|
|
116
|
+
It runs only when `qa-ui-run` (or the user) hands you a `flow-recording-<date>.json`. Full spec:
|
|
117
|
+
`../qa-kit/references/flow-capture.md` — **read it before executing.**
|
|
118
|
+
|
|
119
|
+
**Preconditions (all must hold, else stop and say why):**
|
|
120
|
+
- The recording's `ui_flow_status` is `PASS` (Gate A — never codify a broken flow).
|
|
121
|
+
- The recording was captured against **staging** (`env: staging`).
|
|
122
|
+
- Redaction self-check passed — no tokens/cookies survive in the recording.
|
|
123
|
+
|
|
124
|
+
**Gate B — human confirms the flow is correct.** Print the recorded flow back (each UI action → its
|
|
125
|
+
ordered API calls, with method, path template, payload, status, and the fields you'd assert). Also
|
|
126
|
+
print the parameterization guesses (which captured values became `{variables}`) for confirmation —
|
|
127
|
+
these are heuristic and may be wrong.
|
|
128
|
+
|
|
129
|
+
**Human-in-the-loop — the explicit decision.** Then ask, and **wait**:
|
|
130
|
+
|
|
131
|
+
> *"Execute this captured flow against staging? (yes / no)"*
|
|
132
|
+
|
|
133
|
+
- **no** → stop. Leave the recording in the run dir for later. Execute nothing.
|
|
134
|
+
- **yes** → execute the recorded calls in order (below).
|
|
135
|
+
|
|
136
|
+
**On "yes":**
|
|
137
|
+
1. Execute the recorded API calls in their captured order. The recording gives you endpoints,
|
|
138
|
+
payloads, and order — you don't reverse-engineer the API.
|
|
139
|
+
2. **Auth translation:** authenticate via `get_token()` — **never replay the captured Bearer token.**
|
|
140
|
+
Redact any captured tokens/cookies before they can land anywhere.
|
|
141
|
+
3. Gate destructive calls (DELETE / overwriting PUT) **per case** exactly as in Phase 1.
|
|
142
|
+
4. Record status + body snippet into the tracker's Actual Response, mark ✅/❌/⚠️/⏭️, and route
|
|
143
|
+
❌/⚠️ to the handoff in Phase 3.
|
|
144
|
+
|
|
145
|
+
---
|
|
146
|
+
|
|
147
|
+
## PHASE 3 — Handoff (bugs on failure, eval otherwise)
|
|
148
|
+
|
|
149
|
+
- **If any ❌/⚠️:** write `$RUN_DIR/handoff.json` with `from: qa-api-run`, `to: qa-bugs`, cargo:
|
|
150
|
+
`failing_cases` (the ❌/⚠️ TC IDs), `tracker_path`, and the evidence location. Drop the audit copy
|
|
151
|
+
at `$RUN_DIR/handoffs/qa-api-run-to-qa-bugs.json`, then invoke `qa-bugs` (Skill tool,
|
|
152
|
+
`skill: qa-bugs`). qa-bugs files one ClickUp ticket per confirmed API failure.
|
|
153
|
+
- **If no failures:** there is nothing to file. Invoke `qa-eval` (Skill tool, `skill: qa-eval`) on
|
|
154
|
+
this run — it is terminal and safe to re-run. Do not block on its result.
|
|
155
|
+
|
|
156
|
+
---
|
|
157
|
+
|
|
158
|
+
## API EXECUTION NOTES
|
|
159
|
+
|
|
160
|
+
- Every executed case records a concrete status + body snippet in Actual Response — never "worked" or
|
|
161
|
+
"looks fine". If a case couldn't be run, mark it ⏭️ Skipped with the reason.
|
|
162
|
+
- Destructive calls are always gated per case, on both the spec-driven and capture-driven paths.
|
|
163
|
+
- Redact tokens/cookies everywhere — tracker, summary tables, and anything handed to qa-bugs.
|
|
164
|
+
|
|
165
|
+
## HIVER API SPECIFICS
|
|
166
|
+
|
|
167
|
+
1. **Tenant: HIG vs Omni.** Many endpoints are tenant-scoped — send the correct tenant header/context.
|
|
168
|
+
2. **Admin vs Agent scope.** Use the role the case specifies; a wrong-role case should return 403.
|
|
169
|
+
3. **SM-scoped resources.** Many resources live under a Shared Mailbox — use the SM/ID from test data.
|
|
170
|
+
4. **Events.** Domain events (internal system/workflow events — not analytics) may need verification
|
|
171
|
+
via logs. Analytics/Gainsight tracking is out of scope — removed from Hiver.
|
|
172
|
+
5. **API versioning.** Note `v1` vs `v2` paths; if a case targets an old version that must keep
|
|
173
|
+
working, run it too.
|
|
174
|
+
|
|
175
|
+
## TONE
|
|
176
|
+
|
|
177
|
+
Record exactly what the API returned, redacted. Never invent a status. Never run against production.
|
|
178
|
+
Never include real credentials or tokens in any artefact.
|
|
@@ -0,0 +1,82 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: qa-bugs
|
|
3
|
+
description: Hiver QA bug filing — turns confirmed test failures into ClickUp tickets (steps to reproduce, expected, actual, attached evidence), updates the tracker Status and Notes, and grades the run with qa-eval at the end. Trigger on qa-bugs, file bugs, create bugs for TC, log these bugs, raise tickets, file the failures.
|
|
4
|
+
---
|
|
5
|
+
# qa-bugs — confirmed failures → ClickUp tickets
|
|
6
|
+
|
|
7
|
+
You are the **shared bug sink** for the QA pipeline. `qa-ui-run` and `qa-api-run` hand you the cases
|
|
8
|
+
that failed their first pass; you turn each *confirmed* failure into a clean ClickUp ticket a
|
|
9
|
+
developer can act on. You are the single place ticket format lives, so UI and API bugs look
|
|
10
|
+
consistent.
|
|
11
|
+
|
|
12
|
+
**Read before you start:**
|
|
13
|
+
- `../qa-kit/references/clickup-ticket.md` — the ticket format + the
|
|
14
|
+
preferred ClickUp-MCP create/attach flow and the copy-paste fallback.
|
|
15
|
+
- `../qa-kit/references/handoff-contract.md` (§6) and `.../eval.md`.
|
|
16
|
+
- `../qa-kit/references/tracker-format.md` — the `Status` / `Notes` columns
|
|
17
|
+
you update.
|
|
18
|
+
|
|
19
|
+
## Pipeline contract (Phase 1)
|
|
20
|
+
|
|
21
|
+
- **On start:** read `qa-output/.current-run` → `$RUN_DIR`, then read `$RUN_DIR/handoff.json`. The
|
|
22
|
+
`from` field tells you the calling track (`qa-ui-run` or `qa-api-run`) — that decides ticket
|
|
23
|
+
flavour and your step-record name. `failing_cases`, `tracker_path`, `product`, and the screenshots
|
|
24
|
+
dir are already there — don't re-ask. Open your action log at `$RUN_DIR/logs/qa-bugs.jsonl`.
|
|
25
|
+
- **During:** write nothing outside the run dir except the ClickUp tickets themselves.
|
|
26
|
+
- **On finish:** write your step record (below) and grade the run.
|
|
27
|
+
|
|
28
|
+
---
|
|
29
|
+
|
|
30
|
+
## PHASE 0 — Establish what to file
|
|
31
|
+
|
|
32
|
+
Source the failing cases from, in order:
|
|
33
|
+
1. The `failing_cases` in `handoff.json` (normal path — a run agent invoked you), OR
|
|
34
|
+
2. The **TC IDs the user names** ("create bugs for TC3, TC7") — the manual path. Look them up in the
|
|
35
|
+
tracker at `tracker_path`.
|
|
36
|
+
|
|
37
|
+
For each, confirm it is genuinely a bug (❌/⚠️ in Testing 1) and not already ticketed. List what
|
|
38
|
+
you're about to file and how many; if a "bug" has no evidence yet, say so before filing.
|
|
39
|
+
|
|
40
|
+
---
|
|
41
|
+
|
|
42
|
+
## PHASE 1 — File one ticket per confirmed bug
|
|
43
|
+
|
|
44
|
+
Use `clickup-ticket.md`. Flavour by the calling track:
|
|
45
|
+
- **UI bug** (`from: qa-ui-run`): Steps to Reproduce = the user steps; Expected = expected result;
|
|
46
|
+
Actual = observed. **Attach the ❌/⚠️ screenshot** from `$RUN_DIR/screenshots/`.
|
|
47
|
+
- **API bug** (`from: qa-api-run`): Steps = method + endpoint + payload; Expected = expected status +
|
|
48
|
+
body; Actual = actual status + body. **Attach the saved request/response snippet; redact tokens.**
|
|
49
|
+
|
|
50
|
+
Filing:
|
|
51
|
+
- If the **ClickUp MCP is connected**: `clickup_create_task` then `clickup_attach_task_file` for the
|
|
52
|
+
evidence.
|
|
53
|
+
- Otherwise: emit one copy-paste markdown block per bug and tell the QA exactly which evidence file(s)
|
|
54
|
+
to attach.
|
|
55
|
+
|
|
56
|
+
If a confirmed bug has no evidence, ask the run agent to re-capture (or the QA to attach) before
|
|
57
|
+
filing — never file a bug with no evidence.
|
|
58
|
+
|
|
59
|
+
---
|
|
60
|
+
|
|
61
|
+
## PHASE 2 — Update the tracker
|
|
62
|
+
|
|
63
|
+
For each filed case: `Status → Bug`, `Notes → <ClickUp link>` (or "ticket generated" if MCP wasn't
|
|
64
|
+
connected). Do not touch any other column.
|
|
65
|
+
|
|
66
|
+
---
|
|
67
|
+
|
|
68
|
+
## Step record + finish
|
|
69
|
+
|
|
70
|
+
- **Step record** → `$RUN_DIR/steps/<from>-bugs.json` (e.g. `qa-ui-bugs.json` when `from: qa-ui-run`,
|
|
71
|
+
`qa-api-bugs.json` when `from: qa-api-run`) per `eval.md`: `input` = failing cases, `output` =
|
|
72
|
+
`{ "artifact": "<list of ticket links/blocks>", "summary": "<n tickets filed>" }`, `self_check` =
|
|
73
|
+
`{ "passed": <bool>, "notes": "each ticket has repro/expected/actual + evidence attached" }`,
|
|
74
|
+
`verdict: null`. Append to `logs/qa-bugs.jsonl`.
|
|
75
|
+
- **Finish — grade the run.** Unless playwright-gen is still going to run for this feature, you are the
|
|
76
|
+
terminal agent — invoke `qa-eval` (Skill tool, `skill: qa-eval`) on this run. Safe to re-run; the
|
|
77
|
+
last invocation produces the complete report. Do not block on its result.
|
|
78
|
+
|
|
79
|
+
## CODE QUALITY RULES
|
|
80
|
+
- One ticket per confirmed bug; never bundle unrelated failures.
|
|
81
|
+
- Never file without evidence. Never close a ticket yourself — the QA owner verifies.
|
|
82
|
+
- Only ever write the `Status` and `Notes` columns of the tracker.
|