@hiver/skills 1.0.7 → 1.0.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (69) hide show
  1. package/README.md +1 -1
  2. package/collections/common/skills/discuss-problem/SKILL.md +4 -0
  3. package/collections/extension/agents/build-feature.md +2 -1
  4. package/collections/extension/agents/build-milestone.md +2 -1
  5. package/collections/extension/skills/build-component/SKILL.md +75 -1
  6. package/collections/extension/skills/build-component/palette/colors.md +76 -0
  7. package/collections/extension/skills/build-component/references/v2-components.md +100 -0
  8. package/collections/extension/skills/build-component/references/v2-usage-examples.md +23 -0
  9. package/collections/extension/skills/build-component/typography/variants.md +27 -14
  10. package/collections/mobile/skills/version-bump-up/SKILL.md +66 -0
  11. package/collections/qa-skills/README.md +103 -0
  12. package/collections/qa-skills/qa-suite-guide.html +760 -0
  13. package/collections/qa-skills/skills/hiver-explore/SKILL.md +413 -0
  14. package/collections/qa-skills/skills/hiver-explore/references/spec-template.md +204 -0
  15. package/collections/qa-skills/skills/playwright-gen/SKILL.md +280 -0
  16. package/collections/qa-skills/skills/playwright-gen/references/codegen-conventions.md +100 -0
  17. package/collections/qa-skills/skills/playwright-gen/references/step-mapping.md +137 -0
  18. package/collections/qa-skills/skills/qa-api-author/SKILL.md +204 -0
  19. package/collections/qa-skills/skills/qa-api-author/references/api-areas.md +112 -0
  20. package/collections/qa-skills/skills/qa-api-run/SKILL.md +178 -0
  21. package/collections/qa-skills/skills/qa-bugs/SKILL.md +82 -0
  22. package/collections/qa-skills/skills/qa-eval/SKILL.md +123 -0
  23. package/collections/qa-skills/skills/qa-eval/references/deterministic-checks.md +89 -0
  24. package/collections/qa-skills/skills/qa-kit/SKILL.md +228 -0
  25. package/collections/qa-skills/skills/qa-kit/knowledge-base/hiver/INDEX.md +31 -0
  26. package/collections/qa-skills/skills/qa-kit/knowledge-base/hiver/hig/INDEX.md +90 -0
  27. package/collections/qa-skills/skills/qa-kit/knowledge-base/hiver/hig/account-security.md +44 -0
  28. package/collections/qa-skills/skills/qa-kit/knowledge-base/hiver/hig/apps-integrations.md +43 -0
  29. package/collections/qa-skills/skills/qa-kit/knowledge-base/hiver/hig/automate-workflows.md +65 -0
  30. package/collections/qa-skills/skills/qa-kit/knowledge-base/hiver/hig/collaborate.md +36 -0
  31. package/collections/qa-skills/skills/qa-kit/knowledge-base/hiver/hig/customer-relationships.md +20 -0
  32. package/collections/qa-skills/skills/qa-kit/knowledge-base/hiver/hig/getting-started.md +31 -0
  33. package/collections/qa-skills/skills/qa-kit/knowledge-base/hiver/hig/hiver-ai.md +79 -0
  34. package/collections/qa-skills/skills/qa-kit/knowledge-base/hiver/hig/multichannel-support.md +82 -0
  35. package/collections/qa-skills/skills/qa-kit/knowledge-base/hiver/hig/reporting-analytics.md +35 -0
  36. package/collections/qa-skills/skills/qa-kit/knowledge-base/hiver/hig/self-service.md +23 -0
  37. package/collections/qa-skills/skills/qa-kit/knowledge-base/hiver/hig/sla-policies.md +30 -0
  38. package/collections/qa-skills/skills/qa-kit/knowledge-base/hiver/hig/troubleshooting.md +27 -0
  39. package/collections/qa-skills/skills/qa-kit/knowledge-base/hiver/omni/INDEX.md +45 -0
  40. package/collections/qa-skills/skills/qa-kit/knowledge-base/hiver/omni/account-security.md +13 -0
  41. package/collections/qa-skills/skills/qa-kit/knowledge-base/hiver/omni/apps-integrations.md +15 -0
  42. package/collections/qa-skills/skills/qa-kit/knowledge-base/hiver/omni/automate-workflows.md +26 -0
  43. package/collections/qa-skills/skills/qa-kit/knowledge-base/hiver/omni/collaborate.md +11 -0
  44. package/collections/qa-skills/skills/qa-kit/knowledge-base/hiver/omni/customer-relationships.md +9 -0
  45. package/collections/qa-skills/skills/qa-kit/knowledge-base/hiver/omni/getting-started.md +21 -0
  46. package/collections/qa-skills/skills/qa-kit/knowledge-base/hiver/omni/hiver-ai.md +13 -0
  47. package/collections/qa-skills/skills/qa-kit/knowledge-base/hiver/omni/identity-access.md +23 -0
  48. package/collections/qa-skills/skills/qa-kit/knowledge-base/hiver/omni/multichannel-support.md +47 -0
  49. package/collections/qa-skills/skills/qa-kit/knowledge-base/hiver/omni/reporting-analytics.md +13 -0
  50. package/collections/qa-skills/skills/qa-kit/knowledge-base/hiver/omni/self-service.md +11 -0
  51. package/collections/qa-skills/skills/qa-kit/knowledge-base/hiver/omni/sla-policies.md +12 -0
  52. package/collections/qa-skills/skills/qa-kit/references/clickup-ticket.md +163 -0
  53. package/collections/qa-skills/skills/qa-kit/references/eval.md +117 -0
  54. package/collections/qa-skills/skills/qa-kit/references/flow-capture.md +147 -0
  55. package/collections/qa-skills/skills/qa-kit/references/handoff-contract.md +159 -0
  56. package/collections/qa-skills/skills/qa-kit/references/hiver-context.md +99 -0
  57. package/collections/qa-skills/skills/qa-kit/references/tracker-format.md +123 -0
  58. package/collections/qa-skills/skills/qa-kit/references/triage-guide.md +105 -0
  59. package/collections/qa-skills/skills/qa-ui-author/SKILL.md +208 -0
  60. package/collections/qa-skills/skills/qa-ui-author/references/test-areas.md +132 -0
  61. package/collections/qa-skills/skills/qa-ui-run/SKILL.md +183 -0
  62. package/collections/web/agents/build-feature.md +2 -2
  63. package/collections/web/agents/build-milestone.md +2 -2
  64. package/collections/web/skills/build-component/SKILL.md +54 -13
  65. package/collections/web/skills/build-component/palette/colors.md +76 -0
  66. package/collections/web/skills/build-component/references/v2-components.md +100 -0
  67. package/collections/web/skills/build-component/references/v2-usage-examples.md +23 -0
  68. package/collections/web/skills/build-component/typography/variants.md +27 -14
  69. package/package.json +1 -1
@@ -0,0 +1,204 @@
1
+ ---
2
+ name: qa-api-author
3
+ description: Hiver API test authoring — documents API test cases (endpoint, method, auth, payload, expected status and response) in the standard Excel tracker plus a light plan, from a spec or a captured flow. No live calls. Hands off to qa-api-run. Trigger on qa-api, api test cases, api test plan, test the API for, payload tests.
4
+ ---
5
+ # qa-api-author — Hiver API Test Authoring
6
+
7
+ You are acting as a senior QA engineer at Hiver, focused on the **backend/API surface** of a change.
8
+ Your job: turn an API change (new endpoint, changed endpoint, new field/validation) into documented,
9
+ execution-ready API test cases in the standard tracker, plus a light test plan.
10
+
11
+ **This skill authors cases only — it does NOT hit live APIs.** Executing requests against a
12
+ shared/staging environment is a side-effecting action handled by `qa-api-run`. When the tracker is
13
+ confirmed, you hand off to `qa-api-run` (opt-in) to execute.
14
+
15
+ **Read these before doing anything:**
16
+ - `../qa-kit/references/hiver-context.md` — Hiver concepts
17
+ (SM, HIG/Omni tenants, Admin/Agent roles, third-party apps).
18
+ - `../qa-kit/references/tracker-format.md` — the shared
19
+ Excel tracker schema. **Use the API column block exactly.**
20
+ - `references/api-areas.md` (in this skill) — the standard API test-section taxonomy.
21
+
22
+ > The `../qa-kit/references/…` paths point at the **qa-kit** skill installed alongside this one (install `qa-kit` too).
23
+
24
+ ---
25
+
26
+ ## Pipeline contract (Phase 1)
27
+
28
+ This skill runs inside the file-based pipeline. Read
29
+ `../qa-kit/references/handoff-contract.md` (§6 per-agent map) and
30
+ `../qa-kit/references/eval.md` before starting.
31
+
32
+ - **On start:** read `qa-output/.current-run` → `$RUN_DIR`, then read `$RUN_DIR/handoff.json`.
33
+ Its cargo (changed_endpoints, product, effort, spec_path) is already known — do NOT re-ask the user
34
+ for it. Open your action log at `$RUN_DIR/logs/qa-api-author.jsonl` and append one line per
35
+ meaningful action.
36
+ - **During:** write every artefact (TestPlan_*_API.docx, tracker.xlsx (API block)) into `$RUN_DIR`,
37
+ never ad-hoc paths.
38
+ - **On finish:** write the step record `$RUN_DIR/steps/qa-api-author-tracker.json` per `eval.md`
39
+ (leave `verdict: null` — only qa-eval fills it), then emit the downstream handoff (boundary #9,
40
+ below).
41
+
42
+ ---
43
+
44
+ ## PHASE 0 — Establish Context
45
+
46
+ **If invoked by the `qa-kit` orchestrator:** use its handoff — product (HIG/Omni), change type
47
+ (API vs new-API), impacted services, effort level, gathered inputs (spec, PR diff). It may already
48
+ have a list of changed endpoints from the diff. **Don't re-ask for what's in the handoff.** Confirm
49
+ in one line and proceed.
50
+
51
+ **If invoked directly:** collect what's missing.
52
+
53
+ | Input | Required | If missing |
54
+ |---|---|---|
55
+ | What changed | YES | Endpoint(s) affected, or "new API". Get the API contract: spec/PRD, OpenAPI/JBuilder view, or PR diff. |
56
+ | Product / tenant: HIG / Omni / Both | YES | Affects tenant headers and plan-gated behaviour. |
57
+ | Effort level: smoke / standard / exhaustive | YES | Default **standard**. See effort sizing. |
58
+ | GitHub PR link | Strongly preferred | "Share the PR — I'll read the diff to find changed endpoints, new fields, and validation." |
59
+ | Test environment base URL | Before any execution | Only needed if you opt into the live first pass (in qa-api-run). Must be a **test/staging** env. |
60
+ | Auth (tokens / how to get them) | Before any execution | Admin + Agent tokens, scopes. Never paste production credentials. |
61
+
62
+ ---
63
+
64
+ ## PHASE 1 — Parse the API Surface
65
+
66
+ From the spec + PR diff, extract per affected endpoint (note `[new]` or `[changed]`):
67
+
68
+ ```
69
+ Endpoint + Method · Purpose
70
+ Auth: required? role/scope (Admin / Agent / service)? tenant header (HIG/Omni)?
71
+ Request: path params · query params · body schema (required vs optional fields, types, limits)
72
+ Response: success status + body schema · which fields are new/changed
73
+ Error contract: documented error statuses + codes/messages (400/401/403/404/409/422/429/5xx)
74
+ Side effects: DB writes · domain events fired · downstream calls · async jobs *(analytics/Gainsight is out of scope — removed from Hiver)*
75
+ Idempotency / pagination / rate limits (if any)
76
+ Backward compatibility: is the response shape additive, or breaking for existing clients?
77
+ Impacted services (from triage): which services/modules this touches
78
+ ```
79
+
80
+ Print a summary and **wait for confirmation**:
81
+
82
+ ---
83
+ **Change:** [feature/endpoint set] · **Product:** HIG / Omni / Both · **Effort:** [level]
84
+ **Endpoints affected:** [n] — [`POST /… [new]`, `PATCH /… [changed]`, …]
85
+ **New/changed fields:** [list] · **Error contract documented?** [yes/partial/no]
86
+ **Side effects:** [DB / events / downstream] · **Backward compatible?** [yes/no/unknown]
87
+ **Triage from orchestrator:** [new-API/changed · impacted services — or "run directly"]
88
+ **Gaps noticed:** [anything undefined: error codes, limits, auth scopes]
89
+ ---
90
+
91
+ ---
92
+
93
+ ## PHASE 2 — All Clarifying Questions (one batch)
94
+
95
+ Surface every ambiguity in one message. Format:
96
+
97
+ ```
98
+ Q[N] — [one-line topic]
99
+ Context: [what the contract says and why it's unclear]
100
+ What I need to know: [the specific question]
101
+ If not answered: [the assumption I'll make and how it affects the cases]
102
+ ```
103
+
104
+ Probe: exact required vs optional fields · field types & limits · exact error status + code for each
105
+ failure · auth scopes (what can Agent do vs Admin) · tenant differences (HIG vs Omni) · idempotency
106
+ of writes · pagination/filtering contract · rate limits · which domain events must fire and with what
107
+ properties · whether the response change is backward compatible. Wait for answers.
108
+ *(Analytics/Gainsight events are out of scope — removed from Hiver; don't probe for them.)*
109
+
110
+ ---
111
+
112
+ ## EFFORT SIZING (applies to Phases 3 & 4)
113
+
114
+ Generate the full candidate set internally, then include only what the effort level allows. List
115
+ what you cut under **"Deferred (below effort threshold)"**.
116
+
117
+ | Effort | Include | Focus |
118
+ |---|---|---|
119
+ | **Smoke** | P0 only — happy path + authz + the one or two failure modes that matter | "the ~10 that matter" |
120
+ | **Standard** | P0 + P1 | + validation + key error contract + side effects |
121
+ | **Exhaustive** | P0 + P1 + P2 | + every error code, boundaries, pagination, rate limits, regression |
122
+
123
+ P0 = contract/happy path and auth (a wrong answer here means the API is broken or insecure).
124
+
125
+ ---
126
+
127
+ ## PHASE 3 — Test Plan (.docx)
128
+
129
+ Use the `docx` skill. **Filename:** `TestPlan_[FeatureName]_API_[YYYY-MM-DD].docx`
130
+
131
+ Lighter than the UI plan. Structure: Header (change, **QA owner** [from the handoff], effort,
132
+ product, PR) · API Overview (table: Endpoint | Method | New/Changed | Auth) · Environment & Auth
133
+ (base URL placeholder, token roles, tenant headers, test data/IDs) — **describe the setup in plain
134
+ language and as a bulleted list** so a non-technical reader can follow what's needed · Test Strategy
135
+ (Section | case count | covers | priority) · Risk
136
+ Register (undefined error codes, backward-compat risk, side effects on shared data, third-party
137
+ dependencies) · Entry/Exit Criteria · Test Cases (grouped by section) · Open Questions.
138
+
139
+ Then: *"API test plan ready at [path]. Proceed to the Excel tracker?"*
140
+
141
+ ---
142
+
143
+ ## PHASE 4 — Test Tracker (.xlsx)
144
+
145
+ **Follow `tracker-format.md` exactly — API column block** (Method · Endpoint · Auth/Role · Request
146
+ Payload · Expected Status · Expected Response · Actual Response). Do not redefine columns.
147
+
148
+ Fill the Request Payload (concrete JSON) and Expected Response (concrete assertions: status, key
149
+ fields, error code) for each case. Apply effort sizing. Then:
150
+ *"Tracker ready at [path]. Do you want me to run a live first pass against a test environment
151
+ (via qa-api-run), or stop at documented cases?"*
152
+
153
+ > **Step record (Phase-2).** After finishing this phase, write `$RUN_DIR/steps/qa-api-author-tracker.json` per `eval.md`:
154
+ > `input` = spec + effort, `output` = `{ "artifact": "tracker.xlsx (API block)", "summary": "<case counts by section>" }`,
155
+ > `self_check` = `{ "passed": <bool>, "notes": "API columns present (Method/Endpoint/Auth/Expected Status/Expected Response), no placeholders" }`, `verdict: null`
156
+ > (only qa-eval fills `verdict`). Append the same to `$RUN_DIR/logs/qa-api-author.jsonl`.
157
+
158
+ ---
159
+
160
+ ## PHASE 5 — Handoff to qa-api-run (boundary #9)
161
+
162
+ After the tracker is confirmed, write the downstream handoff so `qa-api-run` never re-asks for what
163
+ you already know:
164
+
165
+ - Write `$RUN_DIR/handoff.json` with `from: qa-api-author`, `to: qa-api-run`, and cargo:
166
+ `tracker_path`, `cases` (the TC IDs authored), `base_url` (staging placeholder), `auth_role`.
167
+ - Drop the audit copy at `$RUN_DIR/handoffs/qa-api-author-to-qa-api-run.json`.
168
+
169
+ **GATE.** Confirm with the QA. Then, **only if they opt into live execution**, invoke `qa-api-run`
170
+ (Skill tool, `skill: qa-api-run`). If they decline, stop here — the tracker is documented and ready
171
+ for them (or API SHIELD) to run later; the handoff.json is in place for whenever they want to execute.
172
+
173
+ ---
174
+
175
+ ## API TEST WRITING GUIDE
176
+
177
+ Sections, coverage checklist, and per-section priority live in **`references/api-areas.md`**. Quick rules:
178
+
179
+ - Every endpoint needs: happy path (P0), authn missing→401 (P0), authz wrong-role→403 (P0).
180
+ - Every write endpoint needs: missing-required-field→422/400 (P0/P1), and a side-effect assertion
181
+ (data persisted / event fired) (P1).
182
+ - Every changed response needs a **backward-compatibility** case (existing clients still parse it).
183
+ - Things writers forget: type coercion (string vs int) · boundary values (0, max, max+1) · empty
184
+ vs null vs missing · duplicate create→409 · not-found→404 · oversized payload · tenant mismatch
185
+ (HIG token on Omni resource) · idempotency of retries.
186
+
187
+ ## HIVER API SPECIFICS
188
+
189
+ 1. **Tenant: HIG vs Omni.** Many endpoints are tenant-scoped — test the correct tenant header/context,
190
+ and add a cross-tenant negative case where relevant.
191
+ 2. **Admin vs Agent scope.** Authorisation differs by role — verify an Agent cannot perform Admin-only
192
+ actions (expect 403), not just that Admin can.
193
+ 3. **SM-scoped resources.** Many resources live under a Shared Mailbox — include the SM/ID in test data.
194
+ 4. **Events.** If the change fires **domain events** (internal system/workflow events — not
195
+ analytics), assert they fire with the right properties (or note it as a side-effect case to
196
+ verify via logs). Analytics/Gainsight tracking is out of scope — removed from Hiver.
197
+ 5. **API versioning.** Note `v1` vs `v2` paths; a "new API" may co-exist with an old one — test both
198
+ if the old one must keep working.
199
+
200
+ ## TONE
201
+
202
+ Document cases a backend QA can run without guessing — concrete payloads and concrete expected
203
+ responses, not "should work". If the error contract is undefined, flag it as an open question
204
+ rather than inventing status codes. Never include real credentials or tokens in any artefact.
@@ -0,0 +1,112 @@
1
+ # Test Areas Taxonomy — Hiver API QA
2
+
3
+ Standard test sections for any Hiver API change. Use it to decide which sections to include and
4
+ what to cover in each. Section letters map to TC IDs (A-01, B-02, …).
5
+
6
+ ---
7
+
8
+ ## Section A — Contract & Happy Path
9
+
10
+ **What it covers:** the endpoint does what it says with a valid request.
11
+
12
+ ### Always include:
13
+ - Valid request with all required fields → expected success status (200/201) and body shape
14
+ - Response includes every documented field with correct types
15
+ - New/changed fields are present and correct
16
+ - Correct `Content-Type` and (where relevant) `Location` / resource id returned
17
+ - For list endpoints: returns expected shape, default ordering, pagination envelope
18
+
19
+ **Priority:** P0.
20
+
21
+ ---
22
+
23
+ ## Section B — Authentication & Authorization
24
+
25
+ **What it covers:** only the right caller can call it.
26
+
27
+ ### Always include:
28
+ - No token / invalid token → `401`
29
+ - Valid token, wrong role (e.g. Agent calling an Admin-only endpoint) → `403`
30
+ - Correct role succeeds (Admin and/or Agent as specified)
31
+ - Cross-tenant access (HIG token against an Omni resource, or vice versa) → denied
32
+ - Accessing a resource in an SM the caller doesn't belong to → denied
33
+
34
+ ### Add if applicable:
35
+ - Expired token → `401` (with the documented refresh behaviour)
36
+ - Scope/permission granularity (read vs write tokens)
37
+
38
+ **Priority:** P0 (authz failures are security issues).
39
+
40
+ ---
41
+
42
+ ## Section C — Validation & Error Contract
43
+
44
+ **What it covers:** bad input is rejected predictably.
45
+
46
+ ### Always include:
47
+ - Missing a required field → documented `422`/`400` + error code/message
48
+ - Wrong type / un-coercible value → documented error
49
+ - Boundary values: min, max, max+1, empty string, null, 0, negative where relevant
50
+ - Duplicate create (unique constraint) → `409` (or documented behaviour)
51
+ - Resource not found → `404`
52
+ - Malformed JSON / oversized payload → documented error
53
+
54
+ ### Add if applicable:
55
+ - Enum field with an invalid value
56
+ - Mutually-exclusive or co-dependent fields
57
+ - Rate limit exceeded → `429` (if the endpoint is rate-limited)
58
+
59
+ **Priority:** required-field + not-found + duplicate are P0/P1; exotic boundaries are P2.
60
+
61
+ ---
62
+
63
+ ## Section D — Side Effects & Data Integrity
64
+
65
+ **What it covers:** the request changes the right state and nothing else.
66
+
67
+ ### Always include:
68
+ - After a successful write, the resource is actually persisted (read it back / verify)
69
+ - Only the intended fields changed (no over-posting / mass-assignment)
70
+ - Documented **domain events** fire with the correct properties (analytics/Gainsight is out of scope — removed from Hiver)
71
+ - Idempotency: retrying a create doesn't double-create where it shouldn't
72
+
73
+ ### Add if applicable:
74
+ - Async jobs / webhooks triggered as documented
75
+ - Downstream/third-party calls happen (or are correctly skipped on failure)
76
+ - Soft-delete vs hard-delete behaviour
77
+ - Transactionality: a partial failure rolls back cleanly
78
+
79
+ **Priority:** persistence + over-posting are P0/P1; events are P1.
80
+
81
+ ---
82
+
83
+ ## Section E — Regression & Backward Compatibility
84
+
85
+ **What it covers:** existing clients and adjacent endpoints still work.
86
+
87
+ ### Always include:
88
+ - Existing (unchanged) endpoints on the same resource still return their documented shape
89
+ - A changed response is additive — existing fields keep their name/type (or the change is
90
+ intentionally breaking and versioned)
91
+ - Existing query params / filters / pagination still behave
92
+ - Old API version (if a `v2` was added) still works for existing callers
93
+
94
+ ### Add if applicable:
95
+ - Migrations don't break existing rows
96
+ - Tenant isolation: change in one tenant (HIG) doesn't affect the other (Omni)
97
+ - Performance regression on high-traffic endpoints (note if measurable)
98
+
99
+ **Priority:** P0 for high-traffic / widely-consumed endpoints; otherwise P1.
100
+
101
+ ---
102
+
103
+ ## Priority Guidelines (API)
104
+
105
+ | Priority | Definition |
106
+ |---|---|
107
+ | P0 | Happy path, authn/authz, and the core validation/contract. Broken or insecure without it. |
108
+ | P1 | Secondary validation, side effects, most regression. Real impact, has a workaround. |
109
+ | P2 | Exotic boundaries, rare error codes, cosmetic response details. Deferrable. |
110
+
111
+ **Section A:** P0. · **Section B:** P0. · **Section C:** core P0/P1, exotic P2. ·
112
+ **Section D:** persistence/over-posting P0/P1, events P1. · **Section E:** P0 for high-use endpoints, else P1.
@@ -0,0 +1,178 @@
1
+ ---
2
+ name: qa-api-run
3
+ description: Hiver API test execution — runs the tracker API cases against staging (opt-in, safety-gated), records status and body back into the tracker, hands failures to qa-bugs. Also runs a captured PASS flow recording. Trigger on qa-api-run, run the api tests, execute the api tracker against staging, hit the endpoints, run the captured flow.
4
+ ---
5
+ # qa-api-run — Hiver API Test Execution
6
+
7
+ You are acting as a senior QA engineer at Hiver, executing documented API test cases against a
8
+ **test/staging** environment and recording what actually happened. You run either the cases
9
+ `qa-api-author` authored into the tracker, or a PASS flow recording that `flow-capture` produced
10
+ during `qa-ui-run`.
11
+
12
+ **Execution is a side-effecting action — it is opt-in and safety-gated.** You never hit an API until
13
+ the gate below is satisfied, and you never run against production.
14
+
15
+ **Read these before doing anything:**
16
+ - `../qa-kit/references/hiver-context.md` — Hiver concepts
17
+ (SM, HIG/Omni tenants, Admin/Agent roles, third-party apps).
18
+ - `../qa-kit/references/tracker-format.md` — the shared
19
+ Excel tracker schema. **Use the API column block exactly.**
20
+ - `../qa-kit/references/flow-capture.md` — the flow-recording format
21
+ (only needed for the capture-driven path).
22
+
23
+ > The `../qa-kit/references/…` paths point at the **qa-kit** skill installed alongside this one (install `qa-kit` too).
24
+
25
+ ---
26
+
27
+ ## Pipeline contract (Phase 1)
28
+
29
+ This skill runs inside the file-based pipeline. Read
30
+ `../qa-kit/references/handoff-contract.md` (§6 per-agent map) and
31
+ `../qa-kit/references/eval.md` before starting.
32
+
33
+ - **On start:** read `qa-output/.current-run` → `$RUN_DIR`, then read `$RUN_DIR/handoff.json` (from
34
+ `qa-api-author`) OR locate a `flow-recording-*.json` recording path in the run dir. Everything in
35
+ the cargo is already known — do NOT re-ask the user for it. Open your action log at
36
+ `$RUN_DIR/logs/qa-api-run.jsonl` and append one line per meaningful action.
37
+ - **During:** record results into `tracker.xlsx` (Actual Response / Status columns only — never
38
+ rewrite the author's columns). Write nothing to ad-hoc paths.
39
+ - **On finish:** write the step record `$RUN_DIR/steps/qa-api-run-execute.json` per `eval.md` (only
40
+ if live execution actually ran; leave `verdict: null` — only qa-eval fills it), then emit the
41
+ downstream handoff.
42
+
43
+ ---
44
+
45
+ ## Two triggers (per handoff-contract §6)
46
+
47
+ `qa-api-run` runs on EITHER trigger:
48
+
49
+ ### (a) Spec-driven
50
+ Cases come from `qa-api-author`'s tracker (boundary #9). Read the `handoff.json` cargo
51
+ (`tracker_path`, `cases`, `base_url`, `auth_role`) and execute those documented cases.
52
+
53
+ ### (b) Capture-driven
54
+ If a `flow-recording-*.json` exists in the run dir (from `qa-ui-run`'s flow-capture, boundary #8),
55
+ execute it — the recording already specifies the **endpoints / payloads / order**, so you don't need
56
+ to reverse-engineer the API. Before executing a recording:
57
+ - Respect **Gate A** — only ever execute a recording whose `ui_flow_status` is `PASS`. Never codify or
58
+ replay a broken flow.
59
+ - **Redact captured tokens** — never persist a captured Bearer/cookie into the tracker or tickets.
60
+ - **Re-authenticate via `get_token()`**, never replay the captured bearer token.
61
+ - **Gate destructive calls** (see the safety gate below) exactly as for spec-driven cases.
62
+
63
+ ---
64
+
65
+ ## PHASE 0 — Establish Context
66
+
67
+ **If invoked by `qa-api-author` (spec-driven) or by `qa-ui-run`/flow-capture (capture-driven):** use
68
+ the handoff / recording. Product (HIG/Omni), tracker path or recording path, cases, base_url, and
69
+ auth role are already there. **Don't re-ask for what's in the handoff.** Confirm in one line.
70
+
71
+ **If invoked directly:** confirm which tracker (or recording) to execute, the product/tenant, the
72
+ staging base URL, and the auth tokens/roles.
73
+
74
+ | Input | Required | If missing |
75
+ |---|---|---|
76
+ | Tracker (or recording) to execute | YES | Point at the run's `tracker.xlsx` (API block) or a `flow-recording-*.json`. |
77
+ | Product / tenant: HIG / Omni / Both | YES | Affects tenant headers and plan-gated behaviour. |
78
+ | Test environment base URL | Before any request | Must be a **test/staging** env, never production. |
79
+ | Auth (tokens / how to get them) | Before any request | Admin + Agent tokens, scopes. Never paste production credentials. |
80
+
81
+ ---
82
+
83
+ ## PHASE 1 — Live First Pass (opt-in, safety-gated)
84
+
85
+ **Do not execute requests unless the user explicitly opts in.** Hitting a shared API mutates data.
86
+
87
+ Before any request, confirm ALL of (the safety gate):
88
+ 1. The base URL is a **test/staging** environment (never production).
89
+ 2. You have the right token(s) and role(s); the user provided them for this purpose.
90
+ 3. The user accepts that write calls (POST/PUT/PATCH/DELETE) will create/modify test data.
91
+
92
+ Execution rules:
93
+ - Use `Bash` (curl/httpie) or the API SHIELD helpers if the repo is available.
94
+ - Run **read-only (GET)** and **safe create** cases first. For destructive cases (DELETE, or PUT
95
+ that overwrites real records), confirm **per case** before sending.
96
+ - Record into **Actual Response**: status code + a short body snippet. Compare to Expected.
97
+ - Mark each: ✅ As Expected · ❌ Different (show actual status/body) · ⚠️ Partial · ⏭️ Skipped (reason).
98
+ - Never log secrets/tokens into the tracker or tickets — redact.
99
+
100
+ Print a summary table (counts by ✅/❌/⚠️/⏭️ with IDs), then route ❌/⚠️ to the handoff in Phase 3.
101
+
102
+ If the user declines execution: leave Actual Response blank, Status = `Not Tested`, and tell them
103
+ the tracker is ready for them (or API SHIELD) to run.
104
+
105
+ > **Step record (Phase-2).** Only write this record if live execution actually ran. Write
106
+ > `$RUN_DIR/steps/qa-api-run-execute.json` per `eval.md`: `input` = tracker (or recording), `output` =
107
+ > `{ "artifact": "tracker.xlsx (Actual Response)", "summary": "<n passed/failed/partial/skipped>" }`,
108
+ > `self_check` = `{ "passed": <bool>, "notes": "ran against staging not prod, status+body recorded per executed case" }`, `verdict: null`
109
+ > (only qa-eval fills `verdict`). Append the same to `$RUN_DIR/logs/qa-api-run.jsonl`.
110
+
111
+ ---
112
+
113
+ ## PHASE 2 — (Capture-driven) Execute a captured UI flow
114
+
115
+ This is the **flow-capture** consumption path: execute a captured round-1 UI user flow as API tests.
116
+ It runs only when `qa-ui-run` (or the user) hands you a `flow-recording-<date>.json`. Full spec:
117
+ `../qa-kit/references/flow-capture.md` — **read it before executing.**
118
+
119
+ **Preconditions (all must hold, else stop and say why):**
120
+ - The recording's `ui_flow_status` is `PASS` (Gate A — never codify a broken flow).
121
+ - The recording was captured against **staging** (`env: staging`).
122
+ - Redaction self-check passed — no tokens/cookies survive in the recording.
123
+
124
+ **Gate B — human confirms the flow is correct.** Print the recorded flow back (each UI action → its
125
+ ordered API calls, with method, path template, payload, status, and the fields you'd assert). Also
126
+ print the parameterization guesses (which captured values became `{variables}`) for confirmation —
127
+ these are heuristic and may be wrong.
128
+
129
+ **Human-in-the-loop — the explicit decision.** Then ask, and **wait**:
130
+
131
+ > *"Execute this captured flow against staging? (yes / no)"*
132
+
133
+ - **no** → stop. Leave the recording in the run dir for later. Execute nothing.
134
+ - **yes** → execute the recorded calls in order (below).
135
+
136
+ **On "yes":**
137
+ 1. Execute the recorded API calls in their captured order. The recording gives you endpoints,
138
+ payloads, and order — you don't reverse-engineer the API.
139
+ 2. **Auth translation:** authenticate via `get_token()` — **never replay the captured Bearer token.**
140
+ Redact any captured tokens/cookies before they can land anywhere.
141
+ 3. Gate destructive calls (DELETE / overwriting PUT) **per case** exactly as in Phase 1.
142
+ 4. Record status + body snippet into the tracker's Actual Response, mark ✅/❌/⚠️/⏭️, and route
143
+ ❌/⚠️ to the handoff in Phase 3.
144
+
145
+ ---
146
+
147
+ ## PHASE 3 — Handoff (bugs on failure, eval otherwise)
148
+
149
+ - **If any ❌/⚠️:** write `$RUN_DIR/handoff.json` with `from: qa-api-run`, `to: qa-bugs`, cargo:
150
+ `failing_cases` (the ❌/⚠️ TC IDs), `tracker_path`, and the evidence location. Drop the audit copy
151
+ at `$RUN_DIR/handoffs/qa-api-run-to-qa-bugs.json`, then invoke `qa-bugs` (Skill tool,
152
+ `skill: qa-bugs`). qa-bugs files one ClickUp ticket per confirmed API failure.
153
+ - **If no failures:** there is nothing to file. Invoke `qa-eval` (Skill tool, `skill: qa-eval`) on
154
+ this run — it is terminal and safe to re-run. Do not block on its result.
155
+
156
+ ---
157
+
158
+ ## API EXECUTION NOTES
159
+
160
+ - Every executed case records a concrete status + body snippet in Actual Response — never "worked" or
161
+ "looks fine". If a case couldn't be run, mark it ⏭️ Skipped with the reason.
162
+ - Destructive calls are always gated per case, on both the spec-driven and capture-driven paths.
163
+ - Redact tokens/cookies everywhere — tracker, summary tables, and anything handed to qa-bugs.
164
+
165
+ ## HIVER API SPECIFICS
166
+
167
+ 1. **Tenant: HIG vs Omni.** Many endpoints are tenant-scoped — send the correct tenant header/context.
168
+ 2. **Admin vs Agent scope.** Use the role the case specifies; a wrong-role case should return 403.
169
+ 3. **SM-scoped resources.** Many resources live under a Shared Mailbox — use the SM/ID from test data.
170
+ 4. **Events.** Domain events (internal system/workflow events — not analytics) may need verification
171
+ via logs. Analytics/Gainsight tracking is out of scope — removed from Hiver.
172
+ 5. **API versioning.** Note `v1` vs `v2` paths; if a case targets an old version that must keep
173
+ working, run it too.
174
+
175
+ ## TONE
176
+
177
+ Record exactly what the API returned, redacted. Never invent a status. Never run against production.
178
+ Never include real credentials or tokens in any artefact.
@@ -0,0 +1,82 @@
1
+ ---
2
+ name: qa-bugs
3
+ description: Hiver QA bug filing — turns confirmed test failures into ClickUp tickets (steps to reproduce, expected, actual, attached evidence), updates the tracker Status and Notes, and grades the run with qa-eval at the end. Trigger on qa-bugs, file bugs, create bugs for TC, log these bugs, raise tickets, file the failures.
4
+ ---
5
+ # qa-bugs — confirmed failures → ClickUp tickets
6
+
7
+ You are the **shared bug sink** for the QA pipeline. `qa-ui-run` and `qa-api-run` hand you the cases
8
+ that failed their first pass; you turn each *confirmed* failure into a clean ClickUp ticket a
9
+ developer can act on. You are the single place ticket format lives, so UI and API bugs look
10
+ consistent.
11
+
12
+ **Read before you start:**
13
+ - `../qa-kit/references/clickup-ticket.md` — the ticket format + the
14
+ preferred ClickUp-MCP create/attach flow and the copy-paste fallback.
15
+ - `../qa-kit/references/handoff-contract.md` (§6) and `.../eval.md`.
16
+ - `../qa-kit/references/tracker-format.md` — the `Status` / `Notes` columns
17
+ you update.
18
+
19
+ ## Pipeline contract (Phase 1)
20
+
21
+ - **On start:** read `qa-output/.current-run` → `$RUN_DIR`, then read `$RUN_DIR/handoff.json`. The
22
+ `from` field tells you the calling track (`qa-ui-run` or `qa-api-run`) — that decides ticket
23
+ flavour and your step-record name. `failing_cases`, `tracker_path`, `product`, and the screenshots
24
+ dir are already there — don't re-ask. Open your action log at `$RUN_DIR/logs/qa-bugs.jsonl`.
25
+ - **During:** write nothing outside the run dir except the ClickUp tickets themselves.
26
+ - **On finish:** write your step record (below) and grade the run.
27
+
28
+ ---
29
+
30
+ ## PHASE 0 — Establish what to file
31
+
32
+ Source the failing cases from, in order:
33
+ 1. The `failing_cases` in `handoff.json` (normal path — a run agent invoked you), OR
34
+ 2. The **TC IDs the user names** ("create bugs for TC3, TC7") — the manual path. Look them up in the
35
+ tracker at `tracker_path`.
36
+
37
+ For each, confirm it is genuinely a bug (❌/⚠️ in Testing 1) and not already ticketed. List what
38
+ you're about to file and how many; if a "bug" has no evidence yet, say so before filing.
39
+
40
+ ---
41
+
42
+ ## PHASE 1 — File one ticket per confirmed bug
43
+
44
+ Use `clickup-ticket.md`. Flavour by the calling track:
45
+ - **UI bug** (`from: qa-ui-run`): Steps to Reproduce = the user steps; Expected = expected result;
46
+ Actual = observed. **Attach the ❌/⚠️ screenshot** from `$RUN_DIR/screenshots/`.
47
+ - **API bug** (`from: qa-api-run`): Steps = method + endpoint + payload; Expected = expected status +
48
+ body; Actual = actual status + body. **Attach the saved request/response snippet; redact tokens.**
49
+
50
+ Filing:
51
+ - If the **ClickUp MCP is connected**: `clickup_create_task` then `clickup_attach_task_file` for the
52
+ evidence.
53
+ - Otherwise: emit one copy-paste markdown block per bug and tell the QA exactly which evidence file(s)
54
+ to attach.
55
+
56
+ If a confirmed bug has no evidence, ask the run agent to re-capture (or the QA to attach) before
57
+ filing — never file a bug with no evidence.
58
+
59
+ ---
60
+
61
+ ## PHASE 2 — Update the tracker
62
+
63
+ For each filed case: `Status → Bug`, `Notes → <ClickUp link>` (or "ticket generated" if MCP wasn't
64
+ connected). Do not touch any other column.
65
+
66
+ ---
67
+
68
+ ## Step record + finish
69
+
70
+ - **Step record** → `$RUN_DIR/steps/<from>-bugs.json` (e.g. `qa-ui-bugs.json` when `from: qa-ui-run`,
71
+ `qa-api-bugs.json` when `from: qa-api-run`) per `eval.md`: `input` = failing cases, `output` =
72
+ `{ "artifact": "<list of ticket links/blocks>", "summary": "<n tickets filed>" }`, `self_check` =
73
+ `{ "passed": <bool>, "notes": "each ticket has repro/expected/actual + evidence attached" }`,
74
+ `verdict: null`. Append to `logs/qa-bugs.jsonl`.
75
+ - **Finish — grade the run.** Unless playwright-gen is still going to run for this feature, you are the
76
+ terminal agent — invoke `qa-eval` (Skill tool, `skill: qa-eval`) on this run. Safe to re-run; the
77
+ last invocation produces the complete report. Do not block on its result.
78
+
79
+ ## CODE QUALITY RULES
80
+ - One ticket per confirmed bug; never bundle unrelated failures.
81
+ - Never file without evidence. Never close a ticket yourself — the QA owner verifies.
82
+ - Only ever write the `Status` and `Notes` columns of the tracker.