npm - @skyramp/mcp - Versions diffs - 0.0.63-rc.5 → 0.0.63-rc.7 - Mend

@skyramp/mcp 0.0.63-rc.5 → 0.0.63-rc.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (30) hide show

package/build/index.js CHANGED Viewed

@@ -23,6 +23,7 @@ import { registerRecommendTestsPrompt } from "./prompts/test-recommendation/regi
 import { registerModularizationTool } from "./tools/code-refactor/modularizationTool.js";
 import { registerCodeReuseTool } from "./tools/code-refactor/codeReuseTool.js";
 import { registerScenarioTestTool } from "./tools/generate-tests/generateScenarioRestTool.js";
+import { registerMockTool } from "./tools/generate-tests/generateMockRestTool.js";
 import { registerAnalyzeChangesTool, registerAnalyzeTestHealthTool, registerExecuteTestsTool, registerActionsTool, registerStateCleanupTool, } from "./tools/test-management/index.js";
 import { registerTestbotPrompt, registerTestbotResource, } from "./prompts/testbot/testbot-prompts.js";
 import { registerSubmitReportTool } from "./tools/submitReportTool.js";
@@ -177,6 +178,7 @@ const testGenerationTools = [
     registerE2ETestTool,
     registerUITestTool,
     registerScenarioTestTool,
+    registerMockTool,
 ];
 testGenerationTools.forEach((registerTool) => registerTool(server));
 // Register modularization and code quality tools

package/build/prompts/test-recommendation/analysisOutputPrompt.js CHANGED Viewed

@@ -14,9 +14,14 @@ Read \`package.json\` / \`requirements.txt\`, \`docker-compose.yml\`, route/cont
 and model/schema files (Zod schemas, Pydantic models, TypeScript interfaces, DTOs)
 to understand the tech stack, endpoint shapes, auth mechanisms, and request/response schemas.
-### Step 2: Identify resource relationships
+### Step 2: Identify resource relationships and parameter locations
 Map how endpoints relate to each other — which POST creates resources consumed by other endpoints?
 **Resolve nested/sub-router paths** from the Router Mounting section above.
+**CRITICAL — Distinguish query params vs request body:** For each endpoint, determine whether
+parameters are sent as URL query params (typical for GET search/filter/list) or request body
+(typical for POST/PUT/PATCH). Look at FastAPI \`Query()\` annotations, Express \`req.query\` usage,
+Spring \`@RequestParam\`, Flask \`request.args\`, etc. Populate \`queryParams\` in interactions
+for GET endpoints that accept search/filter/pagination parameters.
 ${nextStep}`;
     }
@@ -28,7 +33,11 @@ ${nextStep}`;
 Read handler code for the changed endpoints and their model/schema files (Zod schemas,
 Pydantic models, DTOs) to understand request/response shapes. Find related endpoints via
 imports, shared models, adjacent route files. Resolve nested/sub-router paths from Router
-Mounting context.`
+Mounting context.
+**CRITICAL — Query params vs body:** For GET endpoints (especially search/filter/list),
+identify which parameters are URL query params vs request body. Look at framework-specific
+annotations (FastAPI \`Query()\`, Express \`req.query\`, Spring \`@RequestParam\`, etc.).
+Pass these as \`queryParams\` (not \`requestBody\`) when generating scenarios.`
         : isUIOnly
             ? `### Step 2: Identify consumed API endpoints
 UI-only PR — read changed components to find API calls (fetch, axios, hooks).`
@@ -50,11 +59,13 @@ Call \`skyramp_analyze_test_health\` with \`stateFile: "${p.stateFile ?? p.sessi
         : `### Step 3: Draft integration scenarios
 Draft multi-step scenarios simulating realistic user workflows:
 - **Cross-resource data flow**: Foreign key relationships, parent→child creation, verification
-- **Search/filter verification**: Create data, search, verify results
+- **Search/filter verification**: Create data, search for it using \`queryParams\`, verify results
 - **Negative/error paths**: Invalid references → appropriate errors
 - **UI user journeys**: Concrete browser steps for frontend changes
-**Quality:** Realistic request bodies, response data verification, actual field names for chaining.
+**Quality:** Realistic request bodies for POST/PUT/PATCH, \`queryParams\` for GET search/filter,
+response data verification, actual field names for chaining.
+**Parameter placement:** GET search/filter endpoints MUST use \`queryParams\`, not \`requestBody\`.
 ### Step 4: Call recommend tests
 Call \`skyramp_recommend_tests\` with \`sessionId: "${p.sessionId}"\``;

package/build/prompts/test-recommendation/recommendationSections.js CHANGED Viewed

@@ -20,6 +20,9 @@ export function getAuthSnippets(authHeaderValue) {
     }
     return { authSchemeSnippet: "", authTokenSnippet: "" };
 }
+export const PATH_PARAM_UUID_GUIDANCE = `**Path parameters:** keep the placeholder in \`endpointURL\` (e.g. \`/coupons/{coupon_id}\`). ` +
+    `Pass the value via \`pathParams\` (e.g. \`coupon_id=<random-uuid-v4>\`). ` +
+    `Use example values from the OpenAPI schema if available; otherwise generate a fresh random UUID v4 — not all-zeros or repeated-digit patterns.`;
 export function buildPrioritizationDimensions() {
     return `## Prioritization Dimensions (evaluate each candidate test)
@@ -145,7 +148,27 @@ replace them with accurate ones.
 **Available test types:**
 - **Integration** — multi-endpoint workflows that chain data across resources
-- **Contract** — response schema validation for new/changed endpoints
+- **Contract** — validates API contracts between services. Two distinct modes — choose based on role:
+  - **Provider contract test** (\`providerMode: true\`): Recommend when this codebase IS the API provider/owner.
+    Use when: new endpoints are added, existing responses are modified, an OpenAPI spec exists to validate against,
+    or you need to verify the implementation still honors its contracts after a code change.
+    The test calls the real provider and asserts the response conforms to the spec.
+  - **Consumer contract test** (\`consumerMode: true\`): Recommend when this codebase CALLS another service's API.
+    Use when: the service makes outbound HTTP calls to downstream APIs, you need to verify outbound requests
+    conform to the downstream contract, or you want to catch consumer-side drift before it reaches the provider.
+    The test uses a request-aware mock as the provider — no live downstream service needed.
+  - **Both modes** (\`providerMode: true, consumerMode: true\`): Recommend for service boundaries where this
+    codebase is simultaneously an API owner (upstream) AND a client of another service (downstream).
+  - **Default (neither set)**: generates a standard contract test equivalent to both modes. Use only when
+    the role is unclear or as a fallback when no spec is available.
+**Signal for consumer contract test:** Look for outbound HTTP client code (fetch, axios, httpx, requests, http.Client),
+service client classes, or calls to external base URLs in the codebase. If an endpoint's implementation
+makes downstream calls, that downstream boundary is a consumer contract test candidate.
+**Signal for provider contract test:** Look for new or modified endpoint handlers, route changes, response
+shape modifications, or the presence of an OpenAPI spec. If the diff adds/changes an endpoint this service owns,
+that is a provider contract test candidate.
 **Do NOT recommend Fuzz tests.** Fuzz testing is available as a manual tool but must not appear in automated recommendations.
 - **E2E** — user journeys spanning frontend to backend (needs Playwright traces)
@@ -170,7 +193,11 @@ export function buildToolWorkflows(authHeaderValue, authTypeValue = "") {
     let authGuidance;
     let authParams;
     if (noAuth) {
-        authGuidance = "";
+        authGuidance = `**Auth Verification Required:** The workspace config indicates no authentication, but you MUST verify this independently before omitting auth:
+1. **OpenAPI spec** \u2192 check \`securitySchemes\` / \`securityDefinitions\` for \`type: http\`, \`type: apiKey\`, or \`type: oauth2\`
+2. **Source code** \u2192 look for auth middleware (\`passport\`, \`jwt.verify\`, \`authMiddleware\`, \`@requires_auth\`, \`Depends(get_current_user)\`, \`@UseGuards\`), route guards, or token extraction logic
+3. **Route definitions** \u2192 check if routes have auth decorators or middleware applied
+If you find auth requirements, pass the appropriate \`authHeader\` (e.g., "Authorization") and \`authScheme\` (e.g., "Bearer") to EVERY tool call. Only pass \`authHeader: ""\` if you confirm the API is truly unauthenticated.`;
         authParams = { authHeader: "" };
     }
     else if (isAuthorizationHeader) {
@@ -203,7 +230,7 @@ To skip auth for unauthenticated endpoints, pass \`authHeader: ""\`.`;
     }
     const authCallParams = serializeAuthCallParams(authParams);
     const authHeaderLine = noAuth
-        ? `**No Auth:** This API does not require authentication. Pass \`authHeader: ""\` or omit auth params.`
+        ? `**No Auth (from workspace config):** Workspace indicates no authentication. **Verify independently** — if you find auth in the OpenAPI spec or source code, override with the correct \`authHeader\` and \`authScheme\`.`
         : `**Auth params:** \`${authCallParams}\` — pass to EVERY tool call below.`;
     return `## How to Generate Tests — Tool Workflows
@@ -212,10 +239,14 @@ ${authGuidance}
 **For multi-endpoint workflows (integration tests) — Scenario → Integration pipeline:**
 1. Call \`skyramp_scenario_test_generation\` once per step: \`scenarioName\`, \`destination\`,
-   \`baseURL\`, \`method\`, \`path\`, \`requestBody\`, \`responseBody\`, \`${authCallParams}\`.
+   \`baseURL\`, \`method\`, \`path\`, \`requestBody\` OR \`queryParams\`, \`responseBody\`, \`${authCallParams}\`.
    \`statusCode\` is optional — defaults: POST→201, DELETE→204, GET/PUT/PATCH→200. Only override for non-standard codes.
    **OpenAPI spec is NOT required.** \`apiSchema\` is OPTIONAL — omit it if no spec exists.
-   \`requestBody\` should use realistic field values from source code schemas (Zod, Pydantic, DTOs).
+   **CRITICAL — Query params vs request body:**
+   - For **POST/PUT/PATCH**: use \`requestBody\` with realistic field values from source code schemas.
+   - For **GET/DELETE with search/filter/pagination**: use \`queryParams\` (JSON string, e.g., \`{"q": "bear", "limit": 10}\`).
+     NEVER put query parameters in \`requestBody\` for GET requests — GET request bodies are non-standard and may be ignored or rejected.
+   - For **GET by ID**: no \`requestBody\` or \`queryParams\` needed — the ID is in the path.
    \`responseBody\` should match the actual API response shape from source code (including all fields
    returned by the controller — e.g., \`id\`, \`ownerId\`, \`createdAt\`, included relations like \`collection\`, \`tags\`).
    Wrap in \`{"response": ...}\` if the API uses an envelope pattern. If omitted, a synthetic response is generated.
@@ -233,6 +264,16 @@ ${authGuidance}
 If an OpenAPI spec exists, ALSO pass \`apiSchema\` — it enables schema-aware validation
 (contract tests verify response structure against the spec).
 Without a spec, \`endpointURL\` alone is sufficient.
+${PATH_PARAM_UUID_GUIDANCE}
+**Contract test mode selection — set based on this service's role at the boundary:**
+- \`providerMode: true\` — this service IS the API; validates the implementation matches the spec.
+  Use for new or modified endpoints this codebase owns, especially when an OpenAPI spec is present.
+- \`consumerMode: true\` — this service CALLS another API; validates outbound requests conform to the downstream contract.
+  Use when the endpoint's implementation makes HTTP calls to external services (look for fetch/axios/httpx/http.Client/service clients).
+  A request-aware mock stands in for the real downstream service — no live dependency needed.
+- Both — use when the service boundary is both a provider (owns an API) and a consumer (calls a downstream API).
+- Neither (default) — use only when the role is ambiguous or no spec is available.
 **For UI tests (no Playwright recording):**
 1. \`skyramp_start_trace_collection\` (playwright: true)

package/build/prompts/test-recommendation/test-recommendation-prompt.js CHANGED Viewed

@@ -108,9 +108,10 @@ Affected services: ${diffContext.affectedServices.join(", ") || "N/A"}
         const detailBlocks = detailEndpoints
             .flatMap((ep) => (ep.methods ?? []).flatMap((m) => (m.interactions ?? []).map((i) => {
             const reqBody = i.request.body ? `\n    requestBody: ${JSON.stringify(i.request.body)}` : "";
+            const qParams = i.request.queryParams ? `\n    queryParams: ${JSON.stringify(i.request.queryParams)}` : "";
             const resBody = i.response.body ? `\n    responseBody: ${JSON.stringify(i.response.body)}` : "";
             const headers = i.request.headers ? `\n    headers: ${JSON.stringify(i.request.headers)}` : "";
-            return `  ${m.method} ${ep.path} → ${i.response.statusCode} (${i.type}): ${i.description}${reqBody}${resBody}${headers}`;
+            return `  ${m.method} ${ep.path} → ${i.response.statusCode} (${i.type}): ${i.description}${reqBody}${qParams}${resBody}${headers}`;
         })))
             .join("\n");
         interactionSection = `
@@ -118,7 +119,7 @@ Affected services: ${diffContext.affectedServices.join(", ") || "N/A"}
 ${summaryLines}
 ### Detailed (request/response bodies)
-${isDiffScope ? "Changed endpoints only. " : ""}Use source code schemas (Zod/Pydantic/DTOs) for actual request bodies.
+${isDiffScope ? "Changed endpoints only. " : ""}Use source code schemas (Zod/Pydantic/DTOs) for actual request bodies and query parameters.
 ${detailBlocks}
 `;
     }
@@ -131,24 +132,51 @@ ${detailBlocks}
             const scenarioBlocks = scenarios
                 .map((s) => {
                 const stepLines = s.steps.map((st) => `      ${st.order ?? ""}. **${st.method} ${st.path}** → ${st.expectedStatusCode ?? 200}: ${st.description || ""}`).join("\n");
-                const toolCalls = s.steps.map((st) => `      skyramp_scenario_test_generation({ scenarioName: "${s.scenarioName}", destination: "${s.scenarioName}", baseURL: "${baseUrl}", method: "${st.method}", path: "${st.path}", statusCode: ${st.expectedStatusCode ?? 200}, authHeader: "${authHeaderValue}"${authSchemeSnippet}${authTokenSnippet}, requestBody: <from source schemas for ${st.method} ${st.path}> })`).join("\n");
+                const toolCalls = s.steps.map((st) => {
+                    const isBodyMethod = ["POST", "PUT", "PATCH"].includes(st.method);
+                    const hasQueryParams = st.queryParams && Object.keys(st.queryParams).length > 0;
+                    const isIdPath = /\{\w+\}$/.test(st.path);
+                    let dataParam;
+                    if (isBodyMethod) {
+                        dataParam = `requestBody: <from source schemas for ${st.method} ${st.path}>`;
+                    }
+                    else if (hasQueryParams) {
+                        dataParam = `queryParams: '${JSON.stringify(st.queryParams)}'`;
+                    }
+                    else if (isIdPath) {
+                        dataParam = "";
+                    }
+                    else {
+                        dataParam = `queryParams: <derive from source code for ${st.method} ${st.path} as a JSON string of URL query params>`;
+                    }
+                    const dataSnippet = dataParam ? `, ${dataParam}` : "";
+                    const authSnippet = authHeaderValue
+                        ? `, authHeader: "${authHeaderValue}"${authSchemeSnippet}${authTokenSnippet}`
+                        : `, authHeader: <determine from OpenAPI spec securitySchemes or source code auth middleware — use "" ONLY if confirmed unauthenticated>`;
+                    return `      skyramp_scenario_test_generation({ scenarioName: "${s.scenarioName}", destination: "${s.scenarioName}", baseURL: "${baseUrl}", method: "${st.method}", path: "${st.path}", statusCode: ${st.expectedStatusCode ?? 200}${authSnippet}${dataSnippet} })`;
+                }).join("\n");
                 return (`  ### ${s.scenarioName} (${s.category}, ${s.priority})\n` +
                     `  ${s.description}\n` +
                     `  **Steps:**\n${stepLines}\n` +
                     `  **Chaining keys:** ${s.chainingKeys.join(", ") || "none"}\n` +
                     `  **Tool calls:**\n${toolCalls}\n` +
-                    `  Then: skyramp_integration_test_generation({ scenarioFile: "scenario_${s.scenarioName}.json", authHeader: "${authHeaderValue}"${authSchemeSnippet}${authTokenSnippet} })`);
+                    `  Then: skyramp_integration_test_generation({ scenarioFile: "scenario_${s.scenarioName}.json"${authHeaderValue ? `, authHeader: "${authHeaderValue}"${authSchemeSnippet}${authTokenSnippet}` : `, authHeader: <same auth as scenario calls above>`} })`);
             })
                 .join("\n\n");
+            const authWarning = !authHeaderValue
+                ? `\n**WARNING — No auth configured.** Before generating scenarios without auth, verify the API does not require authentication by checking the OpenAPI spec \`securitySchemes\` and source code auth middleware. If auth is needed, include \`authHeader\` (and \`authScheme\` if applicable) in every \`skyramp_scenario_test_generation\` call.\n`
+                : "";
             scenarioSection = `
 ## Drafted Scenarios
-**Base URL:** \`${baseUrl}\` | **Auth:** \`${authHeaderValue}\`${authTypeValue ? ` | **Auth type:** \`${authTypeValue}\`` : ""}
+**Base URL:** \`${baseUrl}\` | **Auth:** \`${authHeaderValue || "none (verify independently)"}\`${authTypeValue ? ` | **Auth type:** \`${authTypeValue}\`` : ""}${authWarning}
 Only use scenarios where resources are ACTUALLY related in the codebase. Replace any
 scenario that pairs unrelated resources with one reflecting real foreign key relationships.
 **Quality bar:** Realistic request bodies, actual foreign keys for chaining, response data
 verification (not just status codes), realistic test data (not "test product").
+**Query vs Body:** For GET/DELETE requests, use \`queryParams\` (not \`requestBody\`) for search terms,
+filters, pagination. Only POST/PUT/PATCH use \`requestBody\`.
 **Path verification:** Cross-reference paths against Router Mounting context — use correct
 nested paths. **Request bodies:** Replace placeholders with actual schemas from source code.
@@ -164,7 +192,8 @@ Draft at least 2-3 MEANINGFUL scenarios based on your codebase analysis:
 2. **Search/filter + verify** — create data, search, verify results
 3. **Error handling** — invalid cross-resource references → appropriate errors
-Use base URL: \`${analysis.apiEndpoints.baseUrl}\` and auth: \`${authHeaderValue}\`${authTypeValue ? ` (auth type: \`${authTypeValue}\`)` : ""}.
+Use base URL: \`${analysis.apiEndpoints.baseUrl}\` and auth: \`${authHeaderValue || "none — verify independently from OpenAPI spec and source code"}\`${authTypeValue ? ` (auth type: \`${authTypeValue}\`)` : ""}.
+${!authHeaderValue ? "**Verify auth requirements** from OpenAPI spec and source code before omitting auth headers." : ""}
 `;
         }
     }

package/build/prompts/test-recommendation/test-recommendation-prompt.test.js CHANGED Viewed

@@ -2,7 +2,7 @@ jest.mock("@skyramp/skyramp", () => ({
     WorkspaceConfigManager: { create: jest.fn() },
 }));
 import { buildRecommendationPrompt } from "./test-recommendation-prompt.js";
-import { buildCoverageChecklist, MAX_CRITICAL_TESTS, MAX_TESTS_TO_GENERATE } from "./recommendationSections.js";
+import { buildCoverageChecklist, PATH_PARAM_UUID_GUIDANCE, MAX_CRITICAL_TESTS, MAX_TESTS_TO_GENERATE } from "./recommendationSections.js";
 // ---------------------------------------------------------------------------
 // Minimal fixtures
 // ---------------------------------------------------------------------------
@@ -242,6 +242,7 @@ describe("buildRecommendationPrompt — PR History section", () => {
         expect(getOccurrences).toBe(1);
         expect(recSection).toContain("contract — POST /api/items");
     });
+    // Ensure de-duplicates across different scenarios independently
     it("de-duplicates across different scenarios independently", () => {
         const ctx = makePRContext({
             previousRecommendations: [
@@ -286,3 +287,42 @@ describe("buildCoverageChecklist — Recommendation Stability section", () => {
         expect(checklist).toContain(`up to ${Math.min(MAX_CRITICAL_TESTS, MAX_TESTS_TO_GENERATE)} of the ${MAX_TESTS_TO_GENERATE} generated tests MUST be from critical categories`);
     });
 });
+// ---------------------------------------------------------------------------
+// Tests — PATH_PARAM_UUID_GUIDANCE (no hardcoded UUID anchor)
+// ---------------------------------------------------------------------------
+const UUID_V4_REGEX = /[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}/i;
+describe("PATH_PARAM_UUID_GUIDANCE — no hardcoded UUID anchor", () => {
+    it("contains no hardcoded UUID that the LLM could anchor to", () => {
+        expect(PATH_PARAM_UUID_GUIDANCE).not.toMatch(UUID_V4_REGEX);
+    });
+    it("uses <random-uuid-v4> as the placeholder in the pathParams example", () => {
+        expect(PATH_PARAM_UUID_GUIDANCE).toContain("<random-uuid-v4>");
+    });
+    it("instructs the LLM to generate a fresh UUID v4", () => {
+        expect(PATH_PARAM_UUID_GUIDANCE).toContain("generate a fresh random UUID v4");
+    });
+    it("is included in the recommendation prompt for an endpoint with a UUID path param", () => {
+        const analysis = minimalAnalysis({
+            apiEndpoints: {
+                totalCount: 1,
+                baseUrl: "http://localhost:3000",
+                endpoints: [{
+                        path: "/api/items/{item_id}",
+                        resourceGroup: "items",
+                        pathParams: [{ name: "item_id", type: "string", required: true }],
+                        methods: [{
+                                method: "GET",
+                                description: "Get item by ID",
+                                queryParams: [],
+                                authRequired: false,
+                                sourceFile: "routes/items.ts",
+                                interactions: [{ description: "success", type: "success", request: {}, response: { statusCode: 200, description: "OK" } }],
+                            }],
+                    }],
+            },
+        });
+        const prompt = buildRecommendationPrompt(analysis, "current_branch_diff", 10);
+        expect(prompt).toContain("<random-uuid-v4>");
+        expect(prompt).not.toMatch(UUID_V4_REGEX);
+    });
+});

package/build/prompts/testbot/testbot-prompts.js CHANGED Viewed

@@ -2,7 +2,7 @@ import { ResourceTemplate, } from "@modelcontextprotocol/sdk/server/mcp.js";
 import { z } from "zod";
 import { logger } from "../../utils/logger.js";
 import { AnalyticsService } from "../../services/AnalyticsService.js";
-import { MAX_TESTS_TO_GENERATE, MAX_RECOMMENDATIONS, MAX_CRITICAL_TESTS } from "../test-recommendation/recommendationSections.js";
+import { MAX_TESTS_TO_GENERATE, MAX_RECOMMENDATIONS, MAX_CRITICAL_TESTS, PATH_PARAM_UUID_GUIDANCE } from "../test-recommendation/recommendationSections.js";
 function getTestbotPrompt(prTitle, prDescription, diffFile, testDirectory, summaryOutputFile, repositoryPath, baseBranch, maxRecommendations = MAX_RECOMMENDATIONS, maxGenerate = MAX_TESTS_TO_GENERATE, maxCritical = MAX_CRITICAL_TESTS, prNumber, userPrompt) {
     const promptSection = userPrompt ? `## Follow-up Request via @skyramp-testbot
@@ -119,6 +119,7 @@ Generate a net-new test. Use a unique descriptive filename to avoid overwriting
   For internal/microservice APIs: add \`providerMode: true\` to verify implementation matches the contract.
   For client-facing APIs consumed by frontend: add \`consumerMode: true\`.
   For critical service boundaries: pass both \`providerMode\` and \`consumerMode\`.
+- ${PATH_PARAM_UUID_GUIDANCE}
 - **E2E/UI**: only if relevant Playwright traces exist in \`${testDirectory}\`, repo root, or \`.skyramp/\`.
   Without traces, move to \`additionalRecommendations\`. Do NOT suggest calling \`skyramp_ui_test_generation\`
   or \`skyramp_e2e_test_generation\` — those require traces. Instead, tell the user to record Playwright

package/build/services/ScenarioGenerationService.js CHANGED Viewed

@@ -134,6 +134,29 @@ ${JSON.stringify(traceRequest, null, 2)}
         const requestHeaders = {
             "Content-Type": ["application/json"],
         };
+        let queryParams = {};
+        if (params.queryParams) {
+            try {
+                const parsed = JSON.parse(params.queryParams);
+                if (parsed && typeof parsed === "object" && !Array.isArray(parsed)) {
+                    for (const [k, v] of Object.entries(parsed)) {
+                        queryParams[k] = Array.isArray(v)
+                            ? v.map(String)
+                            : [String(v)];
+                    }
+                }
+                else {
+                    logger.warning("queryParams JSON is not a plain object, ignoring", {
+                        queryParams: params.queryParams,
+                    });
+                }
+            }
+            catch {
+                logger.warning("Could not parse queryParams, ignoring", {
+                    queryParams: params.queryParams,
+                });
+            }
+        }
         const authHeaderName = params.authHeader ?? "";
         if (authHeaderName) {
             if (params.authToken) {
@@ -158,7 +181,7 @@ ${JSON.stringify(traceRequest, null, 2)}
             ResponseHeaders: responseHeaders,
             Method: method,
             Path: basePath ? basePath + params.path : params.path,
-            QueryParams: {},
+            QueryParams: queryParams,
             StatusCode: statusCode,
             Port: port,
             Timestamp: timestamp,

package/build/services/TestExecutionService.js CHANGED Viewed

@@ -8,7 +8,7 @@ import { logger } from "../utils/logger.js";
 import { buildContainerEnv } from "./containerEnv.js";
 const DEFAULT_TIMEOUT = 300000; // 5 minutes
 const MAX_CONCURRENT_EXECUTIONS = 5;
-export const EXECUTOR_DOCKER_IMAGE = "skyramp/executor:v1.3.13";
+export const EXECUTOR_DOCKER_IMAGE = "skyramp/executor:v1.3.14";
 const DOCKER_PLATFORM = "linux/amd64";
 const EXECUTION_PROGRESS_INTERVAL = 10000; // 10 seconds between progress updates during execution
 // Temp file with valid empty JSON — used instead of /dev/null for .json config files

package/build/services/TestGenerationService.js CHANGED Viewed

@@ -277,6 +277,7 @@ ${result}`;
             generateInsecure: params.insecure,
             entrypoint: getEntryPoint(),
             chainingKey: params.chainingKey,
+            mockPort: params.mockPort ?? 0,
         };
     }
 }

package/build/tools/executeSkyrampTestTool.js CHANGED Viewed

@@ -99,7 +99,7 @@ For detailed documentation visit: https://www.skyramp.dev/docs/quickstart`,
                                     `Cannot determine SKYRAMP_TEST_BASE_URL — test file matches multiple services:`,
                                     ...candidates.map((c) => `  • ${c.serviceName}: ${c.baseUrl}`),
                                     ``,
-                                    `Re-invoke with SKYRAMP_TEST_BASE_URL set to the correct service URL, or make each service's outputDir unique in .skyramp/workspace.yml.`,
+                                    `Re-invoke with SKYRAMP_TEST_BASE_URL set to the correct service URL, or make each service's testDirectory unique in .skyramp/workspace.yml.`,
                                 ].join("\n"),
                             }],
                         isError: true,

package/build/tools/generate-tests/generateContractRestTool.js CHANGED Viewed

@@ -4,6 +4,13 @@ import { TestGenerationService, } from "../../services/TestGenerationService.js"
 import { AnalyticsService } from "../../services/AnalyticsService.js";
 const contractTestSchema = {
     ...baseTestSchema,
+    pathParams: z
+        .string()
+        .default("")
+        .describe("Comma-separated path parameter values in the form 'key=value,key2=value2' (e.g., 'id=1,name=John'). " +
+        "IMPORTANT: If the user-provided URL contains path parameter placeholders (e.g., '/products/{product_id}'), do NOT fill in values for them here — pass the URL as-is and leave pathParams empty. " +
+        "The backend resolves path parameters automatically via the parent provisioning mechanism (parentRequestData). " +
+        "Only populate this field if the user has explicitly stated specific path parameter values to use."),
     assertOptions: z
         .string()
         .optional()
@@ -57,6 +64,63 @@ export class ContractTestService extends TestGenerationService {
     getTestType() {
         return TestType.CONTRACT;
     }
+    async generateTest(params) {
+        const result = await super.generateTest(params);
+        if (result.isError)
+            return result;
+        const postInstructions = this.buildSampleDataInstructions(params);
+        if (!postInstructions)
+            return result;
+        return {
+            ...result,
+            content: [
+                ...result.content,
+                { type: "text", text: postInstructions },
+            ],
+        };
+    }
+    buildSampleDataInstructions(params) {
+        const sections = [];
+        sections.push("- **Request body sample data**: the inline JSON/dict literal passed as the request body in the test function.");
+        if (!params.skipProvisionParents) {
+            sections.push("- **Parent provisioning request data**: the inline JSON/dict literals passed as request bodies inside setup/teardown functions that create parent resources.");
+        }
+        return `
+⏭️ **CRITICAL NEXT STEP — Replace unrealistic placeholder values in sample data only:**
+Inspect the following locations in the generated file and replace any placeholder values with realistic ones:
+${sections.join("\n")}
+**A value is a placeholder if it is any of the following — regardless of where it came from:**
+- A JSON/OpenAPI type name: "string", "integer", "number", "boolean", "object", "array"
+- A format descriptor: "uuid", "date", "date-time", "email", "uri", "url", "binary", "byte", "password"
+- A generic filler: "example", "sample", "test", "foo", "bar", "baz", "value", "unknown", "none", "null", "N/A"
+- An integer that is exactly 0 or 1 with no semantic meaning from the field name
+- Any value that is clearly a type name or format name rather than a real datum
+**How to replace:**
+- Use the field name, OpenAPI schema descriptions/enums, and repository context to infer a realistic value.
+- Examples: an "email" field → "user@example.com"; a "price" field → 29.99; a "status" field → the first valid enum value from the spec; a "uuid" value for an "id" field → "a1b2c3d4-e5f6-7890-abcd-ef1234567890".
+**Exactly what to do:**
+1. Open the generated file.
+2. Find only the inline JSON/dict literals identified above.
+3. Replace every placeholder value using the rules above.
+4. Leave all realistic values unchanged.
+5. Write the updated file. Stop there.
+**What NOT to do — any of these is a violation:**
+- Do NOT change function signatures, method names, class names, imports, or variable names.
+- Do NOT add, remove, or reorder any functions, classes, or test cases.
+- Do NOT change assertion logic, HTTP methods, URLs, headers, or status code checks.
+- Do NOT reformat, reorder, or rewrite any code outside the identified JSON/dict literals.
+- Do NOT add comments or docstrings.
+- Do NOT extract, hoist, or expose any request body or data as a global variable, module-level constant, or shared fixture — keep all data inline exactly where it already is.
+- Do NOT reference or reuse request body data across functions for comparison or any other purpose.
+- Do NOT make any other "improvements" beyond the value replacements described above.
+`;
+    }
     validateInputs(params) {
         const errList = super.validateInputs(params);
         if (errList.isError)
@@ -115,10 +179,12 @@ Contract tests ensure your API implementation matches its OpenAPI/Swagger specif
 **IMPORTANT: If an apiSchema parameter (OpenAPI/Swagger file path or URL) is provided, DO NOT attempt to read or analyze the file contents. These files can be very large. Simply pass the path/URL to the tool - the backend will handle reading and processing the schema file.**
+**IMPORTANT: If the endpoint URL contains path parameter placeholders (e.g., \`/products/{product_id}/reviews\`), pass the URL exactly as provided — do NOT substitute values for the placeholders. Leave \`pathParams\` empty unless the user has explicitly provided specific values.**
 **Modes:**
-- Default (no mode set): generates a standard contract test against the API.
-- \`providerMode\`: generates a provider-side contract test that validates the API implementation against the contract. Optionally specify \`providerOutput\` for the output file path.
-- \`consumerMode\`: generates a consumer-side contract test that validates consumer expectations against the API. Optionally specify \`consumerOutput\` for the output file path.
+- Default (no mode set): both \`providerMode\` and \`consumerMode\` default to false. Do NOT set either unless the user explicitly mentions "provider" or "consumer".
+- \`providerMode\`: set to true ONLY if the user explicitly requests a provider-side contract test. Optionally specify \`providerOutput\` for the output file path.
+- \`consumerMode\`: set to true ONLY if the user explicitly requests a consumer-side contract test. Optionally specify \`consumerOutput\` for the output file path.
 - Both \`providerMode\` and \`consumerMode\` can be enabled simultaneously to generate both sides.
 **Chaining (requires \`apiSchema\`):**