@skyramp/mcp 0.0.65 → 0.1.0-rc.2

package/build/utils/scenarioDrafting.test.js

@@ -1,5 +1,5 @@
 // @ts-ignore
-import { isRealResource, draftScenariosFromEndpoints, draftDiffDirectScenarios, draftUniqueConstraintScenarios, draftCascadeDeleteScenarios, draftPermissionBoundaryScenarios, inferResourceRelationships, } from "./scenarioDrafting.js";
+import { isRealResource, draftScenariosFromEndpoints, draftDiffDirectScenarios, inferResourceRelationships, } from "./scenarioDrafting.js";
 describe("isRealResource", () => {
     it("accepts normal resource names", () => {
         expect(isRealResource("users")).toBe(true);
@@ -44,182 +44,33 @@ describe("draftScenariosFromEndpoints — irregular plural singularization", ()
             { path: "/api/items", methods: [{ method: "GET" }, { method: "POST" }] },
             { path: "/api/items/{id}", methods: [{ method: "GET" }, { method: "DELETE" }] },
         ];
-        const scenarios = draftScenariosFromEndpoints(endpoints);
+        const scenarios = draftScenariosFromEndpoints(endpoints, [{ method: "POST", path: "/api/categories" }]);
         const allText = JSON.stringify(scenarios);
         expect(allText).not.toContain("categorie_id");
         expect(allText).not.toContain("\"categorie\"");
-        // The CRUD scenario description should use "category"
-        const crudScenario = scenarios.find((s) => s.scenarioName === "categories-crud-lifecycle");
-        expect(crudScenario).toBeDefined();
-        expect(crudScenario.steps[0].description).toContain("category");
+        // The diff-direct integration scenario description should use "category" (singular)
+        const integrationScenario = scenarios.find((s) => s.scenarioName === "categories-post-lifecycle");
+        expect(integrationScenario).toBeDefined();
+        expect(integrationScenario.steps[0].description).toContain("category");
     });
     it("uses 'status' (not 'statu') in FK field names for -ses plurals", () => {
         const endpoints = [
             { path: "/api/statuses", methods: [{ method: "GET" }, { method: "POST" }] },
             { path: "/api/statuses/{id}", methods: [{ method: "GET" }, { method: "DELETE" }] },
         ];
-        const scenarios = draftScenariosFromEndpoints(endpoints);
+        const scenarios = draftScenariosFromEndpoints(endpoints, [{ method: "POST", path: "/api/statuses" }]);
         const allText = JSON.stringify(scenarios);
         expect(allText).not.toContain("statu_id");
-        const crudScenario = scenarios.find((s) => s.scenarioName === "statuses-crud-lifecycle");
-        expect(crudScenario).toBeDefined();
-        expect(crudScenario.steps[0].description).toContain("status");
+        // The diff-direct integration scenario description should use "status" (singular)
+        const integrationScenario = scenarios.find((s) => s.scenarioName === "statuses-post-lifecycle");
+        expect(integrationScenario).toBeDefined();
+        expect(integrationScenario.steps[0].description).toContain("status");
     });
 });
 describe("draftScenariosFromEndpoints", () => {
     it("returns empty array for no endpoints", () => {
         expect(draftScenariosFromEndpoints([])).toEqual([]);
     });
-    it("generates CRUD scenario for resource with multiple methods", () => {
-        const endpoints = [
-            { path: "/api/products", methods: [{ method: "GET" }, { method: "POST" }] },
-            { path: "/api/products/{id}", methods: [{ method: "GET" }, { method: "PUT" }, { method: "DELETE" }] },
-        ];
-        const scenarios = draftScenariosFromEndpoints(endpoints);
-        expect(scenarios.length).toBeGreaterThan(0);
-        const crudScenario = scenarios.find((s) => /crud/i.test(s.scenarioName) || /products/i.test(s.scenarioName));
-        expect(crudScenario).toBeDefined();
-    });
-    it("generates cross-resource scenario when multiple resources exist", () => {
-        const endpoints = [
-            { path: "/api/users", methods: [{ method: "GET" }, { method: "POST" }] },
-            { path: "/api/users/{id}", methods: [{ method: "GET" }] },
-            { path: "/api/products", methods: [{ method: "GET" }, { method: "POST" }] },
-            { path: "/api/products/{id}", methods: [{ method: "GET" }] },
-            { path: "/api/orders", methods: [{ method: "GET" }, { method: "POST" }] },
-            { path: "/api/orders/{id}", methods: [{ method: "GET" }] },
-        ];
-        const scenarios = draftScenariosFromEndpoints(endpoints);
-        const crossResource = scenarios.find((s) => /integration/i.test(s.scenarioName) && s.category === "workflow");
-        expect(crossResource).toBeDefined();
-    });
-});
-describe("draftUniqueConstraintScenarios", () => {
-    function makeGroups(resources) {
-        const map = new Map();
-        for (const [name, info] of Object.entries(resources)) {
-            map.set(name, { basePath: info.basePath, methods: new Set(info.methods), paramPath: info.paramPath });
-        }
-        return map;
-    }
-    it("generates unique constraint scenario for POST-able resources", () => {
-        const groups = makeGroups({
-            users: { basePath: "/api/users", methods: ["GET", "POST"], paramPath: "/api/users/{id}" },
-        });
-        const scenarios = draftUniqueConstraintScenarios(groups);
-        expect(scenarios).toHaveLength(1);
-        expect(scenarios[0].scenarioName).toBe("users-unique-constraint");
-        expect(scenarios[0].category).toBe("business_rule");
-        expect(scenarios[0].steps[1].expectedStatusCode).toBe(409);
-    });
-    it("skips resources without POST", () => {
-        const groups = makeGroups({
-            products: { basePath: "/api/products", methods: ["GET"], paramPath: "/api/products/{id}" },
-        });
-        expect(draftUniqueConstraintScenarios(groups)).toHaveLength(0);
-    });
-    it("caps output at MAX_DRAFTED_SCENARIOS_PER_CATEGORY", () => {
-        const groups = makeGroups({
-            users: { basePath: "/api/users", methods: ["POST"] },
-            products: { basePath: "/api/products", methods: ["POST"] },
-            orders: { basePath: "/api/orders", methods: ["POST"] },
-            tags: { basePath: "/api/tags", methods: ["POST"] },
-            comments: { basePath: "/api/comments", methods: ["POST"] },
-            reviews: { basePath: "/api/reviews", methods: ["POST"] },
-        });
-        expect(draftUniqueConstraintScenarios(groups).length).toBeLessThanOrEqual(4);
-    });
-    it("skips action-like resources", () => {
-        const groups = makeGroups({
-            login: { basePath: "/api/login", methods: ["POST"] },
-            users: { basePath: "/api/users", methods: ["POST"] },
-        });
-        const scenarios = draftUniqueConstraintScenarios(groups);
-        expect(scenarios.every((s) => !s.scenarioName.includes("login"))).toBe(true);
-    });
-});
-describe("draftCascadeDeleteScenarios", () => {
-    function makeGroups(resources) {
-        const map = new Map();
-        for (const [name, info] of Object.entries(resources)) {
-            map.set(name, { basePath: info.basePath, methods: new Set(info.methods), paramPath: info.paramPath });
-        }
-        return map;
-    }
-    it("generates both cascade and delete-blocked scenarios for resource pairs", () => {
-        const groups = makeGroups({
-            collections: { basePath: "/api/collections", methods: ["GET", "POST", "DELETE"], paramPath: "/api/collections/{id}" },
-            links: { basePath: "/api/links", methods: ["GET", "POST", "DELETE"], paramPath: "/api/links/{id}" },
-        });
-        const scenarios = draftCascadeDeleteScenarios(groups);
-        expect(scenarios).toHaveLength(2);
-        expect(scenarios[0].scenarioName).toContain("cascade-delete");
-        expect(scenarios[0].category).toBe("data_integrity");
-        // Cascade: step 4 expects 404
-        expect(scenarios[0].steps[3].expectedStatusCode).toBe(404);
-        // Blocked: step 3 expects 409, step 4 expects 200
-        expect(scenarios[1].scenarioName).toContain("delete-blocked");
-        expect(scenarios[1].steps[2].expectedStatusCode).toBe(409);
-        expect(scenarios[1].steps[3].expectedStatusCode).toBe(200);
-    });
-    it("requires both POST and DELETE", () => {
-        const groups = makeGroups({
-            users: { basePath: "/api/users", methods: ["GET", "POST"], paramPath: "/api/users/{id}" },
-            orders: { basePath: "/api/orders", methods: ["GET", "POST"], paramPath: "/api/orders/{id}" },
-        });
-        expect(draftCascadeDeleteScenarios(groups)).toHaveLength(0);
-    });
-    it("requires paramPath on both resources", () => {
-        const groups = makeGroups({
-            users: { basePath: "/api/users", methods: ["GET", "POST", "DELETE"] },
-            orders: { basePath: "/api/orders", methods: ["GET", "POST", "DELETE"], paramPath: "/api/orders/{id}" },
-        });
-        expect(draftCascadeDeleteScenarios(groups)).toHaveLength(0);
-    });
-});
-describe("draftPermissionBoundaryScenarios", () => {
-    function makeGroups(resources) {
-        const map = new Map();
-        for (const [name, info] of Object.entries(resources)) {
-            map.set(name, { basePath: info.basePath, methods: new Set(info.methods), paramPath: info.paramPath });
-        }
-        return map;
-    }
-    it("generates auth boundary scenario for mutable resources", () => {
-        const groups = makeGroups({
-            users: { basePath: "/api/users", methods: ["GET", "POST"], paramPath: "/api/users/{id}" },
-        });
-        const scenarios = draftPermissionBoundaryScenarios(groups);
-        expect(scenarios.length).toBeGreaterThanOrEqual(1);
-        expect(scenarios[0].scenarioName).toBe("users-auth-boundary");
-        expect(scenarios[0].category).toBe("security_boundary");
-        expect(scenarios[0].steps[0].expectedStatusCode).toBe(401);
-    });
-    it("generates cross-user isolation scenario when resource has GET+POST+paramPath", () => {
-        const groups = makeGroups({
-            documents: { basePath: "/api/documents", methods: ["GET", "POST"], paramPath: "/api/documents/{id}" },
-        });
-        const scenarios = draftPermissionBoundaryScenarios(groups);
-        const crossUser = scenarios.find((s) => s.scenarioName.includes("cross-user"));
-        expect(crossUser).toBeDefined();
-        expect(crossUser.steps[1].expectedStatusCode).toBe(403);
-    });
-    it("skips read-only resources", () => {
-        const groups = makeGroups({
-            reports: { basePath: "/api/reports", methods: ["GET"], paramPath: "/api/reports/{id}" },
-        });
-        expect(draftPermissionBoundaryScenarios(groups)).toHaveLength(0);
-    });
-    it("caps output at MAX_DRAFTED_SCENARIOS_PER_CATEGORY", () => {
-        const groups = makeGroups({
-            users: { basePath: "/api/users", methods: ["POST"], paramPath: "/api/users/{id}" },
-            products: { basePath: "/api/products", methods: ["POST"], paramPath: "/api/products/{id}" },
-            orders: { basePath: "/api/orders", methods: ["POST"], paramPath: "/api/orders/{id}" },
-            tags: { basePath: "/api/tags", methods: ["POST"], paramPath: "/api/tags/{id}" },
-            reviews: { basePath: "/api/reviews", methods: ["POST"], paramPath: "/api/reviews/{id}" },
-        });
-        expect(draftPermissionBoundaryScenarios(groups).length).toBeLessThanOrEqual(4);
-    });
 });
 describe("inferResourceRelationships", () => {
     it("returns empty map for endpoints with no nesting or FK fields", () => {
@@ -263,49 +114,6 @@ describe("inferResourceRelationships", () => {
         expect(rel.get("orders")?.size ?? 0).toBe(0);
     });
 });
-describe("draftCascadeDeleteScenarios — with relationships parameter", () => {
-    function makeGroups(resources) {
-        const map = new Map();
-        for (const [name, info] of Object.entries(resources)) {
-            map.set(name, { basePath: info.basePath, methods: new Set(info.methods), paramPath: info.paramPath });
-        }
-        return map;
-    }
-    it("skips pairs with no detected relationship when a non-empty relationships map is provided", () => {
-        const groups = makeGroups({
-            users: { basePath: "/api/users", methods: ["POST", "DELETE"], paramPath: "/api/users/{id}" },
-            products: { basePath: "/api/products", methods: ["POST", "DELETE"], paramPath: "/api/products/{id}" },
-        });
-        // Non-empty map that knows about orders→users but says nothing about products↔users
-        const rel = new Map();
-        rel.set("orders", new Set(["users"])); // unrelated to our test pair
-        expect(draftCascadeDeleteScenarios(groups, rel)).toHaveLength(0);
-    });
-    it("uses heuristic pairing (first=parent) when relationships map is empty", () => {
-        const groups = makeGroups({
-            users: { basePath: "/api/users", methods: ["POST", "DELETE"], paramPath: "/api/users/{id}" },
-            products: { basePath: "/api/products", methods: ["POST", "DELETE"], paramPath: "/api/products/{id}" },
-        });
-        const rel = new Map();
-        // Empty map → falls back to heuristic: generates scenarios for all pairs
-        expect(draftCascadeDeleteScenarios(groups, rel).length).toBeGreaterThan(0);
-    });
-    it("uses relationship direction to set correct parent→child order", () => {
-        const groups = makeGroups({
-            users: { basePath: "/api/users", methods: ["POST", "DELETE"], paramPath: "/api/users/{id}" },
-            orders: { basePath: "/api/orders", methods: ["POST", "DELETE"], paramPath: "/api/orders/{id}" },
-        });
-        // orders depends on users (orders is the child)
-        const rel = new Map();
-        rel.set("orders", new Set(["users"]));
-        const scenarios = draftCascadeDeleteScenarios(groups, rel);
-        expect(scenarios.length).toBeGreaterThan(0);
-        // Parent should be users, child should be orders
-        expect(scenarios[0].scenarioName).toContain("users");
-        expect(scenarios[0].scenarioName).toContain("orders");
-        expect(scenarios[0].steps[0].path).toBe("/api/users"); // POST parent first
-    });
-});
 describe("draftDiffDirectScenarios", () => {
     const makeGroups = (defs) => new Map(Object.entries(defs).map(([k, v]) => [k, { ...v, methods: new Set(v.methods) }]));
     it("returns empty array when newEndpoints is empty", () => {
@@ -317,21 +125,18 @@ describe("draftDiffDirectScenarios", () => {
             orders: { basePath: "/api/orders", methods: ["GET", "POST", "PUT"], paramPath: "/api/orders/{order_id}" },
         });
         const scenarios = draftDiffDirectScenarios([{ method: "PUT", path: "/api/orders/{order_id}" }], groups);
+        // PUT generates: mutation-recalc, contract, not-found (3 scenarios)
+        // Note: we intentionally skip the redundant "happy-path" integration for PUT/PATCH
+        // because mutation-recalc already provides comprehensive happy-path coverage
         expect(scenarios.length).toBeGreaterThanOrEqual(3);
-        for (const s of scenarios) {
-            expect(s.category).toBe("new_endpoint");
-        }
+        const newEndpointScenarios = scenarios.filter(s => s.category === "new_endpoint");
+        expect(newEndpointScenarios.length).toBeGreaterThanOrEqual(2);
         // Mutation-recalculation scenario is drafted first for PUT/PATCH
-        const mutationRecalc = scenarios.find(s => s.testType === "integration" && s.scenarioName.includes("add-items-recalculate"));
+        const mutationRecalc = scenarios.find(s => s.testType === "integration" && s.scenarioName.includes("mutation-verify"));
         expect(mutationRecalc).toBeDefined();
         expect(mutationRecalc.steps.some(st => st.method === "PUT")).toBe(true);
-        expect(mutationRecalc.description).toContain("recalculation");
-        // Integration happy path includes the PUT step
-        const integration = scenarios.find(s => s.testType === "integration" && s.scenarioName.includes("happy-path"));
-        expect(integration).toBeDefined();
-        expect(integration.steps.some(st => st.method === "PUT")).toBe(true);
-        // Description prompts LLM to discover prerequisites from source code
-        expect(integration.description).toContain("prerequisites");
+        expect(mutationRecalc.description).toContain("Mutation test");
+        // Note: happy-path integration removed for PUT/PATCH - mutation-recalc covers this
         // Contract test
         const contract = scenarios.find(s => s.testType === "contract" && s.steps[0].expectedStatusCode === 200);
         expect(contract).toBeDefined();
@@ -345,21 +150,19 @@ describe("draftDiffDirectScenarios", () => {
         });
         const scenarios = draftDiffDirectScenarios([{ method: "PATCH", path: "/api/orders/{order_id}" }], groups);
         // Mutation-recalculation scenario is drafted for PATCH
-        const mutationRecalc = scenarios.find(s => s.scenarioName === "orders-patch-add-items-recalculate");
+        const mutationRecalc = scenarios.find(s => s.scenarioName === "orders-patch-mutation-verify");
         expect(mutationRecalc).toBeDefined();
         expect(mutationRecalc.testType).toBe("integration");
         expect(mutationRecalc.category).toBe("new_endpoint");
         expect(mutationRecalc.priority).toBe("high");
-        expect(mutationRecalc.description).toContain("recalculation");
-        expect(mutationRecalc.description).toContain("derived totals");
+        expect(mutationRecalc.description).toContain("Mutation test");
+        expect(mutationRecalc.description).toContain("derived calculations");
         // Should have 3 steps: POST (create) → PATCH (add items) → GET (verify)
         expect(mutationRecalc.steps).toHaveLength(3);
         expect(mutationRecalc.steps[0].method).toBe("POST");
         expect(mutationRecalc.steps[1].method).toBe("PATCH");
         expect(mutationRecalc.steps[2].method).toBe("GET");
-        // Happy-path integration scenario is also still present
-        const happyPath = scenarios.find(s => s.scenarioName.includes("happy-path") && s.testType === "integration");
-        expect(happyPath).toBeDefined();
+        // Note: happy-path integration removed for PUT/PATCH - mutation-recalc covers this
     });
     it("integration scenario minimum steps: POST resource then PUT — LLM discovers prereqs from source code", () => {
         const groups = makeGroups({
@@ -367,18 +170,13 @@ describe("draftDiffDirectScenarios", () => {
         });
         const scenarios = draftDiffDirectScenarios([{ method: "PUT", path: "/api/orders/{order_id}" }], groups);
         // Mutation-recalculation scenario comes first
-        const mutationRecalc = scenarios.find(s => s.testType === "integration" && s.scenarioName.includes("add-items-recalculate"));
+        const mutationRecalc = scenarios.find(s => s.testType === "integration" && s.scenarioName.includes("mutation-verify"));
         expect(mutationRecalc).toBeDefined();
         expect(mutationRecalc.steps.some(st => st.method === "POST" && st.path === "/api/orders")).toBe(true);
         expect(mutationRecalc.steps.some(st => st.method === "PUT")).toBe(true);
-        // Happy-path integration scenario
-        const integration = scenarios.find(s => s.testType === "integration" && s.scenarioName.includes("happy-path"));
-        expect(integration).toBeDefined();
-        // Minimum steps: create the resource + call the new endpoint
-        expect(integration.steps.some(st => st.method === "POST" && st.path === "/api/orders")).toBe(true);
-        expect(integration.steps.some(st => st.method === "PUT")).toBe(true);
-        // No prerequisite steps pre-computed — LLM is instructed to discover them
-        expect(integration.steps[0].path).toBe("/api/orders"); // first step is the resource itself, not a prereq
+        // Note: happy-path integration removed for PUT/PATCH
+        // mutation-recalc already provides comprehensive happy-path coverage with POST → PUT → GET
+        // The minimum steps (POST + PUT) are already verified in the mutationRecalc check above
     });
     it("generates 3 scenarios for a new POST endpoint", () => {
         const groups = makeGroups({
@@ -420,7 +218,7 @@ describe("draftDiffDirectScenarios", () => {
         const scenarios = draftDiffDirectScenarios([{ method: "PATCH", path: "/{order_id}" }], groups);
         expect(scenarios.length).toBeGreaterThanOrEqual(3);
         // Mutation-recalculation scenario is drafted
-        const mutationRecalc = scenarios.find(s => s.scenarioName === "orders-patch-add-items-recalculate");
+        const mutationRecalc = scenarios.find(s => s.scenarioName === "orders-patch-mutation-verify");
         expect(mutationRecalc).toBeDefined();
         expect(mutationRecalc.testType).toBe("integration");
         expect(mutationRecalc.category).toBe("new_endpoint");
@@ -465,23 +263,23 @@ describe("draftDiffDirectScenarios", () => {
         ];
         const newEndpoints = [{ method: "PATCH", path: "/{order_id}" }];
         const allScenarios = draftScenariosFromEndpoints(endpoints, newEndpoints);
-        // The diff-direct scenarios should include orders-patch-add-items-recalculate
-        const mutationRecalc = allScenarios.find(s => s.scenarioName === "orders-patch-add-items-recalculate");
+        // The diff-direct scenarios should include orders-patch-mutation-verify
+        const mutationRecalc = allScenarios.find(s => s.scenarioName === "orders-patch-mutation-verify");
         expect(mutationRecalc).toBeDefined();
         expect(mutationRecalc.category).toBe("new_endpoint"); // → CRITICAL priority tier
         expect(mutationRecalc.steps).toHaveLength(3);
         expect(mutationRecalc.steps[0].method).toBe("POST");
         expect(mutationRecalc.steps[1].method).toBe("PATCH");
         expect(mutationRecalc.steps[2].method).toBe("GET");
-        expect(mutationRecalc.description).toContain("derived totals");
+        expect(mutationRecalc.description).toContain("derived calculations");
         // Verify it outranks all non-new_endpoint scenarios (cascade-delete, unique-constraint, etc.)
         const newEndpointScenarios = allScenarios.filter(s => s.category === "new_endpoint");
         const otherScenarios = allScenarios.filter(s => s.category !== "new_endpoint");
         expect(newEndpointScenarios.length).toBeGreaterThanOrEqual(3);
         // All new_endpoint scenarios should include our mutation-recalculate
-        expect(newEndpointScenarios.some(s => s.scenarioName === "orders-patch-add-items-recalculate")).toBe(true);
+        expect(newEndpointScenarios.some(s => s.scenarioName === "orders-patch-mutation-verify")).toBe(true);
         // Non-new_endpoint scenarios should NOT include mutation-recalculate
-        expect(otherScenarios.every(s => s.scenarioName !== "orders-patch-add-items-recalculate")).toBe(true);
+        expect(otherScenarios.every(s => s.scenarioName !== "orders-patch-mutation-verify")).toBe(true);
     });
 });
 describe("diffDirectMutationRecalc — diverse app types (no hardcoded field names)", () => {
@@ -561,7 +359,7 @@ describe("diffDirectMutationRecalc — diverse app types (no hardcoded field nam
     it.each(testCases)("$name — produces valid mutation-recalc scenario", ({ resource, group, method, expectedParamName }) => {
         const groups = makeGroups({ [resource]: group });
         const scenarios = draftDiffDirectScenarios([{ method, path: group.paramPath ?? group.basePath }], groups);
-        const mutationRecalc = scenarios.find(s => s.scenarioName.endsWith("-add-items-recalculate"));
+        const mutationRecalc = scenarios.find(s => s.scenarioName.endsWith("-mutation-verify"));
         expect(mutationRecalc).toBeDefined();
         expect(mutationRecalc.category).toBe("new_endpoint");
         expect(mutationRecalc.testType).toBe("integration");
@@ -572,17 +370,9 @@ describe("diffDirectMutationRecalc — diverse app types (no hardcoded field nam
         // Step 2: PUT/PATCH with mutation
         const mutationStep = mutationRecalc.steps[1];
         expect(mutationStep.method).toBe(method);
-        expect(mutationStep.bodyMustInclude).toBeDefined();
-        expect(mutationStep.bodyMustInclude.length).toBe(3);
+        // Note: bodyMustInclude removed in intent-based refactor - LLM discovers fields from source
         // Verify NO hardcoded domain-specific field names
-        for (const hint of mutationStep.bodyMustInclude) {
-            expect(hint).not.toBe("items");
-            expect(hint).not.toBe("product_id");
-            expect(hint).not.toBe("quantity");
-            expect(hint).not.toBe("total_amount");
-        }
         // Verify hints are descriptive (contain "e.g." or similar guidance)
-        expect(mutationStep.bodyMustInclude.some(h => h.includes("e.g."))).toBe(true);
         // Chaining uses the actual path param name (only when paramPath exists)
         if (group.paramPath) {
             expect(mutationStep.chainsFrom).toBeDefined();
@@ -599,27 +389,21 @@ describe("diffDirectMutationRecalc — diverse app types (no hardcoded field nam
             expect(mutationRecalc.steps).toHaveLength(3);
             const getStep = mutationRecalc.steps[2];
             expect(getStep.method).toBe("GET");
-            expect(getStep.expectedResponseFields).toBeDefined();
-            // Verify NO hardcoded domain-specific field names in response fields
-            for (const field of getStep.expectedResponseFields) {
-                expect(field).not.toBe("items");
-                expect(field).not.toMatch(/^items\.\*/);
-                expect(field).not.toBe("total_amount");
-            }
+            // Note: expectedResponseFields removed in intent-based refactor
         }
         // chainingKeys uses the actual path param name, not hardcoded singular_id
         expect(mutationRecalc.chainingKeys).toContain("id");
         expect(mutationRecalc.chainingKeys).toContain(expectedParamName);
         // Description is domain-agnostic
-        expect(mutationRecalc.description).toContain("derived totals");
-        expect(mutationRecalc.description).toContain("Mutation recalculation");
+        expect(mutationRecalc.description).toContain("Mutation test");
+        expect(mutationRecalc.description).toContain("derived calculations");
     });
     it("no paramPath: PATCH step targets basePath, no GET verification, fallback param name", () => {
         const groups = makeGroups({
             items: { basePath: "/items", methods: ["GET", "POST", "PATCH"] },
         });
         const scenarios = draftDiffDirectScenarios([{ method: "PATCH", path: "/items" }], groups);
-        const mutationRecalc = scenarios.find(s => s.scenarioName.endsWith("-add-items-recalculate"));
+        const mutationRecalc = scenarios.find(s => s.scenarioName.endsWith("-mutation-verify"));
         expect(mutationRecalc).toBeDefined();
         // No paramPath → PATCH targets basePath, no GET step
         expect(mutationRecalc.steps).toHaveLength(2);
@@ -632,7 +416,7 @@ describe("diffDirectMutationRecalc — diverse app types (no hardcoded field nam
             configs: { basePath: "/api/configs", methods: ["GET", "PATCH"], paramPath: "/api/configs/{config_id}" },
         });
         const scenarios = draftDiffDirectScenarios([{ method: "PATCH", path: "/api/configs/{config_id}" }], groups);
-        const mutationRecalc = scenarios.find(s => s.scenarioName.endsWith("-add-items-recalculate"));
+        const mutationRecalc = scenarios.find(s => s.scenarioName.endsWith("-mutation-verify"));
         expect(mutationRecalc).toBeDefined();
         // No POST → starts with PATCH directly, no chaining
         expect(mutationRecalc.steps[0].method).toBe("PATCH");
@@ -641,4 +425,155 @@ describe("diffDirectMutationRecalc — diverse app types (no hardcoded field nam
         expect(mutationRecalc.steps[1].method).toBe("GET");
         expect(mutationRecalc.steps[1].chainsFrom).toBeUndefined();
     });
+    it("generates auth-boundary scenario for each new endpoint (security_boundary, not new_endpoint)", () => {
+        const groups = makeGroups({
+            orders: { basePath: "/api/orders", methods: ["GET", "POST", "PUT"], paramPath: "/api/orders/{order_id}" },
+        });
+        const scenarios = draftDiffDirectScenarios([{ method: "PUT", path: "/api/orders/{order_id}" }], groups);
+        const authBoundary = scenarios.find(s => s.scenarioName === "orders-put-auth-boundary");
+        expect(authBoundary).toBeDefined();
+        expect(authBoundary.category).toBe("security_boundary");
+        expect(authBoundary.testType).toBe("contract");
+        expect(authBoundary.steps[0].method).toBe("PUT");
+        expect(authBoundary.steps[0].path).toBe("/api/orders/{order_id}");
+        expect(authBoundary.steps[0].expectedStatusCode).toBe(401);
+        expect(authBoundary.requiresAuth).toBe(false);
+    });
+    it("auth-boundary scenario is not duplicated for same method/path", () => {
+        const groups = makeGroups({
+            orders: { basePath: "/api/orders", methods: ["GET", "POST", "PUT", "DELETE"], paramPath: "/api/orders/{order_id}" },
+        });
+        const scenarios = draftDiffDirectScenarios([{ method: "PUT", path: "/api/orders/{order_id}" }, { method: "DELETE", path: "/api/orders/{order_id}" }], groups);
+        const authBoundaries = scenarios.filter(s => s.scenarioName.includes("auth-boundary"));
+        // One for PUT, one for DELETE (not GET, not POST)
+        expect(authBoundaries).toHaveLength(2);
+        expect(authBoundaries.map(s => s.scenarioName).sort()).toEqual([
+            "orders-delete-auth-boundary",
+            "orders-put-auth-boundary",
+        ]);
+    });
+    it("does NOT generate auth-boundary for GET endpoints (often public)", () => {
+        const groups = makeGroups({
+            orders: { basePath: "/api/orders", methods: ["GET", "POST"], paramPath: "/api/orders/{order_id}" },
+        });
+        const scenarios = draftDiffDirectScenarios([{ method: "GET", path: "/api/orders/{order_id}" }], groups);
+        const authBoundary = scenarios.find(s => s.scenarioName.includes("auth-boundary"));
+        expect(authBoundary).toBeUndefined();
+    });
+    it("does NOT generate auth-boundary for POST", () => {
+        const groups = makeGroups({
+            products: { basePath: "/api/products", methods: ["GET", "POST"], paramPath: "/api/products/{id}" },
+        });
+        const scenarios = draftDiffDirectScenarios([{ method: "POST", path: "/api/products" }], groups);
+        const authBoundary = scenarios.find(s => s.scenarioName.includes("auth-boundary"));
+        expect(authBoundary).toBeUndefined();
+    });
+});
+describe("draftDiffDirectScenarios — GET without path param", () => {
+    const resourceGroups = new Map([
+        ["products", {
+                basePath: "/api/v1/products",
+                methods: new Set(["GET", "POST"]),
+                paramPath: "/api/v1/products/{product_id}",
+            }],
+    ]);
+    it("GET no-param: produces contract + collection scenario (LLM determines if query params apply)", () => {
+        const result = draftDiffDirectScenarios([{ method: "GET", path: "/api/v1/products/search" }], resourceGroups);
+        const names = result.map(s => s.scenarioName);
+        expect(names).toContain("products-get-new-endpoint-contract");
+        expect(names).toContain("products-search-list-query");
+        const scenario = result.find(s => s.scenarioName === "products-search-list-query");
+        expect(scenario.category).toBe("new_endpoint");
+        // Description instructs LLM to read source for query param logic
+        expect(scenario.description).toMatch(/read diff source|query param/i);
+    });
+    it("GET no-param: produces zero cascade-delete or unique-constraint scenarios", () => {
+        const result = draftDiffDirectScenarios([{ method: "GET", path: "/api/v1/products/search" }], resourceGroups);
+        const names = result.map(s => s.scenarioName);
+        expect(names.some(n => n.includes("cascade"))).toBe(false);
+        expect(names.some(n => n.includes("unique"))).toBe(false);
+        expect(names.some(n => n.includes("delete-blocked"))).toBe(false);
+    });
+    it("collection GET with POST: produces integration scenario (POST then GET)", () => {
+        const result = draftDiffDirectScenarios([{ method: "GET", path: "/api/v1/products" }], resourceGroups);
+        const scenario = result.find(s => s.scenarioName === "products-list-query");
+        expect(scenario).toBeDefined();
+        expect(scenario.testType).toBe("integration");
+        expect(scenario.steps[0].method).toBe("POST");
+        expect(scenario.steps[1].method).toBe("GET");
+    });
+    it("collection GET without POST: produces contract scenario (single GET step)", () => {
+        const readOnlyGroups = new Map([
+            ["reports", {
+                    basePath: "/api/v1/reports",
+                    methods: new Set(["GET"]),
+                    paramPath: undefined,
+                }],
+        ]);
+        const result = draftDiffDirectScenarios([{ method: "GET", path: "/api/v1/reports" }], readOnlyGroups);
+        const scenario = result.find(s => s.scenarioName === "reports-list-query");
+        expect(scenario).toBeDefined();
+        expect(scenario.testType).toBe("contract");
+        expect(scenario.steps).toHaveLength(1);
+    });
+});
+// ---------------------------------------------------------------------------
+// capScenarios — enforced via draftScenariosFromEndpoints
+// ---------------------------------------------------------------------------
+describe("draftScenariosFromEndpoints — capScenarios hard limit", () => {
+    // Each PUT/PATCH new endpoint produces ~5 scenarios (mutation-verify, boundary-values,
+    // contract, not-found, auth-boundary). Seven resources × 2 methods each = 70 new
+    // endpoints → well above the 30-scenario cap.
+    function makeEndpointsAndNewEps(resourceNames) {
+        const endpoints = resourceNames.flatMap(r => [
+            { path: `/api/${r}`, methods: [{ method: "GET" }, { method: "POST" }] },
+            { path: `/api/${r}/{id}`, methods: [{ method: "GET" }, { method: "PUT" }, { method: "PATCH" }, { method: "DELETE" }] },
+        ]);
+        const newEndpoints = resourceNames.flatMap(r => [
+            { method: "PUT", path: `/api/${r}/{id}` },
+            { method: "PATCH", path: `/api/${r}/{id}` },
+        ]);
+        return { endpoints, newEndpoints };
+    }
+    it("caps output at 30 scenarios when many new endpoints are present", () => {
+        const resources = ["users", "products", "orders", "invoices", "shipments", "reviews", "payments", "discounts"];
+        const { endpoints, newEndpoints } = makeEndpointsAndNewEps(resources);
+        const result = draftScenariosFromEndpoints(endpoints, newEndpoints);
+        expect(result.length).toBeLessThanOrEqual(30);
+    });
+    it("always keeps CRITICAL (new_endpoint) scenarios under the cap", () => {
+        const resources = ["users", "products", "orders", "invoices", "shipments", "reviews", "payments", "discounts"];
+        const { endpoints, newEndpoints } = makeEndpointsAndNewEps(resources);
+        const result = draftScenariosFromEndpoints(endpoints, newEndpoints);
+        // new_endpoint is CRITICAL — verify at least some survive
+        const criticalOnes = result.filter((s) => s.category === "new_endpoint");
+        expect(criticalOnes.length).toBeGreaterThan(0);
+    });
+    it("CRITICAL items (new_endpoint) fill the cap first; security_boundary may be dropped", () => {
+        // With many new endpoints, diffDirectContract/NotFound/MutationVerify/BoundaryValues all
+        // produce category "new_endpoint" (CRITICAL). When CRITICAL items alone exceed 30, the hard
+        // cap slices them first — breadth picks for non-CRITICAL categories are not guaranteed.
+        const resources = ["users", "products", "orders", "invoices", "shipments", "reviews", "payments", "discounts"];
+        const { endpoints, newEndpoints } = makeEndpointsAndNewEps(resources);
+        const result = draftScenariosFromEndpoints(endpoints, newEndpoints);
+        // All 30 surviving scenarios should be CRITICAL (new_endpoint)
+        const nonCritical = result.filter((s) => s.category !== "new_endpoint");
+        // Non-critical (security_boundary) may be 0 — this is the documented cap behavior
+        expect(nonCritical.length).toBeLessThanOrEqual(result.length);
+        // And the cap is enforced
+        expect(result.length).toBeLessThanOrEqual(30);
+    });
+    it("does not cap when total scenarios are within the limit", () => {
+        const endpoints = [
+            { path: "/api/users", methods: [{ method: "GET" }, { method: "POST" }] },
+            { path: "/api/users/{id}", methods: [{ method: "GET" }, { method: "PUT" }, { method: "DELETE" }] },
+        ];
+        const newEndpoints = [
+            { method: "PUT", path: "/api/users/{id}" },
+        ];
+        const result = draftScenariosFromEndpoints(endpoints, newEndpoints);
+        // A single PUT endpoint produces 5 scenarios — well within the 30-scenario cap
+        expect(result.length).toBeLessThanOrEqual(30);
+        expect(result.length).toBeGreaterThanOrEqual(4);
+    });
 });