@skyramp/mcp 0.1.5 → 0.1.6

package/build/prompts/testbot/testbot-prompts.js

@@ -5,9 +5,11 @@ import { MAX_TESTS_TO_GENERATE, MAX_RECOMMENDATIONS, MAX_CRITICAL_TESTS, PATH_PA
 import { buildDriftAnalysisPrompt } from "../test-maintenance/drift-analysis-prompt.js";
 import { getTraceRecordingPromptText } from "../../playwright/traceRecordingPrompt.js";
 import { isContractConsumerModeEnabled } from "../../utils/featureFlags.js";
+import { resolveServiceDetailsRef } from "../../utils/utils.js";
 import { readWorkspaceConfigRaw } from "../../utils/workspaceAuth.js";
-// Cached at module-load — the flag is process-wide and cannot change per call.
+// Cached at module-load — flags are process-wide and cannot change per call.
 const CONSUMER_MODE_ENABLED = isContractConsumerModeEnabled();
+const SERVICE_REFS = resolveServiceDetailsRef();
 // Mode-aware bullet block that appears inside the "How to generate each type"
 // section. When consumer mode is disabled, only provider-mode guidance is
 // surfaced so the agent never recommends or invokes consumer contract tests.
@@ -121,8 +123,8 @@ ${userPrompt ? "Generate only the tests that the user requested from the Additio
 - Critical-category tests are already ranked first by the pre-computed scores — follow the plan order.
 
 **Auth — determine ONCE, apply to EVERY tool call:**
-1. Read auth params from the Execution Plan returned by \`skyramp_analyze_changes\` — they are resolved directly from workspace.yml. **Use these as-is; do not infer or override.**
-2. If workspace shows \`authType: none\` or \`authHeader: ""\` → proceed with no auth (\`authHeader: ""\`). If tests fail due to 401/403, add to \`issuesFound\`: "Auth may be required — update \`api.authType\` in workspace.yml."
+1. Read auth params from the Execution Plan returned by \`skyramp_analyze_changes\` — they are pre-resolved from ${SERVICE_REFS.authSourceRef}. **Use these as-is; do not infer or override.**
+2. If workspace shows \`authType: none\` or \`authHeader: ""\` → proceed with no auth (\`authHeader: ""\`). If tests fail due to 401/403, add to \`issuesFound\`: "Auth may be required — update \`api.authType\` in ${SERVICE_REFS.authSourceRef}."
 3. **Auth params by header type — quick reference:**
 
    | \`authHeader\` | \`authType\` examples | \`skyramp_batch_scenario_*\` / \`skyramp_contract_*\` | \`skyramp_integration_test_generation\` (scenarioFile) |
@@ -133,7 +135,7 @@ ${userPrompt ? "Generate only the tests that the user requested from the Additio
    | none / \`""\` | \`none\` | \`authHeader: ""\` only when endpoint confirmed unauthenticated | \`authHeader: ""\` |
 
    **Omit \`authToken\` entirely** — \`SKYRAMP_PLACEHOLDER_TOKEN\` is auto-inserted at execution time.
-   The \`authScheme\` for \`Authorization\` headers is pre-resolved in the Execution Plan — use it exactly (e.g. \`"Bearer"\`, \`"Token"\`, or a custom scheme from \`api.authScheme\` in workspace.yml).
+   The \`authScheme\` for \`Authorization\` headers is pre-resolved in the Execution Plan — use it exactly (e.g. \`"Bearer"\`, \`"Token"\`, or a custom scheme from ${SERVICE_REFS.authSourceRef}).
 
    Passing auth alongside workspace \`authType\` on \`skyramp_integration_test_generation\` causes "${AUTH_CONFLICT_ERROR_MSG}" — follow the table.
 4. Only pass \`authHeader: ""\` if you can confirm the endpoint is truly unauthenticated.
@@ -141,7 +143,7 @@ ${userPrompt ? "Generate only the tests that the user requested from the Additio
 **How to generate each type (for ADD):**
 - **Integration**: call \`skyramp_batch_scenario_test_generation\` with ALL steps in a single call (pass the \`steps\` array with method, path, requestBody, statusCode for each step). Then call \`skyramp_integration_test_generation\` with the returned scenario file.
   **Use the pre-built scenario JSON from the Execution Plan** — pass the steps array directly. Do NOT read source code models to construct request bodies if the plan already provides them.
-  Scenario JSON and test files go in the \`testDirectory\` from \`workspace.yml\` (visible in the service context block at the top of this prompt). Do NOT create a new \`tests/\` directory at the repo root — use the path the workspace config specifies. If no \`testDirectory\` is configured, default to the language-conventional location (e.g. \`src/test/java/...\` for Java, \`tests/\` for Python).
+  Scenario JSON and test files go in ${SERVICE_REFS.testDirRef}. Do NOT create a new \`tests/\` directory at the repo root — use that path. If no \`testDirectory\` is configured, default to the language-conventional location (e.g. \`src/test/java/...\` for Java, \`tests/\` for Python).
   **Pipeline for speed**: Call ALL \`skyramp_batch_scenario_test_generation\` calls in one batch. When they return, call ALL \`skyramp_integration_test_generation\` calls in the next batch. Do NOT serialize per-scenario (batch→integration→batch→integration) — batch ALL scenarios first, then generate ALL integration tests.
 - **Contract**: call \`skyramp_contract_test_generation\` with \`endpointURL\`, \`method\`, and \`requestData\` for POST/PUT/PATCH.
   Pass \`apiSchema\` if an OpenAPI spec exists.

package/build/prompts/testbot/testbot-prompts.test.js

@@ -211,12 +211,12 @@ describe("drift analysis inline embedding", () => {
         expect(prompt).toContain("<drift_analysis_rules>");
         expect(prompt).toContain("</drift_analysis_rules>");
     });
-    it("includes persona inside the XML block", () => {
+    it("does not include a persona statement inside the inline XML block", () => {
         const prompt = basePrompt();
         const start = prompt.indexOf("<drift_analysis_rules>");
         const end = prompt.indexOf("</drift_analysis_rules>");
         const block = prompt.slice(start, end);
-        expect(block).toContain("You are acting as a Skyramp Integration Architect");
+        expect(block).not.toContain("You are acting as a Skyramp Integration Architect");
     });
     it("drift_analysis_rules block appears inside Task 1, before Task 2", () => {
         const prompt = basePrompt();

package/build/resources/analysisResources.js

@@ -29,6 +29,7 @@ export function registerAnalysisResources(server) {
                 return memData;
             }
         }
+        logger.warning(`Session not found in memory (sessionId=${sessionId}) — server may have restarted; falling back to state file`);
         // Fall back to state file for backward compatibility.
         // Try both "analysis" and "recommendation" prefixes since the default changed.
         const registeredPath = getSessionFilePath(sessionId);

package/build/services/ScenarioGenerationService.js

@@ -1,5 +1,6 @@
 import { AUTH_PLACEHOLDER_TOKEN } from "../types/TestTypes.js";
 import { isAuthorizationHeaderName } from "../utils/workspaceAuth.js";
+import { inferExpectedStatus } from "../utils/httpDefaults.js";
 import { logger } from "../utils/logger.js";
 import fs from "fs";
 import path from "path";
@@ -124,7 +125,7 @@ ${JSON.stringify(traceRequest, null, 2)}
         }
         const timestamp = new Date().toISOString();
         const method = params.method;
-        const statusCode = params.statusCode ?? (method === "POST" ? 201 : method === "DELETE" ? 204 : 200);
+        const statusCode = params.statusCode ?? inferExpectedStatus(method);
         const requestBody = params.requestBody ||
             (method === "GET" || method === "DELETE" ? "" : "{}");
         const responseHeaders = params.responseHeaders

package/build/tools/code-refactor/enhanceAssertionsTool.js

@@ -4,6 +4,7 @@ import { AnalyticsService } from "../../services/AnalyticsService.js";
 import { getContractProviderAssertionsPrompt } from "../../prompts/enhance-assertions/contractProviderAssertionsPrompt.js";
 import { getIntegrationAssertionsPrompt } from "../../prompts/enhance-assertions/integrationAssertionsPrompt.js";
 import { getUIAssertionsPrompt } from "../../prompts/enhance-assertions/uiAssertionsPrompt.js";
+import { isTestbotEnabled } from "../../utils/featureFlags.js";
 const TOOL_NAME = "skyramp_enhance_assertions";
 const TESTBOT_UI_CHECKS = `
 ### Additional Testbot-Specific Checks
@@ -37,7 +38,7 @@ export function registerEnhanceAssertionsTool(server) {
         let instructions;
         if (testType === TestType.UI) {
             instructions = getUIAssertionsPrompt(testFile, enhanceCtx);
-            if (process.env.SKYRAMP_FEATURE_TESTBOT === "1") {
+            if (isTestbotEnabled()) {
                 instructions += TESTBOT_UI_CHECKS;
             }
         }

package/build/tools/generate-tests/generateBatchScenarioRestTool.js

@@ -5,6 +5,7 @@ import fs from "fs";
 import { baseSchema, AUTH_PLACEHOLDER_TOKEN, HttpMethod } from "../../types/TestTypes.js";
 import { AnalyticsService } from "../../services/AnalyticsService.js";
 import { getWorkspaceAuthConfig, WorkspaceAuthType, getDefaultAuthHeader, isAuthorizationHeaderName, getAuthScheme } from "../../utils/workspaceAuth.js";
+import yaml from "js-yaml";
 import { logger } from "../../utils/logger.js";
 function isJsonValue(v) {
     if (v === undefined || v === null)
@@ -184,6 +185,126 @@ Call \`skyramp_integration_test_generation\` with the returned \`scenarioFile\`
                 logger.warning("Could not resolve auth from workspace config");
             }
         }
+        // Separate try/catch so auth errors don't silently swallow schema population.
+        // Walk up from outputDir with a sync existsSync check — one stat per level,
+        // one read+parse only when found — instead of an async readWorkspaceConfigRaw
+        // call (WorkspaceConfigManager instantiation + 2 async I/O ops) per level.
+        if (!params.apiSchema) {
+            try {
+                const WS_SUBPATH = path.join(".skyramp", "workspace.yml");
+                // Assumption: outputDir lives somewhere inside the repo tree so the walk-up
+                // eventually reaches .skyramp/workspace.yml. If outputDir is outside the repo
+                // (e.g. /tmp/skyramp-test), the loop exits at the filesystem root without finding
+                // the config — the surrounding try/catch handles this gracefully (non-critical).
+                let searchDir = path.resolve(params.outputDir);
+                let wsConfigPath = null;
+                while (searchDir !== path.dirname(searchDir)) {
+                    const candidate = path.join(searchDir, WS_SUBPATH);
+                    if (fs.existsSync(candidate)) {
+                        wsConfigPath = candidate;
+                        break;
+                    }
+                    searchDir = path.dirname(searchDir);
+                }
+                if (wsConfigPath) {
+                    const wsRaw = yaml.load(fs.readFileSync(wsConfigPath, "utf-8"));
+                    // Best-effort: picks the first service. Multi-service workspaces may have
+                    // the wrong schema if outputDir belongs to a later service — acceptable
+                    // limitation for now; the user can always pass apiSchema explicitly.
+                    const rawSchemaPath = wsRaw?.services?.[0]?.api?.schemaPath;
+                    if (rawSchemaPath && typeof rawSchemaPath === "string") {
+                        const isUrl = rawSchemaPath.startsWith("http://") || rawSchemaPath.startsWith("https://");
+                        // searchDir is the directory where workspace.yml was found — use it as
+                        // the resolution base so relative paths like "../openapi.yml" resolve
+                        // correctly regardless of outputDir depth.
+                        const schemaPath = isUrl
+                            ? rawSchemaPath
+                            : path.resolve(searchDir, rawSchemaPath);
+                        params = { ...params, apiSchema: schemaPath };
+                        logger.info("Auto-populated apiSchema from workspace config", { schemaPath });
+                    }
+                }
+            }
+            catch {
+                // non-critical
+            }
+        }
+        // ── Change 10b: Reject GraphQL endpoint steps ──
+        // Skyramp supports REST testing only; /graphql* requires introspection not implemented.
+        {
+            const graphqlSteps = params.steps.filter((s) => {
+                if (typeof s.path !== "string")
+                    return false;
+                const normalized = s.path.replace(/\/+$/, "").toLowerCase();
+                return normalized.split("/").some((seg) => seg === "graphql");
+            });
+            if (graphqlSteps.length > 0) {
+                return {
+                    isError: true,
+                    content: [{ type: "text", text: `GraphQL endpoints are not supported by Skyramp's test generation.\n` +
+                                `Affected steps: ${graphqlSteps.map((s) => `${s.method} ${s.path}`).join(", ")}\n\n` +
+                                `Skyramp supports REST API testing only. Remove GraphQL steps and use ` +
+                                `the REST endpoints for the same resource instead.`,
+                        }],
+                };
+            }
+        }
+        // ── Change 3: Soft spec path validation ──
+        // Warn when step paths are missing from the spec — proceed with generation regardless.
+        // Hard rejection was removed: specs frequently lag code (new endpoints, undocumented
+        // internal routes, stale auto-gen) so a missing path != a phantom path.
+        let specValidationWarning = "";
+        if (params.apiSchema) {
+            try {
+                const isUrl = params.apiSchema.startsWith("http://") || params.apiSchema.startsWith("https://");
+                let specText;
+                if (isUrl) {
+                    const specRes = await fetch(params.apiSchema, { signal: AbortSignal.timeout(10_000) });
+                    if (!specRes.ok) {
+                        throw new Error(`HTTP ${specRes.status} ${specRes.statusText} fetching spec at ${params.apiSchema}`);
+                    }
+                    specText = await specRes.text();
+                }
+                else {
+                    // Note: relative apiSchema paths resolve against outputDir, not the workspace root.
+                    // In practice apiSchema is always absolute (Gap Fix 2 / schema guidance), so this is safe.
+                    specText = fs.readFileSync(path.resolve(params.outputDir, params.apiSchema), "utf-8");
+                }
+                // js-yaml handles both JSON and YAML specs
+                const specLoaded = yaml.load(specText);
+                const specPaths = new Set(Object.keys((specLoaded && typeof specLoaded === "object" ? specLoaded.paths : null) ?? {}));
+                if (specPaths.size === 0) {
+                    logger.warning("Spec loaded but contains no paths — skipping path check", {
+                        apiSchema: params.apiSchema,
+                    });
+                }
+                else {
+                    const unverifiedSteps = params.steps.filter((s) => {
+                        if (typeof s.path !== "string")
+                            return false;
+                        const norm = s.path.replace(/:[a-zA-Z_][a-zA-Z0-9_]*/g, (m) => `{${m.slice(1)}}`);
+                        return !specPaths.has(s.path) && !specPaths.has(norm);
+                    });
+                    if (unverifiedSteps.length > 0) {
+                        specValidationWarning =
+                            `\n\n⚠️ **Spec warning** — the following paths were not found in \`${params.apiSchema}\` ` +
+                                `(spec may be stale or incomplete — verify paths against source before running tests):\n` +
+                                unverifiedSteps.map((s) => `  ${s.method} ${s.path}`).join("\n") +
+                                `\n\nKnown spec paths (first 20): ${[...specPaths].slice(0, 20).join(", ")}`;
+                        logger.warning("Step paths not found in spec — proceeding (spec may lag code)", {
+                            unverifiedPaths: unverifiedSteps.map((s) => s.path),
+                            apiSchema: params.apiSchema,
+                        });
+                    }
+                }
+            }
+            catch (err) {
+                logger.warning("Spec check skipped — could not load apiSchema", {
+                    apiSchema: params.apiSchema,
+                    error: err instanceof Error ? err.message : String(err),
+                });
+            }
+        }
         const service = new ScenarioGenerationService();
         const steps = params.steps;
         const scenarioSlug = params.scenarioName.toLowerCase().replace(/[^a-z0-9_-]+/g, "-").replace(/^-+|-+$/g, "") || "scenario";
@@ -261,7 +382,8 @@ Call \`skyramp_integration_test_generation\` with the returned \`scenarioFile\`
                         + `**Scenario:** ${params.scenarioName}\n`
                         + `**Steps:**\n${steps.map((s, i) => `  ${i + 1}. ${s.method} ${s.path} → ${s.statusCode ?? "default"}`).join("\n")}\n\n`
                         + `**File:** ${filePath}\n\n`
-                        + `**Next:** Call \`skyramp_integration_test_generation\` with \`scenarioFile: "${filePath}"\``,
+                        + `**Next:** Call \`skyramp_integration_test_generation\` with \`scenarioFile: "${filePath}"\``
+                        + specValidationWarning,
                 },
             ],
             isError: false,

package/build/tools/generate-tests/generateBatchScenarioRestTool.test.js

@@ -1,9 +1,35 @@
-jest.mock("../../services/ScenarioGenerationService.js", () => ({ ScenarioGenerationService: jest.fn() }));
-jest.mock("../../services/AnalyticsService.js", () => ({ AnalyticsService: { pushMCPToolEvent: jest.fn() } }));
-jest.mock("../../utils/workspaceAuth.js", () => ({ getWorkspaceAuthConfig: jest.fn(), WorkspaceAuthType: { None: "none" } }));
+jest.mock("../../services/ScenarioGenerationService.js", () => ({
+    ScenarioGenerationService: jest.fn().mockImplementation(() => ({
+        generateTraceRequestFromInput: jest.fn().mockReturnValue(null),
+    })),
+}));
+jest.mock("../../services/AnalyticsService.js", () => ({ AnalyticsService: { pushMCPToolEvent: jest.fn().mockResolvedValue(undefined) } }));
+jest.mock("../../utils/workspaceAuth.js", () => ({
+    getWorkspaceAuthConfig: jest.fn().mockResolvedValue({ authHeader: undefined, authType: "none" }),
+    WorkspaceAuthType: { None: "none" },
+    getDefaultAuthHeader: jest.fn().mockReturnValue(""),
+    isAuthorizationHeaderName: jest.fn().mockReturnValue(false),
+    getAuthScheme: jest.fn().mockReturnValue(""),
+    readWorkspaceConfigRaw: jest.fn().mockResolvedValue(null),
+}));
 jest.mock("../../utils/logger.js", () => ({ logger: { info: jest.fn(), warning: jest.fn(), error: jest.fn() } }));
 jest.mock("../../prompts/personas.js", () => ({ getPersonaPrefix: () => "" }));
-import { stepSchema } from "./generateBatchScenarioRestTool.js";
+import fs from "fs";
+import { stepSchema, registerBatchScenarioTestTool } from "./generateBatchScenarioRestTool.js";
+/** Build a minimal mock McpServer, register the tool, and return the captured handler. */
+function captureHandler() {
+    let capturedHandler;
+    const mockServer = {
+        registerTool: jest.fn((_name, _meta, handler) => {
+            capturedHandler = handler;
+        }),
+    };
+    registerBatchScenarioTestTool(mockServer);
+    return capturedHandler;
+}
+// ─────────────────────────────────────────────────────────────────────────────
+// stepSchema — requestBody validation
+// ─────────────────────────────────────────────────────────────────────────────
 describe("stepSchema — requestBody validation", () => {
     it("accepts a POST step with a non-empty requestBody", () => {
         const result = stepSchema.safeParse({
@@ -45,7 +71,6 @@ describe("stepSchema — requestBody validation", () => {
         expect(issue?.message).toContain("PUT");
     });
     it("accepts a POST step with requestBody omitted entirely", () => {
-        // The validation only rejects {} when present — omitting requestBody is still allowed
         const result = stepSchema.safeParse({
             method: "POST",
             path: "/api/v1/products",
@@ -53,13 +78,12 @@ describe("stepSchema — requestBody validation", () => {
         expect(result.success).toBe(true);
     });
     it("does not throw on requestBody: 'null' (valid JSON null)", () => {
-        // parsed === null must not cause Object.keys to throw
         const result = stepSchema.safeParse({
             method: "POST",
             path: "/api/v1/products",
             requestBody: "null",
         });
-        expect(result.success).toBe(true); // null is not an empty object — not rejected
+        expect(result.success).toBe(true);
     });
     it("accepts a GET step with no requestBody", () => {
         const result = stepSchema.safeParse({
@@ -76,8 +100,6 @@ describe("stepSchema — requestBody validation", () => {
         expect(result.success).toBe(true);
     });
     it("does not reject a GET step that happens to have an empty requestBody", () => {
-        // GET with empty body is unusual but not blocked — the validation only
-        // applies to body methods (POST/PUT/PATCH)
         const result = stepSchema.safeParse({
             method: "GET",
             path: "/api/v1/products",
@@ -86,3 +108,177 @@ describe("stepSchema — requestBody validation", () => {
         expect(result.success).toBe(true);
     });
 });
+// ─────────────────────────────────────────────────────────────────────────────
+// GraphQL step rejection (Change 10b)
+// ─────────────────────────────────────────────────────────────────────────────
+describe("generateBatchScenarioRestTool — GraphQL step rejection (Change 10b)", () => {
+    let handler;
+    const baseParams = {
+        scenarioName: "test_scenario",
+        destination: "localhost",
+        outputDir: "/tmp/skyramp-test",
+    };
+    beforeEach(() => {
+        jest.clearAllMocks();
+        handler = captureHandler();
+    });
+    it("rejects a step list containing /graphql", async () => {
+        const result = await handler({
+            ...baseParams,
+            steps: [{ method: "POST", path: "/graphql", requestBody: '{"query":"{ users { id } }"}' }],
+        });
+        expect(result.isError).toBe(true);
+        expect(result.content[0].text).toContain("GraphQL endpoints are not supported");
+        expect(result.content[0].text).toContain("POST /graphql");
+    });
+    it("rejects a step list containing /api/graphql (nested segment)", async () => {
+        const result = await handler({
+            ...baseParams,
+            steps: [
+                { method: "GET", path: "/api/v1/users" },
+                { method: "POST", path: "/api/graphql", requestBody: '{"query":"{ id }"}' },
+            ],
+        });
+        expect(result.isError).toBe(true);
+        expect(result.content[0].text).toContain("GraphQL endpoints are not supported");
+        expect(result.content[0].text).toContain("POST /api/graphql");
+    });
+    it("does not reject a path whose segment is 'graphql-config' (not an exact segment match)", async () => {
+        // 'graphql-config' !== 'graphql' — the guard uses exact segment comparison.
+        // The GraphQL rejection message must never appear, regardless of whether the
+        // handler succeeds or fails for some other reason.
+        const result = await handler({
+            ...baseParams,
+            steps: [{ method: "GET", path: "/api/v1/graphql-config" }],
+        });
+        expect(result.content[0].text).not.toContain("GraphQL endpoints are not supported");
+    });
+    it("does not throw on a non-string path (typeof guard)", async () => {
+        // typeof guard returns false for non-string — no crash from .replace()
+        const result = await handler({
+            ...baseParams,
+            steps: [{ method: "GET", path: undefined }],
+        });
+        expect(result).toBeDefined();
+        if (result.isError) {
+            expect(result.content[0].text).not.toContain("Cannot read");
+        }
+    });
+});
+// ─────────────────────────────────────────────────────────────────────────────
+// Spec path validation (Change 3)
+// ─────────────────────────────────────────────────────────────────────────────
+describe("generateBatchScenarioRestTool — spec path validation (Change 3)", () => {
+    let handler;
+    let readFileSyncSpy;
+    const fakeSpec = JSON.stringify({
+        openapi: "3.0.0",
+        paths: {
+            "/api/v1/users": {},
+            "/api/v1/users/{id}": {},
+        },
+    });
+    const baseParams = {
+        scenarioName: "test_scenario",
+        destination: "localhost",
+        outputDir: "/tmp/skyramp-test",
+        apiSchema: "/tmp/openapi.json",
+    };
+    let writeFileSyncSpy;
+    beforeEach(() => {
+        jest.clearAllMocks();
+        handler = captureHandler();
+        readFileSyncSpy = jest.spyOn(fs, "readFileSync").mockReturnValue(fakeSpec);
+        writeFileSyncSpy = jest.spyOn(fs, "writeFileSync").mockImplementation(() => { });
+        // Return a valid trace so tests reach the success path (where the warning is appended)
+        const ScenarioSvc = require("../../services/ScenarioGenerationService.js").ScenarioGenerationService;
+        ScenarioSvc.mockImplementation(() => ({
+            generateTraceRequestFromInput: jest.fn().mockReturnValue({ method: "GET", path: "/mock" }),
+        }));
+    });
+    afterEach(() => {
+        readFileSyncSpy.mockRestore();
+        writeFileSyncSpy.mockRestore();
+    });
+    it("warns (does not hard-reject) when step paths are not in the OpenAPI spec", async () => {
+        // Spec may lag code — missing path != phantom path, so we warn and proceed.
+        const result = await handler({
+            ...baseParams,
+            steps: [{ method: "GET", path: "/api/v1/phantom-endpoint" }],
+        });
+        expect(result.isError).toBeFalsy();
+        expect(result.content[0].text).toContain("Spec warning");
+        expect(result.content[0].text).toContain("/api/v1/phantom-endpoint");
+        expect(result.content[0].text).toContain("Known spec paths");
+    });
+    it("includes no spec warning when step path is present in the OpenAPI spec", async () => {
+        const result = await handler({
+            ...baseParams,
+            steps: [{ method: "GET", path: "/api/v1/users" }],
+        });
+        expect(result.content[0].text).not.toContain("Spec warning");
+    });
+    it("does not warn for Express-style :param paths that normalise to a spec path", async () => {
+        const result = await handler({
+            ...baseParams,
+            steps: [{ method: "GET", path: "/api/v1/users/:id" }],
+        });
+        expect(result.content[0].text).not.toContain("Spec warning");
+    });
+    it("does not throw on a non-string path (typeof guard)", async () => {
+        const result = await handler({
+            ...baseParams,
+            steps: [{ method: "GET", path: undefined }],
+        });
+        expect(result).toBeDefined();
+        expect(result.content[0].text).not.toContain("TypeError");
+        expect(result.content[0].text).not.toContain("Cannot read");
+    });
+    it("includes known spec paths hint in the warning message", async () => {
+        const result = await handler({
+            ...baseParams,
+            steps: [{ method: "POST", path: "/does/not/exist" }],
+        });
+        expect(result.isError).toBeFalsy();
+        expect(result.content[0].text).toContain("/api/v1/users");
+    });
+});
+describe("generateBatchScenarioRestTool — spec URL fetch safety (comment 3203006665)", () => {
+    let handler;
+    const baseParams = {
+        scenarioName: "test_scenario",
+        destination: "localhost",
+        outputDir: "/tmp/skyramp-test",
+        apiSchema: "https://example.com/openapi.json",
+        steps: [{ method: "GET", path: "/api/v1/users" }],
+    };
+    beforeEach(() => {
+        jest.clearAllMocks();
+        handler = captureHandler();
+    });
+    it("skips spec check (no warning emitted) when URL returns non-2xx", async () => {
+        global.fetch = jest.fn().mockResolvedValue({
+            ok: false,
+            status: 404,
+            statusText: "Not Found",
+            text: async () => "<html>Not Found</html>",
+        });
+        const result = await handler({ ...baseParams });
+        // Non-2xx throws → caught → spec check skipped entirely, no warning in output
+        expect(result.content[0].text).not.toContain("Spec warning");
+    });
+    it("skips spec check (no warning emitted) when spec has no paths", async () => {
+        global.fetch = jest.fn().mockResolvedValue({
+            ok: true,
+            status: 200,
+            statusText: "OK",
+            text: async () => JSON.stringify({ openapi: "3.0.0", info: { title: "Test", version: "1.0" } }),
+        });
+        const result = await handler({ ...baseParams });
+        expect(result.content[0].text).not.toContain("Spec warning");
+    });
+    afterEach(() => {
+        // Restore fetch
+        delete global.fetch;
+    });
+});

package/build/tools/generate-tests/generateContractRestTool.js

@@ -4,7 +4,7 @@ import { baseTestSchema, TestType } from "../../types/TestTypes.js";
 import { TestGenerationService, } from "../../services/TestGenerationService.js";
 import { AnalyticsService } from "../../services/AnalyticsService.js";
 import { getPersonaPrefix } from "../../prompts/personas.js";
-import { isContractConsumerModeEnabled } from "../../utils/featureFlags.js";
+import { isContractConsumerModeEnabled, isTestbotEnabled } from "../../utils/featureFlags.js";
 // SKYRAMP_FEATURE_CONTRACT_CONSUMER_MODE gates BOTH:
 //   1. Consumer-side contract test generation (`consumerMode` /
 //      `consumerOutput` schema fields, validation, post-gen instructions,
@@ -16,6 +16,7 @@ import { isContractConsumerModeEnabled } from "../../utils/featureFlags.js";
 //
 // `providerMode` itself is exposed regardless of the flag.
 const CONSUMER_MODE_ENABLED = isContractConsumerModeEnabled();
+const ADD_ASSERTIONS_DEFAULT = isTestbotEnabled();
 // "Requires apiSchema." plus a mode-aware "Not allowed with ..." clause for
 // the parent-provisioning fields. Generated once so wording stays in lockstep
 // with the feature flag.
@@ -23,6 +24,10 @@ const PARENT_FIELD_NOT_ALLOWED_NOTE = CONSUMER_MODE_ENABLED
     ? "Requires apiSchema. Not allowed with consumerMode or skipProvisionParents."
     : "Requires apiSchema. Not allowed with skipProvisionParents.";
 const baseContractTestSchema = {
+    enhanceAssertions: z
+        .boolean()
+        .default(ADD_ASSERTIONS_DEFAULT)
+        .describe("When true, calls skyramp_enhance_assertions after test generation to add richer response-body assertions. Disabled by default. Automatically enabled when running as testbot-feature. Do not override the default value of this parameter, unless the user explicitly asks to enable it."),
     ...baseTestSchema,
     pathParams: z
         .string()
@@ -149,7 +154,7 @@ export class ContractTestService extends TestGenerationService {
         if (params.providerMode) {
             content.push({
                 type: "text",
-                text: this.buildProviderPostGenInstructions(params),
+                text: this.buildProviderPostGenInstructions(params, params.enhanceAssertions),
             });
         }
         else {
@@ -219,27 +224,22 @@ ${step5}
     }
     buildSampleDataInstructions(params) {
         return `
-⏭️ **CRITICAL NEXT STEP — Replace placeholder sample data:**
-
-**Part 1 — Replace placeholder values in the generated file:**
+### CRITICAL NEXT STEP — Replace placeholder sample data
 
 ${this.buildPlaceholderReplacementBlock(params)}
 `;
     }
-    buildProviderPostGenInstructions(params) {
-        return `
-⏭️ **CRITICAL NEXT STEP — Replace placeholder data and enhance assertions:**
-
-⏭️ **CRITICAL — Part 1 — Replace placeholder values in the generated file:**
-
-${this.buildPlaceholderReplacementBlock(params, "continue to Part 2")}
-
----
-
-⏭️ **CRITICAL — Part 2 — Enhance response body assertions:**
-
-Call \`skyramp_enhance_assertions\` with \`testFile\` set to the absolute path of the generated provider contract test file, \`testType: "contract"\`, and \`enhanceType: "generation"\`. Apply every instruction returned to that file.
-`;
+    buildProviderPostGenInstructions(params, enhanceAssertions = false) {
+        const steps = [];
+        const nextStepNote = enhanceAssertions ? "continue to Step 2" : undefined;
+        steps.push(`### Step ${steps.length + 1} — Replace placeholder values [REQUIRED]\n\n${this.buildPlaceholderReplacementBlock(params, nextStepNote)}`);
+        if (enhanceAssertions) {
+            steps.push(`### Step ${steps.length + 1} — Enhance response body assertions [REQUIRED]\nCall \`skyramp_enhance_assertions\` with \`testFile\` set to the absolute path of the generated provider contract test file, \`testType: "contract"\`, and \`enhanceType: "generation"\`. Apply every instruction returned to that file.`);
+        }
+        const heading = enhanceAssertions
+            ? "Replace placeholder data and enhance assertions"
+            : "Replace placeholder data";
+        return `\n### CRITICAL NEXT STEP — ${heading}\n\n${steps.join("\n\n")}`;
     }
     buildConsumerStubReplacementInstructions() {
         return `

package/build/tools/generate-tests/generateIntegrationRestTool.js

@@ -4,8 +4,14 @@ import { TestGenerationService, } from "../../services/TestGenerationService.js"
 import { AnalyticsService } from "../../services/AnalyticsService.js";
 import { AUTH_CONFLICT_ERROR_MSG } from "../../prompts/test-recommendation/recommendationSections.js";
 import { getPersonaPrefix } from "../../prompts/personas.js";
+import { isTestbotEnabled } from "../../utils/featureFlags.js";
+const ADD_ASSERTIONS_DEFAULT = isTestbotEnabled();
 const integrationTestSchema = z
     .object({
+    enhanceAssertions: z
+        .boolean()
+        .default(ADD_ASSERTIONS_DEFAULT)
+        .describe("When true, calls skyramp_enhance_assertions after test generation to add richer response-body assertions. Disabled by default. Automatically enabled when running as testbot-feature. Do not override the default value of this parameter, unless the user explicitly asks to enable it."),
     ...baseTestSchema,
     chainingKey: z
         .string()
@@ -41,6 +47,8 @@ export class IntegrationTestService extends TestGenerationService {
         const result = await super.generateTest(params);
         if (result.isError)
             return result;
+        if (!params.enhanceAssertions)
+            return result;
         const content = [...result.content];
         content.push({
             type: "text",
@@ -50,8 +58,7 @@ export class IntegrationTestService extends TestGenerationService {
     }
     buildAssertionEnhancementInstructions() {
         return `
-**CRITICAL NEXT STEP — Enhance response body assertions after each request:**
-
+### CRITICAL NEXT STEP — Enhance response body assertions after each request
 Call \`skyramp_enhance_assertions\` with \`testFile\` set to the absolute path of the generated test file, \`testType: "integration"\`, and \`enhanceType: "generation"\`. Apply every instruction returned to that file.
 `;
     }