@skyramp/mcp 0.1.7 → 0.2.0-rc.1

package/build/services/ScenarioGenerationService.integration.test.js

@@ -0,0 +1,158 @@
+/**
+ * Integration test: verifies query params survive the full pipeline
+ * TS (ScenarioGenerationService) → JSON file → Go binary → generated test code
+ *
+ * Requires: @skyramp/skyramp native dylib (skips if not available)
+ */
+import fs from "fs";
+import path from "path";
+import os from "os";
+import { ScenarioGenerationService } from "./ScenarioGenerationService.js";
+let SkyrampClient;
+try {
+    SkyrampClient = require("@skyramp/skyramp").SkyrampClient;
+}
+catch {
+    SkyrampClient = null;
+}
+// These tests require the native Go binary which is platform-specific.
+// Skip in CI or when the binary isn't available for this OS/arch.
+const isCI = Boolean(process.env.CI || process.env.GITHUB_ACTIONS);
+const describeIfBinary = SkyrampClient && !isCI ? describe : describe.skip;
+function buildTrace(overrides) {
+    const service = new ScenarioGenerationService();
+    return service.generateTraceRequestFromInput({
+        scenarioName: "integration-qp-test",
+        destination: "localhost",
+        baseURL: "http://localhost:8080",
+        method: "GET",
+        path: "/api/v1/items",
+        outputDir: os.tmpdir(),
+        authHeader: "",
+        authScheme: "",
+        ...overrides,
+    });
+}
+describeIfBinary("QueryParams integration: TS → JSON → Go binary → generated code", () => {
+    let tmpDir;
+    let outputDir;
+    let client;
+    // Go dylib cold-starts can take a few seconds
+    jest.setTimeout(15000);
+    beforeAll(() => {
+        client = new SkyrampClient();
+    });
+    afterAll(() => {
+        client?.close?.();
+    });
+    beforeEach(() => {
+        tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), "skyramp-qp-integration-"));
+        outputDir = path.join(tmpDir, "output");
+        fs.mkdirSync(outputDir);
+    });
+    afterEach(() => {
+        fs.rmSync(tmpDir, { recursive: true, force: true });
+    });
+    async function generateFromTrace(trace) {
+        const traceFile = path.join(tmpDir, "scenario.json");
+        fs.writeFileSync(traceFile, JSON.stringify([trace], null, 2));
+        await client.generateRestTest({
+            testType: "integration",
+            language: "python",
+            framework: "pytest",
+            outputDir,
+            force: true,
+            traceFilePath: traceFile,
+        });
+        const files = fs.readdirSync(outputDir).filter((f) => f.endsWith(".py"));
+        if (files.length === 0)
+            throw new Error("No generated test file found");
+        return fs.readFileSync(path.join(outputDir, files[0]), "utf8");
+    }
+    it("bracket-notation keys pass through to generated test code", async () => {
+        // Simulates: GET /api/v1/items?filter[status][_eq]=published&limit=25
+        const trace = buildTrace({
+            queryParams: '{"filter[status][_eq]":"published","limit":25}',
+        });
+        expect(trace).not.toBeNull();
+        expect(trace.QueryParams).toEqual({
+            "filter[status][_eq]": ["published"],
+            "limit": ["25"],
+        });
+        const code = await generateFromTrace(trace);
+        expect(code).toContain("filter[status][_eq]");
+        expect(code).toContain("published");
+        expect(code).toContain("limit");
+        expect(code).toContain("25");
+    });
+    it("simple flat params pass through to generated test code", async () => {
+        // Simulates: GET /api/v1/items?page=2&status=active
+        const trace = buildTrace({
+            queryParams: '{"page":2,"status":"active"}',
+        });
+        expect(trace).not.toBeNull();
+        expect(trace.QueryParams).toEqual({
+            page: ["2"],
+            status: ["active"],
+        });
+        const code = await generateFromTrace(trace);
+        expect(code).toContain("page");
+        expect(code).toContain("2");
+        expect(code).toContain("status");
+        expect(code).toContain("active");
+    });
+    it("JSON-encoded string value (Elasticsearch-style) passes through intact", async () => {
+        // Simulates: GET /search?source={"query":{"match":{"name":"bear"}}}
+        const trace = buildTrace({
+            queryParams: '{"source":"{\\"query\\":{\\"match\\":{\\"name\\":\\"bear\\"}}}"}',
+        });
+        expect(trace).not.toBeNull();
+        expect(trace.QueryParams).toEqual({
+            source: ['{"query":{"match":{"name":"bear"}}}'],
+        });
+        const code = await generateFromTrace(trace);
+        expect(code).toContain("source");
+        expect(code).toMatch(/query.*match.*name.*bear/);
+    });
+    it("array params are comma-joined into a single value in generated code", async () => {
+        // Simulates: GET /products?tags=sale,new
+        const trace = buildTrace({
+            queryParams: '{"tags":["sale","new"]}',
+        });
+        expect(trace).not.toBeNull();
+        expect(trace.QueryParams).toEqual({
+            tags: ["sale,new"],
+        });
+        const code = await generateFromTrace(trace);
+        expect(code).toContain("tags");
+        expect(code).toContain("sale,new");
+    });
+    it("null params are omitted — not present in generated code", async () => {
+        // null means "don't include this param" — same as axios/fetch omitting undefined
+        const trace = buildTrace({
+            queryParams: '{"limit":10,"cursor":null}',
+        });
+        expect(trace).not.toBeNull();
+        expect(trace.QueryParams).toEqual({
+            limit: ["10"],
+        });
+        const code = await generateFromTrace(trace);
+        expect(code).toContain("limit");
+        expect(code).toContain("10");
+        expect(code).not.toContain("cursor");
+    });
+    it("nested object fallback produces valid JSON string in generated code", async () => {
+        // LLM mistakenly sends nested object — service JSON-stringifies it
+        const trace = buildTrace({
+            queryParams: '{"filter":{"status":"active"}}',
+        });
+        expect(trace).not.toBeNull();
+        expect(trace.QueryParams).toEqual({
+            filter: ['{"status":"active"}'],
+        });
+        const code = await generateFromTrace(trace);
+        expect(code).toContain("filter");
+        expect(code).not.toContain("[object Object]");
+        expect(code).not.toContain("map[");
+    });
+});

package/build/services/ScenarioGenerationService.js

@@ -5,6 +5,10 @@ import { logger } from "../utils/logger.js";
 import { stageGeneratedPaths } from "../utils/gitStaging.js";
 import fs from "fs";
 import path from "path";
+// Keys that trigger built-in prototype setters when used as bracket-notation
+// property names on a plain object — guard against prototype pollution from
+// LLM-controlled or user-controlled JSON input.
+const PROTO_KEYS = new Set(["__proto__", "constructor", "prototype"]);
 export class ScenarioGenerationService {
     async parseScenario(params) {
         try {
@@ -40,6 +44,12 @@ export class ScenarioGenerationService {
                         existingRequests = [];
                     }
                 }
+                if (existingRequests.length > 0) {
+                    const lastTimestamp = existingRequests[existingRequests.length - 1].Timestamp;
+                    const lastMs = new Date(lastTimestamp).getTime();
+                    const newMs = Math.max(lastMs + 1000, Date.now());
+                    traceRequest.Timestamp = new Date(newMs).toISOString();
+                }
                 existingRequests.push(traceRequest);
                 fs.writeFileSync(filePath, JSON.stringify(existingRequests, null, 2), "utf8");
                 // Stage so testbot includes the generated files in its output commit.
@@ -139,15 +149,38 @@ ${JSON.stringify(traceRequest, null, 2)}
         const requestHeaders = {
             "Content-Type": ["application/json"],
         };
+        // Go backend expects url.Values (map[string][]string). We always produce
+        // single-element arrays — the Go codegen normalises multi-element string arrays
+        // into a JSON array string (e.g. ["sale","new"]), which is not what most APIs
+        // expect. Comma-joining covers the common case; APIs needing true repeated keys
+        // (e.g. ?tags=sale&tags=new) are not supported by the current Go codegen path.
         const queryParams = {};
         if (params.queryParams) {
             try {
                 const parsed = JSON.parse(params.queryParams);
                 if (parsed && typeof parsed === "object" && !Array.isArray(parsed)) {
                     for (const [k, v] of Object.entries(parsed)) {
-                        queryParams[k] = Array.isArray(v)
-                            ? v.map((item) => typeof item === "object" && item !== null ? JSON.stringify(item) : String(item))
-                            : [typeof v === "object" && v !== null ? JSON.stringify(v) : String(v)];
+                        if (PROTO_KEYS.has(k))
+                            continue;
+                        if (v === null)
+                            continue;
+                        let value;
+                        if (Array.isArray(v)) {
+                            const items = v
+                                .filter((item) => item !== null)
+                                .map((item) => (typeof item === "object" ? JSON.stringify(item) : String(item)));
+                            if (items.length === 0)
+                                continue;
+                            value = items.join(",");
+                        }
+                        else if (typeof v === "object") {
+                            logger.warning("Nested object in queryParams — JSON-stringifying as fallback; LLM should provide flat keys", { key: k });
+                            value = JSON.stringify(v);
+                        }
+                        else {
+                            value = String(v);
+                        }
+                        queryParams[k] = [value];
                     }
                 }
                 else {

package/build/services/ScenarioGenerationService.test.js

@@ -1,3 +1,6 @@
+import fs from "fs";
+import os from "os";
+import path from "path";
 import { ScenarioGenerationService } from "./ScenarioGenerationService.js";
 import { AUTH_PLACEHOLDER_TOKEN } from "../types/TestTypes.js";
 const BASE_PARAMS = {
@@ -197,39 +200,145 @@ describe("ScenarioGenerationService — auth header flavors", () => {
     });
 });
 describe("ScenarioGenerationService — queryParams handling", () => {
-    it("serializes a flat primitive object correctly", () => {
-        const trace = generateTrace({ queryParams: '{"limit":"10","status":"active"}' });
-        expect(trace.QueryParams).toEqual({ limit: ["10"], status: ["active"] });
+    // --- Primitive values (strings, numbers, booleans) ---
+    it("coerces string values into single-element arrays", () => {
+        const trace = generateTrace({ queryParams: '{"status":"active"}' });
+        expect(trace.QueryParams).toEqual({ status: ["active"] });
     });
-    it("serializes numeric and boolean primitive values as strings", () => {
-        const trace = generateTrace({ queryParams: '{"page":2,"active":true}' });
-        expect(trace.QueryParams).toEqual({ page: ["2"], active: ["true"] });
+    it("coerces numeric values to string", () => {
+        const trace = generateTrace({ queryParams: '{"limit":10,"offset":0}' });
+        expect(trace.QueryParams).toEqual({ limit: ["10"], offset: ["0"] });
     });
-    it("JSON-stringifies nested object values instead of producing [object Object]", () => {
-        const trace = generateTrace({ queryParams: '{"filter":{"status":"active","min_price":10}}' });
-        expect(trace).not.toBeNull();
-        const filterVal = trace.QueryParams["filter"][0];
-        expect(filterVal).not.toBe("[object Object]");
-        expect(filterVal).toBe('{"status":"active","min_price":10}');
+    it("coerces boolean values to string", () => {
+        const trace = generateTrace({ queryParams: '{"active":true,"deleted":false}' });
+        expect(trace.QueryParams).toEqual({ active: ["true"], deleted: ["false"] });
     });
-    it("JSON-stringifies nested objects inside an array value", () => {
-        const trace = generateTrace({ queryParams: '{"ids":[{"id":1},{"id":2}]}' });
-        expect(trace).not.toBeNull();
-        expect(trace.QueryParams["ids"]).toEqual(['{"id":1}', '{"id":2}']);
+    it("coerces empty string to single-element array", () => {
+        const trace = generateTrace({ queryParams: '{"q":""}' });
+        expect(trace.QueryParams).toEqual({ q: [""] });
+    });
+    it("passes bracket-notation keys through verbatim (Directus regression)", () => {
+        // Root cause of the original P0: filter[title][_neq] must reach the Go backend
+        // as the literal key string, not as a nested object or [object Object].
+        const trace = generateTrace({
+            queryParams: '{"filter[status][_eq]":"published","filter[date_created][_gte]":"2024-01-01","limit":25}',
+        });
+        expect(trace.QueryParams["filter[status][_eq]"]).toEqual(["published"]);
+        expect(trace.QueryParams["filter[date_created][_gte]"]).toEqual(["2024-01-01"]);
+        expect(trace.QueryParams["limit"]).toEqual(["25"]);
+    });
+    // --- Null omission ---
+    it("omits null values entirely (prevents ?status=null in URL)", () => {
+        // null means "omit this param" — same convention as axios/fetch omitting undefined params
+        const trace = generateTrace({ queryParams: '{"cursor":null,"limit":20}' });
+        expect(trace.QueryParams["cursor"]).toBeUndefined();
+        expect(trace.QueryParams["limit"]).toEqual(["20"]);
+    });
+    it("omits all-null object leaving only non-null keys", () => {
+        const trace = generateTrace({ queryParams: '{"a":null,"b":null,"c":"keep"}' });
+        expect(trace.QueryParams).toEqual({ c: ["keep"] });
+    });
+    // --- Array values: filter nulls, comma-join into single element ---
+    it("array of strings joins into single comma-separated value", () => {
+        const trace = generateTrace({ queryParams: '{"tags":["sale","new","featured"]}' });
+        expect(trace.QueryParams["tags"]).toEqual(["sale,new,featured"]);
+    });
+    it("array of mixed primitives coerces each to string then joins", () => {
+        const trace = generateTrace({ queryParams: '{"ids":[1,2,"three",true,0,false]}' });
+        expect(trace.QueryParams["ids"]).toEqual(["1,2,three,true,0,false"]);
+    });
+    it("array with null items filters nulls before joining", () => {
+        const trace = generateTrace({ queryParams: '{"tags":[null,"active",null,"pending"]}' });
+        expect(trace.QueryParams["tags"]).toEqual(["active,pending"]);
+    });
+    it("array with all-null items omits the key entirely", () => {
+        const trace = generateTrace({ queryParams: '{"tags":[null,null],"limit":5}' });
+        expect(trace.QueryParams["tags"]).toBeUndefined();
+        expect(trace.QueryParams["limit"]).toEqual(["5"]);
     });
-    it("passes through an array of primitive values unchanged", () => {
-        const trace = generateTrace({ queryParams: '{"tags":["a","b","c"]}' });
-        expect(trace.QueryParams["tags"]).toEqual(["a", "b", "c"]);
+    it("empty array omits the key (no items after filtering)", () => {
+        const trace = generateTrace({ queryParams: '{"ids":[],"limit":10}' });
+        expect(trace.QueryParams["ids"]).toBeUndefined();
+        expect(trace.QueryParams["limit"]).toEqual(["10"]);
     });
-    it("produces empty QueryParams when queryParams is omitted", () => {
+    it("array containing objects JSON-stringifies each then joins", () => {
+        const trace = generateTrace({
+            queryParams: '{"filters":[{"field":"status","value":"active"},{"field":"price","op":"gte","value":"10"}]}',
+        });
+        expect(trace.QueryParams["filters"]).toEqual([
+            '{"field":"status","value":"active"},{"field":"price","op":"gte","value":"10"}',
+        ]);
+    });
+    it("array mixing objects, primitives, and nulls: filters nulls, stringifies objects, joins all", () => {
+        const trace = generateTrace({
+            queryParams: '{"mixed":[null,{"nested":true},"plain",42,null]}',
+        });
+        expect(trace.QueryParams["mixed"]).toEqual(['{"nested":true},plain,42']);
+    });
+    // --- Nested object fallback: JSON.stringify ---
+    it("nested object is JSON-stringified as fallback", () => {
+        const trace = generateTrace({
+            queryParams: '{"filter":{"status":"active","min_price":10}}',
+        });
+        expect(trace.QueryParams["filter"]).toEqual(['{"status":"active","min_price":10}']);
+    });
+    it("deeply nested object is fully JSON-stringified", () => {
+        const trace = generateTrace({
+            queryParams: '{"filter":{"title":{"_neq":"not-a-number"}}}',
+        });
+        expect(trace.QueryParams["filter"]).toEqual(['{"title":{"_neq":"not-a-number"}}']);
+    });
+    it("empty nested object is JSON-stringified to '{}'", () => {
+        const trace = generateTrace({ queryParams: '{"filter":{}}' });
+        expect(trace.QueryParams["filter"]).toEqual(["{}"]);
+    });
+    // --- JSON parsing and object validation ---
+    it("omitted queryParams produces empty QueryParams", () => {
         const trace = generateTrace({});
         expect(trace.QueryParams).toEqual({});
     });
-    it("produces empty QueryParams and does not throw for invalid JSON", () => {
-        const trace = generateTrace({ queryParams: "not-valid-json" });
+    it("invalid JSON produces empty QueryParams without throwing", () => {
+        const trace = generateTrace({ queryParams: "not-valid-json{" });
         expect(trace).not.toBeNull();
         expect(trace.QueryParams).toEqual({});
     });
+    it("JSON array (not object) produces empty QueryParams", () => {
+        const trace = generateTrace({ queryParams: '["limit","10"]' });
+        expect(trace.QueryParams).toEqual({});
+    });
+    it("JSON null produces empty QueryParams", () => {
+        const trace = generateTrace({ queryParams: "null" });
+        expect(trace.QueryParams).toEqual({});
+    });
+    it("JSON number produces empty QueryParams", () => {
+        const trace = generateTrace({ queryParams: "42" });
+        expect(trace.QueryParams).toEqual({});
+    });
+    it("JSON string produces empty QueryParams", () => {
+        const trace = generateTrace({ queryParams: '"just a string"' });
+        expect(trace.QueryParams).toEqual({});
+    });
+    it("empty object produces empty QueryParams", () => {
+        const trace = generateTrace({ queryParams: '{}' });
+        expect(trace.QueryParams).toEqual({});
+    });
+    // --- Security: PROTO_KEYS guard ---
+    it("skips __proto__ key to prevent prototype pollution via setter", () => {
+        const trace = generateTrace({
+            queryParams: '{"__proto__":{"polluted":true},"limit":10}',
+        });
+        expect(Object.hasOwn(trace.QueryParams, "__proto__")).toBe(false);
+        expect(Object.getPrototypeOf(trace.QueryParams)).toBe(Object.prototype);
+        expect(trace.QueryParams["limit"]).toEqual(["10"]);
+    });
+    it("skips constructor and prototype keys", () => {
+        const trace = generateTrace({
+            queryParams: '{"constructor":"pwned","prototype":"evil","valid":"yes"}',
+        });
+        expect(Object.hasOwn(trace.QueryParams, "constructor")).toBe(false);
+        expect(Object.hasOwn(trace.QueryParams, "prototype")).toBe(false);
+        expect(trace.QueryParams["valid"]).toEqual(["yes"]);
+    });
 });
 describe("ScenarioGenerationService — baseURL parsing", () => {
     it("parses http baseURL correctly", () => {
@@ -262,3 +371,30 @@ describe("ScenarioGenerationService — baseURL parsing", () => {
         expect(trace.Port).toBe(80);
     });
 });
+describe("ScenarioGenerationService — timestamp chaining", () => {
+    it("assigns strictly increasing timestamps across multiple parseScenario calls", async () => {
+        const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), "skyramp-ts-test-"));
+        const service = new ScenarioGenerationService();
+        const baseParams = {
+            scenarioName: "timestamp-chain-test",
+            destination: "api.example.com",
+            method: "GET",
+            path: "/api/v1/items",
+            outputDir: tmpDir,
+            baseURL: "http://localhost:8000",
+        };
+        await service.parseScenario({ ...baseParams, method: "POST", path: "/api/v1/items" });
+        await service.parseScenario({ ...baseParams, method: "GET", path: "/api/v1/items/1" });
+        await service.parseScenario({ ...baseParams, method: "DELETE", path: "/api/v1/items/1" });
+        const fileName = "scenario_timestamp-chain-test.json";
+        const filePath = path.join(tmpDir, fileName);
+        const requests = JSON.parse(fs.readFileSync(filePath, "utf8"));
+        expect(requests).toHaveLength(3);
+        for (let i = 1; i < requests.length; i++) {
+            const prev = new Date(requests[i - 1].Timestamp).getTime();
+            const curr = new Date(requests[i].Timestamp).getTime();
+            expect(curr).toBeGreaterThan(prev);
+        }
+        fs.rmSync(tmpDir, { recursive: true, force: true });
+    });
+});

package/build/tools/generate-tests/generateBatchScenarioRestTool.js

@@ -48,10 +48,22 @@ export const stepSchema = z.object({
         .string()
         .optional()
         .refine(isJsonObject, { message: "queryParams must be a JSON object string (e.g. '{\"limit\":\"10\"}')." })
-        .describe("JSON string of URL query parameters (e.g., '{\"q\": \"bear\", \"limit\": 10}'). "
-        + "Use this for GET request filters, search terms, pagination, sorting — any parameter that belongs in the URL query string. "
-        + "CRITICAL: For search/filter/list endpoints (e.g., GET /products/search?q=bear&limit=10), parameters MUST go here, NOT in requestBody. "
-        + "GET request bodies are non-standard and may be ignored or rejected by servers and frameworks, so always encode these parameters in the URL query string instead of the request body."),
+        .describe(`JSON string of URL query parameters. Provide a FLAT object where each key is the exact URL parameter name and each value is a string or number (single value per key).
+
+<examples>
+  <example label="simple params">{"q": "bear", "limit": 10}</example>
+  <example label="bracket-notation keys">{"filter[title][_neq]": "not-a-number"}</example>
+  <example label="multi-value as comma-separated">{"tags": "sale,new,featured"}</example>
+  <example label="JSON-encoded string value">{"filter": "{\\\"status\\\":\\\"active\\\"}"}</example>
+</examples>
+
+For multi-value params (e.g. ?tags=sale,new), provide a comma-separated string: "tags": "sale,new". Arrays are accepted but will be comma-joined into one value — note this produces a single ?tags=sale,new param, not repeated ?tags=sale&tags=new keys.
+
+If you provide nested objects, the service JSON-stringifies them as a fallback, but you should inspect the target API source to determine the correct key format and use that directly.
+
+Use this for GET request filters, search terms, pagination, sorting — any parameter that belongs in the URL query string.
+
+CRITICAL: For search/filter/list endpoints (e.g., GET /products/search?q=bear&limit=10), parameters MUST go here, NOT in requestBody. GET request bodies are non-standard and may be ignored or rejected by servers and frameworks.`),
     responseBody: z
         .string()
         .optional()

package/build/tools/generate-tests/generateIntegrationRestTool.js

@@ -28,6 +28,8 @@ const integrationTestSchema = z
         "When provided, DO NOT also pass apiSchema or endpointURL — the scenario file already contains all endpoint information."),
     ...codeRefactoringSchema.shape,
     ...baseTestSchema,
+    apiSchema: baseTestSchema.apiSchema.describe("MUST be absolute path(/path/to/openapi.json) to the OpenAPI/Swagger schema file or a URL to the OpenAPI/Swagger schema file(e.g. https://demoshop.skyramp.dev/openapi.json). DO NOT TRY TO ASSUME THE OPENAPI SCHEMA IF NOT PROVIDED. NOTE TO AI ASSISTANTS: You do not need to read the contents of this file - simply pass the file path as the backend will read and process it. " +
+        "When an OpenAPI schema is provided, this tool automatically derives a CRUD scenario flow (Create → Read → Update → Delete) directly from the schema."),
     output: baseTestSchema.output.describe("Name of the output test file. " +
         "When scenarioFile is provided and user did not specify a name, derive it: " +
         "strip the path and 'scenario_' prefix, replace hyphens/non-alphanum with underscores, append '_integration_test' + language extension. " +

package/build/tools/generate-tests/generateUIRestTool.js

@@ -96,6 +96,8 @@ This tells you exactly which frontend files changed so you record traces for the
 
 **Typical pipeline:** Use the \`browser_*\` tools (\`browser_navigate\`, \`browser_click\`, \`browser_type\`, etc.) to record user interactions, then call \`skyramp_export_zip\` to export a trace zip, then pass the absolute path to that zip as \`playwrightInput\` here.
 
+**DOM Analyzer tools for blueprint-aware recording:** alongside the basic \`browser_*\` interaction tools, the Skyramp MCP exposes \`browser_blueprint\` (canonical PageBlueprint capture), \`browser_blueprint_diff\` (structured before/after delta), \`browser_widget_contract_lookup\` (interaction recipe for custom widgets by fingerprint), and the sitemap tools \`browser_sitemap_build\` / \`browser_sitemap_query\`. These enable semantic target selection and delta-derived assertions: capture a blueprint before each meaningful action, perform the action, then capture again — the diff between the two grounds your assertions in observable state changes rather than author guesses about what "success" looks like.
+
 **CRITICAL: Do NOT use skyramp_start_trace_collection/skyramp_stop_trace_collection for UI test recording — use browser_* tools + skyramp_export_zip instead.**`,
         inputSchema: uiTestSchema,
         _meta: {

package/build/tools/test-management/analyzeChangesTool.js

@@ -292,6 +292,11 @@ export const analyzeChangesInputSchema = {
         .refine((v) => path.isAbsolute(v), { message: "stateOutputFile must be an absolute path" })
         .optional()
         .describe("Absolute path where the state file should be written. When provided, overrides the default auto-generated temp path so the caller can locate it without log parsing."),
+    testsRepoDir: z
+        .string()
+        .refine((v) => path.isAbsolute(v), { message: "testsRepoDir must be an absolute path" })
+        .optional()
+        .describe("Absolute path to a separate test repository clone. When set, existing test discovery scans this directory instead of repositoryPath. Used in cross-repo test delivery mode where tests live in a separate repo."),
 };
 export function registerAnalyzeChangesTool(server) {
     server.registerTool(TOOL_NAME, {
@@ -504,7 +509,8 @@ to produce a unified state file for the test health workflow.
             let discoveredRelevantExternalPaths = [];
             try {
                 const testDiscoveryService = new TestDiscoveryService();
-                const discoveryResult = await testDiscoveryService.discoverTests(params.repositoryPath, { changedResources });
+                const testScanPath = params.testsRepoDir ?? params.repositoryPath;
+                const discoveryResult = await testDiscoveryService.discoverTests(testScanPath, { changedResources });
                 existingTests = discoveryResult.tests.map((test) => ({
                     testFile: test.testFile,
                     testType: test.testType,

package/build/utils/routeParsers.js

@@ -20,6 +20,18 @@ export function nextjsFileToApiPath(filePath) {
 }
 // UI component file extensions are unambiguously frontend — never route definitions.
 const UI_COMPONENT_EXT = /\.(jsx|tsx|vue|svelte)$/i;
+// Frontend-file extensions for UI-change detection (broader than UI_COMPONENT_EXT —
+// includes template/markup files that backend-only PRs won't touch). Used by
+// testbot-prompts.ts to gate the UI pre-scan and capture-act-capture sections,
+// and anywhere else that needs to ask "does this PR touch the frontend?".
+// Single source of truth for that question.
+export const UI_FILE_EXTENSIONS = ['tsx', 'jsx', 'vue', 'svelte', 'html', 'xml'];
+// Git pathspec form of the UI-file filter — usable directly with `git diff`'s
+// trailing pathspec args, no external tool needed. Avoids the "agent shell
+// has grep aliased to rg" failure mode where `grep -E` becomes `rg -E`
+// (which means `--encoding`, not extended regex). Each entry is `*.ext`;
+// pass them as `-- '*.tsx' '*.jsx' ...` to git diff.
+export const UI_FILE_GIT_PATHSPEC = UI_FILE_EXTENSIONS.map(ext => `'*.${ext}'`).join(' ');
 export function parseRouteLine(line, sourceFile) {
     const stripped = line.replace(/^[+-]\s*/, "").trim();
     const isComponent = UI_COMPONENT_EXT.test(sourceFile);

package/node_modules/playwright/ThirdPartyNotices.txt

@@ -153,8 +153,8 @@ This project incorporates components from the projects listed below. The origina
 -	node-releases@2.0.19 (https://github.com/chicoxyzzy/node-releases)
 -	normalize-path@3.0.0 (https://github.com/jonschlinkert/normalize-path)
 -	picocolors@1.1.1 (https://github.com/alexeyraspopov/picocolors)
--	picomatch@2.3.1 (https://github.com/micromatch/picomatch)
--	picomatch@4.0.3 (https://github.com/micromatch/picomatch)
+-	picomatch@2.3.2 (https://github.com/micromatch/picomatch)
+-	picomatch@4.0.4 (https://github.com/micromatch/picomatch)
 -	pretty-format@30.2.0 (https://github.com/jestjs/jest)
 -	react-is@18.3.1 (https://github.com/facebook/react)
 -	readdirp@3.6.0 (https://github.com/paulmillr/readdirp)
@@ -4491,7 +4491,7 @@ OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 =========================================
 END OF picocolors@1.1.1 AND INFORMATION
 
-%% picomatch@2.3.1 NOTICES AND INFORMATION BEGIN HERE
+%% picomatch@2.3.2 NOTICES AND INFORMATION BEGIN HERE
 =========================================
 The MIT License (MIT)
 
@@ -4515,9 +4515,9 @@ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 THE SOFTWARE.
 =========================================
-END OF picomatch@2.3.1 AND INFORMATION
+END OF picomatch@2.3.2 AND INFORMATION
 
-%% picomatch@4.0.3 NOTICES AND INFORMATION BEGIN HERE
+%% picomatch@4.0.4 NOTICES AND INFORMATION BEGIN HERE
 =========================================
 The MIT License (MIT)
 
@@ -4541,7 +4541,7 @@ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 THE SOFTWARE.
 =========================================
-END OF picomatch@4.0.3 AND INFORMATION
+END OF picomatch@4.0.4 AND INFORMATION
 
 %% pretty-format@30.2.0 NOTICES AND INFORMATION BEGIN HERE
 =========================================