@sun-asterisk/sungen 2.6.14 → 2.7.0-beta.0

package/dist/orchestrator/templates/ai-instructions/claude-skill-viewpoint.md

@@ -1,268 +1,97 @@
 ---
 name: sungen-viewpoint
-description: '10 UI patterns x 4 viewpoints — structured checklist for test case generation and review. Auto-loaded by create-test and review commands.'
+description: '17 UI patterns x 4 viewpoints — structured checklist for test case
+  generation and review. Auto-loaded by create-test and review commands.'
 user-invocable: false
 ---
 
-## 4 Viewpoints
-
-| VP | Focus | Keyword |
-|---|---|---|
-| **UI/UX** | Interface states, layout, feedback | VP-UI |
-| **Data & Validate** | Input constraints, data integrity, error messages | VP-VAL |
-| **Logic** | Business rules, interactions, state changes | VP-LOGIC |
-| **Security** | Auth, injection, permissions | VP-SEC |
-
-## Shared Checks (apply across all patterns)
-
-These appear in multiple patterns — test once per screen, not per pattern:
-
-| Check | ER |
-|---|---|
-| **Loading State** | Spinner/skeleton shown, UI interaction locked during fetch |
-| **Empty State** | Clear message when no data, layout intact |
-| **XSS/Injection** | Malicious input sanitized to plain text, never executed |
-| **URL Manipulation** | Invalid URL params fallback to defaults, no server crash |
-
----
-
-## GROUP 1: DATA ENTRY
-
-### 1. Form & Inputs
-
-**UI/UX**
-- Field States: disabled/readonly fields dimmed and locked, no interaction allowed
-- Button States: Submit disabled when form invalid, auto-enabled when valid
-- Keyboard Nav: Tab order correct, Enter submits form
-
-**Data & Validate**
-- Required/Optional: blank required field shows error; optional allows blank
-- Boundaries & Format: min/max length, format (email, number) with error messages
-- Whitespace: auto-trim or reject spaces-only input
-- Error Recovery: error at correct field, disappears immediately when user corrects data
-
-**Logic**
-- Field Dependencies: Field A value determines Field B status/options
-- Double Submit Prevention: button disabled after first click, only 1 request sent
-- Success Flow: redirect / success toast / form reset
-- Failure Flow: server error retains form data + shows system error
-
-**Security**
-- → Shared: XSS/Injection
-
----
-
-## GROUP 2: DATA MANAGEMENT
+## How to use this skill
 
-### 2. Data Table
+This skill is a **router**. The detailed checklists live in 5 group files — load only the ones relevant to the screen under test.
 
-**UI/UX**
-- → Shared: Empty State, Loading State
-- Truncation: long content shows `...` with tooltip on hover, column width stable
-- Sticky Elements: fixed header on vertical scroll, fixed action column on horizontal scroll
+1. Read the **4 Viewpoints** and **Shared Checks** below (always).
+2. Identify which UI patterns the screen contains, resolve any overlap via **Pattern selection** below, then read **only** the matching group file(s) from the routing table.
+3. Generate Tier 1 (`@high`) scenarios first, then Tier 2 (`@normal` + `@low`). Apply each Shared Check **once per screen**, not once per pattern.
 
-**Data & Validate**
-- Record Count: "Total records" on UI matches server data exactly
-- Row Limit: displayed rows never exceed configured page size
-- Cell Integrity: cell data matches database, correct format (date, currency, status label)
-
-**Logic**
-- Sorting: column sort refreshes table with correct order, updates header icon
-- Row Actions: Edit/Delete/View buttons act on correct row ID
-
-**Security**
-- RBAC: hide sensitive columns or privileged action buttons without authority
-- → Shared: XSS/Injection (data from DB displayed safely)
-
----
-
-### 3. Create / Add
-
-**UI/UX**
-- Blank Slate: all fields empty or BA-specified defaults, NO cache from previous operation
-- Required Indicator: required fields marked with visual cue (e.g., red *)
-- Unsaved Changes: navigate away with dirty form → browser/system warning popup
-
-**Data & Validate**
-- → Inherited: all Form & Inputs validation rules apply
-- Unique Constraint: duplicate unique field (e.g., Employee ID) → reject save, inline error
-- Data Dependency: selecting parent field loads correct child options
-
-**Logic**
-- Save & Close: toast notification, redirect to list, new record visible per sort rule
-- Save & Add Another: save to DB, form resets to blank for next entry
-- Double Submit Prevention: → same as Form & Inputs
-- Cancel: form closes, NO garbage record in DB, next open shows blank form
-
-**Security**
-- API Bypass / 403: unauthorized POST → system blocks (403 Forbidden), no record created
-- → Shared: XSS/Injection (persisted safely, not executed on display)
-
----
-
-### 4. Update / Edit
-
-**UI/UX**
-- Pre-fill / Data Binding: all fields display exact current DB data (text, dropdown, radio, date...)
-- Readonly Fields: identity fields (ID, username, employee code) disabled, no interaction
-- Cancel: no data changed in DB; if dirty → unsaved changes warning
-
-**Data & Validate**
-- → Inherited: all Form & Inputs validation rules apply
-- Unique Self: saving without changing unique field → success, no self-duplicate error
-- Unique Conflict: changing unique field to existing value → duplicate error, block save
-- Unchanged Submit: Save disabled until dirty, or success without DB UPDATE
-
-**Logic**
-- Update Success: toast "Updated successfully", new data reflects on UI immediately without reload
-- Concurrent Edit: another user already edited → conflict warning, require reload
-
-**Security**
-- Authorization / 403: access edit without permission → 403 page
-- Not Found / 404: edit deleted object → 404
-
----
+> All checklist items are written in English. Render scenario names, step text, and test IDs in English.
 
-### 5. Delete
+## Routing table
 
-**UI/UX**
-- Confirmation: click Delete → MUST show confirmation dialog, delete button in warning color
-- Cancel: popup closes, record intact on UI and DB, no API called
-- Success Update: toast "Deleted successfully", record disappears immediately without reload
-- Pagination Fallback: delete only record on current page → auto-navigate to previous page
-
-**Data & Validate — Dependencies**
-- Independent: delete succeeds normally
-- Referenced (Restrict): delete parent with children → blocked, clear error "in use at [Module]"
-- Referenced (Cascade): warning first, then deletes parent AND all related children
-- Referenced (Set Null): parent deleted, child reference set to Unassigned/Empty
-
-**Logic — Storage**
-- Soft Delete: record hidden from UI, DB retains with status flag (is_deleted, deleted_at)
-- Hard Delete: record removed from UI AND permanently deleted from DB
-
-**Security**
-- Deleted Access / 404: soft or hard delete → direct URL/API returns 404
-- API Bypass: API delete on restricted object → backend rejects with business error, no 500
-
----
-
-### 6. Search
-
-**UI/UX**
-- → Shared: Empty State ("No results found"), Loading State
-- Clear Action: search box empties, list reloads default data
-
-**Data & Validate**
-- Whitespace: auto-trim, results match cleaned keyword
-- Input Limits: prevent beyond max length or show error
-- Normalization: case-insensitive, handles accented characters correctly
-
-**Logic**
-- Matching: partial/exact match returns correct results, no 500
-- Multi-keyword: results based on AND/OR logic per spec
-- Debounce: ~300ms delay before API call
-
-**Security**
-- → Shared: XSS/Injection
-- Wildcards: `%`, `_`, `*` treated as literal text (escaped), not DB commands
-
----
-
-### 7. Filter
-
-**UI/UX**
-- Feedback: selected filters displayed as tags/badges
-- Persistence: collapse/expand retains selected values
-- Conflicts: conflicting conditions show "No data" message, layout intact
-
-**Data & Validate**
-- Range Validation: start > end or min > max → field error, Apply disabled
-- Dropdown Integrity: options match 100% of actual data, hide unauthorized values
-
-**Logic**
-- AND/OR Logic: results satisfy correct filter logic, total count updated
-- Dependent Filters: selecting Filter A updates Filter B options
-- Reset & Navigation: reset returns original data or preserves state per spec
-
-**Security**
-- → Shared: URL Manipulation
-
----
-
-### 8. Pagination
-
-**UI/UX**
-- Boundary States: Previous/First disabled on page 1, Next/Last disabled on last page
-- Active Page: highlighted, loading effect during page transition
-- Hidden: pagination bar hidden when data fits one page
-
-**Data & Validate**
-- Label Consistency: "Viewing X of Y" matches actual data exactly
-- Zero Records: pagination hidden, empty state displayed
-
-**Logic**
-- Navigation: loads correct dataset for page (page 2, limit 10 = records 11-20)
-- Change Page Size: shows correct quantity, resets to page 1
-- Interaction Resets: new search/filter resets to page 1
-
-**Security**
-- → Shared: URL Manipulation
-
----
-
-## GROUP 3: NAVIGATION & CONTAINERS
-
-### 9. Modal / Dialog
-
-**UI/UX**
-- Overlay: centered modal, backdrop blur, background scroll locked
-- Focus Trapping: Tab key cycles only within modal elements
-- Responsive: modal resizes, action buttons always visible or scrollable
+| UI element on the screen | Pattern | Read file |
+|---|---|---|
+| Plain input form (settings, profile, contact) | 1. Form & Inputs **(base)** | `group-a-data-entry.md` |
+| File picker / drop zone | 2. File Upload | `group-a-data-entry.md` |
+| Bulk import / export | 3. Import / Export | `group-a-data-entry.md` |
+| "Add" / "Create" / "New" | 4. Create / Add | `group-b-data-ops.md` |
+| "Edit" / pencil icon / inline edit | 5. Update / Edit | `group-b-data-ops.md` |
+| "Delete" / trash icon | 6. Delete | `group-b-data-ops.md` |
+| Rows + columns grid | 7. Data Table | `group-c-data-explore.md` |
+| Search box / search bar | 8. Search | `group-c-data-explore.md` |
+| Filter controls (dropdown, date range, checkboxes) | 9. Filter | `group-c-data-explore.md` |
+| Card / list grid, infinite scroll, "Load More" | 10. List / Card View | `group-c-data-explore.md` |
+| Charts / KPI cards / dashboard | 11. Chart / Analytics | `group-d-display.md` |
+| Overlay panel on top of the page | 12. Modal / Dialog | `group-d-display.md` |
+| Side menu / tabs / breadcrumb / top nav | 13. Navigation | `group-d-display.md` |
+| Toast / snackbar / alert / banner | 14. Notification / Toast / Alert | `group-d-display.md` |
+| Login form / logout button | 15. Login / Logout | `group-e-identity.md` |
+| Sign-up form / SSO | 16. Register | `group-e-identity.md` |
+| Forgot / reset / change password | 17. Password Management | `group-e-identity.md` |
+
+## Pattern selection (precedence & inheritance)
+
+A screen often matches several patterns at once — a login screen is *both* a form and an authentication flow. Use these rules so the choice is deterministic and scenarios are never duplicated:
+
+1. **Most specific wins.** Pick the most specialized pattern as the screen's primary section. Auth and CRUD forms route to their specific pattern, NOT to Form & Inputs:
+   - Login/logout → **15**, sign-up → **16**, forgot/reset/change password → **17**
+   - Create form → **4**, edit form → **5**
+2. **Form & Inputs (1) is a BASE pattern, not a sibling.** Generate it as its own section only for a plain form with no more-specific role (settings, profile, contact). When a specialization applies, do NOT also create a separate "Form & Inputs" section.
+3. **Inheritance.** A specialized form pattern (4, 5, 15, 16, 17) **inherits** Form & Inputs field-level validation (required, format, maxlength, whitespace, real-time error clear) and adds its own rules. Apply the inherited checks inside the specialized section — generate each check once, never twice.
+4. **Genuinely parallel pairs** — these cover different concerns; choose per the table:
+
+   | If the screen has… | Decision |
+   |---|---|
+   | A grid of records | Pick **7. Data Table** *or* **10. List/Card** by layout (rows+columns → Table; cards/tiles/infinite-scroll → List/Card) — not both for the same surface |
+   | Both a keyword box and filter controls | Apply **8. Search** *and* **9. Filter** (Search = free-text match; Filter = structured narrowing) + one combined AND-logic scenario |
+   | A form rendered inside an overlay | Apply the form's pattern (1/4/5/15…) for fields/submit **and** **12. Modal/Dialog** for open/close/focus-trap/backdrop |
 
-**Data & Validate**
-- Dismiss Actions: close via X, Cancel, Escape, backdrop click → resets data to default on reopen
+## 4 Viewpoints
 
-**Logic**
-- Submit Success: action button shows loading, modal closes, background data updated
-- Submit Failure: modal stays open, shows error message, retains entered data
-- Stacked Modals: Modal B over A has higher z-index, closing B keeps A intact
+| VP | Focus | Tag |
+|---|---|---|
+| **UI/UX** | Interface state, layout, visual feedback | VP-UI |
+| **Data & Validate** | Input constraints, data integrity, error messages | VP-VAL |
+| **Logic** | Business rules, interactions, state changes | VP-LOGIC |
+| **Security** | Authentication, authorization, injection | VP-SEC |
 
-**Security**
-- DOM Cleanup: remove HTML from DOM on close to protect sensitive data
-- Reload: handles deep linking if present
+**Classification rules:**
+- VP-UI = state that is always true regardless of what the user does (element present, layout, label)
+- VP-VAL = outcome depends on the input *value* (valid / invalid / boundary)
+- VP-LOGIC = outcome depends on the user's *action* (click, submit, navigate)
+- VP-SEC = checks access control and malicious input
 
 ---
 
-## GROUP 4: DISPLAY PATTERNS
-
-### 10. List / Card
-
-**UI/UX**
-- → Shared: Empty State, Loading State
-- Hover Effect: shadow/scale on card hover
-- Content: text truncation without breaking card height, placeholder image on broken image
+## Shared Checks
 
-**Data & Validate**
-- Integrity: data fields (price, status, tag) 100% accurate vs system
-- Total Count: matches actual database count after filtering
+Generate **once per screen**, do not repeat for each pattern.
+Each pattern only points back with "Shared checks applied: [name]".
 
-**Logic**
-- Navigation: clicking card navigates to correct detail page
-- Direct Actions: Like/Add to Cart updates immediately without reloading list
-- Infinite Scroll / Load More: appends records, maintains scroll position
-- Layout Toggle: Grid/List view switch changes UI but preserves data
+| Check | Condition → Expected | VP | Priority |
+|---|---|---|---|
+| **Loading State** | Data fetch in progress → spinner/skeleton shown, user cannot interact | UI | @normal |
+| **Empty State** | Query returns 0 records → clear message shown, layout does not break | UI | @normal |
+| **XSS** | Script tag entered into a field → rendered as literal text, not executed | SEC | @high |
+| **SQL injection** | SQL payload entered into a field → DB unaffected, no data exposed | SEC | @high |
+| **URL Manipulation** | URL params wrong/missing/out-of-range → fallback to default, no 500 crash | SEC | @high |
 
-**Security**
-- RBAC: hide sensitive data or privileged buttons from DOM
-- Network Resilience: error message + "Retry" button on connection loss
+> **SQL injection — 2 layers for search/LIKE fields**: (1) field-level: UI blocks special chars → `@high` automated; (2) API-level: if the field reaches a LIKE query (search, partial-match), send `1 OR 1=1` straight to the API endpoint (bypassing the UI) → verify a parameterized query is used → `@high @manual`. Missing layer 2 = a real attack vector is overlooked even when field validation is correct.
 
 ---
 
 ## Security Tag Rules
 
 For VP-SEC scenarios testing **unauthorized access** (no login, wrong role, direct URL):
-- Use **`@no-auth`** tag — runs without authentication to verify redirect/block.
+- Use the **`@no-auth`** tag — runs without authentication to verify the redirect/block.
 - Do NOT use `@manual` for these — they are automatable.
 
 ```gherkin

package/dist/orchestrator/templates/ai-instructions/copilot-cmd-review.md

@@ -23,23 +23,24 @@ You are a **Senior QA Reviewer**. You evaluate Gherkin test cases using the `sun
 1. **Enumerate feature files** — glob `<base>/<name>/features/*.feature`. A screen may have one main file (`<name>.feature`) plus sub-features (`<name>-<sub>.feature` like `awards-modal.feature`); a flow has a single `<name>.feature`. If zero `.feature` files found → `/sungen-create-test` first.
 2. **Review every feature file** — for each `<basename>.feature` discovered in step 1:
    - Read `<basename>.feature` and the matching `test-data/<basename>.yaml`.
-   - Apply the `sungen-tc-review` skill — score 3 dimensions: Syntax (30pts), Coverage (40pts), Viewpoint (30pts). **For flows**, also apply the "Flow Review Additions" section. Use `sungen-viewpoint` for pattern checklists.
-   - Apply the **Unverified Selectors check** — if `<base>/<name>/selectors/<basename>.yaml` exists, count lines matching `@needs-live-verify`. Include in the per-file report as a non-scoring metric. Does NOT affect the 60% threshold.
+   - Apply the `sungen-tc-review` skill — score the **7-dimension rubric (100 pts)**: Structure & Format (15), Coverage (30), Assertion Quality (20), Test Data (10), Security & Permission (10), Automation Readiness (10), Maintainability (5). **For flows**, also apply the flow-specific checks (Layer A7 "Tags & Flow"). Use `sungen-viewpoint` for pattern checklists.
+   - Apply the **Unverified Selectors check** — if `<base>/<name>/selectors/<basename>.yaml` exists, count lines matching `@needs-live-verify`. Include in the per-file report as a non-scoring metric. Does NOT affect the score or the PASS threshold.
 3. **Aggregated output** — present scores in a per-feature table, then a screen-level rollup:
 
    ```
-   Feature              Syntax  Coverage  Viewpoint  Total  Verdict
-   ──────────────────────────────────────────────────────────────────
-   home.feature           28/30    36/40      27/30   91%   PASS
-   home-modal.feature     26/30    24/40      22/30   72%   PASS
-   ──────────────────────────────────────────────────────────────────
-   Screen rollup (mean)   27/30    30/40      24.5/30 81.5% PASS
+   Feature              Total  Verdict       Unverified
+   ─────────────────────────────────────────────────────
+   home.feature           88   PASS          0
+   home-modal.feature     64   CONDITIONAL   2
+   ─────────────────────────────────────────────────────
+   Screen rollup (mean)   76   PASS
    ```
 
-   - **>= 60% per file**: PASS that file.
-   - **< 60% per file**: FAIL that file with recommendations.
-   - Show the full per-file report (recommendations, top issues) **only for files that fail**, or when the user asks for the deep report.
-4. If any file is FAIL and user confirms → update that file's test cases following `sungen-gherkin-syntax` and `sungen-tc-generation` skills, then re-review **only the failing files** (skip already-passing ones to save time).
+   - **>= 70**: PASS that file.
+   - **50–69**: CONDITIONAL — fix before execution.
+   - **< 50**: FAIL — revise & re-review.
+   - "Unverified" = count of `@needs-live-verify` selectors (non-scoring). Show the full per-file report (dimension breakdown, recommendations, top issues) **only for files that are CONDITIONAL or FAIL**, or when the user asks for the deep report.
+4. If any file is CONDITIONAL or FAIL and user confirms → update that file's test cases following `sungen-gherkin-syntax` and `sungen-tc-generation` skills, then re-review **only those files** (skip already-passing ones to save time).
 5. After all files PASS (or user decides to proceed), offer next steps:
 
 - **`/sungen-run-test ${input:name}`** — Generate selectors, compile, and run tests for **every feature** in this screen (Recommended)

package/dist/orchestrator/templates/ai-instructions/copilot-config.md

@@ -12,7 +12,7 @@ You generate 3 files for sungen — a Gherkin compiler that produces Playwright
 | `sungen-tc-generation` | Test case generation strategy, output format |
 | `sungen-test-design-techniques` | EP, BVA, Decision Table, State Transition — systematic scenario generation |
 | `sungen-tc-review` | Review scoring, quality rules, checklist |
-| `sungen-viewpoint` | 10 UI patterns x 4 viewpoints — coverage checklists |
+| `sungen-viewpoint` | 17 UI patterns x 4 viewpoints — coverage checklists |
 | `sungen-selector-keys` | YAML key generation from `[Reference]` names, suffixes, lookup priority |
 | `sungen-selector-fix` | Selector generation from live page, auto-fix strategy |
 | `sungen-delivery` | Export Gherkin + Playwright results → CSV test case deliverable |

package/dist/orchestrator/templates/ai-instructions/github-skill-sungen-delivery.md

@@ -59,7 +59,7 @@ The CLI reads the **per-target result file first** (co-located with `.spec.ts`),
 
 | CSV Column | Source |
 |------------|--------|
-| TC ID | Generated: `<SCREEN_UPPER>-<VP>-<NNN>` |
+| TC ID | Generated, namespaced per screen/flow: `<SCREEN_UPPER>-<CAT>-<NNN>` (e.g. `VP-SEC-001` on screen `login` → `LOGIN-SEC-001`). The namespace makes it globally unique — the stable key the dashboard tracks each test case by. |
 | Category 1 | Scenario name with VP prefix stripped |
 | Category 2 | VP group: `VP-SEC`→Accessing, `VP-UI`→GUI, `VP-VAL`/`VP-LOGIC`→Function |
 | Category 3 | Feature name (first line of `.feature`) |

package/dist/orchestrator/templates/ai-instructions/github-skill-sungen-gherkin-syntax.md

@@ -198,6 +198,20 @@ Any tag not listed above passes through to Playwright `{ tag: [...] }`. Feature-
 | `@auto` | Standard scenario, ready for automation |
 | Any custom | e.g., `@sprint-42`, `@team-payment` — any tag works |
 
+**Assign priority by user impact** (canonical mapping — override only when context differs):
+
+| Scenario type | Tag |
+|---|---|
+| Auth redirect / unauthenticated access | `@high` |
+| CRUD happy path (create / update / delete — success) | `@high` |
+| Core business rule, state transition | `@high` |
+| XSS, SQL injection, permission blocked | `@high` |
+| Required field error, unique/duplicate constraint | `@high` |
+| Format validation (email, phone, date…) | `@normal` |
+| Boundary value — inclusive (`<=`, `>=`) → `@high`; standard range → `@normal` | `@normal` |
+| Secondary features (search, filter, sort, pagination) | `@normal` |
+| Element presence, label, placeholder, tooltip | `@low` |
+
 **Run filtered:**
 ```bash
 npx playwright test --grep "@smoke"          # only smoke tests
@@ -352,12 +366,10 @@ Feature: User Management
   Scenario: Create user shows form
     When User click [Add User] button
     Then User see [Create User] dialog
-    # After test: overlay auto-dismissed, forms auto-cleared by base.ts
 
   Scenario: Search user by name
     When User fill [Search] field with {{search_name}}
     Then User see [User Row] row
-    # After test: search field auto-cleared by base.ts
 ```
 
 | Tag | What base.ts does after each test |
@@ -371,27 +383,9 @@ Feature: User Management
 
 Only when `@cleanup:*` tags aren't enough — feature-specific logic.
 
-```gherkin
-@auth:admin
-@cleanup:overlay
-Feature: Dashboard
-  Path: /dashboard
-
-  Background:
-    Given User is on [Dashboard] page
-
-  @afterEach
-  Scenario: Reset dashboard filters
-    When User select [Date Filter] dropdown with {{default_period}}
-
-  Scenario: Filter by last week
-    When User select [Date Filter] dropdown with {{last_week}}
-    Then User see [Revenue Chart] section
-```
-
 ### Layer 3: `@beforeAll` / `@afterAll` (optional)
 
-For one-time setup/teardown. Low priority — most e2e tests don't need these.
+For one-time setup/teardown.
 
 **Rendering order in `.spec.ts`:**
 `test.describe` → `test.use(storageState)` → `test.use(autoCleanup)` → `test.beforeAll` → `test.beforeEach` → `test.afterEach` → `test.afterAll` → `test()` blocks