npm - @sun-asterisk/sungen - Versions diffs - 2.6.15 → 2.7.0-beta.0 - Mend

@sun-asterisk/sungen 2.6.15 → 2.7.0-beta.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (65) hide show

package/src/orchestrator/templates/ai-instructions/claude-skill-viewpoint.md CHANGED Viewed

@@ -1,268 +1,97 @@
 ---
 name: sungen-viewpoint
-description: '10 UI patterns x 4 viewpoints — structured checklist for test case generation and review. Auto-loaded by create-test and review commands.'
+description: '17 UI patterns x 4 viewpoints — structured checklist for test case
+  generation and review. Auto-loaded by create-test and review commands.'
 user-invocable: false
 ---
-## 4 Viewpoints
-| VP | Focus | Keyword |
-|---|---|---|
-| **UI/UX** | Interface states, layout, feedback | VP-UI |
-| **Data & Validate** | Input constraints, data integrity, error messages | VP-VAL |
-| **Logic** | Business rules, interactions, state changes | VP-LOGIC |
-| **Security** | Auth, injection, permissions | VP-SEC |
-## Shared Checks (apply across all patterns)
-These appear in multiple patterns — test once per screen, not per pattern:
-| Check | ER |
-|---|---|
-| **Loading State** | Spinner/skeleton shown, UI interaction locked during fetch |
-| **Empty State** | Clear message when no data, layout intact |
-| **XSS/Injection** | Malicious input sanitized to plain text, never executed |
-| **URL Manipulation** | Invalid URL params fallback to defaults, no server crash |
----
-## GROUP 1: DATA ENTRY
-### 1. Form & Inputs
-**UI/UX**
-- Field States: disabled/readonly fields dimmed and locked, no interaction allowed
-- Button States: Submit disabled when form invalid, auto-enabled when valid
-- Keyboard Nav: Tab order correct, Enter submits form
-**Data & Validate**
-- Required/Optional: blank required field shows error; optional allows blank
-- Boundaries & Format: min/max length, format (email, number) with error messages
-- Whitespace: auto-trim or reject spaces-only input
-- Error Recovery: error at correct field, disappears immediately when user corrects data
-**Logic**
-- Field Dependencies: Field A value determines Field B status/options
-- Double Submit Prevention: button disabled after first click, only 1 request sent
-- Success Flow: redirect / success toast / form reset
-- Failure Flow: server error retains form data + shows system error
-**Security**
-- → Shared: XSS/Injection
----
-## GROUP 2: DATA MANAGEMENT
+## How to use this skill
-### 2. Data Table
+This skill is a **router**. The detailed checklists live in 5 group files — load only the ones relevant to the screen under test.
-**UI/UX**
-- → Shared: Empty State, Loading State
-- Truncation: long content shows `...` with tooltip on hover, column width stable
-- Sticky Elements: fixed header on vertical scroll, fixed action column on horizontal scroll
+1. Read the **4 Viewpoints** and **Shared Checks** below (always).
+2. Identify which UI patterns the screen contains, resolve any overlap via **Pattern selection** below, then read **only** the matching group file(s) from the routing table.
+3. Generate Tier 1 (`@high`) scenarios first, then Tier 2 (`@normal` + `@low`). Apply each Shared Check **once per screen**, not once per pattern.
-**Data & Validate**
-- Record Count: "Total records" on UI matches server data exactly
-- Row Limit: displayed rows never exceed configured page size
-- Cell Integrity: cell data matches database, correct format (date, currency, status label)
-**Logic**
-- Sorting: column sort refreshes table with correct order, updates header icon
-- Row Actions: Edit/Delete/View buttons act on correct row ID
-**Security**
-- RBAC: hide sensitive columns or privileged action buttons without authority
-- → Shared: XSS/Injection (data from DB displayed safely)
----
-### 3. Create / Add
-**UI/UX**
-- Blank Slate: all fields empty or BA-specified defaults, NO cache from previous operation
-- Required Indicator: required fields marked with visual cue (e.g., red *)
-- Unsaved Changes: navigate away with dirty form → browser/system warning popup
-**Data & Validate**
-- → Inherited: all Form & Inputs validation rules apply
-- Unique Constraint: duplicate unique field (e.g., Employee ID) → reject save, inline error
-- Data Dependency: selecting parent field loads correct child options
-**Logic**
-- Save & Close: toast notification, redirect to list, new record visible per sort rule
-- Save & Add Another: save to DB, form resets to blank for next entry
-- Double Submit Prevention: → same as Form & Inputs
-- Cancel: form closes, NO garbage record in DB, next open shows blank form
-**Security**
-- API Bypass / 403: unauthorized POST → system blocks (403 Forbidden), no record created
-- → Shared: XSS/Injection (persisted safely, not executed on display)
----
-### 4. Update / Edit
-**UI/UX**
-- Pre-fill / Data Binding: all fields display exact current DB data (text, dropdown, radio, date...)
-- Readonly Fields: identity fields (ID, username, employee code) disabled, no interaction
-- Cancel: no data changed in DB; if dirty → unsaved changes warning
-**Data & Validate**
-- → Inherited: all Form & Inputs validation rules apply
-- Unique Self: saving without changing unique field → success, no self-duplicate error
-- Unique Conflict: changing unique field to existing value → duplicate error, block save
-- Unchanged Submit: Save disabled until dirty, or success without DB UPDATE
-**Logic**
-- Update Success: toast "Updated successfully", new data reflects on UI immediately without reload
-- Concurrent Edit: another user already edited → conflict warning, require reload
-**Security**
-- Authorization / 403: access edit without permission → 403 page
-- Not Found / 404: edit deleted object → 404
----
+> All checklist items are written in English. Render scenario names, step text, and test IDs in English.
-### 5. Delete
+## Routing table
-**UI/UX**
-- Confirmation: click Delete → MUST show confirmation dialog, delete button in warning color
-- Cancel: popup closes, record intact on UI and DB, no API called
-- Success Update: toast "Deleted successfully", record disappears immediately without reload
-- Pagination Fallback: delete only record on current page → auto-navigate to previous page
-**Data & Validate — Dependencies**
-- Independent: delete succeeds normally
-- Referenced (Restrict): delete parent with children → blocked, clear error "in use at [Module]"
-- Referenced (Cascade): warning first, then deletes parent AND all related children
-- Referenced (Set Null): parent deleted, child reference set to Unassigned/Empty
-**Logic — Storage**
-- Soft Delete: record hidden from UI, DB retains with status flag (is_deleted, deleted_at)
-- Hard Delete: record removed from UI AND permanently deleted from DB
-**Security**
-- Deleted Access / 404: soft or hard delete → direct URL/API returns 404
-- API Bypass: API delete on restricted object → backend rejects with business error, no 500
----
-### 6. Search
-**UI/UX**
-- → Shared: Empty State ("No results found"), Loading State
-- Clear Action: search box empties, list reloads default data
-**Data & Validate**
-- Whitespace: auto-trim, results match cleaned keyword
-- Input Limits: prevent beyond max length or show error
-- Normalization: case-insensitive, handles accented characters correctly
-**Logic**
-- Matching: partial/exact match returns correct results, no 500
-- Multi-keyword: results based on AND/OR logic per spec
-- Debounce: ~300ms delay before API call
-**Security**
-- → Shared: XSS/Injection
-- Wildcards: `%`, `_`, `*` treated as literal text (escaped), not DB commands
----
-### 7. Filter
-**UI/UX**
-- Feedback: selected filters displayed as tags/badges
-- Persistence: collapse/expand retains selected values
-- Conflicts: conflicting conditions show "No data" message, layout intact
-**Data & Validate**
-- Range Validation: start > end or min > max → field error, Apply disabled
-- Dropdown Integrity: options match 100% of actual data, hide unauthorized values
-**Logic**
-- AND/OR Logic: results satisfy correct filter logic, total count updated
-- Dependent Filters: selecting Filter A updates Filter B options
-- Reset & Navigation: reset returns original data or preserves state per spec
-**Security**
-- → Shared: URL Manipulation
----
-### 8. Pagination
-**UI/UX**
-- Boundary States: Previous/First disabled on page 1, Next/Last disabled on last page
-- Active Page: highlighted, loading effect during page transition
-- Hidden: pagination bar hidden when data fits one page
-**Data & Validate**
-- Label Consistency: "Viewing X of Y" matches actual data exactly
-- Zero Records: pagination hidden, empty state displayed
-**Logic**
-- Navigation: loads correct dataset for page (page 2, limit 10 = records 11-20)
-- Change Page Size: shows correct quantity, resets to page 1
-- Interaction Resets: new search/filter resets to page 1
-**Security**
-- → Shared: URL Manipulation
----
-## GROUP 3: NAVIGATION & CONTAINERS
-### 9. Modal / Dialog
-**UI/UX**
-- Overlay: centered modal, backdrop blur, background scroll locked
-- Focus Trapping: Tab key cycles only within modal elements
-- Responsive: modal resizes, action buttons always visible or scrollable
+| UI element on the screen | Pattern | Read file |
+|---|---|---|
+| Plain input form (settings, profile, contact) | 1. Form & Inputs **(base)** | `group-a-data-entry.md` |
+| File picker / drop zone | 2. File Upload | `group-a-data-entry.md` |
+| Bulk import / export | 3. Import / Export | `group-a-data-entry.md` |
+| "Add" / "Create" / "New" | 4. Create / Add | `group-b-data-ops.md` |
+| "Edit" / pencil icon / inline edit | 5. Update / Edit | `group-b-data-ops.md` |
+| "Delete" / trash icon | 6. Delete | `group-b-data-ops.md` |
+| Rows + columns grid | 7. Data Table | `group-c-data-explore.md` |
+| Search box / search bar | 8. Search | `group-c-data-explore.md` |
+| Filter controls (dropdown, date range, checkboxes) | 9. Filter | `group-c-data-explore.md` |
+| Card / list grid, infinite scroll, "Load More" | 10. List / Card View | `group-c-data-explore.md` |
+| Charts / KPI cards / dashboard | 11. Chart / Analytics | `group-d-display.md` |
+| Overlay panel on top of the page | 12. Modal / Dialog | `group-d-display.md` |
+| Side menu / tabs / breadcrumb / top nav | 13. Navigation | `group-d-display.md` |
+| Toast / snackbar / alert / banner | 14. Notification / Toast / Alert | `group-d-display.md` |
+| Login form / logout button | 15. Login / Logout | `group-e-identity.md` |
+| Sign-up form / SSO | 16. Register | `group-e-identity.md` |
+| Forgot / reset / change password | 17. Password Management | `group-e-identity.md` |
+## Pattern selection (precedence & inheritance)
+A screen often matches several patterns at once — a login screen is *both* a form and an authentication flow. Use these rules so the choice is deterministic and scenarios are never duplicated:
+1. **Most specific wins.** Pick the most specialized pattern as the screen's primary section. Auth and CRUD forms route to their specific pattern, NOT to Form & Inputs:
+   - Login/logout → **15**, sign-up → **16**, forgot/reset/change password → **17**
+   - Create form → **4**, edit form → **5**
+2. **Form & Inputs (1) is a BASE pattern, not a sibling.** Generate it as its own section only for a plain form with no more-specific role (settings, profile, contact). When a specialization applies, do NOT also create a separate "Form & Inputs" section.
+3. **Inheritance.** A specialized form pattern (4, 5, 15, 16, 17) **inherits** Form & Inputs field-level validation (required, format, maxlength, whitespace, real-time error clear) and adds its own rules. Apply the inherited checks inside the specialized section — generate each check once, never twice.
+4. **Genuinely parallel pairs** — these cover different concerns; choose per the table:
+   | If the screen has… | Decision |
+   |---|---|
+   | A grid of records | Pick **7. Data Table** *or* **10. List/Card** by layout (rows+columns → Table; cards/tiles/infinite-scroll → List/Card) — not both for the same surface |
+   | Both a keyword box and filter controls | Apply **8. Search** *and* **9. Filter** (Search = free-text match; Filter = structured narrowing) + one combined AND-logic scenario |
+   | A form rendered inside an overlay | Apply the form's pattern (1/4/5/15…) for fields/submit **and** **12. Modal/Dialog** for open/close/focus-trap/backdrop |
-**Data & Validate**
-- Dismiss Actions: close via X, Cancel, Escape, backdrop click → resets data to default on reopen
+## 4 Viewpoints
-**Logic**
-- Submit Success: action button shows loading, modal closes, background data updated
-- Submit Failure: modal stays open, shows error message, retains entered data
-- Stacked Modals: Modal B over A has higher z-index, closing B keeps A intact
+| VP | Focus | Tag |
+|---|---|---|
+| **UI/UX** | Interface state, layout, visual feedback | VP-UI |
+| **Data & Validate** | Input constraints, data integrity, error messages | VP-VAL |
+| **Logic** | Business rules, interactions, state changes | VP-LOGIC |
+| **Security** | Authentication, authorization, injection | VP-SEC |
-**Security**
-- DOM Cleanup: remove HTML from DOM on close to protect sensitive data
-- Reload: handles deep linking if present
+**Classification rules:**
+- VP-UI = state that is always true regardless of what the user does (element present, layout, label)
+- VP-VAL = outcome depends on the input *value* (valid / invalid / boundary)
+- VP-LOGIC = outcome depends on the user's *action* (click, submit, navigate)
+- VP-SEC = checks access control and malicious input
 ---
-## GROUP 4: DISPLAY PATTERNS
-### 10. List / Card
-**UI/UX**
-- → Shared: Empty State, Loading State
-- Hover Effect: shadow/scale on card hover
-- Content: text truncation without breaking card height, placeholder image on broken image
+## Shared Checks
-**Data & Validate**
-- Integrity: data fields (price, status, tag) 100% accurate vs system
-- Total Count: matches actual database count after filtering
+Generate **once per screen**, do not repeat for each pattern.
+Each pattern only points back with "Shared checks applied: [name]".
-**Logic**
-- Navigation: clicking card navigates to correct detail page
-- Direct Actions: Like/Add to Cart updates immediately without reloading list
-- Infinite Scroll / Load More: appends records, maintains scroll position
-- Layout Toggle: Grid/List view switch changes UI but preserves data
+| Check | Condition → Expected | VP | Priority |
+|---|---|---|---|
+| **Loading State** | Data fetch in progress → spinner/skeleton shown, user cannot interact | UI | @normal |
+| **Empty State** | Query returns 0 records → clear message shown, layout does not break | UI | @normal |
+| **XSS** | Script tag entered into a field → rendered as literal text, not executed | SEC | @high |
+| **SQL injection** | SQL payload entered into a field → DB unaffected, no data exposed | SEC | @high |
+| **URL Manipulation** | URL params wrong/missing/out-of-range → fallback to default, no 500 crash | SEC | @high |
-**Security**
-- RBAC: hide sensitive data or privileged buttons from DOM
-- Network Resilience: error message + "Retry" button on connection loss
+> **SQL injection — 2 layers for search/LIKE fields**: (1) field-level: UI blocks special chars → `@high` automated; (2) API-level: if the field reaches a LIKE query (search, partial-match), send `1 OR 1=1` straight to the API endpoint (bypassing the UI) → verify a parameterized query is used → `@high @manual`. Missing layer 2 = a real attack vector is overlooked even when field validation is correct.
 ---
 ## Security Tag Rules
 For VP-SEC scenarios testing **unauthorized access** (no login, wrong role, direct URL):
-- Use **`@no-auth`** tag — runs without authentication to verify redirect/block.
+- Use the **`@no-auth`** tag — runs without authentication to verify the redirect/block.
 - Do NOT use `@manual` for these — they are automatable.
 ```gherkin

package/src/orchestrator/templates/ai-instructions/copilot-cmd-review.md CHANGED Viewed

@@ -23,23 +23,24 @@ You are a **Senior QA Reviewer**. You evaluate Gherkin test cases using the `sun
 1. **Enumerate feature files** — glob `<base>/<name>/features/*.feature`. A screen may have one main file (`<name>.feature`) plus sub-features (`<name>-<sub>.feature` like `awards-modal.feature`); a flow has a single `<name>.feature`. If zero `.feature` files found → `/sungen-create-test` first.
 2. **Review every feature file** — for each `<basename>.feature` discovered in step 1:
    - Read `<basename>.feature` and the matching `test-data/<basename>.yaml`.
-   - Apply the `sungen-tc-review` skill — score 3 dimensions: Syntax (30pts), Coverage (40pts), Viewpoint (30pts). **For flows**, also apply the "Flow Review Additions" section. Use `sungen-viewpoint` for pattern checklists.
-   - Apply the **Unverified Selectors check** — if `<base>/<name>/selectors/<basename>.yaml` exists, count lines matching `@needs-live-verify`. Include in the per-file report as a non-scoring metric. Does NOT affect the 60% threshold.
+   - Apply the `sungen-tc-review` skill — score the **7-dimension rubric (100 pts)**: Structure & Format (15), Coverage (30), Assertion Quality (20), Test Data (10), Security & Permission (10), Automation Readiness (10), Maintainability (5). **For flows**, also apply the flow-specific checks (Layer A7 "Tags & Flow"). Use `sungen-viewpoint` for pattern checklists.
+   - Apply the **Unverified Selectors check** — if `<base>/<name>/selectors/<basename>.yaml` exists, count lines matching `@needs-live-verify`. Include in the per-file report as a non-scoring metric. Does NOT affect the score or the PASS threshold.
 3. **Aggregated output** — present scores in a per-feature table, then a screen-level rollup:
    ```
-   Feature              Syntax  Coverage  Viewpoint  Total  Verdict
-   ──────────────────────────────────────────────────────────────────
-   home.feature           28/30    36/40      27/30   91%   PASS
-   home-modal.feature     26/30    24/40      22/30   72%   PASS
-   ──────────────────────────────────────────────────────────────────
-   Screen rollup (mean)   27/30    30/40      24.5/30 81.5% PASS
+   Feature              Total  Verdict       Unverified
+   ─────────────────────────────────────────────────────
+   home.feature           88   PASS          0
+   home-modal.feature     64   CONDITIONAL   2
+   ─────────────────────────────────────────────────────
+   Screen rollup (mean)   76   PASS
    ```
-   - **>= 60% per file**: PASS that file.
-   - **< 60% per file**: FAIL that file with recommendations.
-   - Show the full per-file report (recommendations, top issues) **only for files that fail**, or when the user asks for the deep report.
-4. If any file is FAIL and user confirms → update that file's test cases following `sungen-gherkin-syntax` and `sungen-tc-generation` skills, then re-review **only the failing files** (skip already-passing ones to save time).
+   - **>= 70**: PASS that file.
+   - **50–69**: CONDITIONAL — fix before execution.
+   - **< 50**: FAIL — revise & re-review.
+   - "Unverified" = count of `@needs-live-verify` selectors (non-scoring). Show the full per-file report (dimension breakdown, recommendations, top issues) **only for files that are CONDITIONAL or FAIL**, or when the user asks for the deep report.
+4. If any file is CONDITIONAL or FAIL and user confirms → update that file's test cases following `sungen-gherkin-syntax` and `sungen-tc-generation` skills, then re-review **only those files** (skip already-passing ones to save time).
 5. After all files PASS (or user decides to proceed), offer next steps:
 - **`/sungen-run-test ${input:name}`** — Generate selectors, compile, and run tests for **every feature** in this screen (Recommended)

package/src/orchestrator/templates/ai-instructions/copilot-config.md CHANGED Viewed

@@ -12,7 +12,7 @@ You generate 3 files for sungen — a Gherkin compiler that produces Playwright
 | `sungen-tc-generation` | Test case generation strategy, output format |
 | `sungen-test-design-techniques` | EP, BVA, Decision Table, State Transition — systematic scenario generation |
 | `sungen-tc-review` | Review scoring, quality rules, checklist |
-| `sungen-viewpoint` | 10 UI patterns x 4 viewpoints — coverage checklists |
+| `sungen-viewpoint` | 17 UI patterns x 4 viewpoints — coverage checklists |
 | `sungen-selector-keys` | YAML key generation from `[Reference]` names, suffixes, lookup priority |
 | `sungen-selector-fix` | Selector generation from live page, auto-fix strategy |
 | `sungen-delivery` | Export Gherkin + Playwright results → CSV test case deliverable |

package/src/orchestrator/templates/ai-instructions/github-skill-sungen-delivery.md CHANGED Viewed

@@ -59,7 +59,7 @@ The CLI reads the **per-target result file first** (co-located with `.spec.ts`),
 | CSV Column | Source |
 |------------|--------|
-| TC ID | Generated: `<SCREEN_UPPER>-<VP>-<NNN>` |
+| TC ID | Generated, namespaced per screen/flow: `<SCREEN_UPPER>-<CAT>-<NNN>` (e.g. `VP-SEC-001` on screen `login` → `LOGIN-SEC-001`). The namespace makes it globally unique — the stable key the dashboard tracks each test case by. |
 | Category 1 | Scenario name with VP prefix stripped |
 | Category 2 | VP group: `VP-SEC`→Accessing, `VP-UI`→GUI, `VP-VAL`/`VP-LOGIC`→Function |
 | Category 3 | Feature name (first line of `.feature`) |

package/src/orchestrator/templates/ai-instructions/github-skill-sungen-gherkin-syntax.md CHANGED Viewed

@@ -198,6 +198,20 @@ Any tag not listed above passes through to Playwright `{ tag: [...] }`. Feature-
 | `@auto` | Standard scenario, ready for automation |
 | Any custom | e.g., `@sprint-42`, `@team-payment` — any tag works |
+**Assign priority by user impact** (canonical mapping — override only when context differs):
+| Scenario type | Tag |
+|---|---|
+| Auth redirect / unauthenticated access | `@high` |
+| CRUD happy path (create / update / delete — success) | `@high` |
+| Core business rule, state transition | `@high` |
+| XSS, SQL injection, permission blocked | `@high` |
+| Required field error, unique/duplicate constraint | `@high` |
+| Format validation (email, phone, date…) | `@normal` |
+| Boundary value — inclusive (`<=`, `>=`) → `@high`; standard range → `@normal` | `@normal` |
+| Secondary features (search, filter, sort, pagination) | `@normal` |
+| Element presence, label, placeholder, tooltip | `@low` |
 **Run filtered:**
 ```bash
 npx playwright test --grep "@smoke"          # only smoke tests
@@ -352,12 +366,10 @@ Feature: User Management
   Scenario: Create user shows form
     When User click [Add User] button
     Then User see [Create User] dialog
-    # After test: overlay auto-dismissed, forms auto-cleared by base.ts
   Scenario: Search user by name
     When User fill [Search] field with {{search_name}}
     Then User see [User Row] row
-    # After test: search field auto-cleared by base.ts
 ```
 | Tag | What base.ts does after each test |
@@ -371,27 +383,9 @@ Feature: User Management
 Only when `@cleanup:*` tags aren't enough — feature-specific logic.
-```gherkin
-@auth:admin
-@cleanup:overlay
-Feature: Dashboard
-  Path: /dashboard
-  Background:
-    Given User is on [Dashboard] page
-  @afterEach
-  Scenario: Reset dashboard filters
-    When User select [Date Filter] dropdown with {{default_period}}
-  Scenario: Filter by last week
-    When User select [Date Filter] dropdown with {{last_week}}
-    Then User see [Revenue Chart] section
-```
 ### Layer 3: `@beforeAll` / `@afterAll` (optional)
-For one-time setup/teardown. Low priority — most e2e tests don't need these.
+For one-time setup/teardown.
 **Rendering order in `.spec.ts`:**
 `test.describe` → `test.use(storageState)` → `test.use(autoCleanup)` → `test.beforeAll` → `test.beforeEach` → `test.afterEach` → `test.afterAll` → `test()` blocks