@sun-asterisk/sungen 2.6.5 → 2.6.7

package/src/orchestrator/templates/ai-instructions/github-skill-sungen-tc-generation.md

@@ -12,19 +12,39 @@ Generate **focused test cases per screen section** using a **tier-based approach
 
 | Tier | Priority | What to generate | When |
 |---|---|---|---|
-| **Tier 1** (default) | `@critical` + `@high` | Happy paths, required validation, core business rules, security basics | First run of `create-test` |
+| **Tier 1** (default) | `@high` | Happy paths, required validation, core business rules, security basics | First run of `create-test` |
 | **Tier 2** (expand) | `@normal` + `@low` | UI presence, optional validation, edge cases, cosmetic checks | User runs `create-test` again with "Add viewpoints" mode |
+| **Tier 3** (deep) | `@high` + `@normal` | Extra BVA combinations, cross-field validation, negative/destructive inputs, concurrent/race conditions, complex state transitions | Recommended after Tier 2 completes |
+| **Full** (all-at-once) | All | Tier 1 + 2 + 3 combined in one run | Option at first run, **not recommended** — large output |
 
-**Round 1 (Tier 1)** targets **~10-15 scenarios per section** — enough to cover critical flows and catch real bugs. This is the default behavior.
+**Round 1 (Tier 1)** targets **~10-15 scenarios per section** — enough to cover critical flows and catch real bugs. This is the default behavior. A **Full** option is available but not recommended — it generates all tiers at once, producing very large output (~40-60 scenarios/section).
 
-**Round 2 (Tier 2)** expands to full coverage when the user explicitly chooses "Add viewpoints" or "Add new sections" update mode. Only then generate `@normal` + `@low` scenarios to fill coverage gaps.
+**Round 2 (Tier 2)** expands coverage when the user explicitly chooses "Add viewpoints" or "Add new sections" update mode. Only then generate `@normal` + `@low` scenarios to fill coverage gaps.
+
+**Round 3 (Tier 3)** deepens coverage with advanced test design techniques after Tier 2 is complete. This tier focuses on scenarios that Tier 1+2 didn't cover:
+- **Extra BVA combinations**: additional boundary points not covered in Tier 1 (e.g., `min+1`, `max-1`, typical values between boundaries)
+- **Cross-field validation**: field A value affects field B behavior (dependent fields, conditional required, cascading dropdowns)
+- **Negative/destructive inputs**: SQL injection, XSS payloads, special characters, excessively long strings, unicode edge cases
+- **Concurrent/race conditions**: double submit, back button after submit, multiple tabs, session expiry mid-action
+- **Complex state transitions**: multi-step state changes, undo/redo, conflicting state updates, transition from every non-obvious state
 
 ## Update Mode
 
-When `.feature` already has scenarios, summarize and ask:
+When `.feature` already has scenarios, summarize existing coverage and ask:
+
+**If only Tier 1 exists** (only `@high` scenarios):
 1. **Add new sections** — append new sections with Tier 2 (`@normal` + `@low`) scenarios, continue numbering
 2. **Add viewpoints** — expand existing sections with Tier 2 (`@normal` + `@low`) scenarios
-3. **Replace all** — overwrite with fresh Tier 1 (`@critical` + `@high`) generation
+3. **Replace all** — overwrite with fresh Tier 1 (`@high`) generation
+
+**If Tier 1 + 2 exist** (`@high` + `@normal` + `@low` scenarios):
+1. **Deep coverage (Tier 3)** — add advanced scenarios: extra BVA, cross-field validation, negative inputs, race conditions **(Recommended)**
+2. **Add new sections** — append new sections with Tier 2 scenarios, continue numbering
+3. **Replace all** — overwrite with fresh Tier 1 (`@high`) generation
+
+**If Tier 1 + 2 + 3 exist** (full coverage already):
+1. **Add new sections** — append new sections if screen has changed
+2. **Replace all** — overwrite with fresh Tier 1 (`@high`) generation
 
 For append: read highest `VP-<CAT>-<NNN>`, continue from next number. Never modify existing scenarios.
 
@@ -102,8 +122,15 @@ Apply `sungen-test-design-techniques` to spec-extracted conditions:
 Use `sungen-viewpoint` skill for per-pattern checklists across 4 viewpoints: UI/UX, Data & Validate, Logic, Security.
 
 **Tier-aware gap filling:**
-- **Tier 1 (first run)**: only add `@critical` and `@high` items from the checklists — core security checks (VP-SEC), required field validation (VP-VAL), key state transitions (VP-LOGIC). Skip `@normal`/`@low` items like hover states, empty states, tooltips.
+- **Tier 1 (first run)**: only add `@high` items from the checklists — core security checks (VP-SEC), required field validation (VP-VAL), key state transitions (VP-LOGIC). Skip `@normal`/`@low` items like hover states, empty states, tooltips.
 - **Tier 2 (expand run)**: add `@normal` + `@low` scenarios — UI presence, optional validation, edge cases, cosmetic checks, keyboard nav, hover effects.
+- **Tier 3 (deep run)**: do NOT use viewpoint checklists. Instead, re-apply test design techniques with deeper analysis:
+  - **BVA**: expand from 4-point to 6-point (`min-1`, `min`, `min+1`, `max-1`, `max`, `max+1`) + typical mid-range value
+  - **Decision Table**: enumerate combinations previously capped — cover remaining outcome rows
+  - **Cross-field**: identify field dependencies from spec, generate one scenario per dependency
+  - **Negative inputs**: add security-oriented inputs (SQL `' OR 1=1`, XSS `<script>`, special chars `<>&"'`, max+100 length)
+  - **Race conditions**: double-click submit, browser back after POST, concurrent edit by two users
+- **Full (all-at-once)**: apply Tier 1 + 2 + 3 rules in a single generation pass. Use all techniques at maximum depth.
 
 **Validation rule**: capture actual error messages from live page or spec.md. Use `User see {{error_var}}` — never assert just "is visible".
 
@@ -111,24 +138,29 @@ Use `sungen-viewpoint` skill for per-pattern checklists across 4 viewpoints: UI/
 
 Every scenario **MUST** have exactly one priority tag. Add it before the scenario line (after `@extend:` if present).
 
+**Rule: look at what the WHEN step does and what THEN asserts — that determines the tag.**
+
 | Tag | When to use |
 |---|---|
-| `@critical` | System unusable if fails — login/logout, authentication redirect, main create/submit/delete, permission denied |
-| `@high` | Major feature broken — required field validation, core business rules, data displays correctly, key navigation |
-| `@normal` | Degraded experience — UI layout/element presence, secondary flows, optional field validation, search/filter |
-| `@low` | Minor/cosmetic — tooltips, hover states, empty states, default sort, placeholder text |
+| `@high` | WHEN performs: login/logout, submit happy path, auth-check, primary CRUD action. THEN asserts: success state, redirect, or security gate |
+| `@normal` | WHEN provides invalid/empty input, OR scenario tests search/filter/notification/secondary flow. THEN asserts: error message, secondary feature result |
+| `@low` | THEN only asserts: element visible, text label, placeholder, tooltip, icon, layout. WHEN (if any) is navigation only |
 
 ### Auto-assign heuristics
 
-| Viewpoint + Pattern | Default priority |
+| Scenario type (by WHEN + THEN structure) | Tag |
 |---|---|
-| VP-SEC-* (all security scenarios) | `@critical` |
-| VP-LOGIC-* with create/submit/delete/login | `@critical` |
-| VP-LOGIC-* other state changes | `@high` |
-| VP-VAL-* required field / submit empty | `@high` |
-| VP-VAL-* format, boundary, optional fields | `@normal` |
-| VP-UI-* form fields present, table columns | `@normal` |
-| VP-UI-* hover, tooltip, empty state, placeholder | `@low` |
+| Auth: login / logout / protected page redirect | `@high` |
+| CRUD happy path: create / update / delete → success message or redirect | `@high` |
+| Security: unauthenticated access → redirected to login | `@high` |
+| Primary business flow step completes successfully | `@high` |
+| Validation: invalid / empty input → error message shown | `@normal` |
+| Boundary / format validation (email, length, range) | `@normal` |
+| Secondary features: search, filter, sort, pagination, notification | `@normal` |
+| State transition not on primary success path (cancel, undo, back) | `@normal` |
+| Element / component presence check (is it visible?) | `@low` |
+| Text content: label, placeholder, tooltip, warning message text | `@low` |
+| Visual / cosmetic: alignment, icon, empty state, hover style | `@low` |
 
 **`@steps:` scenarios** do NOT get a priority tag (they are setup blocks, not test cases).
 
@@ -188,11 +220,11 @@ Serial (default) is best for: CRUD flows, sequential user journeys, UI checks on
 @cleanup:forms
 Feature: kudos Screen
 
-  @critical
+  @high
   Scenario: Send kudos
     ...
 
-  @critical @no-auth
+  @high @no-auth
   Scenario: Unauthenticated user is redirected
     ...
 ```
@@ -218,9 +250,9 @@ Feature: <Screen> Screen
     When User click [Create] button
     Then User see [Form] dialog
 
-  # --- Section: Create User Form (Tier 1: @critical + @high) ---
+  # --- Section: Create User Form (Tier 1: @high) ---
 
-  @critical @extend:open_form
+  @high @extend:open_form
   Scenario: VP-LOGIC-001 Submit form with valid data creates record
     Given User is on [Form] dialog
     When User fill [Name] field with {{valid_name}}
@@ -233,7 +265,7 @@ Feature: <Screen> Screen
     When User click [Submit] button
     Then User see [Name error] message with {{name_required_error}}
 
-  # --- Section: User Table (Tier 1: @critical + @high) ---
+  # --- Section: User Table (Tier 1: @high) ---
 
   @high
   Scenario: VP-VAL-010 Table displays correct data
@@ -241,7 +273,7 @@ Feature: <Screen> Screen
       | Name       | Email        |
       | {{name_1}} | {{email_1}}  |
 
-  @critical
+  @high
   Scenario: VP-SEC-010 Unauthorized user cannot access page
     Given User is not logged in
     When User navigate to [Screen] page
@@ -250,6 +282,8 @@ Feature: <Screen> Screen
 
 **Tier 2 (expand run)** adds `@normal` + `@low` scenarios like UI field presence, hover states, tooltips, empty states.
 
+**Tier 3 (deep run)** adds advanced `@high` + `@normal` scenarios: extra BVA boundaries, cross-field validation, negative/destructive inputs, concurrent/race conditions.
+
 ### When to use DataTable vs Row Scope
 
 | Pattern | Use when |
@@ -317,14 +351,14 @@ Feature: Award Submission Flow
   Background:
     Given User is on [Login] page
 
-  @critical
+  @high
   Scenario: User login successfully
     When User fill [Login:Email] field with {{login.email}}
     And User fill [Login:Password] field with {{login.password}}
     And User click [Login:Submit] button
     Then User see [Dashboard] page
 
-  @critical
+  @high
   Scenario: User navigates to awards and submits
     Given User is on [Awards] page
     When User fill [Awards:Nominee] field with {{submission.nominee}}

package/src/orchestrator/templates/ai-instructions/github-skill-sungen-tc-review.md

@@ -38,12 +38,12 @@ Score: `(dimensions_covered / 6) * 40`. Validate technique application with `sun
 | All applicable VP present (UI/VAL/LOGIC/SEC) | 10 |
 | Correct classification | 8 |
 | `VP-<CAT>-<NNN>` naming + section grouping | 4 |
-| Priority tag present and correct (`@critical`/`@high`/`@normal`/`@low`) | 4 |
+| Priority tag present and correct (`@high`/`@normal`/`@low`) | 4 |
 | Assertion quality (see rules below) | 4 |
 
 **Classification**: UI = static/always-same appearance. VAL = input validation/errors. LOGIC = behavior/state changes (includes persisted state without When). SEC = auth/permissions.
 
-**Tier-aware scoring**: If the feature file only contains `@critical` + `@high` scenarios (Tier 1), do NOT penalize for missing VP-UI viewpoint — UI scenarios are intentionally deferred to Tier 2. Score "All applicable VP present" based on Tier 1-relevant viewpoints only (VAL, LOGIC, SEC). Note in the review output: *"VP-UI deferred to Tier 2 — run create-test with 'Add viewpoints' to expand."*
+**Tier-aware scoring**: If the feature file only contains `@high` scenarios (Tier 1), do NOT penalize for missing VP-UI viewpoint — UI scenarios are intentionally deferred to Tier 2. Score "All applicable VP present" based on Tier 1-relevant viewpoints only (VAL, LOGIC, SEC). Note in the review output: *"VP-UI deferred to Tier 2 — run create-test with 'Add viewpoints' to expand."*
 
 ---
 
@@ -80,7 +80,7 @@ Do NOT mark `@manual` when data is visible in snapshot or documented in spec —
 2. **Misclassified VP** — UI tests behavior? Move to LOGIC. Logic tests appearance? Move to UI
 3. **Dynamic content** — exact match on counters/timestamps? Use `contains` instead
 4. **Duplicate across sections** — SEC scenario identical to UI? Remove duplicate
-5. **Missing/wrong priority tag** — every non-`@steps` scenario needs exactly one of `@critical`/`@high`/`@normal`/`@low`. SEC→`@critical`, VAL required→`@high`, UI layout→`@normal`, hover/tooltip→`@low`
+5. **Missing/wrong priority tag** — every non-`@steps` scenario needs exactly one of `@high`/`@normal`/`@low`. SEC/CRUD happy path/auth→`@high`, validation/secondary features→`@normal`, presence/cosmetic→`@low`
 6. **Always-enabled elements** — `is enabled` on never-disabled element? Remove
 7. **Test-data completeness** — every `{{var}}` must exist in test-data.yaml
 8. **Missing BVA boundaries** — spec defines min/max range but scenarios only test midpoint? Add `min-1`, `min`, `max`, `max+1`

package/src/orchestrator/templates/ai-instructions/github-skill-sungen-test-design-techniques.md

@@ -53,7 +53,7 @@ Scenario: VP-VAL-003 Above maximum is rejected           # value = 101
 | Mode | Values | Use when |
 |---|---|---|
 | **Compact (default)** | `min-1`, `min`, `max`, `max+1` | Most fields |
-| **Full 6-point** | `min-1`, `min`, `min+1`, `max-1`, `max`, `max+1` | Critical fields with `@critical`/`@high` priority |
+| **Full 6-point** | `min-1`, `min`, `min+1`, `max-1`, `max`, `max+1` | Critical fields with `@high` priority |
 
 **How to apply** (example: "quantity must be 1-10"):
 - `min-1` = 0 -> invalid
@@ -82,7 +82,7 @@ Scenario: VP-VAL-003 Above maximum is rejected           # value = 101
 - `@normal` Form invalid + no permission → disabled
 - `@normal` Form valid + no permission → disabled
 - `@normal` Has permission + form invalid → disabled
-- `@critical` Form valid + has permission → succeeds
+- `@high` Form valid + has permission → succeeds
 
 ---
 

package/src/orchestrator/templates/ai-instructions/github-skill-sungen-viewpoint.md

@@ -266,7 +266,7 @@ For VP-SEC scenarios testing **unauthorized access** (no login, wrong role, dire
 - Do NOT use `@manual` for these — they are automatable.
 
 ```gherkin
-@critical @no-auth
+@high @no-auth
 Scenario: VP-SEC-001 Unauthenticated user cannot access admin page
   Given User is on [Admin] page
   Then User see [Login] page