@torus-engineering/tas-kit 1.8.0 → 1.9.0

package/.claude/commands/tas-apitest-plan.md

@@ -0,0 +1,173 @@
+# /tas-apitest-plan $ARGUMENTS
+
+Vai trò: SE - Software Engineer
+Generate API Test Specification (Markdown) từ API Spec (OpenAPI 3.0, Markdown, YAML) hoặc phân tích code API.
+
+## Always / Ask / Never
+
+| | Hành động |
+|---|---|
+| **Always** | Đọc toàn bộ spec hoặc phân tích code trước khi tạo test spec |
+| **Always** | Tổ chức test cases theo API version — mỗi version một section riêng |
+| **Always** | Append-only: không sửa sections trong version cũ đã tồn tại |
+| **Always** | Coverage matrix: mỗi endpoint cần ≥1 happy path + ≥1 error path |
+| **Always** | Đọc `.claude/rules/csharp/api-testing.md` để nắm convention |
+| **Ask** | Khi spec không rõ expected response schema hoặc business rule |
+| **Never** | Sử dụng version folder/syntax trong test spec file (dùng section headers thay vì) |
+| **Never** | Bỏ qua error path — mỗi endpoint cần cover validation errors |
+
+## Hành động
+
+### Bước 1 — Locate Inputs
+
+`$ARGUMENTS` là path đến:
+- API Spec file (OpenAPI 3.0 JSON/YAML, Markdown)
+- Hoặc Story ID — glob tìm `docs/epics/**/Story-{ID}*.md`
+- Hoặc path tới project code API cần phân tích
+
+Nếu không có → hỏi user:
+```
+Nhập input cho /tas-apitest-plan:
+1. Path đến API Spec file (OpenAPI/Markdown/YAML)
+2. Story ID (để tìm link spec trong Story)
+3. Path đến code API cần phân tích tự động
+```
+
+### Bước 2 — Detect Existing Test Spec
+
+Glob tìm `docs/tests/API-Test-Spec-*.md`.
+
+- **Tìm thấy**: Đọc file, detect versions đã có (tìm section headers `## v{N}`)
+- **Không tìm thấy**: Tạo mới với version v1
+
+### Bước 3 — Parse Input
+
+**Nếu là API Spec file:**
+- Đọc và parse OpenAPI/Markdown/YAML
+- Thu thập cho mỗi endpoint:
+  - HTTP method + path, path/query params, request body schema
+  - Response schemas theo từng status code
+  - Auth requirement, description/summary
+  - Tags để nhóm endpoints
+
+**Nếu là Story:**
+- Đọc Story để tìm link spec trong `## Technical Plan` hoặc `## Acceptance Criteria`
+- Parse spec như trên
+- Thêm AC mapping vào test spec
+
+**Nếu là code path:**
+- Glob tìm controller/handler files (`.cs`, `.ts`, `.py` tùy stack)
+- Phân tích attributes/routes để phát hiện endpoints
+- Extract DTO classes để biết request/response schema
+- Hỏi user confirm nếu detect không rõ
+
+### Bước 4 — Detect API Version
+
+Ưu tiên theo thứ tự:
+1. `info.version` trong OpenAPI
+2. Prefix trong URL path (v1/, v2/)
+3. Hỏi user
+
+Version format: `v1`, `v2` (không có dot).
+
+### Bước 5 — Determine Output Path
+
+Output: `docs/tests/API-Test-Spec-{slug}.md`
+
+**Slug generation:**
+- Từ `api_name` trong spec → lowercase, replace spaces với dashes
+- Hoặc hỏi user nhập slug ngắn gọn (ví dụ: `users`, `orders`, `products`)
+
+### Bước 6 — Determine Update Mode
+
+Nếu spec file đã tồn tại và version đã có:
+- **Append mode** (default): thêm test cases mới vào cuối section version hiện tại
+- Hỏi user nếu muốn tạo version mới (v2, v3...):
+
+```
+Spec file đã có với version {current}. Bạn muốn:
+1. Append test cases vào version {current} (default)
+2. Tạo version mới (v{next}) cho test cases
+```
+
+### Bước 7 — Generate Test Spec
+
+Đọc template `.tas/templates/API-Test-Spec.md` để nắm cấu trúc.
+
+**Phân tích endpoints để tạo coverage matrix:**
+
+Với mỗi endpoint, generate test cases cho:
+1. **Happy path** (2xx) — luôn có
+2. **Unauthorized** (401) — nếu endpoint yêu cầu auth
+3. **Forbidden** (403) — nếu có RBAC/ownership check
+4. **Not found** (404) — nếu có path param
+5. **Validation error** (400/422) — nếu có required fields hoặc business rules
+6. **Business rules** — từ Story ACs hoặc spec descriptions
+
+**Coverage matrix format:**
+```
+| Endpoint | Happy Path | 401 Unauthorized | 403 Forbidden | 404 Not Found | 400/422 Validation | Business Rule |
+|----------|:---------:|:----------------:|:-------------:|:-------------:|:------------------:|:-------------:|
+| GET /api/users | ✓ | ✓ | | | | |
+| POST /api/users | ✓ | ✓ | | | ✓ | |
+```
+
+**Test case detail format:**
+```
+#### TC-XXX: {Title} — {Modifier}
+- **Endpoint**: `{METHOD} {path}`
+- **Auth**: Required/Not Required
+- **Preconditions**:
+  - {List preconditions}
+- **Request Query/Path/Body**:
+  - {Request details}
+- **Expected Response**:
+  - Status: {code}
+  - Body: {schema}
+- **Assertions**:
+  - {List assertions}
+- **AC Reference**: AC-{N} (nếu có)
+- **Test Method Name**: `{Method}_{Resource}_Returns{Status}_When{Condition}`
+```
+
+### Bước 8 — Write Test Spec File
+
+**File chưa tồn tại:** Tạo mới từ template.
+
+**File đã tồn tại (append mode):**
+- Đọc file hiện tại
+- Find section `## v{N}` mà đang làm việc
+- Append test cases mới vào cuối section trước `## Version History` hoặc `## Changelog`
+- Preserve toàn bộ content cũ
+
+### Bước 9 — Summary
+
+Hiển thị:
+1. Output file path
+2. Number of endpoints detected
+3. Number of test cases generated
+4. Coverage matrix
+5. Next steps:
+   - Review test spec file
+   - Run `/tas-apitest docs/tests/API-Test-Spec-{slug}.md` để generate code
+
+```
+## API Test Spec Generated
+
+**Output**: `docs/tests/API-Test-Spec-{slug}.md`
+**Version**: v{N}
+**Endpoints**: {N}
+**Test Cases**: {N}
+
+### Coverage Matrix
+[Print coverage matrix]
+
+### Next Steps
+1. Review test spec: `docs/tests/API-Test-Spec-{slug}.md`
+2. Generate test code: `/tas-apitest docs/tests/API-Test-Spec-{slug}.md`
+3. Run tests: `dotnet test tests/ApiTests/`
+```
+
+## Bước cuối — Token Log
+
+Invoke skill `token-logger`: ghi AI Usage Log vào test spec file.

package/.claude/commands/tas-apitest.md

@@ -0,0 +1,143 @@
+# /tas-apitest $ARGUMENTS
+
+Vai trò: SE - Software Engineer
+Generate .NET xUnit automation test project cho REST API từ API Test Spec file (Markdown).
+
+## Always / Ask / Never
+
+| | Hành động |
+|---|---|
+| **Always** | Đọc toàn bộ API Test Spec file trước khi generate bất kỳ test nào |
+| **Always** | Tổ chức tests theo API version — mỗi version một folder riêng |
+| **Always** | Append-only: không sửa files trong version folder cũ đã tồn tại |
+| **Always** | URL và credentials ra `appsettings.json` — không hardcode trong code |
+| **Always** | XML doc comment trên mỗi test method |
+| **Ask** | Khi test spec không rõ expected response schema |
+| **Never** | Sửa hoặc xóa test files của version cũ hơn |
+| **Never** | Hardcode base URL, API key, credentials trong test code |
+| **Never** | Bỏ qua error path — mỗi endpoint cần ≥1 happy path + ≥1 error path |
+
+## Hành động
+
+### Bước 1 — Locate Input
+
+`$ARGUMENTS` là path đến API Test Spec file: `docs/tests/API-Test-Spec-{slug}.md`.
+
+Nếu không có → hỏi user:
+```
+Nhập path đến API Test Spec file (vd: docs/tests/API-Test-Spec-users.md)
+```
+
+### Bước 2 — Parse API Test Spec
+
+Đọc `.claude/rules/csharp/api-testing.md` để nắm convention trước khi generate.
+
+Từ API Test Spec file, thu thập:
+- API version
+- Endpoints với method, path, params
+- Test cases theo từng endpoint (TC-XXX)
+- Request/response schemas
+- Auth requirements
+- Test data requirements
+- Setup/teardown notes
+
+### Bước 3 — Detect Existing Test Project
+
+Glob tìm `**/ApiTests/*.csproj`, `**/Api.Tests/*.csproj`, `**/IntegrationTests/*.csproj`.
+
+- **Tìm thấy**: Đọc framework đang dùng (xUnit/NUnit/MSTest), glob `v*/` folders để biết versions đã có.
+- **Không tìm thấy**: Tạo mới tại `tests/ApiTests/` với xUnit + FluentAssertions (per `csharp/testing.md`).
+
+### Bước 4 — Get API Version from Spec
+
+Đọc version từ API Test Spec file (tìm frontmatter `api_version` hoặc section headers `## v{N}`).
+
+Version folder: lowercase, không có dot — `v1`, `v2` (không phải `v1.0`).
+
+### Bước 5 — Generate Infrastructure (chỉ khi tạo project mới)
+
+Đọc `.claude/rules/csharp/api-testing.md` section **Project Structure** và **Config Pattern** để generate:
+- `ApiTests.csproj` với packages chuẩn
+- `appsettings.json` (base) + `appsettings.Test.json` + `appsettings.Staging.json` với values từ spec
+- `Shared/TestBase.cs` — load config, HttpClient, helper methods
+- `Shared/ApiTestSettings.cs` — strongly typed settings
+- `.gitignore` cho `appsettings.*.local.json`
+
+### Bước 6 — Generate Test Classes từ Spec
+
+Nhóm endpoints theo resource. Mỗi nhóm → `tests/ApiTests/{version}/{Resource}ApiTests.cs`.
+
+Với mỗi test case (TC-XXX) trong spec:
+1. Đọc test case details
+2. Map sang test method với naming: `{HttpMethod}_{Resource}_Returns{Status}_When{Condition}`
+3. Generate XML doc từ test case title
+4. Generate assertions từ expected response
+5. Add AC reference comment nếu có
+
+Test class header comment:
+```csharp
+// ============================================================
+// {Resource} API Tests — v{N}
+// Spec: docs/tests/API-Test-Spec-{slug}.md
+// Generated: {YYYY-MM-DD}
+// Story: {ID} (if applicable)
+// APPEND-ONLY: không sửa methods đã tồn tại.
+// ============================================================
+```
+
+### Bước 7 — Append-Only Guard
+
+Trước khi ghi file: kiểm tra file đã tồn tại chưa.
+- **File chưa có** → tạo mới bình thường.
+- **File đã có** trong version folder → check từng test method:
+  - Method đã tồn tại (cùng tên) → **SKIP**, không ghi đè
+  - Method chưa có → append vào cuối class
+
+### Bước 8 — Generate Test Data Files (nếu spec yêu cầu)
+
+Nếu spec có `test-data.{env}.json` references:
+- Tạo `tests/ApiTests/data/test-data.Test.json` với sample data từ spec
+- Hướng dẫn user tạo `test-data.Staging.json` và `test-data.local.json`
+
+### Bước 9 — Post-Generate Review
+
+Launch `csharp-reviewer` agent:
+> Review `tests/ApiTests/{version}/`. Đọc `.claude/rules/csharp/testing.md` + `.claude/rules/csharp/api-testing.md`.
+> Tập trung: async/await, HttpClient disposal, assertion completeness, XML doc coverage.
+> Format: Critical / High / Medium / Low với file:line.
+
+Gate: Critical/High → fix ngay. Medium/Low → list gợi ý.
+
+### Bước 10 — Summary
+
+Hiển thị:
+1. Test project path
+2. Number of test classes generated
+3. Number of test methods generated
+4. Coverage matrix (so với spec)
+5. Next steps để chạy tests
+
+```
+## API Tests Generated
+
+**Project**: `tests/ApiTests/`
+**Version**: v{N}
+**Test Classes**: {N}
+**Test Methods**: {N}
+
+### Generated Files
+- tests/ApiTests/{version}/{Resource}ApiTests.cs
+- tests/ApiTests/Shared/TestBase.cs (if new project)
+
+### Coverage (vs Spec)
+[Print coverage table: spec test cases vs generated methods]
+
+### Next Steps
+1. Configure test environment: edit tests/ApiTests/appsettings.Test.json
+2. Add test data: tests/ApiTests/data/test-data.Test.json
+3. Run tests: `dotnet test tests/ApiTests/`
+```
+
+## Bước cuối — Token Log
+
+Invoke skill `token-logger`: ghi AI Usage Log vào API Test Spec file.

package/.tas/templates/API-Test-Spec.md

@@ -0,0 +1,400 @@
+---
+api_name:
+api_slug:
+api_version:
+spec_source:
+code_path:
+status:
+created_date:
+updated_date:
+executor:
+story_id:
+framework: xUnit
+---
+
+# API Test Specification: {API Name}
+
+**API Version**: v{api_version}
+**Framework**: {framework}
+**Author**: @[executor]
+**Created**: [created_date]
+**Updated**: [updated_date]
+**Status**: [status] (Draft | Review | Approved | Deprecated)
+**Spec Source**: [spec_source]
+**Code Path**: [code_path]
+**Story**: [story_id] (if applicable)
+
+---
+
+## Version History
+
+> Mỗi API version có section riêng biệt. APPEND-ONLY: không sửa version cũ.
+
+| Version | Status | Created | Description |
+|---------|--------|---------|-------------|
+| v1 | Draft | [created_date] | Initial version |
+| v2 | Draft | [updated_date] | Added new endpoints |
+
+---
+
+## Test Environment Setup
+
+### Configuration (appsettings.json)
+
+```json
+{
+  "ApiTest": {
+    "BaseUrl": "https://localhost:5001",
+    "TimeoutSeconds": 30,
+    "Auth": {
+      "Type": "Bearer",
+      "TokenEndpoint": "/api/auth/token",
+      "Username": "",
+      "Password": ""
+    }
+  }
+}
+```
+
+### Environment-Specific Overrides
+
+| Environment | BaseUrl | Notes |
+|-------------|---------|-------|
+| Local | https://localhost:5001 | Development environment |
+| Test | https://test-api.example.com | Shared test environment |
+| Staging | https://staging-api.example.com | Pre-production |
+| Production | https://api.example.com | Smoke tests only |
+
+### Test Data Requirements
+
+| Data Item | Value | Source | Environment-Specific | Notes |
+|-----------|-------|--------|---------------------|-------|
+| Test User Email | test@example.com | test-data.{env}.json | Yes | Different per env |
+| Test User Password | (from .env) | process.env.APITEST__AUTH__PASSWORD | Yes | NEVER hardcode |
+| Auth Token | Generated at runtime | POST /api/auth/token | Yes | Refresh per test class |
+| {Entity} ID | {value} | test-data.{env}.json | Yes | Pre-seeded data |
+
+### Setup/Teardown Notes
+
+**Before All Tests:**
+- Authenticate and store token for authenticated requests
+- Seed test data if required
+- Configure HttpClient with base address and timeout
+
+**After All Tests:**
+- Dispose HttpClient
+- Clean up test data (unless debugging needed)
+
+**Before Each Test:**
+- Reset state if needed (clear headers, reset counters)
+
+**After Each Test:**
+- Log test result
+- Capture response on failure for debugging
+
+---
+
+## v{N} — Test Cases
+
+### Endpoints Overview
+
+| Method | Path | Description | Auth Required |
+|--------|------|-------------|---------------|
+| GET | /api/users | List users | Yes |
+| POST | /api/users | Create user | Yes |
+| GET | /api/users/{id} | Get user by ID | Yes |
+| PUT | /api/users/{id} | Update user | Yes |
+| DELETE | /api/users/{id} | Delete user | Yes |
+
+### Coverage Matrix
+
+| Endpoint | Happy Path | 401 Unauthorized | 403 Forbidden | 404 Not Found | 400/422 Validation | Business Rule |
+|----------|:---------:|:----------------:|:-------------:|:-------------:|:------------------:|:-------------:|
+| GET /api/users | ✓ | ✓ | | | | |
+| POST /api/users | ✓ | ✓ | | | ✓ | |
+| GET /api/users/{id} | ✓ | ✓ | | ✓ | | |
+| PUT /api/users/{id} | ✓ | ✓ | | ✓ | ✓ | |
+| DELETE /api/users/{id} | ✓ | ✓ | ✓ | ✓ | | |
+
+---
+
+### Test Case Details
+
+#### GET /api/users — List Users
+
+##### TC-001: Happy Path — Returns Paginated User List
+- **Endpoint**: `GET /api/users?page=1&limit=10`
+- **Auth**: Required (Bearer token)
+- **Preconditions**:
+  - Valid authentication token
+  - At least 10 users exist in database
+- **Request Query Params**:
+  - `page`: 1
+  - `limit`: 10
+- **Expected Response**:
+  - Status: 200 OK
+  - Body:
+    ```json
+    {
+      "data": [
+        {
+          "id": "guid",
+          "email": "user@example.com",
+          "name": "John Doe",
+          "role": "User",
+          "createdAt": "2024-01-01T00:00:00Z"
+        }
+      ],
+      "total": 100,
+      "page": 1,
+      "limit": 10
+    }
+    ```
+- **Assertions**:
+  - Response status is 200
+  - `data` is array with length ≤ 10
+  - Each item has required fields: id, email, name, role, createdAt
+  - `total` ≥ 0
+  - `page` and `limit` match request
+- **AC Reference**: N/A (API spec)
+- **Test Method Name**: `Get_Users_Returns200_WhenAuthenticated`
+
+##### TC-002: Security — Returns 401 When No Token
+- **Endpoint**: `GET /api/users`
+- **Auth**: Not provided
+- **Preconditions**: None
+- **Expected Response**:
+  - Status: 401 Unauthorized
+  - Body contains error message
+- **Assertions**:
+  - Response status is 401
+- **AC Reference**: N/A
+- **Test Method Name**: `Get_Users_Returns401_WhenNotAuthenticated`
+
+##### TC-003: Edge Case — Empty List When No Users Exist
+- **Endpoint**: `GET /api/users`
+- **Auth**: Required
+- **Preconditions**:
+  - Database is empty or no users match filter
+- **Expected Response**:
+  - Status: 200 OK
+  - Body:
+    ```json
+    {
+      "data": [],
+      "total": 0,
+      "page": 1,
+      "limit": 10
+    }
+    ```
+- **Assertions**:
+  - Response status is 200
+  - `data` is empty array
+  - `total` is 0
+- **AC Reference**: N/A
+- **Test Method Name**: `Get_Users_ReturnsEmptyArray_WhenNoUsersExist`
+
+#### POST /api/users — Create User
+
+##### TC-004: Happy Path — Creates New User
+- **Endpoint**: `POST /api/users`
+- **Auth**: Required
+- **Request Body**:
+  ```json
+  {
+    "email": "newuser@example.com",
+    "name": "New User",
+    "password": "SecurePass123!",
+    "role": "User"
+  }
+  ```
+- **Expected Response**:
+  - Status: 201 Created
+  - Body contains created user with generated `id`
+  - `Location` header contains URL of new resource
+- **Assertions**:
+  - Response status is 201
+  - `id` is valid GUID
+  - `email`, `name`, `role` match request
+  - `password` is NOT in response
+  - `createdAt` is recent
+- **AC Reference**: N/A
+- **Test Method Name**: `Post_Users_Returns201_WhenValidRequest`
+
+##### TC-005: Validation — Returns 400 When Email Invalid
+- **Endpoint**: `POST /api/users`
+- **Auth**: Required
+- **Request Body**:
+  ```json
+  {
+    "email": "invalid-email",
+    "name": "Test User",
+    "password": "SecurePass123!",
+    "role": "User"
+  }
+  ```
+- **Expected Response**:
+  - Status: 400 Bad Request
+  - Body contains validation errors
+- **Assertions**:
+  - Response status is 400
+  - Error message indicates email format issue
+- **AC Reference**: N/A
+- **Test Method Name**: `Post_Users_Returns400_WhenEmailInvalid`
+
+##### TC-006: Business Rule — Returns 409 When Email Already Exists
+- **Endpoint**: `POST /api/users`
+- **Auth**: Required
+- **Preconditions**: User with email already exists
+- **Request Body**:
+  ```json
+  {
+    "email": "existing@example.com",
+    "name": "Test User",
+    "password": "SecurePass123!",
+    "role": "User"
+  }
+  ```
+- **Expected Response**:
+  - Status: 409 Conflict
+  - Body indicates email already registered
+- **Assertions**:
+  - Response status is 409
+  - Error message mentions duplicate email
+- **AC Reference**: N/A
+- **Test Method Name**: `Post_Users_Returns409_WhenEmailAlreadyExists`
+
+#### GET /api/users/{id} — Get User by ID
+
+##### TC-007: Happy Path — Returns User When ID Exists
+- **Endpoint**: `GET /api/users/{id}`
+- **Auth**: Required
+- **Path Params**: `id` = valid GUID
+- **Expected Response**:
+  - Status: 200 OK
+  - Body contains user details
+- **Assertions**:
+  - Response status is 200
+  - All required fields present
+- **AC Reference**: N/A
+- **Test Method Name**: `GetById_Users_Returns200_WhenExists`
+
+##### TC-008: Error Path — Returns 404 When ID Not Found
+- **Endpoint**: `GET /api/users/{id}`
+- **Auth**: Required
+- **Path Params**: `id` = valid but non-existent GUID
+- **Expected Response**:
+  - Status: 404 Not Found
+- **Assertions**:
+  - Response status is 404
+- **AC Reference**: N/A
+- **Test Method Name**: `GetById_Users_Returns404_WhenNotFound`
+
+#### PUT /api/users/{id} — Update User
+
+##### TC-009: Happy Path — Updates User
+- **Endpoint**: `PUT /api/users/{id}`
+- **Auth**: Required
+- **Request Body**:
+  ```json
+  {
+    "name": "Updated Name"
+  }
+  ```
+- **Expected Response**:
+  - Status: 200 OK
+  - Body contains updated user
+- **Assertions**:
+  - Response status is 200
+  - `name` matches request
+- **AC Reference**: N/A
+- **Test Method Name**: `Put_Users_Returns200_WhenValidUpdate`
+
+##### TC-010: Validation — Returns 400 When Name Empty
+- **Endpoint**: `PUT /api/users/{id}`
+- **Auth**: Required
+- **Request Body**:
+  ```json
+  {
+    "name": ""
+  }
+  ```
+- **Expected Response**:
+  - Status: 400 Bad Request
+- **Assertions**:
+  - Response status is 400
+- **AC Reference**: N/A
+- **Test Method Name**: `Put_Users_Returns400_WhenNameEmpty`
+
+#### DELETE /api/users/{id} — Delete User
+
+##### TC-011: Happy Path — Deletes User
+- **Endpoint**: `DELETE /api/users/{id}`
+- **Auth**: Required
+- **Expected Response**:
+  - Status: 204 No Content
+- **Assertions**:
+  - Response status is 204
+  - Subsequent GET returns 404
+- **AC Reference**: N/A
+- **Test Method Name**: `Delete_Users_Returns204_WhenExists`
+
+##### TC-012: Authorization — Returns 403 When Deleting Self
+- **Endpoint**: `DELETE /api/users/{id}` where id = current user's id
+- **Auth**: Required
+- **Expected Response**:
+  - Status: 403 Forbidden
+- **Assertions**:
+  - Response status is 403
+  - Error message indicates cannot delete own account
+- **AC Reference**: N/A
+- **Test Method Name**: `Delete_Users_Returns403_WhenDeletingSelf`
+
+---
+
+## Story-Specific Test Cases (Optional)
+
+> Nếu spec được generate từ Story, thêm AC mapping ở đây.
+
+| AC ID | AC Description | Test Case IDs |
+|-------|----------------|---------------|
+| AC-1 | {Given...When...Then...} | TC-001, TC-002 |
+| AC-2 | {Given...When...Then...} | TC-004, TC-005 |
+
+---
+
+## Regression Tests (Optional)
+
+> Test cases cho bugs đã được tìm thấy và fix.
+
+| Bug ID | Description | Test Case ID | Date Added |
+|--------|-------------|--------------|------------|
+| BUG-001 | User profile missing notification_settings field | TC-R001 | 2024-01-15 |
+
+### TC-R001: BUG-001 Regression — notification_settings Present in Response
+- **Endpoint**: `GET /api/users/{id}`
+- **Auth**: Required
+- **Expected Response**:
+  - Status: 200 OK
+  - Body includes `notification_settings` field
+- **Assertions**:
+  - `notification_settings` is present and not undefined
+- **Test Method Name**: `BUG_R001_NotificationSettings_IsPresent`
+
+---
+
+## Changelog
+
+| Date | Version | Changes | Author |
+|------|---------|---------|--------|
+| [created_date] | v1 | Initial API test specification | @[executor] |
+| [updated_date] | v2 | Added endpoints for user management | @[executor] |
+
+---
+
+## AI Usage Log
+
+| # | Date | Command | Input (est.) | Output (est.) |
+|---|------|---------|-------------|---------------|
+| 1 | [created_date] | /tas-apitest-plan | ~{N}k | ~{N}k |
+| **Total** | | | **~{N}k** | **~{N}k** |

package/lib/deleted-files.json

@@ -1,33 +1,36 @@
-{
-  "1.6.0": [
-    ".claude/commands/tas-dev-story.md",
-    ".claude/commands/tas-review-code.md",
-    ".claude/commands/tas-security-check.md"
-  ],
-  "1.8.0": [
-    ".claude/agents/README.md",
-    ".claude/agents/ado-agent.md",
-    ".claude/agents/code-architect.md",
-    ".claude/agents/code-simplifier.md",
-    ".claude/agents/comment-analyzer.md",
-    ".claude/agents/conversation-analyzer.md",
-    ".claude/agents/docs-lookup.md",
-    ".claude/agents/harness-optimizer.md",
-    ".claude/agents/loop-operator.md",
-    ".claude/agents/performance-optimizer.md",
-    ".claude/agents/pr-test-analyzer.md",
-    ".claude/agents/pytorch-build-resolver.md",
-    ".claude/agents/refactor-cleaner.md",
-    ".claude/agents/seo-specialist.md",
-    ".claude/agents/silent-failure-hunter.md",
-    ".claude/agents/type-design-analyzer.md",
-    ".claude/rules/common/agents.md",
-    ".claude/rules/common/coding-style.md",
-    ".claude/rules/common/development-workflow.md",
-    ".claude/rules/common/git-workflow.md",
-    ".claude/rules/common/performance.md",
-    ".claude/skills/agent-harness-construction/SKILL.md",
-    ".claude/skills/agent-introspection-debugging/SKILL.md",
-    ".claude/skills/backend-patterns/SKILL.md"
-  ]
-}
+{
+  "1.6.0": [
+    ".claude/commands/tas-dev-story.md",
+    ".claude/commands/tas-review-code.md",
+    ".claude/commands/tas-security-check.md"
+  ],
+  "1.8.0": [
+    ".claude/agents/README.md",
+    ".claude/agents/ado-agent.md",
+    ".claude/agents/code-architect.md",
+    ".claude/agents/code-simplifier.md",
+    ".claude/agents/comment-analyzer.md",
+    ".claude/agents/conversation-analyzer.md",
+    ".claude/agents/docs-lookup.md",
+    ".claude/agents/harness-optimizer.md",
+    ".claude/agents/loop-operator.md",
+    ".claude/agents/performance-optimizer.md",
+    ".claude/agents/pr-test-analyzer.md",
+    ".claude/agents/pytorch-build-resolver.md",
+    ".claude/agents/refactor-cleaner.md",
+    ".claude/agents/seo-specialist.md",
+    ".claude/agents/silent-failure-hunter.md",
+    ".claude/agents/type-design-analyzer.md",
+    ".claude/rules/common/agents.md",
+    ".claude/rules/common/coding-style.md",
+    ".claude/rules/common/development-workflow.md",
+    ".claude/rules/common/git-workflow.md",
+    ".claude/rules/common/performance.md",
+    ".claude/skills/agent-harness-construction/SKILL.md",
+    ".claude/skills/agent-introspection-debugging/SKILL.md",
+    ".claude/skills/backend-patterns/SKILL.md"
+  ],
+  "1.9.0": [
+    ".claude/commands/tas-api-test.md"
+  ]
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@torus-engineering/tas-kit",
-  "version": "1.8.0",
+  "version": "1.9.0",
   "description": "Torus Agentic SDLC Kit — Collection of commands, skills, rules, hooks, agents and workflows for modern AI-First SDLC",
   "type": "module",
   "bin": {

package/.claude/commands/tas-api-test.md

@@ -1,95 +0,0 @@
-# /tas-api-test $ARGUMENTS
-
-Vai trò: SE - Software Engineer
-Generate .NET xUnit automation test project cho REST API từ spec (OpenAPI 3.0, Markdown, YAML).
-
-## Always / Ask / Never
-
-| | Hành động |
-|---|---|
-| **Always** | Đọc toàn bộ spec trước khi generate bất kỳ test nào |
-| **Always** | Tổ chức tests theo API version — mỗi version một folder riêng |
-| **Always** | Append-only: không sửa files trong version folder cũ đã tồn tại |
-| **Always** | URL và credentials ra `appsettings.json` — không hardcode trong code |
-| **Always** | XML doc comment trên mỗi test method |
-| **Ask** | Khi spec không rõ expected response schema |
-| **Never** | Sửa hoặc xóa test files của version cũ hơn |
-| **Never** | Hardcode base URL, API key, credentials trong test code |
-| **Never** | Bỏ qua error path — mỗi endpoint cần ≥1 happy path + ≥1 error path |
-
-## Hành động
-
-### Bước 1 — Locate Inputs
-
-`$ARGUMENTS` là path đến spec file hoặc Story ID. Nếu không có → hỏi user.
-
-Nếu là Story ID: glob tìm `docs/epics/**/Story-{ID}*.md`, đọc Story để tìm link spec trong `## Technical Plan` hoặc `## Acceptance Criteria`.
-
-### Bước 2 — Parse API Spec
-
-Đọc `.claude/rules/csharp/api-testing.md` để nắm convention trước khi generate.
-
-Từ spec, thu thập cho mỗi endpoint:
-- HTTP method + path, path/query params, request body schema
-- Response schemas theo từng status code
-- Auth requirement, description/summary
-
-Nếu có Story: đọc thêm `## Acceptance Criteria` để bổ sung business rule test cases.
-
-### Bước 3 — Detect Existing Test Project
-
-Glob tìm `**/ApiTests/*.csproj`, `**/Api.Tests/*.csproj`, `**/IntegrationTests/*.csproj`.
-
-- **Tìm thấy**: Đọc framework đang dùng (xUnit/NUnit/MSTest), glob `v*/` folders để biết versions đã có.
-- **Không tìm thấy**: Tạo mới tại `tests/ApiTests/` với xUnit + FluentAssertions (per `csharp/testing.md`).
-
-### Bước 4 — Detect API Version
-
-Ưu tiên theo thứ tự: `info.version` trong OpenAPI → prefix trong URL path → hỏi user.
-Version folder: lowercase, không có dot — `v1`, `v2` (không phải `v1.0`).
-
-### Bước 5 — Generate Infrastructure (chỉ khi tạo project mới)
-
-Đọc `.claude/rules/csharp/api-testing.md` section **Project Structure** và **Config Pattern** để generate:
-- `ApiTests.csproj` với packages chuẩn
-- `appsettings.json` (base) + `appsettings.Test.json` + `appsettings.Staging.json`
-- `Shared/TestBase.cs` — load config, HttpClient, helper methods
-- `Shared/ApiTestSettings.cs` — strongly typed settings
-- `.gitignore` cho `appsettings.*.local.json`
-
-### Bước 6 — Generate Test Classes
-
-Nhóm endpoints theo resource/tag. Mỗi nhóm → `tests/ApiTests/{version}/{Resource}ApiTests.cs`.
-
-Với mỗi endpoint, generate tối thiểu:
-1. Happy path (2xx)
-2. Unauthorized (401) — nếu endpoint yêu cầu auth
-3. Not found (404) — nếu có path param
-4. Validation error (400/422) — nếu có required fields
-
-Từ Story ACs: thêm test methods tương ứng, comment rõ `// AC: {AC text}`.
-
-Đầu mỗi file: block comment ghi `Spec`, `Generated date`, `Story ID`, và nhắc **APPEND-ONLY rule**.
-
-### Bước 7 — Append-Only Guard
-
-Trước khi ghi file: kiểm tra file đã tồn tại chưa.
-- File chưa có → tạo mới bình thường.
-- File đã tồn tại trong version folder → **DỪNG**, thông báo tên file cho user tự edit thủ công.
-
-### Bước 8 — Post-Generate Review
-
-Launch `csharp-reviewer` agent:
-> Review `tests/ApiTests/{version}/`. Đọc `.claude/rules/csharp/testing.md` + `.claude/rules/csharp/api-testing.md`.
-> Tập trung: async/await, HttpClient disposal, assertion completeness, XML doc coverage.
-> Format: Critical / High / Medium / Low với file:line.
-
-Gate: Critical/High → fix ngay. Medium/Low → list gợi ý.
-
-### Bước 9 — Summary
-
-Hiển thị bảng coverage (endpoint × test type: ✓/—) và next steps để chạy tests.
-
-## Bước cuối — Token Log
-
-Invoke skill `token-logger`: ghi AI Usage Log vào spec file hoặc Story đang làm việc.