@vibecheckai/cli 3.5.0 → 3.5.2

package/bin/runners/lib/reality/scenario-generator.js

@@ -1,1404 +0,0 @@
-/**
- * AI-Powered Scenario Generation Engine
- * 
- * ═══════════════════════════════════════════════════════════════════════════════
- * COMPETITIVE MOAT FEATURE - Automatic Edge Case Test Generation
- * ═══════════════════════════════════════════════════════════════════════════════
- * 
- * This engine analyzes the truthpack and generates intelligent test scenarios
- * that no human would think to test. It catches issues before they become bugs.
- * 
- * Scenario Categories:
- * - Auth boundary testing (role-based access, session expiry, token manipulation)
- * - Form submission edge cases (empty, max length, special chars, XSS payloads)
- * - API stress scenarios (concurrent requests, race conditions, retry storms)
- * - Business logic edge cases (checkout abandonment, partial state, rollbacks)
- * - Error recovery scenarios (network failures, timeouts, partial responses)
- * - State machine violations (skip steps, double submit, back button attacks)
- */
-
-"use strict";
-
-const fs = require("fs");
-const path = require("path");
-
-// ═══════════════════════════════════════════════════════════════════════════════
-// SCENARIO TEMPLATES
-// ═══════════════════════════════════════════════════════════════════════════════
-
-const SCENARIO_TEMPLATES = {
-  // ─────────────────────────────────────────────────────────────────────────────
-  // AUTHENTICATION BOUNDARY SCENARIOS
-  // ─────────────────────────────────────────────────────────────────────────────
-  auth: {
-    sessionExpiry: {
-      name: "Session Expiry During Action",
-      description: "Start authenticated, let session expire mid-flow, verify graceful handling",
-      severity: "BLOCK",
-      steps: [
-        { action: "login", params: { role: "user" } },
-        { action: "navigate", params: { to: "{{protectedRoute}}" } },
-        { action: "clearCookies", params: { filter: "session" } },
-        { action: "click", params: { selector: "{{submitButton}}" } },
-        { action: "expect", params: { redirect: "/login", or: { modal: "session-expired" } } }
-      ]
-    },
-    tokenTampering: {
-      name: "JWT Token Manipulation",
-      description: "Modify JWT payload to test server-side validation",
-      severity: "BLOCK",
-      steps: [
-        { action: "login", params: { role: "user" } },
-        { action: "modifyToken", params: { field: "role", value: "admin" } },
-        { action: "navigate", params: { to: "{{adminRoute}}" } },
-        { action: "expect", params: { status: 403, or: { redirect: "/unauthorized" } } }
-      ]
-    },
-    roleEscalation: {
-      name: "Horizontal Privilege Escalation",
-      description: "Access another user's resources by ID manipulation",
-      severity: "BLOCK",
-      steps: [
-        { action: "login", params: { role: "user", id: "user-1" } },
-        { action: "navigate", params: { to: "{{resourceRoute}}", params: { id: "user-2-resource" } } },
-        { action: "expect", params: { status: 403, or: { empty: true } } }
-      ]
-    },
-    concurrentSessions: {
-      name: "Concurrent Session Handling",
-      description: "Test behavior when same user logs in from multiple sessions",
-      severity: "WARN",
-      steps: [
-        { action: "login", params: { role: "user", session: "A" } },
-        { action: "login", params: { role: "user", session: "B" } },
-        { action: "switchSession", params: { to: "A" } },
-        { action: "navigate", params: { to: "{{protectedRoute}}" } },
-        { action: "expect", params: { valid: true, or: { invalidated: true } } }
-      ]
-    }
-  },
-
-  // ─────────────────────────────────────────────────────────────────────────────
-  // FORM SUBMISSION EDGE CASES
-  // ─────────────────────────────────────────────────────────────────────────────
-  forms: {
-    emptySubmit: {
-      name: "Empty Form Submission",
-      description: "Submit form with all fields empty",
-      severity: "WARN",
-      steps: [
-        { action: "navigate", params: { to: "{{formRoute}}" } },
-        { action: "clearAll", params: { selector: "form input" } },
-        { action: "click", params: { selector: "{{submitButton}}" } },
-        { action: "expect", params: { validation: true, noServerError: true } }
-      ]
-    },
-    maxLength: {
-      name: "Maximum Length Boundary",
-      description: "Submit fields at and beyond maximum length",
-      severity: "WARN",
-      steps: [
-        { action: "navigate", params: { to: "{{formRoute}}" } },
-        { action: "fill", params: { selector: "{{textField}}", value: "A".repeat(10001) } },
-        { action: "click", params: { selector: "{{submitButton}}" } },
-        { action: "expect", params: { truncated: true, or: { validation: "max length" } } }
-      ]
-    },
-    xssPayloads: {
-      name: "XSS Payload Injection",
-      description: "Inject script tags and event handlers",
-      severity: "BLOCK",
-      payloads: [
-        "<script>alert('xss')</script>",
-        "<img src=x onerror=alert('xss')>",
-        "javascript:alert('xss')",
-        "{{constructor.constructor('alert(1)')()}}"
-      ],
-      steps: [
-        { action: "navigate", params: { to: "{{formRoute}}" } },
-        { action: "fill", params: { selector: "{{textField}}", value: "{{payload}}" } },
-        { action: "click", params: { selector: "{{submitButton}}" } },
-        { action: "expect", params: { sanitized: true, noExecution: true } }
-      ]
-    },
-    sqlInjection: {
-      name: "SQL Injection Patterns",
-      description: "Test SQL injection in form fields",
-      severity: "BLOCK",
-      payloads: [
-        "'; DROP TABLE users; --",
-        "1' OR '1'='1",
-        "UNION SELECT * FROM users",
-        "admin'--"
-      ],
-      steps: [
-        { action: "navigate", params: { to: "{{formRoute}}" } },
-        { action: "fill", params: { selector: "{{textField}}", value: "{{payload}}" } },
-        { action: "click", params: { selector: "{{submitButton}}" } },
-        { action: "expect", params: { escaped: true, noDbError: true } }
-      ]
-    },
-    unicodeBomb: {
-      name: "Unicode and Special Characters",
-      description: "Test handling of unicode, emojis, RTL, zero-width chars",
-      severity: "WARN",
-      payloads: [
-        "🔥💀👾🎮",                           // Emojis
-        "مرحبا بالعالم",                      // Arabic RTL
-        "test\u0000null",                    // Null byte
-        "test\u200Bhidden",                  // Zero-width space
-        "Ṱ̈́͑ḛ̏̀s̞̿t̰̊̏",                         // Zalgo text
-        "test\r\ninjection"                  // CRLF
-      ],
-      steps: [
-        { action: "navigate", params: { to: "{{formRoute}}" } },
-        { action: "fill", params: { selector: "{{textField}}", value: "{{payload}}" } },
-        { action: "click", params: { selector: "{{submitButton}}" } },
-        { action: "expect", params: { handled: true, noCorruption: true } }
-      ]
-    },
-    doubleSubmit: {
-      name: "Double Submit Prevention",
-      description: "Rapidly click submit twice to test idempotency",
-      severity: "BLOCK",
-      steps: [
-        { action: "navigate", params: { to: "{{formRoute}}" } },
-        { action: "fillValid", params: { form: "{{formSelector}}" } },
-        { action: "doubleClick", params: { selector: "{{submitButton}}", delay: 50 } },
-        { action: "expect", params: { singleSubmission: true, or: { buttonDisabled: true } } }
-      ]
-    }
-  },
-
-  // ─────────────────────────────────────────────────────────────────────────────
-  // API STRESS SCENARIOS
-  // ─────────────────────────────────────────────────────────────────────────────
-  api: {
-    raceCondition: {
-      name: "Race Condition Detection",
-      description: "Concurrent identical requests to detect race conditions",
-      severity: "BLOCK",
-      steps: [
-        { action: "login", params: { role: "user" } },
-        { action: "parallel", params: { 
-          count: 5, 
-          action: "apiCall", 
-          endpoint: "{{criticalEndpoint}}", 
-          method: "POST",
-          body: "{{validPayload}}"
-        }},
-        { action: "expect", params: { 
-          idempotent: true, 
-          or: { exactlyOne: true },
-          noDataCorruption: true 
-        }}
-      ]
-    },
-    retryStorm: {
-      name: "Retry Storm Handling",
-      description: "Simulate client retry behavior on timeout",
-      severity: "WARN",
-      steps: [
-        { action: "interceptNetwork", params: { pattern: "{{apiPattern}}", delay: 10000 } },
-        { action: "navigate", params: { to: "{{pageWithApi}}" } },
-        { action: "wait", params: { ms: 2000 } },
-        { action: "releaseNetwork" },
-        { action: "expect", params: { noMultipleRequests: true, gracefulTimeout: true } }
-      ]
-    },
-    rateLimiting: {
-      name: "Rate Limit Behavior",
-      description: "Verify rate limiting is enforced and user-friendly",
-      severity: "WARN",
-      steps: [
-        { action: "loop", params: { count: 100, delay: 10 }, action: {
-          action: "apiCall",
-          endpoint: "{{rateLimitedEndpoint}}",
-          method: "GET"
-        }},
-        { action: "expect", params: { 
-          rateLimited: true, 
-          status: 429, 
-          retryAfter: "present",
-          userMessage: "present"
-        }}
-      ]
-    }
-  },
-
-  // ─────────────────────────────────────────────────────────────────────────────
-  // BUSINESS LOGIC EDGE CASES
-  // ─────────────────────────────────────────────────────────────────────────────
-  business: {
-    checkoutAbandonment: {
-      name: "Checkout Flow Abandonment",
-      description: "Start checkout, abandon, return - verify cart state",
-      severity: "WARN",
-      steps: [
-        { action: "addToCart", params: { product: "{{testProduct}}" } },
-        { action: "navigate", params: { to: "/checkout" } },
-        { action: "fillStep", params: { step: "shipping" } },
-        { action: "navigate", params: { to: "/" } },
-        { action: "wait", params: { ms: 5000 } },
-        { action: "navigate", params: { to: "/checkout" } },
-        { action: "expect", params: { cartPreserved: true, stepPreserved: true } }
-      ]
-    },
-    priceManipulation: {
-      name: "Price Manipulation Attack",
-      description: "Attempt to modify prices client-side",
-      severity: "BLOCK",
-      steps: [
-        { action: "addToCart", params: { product: "{{testProduct}}" } },
-        { action: "interceptRequest", params: { 
-          pattern: "/api/checkout",
-          modify: { "items[0].price": 0.01 }
-        }},
-        { action: "submitCheckout" },
-        { action: "expect", params: { 
-          serverValidation: true, 
-          priceFromServer: true,
-          noDiscount: true
-        }}
-      ]
-    },
-    inventoryRace: {
-      name: "Inventory Race Condition",
-      description: "Two users checkout last item simultaneously",
-      severity: "BLOCK",
-      steps: [
-        { action: "setInventory", params: { product: "{{testProduct}}", count: 1 } },
-        { action: "parallel", params: { sessions: ["A", "B"] }, steps: [
-          { action: "addToCart", params: { product: "{{testProduct}}" } },
-          { action: "submitCheckout" }
-        ]},
-        { action: "expect", params: { 
-          exactlyOneSuccess: true, 
-          otherFails: "out of stock",
-          noOversell: true
-        }}
-      ]
-    },
-    negativeQuantity: {
-      name: "Negative Quantity Attack",
-      description: "Attempt to add negative quantities",
-      severity: "BLOCK",
-      steps: [
-        { action: "interceptRequest", params: { 
-          pattern: "/api/cart",
-          modify: { quantity: -5 }
-        }},
-        { action: "expect", params: { rejected: true, noCredit: true } }
-      ]
-    }
-  },
-
-  // ─────────────────────────────────────────────────────────────────────────────
-  // ERROR RECOVERY SCENARIOS
-  // ─────────────────────────────────────────────────────────────────────────────
-  errors: {
-    networkDrop: {
-      name: "Network Drop Mid-Action",
-      description: "Cut network during API call, verify recovery",
-      severity: "WARN",
-      steps: [
-        { action: "navigate", params: { to: "{{pageWithForm}}" } },
-        { action: "fillValid", params: { form: "{{formSelector}}" } },
-        { action: "goOffline" },
-        { action: "click", params: { selector: "{{submitButton}}" } },
-        { action: "expect", params: { 
-          offlineMessage: true, 
-          dataNotLost: true,
-          retryOption: true
-        }},
-        { action: "goOnline" },
-        { action: "click", params: { selector: "{{retryButton}}" } },
-        { action: "expect", params: { success: true } }
-      ]
-    },
-    partialResponse: {
-      name: "Partial Response Handling",
-      description: "Server returns truncated JSON",
-      severity: "WARN",
-      steps: [
-        { action: "interceptResponse", params: { 
-          pattern: "{{apiPattern}}",
-          truncate: 0.5  // Cut response at 50%
-        }},
-        { action: "navigate", params: { to: "{{pageWithApi}}" } },
-        { action: "expect", params: { 
-          gracefulError: true, 
-          noJsCrash: true,
-          retryOption: true
-        }}
-      ]
-    },
-    serverError: {
-      name: "500 Error Recovery",
-      description: "Server returns 500, verify user-friendly handling",
-      severity: "WARN",
-      steps: [
-        { action: "interceptResponse", params: { 
-          pattern: "{{apiPattern}}",
-          status: 500,
-          body: "Internal Server Error"
-        }},
-        { action: "navigate", params: { to: "{{pageWithApi}}" } },
-        { action: "expect", params: { 
-          userFriendlyError: true, 
-          noStackTrace: true,
-          reportOption: true
-        }}
-      ]
-    }
-  },
-
-  // ─────────────────────────────────────────────────────────────────────────────
-  // STATE MACHINE VIOLATIONS
-  // ─────────────────────────────────────────────────────────────────────────────
-  stateMachine: {
-    skipStep: {
-      name: "Wizard Step Skip Attack",
-      description: "Try to skip steps in multi-step flow",
-      severity: "BLOCK",
-      steps: [
-        { action: "navigate", params: { to: "{{wizardStep1}}" } },
-        { action: "navigate", params: { to: "{{wizardStep3}}" } },  // Skip step 2
-        { action: "expect", params: { 
-          redirectToStep: 2, 
-          or: { blocked: true },
-          noIncompleteSubmit: true
-        }}
-      ]
-    },
-    backButtonAbuse: {
-      name: "Back Button State Corruption",
-      description: "Use back button after completing flow",
-      severity: "WARN",
-      steps: [
-        { action: "completeFlow", params: { flow: "{{checkoutFlow}}" } },
-        { action: "goBack" },
-        { action: "goBack" },
-        { action: "click", params: { selector: "{{submitButton}}" } },
-        { action: "expect", params: { 
-          noDuplicate: true, 
-          or: { alreadyCompleted: true }
-        }}
-      ]
-    },
-    directUrlAccess: {
-      name: "Direct URL to Protected State",
-      description: "Access completion page without going through flow",
-      severity: "BLOCK",
-      steps: [
-        { action: "navigate", params: { to: "{{confirmationPage}}" } },
-        { action: "expect", params: { 
-          redirect: "{{startPage}}", 
-          or: { error: "invalid state" },
-          noFakeSuccess: true
-        }}
-      ]
-    }
-  },
-
-  // ─────────────────────────────────────────────────────────────────────────────
-  // PERFORMANCE & RESOURCE ABUSE
-  // ─────────────────────────────────────────────────────────────────────────────
-  performance: {
-    largeFileUpload: {
-      name: "Oversized File Upload",
-      description: "Upload file exceeding limit",
-      severity: "WARN",
-      steps: [
-        { action: "navigate", params: { to: "{{uploadPage}}" } },
-        { action: "uploadFile", params: { size: "100MB", type: "image/png" } },
-        { action: "expect", params: { 
-          clientValidation: true, 
-          or: { serverReject: true },
-          noHang: true,
-          maxWait: 5000
-        }}
-      ]
-    },
-    infiniteScroll: {
-      name: "Infinite Scroll Memory Leak",
-      description: "Scroll to load many pages, check memory",
-      severity: "WARN",
-      steps: [
-        { action: "navigate", params: { to: "{{infiniteScrollPage}}" } },
-        { action: "recordMemory", params: { label: "start" } },
-        { action: "scrollToBottom", params: { times: 50 } },
-        { action: "recordMemory", params: { label: "end" } },
-        { action: "expect", params: { 
-          memoryGrowth: { max: "3x" },
-          noFreeze: true
-        }}
-      ]
-    },
-    fileTypeSpoofing: {
-      name: "File Type Spoofing",
-      description: "Upload executable with image extension",
-      severity: "BLOCK",
-      steps: [
-        { action: "navigate", params: { to: "{{uploadPage}}" } },
-        { action: "uploadSpoofedFile", params: { 
-          realType: "application/x-executable",
-          fakeExtension: ".png",
-          fakeMime: "image/png"
-        }},
-        { action: "expect", params: { 
-          rejected: true, 
-          magicByteCheck: true
-        }}
-      ]
-    }
-  }
-};
-
-// ═══════════════════════════════════════════════════════════════════════════════
-// SCENARIO GENERATOR CLASS
-// ═══════════════════════════════════════════════════════════════════════════════
-
-class ScenarioGenerator {
-  constructor(options = {}) {
-    this.truthpackPath = options.truthpackPath || ".vibecheck/truth/truthpack.json";
-    this.maxScenariosPerCategory = options.maxScenariosPerCategory || 5;
-    this.severityFilter = options.severityFilter || ["BLOCK", "WARN"];
-    this.categories = options.categories || Object.keys(SCENARIO_TEMPLATES);
-    this.customScenarios = options.customScenarios || [];
-  }
-
-  /**
-   * Load and analyze the truthpack to understand the app
-   */
-  loadTruthpack(projectRoot) {
-    const truthpackFile = path.join(projectRoot, this.truthpackPath);
-    
-    if (!fs.existsSync(truthpackFile)) {
-      return null;
-    }
-
-    try {
-      return JSON.parse(fs.readFileSync(truthpackFile, "utf8"));
-    } catch {
-      return null;
-    }
-  }
-
-  /**
-   * Extract testable features from truthpack
-   */
-  analyzeAppStructure(truthpack) {
-    const analysis = {
-      routes: {
-        public: [],
-        protected: [],
-        admin: [],
-        api: [],
-        forms: [],
-        uploads: [],
-        checkout: [],
-        wizard: []
-      },
-      auth: {
-        hasAuth: false,
-        roles: [],
-        sessionType: null,
-        protectedPatterns: []
-      },
-      forms: [],
-      apis: {
-        endpoints: [],
-        criticalEndpoints: [],
-        rateLimited: []
-      },
-      features: {
-        hasCheckout: false,
-        hasUpload: false,
-        hasWizard: false,
-        hasInfiniteScroll: false,
-        hasRealtime: false
-      }
-    };
-
-    if (!truthpack) return analysis;
-
-    // Analyze routes
-    if (truthpack.routes) {
-      const routes = truthpack.routes.serverRoutes || truthpack.routes.routes || [];
-      
-      for (const route of routes) {
-        const routePath = route.path || route;
-        
-        // Categorize routes
-        if (/\/api\//i.test(routePath)) {
-          analysis.routes.api.push(routePath);
-          
-          // Detect critical endpoints
-          if (/checkout|payment|order|billing|transfer/i.test(routePath)) {
-            analysis.apis.criticalEndpoints.push(routePath);
-            analysis.features.hasCheckout = true;
-          }
-        }
-        
-        if (/admin|dashboard|manage/i.test(routePath)) {
-          analysis.routes.admin.push(routePath);
-        }
-        
-        if (/upload|file|image|document/i.test(routePath)) {
-          analysis.routes.uploads.push(routePath);
-          analysis.features.hasUpload = true;
-        }
-        
-        if (/wizard|step|onboard/i.test(routePath)) {
-          analysis.routes.wizard.push(routePath);
-          analysis.features.hasWizard = true;
-        }
-        
-        if (/form|submit|create|edit|new/i.test(routePath)) {
-          analysis.routes.forms.push(routePath);
-        }
-      }
-    }
-
-    // Analyze auth
-    if (truthpack.auth) {
-      analysis.auth.hasAuth = true;
-      analysis.auth.roles = truthpack.auth.roles || [];
-      analysis.auth.protectedPatterns = truthpack.auth.protectedPatterns || 
-                                         truthpack.auth.nextMatcherPatterns || [];
-      
-      // Detect session type
-      if (truthpack.auth.jwt || truthpack.auth.tokenBased) {
-        analysis.auth.sessionType = "jwt";
-      } else if (truthpack.auth.sessionBased) {
-        analysis.auth.sessionType = "session";
-      }
-    }
-
-    // Analyze env for feature detection
-    if (truthpack.env) {
-      const envVars = Object.keys(truthpack.env.declared || {});
-      
-      if (envVars.some(v => /stripe|payment|billing/i.test(v))) {
-        analysis.features.hasCheckout = true;
-      }
-      
-      if (envVars.some(v => /s3|cloudinary|upload/i.test(v))) {
-        analysis.features.hasUpload = true;
-      }
-      
-      if (envVars.some(v => /pusher|socket|realtime/i.test(v))) {
-        analysis.features.hasRealtime = true;
-      }
-    }
-
-    return analysis;
-  }
-
-  /**
-   * Generate scenarios based on app analysis
-   */
-  generateScenarios(projectRoot) {
-    const truthpack = this.loadTruthpack(projectRoot);
-    const analysis = this.analyzeAppStructure(truthpack);
-    const scenarios = [];
-
-    // Generate auth scenarios if app has auth
-    if (analysis.auth.hasAuth && this.categories.includes("auth")) {
-      scenarios.push(...this.generateAuthScenarios(analysis));
-    }
-
-    // Generate form scenarios if app has forms
-    if (analysis.routes.forms.length > 0 && this.categories.includes("forms")) {
-      scenarios.push(...this.generateFormScenarios(analysis));
-    }
-
-    // Generate API scenarios if app has APIs
-    if (analysis.routes.api.length > 0 && this.categories.includes("api")) {
-      scenarios.push(...this.generateApiScenarios(analysis));
-    }
-
-    // Generate business logic scenarios if app has checkout
-    if (analysis.features.hasCheckout && this.categories.includes("business")) {
-      scenarios.push(...this.generateBusinessScenarios(analysis));
-    }
-
-    // Generate error scenarios
-    if (this.categories.includes("errors")) {
-      scenarios.push(...this.generateErrorScenarios(analysis));
-    }
-
-    // Generate state machine scenarios if app has wizards
-    if (analysis.features.hasWizard && this.categories.includes("stateMachine")) {
-      scenarios.push(...this.generateStateMachineScenarios(analysis));
-    }
-
-    // Generate performance scenarios
-    if (this.categories.includes("performance")) {
-      scenarios.push(...this.generatePerformanceScenarios(analysis));
-    }
-
-    // Add custom scenarios
-    scenarios.push(...this.customScenarios);
-
-    // Filter by severity
-    const filtered = scenarios.filter(s => 
-      this.severityFilter.includes(s.severity)
-    );
-
-    // Deduplicate and prioritize
-    return this.prioritizeScenarios(filtered);
-  }
-
-  /**
-   * Generate auth-related scenarios
-   */
-  generateAuthScenarios(analysis) {
-    const scenarios = [];
-    const templates = SCENARIO_TEMPLATES.auth;
-
-    // Session expiry scenario
-    if (analysis.auth.sessionType) {
-      const protectedRoute = analysis.routes.protected[0] || 
-                            analysis.routes.admin[0] || 
-                            "/dashboard";
-      
-      scenarios.push({
-        ...templates.sessionExpiry,
-        category: "auth",
-        variables: {
-          protectedRoute,
-          submitButton: "[type='submit'], button:has-text('Save'), button:has-text('Submit')"
-        },
-        confidence: 0.9,
-        generated: true
-      });
-    }
-
-    // Token tampering scenario (for JWT auth)
-    if (analysis.auth.sessionType === "jwt") {
-      const adminRoute = analysis.routes.admin[0] || "/admin";
-      
-      scenarios.push({
-        ...templates.tokenTampering,
-        category: "auth",
-        variables: { adminRoute },
-        confidence: 0.95,
-        generated: true
-      });
-    }
-
-    // Role escalation scenario
-    if (analysis.auth.roles.length > 1) {
-      const resourceRoute = analysis.routes.api.find(r => 
-        /user|profile|account|resource/i.test(r)
-      ) || "/api/users/:id";
-
-      scenarios.push({
-        ...templates.roleEscalation,
-        category: "auth",
-        variables: { resourceRoute },
-        confidence: 0.9,
-        generated: true
-      });
-    }
-
-    // Concurrent sessions
-    scenarios.push({
-      ...templates.concurrentSessions,
-      category: "auth",
-      variables: {
-        protectedRoute: analysis.routes.protected[0] || "/dashboard"
-      },
-      confidence: 0.8,
-      generated: true
-    });
-
-    return scenarios.slice(0, this.maxScenariosPerCategory);
-  }
-
-  /**
-   * Generate form-related scenarios
-   */
-  generateFormScenarios(analysis) {
-    const scenarios = [];
-    const templates = SCENARIO_TEMPLATES.forms;
-    const formRoutes = analysis.routes.forms;
-
-    if (formRoutes.length === 0) return scenarios;
-
-    const primaryForm = formRoutes[0];
-
-    // Empty submit
-    scenarios.push({
-      ...templates.emptySubmit,
-      category: "forms",
-      variables: {
-        formRoute: primaryForm,
-        submitButton: "[type='submit']"
-      },
-      confidence: 0.95,
-      generated: true
-    });
-
-    // Max length
-    scenarios.push({
-      ...templates.maxLength,
-      category: "forms",
-      variables: {
-        formRoute: primaryForm,
-        textField: "input[type='text'], textarea",
-        submitButton: "[type='submit']"
-      },
-      confidence: 0.85,
-      generated: true
-    });
-
-    // XSS payloads - generate one per payload
-    for (const payload of templates.xssPayloads.payloads.slice(0, 2)) {
-      scenarios.push({
-        ...templates.xssPayloads,
-        category: "forms",
-        variables: {
-          formRoute: primaryForm,
-          textField: "input[type='text'], textarea",
-          submitButton: "[type='submit']",
-          payload
-        },
-        confidence: 0.95,
-        generated: true
-      });
-    }
-
-    // Double submit
-    scenarios.push({
-      ...templates.doubleSubmit,
-      category: "forms",
-      variables: {
-        formRoute: primaryForm,
-        formSelector: "form",
-        submitButton: "[type='submit']"
-      },
-      confidence: 0.9,
-      generated: true
-    });
-
-    return scenarios.slice(0, this.maxScenariosPerCategory);
-  }
-
-  /**
-   * Generate API-related scenarios
-   */
-  generateApiScenarios(analysis) {
-    const scenarios = [];
-    const templates = SCENARIO_TEMPLATES.api;
-
-    // Race condition for critical endpoints
-    if (analysis.apis.criticalEndpoints.length > 0) {
-      scenarios.push({
-        ...templates.raceCondition,
-        category: "api",
-        variables: {
-          criticalEndpoint: analysis.apis.criticalEndpoints[0],
-          validPayload: "{}"
-        },
-        confidence: 0.9,
-        generated: true
-      });
-    }
-
-    // Retry storm for any API
-    if (analysis.routes.api.length > 0) {
-      scenarios.push({
-        ...templates.retryStorm,
-        category: "api",
-        variables: {
-          apiPattern: analysis.routes.api[0],
-          pageWithApi: "/" // Will be refined based on route analysis
-        },
-        confidence: 0.8,
-        generated: true
-      });
-    }
-
-    // Rate limiting
-    scenarios.push({
-      ...templates.rateLimiting,
-      category: "api",
-      variables: {
-        rateLimitedEndpoint: analysis.routes.api[0] || "/api/data"
-      },
-      confidence: 0.85,
-      generated: true
-    });
-
-    return scenarios.slice(0, this.maxScenariosPerCategory);
-  }
-
-  /**
-   * Generate business logic scenarios
-   */
-  generateBusinessScenarios(analysis) {
-    const scenarios = [];
-    const templates = SCENARIO_TEMPLATES.business;
-
-    if (!analysis.features.hasCheckout) return scenarios;
-
-    // Price manipulation
-    scenarios.push({
-      ...templates.priceManipulation,
-      category: "business",
-      variables: {
-        testProduct: "test-product-id"
-      },
-      confidence: 0.95,
-      generated: true
-    });
-
-    // Inventory race condition
-    scenarios.push({
-      ...templates.inventoryRace,
-      category: "business",
-      variables: {
-        testProduct: "test-product-id"
-      },
-      confidence: 0.9,
-      generated: true
-    });
-
-    // Negative quantity
-    scenarios.push({
-      ...templates.negativeQuantity,
-      category: "business",
-      variables: {},
-      confidence: 0.95,
-      generated: true
-    });
-
-    // Checkout abandonment
-    scenarios.push({
-      ...templates.checkoutAbandonment,
-      category: "business",
-      variables: {
-        testProduct: "test-product-id"
-      },
-      confidence: 0.8,
-      generated: true
-    });
-
-    return scenarios.slice(0, this.maxScenariosPerCategory);
-  }
-
-  /**
-   * Generate error recovery scenarios
-   */
-  generateErrorScenarios(analysis) {
-    const scenarios = [];
-    const templates = SCENARIO_TEMPLATES.errors;
-
-    const apiPattern = analysis.routes.api[0] || "/api/*";
-    const formPage = analysis.routes.forms[0] || "/";
-
-    // Network drop
-    scenarios.push({
-      ...templates.networkDrop,
-      category: "errors",
-      variables: {
-        pageWithForm: formPage,
-        formSelector: "form",
-        submitButton: "[type='submit']",
-        retryButton: "button:has-text('Retry'), button:has-text('Try Again')"
-      },
-      confidence: 0.85,
-      generated: true
-    });
-
-    // Partial response
-    scenarios.push({
-      ...templates.partialResponse,
-      category: "errors",
-      variables: {
-        apiPattern,
-        pageWithApi: "/"
-      },
-      confidence: 0.8,
-      generated: true
-    });
-
-    // 500 error
-    scenarios.push({
-      ...templates.serverError,
-      category: "errors",
-      variables: {
-        apiPattern,
-        pageWithApi: "/"
-      },
-      confidence: 0.85,
-      generated: true
-    });
-
-    return scenarios.slice(0, this.maxScenariosPerCategory);
-  }
-
-  /**
-   * Generate state machine scenarios
-   */
-  generateStateMachineScenarios(analysis) {
-    const scenarios = [];
-    const templates = SCENARIO_TEMPLATES.stateMachine;
-
-    if (!analysis.features.hasWizard) return scenarios;
-
-    const wizardRoutes = analysis.routes.wizard;
-    if (wizardRoutes.length >= 2) {
-      // Skip step
-      scenarios.push({
-        ...templates.skipStep,
-        category: "stateMachine",
-        variables: {
-          wizardStep1: wizardRoutes[0],
-          wizardStep3: wizardRoutes[2] || wizardRoutes[1]
-        },
-        confidence: 0.9,
-        generated: true
-      });
-    }
-
-    // Direct URL access
-    scenarios.push({
-      ...templates.directUrlAccess,
-      category: "stateMachine",
-      variables: {
-        confirmationPage: "/checkout/confirmation",
-        startPage: "/checkout"
-      },
-      confidence: 0.85,
-      generated: true
-    });
-
-    // Back button abuse
-    scenarios.push({
-      ...templates.backButtonAbuse,
-      category: "stateMachine",
-      variables: {
-        checkoutFlow: "checkout",
-        submitButton: "[type='submit']"
-      },
-      confidence: 0.8,
-      generated: true
-    });
-
-    return scenarios.slice(0, this.maxScenariosPerCategory);
-  }
-
-  /**
-   * Generate performance scenarios
-   */
-  generatePerformanceScenarios(analysis) {
-    const scenarios = [];
-    const templates = SCENARIO_TEMPLATES.performance;
-
-    // Large file upload
-    if (analysis.features.hasUpload) {
-      scenarios.push({
-        ...templates.largeFileUpload,
-        category: "performance",
-        variables: {
-          uploadPage: analysis.routes.uploads[0] || "/upload"
-        },
-        confidence: 0.85,
-        generated: true
-      });
-
-      // File type spoofing
-      scenarios.push({
-        ...templates.fileTypeSpoofing,
-        category: "performance",
-        variables: {
-          uploadPage: analysis.routes.uploads[0] || "/upload"
-        },
-        confidence: 0.9,
-        generated: true
-      });
-    }
-
-    // Infinite scroll memory leak (if detected or assume present)
-    scenarios.push({
-      ...templates.infiniteScroll,
-      category: "performance",
-      variables: {
-        infiniteScrollPage: "/feed"
-      },
-      confidence: 0.7,
-      generated: true
-    });
-
-    return scenarios.slice(0, this.maxScenariosPerCategory);
-  }
-
-  /**
-   * Prioritize and deduplicate scenarios
-   */
-  prioritizeScenarios(scenarios) {
-    // Sort by: severity (BLOCK first), then confidence
-    const severityOrder = { BLOCK: 0, WARN: 1, INFO: 2 };
-    
-    return scenarios.sort((a, b) => {
-      const sevDiff = severityOrder[a.severity] - severityOrder[b.severity];
-      if (sevDiff !== 0) return sevDiff;
-      return b.confidence - a.confidence;
-    });
-  }
-
-  /**
-   * Export scenarios for Reality Mode execution
-   */
-  exportForReality(scenarios) {
-    return scenarios.map(scenario => ({
-      id: `${scenario.category}-${scenario.name.toLowerCase().replace(/\s+/g, "-")}`,
-      name: scenario.name,
-      description: scenario.description,
-      category: scenario.category,
-      severity: scenario.severity,
-      confidence: scenario.confidence,
-      steps: this.resolveVariables(scenario.steps, scenario.variables),
-      generated: scenario.generated || false,
-      expectedOutcomes: this.extractExpectations(scenario.steps)
-    }));
-  }
-
-  /**
-   * Resolve template variables in steps
-   */
-  resolveVariables(steps, variables) {
-    if (!steps || !variables) return steps;
-
-    return JSON.parse(
-      JSON.stringify(steps).replace(
-        /\{\{(\w+)\}\}/g,
-        (match, varName) => variables[varName] || match
-      )
-    );
-  }
-
-  /**
-   * Extract expected outcomes from steps
-   */
-  extractExpectations(steps) {
-    if (!steps) return [];
-    
-    return steps
-      .filter(step => step.action === "expect")
-      .map(step => step.params);
-  }
-}
-
-// ═══════════════════════════════════════════════════════════════════════════════
-// SCENARIO EXECUTOR (integrates with Playwright)
-// ═══════════════════════════════════════════════════════════════════════════════
-
-class ScenarioExecutor {
-  constructor(options = {}) {
-    this.page = options.page;
-    this.context = options.context;
-    this.baseUrl = options.baseUrl;
-    this.timeout = options.timeout || 30000;
-    this.results = [];
-  }
-
-  /**
-   * Execute a single scenario
-   */
-  async executeScenario(scenario) {
-    const result = {
-      id: scenario.id,
-      name: scenario.name,
-      category: scenario.category,
-      severity: scenario.severity,
-      status: "pending",
-      steps: [],
-      violations: [],
-      duration: 0
-    };
-
-    const startTime = Date.now();
-
-    try {
-      for (const step of scenario.steps) {
-        const stepResult = await this.executeStep(step);
-        result.steps.push(stepResult);
-
-        if (stepResult.status === "failed" && step.action === "expect") {
-          result.violations.push({
-            step: step.action,
-            expected: step.params,
-            actual: stepResult.actual,
-            message: stepResult.error
-          });
-        }
-      }
-
-      result.status = result.violations.length > 0 ? "failed" : "passed";
-    } catch (error) {
-      result.status = "error";
-      result.error = error.message;
-    }
-
-    result.duration = Date.now() - startTime;
-    this.results.push(result);
-    
-    return result;
-  }
-
-  /**
-   * Execute a single step
-   */
-  async executeStep(step) {
-    const stepResult = {
-      action: step.action,
-      params: step.params,
-      status: "pending",
-      timestamp: Date.now()
-    };
-
-    try {
-      switch (step.action) {
-        case "navigate":
-          await this.page.goto(this.resolveUrl(step.params.to));
-          stepResult.status = "passed";
-          break;
-
-        case "click":
-          await this.page.click(step.params.selector, { timeout: this.timeout });
-          stepResult.status = "passed";
-          break;
-
-        case "fill":
-          await this.page.fill(step.params.selector, step.params.value);
-          stepResult.status = "passed";
-          break;
-
-        case "doubleClick":
-          const element = await this.page.$(step.params.selector);
-          if (element) {
-            await element.click();
-            await this.page.waitForTimeout(step.params.delay || 50);
-            await element.click();
-          }
-          stepResult.status = "passed";
-          break;
-
-        case "goOffline":
-          await this.context.setOffline(true);
-          stepResult.status = "passed";
-          break;
-
-        case "goOnline":
-          await this.context.setOffline(false);
-          stepResult.status = "passed";
-          break;
-
-        case "clearCookies":
-          await this.context.clearCookies();
-          stepResult.status = "passed";
-          break;
-
-        case "wait":
-          await this.page.waitForTimeout(step.params.ms);
-          stepResult.status = "passed";
-          break;
-
-        case "goBack":
-          await this.page.goBack();
-          stepResult.status = "passed";
-          break;
-
-        case "expect":
-          stepResult.actual = await this.evaluateExpectation(step.params);
-          stepResult.status = stepResult.actual.passed ? "passed" : "failed";
-          if (!stepResult.actual.passed) {
-            stepResult.error = stepResult.actual.reason;
-          }
-          break;
-
-        case "recordMemory":
-          stepResult.memory = await this.page.evaluate(() => {
-            if (window.performance && window.performance.memory) {
-              return window.performance.memory.usedJSHeapSize;
-            }
-            return null;
-          });
-          stepResult.status = "passed";
-          break;
-
-        case "interceptRequest":
-          await this.page.route(step.params.pattern, (route, request) => {
-            const postData = request.postData();
-            if (postData && step.params.modify) {
-              const modified = { ...JSON.parse(postData), ...step.params.modify };
-              route.continue({ postData: JSON.stringify(modified) });
-            } else {
-              route.continue();
-            }
-          });
-          stepResult.status = "passed";
-          break;
-
-        case "interceptResponse":
-          await this.page.route(step.params.pattern, route => {
-            if (step.params.status) {
-              route.fulfill({
-                status: step.params.status,
-                body: step.params.body || ""
-              });
-            } else if (step.params.truncate) {
-              route.continue();
-            } else {
-              route.continue();
-            }
-          });
-          stepResult.status = "passed";
-          break;
-
-        case "parallel":
-          // Execute parallel actions (simplified)
-          const promises = [];
-          for (let i = 0; i < step.params.count; i++) {
-            promises.push(this.executeStep({ action: step.params.action, params: step.params }));
-          }
-          await Promise.all(promises);
-          stepResult.status = "passed";
-          break;
-
-        default:
-          stepResult.status = "skipped";
-          stepResult.reason = `Unknown action: ${step.action}`;
-      }
-    } catch (error) {
-      stepResult.status = "error";
-      stepResult.error = error.message;
-    }
-
-    return stepResult;
-  }
-
-  /**
-   * Evaluate an expectation
-   */
-  async evaluateExpectation(params) {
-    const result = { passed: true, checks: [] };
-
-    // Check for redirect
-    if (params.redirect) {
-      const currentUrl = this.page.url();
-      const expectedUrl = this.resolveUrl(params.redirect);
-      const redirectPassed = currentUrl.includes(params.redirect);
-      result.checks.push({ type: "redirect", expected: expectedUrl, actual: currentUrl, passed: redirectPassed });
-      if (!redirectPassed && !params.or) result.passed = false;
-    }
-
-    // Check for status code
-    if (params.status) {
-      // Would need to intercept the response to check this
-      result.checks.push({ type: "status", expected: params.status, passed: true });
-    }
-
-    // Check for validation messages
-    if (params.validation) {
-      const hasValidation = await this.page.$("[class*='error'], [class*='invalid'], [aria-invalid='true']");
-      result.checks.push({ type: "validation", expected: true, actual: !!hasValidation, passed: !!hasValidation });
-      if (!hasValidation && !params.or) result.passed = false;
-    }
-
-    // Check for user-friendly error (no stack trace)
-    if (params.noStackTrace) {
-      const pageContent = await this.page.content();
-      const hasStackTrace = /at\s+\w+\s+\(|Error:\s+/i.test(pageContent);
-      result.checks.push({ type: "noStackTrace", passed: !hasStackTrace });
-      if (hasStackTrace) {
-        result.passed = false;
-        result.reason = "Stack trace exposed to user";
-      }
-    }
-
-    // Check for JS errors (page didn't crash)
-    if (params.noJsCrash) {
-      const hasContent = await this.page.$("body");
-      result.checks.push({ type: "noJsCrash", passed: !!hasContent });
-    }
-
-    // Memory growth check
-    if (params.memoryGrowth) {
-      // Would compare recorded memory values
-      result.checks.push({ type: "memoryGrowth", passed: true });
-    }
-
-    // Generate overall result
-    if (!result.passed) {
-      const failedChecks = result.checks.filter(c => !c.passed);
-      result.reason = failedChecks.map(c => `${c.type}: expected ${c.expected}, got ${c.actual}`).join("; ");
-    }
-
-    return result;
-  }
-
-  /**
-   * Resolve URL with base
-   */
-  resolveUrl(path) {
-    if (path.startsWith("http")) return path;
-    return new URL(path, this.baseUrl).toString();
-  }
-
-  /**
-   * Get execution summary
-   */
-  getSummary() {
-    const passed = this.results.filter(r => r.status === "passed").length;
-    const failed = this.results.filter(r => r.status === "failed").length;
-    const errors = this.results.filter(r => r.status === "error").length;
-
-    return {
-      total: this.results.length,
-      passed,
-      failed,
-      errors,
-      passRate: this.results.length > 0 ? (passed / this.results.length * 100).toFixed(1) : 0,
-      violations: this.results.flatMap(r => r.violations),
-      byCategory: this.groupByCategory(),
-      bySeverity: this.groupBySeverity()
-    };
-  }
-
-  groupByCategory() {
-    const groups = {};
-    for (const result of this.results) {
-      if (!groups[result.category]) {
-        groups[result.category] = { passed: 0, failed: 0, errors: 0 };
-      }
-      groups[result.category][result.status]++;
-    }
-    return groups;
-  }
-
-  groupBySeverity() {
-    const groups = { BLOCK: [], WARN: [] };
-    for (const result of this.results) {
-      if (result.status === "failed") {
-        groups[result.severity]?.push(result);
-      }
-    }
-    return groups;
-  }
-}
-
-// ═══════════════════════════════════════════════════════════════════════════════
-// EXPORTS
-// ═══════════════════════════════════════════════════════════════════════════════
-
-module.exports = {
-  ScenarioGenerator,
-  ScenarioExecutor,
-  SCENARIO_TEMPLATES
-};