agentic-qe 3.8.1 → 3.8.3

package/assets/skills/README.md

@@ -0,0 +1,173 @@
+# AQE Skills Index
+
+This directory contains Quality Engineering skills managed by Agentic QE.
+
+## Summary
+
+- **Total QE Skills**: 84
+- **V2 Methodology Skills**: 62
+- **V3 Domain Skills**: 23
+- **Platform Skills**: 30 (Claude Flow managed)
+- **Validation Infrastructure**: ✅ Installed
+
+> **Note**: Platform skills (agentdb, github, flow-nexus, etc.) are managed by claude-flow.
+> Only QE-specific skills are installed/updated by `aqe init`.
+
+## V2 Methodology Skills (62)
+
+Version-agnostic quality engineering best practices from the QE community.
+
+- **a11y-ally**: Comprehensive WCAG accessibility auditing with multi-tool testing (axe-core + pa11y + Lighthouse), TRUE PARALLEL execution with Promise.allSettled, graceful degradation, retry with backoff, context-aware remediation, learning integration, and video accessibility. Uses 3-tier browser cascade: Vibium → agent-browser → Playwright+Stealth.
+- **accessibility-testing**: WCAG 2.2 compliance testing, screen reader validation, and inclusive design verification. Use when ensuring legal compliance (ADA, Section 508), testing for disabilities, or building accessible applications for 1 billion disabled users globally.
+- **agentic-quality-engineering**: AI agents as force multipliers for quality work. Core skill for all 19 QE agents using PACT principles.
+- **api-testing-patterns**: Comprehensive API testing patterns including contract testing, REST/GraphQL testing, and integration testing. Use when testing APIs or designing API test strategies.
+- **browser**: Web browser automation with AI-optimized snapshots for claude-flow agents
+- **brutal-honesty-review**: Unvarnished technical criticism combining Linus Torvalds
+- **bug-reporting-excellence**: Write high-quality bug reports that get fixed quickly. Use when reporting bugs, training teams on bug reporting, or establishing bug report standards.
+- **chaos-engineering-resilience**: Chaos engineering principles, controlled failure injection, resilience testing, and system recovery validation. Use when testing distributed systems, building confidence in fault tolerance, or validating disaster recovery.
+- **cicd-pipeline-qe-orchestrator**: Orchestrate quality engineering across CI/CD pipeline phases. Use when designing test strategies, planning quality gates, or implementing shift-left/shift-right testing.
+- **code-review-quality**: Conduct context-driven code reviews focusing on quality, testability, and maintainability. Use when reviewing code, providing feedback, or establishing review practices.
+- **compatibility-testing**: Cross-browser, cross-platform, and cross-device compatibility testing ensuring consistent experience across environments. Use when validating browser support, testing responsive design, or ensuring platform compatibility.
+- **compliance-testing**: Regulatory compliance testing for GDPR, CCPA, HIPAA, SOC2, PCI-DSS and industry-specific regulations. Use when ensuring legal compliance, preparing for audits, or handling sensitive data.
+- **consultancy-practices**: Apply effective software quality consultancy practices. Use when consulting, advising clients, or establishing consultancy workflows.
+- **context-driven-testing**: Apply context-driven testing principles where practices are chosen based on project context, not universal
+- **contract-testing**: Consumer-driven contract testing for microservices using Pact, schema validation, API versioning, and backward compatibility testing. Use when testing API contracts or coordinating distributed teams.
+- **database-testing**: Database schema validation, data integrity testing, migration testing, transaction isolation, and query performance. Use when testing data persistence, ensuring referential integrity, or validating database migrations.
+- **debug-loop**: Hypothesis-driven autonomous debugging with real command validation
+- **enterprise-integration-testing**: Orchestration skill for enterprise integration testing across SAP, middleware, WMS, and backend systems. Covers E2E enterprise flows, SAP-specific patterns (RFC, BAPI, IDoc, OData, Fiori), cross-system data validation, and enterprise quality gates.
+- **exploratory-testing-advanced**: Advanced exploratory testing techniques with Session-Based Test Management (SBTM), RST heuristics, and test tours. Use when planning exploration sessions, investigating bugs, or discovering unknown quality risks.
+- **holistic-testing-pact**: Apply the Holistic Testing Model evolved with PACT (Proactive, Autonomous, Collaborative, Targeted) principles. Use when designing comprehensive test strategies for Classical, AI-assisted, Agent based, or Agentic Systems building quality into the team, or implementing whole-team quality practices.
+- **localization-testing**: Internationalization (i18n) and localization (l10n) testing for global products including translations, locale formats, RTL languages, and cultural appropriateness. Use when launching in new markets or building multi-language products.
+- **middleware-testing-patterns**: Enterprise middleware testing patterns for message routing, transformation, DLQ, protocol mediation, ESB error handling, and EIP patterns. Use when testing middleware layers, message brokers, ESBs, or integration buses.
+- **mobile-testing**: Comprehensive mobile testing for iOS and Android platforms including gestures, sensors, permissions, device fragmentation, and performance. Use when testing native apps, hybrid apps, or mobile web, ensuring quality across 1000+ device variants.
+- **mutation-testing**: Test quality validation through mutation testing, assessing test suite effectiveness by introducing code mutations and measuring kill rate. Use when evaluating test quality, identifying weak tests, or proving tests actually catch bugs.
+- **n8n-expression-testing**: n8n expression syntax validation, context-aware testing, common pitfalls detection, and performance optimization. Use when validating n8n expressions and data transformations.
+- **n8n-integration-testing-patterns**: API contract testing, authentication flows, rate limit handling, and error scenario coverage for n8n integrations with external services. Use when testing n8n node integrations.
+- **n8n-security-testing**: Credential exposure detection, OAuth flow validation, API key management testing, and data sanitization verification for n8n workflows. Use when validating n8n workflow security.
+- **n8n-trigger-testing-strategies**: Webhook testing, schedule validation, event-driven triggers, and polling mechanism testing for n8n workflows. Use when testing how workflows are triggered.
+- **n8n-workflow-testing-fundamentals**: Comprehensive n8n workflow testing including execution lifecycle, node connection patterns, data flow validation, and error handling strategies. Use when testing n8n workflow automation applications.
+- **observability-testing-patterns**: Observability and monitoring validation patterns for dashboards, alerting, log aggregation, APM traces, and SLA/SLO verification. Use when testing monitoring infrastructure, dashboard accuracy, alert rules, or metric pipelines.
+- **pair-programming**: AI-assisted pair programming with multiple modes (driver/navigator/switch), real-time verification, quality monitoring, and comprehensive testing. Supports TDD, debugging, refactoring, and learning sessions. Features automatic role switching, continuous code review, security scanning, and performance optimization with truth-score verification.
+- **performance-testing**: Test application performance, scalability, and resilience. Use when planning load testing, stress testing, or optimizing system performance.
+- **pr-review**: Scope-aware GitHub PR review with user-friendly tone and trust tier validation
+- **qcsd-cicd-swarm**: QCSD Verification phase swarm for CI/CD pipeline quality gates using regression analysis, flaky test detection, quality gate enforcement, and deployment readiness assessment. Consumes Development outputs (SHIP/CONDITIONAL/HOLD decisions, quality metrics) and produces signals for Production monitoring.
+- **qcsd-development-swarm**: QCSD Development phase swarm for in-sprint code quality assurance using TDD adherence, code complexity analysis, coverage gap detection, and defect prediction. Consumes Refinement outputs (BDD scenarios, SFDIPOT priorities) and produces signals for Verification.
+- **qcsd-ideation-swarm**: QCSD Ideation phase swarm for Quality Criteria sessions using HTSM v6.3, Risk Storming, and Testability analysis before development begins. Uses 5-tier browser cascade: Vibium → agent-browser → Playwright+Stealth → WebFetch → WebSearch-fallback.
+- **qcsd-production-swarm**: QCSD Production Telemetry phase swarm for post-release production health assessment using DORA metrics, root cause analysis, defect prediction, and cross-phase feedback loops. Consumes CI/CD outputs (RELEASE/REMEDIATE/BLOCK decisions, release readiness metrics) and produces feedback signals to Ideation and Refinement.
+- **qcsd-refinement-swarm**: QCSD Refinement phase swarm for Sprint Refinement sessions using SFDIPOT product factors, BDD scenario generation, and requirements validation.
+- **quality-metrics**: Measure quality effectively with actionable metrics. Use when establishing quality dashboards, defining KPIs, or evaluating test effectiveness.
+- **refactoring-patterns**: Apply safe refactoring patterns to improve code structure without changing behavior. Use when cleaning up code, reducing technical debt, or improving maintainability.
+- **regression-testing**: Strategic regression testing with test selection, impact analysis, and continuous regression management. Use when verifying fixes don
+- **risk-based-testing**: Focus testing effort on highest-risk areas using risk assessment and prioritization. Use when planning test strategy, allocating testing resources, or making coverage decisions.
+- **security-testing**: Test for security vulnerabilities using OWASP principles. Use when conducting security audits, testing auth, or implementing security practices.
+- **security-visual-testing**: Security-first visual testing combining URL validation, PII detection, and visual regression with parallel viewport support. Use when testing web applications that handle sensitive data, need visual regression coverage, or require WCAG accessibility compliance.
+- **sfdipot-product-factors**: James Bach
+- **sherlock-review**: Evidence-based investigative code review using deductive reasoning to determine what actually happened versus what was claimed. Use when verifying implementation claims, investigating bugs, validating fixes, or conducting root cause analysis. Elementary approach to finding truth through systematic observation.
+- **shift-left-testing**: Move testing activities earlier in the development lifecycle to catch defects when they
+- **shift-right-testing**: Testing in production with feature flags, canary deployments, synthetic monitoring, and chaos engineering. Use when implementing production observability or progressive delivery.
+- **six-thinking-hats**: Apply Edward de Bono
+- **tdd-london-chicago**: Apply London (mock-based) and Chicago (state-based) TDD schools. Use when practicing test-driven development or choosing testing style for your context.
+- **technical-writing**: Write clear, engaging technical content from real experience. Use when writing blog posts, documentation, tutorials, or technical articles.
+- **test-automation-strategy**: Design and implement effective test automation with proper pyramid, patterns, and CI/CD integration. Use when building automation frameworks or improving test efficiency.
+- **test-data-management**: Strategic test data generation, management, and privacy compliance. Use when creating test data, handling PII, ensuring GDPR/CCPA compliance, or scaling data generation for realistic testing scenarios.
+- **test-design-techniques**: Systematic test design with boundary value analysis, equivalence partitioning, decision tables, state transition testing, and combinatorial testing. Use when designing comprehensive test cases, reducing redundant tests, or ensuring systematic coverage.
+- **test-environment-management**: Test environment provisioning, infrastructure as code for testing, Docker/Kubernetes for test environments, service virtualization, and cost optimization. Use when managing test infrastructure, ensuring environment parity, or optimizing testing costs.
+- **test-idea-rewriting**: Transform passive
+- **test-reporting-analytics**: Advanced test reporting, quality dashboards, predictive analytics, trend analysis, and executive reporting for QE metrics. Use when communicating quality status, tracking trends, or making data-driven decisions.
+- **testability-scoring**: AI-powered testability assessment using 10 principles of intrinsic testability with Playwright and optional Vibium integration. Evaluates web applications against Observability, Controllability, Algorithmic Simplicity, Transparency, Stability, Explainability, Unbugginess, Smallness, Decomposability, and Similarity. Use when assessing software testability, evaluating test readiness, identifying testability improvements, or generating testability reports.
+- **verification-quality**: Comprehensive truth scoring, code quality verification, and automatic rollback system with 0.95 accuracy threshold for ensuring high-quality agent outputs and codebase reliability.
+- **visual-testing-advanced**: Advanced visual regression testing with pixel-perfect comparison, AI-powered diff analysis, responsive design validation, and cross-browser visual consistency. Use when detecting UI regressions, validating designs, or ensuring visual consistency.
+- **wms-testing-patterns**: Warehouse Management System testing patterns for inventory operations, pick/pack/ship workflows, wave management, EDI X12/EDIFACT compliance, RF/barcode scanning, and WMS-ERP integration. Use when testing WMS platforms (Blue Yonder, Manhattan, SAP EWM).
+- **xp-practices**: Apply XP practices including pair programming, ensemble programming, continuous integration, and sustainable pace. Use when implementing agile development practices, improving team collaboration, or adopting technical excellence practices.
+
+## V3 Domain Skills (23)
+
+V3-specific implementation guides for the 12 DDD bounded contexts plus on-demand hooks, investigation runbooks, and measurement tools.
+
+- **pentest-validation**: Orchestrate security finding validation through graduated exploitation. 4-phase pipeline: recon (SAST/DAST), analysis (code review), validation (exploit proof), report (No Exploit, No Report gate). Eliminates false positives by proving exploitability.
+- **qe-chaos-resilience**: Chaos engineering and resilience testing including fault injection, load testing, and system recovery validation.
+- **qe-code-intelligence**: Knowledge graph-based code understanding with semantic search and 80% token reduction through intelligent context retrieval.
+- **qe-coverage-analysis**: O(log n) sublinear coverage gap detection with risk-weighted analysis and intelligent test prioritization.
+- **qe-defect-intelligence**: AI-powered defect prediction, pattern learning, and root cause analysis for proactive quality management.
+- **qe-iterative-loop**: Quality Engineering iteration loops for autonomous test improvement, coverage achievement, and quality gate compliance. Use when tests need to pass, coverage targets must be met, quality gates require compliance, or flaky tests need stabilization. Integrates with AQE v3 fleet agents for coordinated quality iteration.
+- **qe-learning-optimization**: Transfer learning, metrics optimization, and continuous improvement for AI-powered QE agents.
+- **qe-quality-assessment**: Comprehensive quality gates, metrics analysis, and deployment readiness assessment for continuous quality assurance.
+- **qe-requirements-validation**: Requirements traceability, acceptance criteria validation, and BDD scenario management for complete requirements coverage.
+- **qe-test-execution**: Parallel test execution orchestration with intelligent scheduling, retry logic, and comprehensive result aggregation.
+- **qe-test-generation**: AI-powered test generation using pattern recognition, code analysis, and intelligent test synthesis for comprehensive test coverage.
+- **qe-visual-accessibility**: Visual regression testing, responsive design validation, and WCAG accessibility compliance testing.
+
+### On-Demand Hooks
+
+- **strict-tdd**: Enforces strict TDD red-green-refactor discipline. Blocks code changes that lack a failing test first.
+- **no-skip**: Prevents use of .skip, .only, or xdescribe in test files. Ensures all tests are active.
+- **coverage-guard**: Blocks merges when coverage drops below configured thresholds. Enforces coverage-only-goes-up policy.
+- **freeze-tests**: Locks the test suite during stabilization periods. Prevents new test additions or modifications.
+- **security-watch**: Scans code changes for security anti-patterns (hardcoded secrets, SQL injection, etc.) on every commit.
+
+### Runbook Skills
+
+- **test-failure-investigator**: Automated runbook for investigating test failures. Gathers logs, diffs, recent changes, and flaky-test history to diagnose root cause.
+- **coverage-drop-investigator**: Automated runbook for diagnosing coverage drops. Identifies uncovered lines, maps to recent commits, and suggests targeted tests.
+
+### Product Verification
+
+- **e2e-flow-verifier**: End-to-end user flow verification against acceptance criteria. Validates critical paths through the application match expected behavior.
+
+### Data & Analysis
+
+- **test-metrics-dashboard**: Aggregates test results, coverage trends, flaky-test rates, and execution times into a unified dashboard view.
+
+### Measurement
+
+- **skill-stats**: Measures skill usage frequency, success rates, and token costs. Provides data for skill portfolio optimization.
+
+## Platform Skills (30)
+
+Claude Flow platform skills (managed separately).
+
+- agentdb-advanced
+- agentdb-learning
+- agentdb-memory-patterns
+- agentdb-optimization
+- agentdb-vector-search
+- flow-nexus-neural
+- flow-nexus-platform
+- flow-nexus-swarm
+- github-code-review
+- github-multi-repo
+- github-project-management
+- github-release-management
+- github-workflow-automation
+- hooks-automation
+- reasoningbank-agentdb
+- reasoningbank-intelligence
+- skill-builder
+- sparc-methodology
+- stream-chain
+- swarm-advanced
+- swarm-orchestration
+- v3-cli-modernization
+- v3-core-implementation
+- v3-ddd-architecture
+- v3-integration-deep
+- v3-mcp-optimization
+- v3-memory-unification
+- v3-performance-optimization
+- v3-security-overhaul
+- v3-swarm-coordination
+
+## Validation Infrastructure
+
+The `.validation/` directory contains the skill validation infrastructure (ADR-056):
+
+- **schemas/**: JSON Schema definitions for validating skill outputs
+- **templates/**: Validator script templates for creating skill validators
+- **examples/**: Example skill outputs that validate against schemas
+- **test-data/**: Test data for validator self-testing
+
+See `.validation/README.md` for usage instructions.
+
+---
+
+*Generated by AQE v3 init on 2026-03-11T09:00:19.526Z*

package/assets/skills/TRUST-TIERS.md

@@ -0,0 +1,174 @@
+# Trust Tier Badges
+
+> Generated: 2026-02-02T10:30:07.656Z
+> Policy: ADR-056 - Trust But Verify
+
+## Overview
+
+![Tier 3 (Verified)](https://img.shields.io/badge/Tier%203%20(Verified)-44-brightgreen)
+![Tier 2 (Validated)](https://img.shields.io/badge/Tier%202%20(Validated)-7-green)
+![Tier 1 (Structured)](https://img.shields.io/badge/Tier%201%20(Structured)-5-yellow)
+![Tier 0 (Advisory)](https://img.shields.io/badge/Tier%200%20(Advisory)-49-lightgrey)
+
+**Total Skills**: 105
+
+## Trust Tier Distribution
+
+| Tier | Count | Description |
+|------|-------|-------------|
+| 3 - Verified | 44 | Full evaluation test suite |
+| 2 - Validated | 7 | Has executable validator |
+| 1 - Structured | 5 | Has JSON output schema |
+| 0 - Advisory | 49 | SKILL.md only |
+
+## Validation Status
+
+| Status | Count |
+|--------|-------|
+| Passing | 44 |
+| Failing | 0 |
+| Unknown | 12 |
+| Skipped | 49 |
+
+---
+
+## Tier 3 Skills (Fully Verified)
+
+These skills have complete validation infrastructure: JSON schema, validator script, and evaluation test suite.
+
+| Skill | Category | Schema | Validator | Eval Suite | Status |
+|-------|----------|--------|-----------|------------|--------|
+| a11y-ally | specialized-testing | `schemas/output.json` | `scripts/validate-config.json` | `evals/a11y-ally.yaml` | Passing |
+| accessibility-testing | specialized-testing | `schemas/output.json` | `scripts/validate-config.json` | `evals/accessibility-testing.yaml` | Passing |
+| api-testing-patterns | testing-methodologies | `schemas/output.json` | `scripts/validate-config.json` | `evals/api-testing-patterns.yaml` | Passing |
+| chaos-engineering-resilience | specialized-testing | `schemas/output.json` | `scripts/validate-config.json` | `evals/chaos-engineering-resilience.yaml` | Passing |
+| cicd-pipeline-qe-orchestrator | infrastructure | `schemas/output.json` | `scripts/validate-config.json` | `evals/cicd-pipeline-qe-orchestrator.yaml` | Passing |
+| compatibility-testing | specialized-testing | `schemas/output.json` | `scripts/validate-config.json` | `evals/compatibility-testing.yaml` | Passing |
+| compliance-testing | specialized-testing | `schemas/output.json` | `scripts/validate-config.json` | `evals/compliance-testing.yaml` | Passing |
+| contract-testing | testing-methodologies | `schemas/output.json` | `scripts/validate-config.json` | `evals/contract-testing.yaml` | Passing |
+| database-testing | specialized-testing | `schemas/output.json` | `scripts/validate-config.json` | `evals/database-testing.yaml` | Passing |
+| localization-testing | specialized-testing | `schemas/output.json` | `scripts/validate-config.json` | `evals/localization-testing.yaml` | Passing |
+| mobile-testing | specialized-testing | `schemas/output.json` | `scripts/validate-config.json` | `evals/mobile-testing.yaml` | Passing |
+| mutation-testing | specialized-testing | `schemas/output.json` | `scripts/validate-config.json` | `evals/mutation-testing.yaml` | Passing |
+| n8n-expression-testing | n8n-testing | `schemas/output.json` | `scripts/validate-config.json` | `evals/n8n-expression-testing.yaml` | Passing |
+| n8n-integration-testing-patterns | n8n-testing | `schemas/output.json` | `scripts/validate-config.json` | `evals/n8n-integration-testing-patterns.yaml` | Passing |
+| n8n-security-testing | n8n-testing | `schemas/output.json` | `scripts/validate-config.json` | `evals/n8n-security-testing.yaml` | Passing |
+| n8n-trigger-testing-strategies | n8n-testing | `schemas/output.json` | `scripts/validate-config.json` | `evals/n8n-trigger-testing-strategies.yaml` | Passing |
+| n8n-workflow-testing-fundamentals | n8n-testing | `schemas/output.json` | `scripts/validate-config.json` | `evals/n8n-workflow-testing-fundamentals.yaml` | Passing |
+| performance-analysis | monitoring | `schemas/output.json` | `scripts/validate-config.json` | `evals/performance-analysis.yaml` | Passing |
+| performance-testing | specialized-testing | `schemas/output.json` | `scripts/validate-config.json` | `evals/performance-testing.yaml` | Passing |
+| qcsd-ideation-swarm | qcsd-phases | `schemas/output.json` | `scripts/validate-config.json` | `evals/qcsd-ideation-swarm.yaml` | Passing |
+| qe-chaos-resilience | - | `schemas/output.json` | `scripts/validate-config.json` | `evals/qe-chaos-resilience.yaml` | Passing |
+| qe-code-intelligence | - | `schemas/output.json` | `scripts/validate-config.json` | `evals/qe-code-intelligence.yaml` | Passing |
+| qe-coverage-analysis | - | `schemas/output.json` | `scripts/validate-config.json` | `evals/qe-coverage-analysis.yaml` | Passing |
+| qe-defect-intelligence | - | `schemas/output.json` | `scripts/validate-config.json` | `evals/qe-defect-intelligence.yaml` | Passing |
+| qe-learning-optimization | - | `schemas/output.json` | `scripts/validate-config.json` | `evals/qe-learning-optimization.yaml` | Passing |
+| qe-quality-assessment | - | `schemas/output.json` | `scripts/validate-config.json` | `evals/qe-quality-assessment.yaml` | Passing |
+| qe-requirements-validation | - | `schemas/output.json` | `scripts/validate-config.json` | `evals/qe-requirements-validation.yaml` | Passing |
+| qe-test-execution | - | `schemas/output.json` | `scripts/validate-config.json` | `evals/qe-test-execution.yaml` | Passing |
+| qe-test-generation | - | `schemas/output.json` | `scripts/validate-config.json` | `evals/qe-test-generation.yaml` | Passing |
+| qe-visual-accessibility | - | `schemas/output.json` | `scripts/validate-config.json` | `evals/qe-visual-accessibility.yaml` | Passing |
+| quality-metrics | testing-methodologies | `schemas/output.json` | `scripts/validate-config.json` | `evals/quality-metrics.yaml` | Passing |
+| regression-testing | specialized-testing | `schemas/output.json` | `scripts/validate-config.json` | `evals/regression-testing.yaml` | Passing |
+| risk-based-testing | testing-methodologies | `schemas/output.json` | `scripts/validate-config.json` | `evals/risk-based-testing.yaml` | Passing |
+| security-testing | specialized-testing | `schemas/output.json` | `scripts/validate-config.json` | `evals/security-testing.yaml` | Passing |
+| security-visual-testing | specialized-testing | `schemas/output.json` | `scripts/validate-config.json` | `evals/security-visual-testing.yaml` | Passing |
+| shift-left-testing | testing-methodologies | `schemas/output.json` | `scripts/validate-config.json` | `evals/shift-left-testing.yaml` | Passing |
+| shift-right-testing | testing-methodologies | `schemas/output.json` | `scripts/validate-config.json` | `evals/shift-right-testing.yaml` | Passing |
+| test-automation-strategy | testing-methodologies | `schemas/output.json` | `scripts/validate-config.json` | `evals/test-automation-strategy.yaml` | Passing |
+| test-data-management | specialized-testing | `schemas/output.json` | `scripts/validate-config.json` | `evals/test-data-management.yaml` | Passing |
+| test-design-techniques | specialized-testing | `schemas/output.json` | `scripts/validate-config.json` | `evals/test-design-techniques.yaml` | Passing |
+| test-reporting-analytics | analytics | `schemas/output.json` | `scripts/validate-config.json` | `evals/test-reporting-analytics.yaml` | Passing |
+| testability-scoring | testing-methodologies | `schemas/output.json` | `scripts/validate-config.json` | `evals/testability-scoring.yaml` | Passing |
+| verification-quality | quality-assurance | `schemas/output.json` | `scripts/validate-config.json` | `evals/verification-quality.yaml` | Passing |
+| visual-testing-advanced | specialized-testing | `schemas/output.json` | `scripts/validate-config.json` | `evals/visual-testing-advanced.yaml` | Passing |
+
+---
+
+## Tier 2 Skills (Validated)
+
+These skills have a validator script but no evaluation test suite yet.
+
+| Skill | Category | Schema | Validator | Status |
+|-------|----------|--------|-----------|--------|
+| brutal-honesty-review | quality-review | `schemas/output.json` | `scripts/validate-config.json` | Unknown |
+| bug-reporting-excellence | quality-communication | `schemas/output.json` | `scripts/validate-config.json` | Unknown |
+| code-review-quality | development-practices | `schemas/output.json` | `scripts/validate-config.json` | Unknown |
+| qe-iterative-loop | - | `schemas/output.json` | `scripts/validate-config.json` | Unknown |
+| refactoring-patterns | development-practices | `schemas/output.json` | `scripts/validate-config.json` | Unknown |
+| sherlock-review | quality-review | `schemas/output.json` | `scripts/validate-config.json` | Unknown |
+| tdd-london-chicago | development-practices | `schemas/output.json` | `scripts/validate-config.json` | Unknown |
+
+---
+
+## Tier 1 Skills (Structured)
+
+These skills have a JSON output schema but no validator yet.
+
+| Skill | Category | Schema |
+|-------|----------|--------|
+| agentic-quality-engineering | qe-core | `schemas/output.json` |
+| consultancy-practices | professional-practice | `schemas/output.json` |
+| technical-writing | communication | `schemas/output.json` |
+| test-environment-management | specialized-testing | `schemas/output.json` |
+
+---
+
+## Tier 0 Skills (Advisory)
+
+These skills have SKILL.md only, with no evaluation infrastructure yet.
+
+| Skill | Category |
+|-------|----------|
+| coverage-drop-investigator | investigation |
+| coverage-guard | on-demand-hooks |
+| e2e-flow-verifier | product-verification |
+| freeze-tests | on-demand-hooks |
+| no-skip | on-demand-hooks |
+| security-watch | on-demand-hooks |
+| skill-stats | measurement |
+| strict-tdd | on-demand-hooks |
+| test-failure-investigator | investigation |
+| test-metrics-dashboard | analytics |
+
+---
+
+## Upgrading Skills
+
+To upgrade a skill to a higher trust tier:
+
+### Tier 0 -> Tier 1 (Add Schema)
+1. Create `{skill}/schemas/output.json` with JSON Schema
+2. Add `trust_tier: 1` to frontmatter
+3. Run `npx tsx scripts/update-skill-manifest.ts`
+
+### Tier 1 -> Tier 2 (Add Validator)
+1. Create `{skill}/scripts/validate-skill.cjs` (or .ts/.js)
+2. Add `trust_tier: 2` and validation paths to frontmatter
+3. Run `npx tsx scripts/update-skill-manifest.ts`
+
+### Tier 2 -> Tier 3 (Add Evals)
+1. Create `{skill}/evals/{skill}.yaml` with test cases
+2. Add `trust_tier: 3` and eval_path to frontmatter
+3. Run `npx tsx scripts/update-skill-manifest.ts`
+
+---
+
+## CI Integration
+
+Add this to your GitHub Actions workflow:
+
+```yaml
+- name: Validate Skill Manifest
+  run: npx tsx scripts/update-skill-manifest.ts --dry-run
+
+- name: Check Tier 3 Skills Pass
+  run: |
+    for skill in api-testing-patterns security-testing performance-testing; do
+      .claude/skills/$skill/scripts/validate-skill.cjs --self-test
+    done
+```
+
+---
+
+*Generated by update-skill-manifest.ts per ADR-056*

package/assets/skills/a11y-ally/SKILL.md

@@ -1,6 +1,6 @@
 ---
 name: a11y-ally
-description: "Comprehensive WCAG accessibility auditing with multi-tool testing (axe-core + pa11y + Lighthouse), TRUE PARALLEL execution with Promise.allSettled, graceful degradation, retry with backoff, context-aware remediation, learning integration, and video accessibility. Uses 3-tier browser cascade: Vibium → agent-browser → Playwright+Stealth."
+description: "Use when running comprehensive WCAG accessibility audits with axe-core + pa11y + Lighthouse, generating context-aware remediation, or testing video accessibility. Supports 3-tier browser cascade with graceful degradation."
 category: specialized-testing
 priority: critical
 tokenEstimate: 10000
@@ -16,7 +16,6 @@ validation:
   schema_path: schemas/output.json
   validator_path: scripts/validate-config.json
   eval_path: evals/a11y-ally.yaml
-
 ---
 
 # /a11y-ally - Comprehensive Accessibility Audit
@@ -1662,3 +1661,12 @@ ROI = (Impact × Users%) / Effort_Hours
 11. **NEVER** skip video pipeline if videos detected
 12. **NEVER** complete without remediation.md
 13. **NEVER** fail audit just because 1-2 tools failed (use graceful degradation)
+
+## Gotchas
+
+- axe-core catches ~30% of WCAG issues — automated tools miss keyboard navigation, reading order, and cognitive issues
+- Agent runs Lighthouse only and reports "accessible" — Lighthouse alone is insufficient, always run axe-core + pa11y too
+- Screen reader testing requires actual screen reader interaction, not just ARIA attribute checks
+- Video accessibility (captions, audio descriptions) is frequently skipped — check every `<video>` element
+- Color contrast tools disagree on gradients and transparency — test with actual low-vision simulation
+- Playwright+Stealth may be blocked by some sites — fall back gracefully, don't skip the audit

package/assets/skills/accessibility-testing/SKILL.md

@@ -11,7 +11,6 @@ last_optimized: 2025-12-02
 dependencies: []
 quick_reference_card: true
 tags: [accessibility, wcag, a11y, screen-reader, ada, section-508, inclusive]
-
 # ADR-056 Trust Tier 3 Validation Stack
 trust_tier: 3
 validation:
@@ -22,6 +21,8 @@ validation:
 
 # Accessibility Testing
 
+> **Consolidated**: For comprehensive WCAG auditing with multi-tool testing (axe-core + pa11y + Lighthouse), video accessibility, and remediation, prefer [`/a11y-ally`](../a11y-ally/). This skill provides a quick reference card for basic accessibility testing patterns.
+
 <default_to_action>
 When testing accessibility or ensuring compliance:
 1. APPLY POUR principles: Perceivable, Operable, Understandable, Robust

package/assets/skills/agentic-quality-engineering/SKILL.md

@@ -1,6 +1,6 @@
 ---
 name: agentic-quality-engineering
-description: "AI agents as force multipliers for quality work. Core skill for all 19 QE agents using PACT principles."
+description: "Use when orchestrating QE agents, understanding PACT principles, configuring the AQE v3 fleet, or leveraging AI agents as force multipliers for quality work."
 category: qe-core
 priority: critical
 tokenEstimate: 1400
@@ -14,7 +14,6 @@ tags: [pact, agents, fleet, coordination, autonomous, foundational]
 trust_tier: 1
 validation:
   schema_path: schemas/output.json
-
 ---
 
 # Agentic Quality Engineering

package/assets/skills/api-testing-patterns/SKILL.md

@@ -297,3 +297,11 @@ await apiFleet.execute({
 API testing = verifying contracts and behavior, not implementation. Focus on what matters to consumers: correct responses, proper error handling, acceptable performance.
 
 **With Agents:** Agents automate contract validation, generate comprehensive test suites from specs, and monitor production APIs for drift. Use agents to maintain API quality at scale.
+
+## Gotchas
+
+- Agent generates tests against documented API, not actual API — always validate against running service first
+- Auth tokens expire between test runs — use fixtures with long-lived tokens or refresh before each suite
+- Rate limiting in CI causes intermittent failures — add retry with exponential backoff for 429 responses
+- GraphQL introspection may be disabled in production — test against staging schema, not production endpoint
+- Idempotency tests need unique request IDs per run — hardcoded IDs cause false passes on retry

package/assets/skills/api-testing-patterns/config.json

@@ -0,0 +1,14 @@
+{
+  "$schema": "./config-schema.json",
+  "_description": "API Testing configuration. Auto-created on first run. Edit to customize.",
+  "api_type": null,
+  "auth_type": null,
+  "base_url": null,
+  "options": {
+    "validateSchemaOnEveryRequest": true,
+    "retryOn429": true,
+    "retryDelay": 1000,
+    "timeout": 30000
+  },
+  "_setupPrompt": "If api_type is null, ask: 'What type of API are you testing? (rest/graphql/grpc)'. If auth_type is null, ask: 'What authentication does the API use? (bearer/oauth2/api-key/basic/none)'. If base_url is null, ask: 'What is the base URL for the API under test?'"
+}

package/assets/skills/api-testing-patterns/templates/api-test-scaffold.md

@@ -0,0 +1,87 @@
+# API Test Scaffold Template
+
+## REST API Test Structure (Jest/Supertest)
+```typescript
+import request from 'supertest';
+import { app } from '../src/app';
+
+describe('{{Resource}} API', () => {
+  // Setup
+  let authToken: string;
+
+  beforeAll(async () => {
+    authToken = await getTestToken();
+  });
+
+  describe('GET /api/{{resource}}', () => {
+    it('returns paginated list with valid auth', async () => {
+      const res = await request(app)
+        .get('/api/{{resource}}')
+        .set('Authorization', `Bearer ${authToken}`)
+        .query({ page: 1, limit: 10 });
+
+      expect(res.status).toBe(200);
+      expect(res.body.data).toBeInstanceOf(Array);
+      expect(res.body.pagination).toMatchObject({
+        page: 1,
+        limit: 10,
+        total: expect.any(Number)
+      });
+    });
+
+    it('returns 401 without auth', async () => {
+      const res = await request(app).get('/api/{{resource}}');
+      expect(res.status).toBe(401);
+    });
+
+    it('returns 400 for invalid query params', async () => {
+      const res = await request(app)
+        .get('/api/{{resource}}')
+        .set('Authorization', `Bearer ${authToken}`)
+        .query({ page: -1 });
+      expect(res.status).toBe(400);
+    });
+  });
+
+  describe('POST /api/{{resource}}', () => {
+    it('creates resource with valid payload', async () => {
+      const payload = { /* valid fields */ };
+      const res = await request(app)
+        .post('/api/{{resource}}')
+        .set('Authorization', `Bearer ${authToken}`)
+        .send(payload);
+
+      expect(res.status).toBe(201);
+      expect(res.body.id).toBeDefined();
+    });
+
+    it('returns 422 for invalid payload', async () => {
+      const res = await request(app)
+        .post('/api/{{resource}}')
+        .set('Authorization', `Bearer ${authToken}`)
+        .send({});
+      expect(res.status).toBe(422);
+      expect(res.body.errors).toBeDefined();
+    });
+
+    it('is idempotent with same request ID', async () => {
+      const requestId = crypto.randomUUID();
+      const payload = { /* valid fields */ };
+
+      const res1 = await request(app)
+        .post('/api/{{resource}}')
+        .set('Authorization', `Bearer ${authToken}`)
+        .set('X-Request-ID', requestId)
+        .send(payload);
+
+      const res2 = await request(app)
+        .post('/api/{{resource}}')
+        .set('Authorization', `Bearer ${authToken}`)
+        .set('X-Request-ID', requestId)
+        .send(payload);
+
+      expect(res1.body.id).toBe(res2.body.id);
+    });
+  });
+});
+```

package/assets/skills/brutal-honesty-review/SKILL.md

@@ -15,7 +15,6 @@ trust_tier: 2
 validation:
   schema_path: schemas/output.json
   validator_path: scripts/validate-config.json
-
 ---
 
 # Brutal Honesty Review

package/assets/skills/bug-reporting-excellence/SKILL.md

@@ -15,7 +15,6 @@ trust_tier: 2
 validation:
   schema_path: schemas/output.json
   validator_path: scripts/validate-config.json
-
 ---
 
 # Bug Reporting Excellence
@@ -228,3 +227,17 @@ const bugFleet = await FleetManager.coordinate({
 Your bug report is the starting point for someone else's work. Make it **complete** (all info needed), **clear** (anyone can follow), **concise** (no noise), and **actionable** (developer knows next step).
 
 **Good bug reports = Faster fixes = Better product = Happier users**
+
+## Skill Composition
+
+- **After finding bug** → Start with `/test-failure-investigator` for root cause
+- **Prevent regression** → Use `/regression-testing` to add test preventing recurrence
+- **Track quality** → Feed into `/test-metrics-dashboard` for trend analysis
+
+## Gotchas
+
+- Agent omits environment details (OS, browser version, node version) — these are critical for reproduction
+- "Steps to reproduce" that start with "1. Open the app" are useless — specify exact URL, user role, and state
+- Agent combines multiple bugs into one report — enforce ONE BUG = ONE REPORT strictly
+- Screenshots without annotations don't help — always highlight the actual error area
+- Severity assessment is often wrong — agent marks everything as "critical" or everything as "low"

package/assets/skills/cicd-pipeline-qe-orchestrator/SKILL.md

@@ -16,7 +16,6 @@ validation:
   schema_path: schemas/output.json
   validator_path: scripts/validate-config.json
   eval_path: evals/cicd-pipeline-qe-orchestrator.yaml
-
 ---
 
 # CI/CD Pipeline QE Orchestrator

package/assets/skills/code-review-quality/SKILL.md

@@ -15,7 +15,6 @@ trust_tier: 2
 validation:
   schema_path: schemas/output.json
   validator_path: scripts/validate-config.json
-
 ---
 
 # Code Review Quality
@@ -233,3 +232,17 @@ const reviewFleet = await FleetManager.coordinate({
 **Prioritize feedback:** 🔴 Blocker → 🟡 Major → 🟢 Minor → 💡 Suggestion. Focus on bugs and security, not style. Ask questions, don't command. Review < 400 lines at a time. Fast feedback (< 24h) beats thorough feedback.
 
 **With Agents:** Agents automate security, performance, and coverage checks, freeing human reviewers to focus on logic and design. Use agents for consistent, fast initial review.
+
+## Skill Composition
+
+- **Security concerns** → Compose with `/security-testing` for security-focused review
+- **Coverage check** → Run `/qe-coverage-analysis` on changed files
+- **Ship decision** → Feed review results into `/qe-quality-assessment`
+
+## Gotchas
+
+- Agent reviews >400 lines at once and misses issues — chunk reviews to 200-400 lines maximum
+- Nitpicking style while missing logic bugs is the #1 agent review failure — prioritize correctness over formatting
+- Agent approves code that compiles but has subtle race conditions — always check shared state and async patterns
+- Review comments without suggested fixes are unhelpful — always include a proposed alternative
+- Agent doesn't check if the PR actually solves the linked issue — verify the stated problem is actually fixed