ai-core-framework 0.1.0

package/core/skills/qa-smoke-test/SKILL.md

@@ -0,0 +1,387 @@
+---
+name: qa-smoke-test
+description: Use when the user asks to run /smoke-test, perform QA smoke testing for a ticket, verify a deployed build, record test results, or file bugs for failures.
+command: /smoke-test
+display_name: "Smoke Test"
+version: 1.0.0
+owner_agent: qa-tester
+model_preference: sonnet
+args:
+  - name: ticket_id
+    required: true
+    format: "TICKET-XXX"
+    description: "Ticket to smoke test"
+  - name: environment
+    required: false
+    type: string
+    default: "staging"
+    enum: [dev, staging, pre-prod]
+    description: "Target environment"
+  - name: depth
+    required: false
+    type: string
+    default: "standard"
+    enum: [quick, standard, thorough]
+    description: "Test coverage depth"
+preconditions:
+  - ticket_exists: true
+  - ticket_status: QA
+  - environment_accessible: true
+  - build_deployed: true
+postconditions:
+  - smoke_test_completed: true
+  - test_report_saved: true
+  - ticket_status: DONE | QA (if fails)
+  - bugs_filed: "for each failure found"
+---
+
+# /smoke-test
+
+> Verify feature works end-to-end on deployed environment.
+> **Gate**: QA → DONE transition.
+
+## 🎯 Purpose
+
+After merge to develop + deploy to staging, QA verifies:
+1. All AC scenarios work in real environment
+2. No obvious regressions in related flows
+3. Non-functional aspects (performance, browser compat, security basics)
+4. Feature is production-ready
+
+Output: Pass → transition DONE, or Fail → file bugs, ticket back to IN_PROGRESS.
+
+## 🚦 Trigger
+
+**Manual**:
+```
+/smoke-test TICKET-042                      # Standard depth, staging
+/smoke-test TICKET-042 --depth=thorough     # More extensive
+/smoke-test TICKET-042 --env=pre-prod       # Pre-prod check
+/smoke-test TICKET-042 --depth=quick        # Hotfix quick verify
+```
+
+**Auto**: Optional trigger after `/merge-pr` + deploy complete (via webhook).
+
+## 📋 Preconditions
+
+### 1. Ticket in QA state
+Read ticket, verify `status = QA`. If not:
+- IN_PROGRESS/IN_REVIEW → ABORT, merge first
+- DONE → ABORT, already tested
+- BLOCKED → ABORT, unblock first
+
+### 2. Environment accessible
+```bash
+curl -sf --max-time 10 "$STAGING_URL/health" || ABORT "Staging not responding"
+```
+
+### 3. Build with fix deployed
+Check build version matches expected:
+```bash
+deployed_commit=$(curl -s "$STAGING_URL/version" | jq -r .commit)
+expected_commit=$(cat project/tickets/${TICKET_ID}.json | jq -r .merge_info.merge_commit_sha)
+# Verify deployed >= expected
+```
+
+### 4. Test environment has data
+Required test accounts / test data exist. If not, setup before testing.
+
+## 🔄 Execution Flow
+
+```
+┌──────────────────────────────────────────────────────────┐
+│ STEP 1: Load context                                     │
+│   - Ticket + AC                                          │
+│   - Grooming notes                                       │
+│   - PR/commit info                                       │
+│   - Previous QA notes (if re-test)                       │
+├──────────────────────────────────────────────────────────┤
+│ STEP 2: Verify deployment                                │
+│   - Ping environment                                     │
+│   - Confirm build version                                │
+│   - Check service health                                 │
+├──────────────────────────────────────────────────────────┤
+│ STEP 3: Execute AC scenarios                             │
+│   For each scenario in ticket.acceptance_criteria:       │
+│     a. Setup preconditions (Given)                       │
+│     b. Execute action (When)                             │
+│     c. Verify outcome (Then)                             │
+│     d. Record: PASS | FAIL | BLOCKED                     │
+│     e. If FAIL: capture evidence (logs, screenshots)     │
+├──────────────────────────────────────────────────────────┤
+│ STEP 4: Regression spot-check                            │
+│   - Identify related features (same area)                │
+│   - Quick test core flows (login, signup, main CRUD)    │
+│   - Note any surprises                                   │
+├──────────────────────────────────────────────────────────┤
+│ STEP 5: Depth-based additional tests                     │
+│   quick:    AC only, 1 browser                           │
+│   standard: AC + regression + 2 browsers + mobile        │
+│   thorough: + edge cases + performance + security skim   │
+├──────────────────────────────────────────────────────────┤
+│ STEP 6: Non-functional checks                            │
+│   - Performance (response times within target)           │
+│   - No console errors in browser                         │
+│   - No 5xx in server logs during test                    │
+│   - Security: basic auth checks                          │
+├──────────────────────────────────────────────────────────┤
+│ STEP 7: Consolidate findings                             │
+│   Categorize each failure:                               │
+│   - AC failure → must fix, ticket stays QA/back          │
+│   - Regression → file bug, stays QA                      │
+│   - Environmental → flag, retry                          │
+│   - Minor cosmetic → file low-sev bug                    │
+├──────────────────────────────────────────────────────────┤
+│ STEP 8: Decision                                         │
+│   All PASS + no new regressions:                         │
+│     → Transition ticket QA → DONE                        │
+│                                                          │
+│   Any AC FAIL:                                           │
+│     → File bug(s)                                        │
+│     → Transition ticket QA → IN_PROGRESS (back to dev)   │
+│                                                          │
+│   Regression only (AC passes):                           │
+│     → Ticket stays DONE (this feature works)             │
+│     → File separate regression bug (own ticket)          │
+├──────────────────────────────────────────────────────────┤
+│ STEP 9: Generate report                                  │
+│   Save to: project/test-runs/TICKET-XXX-YYYYMMDD.md│
+├──────────────────────────────────────────────────────────┤
+│ STEP 10: Handoff                                         │
+│   Pass → scrum-master (ready for release)                │
+│   Fail → developer (bugs to fix)                         │
+└──────────────────────────────────────────────────────────┘
+```
+
+## 🔒 Hard Rules
+
+### RULE SM-001: Must actually test
+**MUST** execute tests on real environment. No "probably works" based on code review.
+
+### RULE SM-002: Every AC scenario tested
+**MUST NOT** skip scenarios. If any scenario blocked (e.g., no test data), flag and retry — don't declare pass.
+
+### RULE SM-003: Evidence required for failures
+Every FAIL **MUST** include:
+- Steps tried
+- Expected vs actual
+- Screenshot/recording or log excerpt
+- Timestamp
+
+Without evidence, can't escalate/reproduce.
+
+### RULE SM-004: Don't fix bugs
+QA reports bugs, does NOT fix them. Even "small typo fix".
+Exception: test data cleanup (OK).
+
+### RULE SM-005: Timebox environmental issues
+If environment blocks testing:
+- 15 min troubleshooting
+- Then escalate scrum-master (not proceed ignoring)
+
+### RULE SM-006: Regression awareness
+**MUST** think: "What else could this change have broken?"
+Test at least 3 related flows.
+
+### RULE SM-007: No sign-off with open SEV-1/SEV-2
+Per RULE QA-006. Cannot transition ticket to DONE if:
+- SEV-1 bug found in this smoke test
+- SEV-2 bug in same feature area
+
+### RULE SM-008: Document browser/device matrix
+At least test 1 desktop browser + 1 mobile browser for UI changes.
+Flag in report which were tested.
+
+### RULE SM-009: Preserve test data hygiene
+Per RULE QA-008: no production data.
+
+### RULE SM-010: Honest reporting
+No "looks good" without testing. No sign-off to unblock release pressure.
+"Quality is a hill to die on."
+
+## 📤 Output Format (Pass)
+
+```markdown
+## ✅ Smoke Test PASSED: TICKET-042
+
+**Feature**: Password Reset via Email
+**Environment**: staging
+**Build**: v1.2.0-rc.3 (commit abc1234)
+**Tested by**: qa-tester-agent
+**Duration**: 28 min
+**Depth**: standard
+
+### AC Scenarios
+| # | Scenario | Result |
+|---|----------|--------|
+| 1 | Happy path | ✅ PASS |
+| 2 | Email not registered | ✅ PASS |
+| 3 | Link expired | ✅ PASS |
+| 4 | Rate limit | ✅ PASS |
+
+**Coverage**: 4/4 scenarios
+
+### Regression Spot-Check
+| Area | Result |
+|------|--------|
+| Login (regular) | ✅ Works |
+| Signup flow | ✅ Works |
+| Session persistence | ✅ Works |
+
+### Browser Matrix
+| Browser | Desktop | Mobile |
+|---------|---------|--------|
+| Chrome 134 | ✅ | ✅ |
+| Firefox 125 | ✅ | - |
+| Safari 17 | ✅ | ✅ (iOS) |
+
+### Performance
+| Endpoint | p95 | Target | Status |
+|----------|-----|--------|--------|
+| POST /auth/request-reset | 320ms | <500ms | ✅ |
+| POST /auth/reset-password | 380ms | <500ms | ✅ |
+
+### Console / Logs
+- Browser console: no errors
+- Server logs: no 5xx during test
+- Email delivery: all 10 test emails delivered within 60s
+
+### Security Spot-Check
+- [x] HTTPS enforced
+- [x] No tokens in URL query strings (in Referer header)
+- [x] Email enumeration prevented (timing-safe)
+- [x] Rate limit normalizes email case
+
+### Issues Found
+None 🎉
+
+### Decision
+✅ **READY FOR RELEASE**
+
+Ticket state: QA → DONE ✅
+
+### Test Run Record
+Saved to: `project/test-runs/TICKET-042-20260418.md`
+
+---
+HANDOFF → scrum-master
+Action: Include in next release (/release command)
+```
+
+## 📤 Output Format (Fail)
+
+```markdown
+## ❌ Smoke Test FAILED: TICKET-042
+
+**Feature**: Password Reset via Email
+**Environment**: staging
+**Build**: v1.2.0-rc.3
+**Duration**: 42 min
+**Failures**: 1 AC failure + 1 new bug
+
+### AC Scenarios
+| # | Scenario | Result |
+|---|----------|--------|
+| 1 | Happy path | ✅ PASS |
+| 2 | Email not registered | ⚠️ PARTIAL (see below) |
+| 3 | Link expired | ✅ PASS |
+| 4 | Rate limit | ❌ FAIL (see BUG-002) |
+
+### Failure Details
+
+#### ❌ Scenario 4: Rate limit
+**Expected**: 6th request within hour returns HTTP 429
+**Actual**: All 20 requests returned 200
+
+**Evidence**:
+```
+Request 1: 200 OK (0.18s)
+Request 2: 200 OK (0.15s)
+...
+Request 20: 200 OK (0.21s)
+```
+
+**Hypothesis**: Rate limit middleware not applied to route, or Redis connection failing silently.
+
+**Filed**: BUG-002 (SEV-2)
+
+#### ⚠️ Scenario 2: Email not registered (PARTIAL)
+**Working**:
+- Correct generic message shown
+- No email sent
+
+**Issue**:
+- Response time 180ms (registered email) vs 220ms (unregistered) — 40ms diff
+- Possibly distinguishable via timing attack
+
+**Filed**: BUG-003 (SEV-3, security hardening)
+
+### Other Issues Found
+
+#### BUG-004: Email HTML renders as plain text
+(See separate bug report, filed as SEV-3)
+
+### Regression Check
+No regressions found in login/signup.
+
+### Decision
+
+❌ **NOT READY** - Must fix BUG-002 before release
+
+Ticket state: QA → IN_PROGRESS (back to dev)
+
+### Action Required
+1. **Developer**: Pick up BUG-002, investigate rate limit middleware
+2. **Tech Lead**: Review whether this indicates deeper architecture issue
+3. **QA**: Will re-test once BUG-002 fix merges
+
+### Bugs Filed
+- BUG-002: Rate limit not enforced (SEV-2) — blocks release
+- BUG-003: Timing attack on email existence (SEV-3)
+- BUG-004: Email HTML not rendering (SEV-3)
+
+---
+HANDOFF → developer
+Action: /implement-task BUG-002 (SEV-2 priority)
+```
+
+## 🚨 Failure Modes
+
+| Scenario | Action |
+|----------|--------|
+| Environment down | Timebox 15 min, escalate SM |
+| Build not deployed | Wait/ask SM for deploy status |
+| Test account locked | Create fresh, document in ticket |
+| Cannot reproduce scenario | Per RULE QA-007 timebox |
+| External service failing | Flag, test what's possible, note limitations |
+| Data cleanup fails | Flag, continue testing, tech-debt ticket |
+
+## 🔗 Related Commands
+
+- **Before**: `/merge-pr` (must be merged + deployed)
+- **After**:
+  - Pass: ticket DONE, `/release` eventually
+  - Fail: `/report-bug` (usually auto-triggered)
+- **Re-test**: `/smoke-test TICKET-042` after fix
+
+## 📊 Metrics Tracked
+
+```json
+{
+  "timestamp": "2026-04-18T18:00:00Z",
+  "ticket_id": "TICKET-042",
+  "environment": "staging",
+  "depth": "standard",
+  "duration_minutes": 28,
+  "ac_scenarios_total": 4,
+  "ac_scenarios_passed": 4,
+  "regression_areas_tested": 3,
+  "bugs_filed": 0,
+  "result": "PASS",
+  "final_state": "DONE"
+}
+```
+
+---
+**Last updated**: 2026-04-18
+**Maintainer**: QA Lead

package/core/skills/qa-triage-bug/SKILL.md

@@ -0,0 +1,62 @@
+---
+name: qa-triage-bug
+description: Use when the user asks to run /triage-bug, triage a NEW or NEEDS_MORE_INFO bug, set bug priority, identify ownership, or define the next QA action.
+command: /triage-bug
+display_name: "Triage Bug"
+version: 1.0.0
+status: READY
+owner_agent: business-analyst
+consults_agents:
+  - tech-lead
+  - qa-tester
+model_preference: sonnet
+args:
+  - name: bug_id
+    required: true
+    format: "BUG-XXX"
+preconditions:
+  - bug_exists: true
+  - bug_status_in: [NEW, NEEDS_MORE_INFO]
+postconditions:
+  - bug_priority_set: true
+  - owner_or_next_action_set: true
+---
+
+# /triage-bug
+
+> Classifies a bug by severity, priority, ownership, duplicate status, and next action.
+
+## 🎯 Purpose
+
+Turn a raw bug report into actionable work with business impact and routing.
+
+## 🔄 Execution Flow
+
+1. Load bug report and evidence.
+2. Check for duplicates and related tickets.
+3. Validate reproducer quality.
+4. Assess severity using user impact, data/security risk, workaround, and business impact.
+5. Assign priority and target fix window.
+6. Route to hotfix, sprint backlog, needs info, duplicate, or won’t fix.
+7. Update bug state and comments.
+
+## 🔒 Hard Rules
+
+- MUST justify severity.
+- MUST escalate SEV-1 immediately to Tech Lead and Scrum Master.
+- MUST NOT close as duplicate without linking original bug.
+- MUST NOT downplay security/data issues.
+
+## 📤 Outputs
+
+- Severity and priority
+- Triage decision
+- Owner
+- Linked tickets or bugs
+- Next command, often `/hotfix` or `/verify-fix`
+
+## 🔗 Related Commands
+
+- `/report-bug`
+- `/hotfix`
+- `/verify-fix`