prizmkit 1.1.84 → 1.1.86

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -1,5 +1,5 @@
1
1
  {
2
- "frameworkVersion": "1.1.84",
3
- "bundledAt": "2026-06-30T08:08:52.840Z",
4
- "bundledFrom": "3b93824"
2
+ "frameworkVersion": "1.1.86",
3
+ "bundledAt": "2026-06-30T15:38:43.553Z",
4
+ "bundledFrom": "d83ca7c"
5
5
  }
@@ -1045,19 +1045,27 @@ prizm_recover_session_log() {
1045
1045
 
1046
1046
  local main_size=0
1047
1047
  if [[ -f "$session_log" ]]; then
1048
- main_size=$(wc -c < "$session_log" 2>/dev/null | tr -d ' ')
1048
+ main_size=$(wc -c < "$session_log" 2>/dev/null | tr -d ' ') || true
1049
1049
  fi
1050
1050
 
1051
1051
  local backup_size=0
1052
- backup_size=$(wc -c < "$backup_log" 2>/dev/null | tr -d ' ')
1052
+ backup_size=$(wc -c < "$backup_log" 2>/dev/null | tr -d ' ') || true
1053
1053
 
1054
1054
  if [[ "$main_size" -lt 1024 && "$backup_size" -gt "$main_size" ]]; then
1055
- cp "$backup_log" "$session_log"
1056
- log_info "Session log recovered from backup (${backup_size}B → $session_log)"
1055
+ # Ensure parent directory exists before copying (subagent may have
1056
+ # deleted it along with session.log).
1057
+ local log_dir
1058
+ log_dir="$(dirname "$session_log")"
1059
+ mkdir -p "$log_dir" 2>/dev/null || true
1060
+ if cp "$backup_log" "$session_log" 2>/dev/null; then
1061
+ log_info "Session log recovered from backup (${backup_size}B → $session_log)"
1062
+ else
1063
+ log_warn "Session log recovery failed: could not copy backup to $session_log"
1064
+ fi
1057
1065
  fi
1058
1066
 
1059
- # Clean up backup either way
1060
- rm -f "$backup_log"
1067
+ # Clean up backup either way (rm is safe even with set -e)
1068
+ rm -f "$backup_log" 2>/dev/null || true
1061
1069
  return 0
1062
1070
  }
1063
1071
 
@@ -1,5 +1,5 @@
1
1
  {
2
- "version": "1.1.84",
2
+ "version": "1.1.86",
3
3
  "skills": {
4
4
  "prizm-kit": {
5
5
  "description": "Full-lifecycle dev toolkit. Covers spec-driven development, Prizm context docs, code quality, debugging, deployment, and knowledge management.",
@@ -110,6 +110,8 @@ Compare what exists against what should exist, across three levels:
110
110
 
111
111
  Read `${SKILL_DIR}/references/test-generation-steps.md` for the detailed generation procedure — priority order (unit → integration → E2E), failure handling rules, and generation patterns for each test level.
112
112
 
113
+ When generating unit tests for service-like functions, use `${SKILL_DIR}/references/service-boundary-test-catalog.md` via the generation procedure so boundary cases reflect the function's business responsibility, not only generic null/empty inputs.
114
+
113
115
  ### Phase 5: Unified Report
114
116
 
115
117
  Create `.prizmkit/test/{YYYY_MM_DD_HH_MM_SS}_testresult/` directory. Read `${SKILL_DIR}/references/test-report-template.md` for the full report format and artifact list.
@@ -0,0 +1,225 @@
1
+ # Service Boundary Test Catalog
2
+
3
+ Use this catalog during `/prizmkit-test` Phase 4a when generating unit tests for service-like functions or class methods. The goal is to turn "write boundary tests" into service-specific scenarios that match the unit's business responsibility.
4
+
5
+ ## How to Use This Catalog
6
+
7
+ 1. Classify the tested unit by reading its name, module path, parameters, dependencies, state changes, and related Prizm docs/spec acceptance criteria.
8
+ 2. Select every service type that applies. A function can be both a payment service and an idempotency service, or both a repository and pagination service.
9
+ 3. Map candidate boundaries to the actual contract in code/docs. Assert behavior that is specified or clearly implied; if expected behavior is unclear, mark the case as `needs-review` instead of inventing production behavior.
10
+ 4. Mock external dependencies for unit tests: databases, network calls, file storage, queues, payment gateways, email providers, clocks, and random ID generators.
11
+ 5. Record non-applicable categories as `N/A` with a short reason in the boundary coverage report so skipped categories are explicit.
12
+
13
+ ## Service Type Detection
14
+
15
+ | Signal | Likely Service Type |
16
+ |--------|---------------------|
17
+ | login, logout, signup, password, session, token, jwt, oauth, refresh | Auth / Session / Token |
18
+ | role, permission, policy, access, entitlement, plan, quota, ownership | Authorization / Permission / Entitlement |
19
+ | payment, wallet, billing, subscription, invoice, refund, balance, currency | Payment / Wallet / Billing / Refund |
20
+ | repository, model, dao, create, read, update, delete, insert, save, remove | CRUD / Repository / Database |
21
+ | search, list, page, cursor, filter, sort, query, limit, offset | Search / List / Pagination |
22
+ | validate, parse, normalize, transform, schema, sanitize, format | Validation / Parser / Normalizer |
23
+ | upload, download, storage, file, blob, s3, image, mime, path | File Upload / Storage |
24
+ | notify, email, sms, webhook, template, recipient, provider | Notification / Email / Webhook |
25
+ | job, queue, worker, scheduler, cron, retry, backoff, task | Job / Queue / Scheduler |
26
+ | cache, ttl, rate limit, throttle, idempotency, dedupe, lock | Cache / Rate Limit / Idempotency |
27
+ | client, sdk, request, fetch, provider, api key, endpoint, response | API Client / Third-Party Integration |
28
+ | date, time, expiry, expiration, ttl, schedule, window, timezone | Date / Time / Expiration |
29
+
30
+ When names and behavior disagree, trust behavior and dependencies over names. For example, `createCheckoutSession()` is payment-related even if it lives in a controller module.
31
+
32
+ ## Universal Boundary Matrix
33
+
34
+ Apply these categories to every public function/class method before adding service-specific cases:
35
+
36
+ - **Valid input**: typical valid input, minimal valid input, and complex valid input when supported.
37
+ - **Empty input**: `null` / `undefined` / `None`, empty string, empty array/object, whitespace-only string.
38
+ - **Numeric boundaries**: zero, one, minimum allowed value, maximum allowed value, just below/above limits.
39
+ - **Collection boundaries**: zero items, one item, many items, duplicate items, first/last element behavior.
40
+ - **Type and format errors**: wrong type, malformed string, unsupported enum, missing required parameter.
41
+ - **Branch paths**: each `if/else`, `switch/case/default`, ternary side, and loop path with zero/one/many iterations.
42
+ - **State and side effects**: before/after state, writes, emitted events, dependency method calls, call count/order/arguments.
43
+ - **Dependency failures**: mocked database errors, network timeouts, storage failures, provider errors, clock/randomness behavior.
44
+
45
+ ## Service-Specific Boundary Cases
46
+
47
+ ### Auth / Session / Token Services
48
+
49
+ Generate applicable cases for:
50
+
51
+ - Missing identifier, missing password, empty credentials, malformed email/username.
52
+ - Identifier normalization: uppercase/lowercase email, leading/trailing whitespace, Unicode usernames when supported.
53
+ - User not found, wrong password, unverified account, disabled account, locked account.
54
+ - Failed login count just below/at/above lock threshold.
55
+ - Successful login creates exactly one session/token with expected expiry and persisted state.
56
+ - Token missing, malformed, invalid signature, wrong algorithm, expired, not-yet-valid, revoked.
57
+ - Refresh token rotation: old refresh token reuse, missing refresh token, expired refresh token, revoked refresh token.
58
+ - Logout idempotency: logout with valid token, already logged-out token, missing token.
59
+ - OAuth/callback flows: missing code, missing state, state mismatch, provider error, provider returns incomplete profile.
60
+ - Dependency failures: user store error, password hasher error, token signer/verifier error, clock skew.
61
+
62
+ ### Authorization / Permission / Entitlement Services
63
+
64
+ Generate applicable cases for:
65
+
66
+ - Missing principal, anonymous principal, principal without roles/permissions.
67
+ - Default-deny behavior when no policy matches.
68
+ - Role hierarchy: basic role, elevated role, admin override, deny rule precedence.
69
+ - Resource ownership: owner, non-owner, tenant mismatch, organization mismatch.
70
+ - Entitlement states: active, expired, canceled, trial, disabled feature, missing plan.
71
+ - Quota boundaries: usage below limit, exactly at limit, one over limit, reset window boundary.
72
+ - Duplicate or conflicting permissions.
73
+ - Policy conditions with missing attributes, malformed attributes, unknown action/resource.
74
+ - Dependency failures: policy store error, entitlement lookup error, quota service timeout.
75
+
76
+ ### Payment / Wallet / Billing / Refund Services
77
+
78
+ Generate applicable cases for:
79
+
80
+ - Amount zero, negative amount, minimum billable unit, maximum allowed amount, just above maximum.
81
+ - Currency precision: too many decimal places, integer minor units, rounding at half-unit boundaries.
82
+ - Balance boundaries: balance exactly equals debit amount, balance one minor unit below amount, zero balance.
83
+ - Currency mismatch between wallet, invoice, and payment request.
84
+ - Idempotency: missing key, duplicate key with same payload, duplicate key with different payload.
85
+ - Transaction states: pending, succeeded, failed, canceled, already paid, already refunded.
86
+ - Refund boundaries: zero refund, partial refund, full refund, cumulative refunds equal original amount, cumulative refunds exceed original amount.
87
+ - Concurrent debit/refund attempts against the same account or transaction.
88
+ - Subscription/billing cycles: trial start/end, expired subscription, canceled subscription, renewal at boundary time.
89
+ - Provider failures: timeout, 4xx/5xx, malformed response, duplicate provider event, out-of-order webhook.
90
+ - Side effects: ledger entry count, balance mutation, webhook/event emission, provider call arguments.
91
+
92
+ ### CRUD / Repository / Database Services
93
+
94
+ Generate applicable cases for:
95
+
96
+ - Create with missing required fields, nullable fields set to `null`, optional fields omitted.
97
+ - Duplicate unique key, generated ID collision, invalid foreign key, unknown enum value.
98
+ - Read/update/delete with nonexistent ID, malformed ID, deleted/soft-deleted ID.
99
+ - Partial update semantics: omitted field vs `undefined` vs `null`, empty patch object.
100
+ - Optimistic locking: expected version, stale version, missing version.
101
+ - Soft delete behavior: excluded by default, included only when requested, double delete idempotency.
102
+ - Transaction behavior: rollback when one write fails, no partial side effects after failure.
103
+ - Database dependency errors: connection failure, constraint violation, timeout.
104
+ - Repository side effects: correct query arguments, write count, returned entity shape.
105
+
106
+ ### Search / List / Pagination / Sorting Services
107
+
108
+ Generate applicable cases for:
109
+
110
+ - Empty query, whitespace query, special characters, Unicode query, injection-like strings treated as data.
111
+ - No results, one result, many results, duplicate ranking/sort values.
112
+ - Page/offset pagination: page 0, page 1, last page, beyond last page, negative page/offset.
113
+ - Cursor pagination: missing cursor, malformed cursor, expired cursor, cursor at final item.
114
+ - Limit boundaries: omitted limit, limit 0, limit 1, maximum limit, maximum + 1.
115
+ - Sorting: default sort, invalid sort field, invalid direction, stable ordering with ties.
116
+ - Filters: empty filter set, unknown filter, conflicting filters, inclusive/exclusive date ranges.
117
+ - Total count and hasNext/hasPrevious flags at page boundaries.
118
+ - Dependency failures: search index unavailable, database query error, stale index response.
119
+
120
+ ### Validation / Parser / Normalizer Services
121
+
122
+ Generate applicable cases for:
123
+
124
+ - Missing input, `null` / `undefined` / `None`, empty string, whitespace-only string.
125
+ - Minimum and maximum length; just below/above configured length boundaries.
126
+ - Special characters, Unicode, emoji, newline/control characters, normalization-sensitive characters.
127
+ - Wrong type, mixed-type arrays, numeric strings vs numbers, booleans represented as strings.
128
+ - Unknown fields in strict mode, extra fields in permissive mode, duplicate keys/items.
129
+ - Invalid formats: email, URL, date, UUID, JSON, CSV, phone number, currency.
130
+ - Normalization idempotency: applying the normalizer twice yields the same result.
131
+ - Error shape: path/field name, code, message, and aggregation of multiple errors.
132
+ - Parser failures: malformed payload, truncated payload, unsupported version/schema.
133
+
134
+ ### File Upload / Storage Services
135
+
136
+ Generate applicable cases for:
137
+
138
+ - Zero-byte file, one-byte file, just below max size, exactly max size, just above max size.
139
+ - MIME/type mismatch between content, extension, and declared header.
140
+ - Unsupported file type, missing extension, uppercase extension, compound extension.
141
+ - Filename boundaries: empty name, very long name, Unicode name, duplicate name, path traversal characters.
142
+ - Storage key collisions and deterministic key generation.
143
+ - Checksum/hash mismatch, corrupted stream, interrupted upload, storage write failure.
144
+ - Image/media metadata boundaries: dimensions too small/large, unsupported codec, malformed metadata.
145
+ - Delete/read behavior for missing object, already-deleted object, permission-denied object.
146
+ - Side effects: storage provider call arguments, metadata record creation, cleanup on failure.
147
+
148
+ ### Notification / Email / Webhook Services
149
+
150
+ Generate applicable cases for:
151
+
152
+ - Missing recipient, invalid email/phone/URL, empty recipient list, duplicate recipients.
153
+ - Recipient preferences: unsubscribed, disabled channel, quiet hours, blocked user.
154
+ - Template variables: missing required variable, extra variable, `null` variable, special characters/HTML escaping.
155
+ - Provider selection: unsupported channel, fallback provider, disabled provider.
156
+ - Deduplication: duplicate notification key, repeated webhook event, retry with same id.
157
+ - Provider responses: success, rate limit, timeout, 4xx/5xx, malformed response, partial multi-recipient failure.
158
+ - Webhook security: missing signature, invalid signature, timestamp outside tolerance, replayed event.
159
+ - Side effects: event status persisted, retry scheduled or suppressed, provider called with expected payload.
160
+
161
+ ### Job / Queue / Scheduler Services
162
+
163
+ Generate applicable cases for:
164
+
165
+ - Missing payload, empty payload, malformed payload, unsupported job type/version.
166
+ - Duplicate job ID, idempotent processing of already-completed job, requeue behavior.
167
+ - Retry boundaries: first failure, retry count just below max, at max, over max, poison/dead-letter path.
168
+ - Backoff calculation: zero delay, minimum delay, maximum delay, jitter bounds when deterministic/mocked.
169
+ - Schedule boundaries: run in past, run now, run in future, invalid cron, daylight-saving transition.
170
+ - Concurrency: two workers claim same job, lock acquisition failure, stale lock recovery.
171
+ - Cancellation: before start, during processing, after completion.
172
+ - Side effects: ack/nack calls, status transitions, retry scheduling, emitted events.
173
+
174
+ ### Cache / Rate Limit / Idempotency Services
175
+
176
+ Generate applicable cases for:
177
+
178
+ - Cache miss, hit, stale hit, expired entry, invalidation, key collision.
179
+ - TTL boundaries: zero TTL, negative TTL, one unit TTL, exact expiry instant, just before/after expiry.
180
+ - Serialization/deserialization failure, corrupted cached value, unsupported value type.
181
+ - Cache stampede: concurrent misses for the same key should not duplicate expensive work when guarded.
182
+ - Rate limit boundaries: count below limit, exactly at limit, one above limit, window rollover.
183
+ - Missing actor key: anonymous user, missing IP, shared tenant/global scope.
184
+ - Idempotency key: missing, malformed, reused with same payload, reused with different payload, expired record.
185
+ - Lock behavior: lock unavailable, lock timeout, release on success, release on failure.
186
+ - Backing store failures: Redis/cache down, slow response, partial write.
187
+
188
+ ### API Client / Third-Party Integration Services
189
+
190
+ Generate applicable cases for:
191
+
192
+ - Missing base URL, missing API key, malformed configuration, unsupported region/environment.
193
+ - Request building: query encoding, header inclusion, body serialization, path parameter escaping.
194
+ - Response handling: 200 with valid body, 204/no body, malformed JSON, missing required field, unknown extra field.
195
+ - Error responses: 400, 401/403, 404, 409, 429, 500/503; retryable vs non-retryable classification.
196
+ - Timeout, network error, DNS/connect failure, aborted request.
197
+ - Retry boundaries: zero retries, one retry then success, max retries exhausted, backoff capped.
198
+ - Pagination: empty page, last page, next token missing/malformed, duplicate page token.
199
+ - Auth refresh/signing: expired access token, refresh failure, invalid signature, clock skew.
200
+ - Circuit breaker or fallback behavior when present.
201
+
202
+ ### Date / Time / Expiration Services
203
+
204
+ Generate applicable cases for:
205
+
206
+ - Exact boundary: `now == startsAt`, `now == expiresAt`, one millisecond/second before and after.
207
+ - Inclusive vs exclusive interval ends according to the contract.
208
+ - Start after end, zero-length interval, negative duration, missing timezone.
209
+ - Time zones: UTC vs local time, DST jump forward/back, leap day, month end, year end.
210
+ - Clock skew tolerance for tokens, webhooks, scheduled jobs, and signed requests.
211
+ - Recurring schedules: first occurrence, last occurrence, skipped occurrence, invalid cron/expression.
212
+ - TTL/window calculations: zero TTL, negative TTL, max TTL, rollover between windows.
213
+
214
+ ## When Multiple Service Types Apply
215
+
216
+ Combine the relevant sections and remove duplicate cases. Prioritize tests that exercise business invariants over tests that only repeat generic invalid input handling. For example, a wallet debit function should cover payment amount boundaries, idempotency replay, and date/expiration behavior if it also accepts an expiring authorization.
217
+
218
+ ## N/A Rules
219
+
220
+ Mark a category `N/A` when the unit has no corresponding input, state, or dependency. Include a short reason:
221
+
222
+ - `N/A — no external provider dependency`
223
+ - `N/A — function is pure and has no stateful side effects`
224
+ - `N/A — pagination is handled by caller, not this unit`
225
+ - `N/A — concurrency safety belongs to integration test because unit has no shared mutable state`
@@ -11,12 +11,16 @@ If a test fails repeatedly after 2 fix attempts, skip it and mark as "unresolved
11
11
  ## 4a. Unit Tests (always applicable)
12
12
 
13
13
  For each uncovered interface:
14
- - Read the source file to understand function signature and logic
14
+ - Read the source file to understand function signature, branch logic, dependencies, state changes, side effects, and failure paths.
15
+ - Classify the function/class method by service responsibility using names, module path, parameters, dependencies, and related Prizm docs/spec acceptance criteria.
16
+ - Read `references/service-boundary-test-catalog.md` when the unit is service-like or has business-specific inputs — it maps service responsibilities to boundary cases such as auth/session, payment/wallet, repository, pagination, file storage, notification, queue, cache/idempotency, API client, and date/expiration behavior.
17
+ - Build a Unit Test Case Matrix before writing tests. Include generic boundaries plus every applicable service-specific boundary; mark non-applicable categories as `N/A` with a short reason instead of silently skipping them.
15
18
  - Generate test file matching project conventions (framework, naming, directory, import style, mock/fixture patterns)
16
19
  - Common naming patterns to match:
17
20
  - `src/foo.ts` → `src/__tests__/foo.test.ts` or `src/foo.spec.ts` or `tests/foo_test.py`
18
21
  - Mirror the existing pattern; if no tests exist, use the framework's default convention
19
- - Cover: happy path, edge cases (null/undefined/empty), error conditions, boundary values
22
+ - Cover: happy path, service-specific boundary cases, edge cases (null/undefined/empty), error conditions, branch paths, boundary values, state/side effects, and dependency failures.
23
+ - Verify mocks for dependency method calls, call count/order/arguments when the behavior depends on collaborators.
20
24
  - Do NOT test framework internals or third-party library behavior
21
25
  - Run tests immediately after generating
22
26
 
@@ -23,6 +23,11 @@ Used in Phase 5 of `/prizmkit-test`. Create `.prizmkit/test/{YYYY_MM_DD_HH_MM_SS
23
23
  |--------|-----------|------|--------|
24
24
  | ... | ... | unit/integration/e2e | covered / generated / needs-review / unresolved / skipped |
25
25
 
26
+ ## Boundary Coverage
27
+ | Module | Interface | Service Type | Boundary Categories Covered | N/A Categories |
28
+ |--------|-----------|--------------|-----------------------------|----------------|
29
+ | ... | ... | auth/payment/repository/etc. | happy path, service-specific, branch paths, side effects, dependency failures | concurrency — no shared mutable state |
30
+
26
31
  ## Generated Tests
27
32
  - Unit: {N} generated, {N} needs-review, {N} unresolved
28
33
  - Integration: {N} generated, {N} needs-review, {N} unresolved
@@ -110,6 +110,8 @@ Compare what exists against what should exist, across three levels:
110
110
 
111
111
  Read `${SKILL_DIR}/references/test-generation-steps.md` for the detailed generation procedure — priority order (unit → integration → E2E), failure handling rules, and generation patterns for each test level.
112
112
 
113
+ When generating unit tests for service-like functions, use `${SKILL_DIR}/references/service-boundary-test-catalog.md` via the generation procedure so boundary cases reflect the function's business responsibility, not only generic null/empty inputs.
114
+
113
115
  ### Phase 5: Unified Report
114
116
 
115
117
  Create `.prizmkit/test/{YYYY_MM_DD_HH_MM_SS}_testresult/` directory. Read `${SKILL_DIR}/references/test-report-template.md` for the full report format and artifact list.
@@ -0,0 +1,225 @@
1
+ # Service Boundary Test Catalog
2
+
3
+ Use this catalog during `/prizmkit-test` Phase 4a when generating unit tests for service-like functions or class methods. The goal is to turn "write boundary tests" into service-specific scenarios that match the unit's business responsibility.
4
+
5
+ ## How to Use This Catalog
6
+
7
+ 1. Classify the tested unit by reading its name, module path, parameters, dependencies, state changes, and related Prizm docs/spec acceptance criteria.
8
+ 2. Select every service type that applies. A function can be both a payment service and an idempotency service, or both a repository and pagination service.
9
+ 3. Map candidate boundaries to the actual contract in code/docs. Assert behavior that is specified or clearly implied; if expected behavior is unclear, mark the case as `needs-review` instead of inventing production behavior.
10
+ 4. Mock external dependencies for unit tests: databases, network calls, file storage, queues, payment gateways, email providers, clocks, and random ID generators.
11
+ 5. Record non-applicable categories as `N/A` with a short reason in the boundary coverage report so skipped categories are explicit.
12
+
13
+ ## Service Type Detection
14
+
15
+ | Signal | Likely Service Type |
16
+ |--------|---------------------|
17
+ | login, logout, signup, password, session, token, jwt, oauth, refresh | Auth / Session / Token |
18
+ | role, permission, policy, access, entitlement, plan, quota, ownership | Authorization / Permission / Entitlement |
19
+ | payment, wallet, billing, subscription, invoice, refund, balance, currency | Payment / Wallet / Billing / Refund |
20
+ | repository, model, dao, create, read, update, delete, insert, save, remove | CRUD / Repository / Database |
21
+ | search, list, page, cursor, filter, sort, query, limit, offset | Search / List / Pagination |
22
+ | validate, parse, normalize, transform, schema, sanitize, format | Validation / Parser / Normalizer |
23
+ | upload, download, storage, file, blob, s3, image, mime, path | File Upload / Storage |
24
+ | notify, email, sms, webhook, template, recipient, provider | Notification / Email / Webhook |
25
+ | job, queue, worker, scheduler, cron, retry, backoff, task | Job / Queue / Scheduler |
26
+ | cache, ttl, rate limit, throttle, idempotency, dedupe, lock | Cache / Rate Limit / Idempotency |
27
+ | client, sdk, request, fetch, provider, api key, endpoint, response | API Client / Third-Party Integration |
28
+ | date, time, expiry, expiration, ttl, schedule, window, timezone | Date / Time / Expiration |
29
+
30
+ When names and behavior disagree, trust behavior and dependencies over names. For example, `createCheckoutSession()` is payment-related even if it lives in a controller module.
31
+
32
+ ## Universal Boundary Matrix
33
+
34
+ Apply these categories to every public function/class method before adding service-specific cases:
35
+
36
+ - **Valid input**: typical valid input, minimal valid input, and complex valid input when supported.
37
+ - **Empty input**: `null` / `undefined` / `None`, empty string, empty array/object, whitespace-only string.
38
+ - **Numeric boundaries**: zero, one, minimum allowed value, maximum allowed value, just below/above limits.
39
+ - **Collection boundaries**: zero items, one item, many items, duplicate items, first/last element behavior.
40
+ - **Type and format errors**: wrong type, malformed string, unsupported enum, missing required parameter.
41
+ - **Branch paths**: each `if/else`, `switch/case/default`, ternary side, and loop path with zero/one/many iterations.
42
+ - **State and side effects**: before/after state, writes, emitted events, dependency method calls, call count/order/arguments.
43
+ - **Dependency failures**: mocked database errors, network timeouts, storage failures, provider errors, clock/randomness behavior.
44
+
45
+ ## Service-Specific Boundary Cases
46
+
47
+ ### Auth / Session / Token Services
48
+
49
+ Generate applicable cases for:
50
+
51
+ - Missing identifier, missing password, empty credentials, malformed email/username.
52
+ - Identifier normalization: uppercase/lowercase email, leading/trailing whitespace, Unicode usernames when supported.
53
+ - User not found, wrong password, unverified account, disabled account, locked account.
54
+ - Failed login count just below/at/above lock threshold.
55
+ - Successful login creates exactly one session/token with expected expiry and persisted state.
56
+ - Token missing, malformed, invalid signature, wrong algorithm, expired, not-yet-valid, revoked.
57
+ - Refresh token rotation: old refresh token reuse, missing refresh token, expired refresh token, revoked refresh token.
58
+ - Logout idempotency: logout with valid token, already logged-out token, missing token.
59
+ - OAuth/callback flows: missing code, missing state, state mismatch, provider error, provider returns incomplete profile.
60
+ - Dependency failures: user store error, password hasher error, token signer/verifier error, clock skew.
61
+
62
+ ### Authorization / Permission / Entitlement Services
63
+
64
+ Generate applicable cases for:
65
+
66
+ - Missing principal, anonymous principal, principal without roles/permissions.
67
+ - Default-deny behavior when no policy matches.
68
+ - Role hierarchy: basic role, elevated role, admin override, deny rule precedence.
69
+ - Resource ownership: owner, non-owner, tenant mismatch, organization mismatch.
70
+ - Entitlement states: active, expired, canceled, trial, disabled feature, missing plan.
71
+ - Quota boundaries: usage below limit, exactly at limit, one over limit, reset window boundary.
72
+ - Duplicate or conflicting permissions.
73
+ - Policy conditions with missing attributes, malformed attributes, unknown action/resource.
74
+ - Dependency failures: policy store error, entitlement lookup error, quota service timeout.
75
+
76
+ ### Payment / Wallet / Billing / Refund Services
77
+
78
+ Generate applicable cases for:
79
+
80
+ - Amount zero, negative amount, minimum billable unit, maximum allowed amount, just above maximum.
81
+ - Currency precision: too many decimal places, integer minor units, rounding at half-unit boundaries.
82
+ - Balance boundaries: balance exactly equals debit amount, balance one minor unit below amount, zero balance.
83
+ - Currency mismatch between wallet, invoice, and payment request.
84
+ - Idempotency: missing key, duplicate key with same payload, duplicate key with different payload.
85
+ - Transaction states: pending, succeeded, failed, canceled, already paid, already refunded.
86
+ - Refund boundaries: zero refund, partial refund, full refund, cumulative refunds equal original amount, cumulative refunds exceed original amount.
87
+ - Concurrent debit/refund attempts against the same account or transaction.
88
+ - Subscription/billing cycles: trial start/end, expired subscription, canceled subscription, renewal at boundary time.
89
+ - Provider failures: timeout, 4xx/5xx, malformed response, duplicate provider event, out-of-order webhook.
90
+ - Side effects: ledger entry count, balance mutation, webhook/event emission, provider call arguments.
91
+
92
+ ### CRUD / Repository / Database Services
93
+
94
+ Generate applicable cases for:
95
+
96
+ - Create with missing required fields, nullable fields set to `null`, optional fields omitted.
97
+ - Duplicate unique key, generated ID collision, invalid foreign key, unknown enum value.
98
+ - Read/update/delete with nonexistent ID, malformed ID, deleted/soft-deleted ID.
99
+ - Partial update semantics: omitted field vs `undefined` vs `null`, empty patch object.
100
+ - Optimistic locking: expected version, stale version, missing version.
101
+ - Soft delete behavior: excluded by default, included only when requested, double delete idempotency.
102
+ - Transaction behavior: rollback when one write fails, no partial side effects after failure.
103
+ - Database dependency errors: connection failure, constraint violation, timeout.
104
+ - Repository side effects: correct query arguments, write count, returned entity shape.
105
+
106
+ ### Search / List / Pagination / Sorting Services
107
+
108
+ Generate applicable cases for:
109
+
110
+ - Empty query, whitespace query, special characters, Unicode query, injection-like strings treated as data.
111
+ - No results, one result, many results, duplicate ranking/sort values.
112
+ - Page/offset pagination: page 0, page 1, last page, beyond last page, negative page/offset.
113
+ - Cursor pagination: missing cursor, malformed cursor, expired cursor, cursor at final item.
114
+ - Limit boundaries: omitted limit, limit 0, limit 1, maximum limit, maximum + 1.
115
+ - Sorting: default sort, invalid sort field, invalid direction, stable ordering with ties.
116
+ - Filters: empty filter set, unknown filter, conflicting filters, inclusive/exclusive date ranges.
117
+ - Total count and hasNext/hasPrevious flags at page boundaries.
118
+ - Dependency failures: search index unavailable, database query error, stale index response.
119
+
120
+ ### Validation / Parser / Normalizer Services
121
+
122
+ Generate applicable cases for:
123
+
124
+ - Missing input, `null` / `undefined` / `None`, empty string, whitespace-only string.
125
+ - Minimum and maximum length; just below/above configured length boundaries.
126
+ - Special characters, Unicode, emoji, newline/control characters, normalization-sensitive characters.
127
+ - Wrong type, mixed-type arrays, numeric strings vs numbers, booleans represented as strings.
128
+ - Unknown fields in strict mode, extra fields in permissive mode, duplicate keys/items.
129
+ - Invalid formats: email, URL, date, UUID, JSON, CSV, phone number, currency.
130
+ - Normalization idempotency: applying the normalizer twice yields the same result.
131
+ - Error shape: path/field name, code, message, and aggregation of multiple errors.
132
+ - Parser failures: malformed payload, truncated payload, unsupported version/schema.
133
+
134
+ ### File Upload / Storage Services
135
+
136
+ Generate applicable cases for:
137
+
138
+ - Zero-byte file, one-byte file, just below max size, exactly max size, just above max size.
139
+ - MIME/type mismatch between content, extension, and declared header.
140
+ - Unsupported file type, missing extension, uppercase extension, compound extension.
141
+ - Filename boundaries: empty name, very long name, Unicode name, duplicate name, path traversal characters.
142
+ - Storage key collisions and deterministic key generation.
143
+ - Checksum/hash mismatch, corrupted stream, interrupted upload, storage write failure.
144
+ - Image/media metadata boundaries: dimensions too small/large, unsupported codec, malformed metadata.
145
+ - Delete/read behavior for missing object, already-deleted object, permission-denied object.
146
+ - Side effects: storage provider call arguments, metadata record creation, cleanup on failure.
147
+
148
+ ### Notification / Email / Webhook Services
149
+
150
+ Generate applicable cases for:
151
+
152
+ - Missing recipient, invalid email/phone/URL, empty recipient list, duplicate recipients.
153
+ - Recipient preferences: unsubscribed, disabled channel, quiet hours, blocked user.
154
+ - Template variables: missing required variable, extra variable, `null` variable, special characters/HTML escaping.
155
+ - Provider selection: unsupported channel, fallback provider, disabled provider.
156
+ - Deduplication: duplicate notification key, repeated webhook event, retry with same id.
157
+ - Provider responses: success, rate limit, timeout, 4xx/5xx, malformed response, partial multi-recipient failure.
158
+ - Webhook security: missing signature, invalid signature, timestamp outside tolerance, replayed event.
159
+ - Side effects: event status persisted, retry scheduled or suppressed, provider called with expected payload.
160
+
161
+ ### Job / Queue / Scheduler Services
162
+
163
+ Generate applicable cases for:
164
+
165
+ - Missing payload, empty payload, malformed payload, unsupported job type/version.
166
+ - Duplicate job ID, idempotent processing of already-completed job, requeue behavior.
167
+ - Retry boundaries: first failure, retry count just below max, at max, over max, poison/dead-letter path.
168
+ - Backoff calculation: zero delay, minimum delay, maximum delay, jitter bounds when deterministic/mocked.
169
+ - Schedule boundaries: run in past, run now, run in future, invalid cron, daylight-saving transition.
170
+ - Concurrency: two workers claim same job, lock acquisition failure, stale lock recovery.
171
+ - Cancellation: before start, during processing, after completion.
172
+ - Side effects: ack/nack calls, status transitions, retry scheduling, emitted events.
173
+
174
+ ### Cache / Rate Limit / Idempotency Services
175
+
176
+ Generate applicable cases for:
177
+
178
+ - Cache miss, hit, stale hit, expired entry, invalidation, key collision.
179
+ - TTL boundaries: zero TTL, negative TTL, one unit TTL, exact expiry instant, just before/after expiry.
180
+ - Serialization/deserialization failure, corrupted cached value, unsupported value type.
181
+ - Cache stampede: concurrent misses for the same key should not duplicate expensive work when guarded.
182
+ - Rate limit boundaries: count below limit, exactly at limit, one above limit, window rollover.
183
+ - Missing actor key: anonymous user, missing IP, shared tenant/global scope.
184
+ - Idempotency key: missing, malformed, reused with same payload, reused with different payload, expired record.
185
+ - Lock behavior: lock unavailable, lock timeout, release on success, release on failure.
186
+ - Backing store failures: Redis/cache down, slow response, partial write.
187
+
188
+ ### API Client / Third-Party Integration Services
189
+
190
+ Generate applicable cases for:
191
+
192
+ - Missing base URL, missing API key, malformed configuration, unsupported region/environment.
193
+ - Request building: query encoding, header inclusion, body serialization, path parameter escaping.
194
+ - Response handling: 200 with valid body, 204/no body, malformed JSON, missing required field, unknown extra field.
195
+ - Error responses: 400, 401/403, 404, 409, 429, 500/503; retryable vs non-retryable classification.
196
+ - Timeout, network error, DNS/connect failure, aborted request.
197
+ - Retry boundaries: zero retries, one retry then success, max retries exhausted, backoff capped.
198
+ - Pagination: empty page, last page, next token missing/malformed, duplicate page token.
199
+ - Auth refresh/signing: expired access token, refresh failure, invalid signature, clock skew.
200
+ - Circuit breaker or fallback behavior when present.
201
+
202
+ ### Date / Time / Expiration Services
203
+
204
+ Generate applicable cases for:
205
+
206
+ - Exact boundary: `now == startsAt`, `now == expiresAt`, one millisecond/second before and after.
207
+ - Inclusive vs exclusive interval ends according to the contract.
208
+ - Start after end, zero-length interval, negative duration, missing timezone.
209
+ - Time zones: UTC vs local time, DST jump forward/back, leap day, month end, year end.
210
+ - Clock skew tolerance for tokens, webhooks, scheduled jobs, and signed requests.
211
+ - Recurring schedules: first occurrence, last occurrence, skipped occurrence, invalid cron/expression.
212
+ - TTL/window calculations: zero TTL, negative TTL, max TTL, rollover between windows.
213
+
214
+ ## When Multiple Service Types Apply
215
+
216
+ Combine the relevant sections and remove duplicate cases. Prioritize tests that exercise business invariants over tests that only repeat generic invalid input handling. For example, a wallet debit function should cover payment amount boundaries, idempotency replay, and date/expiration behavior if it also accepts an expiring authorization.
217
+
218
+ ## N/A Rules
219
+
220
+ Mark a category `N/A` when the unit has no corresponding input, state, or dependency. Include a short reason:
221
+
222
+ - `N/A — no external provider dependency`
223
+ - `N/A — function is pure and has no stateful side effects`
224
+ - `N/A — pagination is handled by caller, not this unit`
225
+ - `N/A — concurrency safety belongs to integration test because unit has no shared mutable state`
@@ -11,12 +11,16 @@ If a test fails repeatedly after 2 fix attempts, skip it and mark as "unresolved
11
11
  ## 4a. Unit Tests (always applicable)
12
12
 
13
13
  For each uncovered interface:
14
- - Read the source file to understand function signature and logic
14
+ - Read the source file to understand function signature, branch logic, dependencies, state changes, side effects, and failure paths.
15
+ - Classify the function/class method by service responsibility using names, module path, parameters, dependencies, and related Prizm docs/spec acceptance criteria.
16
+ - Read `references/service-boundary-test-catalog.md` when the unit is service-like or has business-specific inputs — it maps service responsibilities to boundary cases such as auth/session, payment/wallet, repository, pagination, file storage, notification, queue, cache/idempotency, API client, and date/expiration behavior.
17
+ - Build a Unit Test Case Matrix before writing tests. Include generic boundaries plus every applicable service-specific boundary; mark non-applicable categories as `N/A` with a short reason instead of silently skipping them.
15
18
  - Generate test file matching project conventions (framework, naming, directory, import style, mock/fixture patterns)
16
19
  - Common naming patterns to match:
17
20
  - `src/foo.ts` → `src/__tests__/foo.test.ts` or `src/foo.spec.ts` or `tests/foo_test.py`
18
21
  - Mirror the existing pattern; if no tests exist, use the framework's default convention
19
- - Cover: happy path, edge cases (null/undefined/empty), error conditions, boundary values
22
+ - Cover: happy path, service-specific boundary cases, edge cases (null/undefined/empty), error conditions, branch paths, boundary values, state/side effects, and dependency failures.
23
+ - Verify mocks for dependency method calls, call count/order/arguments when the behavior depends on collaborators.
20
24
  - Do NOT test framework internals or third-party library behavior
21
25
  - Run tests immediately after generating
22
26
 
@@ -23,6 +23,11 @@ Used in Phase 5 of `/prizmkit-test`. Create `.prizmkit/test/{YYYY_MM_DD_HH_MM_SS
23
23
  |--------|-----------|------|--------|
24
24
  | ... | ... | unit/integration/e2e | covered / generated / needs-review / unresolved / skipped |
25
25
 
26
+ ## Boundary Coverage
27
+ | Module | Interface | Service Type | Boundary Categories Covered | N/A Categories |
28
+ |--------|-----------|--------------|-----------------------------|----------------|
29
+ | ... | ... | auth/payment/repository/etc. | happy path, service-specific, branch paths, side effects, dependency failures | concurrency — no shared mutable state |
30
+
26
31
  ## Generated Tests
27
32
  - Unit: {N} generated, {N} needs-review, {N} unresolved
28
33
  - Integration: {N} generated, {N} needs-review, {N} unresolved
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "prizmkit",
3
- "version": "1.1.84",
3
+ "version": "1.1.86",
4
4
  "description": "Create a new PrizmKit-powered project with clean initialization — no framework dev files, just what you need.",
5
5
  "type": "module",
6
6
  "bin": {