qa-skills 3.0.0 → 3.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (262) hide show
  1. package/README.md +20 -149
  2. package/bin/cli.js +1 -40
  3. package/package.json +23 -26
  4. package/dist/agents/registry.d.ts +0 -5
  5. package/dist/agents/registry.d.ts.map +0 -1
  6. package/dist/agents/registry.js +0 -101
  7. package/dist/agents/registry.js.map +0 -1
  8. package/dist/agents/types.d.ts +0 -9
  9. package/dist/agents/types.d.ts.map +0 -1
  10. package/dist/agents/types.js +0 -2
  11. package/dist/agents/types.js.map +0 -1
  12. package/dist/dependencies.d.ts +0 -21
  13. package/dist/dependencies.d.ts.map +0 -1
  14. package/dist/dependencies.js +0 -125
  15. package/dist/dependencies.js.map +0 -1
  16. package/dist/installer.d.ts +0 -25
  17. package/dist/installer.d.ts.map +0 -1
  18. package/dist/installer.js +0 -437
  19. package/dist/installer.js.map +0 -1
  20. package/dist/scaffold.d.ts +0 -27
  21. package/dist/scaffold.d.ts.map +0 -1
  22. package/dist/scaffold.js +0 -182
  23. package/dist/scaffold.js.map +0 -1
  24. package/skills/qa-accessibility-test-writer/SKILL.md +0 -127
  25. package/skills/qa-accessibility-test-writer/references/axe-core-patterns.md +0 -349
  26. package/skills/qa-accessibility-test-writer/references/best-practices.md +0 -184
  27. package/skills/qa-accessibility-test-writer/references/wcag-tests.md +0 -331
  28. package/skills/qa-api-contract-curator/SKILL.md +0 -104
  29. package/skills/qa-api-contract-curator/references/breaking-changes.md +0 -363
  30. package/skills/qa-api-contract-curator/references/openapi-structure.md +0 -404
  31. package/skills/qa-browser-data-collector/SKILL.md +0 -132
  32. package/skills/qa-browser-data-collector/references/data-collection-checklist.md +0 -91
  33. package/skills/qa-browser-data-collector/references/playwright-mcp-patterns.md +0 -113
  34. package/skills/qa-bug-ticket-creator/SKILL.md +0 -148
  35. package/skills/qa-bug-ticket-creator/references/bug-report-format.md +0 -149
  36. package/skills/qa-bug-ticket-creator/references/severity-guide.md +0 -81
  37. package/skills/qa-bug-ticket-creator/templates/bug-ticket-template.md +0 -39
  38. package/skills/qa-changelog-analyzer/SKILL.md +0 -134
  39. package/skills/qa-changelog-analyzer/references/git-analysis-patterns.md +0 -138
  40. package/skills/qa-changelog-analyzer/references/impact-mapping.md +0 -120
  41. package/skills/qa-clickup-integration/SKILL.md +0 -166
  42. package/skills/qa-clickup-integration/references/api-patterns.md +0 -102
  43. package/skills/qa-clickup-integration/references/field-mapping.md +0 -71
  44. package/skills/qa-codeceptjs-writer/SKILL.md +0 -136
  45. package/skills/qa-codeceptjs-writer/references/best-practices.md +0 -207
  46. package/skills/qa-codeceptjs-writer/references/config.md +0 -255
  47. package/skills/qa-codeceptjs-writer/references/patterns.md +0 -285
  48. package/skills/qa-coverage-analyzer/SKILL.md +0 -166
  49. package/skills/qa-coverage-analyzer/references/best-practices.md +0 -142
  50. package/skills/qa-coverage-analyzer/references/coverage-dimensions.md +0 -155
  51. package/skills/qa-coverage-analyzer/references/tools.md +0 -204
  52. package/skills/qa-cypress-writer/SKILL.md +0 -134
  53. package/skills/qa-cypress-writer/references/assertions.md +0 -121
  54. package/skills/qa-cypress-writer/references/best-practices.md +0 -82
  55. package/skills/qa-cypress-writer/references/config.md +0 -121
  56. package/skills/qa-cypress-writer/references/patterns.md +0 -170
  57. package/skills/qa-data-factory/SKILL.md +0 -126
  58. package/skills/qa-data-factory/references/factory-patterns.md +0 -164
  59. package/skills/qa-data-factory/references/faker-guide.md +0 -131
  60. package/skills/qa-diagram-generator/SKILL.md +0 -125
  61. package/skills/qa-diagram-generator/references/c4-model.md +0 -53
  62. package/skills/qa-diagram-generator/references/charts.md +0 -58
  63. package/skills/qa-diagram-generator/references/class-diagram.md +0 -85
  64. package/skills/qa-diagram-generator/references/er-diagram.md +0 -69
  65. package/skills/qa-diagram-generator/references/flowchart.md +0 -92
  66. package/skills/qa-diagram-generator/references/from-screenshot.md +0 -45
  67. package/skills/qa-diagram-generator/references/gantt.md +0 -49
  68. package/skills/qa-diagram-generator/references/journey.md +0 -50
  69. package/skills/qa-diagram-generator/references/mindmap.md +0 -75
  70. package/skills/qa-diagram-generator/references/sequence.md +0 -69
  71. package/skills/qa-diagram-generator/references/state-diagram.md +0 -56
  72. package/skills/qa-discovery-interview/SKILL.md +0 -182
  73. package/skills/qa-discovery-interview/references/completeness-checklist.md +0 -53
  74. package/skills/qa-discovery-interview/references/conflict-patterns.md +0 -101
  75. package/skills/qa-discovery-interview/references/qa-categories.md +0 -147
  76. package/skills/qa-discovery-interview/templates/qa-brief-template.md +0 -168
  77. package/skills/qa-environment-checker/SKILL.md +0 -142
  78. package/skills/qa-environment-checker/references/dependency-matrix.md +0 -101
  79. package/skills/qa-environment-checker/references/health-checks.md +0 -209
  80. package/skills/qa-environment-checker/templates/env-readiness-template.md +0 -64
  81. package/skills/qa-flaky-detector/SKILL.md +0 -153
  82. package/skills/qa-flaky-detector/references/ci-analysis.md +0 -140
  83. package/skills/qa-flaky-detector/references/flaky-patterns.md +0 -247
  84. package/skills/qa-github-issues-enhanced/SKILL.md +0 -175
  85. package/skills/qa-github-issues-enhanced/references/issue-templates.md +0 -425
  86. package/skills/qa-github-issues-enhanced/references/label-taxonomy.md +0 -130
  87. package/skills/qa-github-issues-enhanced/references/workflow-patterns.md +0 -188
  88. package/skills/qa-httpx-writer/SKILL.md +0 -138
  89. package/skills/qa-httpx-writer/references/assertions.md +0 -195
  90. package/skills/qa-httpx-writer/references/best-practices.md +0 -140
  91. package/skills/qa-httpx-writer/references/config.md +0 -212
  92. package/skills/qa-httpx-writer/references/patterns.md +0 -262
  93. package/skills/qa-jest-writer/SKILL.md +0 -131
  94. package/skills/qa-jest-writer/references/assertions.md +0 -125
  95. package/skills/qa-jest-writer/references/best-practices.md +0 -136
  96. package/skills/qa-jest-writer/references/config.md +0 -134
  97. package/skills/qa-jest-writer/references/patterns.md +0 -172
  98. package/skills/qa-jira-integration/SKILL.md +0 -135
  99. package/skills/qa-jira-integration/references/api-patterns.md +0 -143
  100. package/skills/qa-jira-integration/references/field-mapping.md +0 -79
  101. package/skills/qa-jira-integration/references/xray-integration.md +0 -85
  102. package/skills/qa-jmeter-writer/SKILL.md +0 -171
  103. package/skills/qa-jmeter-writer/references/best-practices.md +0 -157
  104. package/skills/qa-jmeter-writer/references/config.md +0 -204
  105. package/skills/qa-jmeter-writer/references/patterns.md +0 -242
  106. package/skills/qa-junit5-writer/SKILL.md +0 -157
  107. package/skills/qa-junit5-writer/references/assertions.md +0 -118
  108. package/skills/qa-junit5-writer/references/config.md +0 -97
  109. package/skills/qa-junit5-writer/references/patterns.md +0 -162
  110. package/skills/qa-k6-writer/SKILL.md +0 -155
  111. package/skills/qa-k6-writer/references/best-practices.md +0 -236
  112. package/skills/qa-k6-writer/references/config.md +0 -219
  113. package/skills/qa-k6-writer/references/patterns.md +0 -304
  114. package/skills/qa-linear-integration/SKILL.md +0 -137
  115. package/skills/qa-linear-integration/references/api-patterns.md +0 -249
  116. package/skills/qa-linear-integration/references/field-mapping.md +0 -121
  117. package/skills/qa-locust-writer/SKILL.md +0 -151
  118. package/skills/qa-locust-writer/references/best-practices.md +0 -126
  119. package/skills/qa-locust-writer/references/config.md +0 -170
  120. package/skills/qa-locust-writer/references/patterns.md +0 -235
  121. package/skills/qa-manual-test-designer/SKILL.md +0 -145
  122. package/skills/qa-manual-test-designer/references/exploratory-charters.md +0 -138
  123. package/skills/qa-manual-test-designer/references/personas.md +0 -146
  124. package/skills/qa-manual-test-designer/templates/exploratory-charter-template.md +0 -47
  125. package/skills/qa-manual-test-designer/templates/test-case-template.md +0 -31
  126. package/skills/qa-mobile-test-writer/SKILL.md +0 -144
  127. package/skills/qa-mobile-test-writer/references/best-practices.md +0 -214
  128. package/skills/qa-mobile-test-writer/references/config.md +0 -309
  129. package/skills/qa-mobile-test-writer/references/patterns.md +0 -304
  130. package/skills/qa-nfr-analyst/SKILL.md +0 -177
  131. package/skills/qa-nfr-analyst/references/iso-25010-model.md +0 -159
  132. package/skills/qa-nfr-analyst/references/owasp-wstg-baseline.md +0 -202
  133. package/skills/qa-nfr-analyst/references/wcag-checklist.md +0 -184
  134. package/skills/qa-nfr-analyst/templates/owasp-checklist-template.md +0 -89
  135. package/skills/qa-nfr-analyst/templates/wcag-checklist-template.md +0 -48
  136. package/skills/qa-orchestrator/SKILL.md +0 -132
  137. package/skills/qa-orchestrator/references/handoff-chains.md +0 -105
  138. package/skills/qa-orchestrator/references/pipeline-modes.md +0 -115
  139. package/skills/qa-orchestrator/references/scheduler-rules.md +0 -84
  140. package/skills/qa-pact-writer/SKILL.md +0 -133
  141. package/skills/qa-pact-writer/references/best-practices.md +0 -100
  142. package/skills/qa-pact-writer/references/config.md +0 -135
  143. package/skills/qa-pact-writer/references/patterns.md +0 -161
  144. package/skills/qa-plan-creator/SKILL.md +0 -139
  145. package/skills/qa-plan-creator/references/introduction-plan.md +0 -43
  146. package/skills/qa-plan-creator/references/migration-plan.md +0 -44
  147. package/skills/qa-plan-creator/references/onboarding-plan.md +0 -46
  148. package/skills/qa-plan-creator/references/performance-plan.md +0 -44
  149. package/skills/qa-plan-creator/references/regression-plan.md +0 -45
  150. package/skills/qa-plan-creator/references/release-plan.md +0 -45
  151. package/skills/qa-plan-creator/references/sprint-plan.md +0 -44
  152. package/skills/qa-plan-creator/references/test-plan.md +0 -59
  153. package/skills/qa-plan-creator/references/uat-plan.md +0 -43
  154. package/skills/qa-plan-creator/templates/checklist-template.md +0 -36
  155. package/skills/qa-plan-creator/templates/regression-checklist-template.md +0 -49
  156. package/skills/qa-plan-creator/templates/release-checklist-template.md +0 -46
  157. package/skills/qa-plan-creator/templates/test-plan-template.md +0 -74
  158. package/skills/qa-playwright-py-writer/SKILL.md +0 -156
  159. package/skills/qa-playwright-py-writer/references/best-practices.md +0 -194
  160. package/skills/qa-playwright-py-writer/references/config.md +0 -195
  161. package/skills/qa-playwright-py-writer/references/patterns.md +0 -212
  162. package/skills/qa-playwright-ts-writer/SKILL.md +0 -151
  163. package/skills/qa-playwright-ts-writer/references/assertions.md +0 -109
  164. package/skills/qa-playwright-ts-writer/references/best-practices.md +0 -191
  165. package/skills/qa-playwright-ts-writer/references/config.md +0 -144
  166. package/skills/qa-playwright-ts-writer/references/patterns.md +0 -171
  167. package/skills/qa-pytest-writer/SKILL.md +0 -145
  168. package/skills/qa-pytest-writer/references/assertions.md +0 -149
  169. package/skills/qa-pytest-writer/references/best-practices.md +0 -97
  170. package/skills/qa-pytest-writer/references/config.md +0 -176
  171. package/skills/qa-pytest-writer/references/patterns.md +0 -251
  172. package/skills/qa-qase-integration/SKILL.md +0 -149
  173. package/skills/qa-qase-integration/references/api-reference.md +0 -354
  174. package/skills/qa-qase-integration/references/ci-integration.md +0 -196
  175. package/skills/qa-qase-integration/references/field-mapping.md +0 -157
  176. package/skills/qa-requirements-generator/SKILL.md +0 -152
  177. package/skills/qa-requirements-generator/references/iso-29148-structure.md +0 -153
  178. package/skills/qa-requirements-generator/references/requirement-patterns.md +0 -278
  179. package/skills/qa-rest-assured-writer/SKILL.md +0 -137
  180. package/skills/qa-rest-assured-writer/references/best-practices.md +0 -50
  181. package/skills/qa-rest-assured-writer/references/config.md +0 -124
  182. package/skills/qa-rest-assured-writer/references/patterns.md +0 -192
  183. package/skills/qa-risk-analyzer/SKILL.md +0 -158
  184. package/skills/qa-risk-analyzer/references/impact-analysis.md +0 -133
  185. package/skills/qa-risk-analyzer/references/risk-factors.md +0 -123
  186. package/skills/qa-robot-framework-writer/SKILL.md +0 -147
  187. package/skills/qa-robot-framework-writer/references/best-practices.md +0 -249
  188. package/skills/qa-robot-framework-writer/references/config.md +0 -204
  189. package/skills/qa-robot-framework-writer/references/libraries.md +0 -273
  190. package/skills/qa-robot-framework-writer/references/patterns.md +0 -216
  191. package/skills/qa-security-test-writer/SKILL.md +0 -123
  192. package/skills/qa-security-test-writer/references/best-practices.md +0 -155
  193. package/skills/qa-security-test-writer/references/owasp-top10.md +0 -331
  194. package/skills/qa-security-test-writer/references/zap-config.md +0 -258
  195. package/skills/qa-selenium-java-writer/SKILL.md +0 -143
  196. package/skills/qa-selenium-java-writer/references/best-practices.md +0 -59
  197. package/skills/qa-selenium-java-writer/references/config.md +0 -143
  198. package/skills/qa-selenium-java-writer/references/patterns.md +0 -170
  199. package/skills/qa-selenium-py-writer/SKILL.md +0 -150
  200. package/skills/qa-selenium-py-writer/references/best-practices.md +0 -175
  201. package/skills/qa-selenium-py-writer/references/config.md +0 -224
  202. package/skills/qa-selenium-py-writer/references/patterns.md +0 -255
  203. package/skills/qa-shortcut-integration/SKILL.md +0 -143
  204. package/skills/qa-shortcut-integration/references/api-patterns.md +0 -126
  205. package/skills/qa-shortcut-integration/references/field-mapping.md +0 -66
  206. package/skills/qa-spec-auditor/SKILL.md +0 -162
  207. package/skills/qa-spec-auditor/references/audit-checklist.md +0 -144
  208. package/skills/qa-spec-auditor/references/drift-patterns.md +0 -207
  209. package/skills/qa-spec-writer/SKILL.md +0 -143
  210. package/skills/qa-spec-writer/references/gherkin-guide.md +0 -253
  211. package/skills/qa-spec-writer/references/specification-patterns.md +0 -274
  212. package/skills/qa-spring-test-writer/SKILL.md +0 -170
  213. package/skills/qa-spring-test-writer/references/best-practices.md +0 -57
  214. package/skills/qa-spring-test-writer/references/config.md +0 -179
  215. package/skills/qa-spring-test-writer/references/patterns.md +0 -235
  216. package/skills/qa-supertest-writer/SKILL.md +0 -150
  217. package/skills/qa-supertest-writer/references/assertions.md +0 -192
  218. package/skills/qa-supertest-writer/references/best-practices.md +0 -102
  219. package/skills/qa-supertest-writer/references/config.md +0 -166
  220. package/skills/qa-supertest-writer/references/patterns.md +0 -242
  221. package/skills/qa-task-creator/SKILL.md +0 -142
  222. package/skills/qa-task-creator/references/linking-patterns.md +0 -127
  223. package/skills/qa-task-creator/references/task-types.md +0 -169
  224. package/skills/qa-task-creator/templates/task-template.md +0 -24
  225. package/skills/qa-test-doc-compiler/SKILL.md +0 -114
  226. package/skills/qa-test-doc-compiler/references/agile-tailoring.md +0 -220
  227. package/skills/qa-test-doc-compiler/references/iso-29119-3-documents.md +0 -302
  228. package/skills/qa-test-healer/SKILL.md +0 -101
  229. package/skills/qa-test-healer/references/diagnosis-patterns.md +0 -142
  230. package/skills/qa-test-healer/references/fix-strategies.md +0 -177
  231. package/skills/qa-test-reporter/SKILL.md +0 -130
  232. package/skills/qa-test-reporter/references/best-practices.md +0 -162
  233. package/skills/qa-test-reporter/references/iso-29119-reports.md +0 -236
  234. package/skills/qa-test-reporter/references/report-formats.md +0 -287
  235. package/skills/qa-test-reviewer/SKILL.md +0 -142
  236. package/skills/qa-test-reviewer/references/anti-patterns.md +0 -268
  237. package/skills/qa-test-reviewer/references/review-checklist.md +0 -93
  238. package/skills/qa-test-strategy/SKILL.md +0 -133
  239. package/skills/qa-test-strategy/references/entry-exit-criteria.md +0 -176
  240. package/skills/qa-test-strategy/references/risk-matrix.md +0 -102
  241. package/skills/qa-test-strategy/references/testing-types.md +0 -143
  242. package/skills/qa-testcase-from-docs/SKILL.md +0 -161
  243. package/skills/qa-testcase-from-docs/references/test-case-format.md +0 -196
  244. package/skills/qa-testcase-from-docs/references/test-design-techniques.md +0 -126
  245. package/skills/qa-testcase-from-docs/templates/test-case-template.md +0 -31
  246. package/skills/qa-testcase-from-ui/SKILL.md +0 -109
  247. package/skills/qa-testcase-from-ui/references/ui-element-patterns.md +0 -126
  248. package/skills/qa-testcase-from-ui/references/visual-analysis-guide.md +0 -146
  249. package/skills/qa-testcase-from-ui/templates/test-case-template.md +0 -31
  250. package/skills/qa-visual-regression-writer/SKILL.md +0 -175
  251. package/skills/qa-visual-regression-writer/references/best-practices.md +0 -154
  252. package/skills/qa-visual-regression-writer/references/config.md +0 -220
  253. package/skills/qa-visual-regression-writer/references/patterns.md +0 -213
  254. package/skills/qa-vitest-writer/SKILL.md +0 -141
  255. package/skills/qa-vitest-writer/references/assertions.md +0 -105
  256. package/skills/qa-vitest-writer/references/best-practices.md +0 -62
  257. package/skills/qa-vitest-writer/references/config.md +0 -127
  258. package/skills/qa-vitest-writer/references/patterns.md +0 -141
  259. package/skills/qa-webdriverio-writer/SKILL.md +0 -145
  260. package/skills/qa-webdriverio-writer/references/best-practices.md +0 -176
  261. package/skills/qa-webdriverio-writer/references/config.md +0 -240
  262. package/skills/qa-webdriverio-writer/references/patterns.md +0 -269
@@ -1,177 +0,0 @@
1
- ---
2
- name: qa-nfr-analyst
3
- description: Dedicated non-functional requirements analysis per ISO/IEC 25010 quality model covering performance, security, usability, reliability, maintainability, and portability.
4
- output_dir: docs/nfr
5
- ---
6
-
7
- # QA NFR Analyst
8
-
9
- ## Purpose
10
-
11
- Analyze and document non-functional requirements (NFRs) per ISO/IEC 25010 quality characteristics. Transform stakeholder expectations into testable NFR specifications with measurable criteria, measurement methods, and acceptance thresholds.
12
-
13
- ## ISO 25010 Quality Characteristics
14
-
15
- | Characteristic | Sub-Characteristics |
16
- |----------------|---------------------|
17
- | **Performance Efficiency** | Time behavior, resource utilization, capacity |
18
- | **Security** | Confidentiality, integrity, non-repudiation, accountability, authenticity |
19
- | **Usability** | Appropriateness recognizability, learnability, operability, user error protection, accessibility |
20
- | **Reliability** | Maturity, availability, fault tolerance, recoverability |
21
- | **Maintainability** | Modularity, reusability, analysability, modifiability, testability |
22
- | **Portability** | Adaptability, installability, replaceability |
23
-
24
- See `references/iso-25010-model.md` for full definitions and measurement examples.
25
-
26
- ## Defining Testable Criteria
27
-
28
- For each characteristic, define:
29
-
30
- 1. **Criterion:** Specific, measurable statement (e.g., "API response time p95 ≤ 500ms")
31
- 2. **Measurement method:** How to verify (load test, static analysis, manual inspection)
32
- 3. **Target/threshold:** Acceptable value or range
33
- 4. **Environment:** Conditions under which measurement applies
34
-
35
- ### Example by Characteristic
36
-
37
- | Characteristic | Testable Criterion | Measurement Method |
38
- |----------------|-------------------|-------------------|
39
- | Performance | p95 response time ≤ 500ms | k6/Locust load test |
40
- | Security | No OWASP Top 10 findings | OWASP ZAP scan |
41
- | Usability | WCAG 2.2 AA compliance | axe-core, manual audit |
42
- | Reliability | 99.9% uptime | Monitoring over 30 days |
43
- | Maintainability | Cyclomatic complexity ≤ 10 | SonarQube |
44
- | Portability | Runs on Node 18+ | CI matrix build |
45
-
46
- ## Accessibility (WCAG 2.2)
47
-
48
- Use `references/wcag-checklist.md` for the full success criteria checklist.
49
-
50
- ### Levels
51
-
52
- - **Level A:** Minimum; required for basic accessibility
53
- - **Level AA:** Common target; addresses major barriers
54
- - **Level AAA:** Enhanced; highest conformance
55
-
56
- ### Key Checkpoints
57
-
58
- - 1.1.1 Non-text content (alt text)
59
- - 1.3.1 Info and relationships (semantic structure)
60
- - 1.4.3 Contrast (minimum 4.5:1)
61
- - 2.1.1 Keyboard (all functionality)
62
- - 2.4.7 Focus visible
63
- - 4.1.2 Name, role, value (ARIA)
64
-
65
- ## Security (OWASP WSTG)
66
-
67
- Use `references/owasp-wstg-baseline.md` for baseline scenarios.
68
-
69
- ### Baseline Categories
70
-
71
- | Category | Coverage |
72
- |----------|----------|
73
- | **Injection** | SQL, NoSQL, OS, LDAP, XSS |
74
- | **Authentication** | Credential strength, lockout, MFA |
75
- | **Session Management** | Token handling, timeout, fixation |
76
- | **Access Control** | IDOR, privilege escalation, CORS |
77
- | **Cryptography** | TLS, hashing, key management |
78
- | **Error Handling** | Stack traces, info disclosure |
79
-
80
- ## Performance (SLA Template)
81
-
82
- Use this template for SLA definitions:
83
-
84
- ```
85
- Response Time:
86
- - p50: ≤ {value}ms
87
- - p95: ≤ {value}ms
88
- - p99: ≤ {value}ms
89
-
90
- Throughput:
91
- - Requests/second: ≥ {value}
92
- - Concurrent users: ≥ {value}
93
-
94
- Error Rate:
95
- - Target: ≤ {value}%
96
- - Under load: ≤ {value}%
97
-
98
- Availability:
99
- - Target: ≥ {value}% (e.g., 99.9%)
100
- - Measurement window: 30 days rolling
101
- ```
102
-
103
- ## Output Format
104
-
105
- Produce an **NFR Specification Document** with:
106
-
107
- ```
108
- 1. Introduction
109
- - Purpose, scope, definitions
110
-
111
- 2. Quality Requirements by Characteristic
112
- [NFR-PERF-001] Response Time
113
- Criterion: API p95 ≤ 500ms
114
- Measurement: Load test, k6
115
- Target: 500ms
116
- Environment: Staging, 100 concurrent users
117
-
118
- [NFR-SEC-001] Injection Resistance
119
- Criterion: No SQL/NoSQL injection
120
- Measurement: OWASP ZAP, manual
121
- Target: Zero findings
122
- ...
123
-
124
- 3. Accessibility (WCAG 2.2)
125
- - Level: AA
126
- - Checklist: [reference to wcag-checklist.md]
127
-
128
- 4. Security Baseline (OWASP WSTG)
129
- - Scenarios: [reference to owasp-wstg-baseline.md]
130
-
131
- 5. SLA Summary
132
- - Response time, throughput, availability
133
- ```
134
-
135
- ## Scope
136
-
137
- **Can do (autonomous):**
138
- - Analyze NFRs from requirements docs, stakeholder input, or code
139
- - Generate NFR specification with testable criteria
140
- - Map to ISO 25010 characteristics
141
- - Produce WCAG 2.2 and OWASP WSTG checklists
142
- - Define SLA templates
143
- - Call qa-diagram-generator for quality model diagrams
144
-
145
- **Cannot do (requires confirmation):**
146
- - Change business-defined SLAs or compliance targets
147
- - Override stakeholder accessibility/security decisions
148
-
149
- **Will not do (out of scope):**
150
- - Execute load tests or security scans
151
- - Implement fixes for NFR violations
152
- - Deploy or modify production systems
153
-
154
- ## MCP Tools Used
155
-
156
- - **Sequential Thinking MCP:** For decomposition of complex NFRs into testable criteria; use when analyzing multi-characteristic requirements or reconciling conflicting targets.
157
-
158
- ## Quality Checklist
159
-
160
- - [ ] Every NFR has a unique ID (NFR-{CHAR}-{number})
161
- - [ ] All criteria are measurable (no vague terms)
162
- - [ ] Measurement method specified for each criterion
163
- - [ ] Thresholds/targets are explicit
164
- - [ ] WCAG level (A/AA/AAA) specified if accessibility applies
165
- - [ ] OWASP WSTG baseline referenced if security applies
166
- - [ ] SLA template filled with concrete values
167
- - [ ] No duplicate or conflicting criteria
168
-
169
- ## Troubleshooting
170
-
171
- | Symptom | Likely Cause | Fix |
172
- |---------|--------------|-----|
173
- | Vague NFRs ("fast", "secure") | Stakeholder language | Ask for quantifiable targets; suggest industry benchmarks |
174
- | Conflicting targets | Multiple stakeholders | Use Sequential Thinking to decompose; flag for prioritization |
175
- | Missing measurement method | Criterion not testable | Add tool/method (k6, ZAP, axe-core, etc.) |
176
- | WCAG level unclear | Accessibility scope undefined | Default to AA; ask if AAA needed |
177
- | OWASP scope too broad | Full WSTG is large | Use baseline scenarios; expand per risk assessment |
@@ -1,159 +0,0 @@
1
- # ISO/IEC 25010 Product Quality Model Reference
2
-
3
- ISO/IEC 25010 defines a product quality model for software and systems. This reference covers the eight core characteristics (ISO 25010:2011) widely used in NFR analysis. ISO 25010:2023 adds Compatibility, renames Usability to Interaction Capability, and introduces Safety.
4
-
5
- ---
6
-
7
- ## 1. Performance Efficiency
8
-
9
- Degree to which a product performs its functions within stated time and resource constraints.
10
-
11
- | Sub-characteristic | Definition | Measurement Examples |
12
- |--------------------|------------|----------------------|
13
- | **Time behavior** | Response time, throughput, processing time | p50/p95/p99 latency (ms), requests/sec, time to first byte |
14
- | **Resource utilization** | Amount of resources used relative to capacity | CPU %, memory MB, disk I/O, network bandwidth |
15
- | **Capacity** | Maximum limits of product parameters | Concurrent users, max throughput, data volume limits |
16
-
17
- **Testable criteria:**
18
- - API response time ≤ X ms at p95
19
- - Page load time ≤ Y seconds
20
- - Throughput ≥ Z requests/second under load
21
- - Memory usage ≤ W MB under normal operation
22
-
23
- ---
24
-
25
- ## 2. Security
26
-
27
- Degree to which a product protects information and data so that persons or other products have the appropriate degree of data access control.
28
-
29
- | Sub-characteristic | Definition | Measurement Examples |
30
- |--------------------|------------|----------------------|
31
- | **Confidentiality** | Data accessible only to authorized entities | Encryption at rest/transit, access controls, data masking |
32
- | **Integrity** | Data accuracy and consistency | Checksums, signatures, tamper detection |
33
- | **Non-repudiation** | Actions attributable to entities | Audit logs, digital signatures |
34
- | **Accountability** | Actions traceable to responsible entities | User attribution, audit trails |
35
- | **Authenticity** | Identity of entities can be verified | Authentication, certificate validation |
36
-
37
- **Testable criteria:**
38
- - All sensitive data encrypted (TLS 1.2+)
39
- - Authentication required for protected resources
40
- - Audit logs capture critical actions
41
- - Input validation prevents injection
42
-
43
- ---
44
-
45
- ## 3. Usability (Interaction Capability in 25010:2023)
46
-
47
- Degree to which a product can be used by specified users to achieve specified goals with effectiveness, efficiency, and satisfaction.
48
-
49
- | Sub-characteristic | Definition | Measurement Examples |
50
- |--------------------|------------|----------------------|
51
- | **Appropriateness recognizability** | Users can recognize suitability for their needs | Task completion rate, user surveys |
52
- | **Learnability** | Users can learn to use the product | Time to first task, help usage, training time |
53
- | **Operability** | Users can operate and control the product | Error rate, task completion time, clicks to goal |
54
- | **User error protection** | System protects against user errors | Confirmation dialogs, undo, validation feedback |
55
- | **User interface aesthetics** | UI is pleasing and satisfying | SUS score, satisfaction surveys |
56
- | **Accessibility** | Product usable by people with disabilities | WCAG conformance, screen reader compatibility |
57
-
58
- **Testable criteria:**
59
- - WCAG 2.2 Level AA conformance
60
- - Task completion rate ≥ X%
61
- - Time to complete key task ≤ Y minutes
62
- - Error recovery available for destructive actions
63
-
64
- ---
65
-
66
- ## 4. Reliability
67
-
68
- Degree to which a product performs specified functions under specified conditions for a specified period of time.
69
-
70
- | Sub-characteristic | Definition | Measurement Examples |
71
- |--------------------|------------|----------------------|
72
- | **Maturity** | Product meets reliability needs under normal use | Defect density, failure rate |
73
- | **Availability** | Product is operational when required | Uptime %, MTBF, planned downtime |
74
- | **Fault tolerance** | Product operates despite hardware/software faults | Graceful degradation, redundancy |
75
- | **Recoverability** | Product can recover data and restore service | RTO, RPO, backup/restore success |
76
-
77
- **Testable criteria:**
78
- - Availability ≥ 99.9% (excluding planned maintenance)
79
- - RTO ≤ X minutes
80
- - RPO ≤ Y minutes
81
- - Automatic failover within Z seconds
82
-
83
- ---
84
-
85
- ## 5. Maintainability
86
-
87
- Degree of effectiveness and efficiency with which a product can be modified.
88
-
89
- | Sub-characteristic | Definition | Measurement Examples |
90
- |--------------------|------------|----------------------|
91
- | **Modularity** | Components have minimal coupling | Cyclomatic complexity, coupling metrics |
92
- | **Reusability** | Components can be used in other systems | Component reuse count, API stability |
93
- | **Analysability** | Impact of defects can be diagnosed | Logging, tracing, observability |
94
- | **Modifiability** | Product can be modified without defects | Change impact analysis, regression rate |
95
- | **Testability** | Product can be effectively tested | Test coverage, test execution time |
96
-
97
- **Testable criteria:**
98
- - Cyclomatic complexity ≤ 10 per function
99
- - Test coverage ≥ 80% for critical paths
100
- - Deployment time ≤ X minutes
101
- - Documentation exists for public APIs
102
-
103
- ---
104
-
105
- ## 6. Portability (Flexibility in 25010:2023)
106
-
107
- Degree to which a product can be transferred from one environment to another.
108
-
109
- | Sub-characteristic | Definition | Measurement Examples |
110
- |--------------------|------------|----------------------|
111
- | **Adaptability** | Product can be adapted to different environments | Config-driven behavior, environment variables |
112
- | **Installability** | Product can be installed in specified environments | Install success rate, install time |
113
- | **Replaceability** | Product can replace another for the same purpose | API compatibility, migration scripts |
114
-
115
- **Testable criteria:**
116
- - Runs on specified OS/browser matrix
117
- - Installation script completes without manual intervention
118
- - Configuration externalized (no hardcoded env-specific values)
119
-
120
- ---
121
-
122
- ## 7. Compatibility (25010:2023)
123
-
124
- Degree to which a product can exchange information with other products and perform required functions while sharing the same environment.
125
-
126
- | Sub-characteristic | Definition | Measurement Examples |
127
- |--------------------|------------|----------------------|
128
- | **Coexistence** | Product functions when other products are present | No conflicts, shared resource handling |
129
- | **Interoperability** | Product can exchange information with other products | API compatibility, data format support |
130
-
131
- ---
132
-
133
- ## 8. Functional Suitability
134
-
135
- Degree to which a product provides functions that meet stated and implied needs.
136
-
137
- | Sub-characteristic | Definition | Measurement Examples |
138
- |--------------------|------------|----------------------|
139
- | **Functional completeness** | All required functions present | Requirement coverage |
140
- | **Functional correctness** | Functions produce correct results | Pass/fail test results |
141
- | **Functional appropriateness** | Functions support the task | User acceptance, task fit |
142
-
143
- ---
144
-
145
- ## Quality Attribute Relationships
146
-
147
- ```
148
- Performance ←→ Security (encryption overhead)
149
- Usability ←→ Accessibility (WCAG)
150
- Reliability ←→ Maintainability (observability)
151
- Portability ←→ Maintainability (modularity)
152
- ```
153
-
154
- ---
155
-
156
- ## References
157
-
158
- - ISO/IEC 25010:2011 Systems and software engineering — Systems and software Quality Requirements and Evaluation (SQuaRE) — Product quality model
159
- - ISO/IEC 25010:2023 (Edition 2) — Updated model with Compatibility, Safety, Interaction Capability, Flexibility
@@ -1,202 +0,0 @@
1
- # OWASP Web Security Testing Guide — Baseline Scenarios
2
-
3
- Baseline security testing scenarios aligned with OWASP WSTG v4.2. Use for NFR security criteria and test case design.
4
-
5
- ---
6
-
7
- ## 4.1 Information Gathering
8
-
9
- | ID | Scenario | Test Objective |
10
- |----|----------|----------------|
11
- | WSTG-INFO-01 | Conduct Search Engine Discovery | Identify sensitive info exposed via search engines |
12
- | WSTG-INFO-02 | Fingerprint Web Server | Identify server type, version, technologies |
13
- | WSTG-INFO-03 | Review Webserver Metafiles | Check robots.txt, sitemap.xml, .well-known for sensitive paths |
14
- | WSTG-INFO-04 | Enumerate Applications on Webserver | Discover hidden apps, admin panels, backup files |
15
- | WSTG-INFO-05 | Review Webpage Content and Metadata | Extract comments, version info, credentials in source |
16
- | WSTG-INFO-06 | Identify Application Entry Points | Map all inputs: forms, URLs, headers, cookies |
17
- | WSTG-INFO-07 | Map Execution Paths Through Application | Trace user flows and data flow |
18
- | WSTG-INFO-08 | Review File Extensions Handled | Identify handlers for unusual extensions |
19
- | WSTG-INFO-09 | Analyze Web Application Architecture | Document tiers, trust boundaries, data flow |
20
- | WSTG-INFO-10 | Review HTTP Methods | Test allowed methods (GET, POST, PUT, DELETE, etc.) |
21
-
22
- ---
23
-
24
- ## 4.2 Configuration and Deployment Management
25
-
26
- | ID | Scenario | Test Objective |
27
- |----|----------|----------------|
28
- | WSTG-CONF-01 | Test Network/Infrastructure Configuration | Verify firewall, load balancer, TLS config |
29
- | WSTG-CONF-02 | Test Application Platform Configuration | Check default credentials, sample apps, debug mode |
30
- | WSTG-CONF-03 | Test File Extensions Handling | Verify dangerous extensions blocked |
31
- | WSTG-CONF-04 | Review Old, Backup, Unreferenced Files | Find backup, temp, old files |
32
- | WSTG-CONF-05 | Enumerate Infrastructure and Admin Interfaces | Discover admin, debug, monitoring endpoints |
33
- | WSTG-CONF-06 | Test HTTP Methods | Verify unnecessary methods disabled |
34
- | WSTG-CONF-07 | Test HTTP Strict Transport Security | Verify HSTS header, redirect to HTTPS |
35
- | WSTG-CONF-08 | Test RIA Cross Domain Policy | Check crossdomain.xml, clientaccesspolicy.xml |
36
- | WSTG-CONF-09 | Test File Permission | Verify file permissions restrict access |
37
- | WSTG-CONF-10 | Test for Subdomain Takeover | Check dangling DNS records |
38
-
39
- ---
40
-
41
- ## 4.3 Identity Management
42
-
43
- | ID | Scenario | Test Objective |
44
- |----|----------|----------------|
45
- | WSTG-IDEN-01 | Test Role Definitions | Verify roles and permissions defined correctly |
46
- | WSTG-IDEN-02 | Test User Registration Process | Test registration validation, duplicate handling |
47
- | WSTG-IDEN-03 | Test Account Provisioning Process | Verify provisioning workflows, approval |
48
- | WSTG-IDEN-04 | Testing for Account Enumeration | Check if valid/invalid usernames distinguishable |
49
- | WSTG-IDEN-05 | Testing for Weak or Unenforced Username Policy | Test username rules, predictability |
50
-
51
- ---
52
-
53
- ## 4.4 Authentication Testing
54
-
55
- | ID | Scenario | Test Objective |
56
- |----|----------|----------------|
57
- | WSTG-ATHN-01 | Testing for Credentials Transported over Encrypted Channel | Verify login over HTTPS only |
58
- | WSTG-ATHN-02 | Testing for Default Credentials | Check default admin/user credentials |
59
- | WSTG-ATHN-03 | Testing for Weak Lock Out Mechanism | Test account lockout, brute-force protection |
60
- | WSTG-ATHN-04 | Testing for Bypassing Authentication Schema | Test direct object reference, token manipulation |
61
- | WSTG-ATHN-05 | Testing for Vulnerable Remember Password | Test secure storage of credentials |
62
- | WSTG-ATHN-06 | Testing for Browser Cache Weaknesses | Verify sensitive data not cached |
63
- | WSTG-ATHN-07 | Testing for Weak Password Policy | Test password complexity, history |
64
- | WSTG-ATHN-08 | Testing for Weak Security Question/Answer | Test predictability of security questions |
65
- | WSTG-ATHN-09 | Testing for Weak Password Change or Reset | Test reset flow for token predictability |
66
- | WSTG-ATHN-10 | Testing for Weaker Authentication in Alternative Channel | Test fallback auth (e.g., SMS) |
67
-
68
- ---
69
-
70
- ## 4.5 Authorization (Access Control) Testing
71
-
72
- | ID | Scenario | Test Objective |
73
- |----|----------|----------------|
74
- | WSTG-ATHZ-01 | Testing Directory Traversal/File Include | Test path traversal (../, absolute paths) |
75
- | WSTG-ATHZ-02 | Testing for Bypassing Authorization Schema | Test horizontal/vertical privilege escalation |
76
- | WSTG-ATHZ-03 | Testing for Privilege Escalation | Test role elevation, IDOR |
77
- | WSTG-ATHZ-04 | Testing for Insecure Direct Object References | Test predictable IDs, access to others' data |
78
- | WSTG-ATHZ-05 | Testing for Missing Function Level Access Control | Test direct access to admin functions |
79
-
80
- ---
81
-
82
- ## 4.6 Session Management Testing
83
-
84
- | ID | Scenario | Test Objective |
85
- |----|----------|----------------|
86
- | WSTG-SESS-01 | Testing for Session Management Schema | Verify session ID entropy, lifecycle |
87
- | WSTG-SESS-02 | Testing for Cookie Attributes | Check HttpOnly, Secure, SameSite |
88
- | WSTG-SESS-03 | Testing for Session Fixation | Test session ID reuse after login |
89
- | WSTG-SESS-04 | Testing for Exposed Session Variables | Check session data in URL, logs |
90
- | WSTG-SESS-05 | Testing for Cross-Site Request Forgery | Test CSRF tokens, SameSite cookies |
91
- | WSTG-SESS-06 | Testing for Logout Functionality | Verify session invalidation on logout |
92
- | WSTG-SESS-07 | Testing for Session Timeout | Verify timeout and re-auth |
93
- | WSTG-SESS-08 | Testing for Session Puzzling | Test session variable confusion |
94
- | WSTG-SESS-09 | Testing for Session Hijacking | Test session fixation, prediction |
95
-
96
- ---
97
-
98
- ## 4.7 Input Validation Testing (Injection)
99
-
100
- | ID | Scenario | Test Objective |
101
- |----|----------|----------------|
102
- | WSTG-INPV-01 | Testing for Reflected Cross-Site Scripting (XSS) | Test reflected XSS in all inputs |
103
- | WSTG-INPV-02 | Testing for Stored Cross-Site Scripting (XSS) | Test stored XSS in persistent storage |
104
- | WSTG-INPV-03 | Testing for HTTP Verb Tampering | Test method override, verb confusion |
105
- | WSTG-INPV-04 | Testing for HTTP Parameter Pollution | Test duplicate parameters, HPP |
106
- | WSTG-INPV-05 | Testing for SQL Injection | Test SQLi in all query inputs |
107
- | WSTG-INPV-06 | Testing for LDAP Injection | Test LDAP filter injection |
108
- | WSTG-INPV-07 | Testing for XML Injection | Test XXE, XPath injection |
109
- | WSTG-INPV-08 | Testing for SSI Injection | Test server-side includes |
110
- | WSTG-INPV-09 | Testing for XPath Injection | Test XPath in XML queries |
111
- | WSTG-INPV-10 | Testing for IMAP/SMTP Injection | Test mail-related injection |
112
- | WSTG-INPV-11 | Testing for Code Injection | Test OS command, script injection |
113
- | WSTG-INPV-12 | Testing for Local File Inclusion | Test LFI, path traversal |
114
- | WSTG-INPV-13 | Testing for Remote File Inclusion | Test RFI |
115
- | WSTG-INPV-14 | Testing for Command Injection | Test OS command injection |
116
- | WSTG-INPV-15 | Testing for Format String Injection | Test format string bugs |
117
- | WSTG-INPV-16 | Testing for Incubated Vulnerability | Test delayed/stored injection |
118
- | WSTG-INPV-17 | Testing for HTTP Splitting/Smuggling | Test CRLF, request smuggling |
119
- | WSTG-INPV-18 | Testing for Host Header Injection | Test Host header manipulation |
120
- | WSTG-INPV-19 | Testing for Server-Side Template Injection | Test SSTI in templating engines |
121
- | WSTG-INPV-20 | Testing for Server-Side Request Forgery | Test SSRF to internal resources |
122
-
123
- ---
124
-
125
- ## 4.8 Error Handling Testing
126
-
127
- | ID | Scenario | Test Objective |
128
- |----|----------|----------------|
129
- | WSTG-ERRH-01 | Testing for Improper Error Handling | Verify no stack traces, paths, versions in errors |
130
- | WSTG-ERRH-02 | Testing for Stack Traces | Ensure stack traces disabled in production |
131
- | WSTG-ERRH-03 | Testing for Improper Error Handling - Oracle | Test error-based information disclosure |
132
- | WSTG-ERRH-04 | Testing for Improper Error Handling - Empty Responses | Test empty/blank error responses |
133
- | WSTG-ERRH-05 | Testing for Improper Error Handling - SQL | Test SQL error disclosure |
134
- | WSTG-ERRH-06 | Testing for Improper Error Handling - XML | Test XML error disclosure |
135
-
136
- ---
137
-
138
- ## 4.9 Cryptography Testing
139
-
140
- | ID | Scenario | Test Objective |
141
- |----|----------|----------------|
142
- | WSTG-CRYP-01 | Testing for Weak Transport Layer Security | Verify TLS 1.2+, strong ciphers, no SSL |
143
- | WSTG-CRYP-02 | Testing for Padding Oracle | Test padding oracle in crypto |
144
- | WSTG-CRYP-03 | Testing for Sensitive Data Sent via Unencrypted Channels | Verify no sensitive data over HTTP |
145
- | WSTG-CRYP-04 | Testing for Weak Encryption | Check algorithm strength, key management |
146
- | WSTG-CRYP-05 | Testing for Insufficient Entropy | Test PRNG, session ID entropy |
147
-
148
- ---
149
-
150
- ## 4.10 Business Logic Testing
151
-
152
- | ID | Scenario | Test Objective |
153
- |----|----------|----------------|
154
- | WSTG-BUSL-01 | Test Business Logic Data Validation | Test workflow bypass, negative amounts |
155
- | WSTG-BUSL-02 | Test Ability to Forge Requests | Test parameter tampering, replay |
156
- | WSTG-BUSL-03 | Test Integrity Checks | Test checksum, signature bypass |
157
- | WSTG-BUSL-04 | Test for Process Timing | Test race conditions, TOCTOU |
158
- | WSTG-BUSL-05 | Test for Function-Specific Input Validation | Test business rule enforcement |
159
- | WSTG-BUSL-06 | Test for Content Spoofing | Test content injection, defacement |
160
- | WSTG-BUSL-07 | Test for Application Logic Flaws | Test workflow, state machine bypass |
161
- | WSTG-BUSL-08 | Test for Upload of Unexpected File Types | Test file upload validation |
162
- | WSTG-BUSL-09 | Test for Upload of Malicious Files | Test malware upload, polyglot files |
163
-
164
- ---
165
-
166
- ## 4.11 Client-Side Testing
167
-
168
- | ID | Scenario | Test Objective |
169
- |----|----------|----------------|
170
- | WSTG-CLNT-01 | Testing for DOM-Based Cross-Site Scripting | Test DOM XSS, client-side injection |
171
- | WSTG-CLNT-02 | Testing for JavaScript Execution | Test script injection in sinks |
172
- | WSTG-CLNT-03 | Testing for HTML Injection | Test HTML injection, attribute injection |
173
- | WSTG-CLNT-04 | Testing for Client-Side URL Redirect | Test open redirect, parameter injection |
174
- | WSTG-CLNT-05 | Testing for CORS Misconfiguration | Test CORS origin validation |
175
- | WSTG-CLNT-06 | Testing for Cross-Domain Data Leakage | Test postMessage, CORS leakage |
176
- | WSTG-CLNT-07 | Testing for Cross-Site Flashing | Test Flash-based XSS |
177
- | WSTG-CLNT-08 | Testing for Clickjacking | Test X-Frame-Options, frame busting |
178
- | WSTG-CLNT-09 | Testing for WebSocket Security | Test WebSocket auth, message validation |
179
- | WSTG-CLNT-10 | Testing for Web Messaging | Test postMessage origin validation |
180
- | WSTG-CLNT-11 | Testing for Browser Storage | Test localStorage/sessionStorage for sensitive data |
181
- | WSTG-CLNT-12 | Testing for Cross-Site Script Inclusion | Test XSSI, JSONP callback injection |
182
-
183
- ---
184
-
185
- ## Baseline Test Set (Minimum)
186
-
187
- For NFR security criteria, prioritize:
188
-
189
- 1. **Injection**: WSTG-INPV-01, 02, 05 (XSS, SQLi)
190
- 2. **Authentication**: WSTG-ATHN-01, 03, 07 (TLS, lockout, password policy)
191
- 3. **Session**: WSTG-SESS-02, 05, 06 (cookies, CSRF, logout)
192
- 4. **Access Control**: WSTG-ATHZ-02, 04 (privilege escalation, IDOR)
193
- 5. **Cryptography**: WSTG-CRYP-01, 03 (TLS, unencrypted channels)
194
- 6. **Error Handling**: WSTG-ERRH-01, 02 (no info disclosure)
195
-
196
- ---
197
-
198
- ## References
199
-
200
- - [OWASP WSTG v4.2](https://owasp.org/www-project-web-security-testing-guide/v42/)
201
- - [OWASP WSTG Stable](https://owasp.org/www-project-web-security-testing-guide/stable/)
202
- - [OWASP Testing Guide GitHub](https://github.com/OWASP/wstg)