qa-skills 3.0.0

package/skills/qa-locust-writer/references/patterns.md

@@ -0,0 +1,235 @@
+# Locust Patterns
+
+## User Classes (HttpUser)
+
+### Basic HttpUser
+
+```python
+from locust import HttpUser, task, between
+
+class ApiUser(HttpUser):
+    wait_time = between(1, 3)
+
+    @task
+    def get_health(self):
+        self.client.get("/health")
+
+    @task(weight=3)
+    def get_items(self):
+        self.client.get("/api/items")
+
+    @task(weight=1)
+    def create_item(self):
+        self.client.post("/api/items", json={"name": "test"})
+```
+
+### Multiple User Classes
+
+```python
+class ReadOnlyUser(HttpUser):
+    wait_time = between(2, 5)
+    weight = 3  # 3x more likely to spawn
+
+    @task
+    def browse(self):
+        self.client.get("/api/items")
+        self.client.get("/api/items/1")
+
+class WriteUser(HttpUser):
+    wait_time = between(1, 2)
+    weight = 1
+
+    @task
+    def create_and_update(self):
+        r = self.client.post("/api/items", json={"name": "new"})
+        if r.status_code == 201:
+            item_id = r.json()["id"]
+            self.client.put(f"/api/items/{item_id}", json={"name": "updated"})
+```
+
+### on_start / on_stop
+
+```python
+class AuthenticatedUser(HttpUser):
+    wait_time = between(1, 2)
+
+    def on_start(self):
+        """Run once per user when spawned."""
+        r = self.client.post("/auth/login", json={"user": "test", "pass": "secret"})
+        self.token = r.json()["token"]
+
+    def on_stop(self):
+        """Run when user stops (e.g., test end)."""
+        self.client.post("/auth/logout", headers={"Authorization": f"Bearer {self.token}"})
+
+    @task
+    def get_profile(self):
+        self.client.get("/profile", headers={"Authorization": f"Bearer {self.token}"})
+```
+
+## TaskSets
+
+### Nested TaskSets
+
+```python
+from locust import HttpUser, task, TaskSet, between
+
+class BrowseTasks(TaskSet):
+    @task
+    def list_items(self):
+        self.client.get("/api/items")
+
+    @task
+    def view_item(self):
+        self.client.get("/api/items/1")
+
+class CheckoutTasks(TaskSet):
+    @task
+    def add_to_cart(self):
+        self.client.post("/api/cart", json={"item_id": 1, "qty": 1})
+
+    @task
+    def checkout(self):
+        self.client.post("/api/checkout", json={"payment": "card"})
+
+class WebUser(HttpUser):
+    wait_time = between(1, 3)
+    tasks = [BrowseTasks, CheckoutTasks]
+```
+
+### Interrupt (stop TaskSet)
+
+```python
+class CheckoutFlow(TaskSet):
+    @task
+    def complete_checkout(self):
+        self.client.post("/api/cart", json={"item_id": 1})
+        self.client.post("/api/checkout")
+        self.interrupt()  # Return to parent tasks
+```
+
+## Wait Time
+
+| Type | Usage | Behavior |
+| ---- | ----- | -------- |
+| `between(min, max)` | Random uniform | Wait min–max seconds |
+| `constant(n)` | Fixed | Wait n seconds every time |
+| `constant_pacing(n)` | Rate-based | Maintain ~1/n seconds between requests |
+
+```python
+from locust import between, constant, constant_pacing
+
+wait_time = between(1, 5)      # 1–5 sec between tasks
+wait_time = constant(2)        # Always 2 sec
+wait_time = constant_pacing(1) # ~1 req/sec per user
+```
+
+## Load Shapes (LoadTestShape)
+
+### Ramp-Up / Ramp-Down
+
+```python
+from locust import LoadTestShape
+
+class RampShape(LoadTestShape):
+    min_users = 0
+    peak_users = 100
+    time_limit = 300  # 5 min
+
+    def tick(self):
+        run_time = self.get_run_time()
+        if run_time < 60:
+            return (int(run_time * self.peak_users / 60), 10)  # Ramp up
+        elif run_time < 240:
+            return (self.peak_users, 10)  # Sustain
+        elif run_time < self.time_limit:
+            return (int(self.peak_users * (300 - run_time) / 60), 10)  # Ramp down
+        return None  # Stop
+```
+
+### Spike Test
+
+```python
+class SpikeShape(LoadTestShape):
+    def tick(self):
+        run_time = self.get_run_time()
+        if run_time < 30:
+            return (10, 5)   # Baseline
+        elif run_time < 60:
+            return (500, 50) # Spike
+        elif run_time < 90:
+            return (10, 5)   # Recovery
+        return None
+```
+
+### Soak (Endurance) Test
+
+```python
+class SoakShape(LoadTestShape):
+    def tick(self):
+        run_time = self.get_run_time()
+        if run_time < 60:
+            return (50, 10)   # Ramp to 50 users
+        elif run_time < 3600: # 1 hour
+            return (50, 10)   # Hold
+        return None
+```
+
+## Event Hooks
+
+### Request Events
+
+```python
+from locust import events
+
+@events.request.add_listener
+def on_request(request_type, name, response_time, response_length, exception, **kwargs):
+    if exception:
+        print(f"Request failed: {name} - {exception}")
+
+@events.request.add_listener
+def log_slow_requests(request_type, name, response_time, **kwargs):
+    if response_time > 2000:  # ms
+        print(f"Slow: {name} took {response_time}ms")
+```
+
+### Test Lifecycle
+
+```python
+@events.test_start.add_listener
+def on_test_start(environment, **kwargs):
+    print("Load test starting")
+
+@events.test_stop.add_listener
+def on_test_stop(environment, **kwargs):
+    print("Load test stopped")
+
+@events.init.add_listener
+def on_locust_init(environment, **kwargs):
+    # Custom init (e.g., setup connections)
+    pass
+```
+
+## Distributed Mode
+
+### Master
+
+```bash
+locust -f locustfile.py --master --expect-workers=4
+```
+
+### Workers
+
+```bash
+locust -f locustfile.py --worker --master-host=192.168.1.100
+```
+
+### Headless Distributed
+
+```bash
+# Master
+locust -f locustfile.py --master --expect-workers=4 --headless -u 1000 -r 50 -t 300s
+
+# Workers (run on separate machines)
+locust -f locustfile.py --worker --master-host=<master-ip>
+```

package/skills/qa-manual-test-designer/SKILL.md

@@ -0,0 +1,145 @@
+---
+name: qa-manual-test-designer
+description: Design manual test cases and exploratory testing charters using specification-based techniques, risk-based prioritization, and persona-based testing approaches.
+output_dir: test-cases/manual
+---
+
+# QA Manual Test Designer
+
+## Purpose
+
+Design manual test cases and exploratory testing charters for human testers. Combines specification-based test models, risk-based prioritization, and persona-based testing to produce structured test case sets, exploratory session charters, and session report templates.
+
+## Trigger Phrases
+
+- "Design manual test cases for [feature]"
+- "Create exploratory testing charter" / "Exploratory charter for [area]"
+- "Manual test design from [spec/requirements]"
+- "Risk-based manual test prioritization"
+- "Persona-based test scenarios" / "Test as [Novice/Power User/Admin]"
+- "Session charter for [new feature/regression/security]"
+- "Manual test case set with decision tables"
+- "Exploratory session report template"
+
+## Specification-Based Test Models
+
+Use these models to derive structured manual test cases per ISO/IEC/IEEE 29119-4:
+
+| Model | When to Use | Output |
+| ----- | ----------- | ------ |
+| **Decision tables** | Multiple conditions affecting outcome (validation, business rules) | One test case per rule column |
+| **State transitions** | Workflows, lifecycle states, session management | Test cases for valid/invalid transitions |
+| **Scenario models** | User journeys, use case flows | Main flow, alternate flows, exception flows |
+| **Classification trees** | Complex input spaces (user type × action × data state) | Pairwise or coverage-based combinations |
+
+See `references/test-design-techniques.md` (from qa-testcase-from-docs) for technique details.
+
+## Exploratory Testing Session Charters
+
+Exploratory charters guide time-boxed sessions without scripting every step. Each charter includes:
+
+| Element | Description |
+| ------- | ----------- |
+| **Mission statement** | Clear, focused goal (e.g., "Explore checkout flow for guest users") |
+| **Test areas** | Scope: what to explore, what to skip |
+| **Time-box** | 25 / 45 / 90 min — choose based on scope and focus |
+| **Notes template** | Structured placeholders for observations, bugs, ideas |
+| **Debrief structure** | Post-session: what worked, what didn't, risks, follow-ups |
+
+See `references/exploratory-charters.md` for templates by scenario (new feature, regression, security, usability).
+
+## Risk-Based Test Prioritization for Manual Testing
+
+Prioritize manual test cases by risk when time is limited:
+
+| Factor | High Risk | Medium Risk | Low Risk |
+| ------ | --------- | ----------- | -------- |
+| **Business impact** | Revenue, compliance, safety | Core workflows | Nice-to-have |
+| **Change frequency** | Recently changed, new code | Moderate changes | Stable |
+| **Complexity** | Multi-step, integrations | Moderate logic | Simple |
+| **User exposure** | High-traffic paths | Common paths | Rare paths |
+
+**Output:** Prioritized test case list (P1/P2/P3) with rationale. Run P1 first when time-boxed.
+
+## Persona-Based Testing
+
+Test from different user perspectives to uncover diverse defects:
+
+| Persona | Focus | Typical Behaviors |
+| ------- | ----- | ----------------- |
+| **Novice User** | First-time, confused | Clicks randomly, ignores hints, gets lost |
+| **Power User** | Efficiency, edge cases | Keyboard shortcuts, bulk actions, advanced features |
+| **Attacker** | Malicious input, bypass | SQL injection, XSS, auth bypass, privilege escalation |
+| **Admin** | Configuration, permissions | Role setup, access control, audit logs |
+| **Mobile User** | Touch, small screen | Thumb reach, orientation, slow network |
+
+See `references/personas.md` for detailed behaviors, goals, and test scenarios per persona.
+
+## Outputs
+
+| Output Type | Format | Use Case |
+| ----------- | ------ | -------- |
+| **Manual test case set** | ID, Title, Steps, Expected Results, Priority | Structured execution |
+| **Exploratory charter** | Mission, areas, time-box, notes template | Session planning |
+| **Session report** | Findings, bugs, risks, follow-ups | Post-session debrief |
+
+## Workflow
+
+1. **Input:** Spec, requirements, or feature description
+2. **Model selection:** Choose test models (decision table, state, scenario, classification tree)
+3. **Derive test cases:** Generate manual test cases with steps and expected results
+4. **Prioritize:** Apply risk-based prioritization (P1/P2/P3)
+5. **Charters (optional):** Create exploratory charters for areas needing exploration
+6. **Personas (optional):** Add persona-based scenarios for coverage diversity
+7. **Output:** Manual test case set + charters + session report template
+
+## Scope
+
+**Can do (autonomous):**
+- Design manual test cases from specs/requirements using decision tables, state transitions, scenario models, classification trees
+- Create exploratory testing charters with mission, areas, time-box, notes template, debrief structure
+- Apply risk-based prioritization to manual test cases
+- Generate persona-based test scenarios (Novice, Power User, Attacker, Admin, Mobile User)
+- Produce session report templates for exploratory debriefs
+- Reference qa-diagram-generator for state/flow diagrams when needed
+
+**Cannot do (requires confirmation):**
+- Change scope or priority set by stakeholders
+- Override organizational test policy or risk thresholds
+- Assign testers or schedule sessions without approval
+
+**Will not do (out of scope):**
+- Write test automation code
+- Execute tests or run exploratory sessions
+- Modify production code or environments
+- Approve releases or sign-offs
+
+## Quality Checklist
+
+- [ ] Manual test cases have clear steps and measurable expected results
+- [ ] Preconditions and postconditions specified where relevant
+- [ ] Risk-based prioritization applied with documented rationale
+- [ ] Exploratory charters include mission, areas, time-box, notes template, debrief structure
+- [ ] Persona-based scenarios cover at least 2–3 personas when diversity is needed
+- [ ] Session report template includes findings, bugs, risks, follow-ups
+- [ ] No duplicate test cases for same scenario
+- [ ] Traceability to requirements/specs where applicable
+
+## Troubleshooting
+
+| Symptom | Likely Cause | Fix |
+| ------- | ------------ | --- |
+| Vague test steps | Spec lacks detail | Run qa-spec-writer first; add Given/When/Then |
+| Too many test cases | Exhaustive combination | Apply risk prioritization; focus on P1/P2 |
+| Charters too broad | Mission not focused | Narrow mission to single area or flow |
+| Persona scenarios generic | Persona not specific enough | Use `references/personas.md` for concrete behaviors |
+| Session reports incomplete | Missing debrief structure | Include: what worked, what didn't, risks, follow-ups |
+| Low coverage diversity | Only happy path | Add persona-based and negative scenarios |
+
+## References
+
+| Topic | File |
+| ----- | ---- |
+| Exploratory charter templates | `references/exploratory-charters.md` |
+| Persona details & scenarios | `references/personas.md` |
+| Test design techniques | `references/test-design-techniques.md` (qa-testcase-from-docs) |

package/skills/qa-manual-test-designer/references/exploratory-charters.md

@@ -0,0 +1,138 @@
+# Exploratory Testing Charter Templates
+
+Charter templates for different exploratory testing scenarios. Each charter includes mission, test areas, time-box options, notes template, and debrief structure.
+
+---
+
+## New Feature Charter
+
+**Scenario:** First exploration of a newly implemented feature before formal test case execution.
+
+### Mission Statement
+Explore [feature name] to understand behavior, identify obvious defects, and map edge cases for follow-up test design.
+
+### Test Areas
+- **In scope:** [Feature name], [related flows], [configuration options]
+- **Out of scope:** [Unrelated modules], [performance], [automation]
+
+### Time-Box
+- **25 min:** Quick smoke of main flows
+- **45 min:** Main flows + 2–3 alternate paths
+- **90 min:** Full exploration including edge cases and error handling
+
+### Notes Template
+| Observation | Severity | Reproducible? | Notes |
+| ----------- | -------- | ------------- | ----- |
+| | | | |
+| | | | |
+
+**Bugs found:** [List IDs or brief descriptions]  
+**Ideas for test cases:** [Scenarios to formalize]  
+**Questions:** [Clarifications needed from dev/product]
+
+### Debrief Structure
+- **What worked:** Flows that behaved as expected
+- **What didn't:** Defects, confusing UX, missing validation
+- **Risks:** Areas not explored, assumptions, dependencies
+- **Follow-ups:** Test cases to add, bugs to file, areas for deeper exploration
+
+---
+
+## Regression Charter
+
+**Scenario:** Broad regression exploration after a release or significant change.
+
+### Mission Statement
+Explore [module/area] to verify core functionality after [change/release]. Focus on high-traffic paths and recently modified areas.
+
+### Test Areas
+- **In scope:** [Core flows], [changed modules], [integration points]
+- **Out of scope:** [Stable, low-risk areas], [new feature deep-dives]
+
+### Time-Box
+- **25 min:** Smoke of critical paths only
+- **45 min:** Critical + important paths
+- **90 min:** Full regression sweep with risk-based depth
+
+### Notes Template
+| Area Explored | Status | Issues |
+| ------------- | ------ | ------ |
+| | Pass / Fail / Blocked | |
+| | | |
+
+**Regression failures:** [List]  
+**New issues vs. known:** [Differentiate]  
+**Areas skipped (time):** [For follow-up]
+
+### Debrief Structure
+- **Pass/Fail summary:** Per area explored
+- **Blockers:** What prevented testing
+- **Comparison to baseline:** Better/worse/same vs. previous version
+- **Follow-ups:** Formal test cases for failures, retest plan
+
+---
+
+## Security Review Charter
+
+**Scenario:** Exploratory security-focused session (complements automated security scans).
+
+### Mission Statement
+Explore [feature/module] from a security perspective. Look for injection, auth bypass, data exposure, and privilege escalation risks.
+
+### Test Areas
+- **In scope:** [Auth flows], [input fields], [file upload], [API endpoints], [role-based access]
+- **Out of scope:** [Infrastructure], [third-party components]
+
+### Time-Box
+- **25 min:** Quick auth and input validation checks
+- **45 min:** Auth + input + basic access control
+- **90 min:** Full security review including session handling, CSRF, data exposure
+
+### Notes Template
+| Vulnerability Type | Location | Severity | Steps to Reproduce |
+| ------------------ | -------- | -------- | ------------------ |
+| | | Critical / High / Medium / Low | |
+| | | | |
+
+**Attack vectors tried:** [List]  
+**Recommendations:** [Mitigations, follow-up scans]
+
+### Debrief Structure
+- **Findings by severity:** Critical/High/Medium/Low
+- **False positives:** Checked and ruled out
+- **Areas not covered:** Time or tool limitations
+- **Follow-ups:** OWASP ZAP scan, penetration test, dev review
+
+---
+
+## Usability Review Charter
+
+**Scenario:** Exploratory usability and accessibility review.
+
+### Mission Statement
+Explore [feature/module] from a usability perspective. Assess clarity, discoverability, error handling, and accessibility for different user types.
+
+### Test Areas
+- **In scope:** [User flows], [error messages], [help text], [keyboard nav], [screen reader compatibility]
+- **Out of scope:** [Visual design polish], [performance]
+
+### Time-Box
+- **25 min:** First-time user flow, main friction points
+- **45 min:** First-time + power user flows, error handling
+- **90 min:** Full usability review including accessibility checks
+
+### Notes Template
+| Issue | Location | Type (Clarity / Discoverability / Error / A11y) | Severity |
+| ----- | -------- | ---------------------------------------------- | -------- |
+| | | | |
+| | | | |
+
+**Positive observations:** [What works well]  
+**User confusion points:** [Where users might get stuck]  
+**A11y findings:** [Keyboard, screen reader, contrast]
+
+### Debrief Structure
+- **Usability score (1–5):** Per flow or overall
+- **Top 3 issues:** Highest impact
+- **Accessibility gaps:** WCAG compliance notes
+- **Follow-ups:** UX review, a11y audit, design changes

package/skills/qa-manual-test-designer/references/personas.md

@@ -0,0 +1,146 @@
+# Persona-Based Testing
+
+Detailed persona descriptions for manual and exploratory testing. Use these to derive test scenarios that reflect different user behaviors, goals, and failure modes.
+
+---
+
+## Novice User
+
+**Profile:** First-time user, unfamiliar with the system. Easily confused, may ignore hints, gets lost in flows.
+
+### Behaviors
+- Clicks randomly or follows visual cues only
+- Skips onboarding or help text
+- Enters invalid data without reading validation messages
+- Uses back button or closes tab when stuck
+- May abandon flows mid-way
+- Relies on default values, rarely changes settings
+
+### Goals
+- Complete a simple task with minimal learning
+- Understand what the system does without reading documentation
+- Get help when something goes wrong
+
+### Test Scenarios
+- First-time flow without prior knowledge
+- Empty state / no data: what does the user see?
+- Invalid input: are error messages clear and actionable?
+- Dead ends: can the user recover or find a way back?
+- Onboarding: does it explain enough? Can it be skipped?
+- Default values: do they lead to success or confusion?
+
+---
+
+## Power User
+
+**Profile:** Experienced user who values efficiency. Uses keyboard shortcuts, bulk actions, advanced features.
+
+### Behaviors
+- Prefers keyboard over mouse (Tab, Enter, shortcuts)
+- Uses bulk operations, import/export, batch actions
+- Pushes limits: max items, max length, edge cases
+- Combines features in unexpected ways
+- Expects consistency across similar flows
+- May use API or CLI if available
+
+### Goals
+- Complete tasks quickly
+- Automate or batch repetitive work
+- Use advanced features without friction
+
+### Test Scenarios
+- Keyboard-only navigation through main flows
+- Bulk operations: select all, bulk delete, bulk edit
+- Boundary values: max length, max items, max file size
+- Shortcuts: do they work? Are they documented?
+- Import/export: large files, malformed data, encoding
+- Feature combinations: use A then B in same session
+- Performance: does it feel fast for power workflows?
+
+---
+
+## Attacker
+
+**Profile:** Malicious actor trying to bypass security, inject code, or escalate privileges.
+
+### Behaviors
+- Injects SQL, XSS, command injection in input fields
+- Manipulates URLs, headers, cookies
+- Tries auth bypass: session hijack, token reuse, privilege escalation
+- Tests file upload: executable files, path traversal
+- Probes for information disclosure (stack traces, debug info)
+- Uses automation (scripts, tools) to probe at scale
+
+### Goals
+- Bypass authentication or authorization
+- Extract or corrupt data
+- Disrupt service or degrade quality
+
+### Test Scenarios
+- SQL injection in search, login, form fields
+- XSS in user-generated content, error messages
+- Auth bypass: expired token, modified JWT, session fixation
+- Privilege escalation: access admin functions as regular user
+- File upload: .exe, .php, path traversal (../../../etc/passwd)
+- IDOR: change resource IDs in URLs to access others' data
+- Rate limiting: can brute-force or DoS be triggered?
+- Information disclosure: stack traces, internal URLs in responses
+
+---
+
+## Admin
+
+**Profile:** System administrator configuring roles, permissions, and system behavior.
+
+### Behaviors
+- Manages users, roles, permissions
+- Configures system settings, integrations, webhooks
+- Reviews audit logs and activity
+- Handles bulk user operations
+- Expects clear separation of admin vs. user capabilities
+- May use API or admin-only UI
+
+### Goals
+- Configure the system correctly and securely
+- Audit who did what and when
+- Manage access without breaking user experience
+
+### Test Scenarios
+- Role creation and assignment: do permissions apply correctly?
+- Permission boundaries: can admin do X? Can user do X when denied?
+- Audit logs: are actions logged? Can logs be tampered?
+- Configuration changes: do they take effect? Rollback?
+- Bulk operations: deactivate users, change roles
+- Admin vs. user UI: no privilege leakage to non-admin views
+- Integration setup: webhooks, API keys, OAuth — secure storage and usage
+
+---
+
+## Mobile User
+
+**Profile:** User on phone or tablet. Touch interaction, small screen, variable network.
+
+### Behaviors
+- Uses touch: tap, swipe, pinch, long-press
+- Holds device in portrait and landscape
+- May have slow or intermittent network
+- Uses thumb for primary interactions (reachability)
+- May switch apps and return (session restore)
+- Expects responsive layout, no horizontal scroll
+- May use mobile-specific features (camera, location)
+
+### Goals
+- Complete tasks on mobile without desktop
+- Have a usable experience on small screens
+- Work offline or with poor connectivity when possible
+
+### Test Scenarios
+- Touch targets: are buttons/links large enough (min 44×44 px)?
+- Thumb reach: can primary actions be reached one-handed?
+- Orientation: portrait and landscape both usable?
+- Responsive layout: no horizontal scroll, readable text
+- Slow network: loading states, timeouts, retry
+- Session restore: return after backgrounding — state preserved?
+- Forms: mobile-friendly inputs (tel, email, date pickers)
+- File upload: camera, gallery — supported and secure?
+- Gestures: swipe, pull-to-refresh — consistent and discoverable?