qa-skills 3.0.0

package/skills/qa-rest-assured-writer/SKILL.md

@@ -0,0 +1,137 @@
+---
+name: qa-rest-assured-writer
+description: Generate REST Assured API tests for Java with BDD-style syntax, JSON/XML schema validation, authentication handling, and Allure reporting.
+output_dir: tests/api
+dependencies:
+  recommended:
+    - qa-api-contract-curator
+---
+
+# QA REST Assured Writer
+
+## Purpose
+
+Write REST Assured API tests from test cases and API contracts. Transform structured test cases (from qa-testcase-from-docs, qa-api-contract-curator, OpenAPI specs) into executable REST Assured test files with BDD-style syntax, JSON/XML schema validation, authentication handling, and Allure reporting.
+
+## Trigger Phrases
+
+- "Write REST Assured tests for [API/endpoint]"
+- "Generate REST Assured API tests from OpenAPI"
+- "Create REST Assured tests with schema validation"
+- "Add REST Assured tests for [resource]"
+- "REST Assured BDD-style API tests"
+- "REST Assured tests with Bearer auth"
+- "REST Assured JSON schema validation"
+- "API tests with given/when/then"
+- "Heal my failing REST Assured tests"
+
+## Key Features
+
+| Feature | Description |
+| ------- | ----------- |
+| **BDD-style** | given().when().then() fluent API for readable tests |
+| **JSON schema** | JsonSchemaValidator for response schema validation |
+| **XML schema** | XML schema validation support |
+| **Authentication** | Basic, Bearer, OAuth2, custom headers |
+| **Request/Response spec** | RequestSpecification, ResponseSpecification for reuse |
+| **Serialization** | Jackson/Gson for POJO serialization/deserialization |
+| **Extraction** | extract().response(), path(), jsonPath() for assertions |
+| **Allure** | @Step, @Description, @Severity for reporting |
+
+## Workflow
+
+1. **Read test cases / API contract** — From specs, OpenAPI, or manual test designs
+2. **Analyze API** — Endpoints, request/response schemas, auth requirements
+3. **Generate test classes** — Produce `{Resource}ApiTest.java` with BDD structure
+4. **Configure base URI and specs** — RequestSpecification for common setup
+5. **Add validation** — Status codes, body assertions, schema validation
+6. **Run** — User runs `mvn test` to execute tests
+
+## Key Patterns
+
+| Pattern | Usage |
+| ------- | ----- |
+| `given().header().body().when().post().then().statusCode(201)` | Basic request/response |
+| `given().auth().oauth2(token)` | Bearer token auth |
+| `given().auth().basic(user, pass)` | Basic auth |
+| `then().body(JsonSchemaValidator.matchesJsonSchema(schema))` | JSON schema validation |
+| `RequestSpecification` | Reusable request config (base URI, headers) |
+| `ResponseSpecification` | Reusable response assertions |
+| `extract().response()` | Extract response for further assertions |
+| `extract().path("$.id")` | Extract value from JSON path |
+
+## BDD Structure
+
+```java
+@Test
+@DisplayName("Create user returns 201")
+void createUser_returns201() {
+    given()
+        .contentType(ContentType.JSON)
+        .body(userRequest)
+    .when()
+        .post("/users")
+    .then()
+        .statusCode(201)
+        .body("id", notNullValue())
+        .body("email", equalTo("user@example.com"));
+}
+```
+
+## File Naming
+
+- `{Resource}ApiTest.java` — Test classes (e.g., `UserApiTest.java`, `OrderApiTest.java`)
+- Place in `src/test/java` per Maven convention
+
+## Scope
+
+**Can do (autonomous):**
+- Generate REST Assured API tests from test case specs or OpenAPI
+- Apply BDD-style given/when/then structure
+- Add JSON/XML schema validation
+- Configure authentication (Basic, Bearer, OAuth2)
+- Use RequestSpecification/ResponseSpecification for reuse
+- Add Allure annotations for reporting
+- Use Context7 MCP for REST Assured docs
+- Delegate to qa-test-healer when tests fail (Heal Mode)
+
+**Cannot do (requires confirmation):**
+- Change production code structure
+- Add dependencies not in pom.xml
+- Override project REST Assured config without approval
+- Call APIs not provided or approved
+
+**Will not do (out of scope):**
+- Execute tests (user runs `mvn test`)
+- Write Selenium/Playwright tests (use qa-selenium-java-writer, qa-playwright-ts-writer)
+- Modify CI/CD pipelines
+- Bypass security or access restricted APIs
+
+## References
+
+- `references/patterns.md` — CRUD, auth, validation, filters, serialization
+- `references/config.md` — Maven config, base URI, logging
+- `references/best-practices.md` — API testing best practices with REST Assured
+
+## Quality Checklist
+
+- [ ] BDD-style given/when/then used
+- [ ] Status code assertions on every request
+- [ ] Schema validation where contract exists
+- [ ] No hardcoded credentials (use env vars or test config)
+- [ ] RequestSpecification for shared setup
+- [ ] Tests independent (no shared state)
+- [ ] Allure annotations where applicable
+- [ ] Traceability to test case IDs where applicable
+- [ ] File naming follows `{Resource}ApiTest.java` convention
+
+## Troubleshooting
+
+| Symptom | Likely Cause | Fix |
+| ------- | ------------ | --- |
+| Connection refused | Wrong base URI, service not running | Verify baseUri; ensure API is up |
+| 401/403 | Missing or invalid auth | Add auth to given(); check token expiry |
+| Schema validation fails | Schema mismatch, wrong path | Verify schema file; check JSON path |
+| Body assertion fails | Wrong JSON path, type mismatch | Use jsonPath() to debug; ensure correct type |
+| Timeout | Slow API, network | Increase timeout in config |
+| Serialization error | POJO mismatch | Verify POJO fields match JSON; check annotations |

package/skills/qa-rest-assured-writer/references/best-practices.md

@@ -0,0 +1,50 @@
+# REST Assured Best Practices
+
+## Structure
+
+- **One test class per resource** — `UserApiTest.java`, `OrderApiTest.java`
+- **BDD style** — given/when/then for readability
+- **Base class** — Shared RequestSpecification, base URI, auth
+- **Test data** — Use builders or fixtures; avoid hardcoded values in assertions where possible
+
+## Assertions
+
+- **Always assert status code** — Every request should validate response status
+- **Schema validation** — Use JsonSchemaValidator when OpenAPI/schema exists
+- **Specific assertions** — Prefer `body("id", notNullValue())` over generic checks
+- **AssertJ for extracted data** — `assertThat(response.path("id")).isNotNull()`
+
+## Authentication
+
+- **Never hardcode credentials** — Use env vars, test config, or secrets manager
+- **Token refresh** — For OAuth2, implement token refresh in @BeforeAll or filter
+- **Preemptive when needed** — Use preemptive basic auth if server doesn't send 401 challenge
+
+## Test Data
+
+- **Builders** — Use builder pattern for request POJOs
+- **Fixtures** — Centralize test data in fixture classes or JSON files
+- **Cleanup** — Delete created resources in @AfterEach if tests create data
+- **Idempotency** — Prefer idempotent operations when possible
+
+## Performance
+
+- **Reuse specs** — RequestSpecification/ResponseSpecification reduce duplication
+- **Connection pooling** — REST Assured uses Apache HttpClient; reuse config
+- **Timeout** — Set reasonable timeouts to fail fast on slow APIs
+
+## Maintainability
+
+- **Constants** — Extract endpoints, header names to constants
+- **Page Object–like** — Consider API client wrapper for complex APIs
+- **Traceability** — Link tests to requirements via @Description or test case ID
+
+## Common Pitfalls
+
+| Pitfall | Fix |
+| ------- | --- |
+| Forgetting content-type | Set in RequestSpecification or per request |
+| Brittle JSON path | Use schema validation; document path structure |
+| Shared state | Each test independent; cleanup in @AfterEach |
+| No timeout | Set connection/read timeout in config |
+| Logging sensitive data | Filter auth headers in log config |

package/skills/qa-rest-assured-writer/references/config.md

@@ -0,0 +1,124 @@
+# REST Assured Configuration
+
+## Maven Dependencies
+
+```xml
+<dependencies>
+    <dependency>
+        <groupId>io.rest-assured</groupId>
+        <artifactId>rest-assured</artifactId>
+        <version>5.4.0</version>
+        <scope>test</scope>
+    </dependency>
+    <dependency>
+        <groupId>io.rest-assured</groupId>
+        <artifactId>json-schema-validator</artifactId>
+        <version>5.4.0</version>
+        <scope>test</scope>
+    </dependency>
+    <dependency>
+        <groupId>org.junit.jupiter</groupId>
+        <artifactId>junit-jupiter</artifactId>
+        <version>5.10.0</version>
+        <scope>test</scope>
+    </dependency>
+</dependencies>
+```
+
+## Base URI Configuration
+
+### Static configuration
+```java
+@BeforeAll
+static void setupRestAssured() {
+    RestAssured.baseURI = "https://api.example.com";
+    RestAssured.basePath = "/v1";
+    RestAssured.port = 443;
+}
+```
+
+### From environment
+```java
+@BeforeAll
+static void setupRestAssured() {
+    RestAssured.baseURI = System.getenv().getOrDefault("API_BASE_URI", "http://localhost:8080");
+}
+```
+
+### Per-test override
+```java
+given()
+    .baseUri("https://staging.api.example.com")
+.when()
+    .get("/users")
+.then()
+    .statusCode(200);
+```
+
+## Logging
+
+### Request/Response logging
+```java
+RestAssured.enableLoggingOfRequestAndResponseIfValidationFails(LogDetail.ALL);
+
+// Or per request
+given()
+    .log().all()
+.when()
+    .get("/users")
+.then()
+    .log().body();
+```
+
+### Log levels
+- `LogDetail.ALL` — Full request and response
+- `LogDetail.HEADERS` — Headers only
+- `LogDetail.BODY` — Body only
+- `LogDetail.PARAMS` — Query/path params
+
+## Timeouts
+
+```java
+RestAssured.config = RestAssuredConfig.config()
+    .httpClient(HttpClientConfig.httpClientConfig()
+        .setParam(CoreConnectionPNames.CONNECTION_TIMEOUT, 5000)
+        .setParam(CoreConnectionPNames.SO_TIMEOUT, 10000));
+```
+
+## SSL / TLS
+
+### Relaxed HTTPS (self-signed certs, dev only)
+```java
+RestAssured.useRelaxedHTTPSValidation();
+```
+
+### Custom trust store
+```java
+RestAssured.config = RestAssuredConfig.config()
+    .sslConfig(SSLConfig.sslConfig()
+        .trustStore(pathToTrustStore, password));
+```
+
+## Content Type
+
+```java
+RestAssured.defaultContentType = ContentType.JSON;
+```
+
+## Request Specification (Reusable)
+
+```java
+public class ApiTestBase {
+    protected static RequestSpecification requestSpec;
+
+    @BeforeAll
+    static void setup() {
+        requestSpec = new RequestSpecBuilder()
+            .setBaseUri(System.getenv().getOrDefault("API_URI", "http://localhost:8080"))
+            .setContentType(ContentType.JSON)
+            .addFilter(new RequestLoggingFilter())
+            .addFilter(new ResponseLoggingFilter())
+            .build();
+    }
+}
+```

package/skills/qa-rest-assured-writer/references/patterns.md

@@ -0,0 +1,192 @@
+# REST Assured Patterns
+
+## CRUD Operations
+
+### GET (single resource)
+```java
+given()
+    .pathParam("id", 1)
+.when()
+    .get("/users/{id}")
+.then()
+    .statusCode(200)
+    .body("id", equalTo(1))
+    .body("name", notNullValue());
+```
+
+### GET (list)
+```java
+given()
+    .queryParam("page", 1)
+    .queryParam("size", 10)
+.when()
+    .get("/users")
+.then()
+    .statusCode(200)
+    .body("content", hasSize(lessThanOrEqualTo(10)))
+    .body("content[0].id", notNullValue());
+```
+
+### POST (create)
+```java
+given()
+    .contentType(ContentType.JSON)
+    .body(new UserRequest("john@example.com", "John"))
+.when()
+    .post("/users")
+.then()
+    .statusCode(201)
+    .header("Location", containsString("/users/"))
+    .body("id", notNullValue());
+```
+
+### PUT (update)
+```java
+given()
+    .contentType(ContentType.JSON)
+    .pathParam("id", 1)
+    .body(updatedUser)
+.when()
+    .put("/users/{id}")
+.then()
+    .statusCode(200)
+    .body("name", equalTo(updatedUser.getName()));
+```
+
+### DELETE
+```java
+given()
+    .pathParam("id", 1)
+.when()
+    .delete("/users/{id}")
+.then()
+    .statusCode(204);
+```
+
+## Authentication
+
+### Basic Auth
+```java
+given()
+    .auth().basic("user", "password")
+.when()
+    .get("/protected")
+.then()
+    .statusCode(200);
+```
+
+### Bearer Token
+```java
+given()
+    .auth().oauth2(accessToken)
+.when()
+    .get("/api/resource")
+.then()
+    .statusCode(200);
+```
+
+### Custom Header
+```java
+given()
+    .header("Authorization", "Bearer " + token)
+    .header("X-API-Key", apiKey)
+.when()
+    .get("/api/resource")
+.then()
+    .statusCode(200);
+```
+
+### Preemptive Basic
+```java
+given()
+    .auth().preemptive().basic("user", "password")
+.when()
+    .get("/protected")
+.then()
+    .statusCode(200);
+```
+
+## JSON Schema Validation
+
+```java
+import static io.restassured.module.jsv.JsonSchemaValidator.matchesJsonSchemaInClasspath;
+
+given()
+    .when()
+    .get("/users/1")
+.then()
+    .body(matchesJsonSchemaInClasspath("schemas/user-response.json"));
+```
+
+## Request/Response Specifications
+
+### RequestSpecification
+```java
+RequestSpecification requestSpec = new RequestSpecBuilder()
+    .setBaseUri("https://api.example.com")
+    .setContentType(ContentType.JSON)
+    .addHeader("Accept", "application/json")
+    .addFilter(new RequestLoggingFilter())
+    .build();
+
+given()
+    .spec(requestSpec)
+    .body(payload)
+.when()
+    .post("/users")
+.then()
+    .statusCode(201);
+```
+
+### ResponseSpecification
+```java
+ResponseSpecification responseSpec = new ResponseSpecBuilder()
+    .expectStatusCode(200)
+    .expectContentType(ContentType.JSON)
+    .expectResponseTime(lessThan(2000L), TimeUnit.MILLISECONDS)
+    .build();
+
+given().when().get("/users").then().spec(responseSpec);
+```
+
+## Filters
+
+- **RequestLoggingFilter** — Log request details
+- **ResponseLoggingFilter** — Log response details
+- **ErrorLoggingFilter** — Log on failure
+- **OAuth2Filter** — OAuth2 token handling
+
+## Extraction
+
+```java
+Response response = given()
+    .when()
+    .post("/users")
+    .then()
+    .statusCode(201)
+    .extract().response();
+
+int id = response.path("id");
+String location = response.header("Location");
+
+// Or with JsonPath
+String email = given().when().get("/users/1")
+    .then().extract().path("email");
+```
+
+## Serialization / Deserialization
+
+```java
+// POJO to JSON (serialization)
+UserRequest user = new UserRequest("john@example.com", "John");
+given().body(user).when().post("/users");
+
+// JSON to POJO (deserialization)
+UserResponse user = given()
+    .when()
+    .get("/users/1")
+    .as(UserResponse.class);
+
+assertThat(user.getId()).isEqualTo(1);
+assertThat(user.getEmail()).isEqualTo("john@example.com");
+```

package/skills/qa-risk-analyzer/SKILL.md

@@ -0,0 +1,158 @@
+---
+name: qa-risk-analyzer
+description: Risk-based testing prioritization with impact analysis for code changes using the formula Risk = Complexity × ChangeFrequency × (1 - TestCoverage).
+output_dir: reports/risk
+dependencies:
+  recommended:
+    - qa-coverage-analyzer
+---
+
+# QA Risk Analyzer
+
+## Purpose
+
+Risk-based testing prioritization and impact analysis for code changes. Calculate risk scores per feature/module, rank testing effort, and produce actionable recommendations using the formula:
+
+**Risk = Complexity × ChangeFrequency × (1 - TestCoverage)**
+
+## Trigger Phrases
+
+- "Risk analysis for [branch/PR/release]"
+- "Prioritize tests by risk" / "Risk-based test prioritization"
+- "Impact analysis for [git diff/changes]"
+- "Risk heatmap" / "Risk matrix for testing"
+- "Which tests to run first?" / "Test execution order by risk"
+- "Risk index per feature" / "High-risk modules"
+
+## Risk Formula
+
+```
+Risk = Complexity × ChangeFrequency × (1 - TestCoverage)
+```
+
+- **Complexity:** Cyclomatic complexity, coupling, or static analysis metrics
+- **ChangeFrequency:** Commits/changes per file from git history
+- **TestCoverage:** 0–1 from qa-coverage-analyzer (1 = fully covered)
+- **Defect history** and **business criticality** adjust the final ranking
+
+See `references/risk-factors.md` for calculation methods.
+
+## Risk Factors
+
+| Factor | Source | How to Obtain |
+|--------|--------|---------------|
+| **Code complexity** | Cyclomatic complexity, coupling | SonarQube, ESLint complexity, radon (Python) |
+| **Change frequency** | Git history | `git log --follow` per file; commits per module |
+| **Test coverage** | Coverage reports | qa-coverage-analyzer (Istanbul/JaCoCo/coverage.py) |
+| **Defect history** | Past bugs per module | Memory MCP, Jira/issue tracker |
+| **Business criticality** | Stakeholder input | Manual tagging or config; payment, auth, core flows |
+
+## Impact Analysis
+
+Analyze git diff to determine:
+
+1. **Affected modules** — Files changed → map to features/modules
+2. **Affected tests** — Tests that cover changed code (from coverage or naming)
+3. **Downstream impact** — Dependencies, imports, API consumers
+4. **Regression scope** — Suggested regression set based on impact
+
+See `references/impact-analysis.md` for git diff patterns and mapping strategies.
+
+## Output Deliverables
+
+1. **Risk Matrix** — Features/modules ranked by risk with testing recommendations
+2. **Prioritized Test Execution List** — Order tests by risk (high → low)
+3. **Risk Heatmap** — Visual matrix (complexity × change frequency, colored by coverage)
+4. **Impact Summary** — Per PR/branch: affected modules, suggested regression scope
+
+### Risk Matrix Template
+
+```markdown
+# Risk Matrix — [Branch/Release]
+
+## Summary
+| Module/Feature | Risk Index | Complexity | Change Freq | Coverage | Recommendation |
+|----------------|------------|------------|-------------|----------|-----------------|
+| [Name] | X.XX | H/M/L | H/M/L | X% | [Action] |
+
+## Prioritized Test Execution
+1. [High risk] — [Module] — [Tests]
+2. [Medium risk] — [Module] — [Tests]
+3. [Low risk] — [Module] — [Tests]
+
+## Heatmap
+[Quadrant: Complexity × ChangeFrequency, color = coverage]
+```
+
+## Workflow
+
+1. **Input:** Git diff/branch, coverage report, optional defect history (Memory MCP)
+2. **Impact:** Parse git diff; map changed files to modules/features
+3. **Factors:** Get complexity (static analysis), change frequency (git log), coverage (qa-coverage-analyzer)
+4. **Risk score:** Apply formula; apply defect/criticality adjustments
+5. **Rank:** Sort modules/features by risk
+6. **Output:** Risk matrix, prioritized test list, heatmap (via qa-diagram-generator)
+7. **Recommendations:** Suggest tests to run first, coverage gaps to address
+
+## MCP Tools Used
+
+- **Sequential Thinking MCP:** Decompose analysis, reconcile conflicting factors, prioritize recommendations
+- **Memory MCP:** Historical defect data per module, past risk trends, baseline comparison
+
+## Integration with Other Skills
+
+| Need | Skill | Usage |
+|------|-------|-------|
+| Test coverage data | qa-coverage-analyzer | Code coverage per module |
+| Risk quadrant chart | qa-diagram-generator | Heatmap, quadrant visualization |
+| Test cases for modules | qa-testcase-from-docs, qa-testcase-from-ui | Map tests to modules |
+| Risk matrix patterns | qa-test-strategy | `references/risk-matrix.md` |
+
+## Scope
+
+**Can do (autonomous):**
+- Calculate risk scores using the formula
+- Parse git diff and map to modules
+- Obtain change frequency from git history
+- Integrate coverage from qa-coverage-analyzer
+- Produce risk matrix, prioritized test list, heatmap
+- Call qa-diagram-generator for quadrant charts
+- Use Sequential Thinking for analysis; Memory for defect history
+
+**Cannot do (requires confirmation):**
+- Override business criticality without stakeholder input
+- Change risk formula or factor weights without agreement
+- Exclude modules from analysis without justification
+
+**Will not do (out of scope):**
+- Execute tests or generate coverage (consume existing data)
+- Modify source code or test automation
+- Deploy or change production systems
+
+## Quality Checklist
+
+- [ ] Risk formula applied consistently (Complexity × ChangeFrequency × (1 - TestCoverage))
+- [ ] All risk factors sourced (complexity, change freq, coverage)
+- [ ] Git diff impact analysis maps files to modules
+- [ ] Prioritized test list ordered by risk (high → low)
+- [ ] Heatmap/quadrant chart generated via qa-diagram-generator
+- [ ] Recommendations actionable (specific tests, coverage gaps)
+- [ ] No hardcoded secrets; paths/config referenced
+
+## Troubleshooting
+
+| Symptom | Likely Cause | Fix |
+|---------|--------------|-----|
+| Risk scores all similar | Factors not normalized | Normalize to 0–1 scale; use relative ranking |
+| Missing coverage data | qa-coverage-analyzer not run | Run coverage first; use 0 if unavailable |
+| Change frequency zero | New files, no git history | Use complexity + criticality only; flag as "new" |
+| Module mapping fails | Unclear file→module mapping | Use directory structure, package.json, or config |
+| Heatmap too dense | Too many modules | Group by feature; show top N by risk |
+| Defect history empty | Memory MCP not populated | Proceed without; note "no defect history" |
+
+## Reference Files
+
+| Topic | Reference |
+|-------|-----------|
+| Risk factor calculation | `references/risk-factors.md` |
+| Git diff impact analysis | `references/impact-analysis.md` |