dneprokos/api-test-scenario-generator
.github/skills/api-test-scenario-generator/SKILL.md
Generate comprehensive REST API test scenarios from a method, endpoint, optional domain hints, and an optional OpenAPI spec. Covers happy path, validation, security, query behavior, state transitions, idempotency, and error contract checks.
$ install --global
skillsauthnpx skillsauth add dneprokos/skills-examples api-test-scenario-generatorInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 16, 2026, 2:40 AM4.1s8 files scanned
SKILL.md
- name:
- api-test-scenario-generator
- description:
- Generate comprehensive REST API test scenarios from a method, endpoint, optional domain hints, and an optional OpenAPI spec. Covers happy path, validation, security, query behavior, state transitions, idempotency, and error contract checks.
API Test Scenario Generator
Generate API test-scenario specs that stay grounded in the endpoint plus any domain context the user provides. When domain details are missing, the skill should infer conservatively from HTTP semantics and list assumptions as warnings instead of inventing facts.
What this skill should produce
- a markdown scenario table with clear expected results and HTTP statuses
- explicit Priority labels:
High (H) > Medium (M) > Low (L) - an optional dependency graph when one resource must exist before another action can be tested
- a Warnings and Assumptions section for anything not confirmed
Usage
Use this command format:
/api-test-scenario-generator {METHOD} {ENDPOINT}
[--fields name:type:constraint,...]
[--states STATE1,STATE2,...]
[--transitions FROM:TO,...]
[--filters name:type,...]
[--sortable field1,field2,...]
[--relations resource:policy,...]
[--openapiSpec PATH_OR_JSON_OR_YAML]
[--openapiOperationId OPERATION_ID]
[additional_context]
Context rules
- These hints are optional, but they make the generated scenarios much more accurate.
- If
--openapiSpecis provided, the skill will attempt to locate the matching OpenAPI operation (by--openapiOperationIdwhen provided, otherwise by{METHOD} {ENDPOINT}) and infer request body fields, possible states (from enums), and query parameters. - Manual hints (
--fields,--states,--filters,--sortable) take precedence over OpenAPI-derived inference; any missing details are still recorded as warnings/assumptions. - If a hint is missing, fall back to common API patterns and built-in HTTP knowledge only.
- Any inferred RBAC rule, state machine, or filter behavior must be called out as an assumption.
Examples
/api-test-scenario-generator POST /api/users
/api-test-scenario-generator GET /api/users/{id}
/api-test-scenario-generator POST /api/orders \
--fields amount:number:>=0,status:enum:PENDING|CONFIRMED|CANCELLED \
--states PENDING,CONFIRMED,SHIPPED,DELIVERED,CANCELLED \
--transitions PENDING:CONFIRMED,CONFIRMED:SHIPPED,SHIPPED:DELIVERED \
--filters status:string,createdAt:date \
--sortable createdAt,totalAmount \
--relations user:owner-must-exist
/api-test-scenario-generator POST /api/orders \
--openapiSpec ./openapi.json
Generated Table Format
| Scenario | Test Type | Description | Expected Result | HTTP Status | Priority | Recommended Test Level | | -------- | --------- | ----------- | --------------- | ----------- | -------- | ---------------------- | | ... | ... | ... | ... | ... | ... | ... |
Priority rules
- High (H) — must-cover scenarios affecting business-critical flow, auth, money, destructive actions, or data integrity
- Medium (M) — important validation and common negative cases
- Low (L) — optional, exploratory, or rarer operational checks
- The skill assigns the initial priority. A reviewer can always override it.
Coverage checklist
The generated scenarios should consider, when relevant:
- Happy path and CRUD basics
- Validation and boundary cases — Unicode, unknown fields, zero values, min/max lengths, date limits
- Authentication and RBAC — missing token, invalid token, expired JWT →
401, refresh flow expectations, Admin vs Customer access to other users' resources - Query behavior — pagination, filtering, sorting, invalid filter field, invalid sort field, date-range filters
- State machines — explicit state transitions such as
PENDING → CONFIRMED → SHIPPED → DELIVERED, plus invalid transitions - Idempotency — duplicate
POSTor replayedIdempotency-Keymust not create duplicate writes - Referential integrity — cascade or blocked delete/update behavior when related resources exist
- Protocol and reliability errors —
405,415,429,502,503where applicable - Error response contract — check fields like
error.code,error.message,error.requestId, and validation details - HTTP methods outside CRUD —
HEADandOPTIONSwhen the endpoint contract supports them
Output Requirements
File generation
- Format: Always save output in
.mdformat - Location:
requirements/{main_resource_name}/{method_name}_{resource_path}.md- Example:
requirements/users/GET_users_id.mdforGET /api/users/{id} - Example:
requirements/orders/PUT_orders_id_status.mdforPUT /api/orders/{id}/status
- Example:
- Overwrite Check: If the file already exists, prompt the user before overwriting it
- File Structure: Include scenario table, optional dependency graph, then warnings/unknowns
Dependency graph
Add a dependency graph when the test flow requires prerequisite resources or state transitions.
{
"nodes": ["create_user", "update_user", "delete_user"],
"edges": [
{ "from": "create_user", "to": "update_user" },
{ "from": "create_user", "to": "delete_user" }
]
}
Warning documentation
- Location: List all warnings about unknowns at the end of the document
- Format: Use
⚠️for each warning - Content: Say exactly what was assumed or missing (RBAC, filters, states, relations, error schema, etc.)
Plan mode behavior
- No Implementation Questions: Do not ask about test framework details in Plan mode
- Focus: Generate scenarios only; implementation can be handled by another skill
Test level guidance
Use the testing pyramid as a heuristic, not a rigid quota:
- Unit: Most validation and pure business-rule checks
- Integration: API contracts, auth, RBAC, persistence, service-to-service behavior
- E2E: A small set of cross-system critical journeys
Do not force 70/20/10 blindly if the system shape suggests a different balance.
Configuration
The skill uses configuration files to customize test generation:
config/validation-rules.json— validation, auth, query, error, and protocol rulesconfig/test-types.json— test classifications, priority legend, and testing-level guidancetemplates/— markdown output templates
Implementation approach
This skill analyzes the provided HTTP method, endpoint, and optional context using:
- Pattern recognition — CRUD, nested resources, pagination, filtering, sorting
- Boundary analysis — lengths, ranges, Unicode, nullability, unknown fields
- Security testing — auth, RBAC, ownership, tenant isolation, token expiry
- Lifecycle modeling — states, transitions, idempotency, referential integrity
- Contract verification — status codes and structured error responses
- Operational resilience — rate limits and upstream failure scenarios
All unknowns must be surfaced explicitly rather than guessed.
Related Skills
dneprokos/windows-secretmanagement-setup
data-ai
VerifiedTrustedCommunity
Install and configure Windows Credential Manager style secret storage for PowerShell using SecretManagement and SecretStore. Use when users ask to install secret manager support, set up Credential Manager for GitHub token storage, or bootstrap GitHubToken for PR skills.
2SKILL.mdUpdated Apr 16, 2026
dneprokos/ut-coder
development
VerifiedTrustedCommunity
Generate a complete, compilable unit test file from an Analyst test plan and Architect strategy. Uses AAA pattern, language-specific frameworks (NUnit, JUnit 5, pytest, Vitest), correct mock/real dependency instantiation, constructor null-guard tests, parameterized tests, and setup/teardown hooks. Input is the Analyst JSON plan plus Architect strategy summary. Use when asked to generate test code, write test implementation, create test file, or implement tests from a plan. Also invoked as Phase 3 by the unit-test-generator agent.
2SKILL.mdUpdated Apr 16, 2026
dneprokos/ut-architect
development
VerifiedTrustedCommunity
Define the mocking strategy and assertion style for a unit test plan. Classifies each dependency as mock or real, resolves assertion framework and test file location from project patterns, lists constructor null-guard tests with expected exception types, and specifies abstraction interfaces for non-deterministic calls. Input is a JSON test plan from ut-analyst. Use when asked to define mocking strategy, plan test architecture, classify dependencies as mock vs real, or design test structure. Also invoked as Phase 2 by the unit-test-generator agent.
2SKILL.mdUpdated Apr 16, 2026
dneprokos/ut-analyst
testing
VerifiedTrustedCommunity
Analyze a class or function and produce a structured JSON test plan. Classifies all dependencies (interface, abstract, valueObject, dto, primitive), detects non-deterministic calls, enumerates test cases using black-box techniques (Equivalence Partitioning, Boundary Value Analysis, Decision Table, State Transition), and lists constructor null-guard requirements. Use when asked to analyze a class for testing, create a test plan, classify dependencies, or produce test case inventory. Also invoked as Phase 1 by the unit-test-generator agent.
2SKILL.mdUpdated Apr 16, 2026