21 KiB
Scenario Workflow — $autoresearch scenario
Scenario-driven use case generator that autonomously explores situations, edge cases, failure modes, and derivative scenarios from a seed scenario. Doesn't stop at obvious paths — iteratively discovers what could go wrong, what's missing, and what nobody thought of.
Core idea: Seed scenario in → Decompose into dimensions → Generate situations → Classify (new/duplicate/variant) → Expand edge cases → Log → Repeat. Every iteration explores one unexplored combination.
Trigger
- User invokes
$autoresearch scenario - User says "explore scenarios", "generate use cases", "what could go wrong", "stress test this feature", "edge cases for", "what are all the ways this could fail"
- User wants to enumerate situations for a feature, workflow, or system
Loop Support
# Unlimited — keep generating scenarios until interrupted
$autoresearch scenario
# Bounded — exactly N exploration iterations
$autoresearch scenario
Iterations: 25
# Focused scope
$autoresearch scenario
Scenario: User attempts to checkout with multiple payment methods
Domain: software
Depth: deep
PREREQUISITE: Interactive Setup (when invoked without scenario)
CRITICAL — BLOCKING PREREQUISITE: If $autoresearch scenario is invoked without a scenario description, you MUST use direct prompting to gather context BEFORE proceeding to ANY phase. DO NOT skip this step. DO NOT jump to Phase 1 without completing interactive setup.
TOOL AVAILABILITY: direct prompting may be a deferred tool. If calling it fails or the schema is not available, you MUST use ToolSearch to fetch the direct prompting schema first, then retry. NEVER skip interactive setup because of a tool fetch issue — resolve the tool availability, then ask the questions.
The question count adapts (4-8) based on what context is already provided:
Adaptive question selection rules:
- No input at all → ask all 8 questions
- Vague scenario only (≤5 words OR no verb/action) → ask questions 2-8 (skip 1)
- Clear scenario (>5 words AND contains actor + action), no domain → ask questions 2, 4, 5, 6, 7 (5 questions)
- Clear scenario + domain (via
--domainflag or explicit domain keyword like "API", "auth", "UX") → ask questions 4, 6, 7, 8 (4 questions)
Classification examples:
- "checkout" → vague (1 word, no actor, no action)
- "API rate limiting" → vague (no actor, no verb)
- "User resets password" → clear (actor=User, action=resets, object=password)
- "Admin deploys to production with rollback" → clear + domain=software (skip to 4 questions)
You MUST call direct prompting with the selected questions in ONE batched call:
| # | Header | Question | When to Ask | Options |
|---|---|---|---|---|
| 1 | Scenario |
"Describe the scenario you want to explore" | If not provided inline | Free text input |
| 2 | Domain |
"What domain is this scenario in?" | If not obvious from scenario | "Software/API (code paths, error handling)", "Product/UX (user journeys, accessibility)", "Business/Process (workflows, approvals, compliance)", "Security/Compliance (threats, access control, data)", "Marketing/Sales (campaigns, funnels, conversions)", "Custom (I'll describe)" |
| 3 | Actors |
"Who are the key actors/users in this scenario?" | If scenario doesn't mention actors | Detected from codebase/scenario + "End user", "Admin", "System/API", "External service", "Multiple (I'll list)" |
| 4 | Goal |
"What's your primary goal for exploring this scenario?" | If intent is unclear | "Find edge cases and boundary conditions", "Generate test scenarios (Given/When/Then)", "Explore all user journeys and paths", "Stress test — find what breaks under pressure", "Map failure modes and recovery paths", "All of the above" |
| 5 | Constraints |
"Any constraints or boundaries I should respect?" | If no scope or limits mentioned | "Technical limitations (infra, performance)", "Business rules (policies, SLAs)", "Regulatory/compliance requirements", "Time/resource constraints", "None — explore freely" |
| 6 | Depth |
"How deep should I explore?" | Always | "Shallow scan (10 iterations — quick overview)", "Standard exploration (25 iterations — recommended)", "Deep investigation (50+ iterations — comprehensive)", "Unlimited — keep going until interrupted" |
| 7 | Output |
"What output format is most useful?" | If domain doesn't make it obvious | "Use cases (Given/When/Then format)", "User stories (As a... I want... So that...)", "Test scenarios (input → expected → actual)", "Threat scenarios (attacker goal → vector → impact)", "Mixed — all applicable formats" |
| 8 | Focus |
"Any specific area to stress test first?" | If scenario is broad | Suggested areas from scenario analysis + "Happy path first, then edge cases", "Jump straight to failure modes", "Explore everything equally" |
IMPORTANT: You MUST batch ALL selected questions into a SINGLE direct prompting call. NEVER ask questions one at a time — users need full context to make informed decisions together. If direct prompting only supports one question per call, include all questions in a single call with numbered headers.
Architecture
$autoresearch scenario
├── Phase 1: Seed — Capture, parse, and analyze the scenario
├── Phase 2: Decompose — Break into exploration dimensions
├── Phase 3: Generate — Create ONE new situation
├── Phase 4: Classify — New? Valuable? Duplicate?
├── Phase 5: Expand — Derive edge cases, what-ifs, failure modes
├── Phase 6: Log — Record to scenario-results.tsv
└── Phase 7: Repeat — Next unexplored dimension/combination
Inline Context Parsing Rules
When the user provides arguments inline, parse them in this order (flags take precedence over positional text):
- Flags first: Extract
--domain,--depth,--scope,--format,--focus,--iterations(orIterations:inline config) - Scenario text: Everything that isn't a flag or
Iterations:config is the scenario description Scenario:prefix: If text starts withScenario:, strip the prefix- Flag order doesn't matter:
--domain software User resets password=User resets password --domain software - Conflict resolution: If
--depth shallowis set butIterations: 50is also set,Iterations:wins (explicit iteration count overrides depth presets)
Skip setup entirely when: Scenario text is "clear" (>5 words with actor+action) AND at least --domain or --depth is provided. Proceed directly to Phase 1.
Cancel & Interruption Handling
- If user selects "Cancel" in any direct prompting response → exit cleanly with message: "Scenario exploration cancelled. Run
$autoresearch scenarioagain when ready." - If user answers only some questions and stops responding → treat answered questions as config, ask remaining questions in a follow-up call
- If Ctrl+C during setup → no state persisted, clean restart on re-invocation
Phase 1: Seed — Capture & Analyze Scenario
STOP: Have you completed the Interactive Setup above? If invoked without scenario/flags, you MUST complete the direct prompting call above BEFORE entering this phase.
Parse the scenario and build a structured understanding.
Extract from scenario:
- Primary actor(s) and their roles
- Goal/objective of the scenario
- Preconditions (what must be true before)
- Postconditions (expected outcomes)
- System components involved
- Data flows and transformations
- External dependencies
If codebase context exists:
- Read relevant source files mentioned in or related to the scenario
- Identify API routes, database models, UI components involved
- Map the technical implementation to the scenario description
Output: ✓ Phase 1: Seed analyzed — [N] actors, [M] components, [K] preconditions identified
Phase 2: Decompose — Break Into Exploration Dimensions
Map the scenario into exploration dimensions. Each dimension represents a category of situations to generate.
Scenario Dimensions:
| Dimension | Description | Exploration Focus |
|---|---|---|
| Happy path | Normal successful flow | All steps complete as expected |
| Error path | Expected, handled failures | Validation errors, business rule violations |
| Edge case | Boundary conditions | Min/max values, empty inputs, unicode, huge payloads |
| Abuse/misuse | Adversarial or unintended behavior | Injection, privilege escalation, rate abuse |
| Scale | High volume/load scenarios | Concurrent users, large datasets, burst traffic |
| Concurrent | Race conditions and ordering | Simultaneous edits, distributed locks, eventual consistency |
| Temporal | Time-dependent behavior | Timeouts, expiry, scheduling, timezone edge cases |
| Data variation | Different input types and formats | Null, empty, unicode, special chars, max length |
| Permission | Access control and authorization | Role escalation, shared resources, delegation |
| Integration | External system interactions | API failures, timeouts, malformed responses, version mismatches |
| Recovery | System resilience | Crash recovery, retry logic, data consistency after failure |
| State transition | Object lifecycle | Invalid state transitions, partial updates, rollback |
Dimension prioritization:
- Start with happy path (baseline understanding)
- Error paths (most common real-world issues)
- Edge cases (where bugs hide)
- Domain-specific dimensions (security → abuse, product → UX, etc.)
Output: ✓ Phase 2: Decomposed — [N] dimensions active, [M] exploration vectors identified
Phase 3: Generate — Create ONE New Situation
Pick the highest-priority unexplored dimension/combination and generate a concrete situation.
Situation format:
### [DIMENSION] Situation: [descriptive title]
**Actors:** [who is involved]
**Precondition:** [what must be true]
**Trigger:** [what action initiates this]
**Flow:**
1. [step 1]
2. [step 2]
3. [step N]
**Expected outcome:** [what should happen]
**What could go wrong:** [potential failure points]
**Severity:** [Critical/High/Medium/Low — impact if this fails]
Generation strategies:
| Strategy | When to Use | Method |
|---|---|---|
| Dimension walk | Early iterations | Pick next unexplored dimension, generate vanilla situation |
| Combination | Mid iterations | Combine 2 dimensions (e.g., edge case + concurrent) |
| Negation | When stuck | Take a happy path step, negate it ("what if this fails?") |
| Amplification | Deep exploration | Take existing situation, amplify one parameter to extreme |
| Persona shift | Coverage gaps | Same scenario, different actor (admin vs user vs attacker) |
| Temporal shift | After basics covered | Same scenario at different times (peak load, maintenance window, first use) |
Rules:
- ONE situation per iteration (atomic — evaluate before generating more)
- Must be concrete and specific (not vague "something goes wrong")
- Must include at least one verifiable expected outcome
Phase 4: Classify — Evaluate & Deduplicate
Before keeping a generated situation, classify it:
| Classification | Criteria | Action |
|---|---|---|
| New | Not covered by any existing situation | KEEP — add to scenarios |
| Variant | Similar to existing but meaningfully different | KEEP — add as sub-scenario |
| Duplicate | Already covered by existing situation | DISCARD — log as "duplicate of #N" |
| Out of scope | Doesn't match the seed scenario | DISCARD — log as "out of scope" |
| Low value | Technically possible but unrealistic | DISCARD — log as "low value" |
Deduplication check:
- Compare against ALL previously generated situations
- Check for semantic similarity, not just text matching
- A situation with different actors but identical flow is a variant, not new
Phase 5: Expand — Edge Cases & Stress Tests
For each KEPT situation, derive additional scenarios:
Expansion techniques:
| Technique | Description | Example |
|---|---|---|
| What-if | Change one variable | "What if the network drops mid-transaction?" |
| Boundary | Push values to limits | "What if quantity = 0? -1? MAX_INT?" |
| Interruption | Inject failure mid-flow | "What if power loss occurs at step 3?" |
| Ordering | Change sequence | "What if step 2 happens before step 1?" |
| Missing data | Remove expected input | "What if the required field is null?" |
| Stale data | Use outdated information | "What if the cached price changed 5 minutes ago?" |
For each expansion:
- Generate as sub-scenario under the parent situation
- Mark with severity (Critical/High/Medium/Low)
- Note if it maps to a known bug pattern
Phase 6: Log — Record Everything
Append to scenario-results.tsv:
iteration dimension classification severity title description parent
1 happy_path new - Successful checkout User completes standard checkout flow -
2 error_path new HIGH Payment declined Card rejected during checkout -
3 edge_case new MEDIUM Empty cart checkout User clicks checkout with 0 items -
4 edge_case variant LOW Single-item cart User checks out with exactly 1 item #1
5 concurrent new CRITICAL Double-submit User clicks pay twice rapidly -
6 abuse new CRITICAL Price manipulation User modifies price client-side -
Every 5 iterations, print progress:
=== Scenario Progress (iteration 15) ===
Scenarios generated: 12 (8 new, 3 variants, 1 discarded)
Dimensions covered: 7/12 (58%)
Edge cases found: 18
Severity breakdown: 2 Critical, 4 High, 8 Medium, 4 Low
Coverage gaps: scale, temporal, recovery — unexplored
Phase 7: Repeat — Next Exploration Vector
Prioritization for next iteration:
- Unexplored dimensions with highest expected severity
- Combinations of dimensions not yet tested together
- Expansions of high-severity situations
- Domain-specific patterns not yet covered
- Coverage gaps identified in progress summary
When to stop (unbounded mode):
- Never stop automatically — user interrupts
- Print "diminishing returns" warning after 5 iterations with no new unique situations
When to stop (bounded mode):
- After N iterations, print final summary and stop
Flags
| Flag | Purpose |
|---|---|
--domain <type> |
Set domain context (software, product, business, security, marketing) |
--depth <level> |
Set exploration depth (shallow=10, standard=25, deep=50+) |
--scope <glob> |
Limit to specific files/features for codebase-aware generation |
--format <type> |
Output format (use-cases, user-stories, test-scenarios, threat-scenarios, mixed) |
--focus <area> |
Prioritize specific dimension (edge-cases, failures, security, scale) |
--chain <targets> |
Chain to downstream tool(s) after completion. Comma-separated for multi-chain. Spaces after commas tolerated. |
Composite Metric
For bounded loops, scenario exploration thoroughness:
scenario_score = scenarios_generated * 10
+ edge_cases_found * 15
+ (dimensions_covered / total_dimensions) * 30
+ unique_actors_explored * 5
+ (high_severity_found * 3)
Higher = more thorough. Incentivizes breadth (cover dimensions) AND depth (find edge cases).
Chain Conversion
--chain debug
Each high-risk scenario (Critical or High severity) becomes a hypothesis for the debug investigation loop. Scope is derived from the files mentioned in or related to each scenario.
$autoresearch debug
Scope: {files from scenario scope or codebase map}
Symptom: scenarios predict high-risk failure modes — {N} hypotheses queued
Hypotheses:
H-01 [CRITICAL] {scenario title} — {trigger description}
H-02 [HIGH] {scenario title} — {trigger description}
--chain fix
Edge case failures and failure mode scenarios become fix targets sorted by severity.
$autoresearch fix
Target: {top Critical/High scenario title}
Scope: {file paths related to failure scenarios}
--chain security
Threat scenarios and abuse-dimension findings feed the security audit focus areas.
$autoresearch security
Scope: {files from abuse/permission/data_variation scenarios}
Focus: threat scenarios from exploration: {comma-separated scenario titles}
--chain predict
Scenarios become the goal for multi-persona swarm impact analysis — "what broader impact do these scenarios predict."
$autoresearch predict
Scope: {file paths from scenario scope}
Goal: predict broader impact of identified failure scenarios and edge cases
--chain plan
Scenario findings become requirements for implementation planning — gaps and failure modes become planned features or hardening tasks.
$autoresearch plan
Goal: address failure modes and edge cases uncovered by scenario exploration
Source: scenario/{slug}/summary.md
--chain learn
The full scenario tree is documented for codebase learning — future features can reference coverage gaps.
$autoresearch learn
Topic: scenario coverage, edge cases, and failure modes
Source: scenario/{slug}/scenarios.md
--chain reason
Complex scenarios with no clear resolution become tasks for adversarial refinement.
$autoresearch reason
Task: determine best handling strategy for complex/unresolved scenarios
Evidence: scenario/{slug}/edge-cases.md
--chain ship
Scenario coverage becomes a ship readiness gate — Critical failures block, High failures warn.
$autoresearch ship
Gate: {FAIL if any unaddressed Critical scenarios, WARN if High scenarios unresolved}
Blockers: {count of unaddressed Critical scenarios}
--chain probe
Scenarios reveal requirement gaps — situations the system can't handle expose missing or ambiguous requirements.
$autoresearch probe
Topic: requirement gaps revealed by scenario exploration
Source: scenario/{slug}/summary.md
Multi-Chain Execution
--chain debug,fix,ship executes sequentially:
- Write
handoff.jsonafter scenario exploration completes - Launch
debugwith chain conversion above - After
debugcompletes, convert debug findings +handoff.json→fixtargets - After
fixcompletes, convert fix session results →shipgate - Each stage's output feeds the next via updated
handoff.json
Empirical evidence rule: Downstream loop results ALWAYS override upstream scenario consensus. If debug disproves a scenario's predicted failure mode, the empirical finding wins — update the scenario report with DISPROVEN by debug loop.
Output Directory
Creates scenario/{YYMMDD}-{HHMM}-{scenario-slug}/ with:
scenarios.md— all generated scenarios grouped by dimension, with full situation formatuse-cases.md— formal use cases (Given/When/Then) derived from scenariosedge-cases.md— edge cases and failure modes with severity ratingsscenario-results.tsv— iteration logsummary.md— executive summary with coverage matrix, dimension heatmap, recommendations
Domain-Specific Templates
When a domain is specified (or detected), load domain-specific dimension priorities:
Software/API Domain
Priority dimensions: error_path, edge_case, concurrent, integration, data_variation Default format: test-scenarios Extra checks: API contract violations, backward compatibility, idempotency
Product/UX Domain
Priority dimensions: happy_path, error_path, permission, temporal, state_transition Default format: user-stories Extra checks: Accessibility, mobile responsiveness, offline behavior, onboarding
Business/Process Domain
Priority dimensions: happy_path, error_path, permission, temporal, recovery Default format: use-cases Extra checks: Approval chains, SLA violations, audit trail, escalation paths
Security/Compliance Domain
Priority dimensions: abuse, permission, data_variation, integration, concurrent Default format: threat-scenarios Extra checks: OWASP Top 10 mapping, data exposure, privilege escalation, injection vectors
Marketing/Sales Domain
Priority dimensions: happy_path, data_variation, temporal, scale, state_transition Default format: user-stories Extra checks: A/B test interference, attribution edge cases, funnel drop-offs, localization
Chaining Patterns
# Explore scenarios, then hunt for bugs in those areas
$autoresearch scenario
Iterations: 25
$autoresearch debug --scope src/checkout/**
Symptom: edge cases from scenario exploration
# Explore, then security audit the weak spots
$autoresearch scenario --domain security
Iterations: 15
$autoresearch security --scope src/auth/**
# Generate test scenarios, then use them to write tests
$autoresearch scenario --format test-scenarios --domain software
Iterations: 20
# Output can feed into test generation workflows
What NOT to Do — Anti-Patterns
| Anti-Pattern | Why It Fails |
|---|---|
| Generate 50 happy paths | No value — one happy path reveals the baseline, then explore what breaks |
| Stay in one dimension | Missing coverage — force dimension rotation after 3 consecutive same-dimension iterations |
| Vague situations | "Something bad happens" is not a scenario — require specific trigger, flow, and outcome |
| Skip classification | Duplicates waste iterations and inflate metrics without adding value |
| Ignore domain context | A security scenario needs threat-focused dimensions, not UX-focused ones |
| Abstract without concrete | "User might experience issues" — name the issue, the trigger, and the impact |