Skip to content

Commit 1c15888

Browse files
committed
chore: Improve skills description and guidance
1 parent 0a7ce82 commit 1c15888

5 files changed

Lines changed: 118 additions & 20 deletions

File tree

src/main/resources/skills/dochia-fuzz/SKILL.md

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -29,9 +29,9 @@ requests to discover unexpected vulnerabilities and edge cases.
2929
## Prerequisites
3030

3131
- Dochia CLI installed (any of the following):
32-
- `brew install dochia-dev/tap/dochia-cli`
33-
- `curl -sSL get.dochia.dev | sh`
34-
- `docker pull dochiadev/dochia-cli`
32+
- `brew install dochia-dev/tap/dochia-cli`
33+
- `curl -sSL get.dochia.dev | sh`
34+
- `docker pull dochiadev/dochia-cli`
3535
- An OpenAPI specification file (YAML or JSON)
3636
- A running API server to fuzz
3737

src/main/resources/skills/dochia-list/SKILL.md

Lines changed: 21 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -68,6 +68,27 @@ dochia list --paths -c openapi.yml --tag users
6868
| `--tag` | Filter paths by OpenAPI tag |
6969
| `-j, --json` | Output in JSON format |
7070

71+
## Understanding Resource Dependencies
72+
73+
Use `--paths` to inspect the API structure before running tests. This helps identify resource dependencies
74+
that require a specific testing order:
75+
76+
```bash
77+
# List all paths to understand the resource hierarchy
78+
dochia list --paths -c openapi.yml
79+
80+
# Inspect a specific path to see its query parameters, http headers, response codes, and methods
81+
dochia list --paths -c openapi.yml --path /pet/{petId}
82+
```
83+
84+
Look for patterns like:
85+
- `POST /resource` (creates) → `GET/PUT/DELETE /resource/{id}` (needs the created ID)
86+
- `POST /resource/{id}/subresource` (needs parent resource ID first)
87+
88+
This is important because Dochia is stateless. When testing endpoints that require existing resource IDs,
89+
you should first create resources using the `HappyPath` playbook on creation endpoints, then supply the
90+
IDs via `-R` or `--reference-data`. See the `dochia-test` skill for the full stateful testing workflow.
91+
7192
## Documentation
7293

7394
Full reference: https://docs.dochia.dev/cli/list

src/main/resources/skills/dochia-replay/SKILL.md

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -28,9 +28,9 @@ debugging failures, and validating fixes.
2828
## Prerequisites
2929

3030
- Dochia CLI installed (any of the following):
31-
- `brew install dochia-dev/tap/dochia-cli`
32-
- `curl -sSL get.dochia.dev | sh`
33-
- `docker pull dochiadev/dochia-cli`
31+
- `brew install dochia-dev/tap/dochia-cli`
32+
- `curl -sSL get.dochia.dev | sh`
33+
- `docker pull dochiadev/dochia-cli`
3434
- A previous test run with reports in `./dochia-report` (or custom output directory)
3535
- A running API server
3636

src/main/resources/skills/dochia-test/SKILL.md

Lines changed: 82 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -4,7 +4,7 @@ description: >
44
Run comprehensive API testing against OpenAPI specifications using Dochia. Use when the user wants to
55
test APIs, run negative/boundary tests, validate API behavior, check for 5XX errors, run security-focused
66
API tests, or verify input validation. Also use when the user mentions chaos testing, fuzzing playbooks,
7-
API hardening, or contract testing. Requires an OpenAPI spec file and a running server.
7+
API hardening, or contract testing. Requires an OpenAPI spec file and a running server. (1 supporting files)
88
metadata:
99
triggers: |
1010
test my API
@@ -19,6 +19,8 @@ metadata:
1919
chaos testing
2020
contract testing
2121
run dochia
22+
test endpoints with dependencies
23+
supply reference data
2224
examples: |
2325
dochia test -c openapi.yml -s http://localhost:8080 -b
2426
dochia test -c openapi.yml -s http://localhost:8080 --playbooks "MalformedJson,BypassAuthentication" -b
@@ -33,9 +35,9 @@ API endpoints based on an OpenAPI specification.
3335
## Prerequisites
3436

3537
- Dochia CLI installed (any of the following):
36-
- `brew install dochia-dev/tap/dochia-cli`
37-
- `curl -sSL get.dochia.dev | sh`
38-
- `docker pull dochiadev/dochia-cli`
38+
- `brew install dochia-dev/tap/dochia-cli`
39+
- `curl -sSL get.dochia.dev | sh`
40+
- `docker pull dochiadev/dochia-cli`
3941
- An OpenAPI specification file (YAML or JSON)
4042
- A running API server to test against
4143

@@ -150,12 +152,14 @@ dochia test -c openapi.yml -s https://localhost:8443 --ssl-keystore keystore.jks
150152
Reports are generated in `./dochia-report` by default. Use `--output` to change the directory.
151153

152154
Each test produces:
155+
153156
- `TestN.html` — human-readable report
154157
- `TestN.json` — machine-readable result with full request/response details
155158

156159
A `dochia-summary-report.json` is also generated with a compact array of all test results.
157160

158-
See [the report output reference](references/report-output.md) for the full JSON schemas and `jq` examples for parsing results programmatically.
161+
See [the report output reference](references/report-output.md) for the full JSON schemas and `jq` examples for parsing
162+
results programmatically.
159163

160164
### Quick Report Analysis
161165

@@ -176,6 +180,79 @@ cat dochia-report/Test449.json | jq .
176180
cat dochia-report/dochia-summary-report.json | jq -r '[.testCases[] | select(.result == "error") | .id] | join(",")'
177181
```
178182

183+
## Stateful Testing Workflow
184+
185+
Dochia is stateless — it does not automatically create or manage resources between requests. When testing APIs
186+
with resource dependencies (e.g. `PUT /pet/{petId}` requires a `petId` from `POST /pet`), you need to
187+
orchestrate the workflow yourself.
188+
189+
### Step 1: Understand the resource hierarchy
190+
191+
Use `dochia list --paths` to inspect the API structure and identify parent/child resource relationships:
192+
193+
```bash
194+
dochia list --paths -c openapi.yml
195+
dochia list --paths -c openapi.yml --path /pet/{petId}
196+
```
197+
198+
Look for patterns like:
199+
200+
- `POST /resource` (creates) → `GET/PUT/DELETE /resource/{id}` (requires ID)
201+
- `POST /resource/{id}/subresource` (requires parent ID)
202+
203+
### Step 2: Create resources first using HappyPath
204+
205+
Run the `HappyPath` playbook on creation endpoints (typically POST) to generate valid resources.
206+
Inspect the response body from the JSON report to extract the resource ID.
207+
208+
> **Note:** The ID field name varies by API. Check the OpenAPI spec or the raw response body to find the correct
209+
> field. For example, for a Pet resource, it might be `.id`, `.petId`, `.idOfPet`, `.petIdentifier`, etc.
210+
211+
```bash
212+
# Run only HappyPath on the creation endpoint
213+
dochia test -c openapi.yml -s http://localhost:8080 --path "/pet" --http-method POST --playbooks HappyPath -o /tmp/setup-report
214+
215+
# First, inspect the full response to find the correct ID field name
216+
cat /tmp/setup-report/Test1.json | jq '.response.body'
217+
218+
# Then extract using the actual field name from your API
219+
cat /tmp/setup-report/Test1.json | jq '.response.body.id' # adjust field name as needed
220+
```
221+
222+
### Step 3: Supply reference data with -R
223+
224+
Use `-R` to pass fixed field values that Dochia will inject into path parameters and request bodies:
225+
226+
```bash
227+
# Inline reference data (applied to all paths)
228+
dochia test -c openapi.yml -s http://localhost:8080 -R "petId=123" -b
229+
230+
# Per-path reference data via YAML file
231+
dochia test -c openapi.yml -s http://localhost:8080 --reference-data refData.yml -b
232+
```
233+
234+
The reference data YAML file format supports per-path and global (`all`) values:
235+
236+
```yaml
237+
/pet/{petId}:
238+
petId: "123"
239+
/store/order/{orderId}:
240+
orderId: "456"
241+
all:
242+
apiVersion: "v2"
243+
```
244+
245+
### Recommended agent workflow
246+
247+
When testing an API with resource dependencies:
248+
249+
1. Run `dochia list --paths -c openapi.yml` to understand the API structure
250+
2. Identify which endpoints create resources (typically POST without path parameters)
251+
3. Run `dochia test` with `--playbooks HappyPath` on creation endpoints first
252+
4. Extract resource IDs from the JSON response in the report
253+
5. Run the full test suite on dependent endpoints using `-R` to supply the extracted IDs
254+
6. Analyze results and replay failures with `dochia replay`
255+
179256
## Listing Available Playbooks
180257

181258
```bash

src/main/resources/skills/dochia-test/references/report-output.md

Lines changed: 9 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -131,16 +131,16 @@ Each `TestN.json` file contains the full details of a single test case:
131131

132132
### Summary Key Fields
133133

134-
| Field | Description |
135-
|---------------------|-----------------------------------------------------------|
134+
| Field | Description |
135+
|---------------------|--------------------------------------------------------------------------|
136136
| `id` | Test identifier (e.g. "Test 1"). Filename strips the space: `Test1.json` |
137-
| `result` | `"error"`, `"warning"`, `"success"`, or `"skipped"` |
138-
| `playbook` | Playbook name |
139-
| `path` | OpenAPI path |
140-
| `httpMethod` | HTTP method |
141-
| `httpResponseCode` | Response status code |
142-
| `timeToExecuteInMs` | Execution time |
143-
| `switchedResult` | Whether the result was switched by a filter |
137+
| `result` | `"error"`, `"warning"`, `"success"`, or `"skipped"` |
138+
| `playbook` | Playbook name |
139+
| `path` | OpenAPI path |
140+
| `httpMethod` | HTTP method |
141+
| `httpResponseCode` | Response status code |
142+
| `timeToExecuteInMs` | Execution time |
143+
| `switchedResult` | Whether the result was switched by a filter |
144144

145145
### Summary Metadata Fields
146146

0 commit comments

Comments
 (0)