QA audit: auto-login per role and test the whole API
qa_auditScans project code for API endpoints, logs in as each role, runs test suite, and generates per-role and combined QA audit reports.
Instructions
The QA one-call workflow. Provide the project path and a list of role credentials (email/username + password). The tool detects the base URL and login endpoint, logs in as each role, runs the test suite per role (read-only by default), and writes a per-role + combined report. Set includeWrites=true only against a throwaway/staging env.
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| path | Yes | Project root path. | |
| roles | Yes | Credentials per role, e.g. [{role:'admin',email:'a@x.com',password:'…'}]. | |
| baseUrl | No | API base URL. Omit to auto-detect from the code. | |
| loginPath | No | Override login endpoint path. | |
| roleScoped | No | Test each role only on endpoints its route-guard allows (plus unguarded ones), so you get more real 200s and far fewer 403/404s. Set false for full coverage. | |
| concurrency | No | ||
| includeWrites | No | Include POST/PUT/PATCH/DELETE tests. Only for throwaway/staging envs. | |
| includeDestructive | No | Also test session-breaking endpoints (logout, refresh-token, delete-account, password reset, register). Off by default — testing logout revokes your own token. | |
| maxRateLimitWaitMs | No | Max ms to pace a request when the server's rate-limit budget is low. Raise toward the reset window (e.g. 900000) for exhaustive coverage under strict limits. |