# Business Logic Testing (/test-logic)

/test-logic is now a compatibility router. Real execution should prefer the dedicated entrypoints:

- /test-logic-business
- /test-logic-race
- /test-logic-upload

These dedicated entrypoints keep the same methodology while avoiding the old monolithic prompt load.

/test-logic <target_url> [scope] [engagement_dir]
/test-logic <target_url> --scope <business|race|upload> [engagement_dir]
## Scope Routing

| Scope | Dedicated Skill | Focus |
|---|---|---|
| business | /test-logic-business | Price/quantity manipulation, financial logic, workflow bypass, coupon abuse, state-machine violations |
| race | /test-logic-race | Atomicity violations, single-packet attack, concurrency exploitation, hidden substates, GraphQL batching races |
| upload | /test-logic-upload | Extension bypass, Content-Type bypass, magic bytes manipulation, path traversal in filenames, SVG/XXE via upload |
## Coverage by Sub-Skill

- /test-logic-business: covers price and quantity manipulation, financial transfer flaws, workflow bypass, coupon abuse, client-side rule enforcement bypass, and other business-rule failures.
- /test-logic-race: covers single-packet attacks, limit overruns, double-spend patterns, hidden substates, and other concurrency-driven invariant breaks.
- /test-logic-upload: covers extension bypass, MIME and magic-byte tricks, filename/path traversal, SVG/XXE, and upload-processing weaknesses.
## Router Behavior

If --scope is supplied, /test-logic immediately routes to the matching dedicated skill. Without --scope, the intended execution order is:

1. /test-logic-business
2. /test-logic-race
3. /test-logic-upload
## Model and Thinking Budget

| Component | Model | Rationale |
|---|---|---|
| /test-logic-business | Opus (high) | Requires state-machine and domain reasoning |
| /test-logic-race | Opus (high) | Timing-sensitive concurrency reasoning |
| /test-logic-upload | Opus (medium) | Systematic validation-bypass testing |
## Kill Switch
| Limit | Value |
|---|---|
| Timeout | 45 minutes |
| Max requests | 500 (warning at 400) |
| Race condition parallelism | Max 2-3 concurrent requests |
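As an added illustration (not the project's own code), the following Python models the scope routing described in Router Behavior and the request budget and parallelism cap from the Kill Switch table; the names `route` and `KillSwitch` are assumptions.

```python
# Added example, not the project's code: models the documented scope routing
# and kill-switch limits. Names (route, KillSwitch) are assumptions.
from dataclasses import dataclass, field
SCOPE_TO_SKILL = {
    "business": "/test-logic-business",
    "race": "/test-logic-race",
    "upload": "/test-logic-upload",
}
DEFAULT_ORDER = ["business", "race", "upload"]  # execution order without --scope

def route(args):
    """Map a /test-logic argument list (target_url first) to skills to run."""
    if not args:
        raise ValueError("target_url is required")
    rest = list(args[1:])
    scope = None
    if rest and rest[0] == "--scope":  # --scope <business|race|upload> form
        if len(rest) < 2:
            raise ValueError("--scope needs a value")
        scope = rest[1]
    elif rest and rest[0] in SCOPE_TO_SKILL:
        scope = rest[0]  # positional scope; any other value is engagement_dir
    if scope is None:
        return [SCOPE_TO_SKILL[s] for s in DEFAULT_ORDER]
    if scope not in SCOPE_TO_SKILL:
        raise ValueError(f"unknown scope {scope!r}")
    return [SCOPE_TO_SKILL[scope]]

@dataclass
class KillSwitch:
    """Request budget from the Kill Switch table: warn at 400, stop at 500."""
    max_requests: int = 500
    warn_at: int = 400
    race_parallelism: int = 3  # "max 2-3 concurrent requests"
    sent: int = 0
    warnings: list = field(default_factory=list)

    def record(self, n=1):
        """Account for n requests; False once the hard limit would be exceeded."""
        if self.sent + n > self.max_requests:
            return False
        self.sent += n
        if self.sent >= self.warn_at and not self.warnings:
            self.warnings.append(f"{self.sent}/{self.max_requests} requests used")
        return True

    def race_batch(self, requested):
        """Clamp a concurrent race batch to the documented parallelism cap."""
        return min(requested, self.race_parallelism)
```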
## Critical Behaviors Preserved
- Business logic testing still requires identifying the violated invariant before mutation.
- Race testing still requires explicit user confirmation for side-effecting concurrent actions.
- Upload testing still requires clearly named test files and cleanup awareness.
- One proof does not close the entire category; each business flow, race target, or upload path remains separate.
## Knowledge Packs and Cheatsheets
| Resource | Path |
|---|---|
| Shared router bootstrap | helpers/scope-bootstrap.md |
| Business logic knowledge | helpers/knowledge-business-logic.md (loaded only by /test-logic-business) |
| Race condition knowledge | helpers/knowledge-race-condition.md (loaded only by /test-logic-race) |
| Upload knowledge | helpers/knowledge-upload.md (loaded only by /test-logic-upload) |
| Shared logic notes | helpers/knowledge-logic.md |
| Logic cheatsheet | helpers/cheatsheet-logic.md |
| Research terms | helpers/research-terms.md |
External payload files: PayloadsAllTheThings race condition techniques, file upload bypass lists and extension intruder lists.
## Safety
- Ask before cart, payment, coupon, transfer, or workflow tests that could trigger real impact.
- Ask before every race test that can create duplicate records, corrupt data, or cause charges.
- Ask before upload tests that leave artifacts on the server.
- Prefer minimal, reversible proofs and document cleanup needs.