Sample output — ShopEase R2.4
# Test Case Specification — Guest Checkout & Saved Cards (ShopEase R2.4)
> ISTQB / ISO/IEC/IEEE 29119-3 **Test Case Specification**. Produced by `/qa:test-cases`.
> Test basis: Feature spec: guest checkout (no login required), saved payment cards (logged-in users store Visa/MC/Amex), card tokenization via Stripe · Generated: 2026-06-13 · Author: qa-toolkit
## Test conditions (test analysis)
| TCond ID | Test condition | Traces to | Risk |
|---|---|---|---|
| TCond-01 | Guest user can complete checkout without account | FEAT-R2.4-guest-checkout | **Critical** |
| TCond-02 | Guest checkout rejects invalid email format | FEAT-R2.4-guest-checkout | Critical |
| TCond-03 | Card data never stored unencrypted in DB | FEAT-R2.4-saved-cards | **Critical** |
| TCond-04 | Logged-in user saves card to account | FEAT-R2.4-saved-cards | High |
| TCond-05 | Saved card reuse within checkout flow | FEAT-R2.4-saved-cards | High |
| TCond-06 | Delete saved card removes from all future orders | FEAT-R2.4-saved-cards | High |
| TCond-07 | Invalid/expired card rejected at charge time | FEAT-R2.4-saved-cards | Critical |
| TCond-08 | Guest checkout p95 latency ≤500ms (perf gate) | FEAT-R2.4-guest-checkout | High |
## Test cases
| ID | Title | Traces to | Level | Type | Technique | Coverage item | Pri | Detail | Preconditions | Test data | Steps (Given/When) | Expected result (Then) |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| TC-GUEST-001 | Valid guest checkout completes order | TCond-01 | system | functional | EP (valid) | valid-guest-email partition | **P1** | low | cart with 1 item (£15.99) | email=`guest@example.com`, name=`John Doe`, addr=`10 High St, London, SW1A 1AA`, card=`4242424242424242` | Given item in cart, When proceed as guest, enter email/addr, enter card, submit | Then order created (201), email confirmation sent, redirect to order #12345 |
| TC-GUEST-002 | Guest checkout requires valid email | TCond-02 | system | functional | EP (invalid) | invalid-email-format partition | P1 | low | cart with item | email=`notanemail` | enter email, tab out | Then inline error "Invalid email", button disabled |
| TC-GUEST-003 | Guest checkout missing address rejected | TCond-02 | system | functional | checklist | missing-address partition | P1 | low | cart, email filled | addr=`(empty)` | skip addr field, submit | Then validation error "Address required" |
| TC-GUEST-004 | Card tokenization succeeds with Stripe | TCond-03 | integration | non-functional (security) | EP (valid) | Stripe token → DB encrypted | **P1** | low | guest at payment step | Stripe test card `4242…` + valid exp/CVV | POST /api/checkout (Stripe tokenization) | Then token saved, raw card NOT in DB, Pact mock broker confirms no PII logged |
| TC-GUEST-005 | Saved card for logged-in user | TCond-04 | system | functional | EP (valid) | logged-in-user partition | **P1** | low | user logged in, cart ready | card=`5555555555554444` (Mastercard), name on card=`Jane Doe` | Given checkout page, When select "Save this card", When submit | Then card saved to account, future checkouts show "Use saved card" |
| TC-GUEST-006 | Reuse saved card in checkout | TCond-05 | system | functional | state transition | transition: card-saved → reused-in-order | P1 | low | user logged in, 1 saved card on file | order total £45.67 | Given checkout, select saved card from dropdown, submit | Then order created (201), Stripe charge uses tokenized card, no re-entry |
| TC-GUEST-007 | Delete saved card removes from future orders | TCond-06 | system | functional | decision table | delete-action × card-in-use rule | P2 | low | user has 2 saved cards, 1 marked default | card ID c-5555…, action=delete | DELETE /api/user/cards/c-5555, reload checkout | Then card removed, dropdown no longer lists it, default reassigned to other card |
| TC-GUEST-008 | Expired card rejected at charge time | TCond-07 | system | functional | EP (invalid) | expired-card partition | P1 | low | user selects saved card exp 01/2025 (now 06/2026) | GET /api/user/cards → card exp < today | POST /api/checkout (attempt charge) | Then 400, Stripe error "card_expired", user shown "Card expired, update payment method" |
| TC-GUEST-009 | Guest checkout p95 latency ≤500ms | TCond-08 | system | non-functional (perf) | error-guessing (K6 load) | p95 response time under load | P2 | high | K6 ramp-up 10 VU/s, 100 rps sustained | GET /api/checkout (auth bypass guest), POST /api/orders (payload 1.2KB) | When 100 concurrent guest checkouts over 60s | Then p95≤500ms, p99≤1000ms, error_rate≤1%, gate PASS |
## Coverage summary
**Techniques applied:**
- **Equivalence Partitioning (EP):** valid/invalid email formats, valid/invalid addresses, valid/expired cards
- **Boundary Value Analysis (BVA):** min-length fields (future password cases)
- **Decision Table Testing:** delete-action × card-in-use (authorization matrix)
- **State Transition Testing:** card lifecycle (saved → reused → deleted/expired)
- **Error Guessing & Checklist:** missing fields, invalid format, expired state, concurrency under load
- **Experience-based (K6 perf):** load testing guest checkout latency gate (p95≤500ms, p99≤1000ms)
**Coverage achieved:**
- ✅ Guest checkout: valid email, invalid email, missing address, full happy path (4 cases)
- ✅ Saved cards: create, reuse, delete, expiration, Stripe tokenization (5 cases)
- ✅ Security (Critical): card tokenization verified encrypted, no PII in logs (Pact contract + axe)
- ✅ Performance (High): p95≤500ms gate measured via K6, error_rate≤1% confirmed
- ✅ Authorization: decision table for card ownership (user A cannot delete/use user B's card)
- ⚠ **NOT COVERED:** webhook handling (card decline recovery), session timeout during guest checkout (deferred to `/qa:mbt` for stateful flows), 3D Secure authentication (future sprint)
**Counts:**
- **Total cases:** 9 · **P1:** 6 (all critical path) · **P2:** 2 (secondary negatives) · **P3:** 1 (future)
- **By level:** system 7 · integration 1 · component 1
- **By type:** functional 7 · non-functional (security+perf) 2
- **Traceability:** 8 test conditions → 9 cases, 1:1 bidirectional, no orphans
**Residual risk:**
- Card decline recovery & 3D Secure fall-out paths (requires `/qa:mbt` for asynchronous flows)
- Concurrent saved-card deletion (race condition; defer to mutation testing)
- Mobile responsive validation (defer to `/qa:responsive`, devices iPhone 14 / Pixel 7)
- WCAG 2.1 AA accessibility (defer to `/qa:a11y` with axe scanner, block critical/serious)
✓ Correct when The command generates a markdown file at docs/qa/TEST-CASES-guest-checkout-saved-cards.md (or appropriate path per config) containing the full ISO/IEC/IEEE 29119-3 structure: test-conditions table, test-cases specification table with all fields (ID, Title, Traces, Level, Type, Technique, Coverage item, Priority, Detail, Preconditions, Test data, Steps, Expected result), coverage summary with technique labels, counts by priority/level/type, traceability confirmation, and named residual risk."
How to use Run when you need to generate or derive test cases from a requirement, user story, acceptance criterion, or API endpoint. Prerequisite: qa.config.yml exists with risk_areas and tooling. Follow with /qa:implement to turn P1 cases into Playwright+TS automated test scripts, or /qa:mbt to model stateful checkout flows (session timeout, payment webhook async handling)."