sar/.claude/skills/bmad-testarch-test-design/steps-c/step-03-risk-and-testability.md

name, description, nextStepFile, outputFile

name	description	nextStepFile	outputFile
step-03-risk-and-testability	Perform testability review (system-level) and risk assessment	{skill-root}/steps-c/step-04-coverage-plan.md	{test_artifacts}/test-design-progress.md

Step 3: Testability & Risk Assessment

STEP GOAL

Produce a defensible testability review (system-level) and a risk assessment matrix (all modes).

MANDATORY EXECUTION RULES

• 📖 Read the entire step file before acting
• ✅ Speak in {communication_language}
• 🎯 Base conclusions on evidence from loaded artifacts

---

EXECUTION PROTOCOLS:

• 🎯 Follow the MANDATORY SEQUENCE exactly
• 💾 Record outputs before proceeding
• 📖 Load the next step only when instructed

CONTEXT BOUNDARIES:

• Available context: config, loaded artifacts, and knowledge fragments
• Focus: this step's goal only
• Limits: do not execute future steps
• Dependencies: prior steps' outputs (if any)

MANDATORY SEQUENCE

CRITICAL: Follow this sequence exactly. Do not skip, reorder, or improvise.

1. System-Level Mode: Testability Review

If system-level, evaluate architecture for:

• Controllability (state seeding, mockability, fault injection)
• Observability (logs, metrics, traces, deterministic assertions)
• Reliability (isolation, reproducibility, parallel safety)

Structure output as:

1. 🚨 Testability Concerns (actionable issues first)
2. ✅ Testability Assessment Summary (what is already strong)

Also identify ASRs (Architecturally Significant Requirements):

• Mark each as ACTIONABLE or FYI

---

2. All Modes: Risk Assessment

Using risk-governance.md and probability-impact.md (if loaded):

• Identify real risks (not just features)
• Classify by category: TECH / SEC / PERF / DATA / BUS / OPS
• Score Probability (1–3) and Impact (1–3)
• Calculate Risk Score (P × I)
• Flag high risks (score ≥ 6)
• Define mitigation, owner, and timeline

---

3. NFR Planning Assessment

Using nfr-criteria.md when loaded:

• Identify NFR categories in scope: security, performance, reliability, scalability, maintainability, compliance, and any project-specific categories
• Extract measurable thresholds from PRD, architecture, ADRs, epics, or stories
• Mark missing thresholds as UNKNOWN and convert them into clarification items or risks; do not guess values
• Define planned evidence sources for later validation (tests, scans, metrics, logs, monitoring, CI reports)
• Convert NFR gaps into the existing risk register using SEC / PERF / OPS / TECH / DATA categories

Boundary: This workflow plans NFR validation. It does not assess final PASS/CONCERNS/FAIL from implementation evidence. Use nfr-assess after implementation evidence exists.

---

4. Summarize Risk Findings

Summarize the highest risks and their mitigation priorities.

---

5. Save Progress

Save this step's accumulated work to {outputFile}.

• If {outputFile} does not exist (first save), create it with YAML frontmatter:

  ---
  workflowStatus: 'in-progress'
  totalSteps: 5
  stepsCompleted: ['step-03-risk-and-testability']
  lastStep: 'step-03-risk-and-testability'
  nextStep: '{nextStepFile}'
  lastSaved: '{date}'
  ---
  

  Then write this step's output below the frontmatter.

• If {outputFile} already exists, update:

  • Set workflowStatus: 'in-progress'
  • Set totalSteps: 5
  • Add 'step-03-risk-and-testability' to stepsCompleted array (only if not already present)
  • Set lastStep: 'step-03-risk-and-testability'
  • Set nextStep: '{nextStepFile}'
  • Set lastSaved: '{date}'
  • Append this step's output to the appropriate section of the document.

Load next step: {nextStepFile}

🚨 SYSTEM SUCCESS/FAILURE METRICS:

✅ SUCCESS:

• Step completed in full with required outputs

❌ SYSTEM FAILURE:

• Skipped sequence steps or missing outputs Master Rule: Skipping steps is FORBIDDEN.