~cytrogen/gstack

ref: 6169273d16b7ab8690943241fa802e5a1ca85305 gstack/review/specialists/testing.md -rw-r--r-- 2.1 KiB
6169273d — Garry Tan feat: /design-html works from any starting point (v0.15.1.0) (#734) 9 days ago

# Testing Specialist Review Checklist

Scope: Always-on (every review)

Output: JSON objects, one finding per line.

Schema:

```json
{"severity":"CRITICAL|INFORMATIONAL","confidence":N,"path":"file","line":N,"category":"testing","summary":"...","fix":"...","fingerprint":"path:line:testing","specialist":"testing"}
```

If no findings: output `NO FINDINGS` and nothing else.


## Categories

### Missing Negative-Path Tests

  • New code paths that handle errors, rejections, or invalid input with NO corresponding test
  • Guard clauses and early returns that are untested
  • Error branches in try/catch, rescue, or error boundaries with no failure-path test
  • Permission/auth checks that are asserted in code but never tested for the "denied" case

### Missing Edge-Case Coverage

  • Boundary values: zero, negative, max-int, empty string, empty array, nil/null/undefined
  • Single-element collections (off-by-one on loops)
  • Unicode and special characters in user-facing inputs
  • Concurrent access patterns with no race-condition test

### Test Isolation Violations

  • Tests sharing mutable state (class variables, global singletons, DB records not cleaned up)
  • Order-dependent tests (pass in sequence, fail when randomized)
  • Tests that depend on system clock, timezone, or locale
  • Tests that make real network calls instead of using stubs/mocks

### Flaky Test Patterns

  • Timing-dependent assertions (sleep, setTimeout, waitFor with tight timeouts)
  • Assertions on ordering of unordered results (hash keys, Set iteration, async resolution order)
  • Tests that depend on external services (APIs, databases) without fallback
  • Randomized test data without seed control

### Security Enforcement Tests Missing

  • Auth/authz checks in controllers with no test for the "unauthorized" case
  • Rate limiting logic with no test proving it actually blocks
  • Input sanitization with no test for malicious input
  • CSRF/CORS configuration with no integration test

### Coverage Gaps

  • New public methods/functions with zero test coverage
  • Changed methods where existing tests only cover the old behavior, not the new branch
  • Utility functions called from multiple places but tested only indirectly
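As an added illustration (not code from gstack), the tests below are what the negative-path, edge-case, isolation and security-enforcement items above ask for, written against a small constructed authorization guard and fixed-window rate limiter. `ROLE_ACTIONS`, `authorize`, `RateLimiter` and `FakeClock` are hypothetical names; the clock is injected so no test touches `time.time()` or sleeps.

```python
ROLE_ACTIONS = {"admin": {"read", "write", "delete"}, "viewer": {"read"}}  # constructed data

def authorize(roles, action):
    """Guard clauses first: deny on missing input, then on role. Raises PermissionError."""
    if roles is None or not action:
        raise PermissionError("missing roles or action")
    allowed = set().union(*(ROLE_ACTIONS.get(r, set()) for r in roles))
    if action not in allowed:
        raise PermissionError(f"{action} not permitted for roles {sorted(roles)}")
    return True

class RateLimiter:
    """Fixed-window limiter; `now` is injected so tests own the clock."""
    def __init__(self, limit, window_s, now):
        self.limit, self.window_s, self.now = limit, window_s, now
        self.hits = {}  # key -> (window_start, count)

    def allow(self, key):
        start, count = self.hits.get(key, (self.now(), 0))
        if self.now() - start >= self.window_s:
            start, count = self.now(), 0
        self.hits[key] = (start, count + 1)
        return count + 1 <= self.limit

class FakeClock:
    """Deterministic stand-in for time.time(): no sleep, no timezone, no flakiness."""
    def __init__(self): self.t = 0.0
    def __call__(self): return self.t
    def advance(self, s): self.t += s

def test_denied_paths():
    """Negative-path coverage: hit every rejection branch, then the allowed case."""
    denied = [({"viewer"}, "delete"), (set(), "read"), (None, "read"), ({"viewer"}, "")]
    for roles, action in denied:
        try:
            authorize(roles, action)
            return False  # a denied case slipped through
        except PermissionError:
            pass
    return authorize({"viewer"}, "read")

def test_rate_limit_actually_blocks():
    """Own limiter and clock per test: no shared state, no order dependence."""
    clock = FakeClock()
    rl = RateLimiter(limit=3, window_s=60, now=clock)
    first_three = all(rl.allow("ip") for _ in range(3))
    fourth_blocked = not rl.allow("ip")  # proves the limiter blocks, not just counts
    clock.advance(60)  # window rolls over without sleeping
    reset = rl.allow("ip")
    zero_limit_blocks = not RateLimiter(0, 60, FakeClock()).allow("ip")  # boundary value
    return first_three and fourth_blocked and reset and zero_limit_blocks
```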