🎁 Get the FREE AI Skills Starter Guide β€” Subscribe β†’
BytesAgainBytesAgain
πŸ¦€ ClawHub

QA & Test Engineering Command Center

by @1kalin

Comprehensive QA system for planning strategy, writing tests, analyzing coverage, automating pipelines, performance and security testing, defect triage, and...

Versionv1.0.0
Downloads1,280
Installs5
Stars⭐ 1
TERMINAL
clawhub install afrexai-qa-engine

πŸ“– About This Skill

QA & Test Engineering Command Center

Complete quality assurance system β€” from test strategy to automation frameworks, coverage analysis, and release readiness. Works for any stack, any team size.

When to Use

  • Planning test strategy for a new feature or project
  • Writing unit, integration, or E2E tests
  • Reviewing test quality and coverage gaps
  • Setting up test automation and CI/CD quality gates
  • Performance testing and load analysis
  • Security testing checklist
  • Bug triage and defect management
  • Release readiness assessment

  • Phase 1: Test Strategy

    Strategy Brief

    Before writing any tests, define the strategy:

    # test-strategy.yaml
    project: "[name]"
    scope: "[feature/module/full product]"
    risk_level: high | medium | low
    stack:
      language: "[TypeScript/Python/Java/Go]"
      framework: "[React/Express/Django/Spring]"
      test_runner: "[Jest/Vitest/pytest/JUnit/Go test]"
      e2e_tool: "[Playwright/Cypress/Selenium]"

    What are we testing?

    test_scope: - area: "[e.g., Auth module]" risk: high test_types: [unit, integration, e2e] priority: 1 - area: "[e.g., Settings page]" risk: low test_types: [unit] priority: 3

    What's NOT in scope (and why)

    exclusions: - "[e.g., Third-party widget β€” covered by vendor]"

    Quality targets

    targets: line_coverage: 80 branch_coverage: 70 critical_path_coverage: 100 max_flaky_rate: 2% max_test_duration_unit: 10ms max_test_duration_integration: 500ms max_test_duration_e2e: 30s

    Risk-Based Test Allocation

    Not everything needs the same testing depth. Use the risk matrix:

    | Risk Level | Unit Tests | Integration | E2E | Manual/Exploratory | |-----------|-----------|-------------|-----|-------------------| | Critical (payments, auth, data loss) | 95%+ coverage | Full API coverage | Happy + error paths | Exploratory session | | High (core features, user-facing) | 85%+ coverage | Key integrations | Happy path | Spot check | | Medium (secondary features) | 70%+ coverage | Critical paths only | Smoke only | On release | | Low (admin, internal tools) | 50%+ coverage | None | None | None |

    Test Pyramid

    Follow the pyramid β€” not the ice cream cone:

             /  E2E  \          ← Few (5-10%) β€” slow, expensive, brittle
            / Integr. \         ← Some (15-25%) β€” API contracts, DB queries
           /   Unit    \        ← Many (65-80%) β€” fast, isolated, cheap
    

    Anti-pattern: Ice cream cone (mostly E2E, few unit tests) = slow CI, flaky builds, expensive maintenance.

    Decision rule: Can this be tested at a lower level? β†’ Test it there.


    Phase 2: Unit Testing

    Anatomy of a Good Unit Test

    Every unit test follows AAA (Arrange-Act-Assert):

    1. ARRANGE β€” Set up test data, mocks, state
    2. ACT     β€” Call the function/method under test
    3. ASSERT  β€” Verify the output matches expectations
    

    Unit Test Checklist (per function)

    For each function/method, verify:

  • [ ] Happy path β€” expected input β†’ expected output
  • [ ] Edge cases β€” empty input, null/undefined, zero, max values
  • [ ] Boundary values β€” off-by-one, min-1, max+1
  • [ ] Error handling β€” invalid input β†’ correct error thrown
  • [ ] Return types β€” correct type, shape, structure
  • [ ] Side effects β€” does it modify state it shouldn't?
  • [ ] Idempotency β€” calling twice gives same result?
  • What to Mock (and What NOT to Mock)

    Mock these:

  • External APIs (HTTP calls, third-party services)
  • Database queries (in unit tests only)
  • File system operations
  • Date/time (use fake timers)
  • Random number generators
  • Environment variables
  • DO NOT mock these:

  • The function under test itself
  • Pure utility functions (test them directly)
  • Data transformations
  • Simple value objects
  • Mock rule of thumb: If removing the mock would make the test hit the network, file system, or database β†’ mock it. Otherwise β†’ don't.

    Test Naming Convention

    Use the pattern: [unit] [scenario] [expected result]

    Examples:

  • calculateTotal returns 0 for empty cart
  • validateEmail throws for missing @ symbol
  • parseDate handles ISO 8601 with timezone offset
  • Coverage Analysis

    Metrics that matter: | Metric | Target | Why | |--------|--------|-----| | Line coverage | 80%+ | Basic completeness | | Branch coverage | 70%+ | Catches missed if/else paths | | Function coverage | 90%+ | Ensures all functions are tested | | Critical path coverage | 100% | Business-critical code fully verified |

    Coverage traps to avoid:

  • 100% line coverage β‰  good tests (assertions matter more than lines hit)
  • Coverage on generated code inflates numbers
  • Trivial getters/setters pad coverage without value
  • Coverage should INCREASE over time, never decrease

  • Phase 3: Integration Testing

    What Integration Tests Cover

    Integration tests verify that components work TOGETHER:

  • API endpoint β†’ middleware β†’ handler β†’ database β†’ response
  • Service A calls Service B and handles the response
  • Message queue producer β†’ consumer β†’ side effect
  • Auth flow: login β†’ token β†’ authenticated request
  • Integration Test Patterns

    Pattern 1: API Contract Testing

    1. Start test server (or use supertest/httptest)
    2. Send HTTP request with specific payload
    3. Assert: status code, response body shape, headers
    4. Assert: database state changed correctly
    5. Assert: side effects triggered (emails, events)
    

    Pattern 2: Database Integration

    1. Start test database (SQLite in-memory or test container)
    2. Run migrations
    3. Seed test data
    4. Execute query/operation
    5. Assert: data matches expectations
    6. Teardown (truncate or rollback transaction)
    

    Pattern 3: External Service

    1. Record real API response (VCR/nock/wiremock)
    2. Replay recorded response in tests
    3. Assert: your code handles the response correctly
    4. Also test: timeout, 500 error, malformed response
    

    Integration Test Checklist

  • [ ] Happy path β€” full flow works end-to-end
  • [ ] Auth β€” unauthenticated returns 401, wrong role returns 403
  • [ ] Validation β€” bad payload returns 400 with error details
  • [ ] Not found β€” missing resource returns 404
  • [ ] Conflict β€” duplicate create returns 409
  • [ ] Rate limiting β€” excessive requests return 429
  • [ ] Database constraints β€” unique violations, foreign keys
  • [ ] Concurrency β€” two simultaneous writes don't corrupt data
  • [ ] Timeout handling β€” external service timeout β†’ graceful fallback

  • Phase 4: End-to-End (E2E) Testing

    E2E Strategy

    E2E tests verify complete user journeys. They're expensive β€” be strategic:

    Test these E2E:

  • User registration β†’ email verification β†’ first login
  • Purchase flow β†’ payment β†’ confirmation
  • Critical business workflows (the ones that make money)
  • Cross-browser/device smoke tests
  • DON'T test these E2E:

  • Individual form validations (unit test)
  • API error handling (integration test)
  • Edge cases (lower-level tests)
  • Visual styling (visual regression tools)
  • E2E Test Template

    test_name: "[User journey name]"
    preconditions:
      - "[User is logged in]"
      - "[Product exists in catalog]"
    steps:
      - action: "Navigate to /products"
        verify: "Product list is visible"
      - action: "Click 'Add to Cart' on Product A"
        verify: "Cart badge shows 1"
      - action: "Click 'Checkout'"
        verify: "Checkout form displayed"
      - action: "Fill payment details and submit"
        verify: "Order confirmation page with order ID"
    postconditions:
      - "Order exists in database with status 'paid'"
      - "Confirmation email sent"
    max_duration: 30s
    

    Flaky Test Management

    Flaky tests are the #1 CI killer. Handle them:

    Flaky Test Triage: 1. Identify β€” Track test pass rates over 10+ runs 2. Classify β€” Why is it flaky? - Timing/race condition β†’ Add explicit waits, not sleep() - Test data dependency β†’ Isolate test data per run - External service β†’ Mock it or use test container - Browser rendering β†’ Use visibility checks, not delays 3. Quarantine β€” Move to @flaky suite, run separately 4. Fix or delete β€” Flaky test unfixed for 2 weeks β†’ delete it

    Flaky rate target: < 2% of total test runs


    Phase 5: Performance Testing

    Performance Test Types

    | Type | Purpose | When | |------|---------|------| | Load test | Normal traffic handling | Before every release | | Stress test | Find breaking point | Quarterly or before scaling | | Spike test | Sudden traffic burst | Before marketing campaigns | | Soak test | Memory leaks over time | Monthly or after major changes | | Capacity test | Max users/throughput | Planning infrastructure |

    Performance Test Plan

    test_name: "[API/Page] Load Test"
    target: "[URL or endpoint]"
    baseline:
      p50_response: "[current p50 ms]"
      p95_response: "[current p95 ms]"
      p99_response: "[current p99 ms]"
      error_rate: "[current %]"

    scenarios: - name: "Normal load" vus: 50 # virtual users duration: 5m ramp_up: 30s thresholds: p95_response: "< 500ms" error_rate: "< 1%"

    - name: "Peak load" vus: 200 duration: 10m ramp_up: 1m thresholds: p95_response: "< 2000ms" error_rate: "< 5%"

    - name: "Stress test" vus: 500 duration: 5m ramp_up: 2m # Find the breaking point β€” no thresholds, observe

    Performance Metrics Dashboard

    Track these per endpoint:

    | Metric | Green | Yellow | Red | |--------|-------|--------|-----| | p50 response | < 200ms | 200-500ms | > 500ms | | p95 response | < 500ms | 500ms-2s | > 2s | | p99 response | < 1s | 1-5s | > 5s | | Error rate | < 0.1% | 0.1-1% | > 1% | | Throughput | > baseline | 80-100% baseline | < 80% | | CPU usage | < 60% | 60-80% | > 80% | | Memory usage | < 70% | 70-85% | > 85% | | DB query time | < 50ms avg | 50-200ms | > 200ms |

    Common Performance Fixes

    | Symptom | Likely Cause | Fix | |---------|-------------|-----| | Slow API response | N+1 queries | Batch/join queries | | Memory climbing | Object retention | Profile heap, fix leaks | | Timeout spikes | Connection pool exhaustion | Increase pool, add queuing | | Slow page load | Large bundle | Code split, lazy load | | DB bottleneck | Missing index | Add index on WHERE/JOIN columns | | High CPU | Synchronous compute | Move to worker/queue |


    Phase 6: Security Testing

    Security Test Checklist

    Run through these for every feature/release:

    Authentication & Authorization:

  • [ ] Passwords hashed with bcrypt/argon2 (not MD5/SHA1)
  • [ ] Session tokens are random, sufficient length (128+ bits)
  • [ ] JWT tokens have short expiry (15 min access, 7 day refresh)
  • [ ] Failed login rate limiting (5 attempts β†’ lockout)
  • [ ] Password reset tokens expire (1 hour max)
  • [ ] Role-based access enforced server-side (not just UI)
  • [ ] Can't access other users' data by changing IDs in URL
  • Input Validation:

  • [ ] SQL injection β€” parameterized queries everywhere
  • [ ] XSS β€” output encoding, CSP headers
  • [ ] CSRF β€” tokens on state-changing requests
  • [ ] Path traversal β€” validate file paths, no ../
  • [ ] Command injection β€” never pass user input to shell
  • [ ] File upload β€” validate type, size, scan for malware
  • [ ] JSON/XML parsing β€” depth limits, entity expansion disabled
  • Data Protection:

  • [ ] HTTPS everywhere (HSTS header)
  • [ ] Sensitive data encrypted at rest
  • [ ] PII not logged (mask in log output)
  • [ ] API keys not in client-side code
  • [ ] CORS configured correctly (not *)
  • [ ] Security headers set (X-Frame-Options, X-Content-Type-Options)
  • Infrastructure:

  • [ ] Dependencies scanned for CVEs (npm audit / pip audit)
  • [ ] Docker images scanned (Trivy/Snyk)
  • [ ] Secrets not in code/env files (use vault)
  • [ ] Error messages don't leak internals
  • [ ] Admin endpoints behind VPN/IP allowlist
  • OWASP Top 10 Quick Reference

    | # | Vulnerability | Test For | |---|--------------|----------| | A01 | Broken Access Control | Access other users' resources, bypass role checks | | A02 | Cryptographic Failures | Weak hashing, plaintext secrets, expired certs | | A03 | Injection | SQL, XSS, command, LDAP injection | | A04 | Insecure Design | Business logic flaws, missing rate limits | | A05 | Security Misconfiguration | Default creds, verbose errors, open ports | | A06 | Vulnerable Components | Outdated deps with known CVEs | | A07 | Authentication Failures | Brute force, weak passwords, session fixation | | A08 | Data Integrity Failures | Unsigned updates, CI/CD pipeline injection | | A09 | Logging Failures | Missing audit logs, no alerting on breaches | | A10 | SSRF | Internal network access via user-controlled URLs |


    Phase 7: Bug Triage & Defect Management

    Bug Report Template

    bug_id: "[auto or manual]"
    title: "[Short description of the bug]"
    severity: P0-critical | P1-high | P2-medium | P3-low
    reporter: "[name]"
    date: "[YYYY-MM-DD]"

    environment: os: "[OS + version]" browser: "[Browser + version]" app_version: "[version/commit]" steps_to_reproduce: 1. "[Step 1]" 2. "[Step 2]" 3. "[Step 3]"

    expected_result: "[What should happen]" actual_result: "[What actually happens]" frequency: "always | intermittent | once" screenshots: "[links]" logs: "[relevant log output]"

    Severity Classification

    | Level | Definition | SLA | Example | |-------|-----------|-----|---------| | P0 Critical | System down, data loss, security breach | Fix in 4 hours | Payment processing broken | | P1 High | Major feature broken, no workaround | Fix in 24 hours | Users can't login | | P2 Medium | Feature broken with workaround | Fix this sprint | Search returns wrong results sometimes | | P3 Low | Minor issue, cosmetic | Fix when convenient | Button alignment off by 2px |

    Bug Triage Process (Weekly)

    1. Review all new bugs (unassigned)
    2. For each bug:
       a. Reproduce β€” can you trigger it?
       b. Classify severity (P0-P3)
       c. Estimate fix effort (S/M/L)
       d. Assign to owner + sprint
       e. Link to related bugs/stories
    3. Review P0/P1 bugs from last week β€” are they fixed?
    4. Close bugs that can't be reproduced (after 2 attempts)
    5. Update metrics dashboard
    

    Bug Metrics Dashboard

    Track weekly:

    | Metric | Formula | Target | |--------|---------|--------| | Bug escape rate | Bugs found in prod / total bugs | < 10% | | Mean time to fix (P0) | Avg hours from report to deploy | < 8 hours | | Mean time to fix (P1) | Avg hours from report to deploy | < 48 hours | | Bug reopen rate | Reopened bugs / closed bugs | < 5% | | Test escape analysis | Bugs that SHOULD have been caught | Track & reduce | | Open bug count | Total open by severity | Trending down |


    Phase 8: Release Readiness

    Release Checklist

    Before shipping to production:

    Code Quality:

  • [ ] All unit tests passing
  • [ ] All integration tests passing
  • [ ] E2E smoke suite passing
  • [ ] No new lint warnings/errors
  • [ ] Code reviewed and approved
  • [ ] No known P0/P1 bugs open for this release
  • Coverage & Quality Gates:

  • [ ] Line coverage β‰₯ target (80%)
  • [ ] Branch coverage β‰₯ target (70%)
  • [ ] No coverage decrease from last release
  • [ ] Mutation testing score β‰₯ 60% (if applicable)
  • Performance:

  • [ ] Load test passed (within thresholds)
  • [ ] No performance regressions vs baseline
  • [ ] Bundle size within budget
  • Security:

  • [ ] Dependency audit clean (no critical/high CVEs)
  • [ ] Security checklist completed
  • [ ] Secrets rotated if needed
  • Operational Readiness:

  • [ ] Monitoring/alerts configured for new features
  • [ ] Rollback plan documented
  • [ ] Feature flags in place for risky changes
  • [ ] Database migration tested and reversible
  • [ ] Runbook updated
  • Release Readiness Score

    Score 0-100 across 5 dimensions:

    | Dimension | Weight | Scoring | |-----------|--------|---------| | Test coverage | 25% | 100 if targets met, -10 per gap area | | Bug status | 25% | 100 if 0 P0/P1, -20 per open P0, -10 per P1 | | Performance | 20% | 100 if all green, -15 per yellow, -30 per red | | Security | 20% | 100 if clean, -25 per critical, -15 per high | | Operational | 10% | 100 if checklist complete, -20 per missing item |

    Ship threshold: β‰₯ 80 overall, no dimension below 60


    Phase 9: CI/CD Quality Gates

    Pipeline Quality Gates

    Configure these gates in your CI pipeline:

    # Quality gate configuration
    gates:
      - name: "Lint"
        stage: pre-commit
        command: "npm run lint"
        blocking: true
        
      - name: "Unit Tests"
        stage: commit
        command: "npm test -- --coverage"
        blocking: true
        thresholds:
          pass_rate: 100%
          coverage_line: 80%
          coverage_branch: 70%
          
      - name: "Integration Tests"
        stage: merge
        command: "npm run test:integration"
        blocking: true
        thresholds:
          pass_rate: 100%
          
      - name: "Security Scan"
        stage: merge
        command: "npm audit --audit-level=high"
        blocking: true
        
      - name: "E2E Smoke"
        stage: staging
        command: "npm run test:e2e:smoke"
        blocking: true
        thresholds:
          pass_rate: 100%
          
      - name: "Performance"
        stage: staging
        command: "npm run test:perf"
        blocking: false  # Alert only
        thresholds:
          p95_regression: 20%
    

    Test Automation Maturity Model

    Rate your team 1-5:

    | Level | Description | Characteristics | |-------|------------|-----------------| | 1 β€” Manual | All testing is manual | No automation, long release cycles | | 2 β€” Reactive | Some unit tests, no CI | Tests written after bugs, not before | | 3 β€” Structured | Test pyramid, CI pipeline | Unit + integration, automated on push | | 4 β€” Proactive | Full automation, quality gates | E2E + perf + security in pipeline, TDD | | 5 β€” Optimized | Self-healing, predictive | Flaky auto-quarantine, AI-assisted testing, continuous deployment |


    Phase 10: Test Maintenance

    Weekly Test Health Review

    review_date: "[YYYY-MM-DD]"

    metrics: total_tests: 0 pass_rate_7d: "0%" flaky_tests: 0 flaky_rate: "0%" avg_suite_duration: "0s" coverage_line: "0%" coverage_branch: "0%" actions: quarantined: [] # Tests moved to flaky suite deleted: [] # Tests removed (obsolete/unfixable) fixed: [] # Flaky tests fixed this week added: [] # New tests added trends: coverage_delta: "+0%" # vs last week flaky_delta: "+0" # vs last week duration_delta: "+0s" # vs last week notes: ""

    Test Maintenance Rules

    1. No commented-out tests β€” delete or fix, never comment 2. No skipped tests > 2 weeks β€” fix or remove 3. No test duplication β€” each behavior tested once at the right level 4. Test names must be readable β€” someone new should understand what broke 5. Shared test utilities β€” common setup in fixtures/factories, not copy-pasted 6. Test data isolation β€” each test creates its own data, cleans up after 7. No magic numbers β€” use named constants in assertions 8. Assertion messages β€” custom messages on complex assertions

    Common Test Anti-Patterns

    | Anti-Pattern | Problem | Fix | |-------------|---------|-----| | Sleeping tests | sleep(2000) instead of waiting | Use explicit waits/polling | | Test interdependence | Test B relies on Test A's state | Isolate β€” each test sets up its own state | | Assertionless tests | Test runs code but doesn't assert | Add meaningful assertions | | Brittle selectors | CSS selectors that break on redesign | Use data-testid or aria roles | | God test | One test verifying 20 things | Split into focused tests | | Mock overload | Everything mocked, nothing real tested | Only mock external boundaries | | Hardcoded data | Tests break when seed data changes | Use factories/builders | | Ignoring test output | "It passed, ship it" | Review WHY it passed β€” is the assertion meaningful? |


    Quick Reference: Natural Language Commands

    Tell the agent:

  • "Create test strategy for [feature]" β†’ Generates strategy brief
  • "Write unit tests for [function/file]" β†’ AAA-structured tests with edge cases
  • "Review test coverage for [module]" β†’ Gap analysis + recommendations
  • "Write integration tests for [API endpoint]" β†’ Full HTTP test suite
  • "Plan E2E tests for [user journey]" β†’ E2E test template
  • "Run security checklist for [feature]" β†’ OWASP-based security review
  • "Triage these bugs: [list]" β†’ Severity classification + assignment
  • "Release readiness check" β†’ Full readiness score + blockers
  • "Performance test plan for [endpoint]" β†’ Load/stress test configuration
  • "Fix flaky test [name]" β†’ Root cause analysis + fix strategy
  • ⚑ When to Use

    TriggerAction
    - Writing unit, integration, or E2E tests
    - Reviewing test quality and coverage gaps
    - Setting up test automation and CI/CD quality gates
    - Performance testing and load analysis
    - Security testing checklist
    - Bug triage and defect management
    - Release readiness assessment
    ---