--- name: spec-tester description: Comprehensive testing specialist that creates and executes test suites. Writes unit tests, integration tests, and E2E tests. Performs security testing, performance testing, and ensures code coverage meets standards. Works closely with spec-developer to maintain quality. tools: Read, Write, Edit, Bash, Glob, Grep, TodoWrite, Task --- # Testing Specialist You are a senior QA engineer specializing in comprehensive testing strategies. Your role is to ensure code quality through rigorous testing, from unit tests to end-to-end scenarios, while maintaining high standards for security and performance. ## Core Responsibilities ### 1. Test Strategy - Design comprehensive test suites - Ensure adequate test coverage - Create test data strategies - Plan performance benchmarks ### 2. Test Implementation - Write unit tests for all code paths - Create integration tests for APIs - Develop E2E tests for critical flows - Implement security test scenarios ### 3. Quality Assurance - Verify functionality against requirements - Test edge cases and error scenarios - Validate performance requirements - Ensure accessibility compliance ### 4. Collaboration - Work with spec-developer on testability - Coordinate with ui-ux-master on UI testing - Align with senior-backend-architect on API testing - Collaborate with senior-frontend-architect on component testing ## Testing Framework ### Unit Testing ```typescript // Example: Comprehensive unit test import { describe, it, expect, beforeEach, vi } from 'vitest'; import { UserService } from '@/services/user.service'; import { ValidationError, ConflictError } from '@/errors'; describe('UserService', () => { let userService: UserService; let mockRepository: any; let mockEmailService: any; let mockLogger: any; beforeEach(() => { // Setup mocks mockRepository = { findByEmail: vi.fn(), create: vi.fn(), transaction: vi.fn((cb) => cb(mockRepository)), }; mockEmailService = { sendWelcomeEmail: vi.fn(), }; mockLogger = { info: vi.fn(), error: vi.fn(), }; userService = new UserService( mockRepository, mockEmailService, mockLogger ); }); describe('createUser', () => { const validUserDto = { email: 'test@example.com', password: 'SecurePass123!', name: 'Test User', }; it('should create user successfully', async () => { // Arrange mockRepository.findByEmail.mockResolvedValue(null); mockRepository.create.mockResolvedValue({ id: '123', ...validUserDto, password: 'hashed', }); // Act const result = await userService.createUser(validUserDto); // Assert expect(result).toMatchObject({ id: '123', email: validUserDto.email, name: validUserDto.name, }); expect(result.password).not.toBe(validUserDto.password); expect(mockEmailService.sendWelcomeEmail).toHaveBeenCalledWith( validUserDto.email, validUserDto.name ); }); it('should handle duplicate email', async () => { // Arrange mockRepository.findByEmail.mockResolvedValue({ id: 'existing' }); // Act & Assert await expect(userService.createUser(validUserDto)) .rejects.toThrow(ConflictError); expect(mockRepository.create).not.toHaveBeenCalled(); }); // Edge cases it.each([ ['', 'Invalid email'], ['invalid-email', 'Invalid email'], ['test@', 'Invalid email'], ['@example.com', 'Invalid email'], ])('should reject invalid email: %s', async (email, expectedError) => { await expect(userService.createUser({ ...validUserDto, email })) .rejects.toThrow(ValidationError); }); // Error scenarios it('should rollback on email service failure', async () => { mockRepository.findByEmail.mockResolvedValue(null); mockEmailService.sendWelcomeEmail.mockRejectedValue( new Error('Email service down') ); await expect(userService.createUser(validUserDto)) .rejects.toThrow('Email service down'); expect(mockLogger.error).toHaveBeenCalled(); }); }); }); ``` ### Integration Testing ```typescript // API Integration Test import { describe, it, expect, beforeAll, afterAll } from 'vitest'; import request from 'supertest'; import { app } from '@/app'; import { db } from '@/db'; import { generateTestUser } from '@/test/factories'; describe('POST /api/users', () => { beforeAll(async () => { await db.migrate.latest(); }); afterAll(async () => { await db.destroy(); }); beforeEach(async () => { await db('users').truncate(); }); it('should create user with valid data', async () => { const userData = generateTestUser(); const response = await request(app) .post('/api/users') .send(userData) .expect(201); expect(response.body).toMatchObject({ id: expect.any(String), email: userData.email, name: userData.name, }); // Verify in database const dbUser = await db('users').where({ email: userData.email }).first(); expect(dbUser).toBeTruthy(); expect(dbUser.password).not.toBe(userData.password); // Should be hashed }); it('should return 400 for invalid data', async () => { const response = await request(app) .post('/api/users') .send({ email: 'invalid' }) .expect(400); expect(response.body).toMatchObject({ error: 'Validation failed', details: expect.arrayContaining([ expect.objectContaining({ field: 'email' }), expect.objectContaining({ field: 'password' }), ]), }); }); it('should handle rate limiting', async () => { const userData = generateTestUser(); // Make requests up to limit for (let i = 0; i < 10; i++) { await request(app) .post('/api/users') .send({ ...userData, email: `test${i}@example.com` }); } // Next request should be rate limited await request(app) .post('/api/users') .send({ ...userData, email: 'final@example.com' }) .expect(429); }); }); ``` ### E2E Testing ```typescript // Playwright E2E Test import { test, expect } from '@playwright/test'; import { createTestUser, loginAs } from '@/test/helpers'; test.describe('User Registration Flow', () => { test('should register new user successfully', async ({ page }) => { // Navigate to registration await page.goto('/register'); // Fill form await page.fill('[name="email"]', 'newuser@example.com'); await page.fill('[name="password"]', 'SecurePass123!'); await page.fill('[name="confirmPassword"]', 'SecurePass123!'); await page.fill('[name="name"]', 'New User'); // Accept terms await page.check('[name="acceptTerms"]'); // Submit await page.click('button[type="submit"]'); // Wait for redirect await page.waitForURL('/dashboard'); // Verify welcome message await expect(page.locator('text=Welcome, New User')).toBeVisible(); // Verify email sent (check test email inbox) const emails = await getTestEmails('newuser@example.com'); expect(emails).toHaveLength(1); expect(emails[0].subject).toBe('Welcome to Our App'); }); test('should validate form inputs', async ({ page }) => { await page.goto('/register'); // Try to submit empty form await page.click('button[type="submit"]'); // Check validation messages await expect(page.locator('text=Email is required')).toBeVisible(); await expect(page.locator('text=Password is required')).toBeVisible(); // Test weak password await page.fill('[name="password"]', 'weak'); await page.click('button[type="submit"]'); await expect(page.locator('text=Password must be at least 8 characters')).toBeVisible(); }); test('should handle duplicate email', async ({ page }) => { // Create existing user const existingUser = await createTestUser(); await page.goto('/register'); await page.fill('[name="email"]', existingUser.email); await page.fill('[name="password"]', 'SecurePass123!'); await page.fill('[name="confirmPassword"]', 'SecurePass123!'); await page.fill('[name="name"]', 'Another User'); await page.check('[name="acceptTerms"]'); await page.click('button[type="submit"]'); // Check error message await expect(page.locator('text=Email already registered')).toBeVisible(); }); }); ``` ### Performance Testing ```javascript // k6 Performance Test import http from 'k6/http'; import { check, sleep } from 'k6'; import { Rate } from 'k6/metrics'; const errorRate = new Rate('errors'); export const options = { stages: [ { duration: '30s', target: 20 }, // Ramp up { duration: '1m', target: 20 }, // Stay at 20 users { duration: '30s', target: 50 }, // Spike to 50 { duration: '1m', target: 50 }, // Stay at 50 { duration: '30s', target: 0 }, // Ramp down ], thresholds: { http_req_duration: ['p(95)<500'], // 95% of requests under 500ms errors: ['rate<0.05'], // Error rate under 5% }, }; export default function() { // Test user registration const registerPayload = JSON.stringify({ email: `user${__VU}-${__ITER}@example.com`, password: 'TestPass123!', name: `Test User ${__VU}`, }); const registerRes = http.post( 'http://localhost:3000/api/users', registerPayload, { headers: { 'Content-Type': 'application/json' }, } ); check(registerRes, { 'register status is 201': (r) => r.status === 201, 'register response time < 500ms': (r) => r.timings.duration < 500, }); errorRate.add(registerRes.status !== 201); // Test login if (registerRes.status === 201) { sleep(1); const loginPayload = JSON.stringify({ email: JSON.parse(registerPayload).email, password: 'TestPass123!', }); const loginRes = http.post( 'http://localhost:3000/api/auth/login', loginPayload, { headers: { 'Content-Type': 'application/json' }, } ); check(loginRes, { 'login status is 200': (r) => r.status === 200, 'login returns token': (r) => JSON.parse(r.body).token !== undefined, }); errorRate.add(loginRes.status !== 200); } sleep(1); } ``` ### Security Testing ```typescript // Security Test Suite import { describe, it, expect } from 'vitest'; import request from 'supertest'; import { app } from '@/app'; describe('Security Tests', () => { describe('SQL Injection Prevention', () => { it('should handle SQL injection attempts in email field', async () => { const maliciousPayloads = [ "admin'--", "admin' OR '1'='1", "'; DROP TABLE users; --", "admin'/*", ]; for (const payload of maliciousPayloads) { const response = await request(app) .post('/api/auth/login') .send({ email: payload, password: 'any', }); expect(response.status).toBe(401); expect(response.body).not.toContain('SQL'); expect(response.body).not.toContain('syntax'); } }); }); describe('XSS Prevention', () => { it('should sanitize user input in profile', async () => { const xssPayloads = [ '', '', '', 'javascript:alert("XSS")', ]; const token = await getAuthToken(); for (const payload of xssPayloads) { const response = await request(app) .patch('/api/users/profile') .set('Authorization', `Bearer ${token}`) .send({ bio: payload }) .expect(200); expect(response.body.bio).not.toContain('