Test Quality Audit

When to Use

Use this skill when you need to:

• Test review (QA Agent): Validate test quality during code review
• Test audit (QA Agent): Systematic audit of test files for anti-patterns
• Code review (Any Agent): Check for mesa-optimization or happy-path testing
• Pre-merge validation (QA Agent): Ensure tests are meaningful before PR approval

Triggers:

• During QA review when test files are modified
• When code review shows test changes unrelated to feature
• Before approving PR with test modifications
• When tests are failing and you suspect quality issues
• Systematic test audit for entire codebase or feature area

Red Flags to Watch For:

• Tests weakened (fewer assertions, replaced checks, removed edge cases)
• Assertions removed or weakened
• Error handling bypassed
• Tests disabled without explanation

Workflow

Step 1: Identify Test Files to Audit

For code review (PR-specific):

• Scan only test files modified in the PR
• Focus on changes to existing tests (not new test creation)
• Look for test weakening patterns in diff

For systematic audit (codebase-wide):

• Scan all test files in specified directories
• Common test file patterns: *.test.js, *.spec.ts, *_test.py, test_*.py
• Organize findings by severity

Step 2: Scan for Anti-Patterns

Run the following checks on test files:

Check 1: Disabled Tests

Purpose: Detect tests that are skipped or disabled in committed code

Patterns to detect:

// JavaScript/TypeScript:
describe.skip("...", ...)
it.skip("...", ...)
test.skip("...", ...)
it.only("...", ...)  // CRITICAL: Means other tests are ignored
test.only("...", ...)

// Python:
@unittest.skip("...")
@pytest.mark.skip
pytest.skip()
# TODO: fix this test

Scan command:

# JavaScript/TypeScript:
grep -rn -E "\.(skip|only)\(" tests/ spec/ __tests__/

# Python:
grep -rn -E "(@unittest\.skip|@pytest\.mark\.skip|pytest\.skip\(|# TODO.*test)" tests/

Severity:

• CRITICAL: .only() in committed code (all other tests ignored)
• HIGH: .skip() without issue reference or justification
• MEDIUM: .skip() with TODO comment but no timeline

Pass Criteria: No disabled tests, OR all disabled tests have:

• Linear issue reference (# LAW-123: Re-enable when feature X ships)
• Clear justification for why test is disabled
• Timeline for re-enabling

Check 2: Trivial Assertions

Purpose: Detect assertions that don't validate meaningful behavior

Patterns to detect:

// JavaScript/TypeScript:
expect(true).toBe(true)
expect(result).toBeDefined()
expect(response).toBeTruthy()
expect(error).toBeFalsy()  // Error swallowing!

// Python:
assert True
assert result is not None
assert response  # Vague assertion

Scan command:

# JavaScript/TypeScript:
grep -rn -E "(expect\(true\)|expect\(false\)|\.toBeTruthy\(\)|\.toBeFalsy\(\)|\.toBeDefined\(\))" tests/ spec/

# Python:
grep -rn -E "(assert True|assert False|assert [a-zA-Z_]+ is not None)" tests/

Severity:

• HIGH: Assertion on boolean literals (expect(true).toBe(true))
• MEDIUM: Vague assertions without specific value checks
• MEDIUM: toBeDefined() without validating actual value

Pass Criteria: All assertions validate specific expected values or behaviors

Check 3: Error Swallowing

Purpose: Detect try/catch blocks that suppress errors without assertions

Patterns to detect:

// JavaScript/TypeScript:
try {
  // ... test code ...
} catch (error) {
  // No assertion on error - swallowed!
}

// Broad catch without validation:
try {
  await riskyOperation()
} catch (e) {
  console.log(e)  // Logged but not asserted
}

# Python:
try:
    # ... test code ...
except Exception:
    pass  # Error swallowed!

# Broad except without assertion:
try:
    risky_operation()
except Exception as e:
    print(e)  # Logged but not asserted

Manual Review Required: This pattern requires reading test code context

Check for:

• Try/catch blocks in tests
• Verify each catch block has assertion on error (or explicitly expects no error)
• Verify catch is not overly broad (catch (Exception) is suspicious)

Severity:

• CRITICAL: Empty catch block or catch with only logging
• HIGH: Broad exception catch without specific error assertion
• MEDIUM: Catch block that doesn't validate error message/type

Pass Criteria: All try/catch blocks either:

• Assert on expected error type/message
• Document why error is ignored (with justification)
• Use specific exception types (not broad Exception catch)

Check 4: Commented-Out HTTP Calls

Purpose: Detect HTTP calls replaced with mocks/constants without rationale

Patterns to detect:

// JavaScript/TypeScript:
// const response = await fetch('/api/endpoint')
const response = { status: 200, data: mockData }

// await api.createUser(userData)
// Commented out actual API call

Scan command:

# Look for commented HTTP calls:
grep -rn -E "// .*(fetch\(|axios\.|http\.|api\.)" tests/ spec/

Severity:

• HIGH: HTTP call commented out and replaced with mock, no explanation
• MEDIUM: Mock replaces real call without validating actual API integration

Pass Criteria: All mocked HTTP calls either:

• Have integration tests that validate real API calls
• Document why mock is used instead of real call
• Use proper mocking libraries (not inline constants)

Check 5: Mesa-Optimization Patterns

Purpose: Detect tests weakened to make them pass (instead of fixing code)

Manual Review Required: Compare test changes in PR diff

Patterns to detect:

• Assertions removed in test modification
• Edge case tests removed
• Expected values changed to match buggy output (instead of fixing bug)
• Validation logic weakened (e.g., regex made less strict)

Check in PR diff:

- expect(result.users).toHaveLength(5)
+ expect(result.users).toHaveLength(3)  // Why changed? Bug or feature?

- expect(response.status).toBe(200)
+ // Status check removed - why?

- expect(() => validateInput('')).toThrow('Input required')
+ expect(() => validateInput('')).not.toThrow()  // Validation removed?

Severity:

• CRITICAL: Assertions removed without explanation
• CRITICAL: Expected values changed to match buggy behavior
• HIGH: Edge case tests removed
• MEDIUM: Validation weakened without clear rationale

Pass Criteria: All test weakening changes are justified with:

• Linear issue documenting requirement change
• PR comment explaining why assertion/validation changed
• Confirmation that code behavior (not test) was updated to match new requirement

Check 6: Security Script Warnings Suppressed

Purpose: Detect security validation bypassed via ignore patterns

Patterns to detect:

// eslint-disable security/detect-non-literal-fs-filename
// eslint-disable-next-line security/detect-unsafe-regex
// prettier-ignore

Scan command:

# Look for security-related linter disables:
grep -rn -E "(eslint-disable.*security|nosec|# noqa.*security)" tests/ src/

Severity:

• HIGH: Security linter disabled without justification
• MEDIUM: Broad disable (entire file) instead of line-specific

Pass Criteria: All security linter disables have:

• Comment explaining why security rule doesn't apply
• Verification that actual security risk doesn't exist
• Minimal scope (line-specific, not file-wide)

Step 3: Categorize Findings by Severity

Organize all detected anti-patterns by severity:

CRITICAL (blocks merge):

• .only() in committed tests (all other tests ignored)
• Empty catch blocks in tests
• Assertions removed without explanation

HIGH (requires fix before approval):

• Disabled tests without issue reference
• Assertions on boolean literals
• Broad exception catches without assertions
• Security linter disabled without justification

MEDIUM (request fix, but can approve with warning):

• Disabled tests with TODO but no timeline
• Vague assertions (toBeDefined, toBeTruthy)
• HTTP calls mocked without integration test coverage

INFO (feedback for improvement):

• Minor style inconsistencies in tests
• Opportunities to improve test clarity

Step 4: Report Findings

If anti-patterns found, generate a report:

**Test Quality Audit Results**

⚠️ **ISSUES FOUND** - Test quality concerns detected

### Critical Issues (Must Fix Before Merge)

1. **Disabled Test with .only()** (tests/user.test.ts:45):
   - Pattern: `it.only("creates user", ...)`
   - Issue: All other tests in suite are ignored
   - Fix: Remove `.only()` or explain why only this test should run

2. **Empty Catch Block** (tests/api.test.ts:89):
   - Pattern: `catch (error) { /* empty */ }`
   - Issue: Errors swallowed without assertion
   - Fix: Assert on expected error or remove try/catch

### High Priority Issues (Fix Recommended)

3. **Disabled Test Without Justification** (tests/auth.test.ts:120):
   - Pattern: `it.skip("validates token expiry", ...)`
   - Issue: No Linear issue or explanation for skip
   - Fix: Add issue reference or re-enable test

4. **Trivial Assertion** (tests/validation.test.ts:67):
   - Pattern: `expect(true).toBe(true)`
   - Issue: Assertion doesn't validate actual behavior
   - Fix: Assert on specific validation result

### Medium Priority Issues (Warnings)

5. **Vague Assertion** (tests/response.test.ts:34):
   - Pattern: `expect(response).toBeDefined()`
   - Issue: Doesn't validate response contents
   - Fix: Assert on specific response fields (status, data, etc.)

**Recommendation**: [BLOCKED | REQUEST FIXES | APPROVED WITH WARNINGS]

If audit passes, confirm quality:

**Test Quality Audit Results**

✅ **PASSED** - No test quality issues found

All checks passed:
- [x] No disabled tests without justification
- [x] All assertions validate specific behaviors
- [x] Error handling includes assertions
- [x] No HTTP calls replaced with inline mocks
- [x] No test weakening detected
- [x] Security linter rules properly applied

**Recommendation**: APPROVED for merge

Reference

Common Anti-Patterns Examples

❌ Wrong: Disabled Test Without Justification

// Bad example:
it.skip("validates email format", () => {
  // Test disabled, no explanation why
})

✅ Correct: Disabled Test With Issue Reference

// Good example:
// LAW-456: Re-enable when email validation RFC compliance added
it.skip("validates email format per RFC 5322", () => {
  // Test disabled with clear reference to tracking issue
})

❌ Wrong: Trivial Assertion

// Bad example:
it("creates user", async () => {
  const result = await createUser(userData)
  expect(result).toBeDefined()  // Vague - what about result?
})

✅ Correct: Specific Assertion

// Good example:
it("creates user", async () => {
  const result = await createUser(userData)
  expect(result.id).toBeDefined()
  expect(result.email).toBe(userData.email)
  expect(result.status).toBe("active")
})

❌ Wrong: Error Swallowing

// Bad example:
it("handles invalid input", async () => {
  try {
    await processInput(null)
  } catch (error) {
    console.log(error)  // Logged but not asserted
  }
})

✅ Correct: Error Assertion

// Good example:
it("handles invalid input", async () => {
  await expect(processInput(null)).rejects.toThrow("Input cannot be null")
})

❌ Wrong: HTTP Call Replaced With Mock

// Bad example:
it("fetches user data", async () => {
  // const response = await fetch('/api/users/123')
  const response = { id: 123, name: "Test User" }  // Inline mock
  expect(response.name).toBe("Test User")
})

✅ Correct: Proper Mocking

// Good example:
it("fetches user data", async () => {
  // Mock at framework level, not inline
  jest.spyOn(api, "getUser").mockResolvedValue({ id: 123, name: "Test User" })

  const response = await fetchUserData(123)
  expect(response.name).toBe("Test User")
  expect(api.getUser).toHaveBeenCalledWith(123)
})

Related Tools

• grep: Pattern matching for anti-pattern detection
• Test frameworks: Jest, Mocha, Pytest (for understanding test syntax)
• AST parsers (advanced): For more sophisticated pattern detection

Related Documentation

• Original Reference: test-quality-red-flags.md (deprecated - use this skill instead)
• Agent Prompts:
  • QA Agent: docs/agents/qa/qa-agent.md (Test Quality Standards section)
• Related Skills:
  • /security-validate - Security validation patterns
  • /test-standards - Comprehensive test quality validation (if available)
• Related Ref-Docs:
  • test-audit-protocol.md - Comprehensive test audit procedures

Quick Reference: Test Audit Commands

Scan for disabled tests:

# JavaScript/TypeScript:
grep -rn -E "\.(skip|only)\(" tests/ spec/ __tests__/

# Python:
grep -rn -E "(@unittest\.skip|@pytest\.mark\.skip|pytest\.skip\()" tests/

Scan for trivial assertions:

# JavaScript/TypeScript:
grep -rn -E "(expect\(true\)|expect\(false\)|\.toBeTruthy\(\)|\.toBeFalsy\(\)|\.toBeDefined\(\))" tests/

# Python:
grep -rn -E "(assert True|assert False)" tests/

Scan for commented HTTP calls:

grep -rn -E "// .*(fetch\(|axios\.|http\.|api\.)" tests/

Scan for security linter suppression:

grep -rn -E "(eslint-disable.*security|nosec|# noqa.*security)" tests/ src/

Version History

• v1.0 (2025-11-05): Converted from test-quality-red-flags.md to skill format
  • Expanded from quick reference to full audit workflow
  • Added scan commands and severity classifications
  • Included examples of correct vs. incorrect patterns
  • Created decision matrix for audit findings