Codymaster cm-test-gate
Complete guide to setting up a reliable test gate for any project — covers stack detection, 4 core test files, script wiring, secret hygiene, and Cloudflare Workers/Pages patterns. Use when starting a new project, adding CI to an existing one, or when "tests pass but production breaks." Companion to cm-safe-deploy and cm-project-bootstrap.
git clone https://github.com/tody-agent/codymaster
T=$(mktemp -d) && git clone --depth=1 https://github.com/tody-agent/codymaster "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/cm-test-gate" ~/.claude/skills/tody-agent-codymaster-cm-test-gate && rm -rf "$T"
skills/cm-test-gate/SKILL.mdcm-test-gate: Multi-Layer Test Gate Setup
Overview
A deployment process without a test gate is just shipping code and praying. The
test:gateCore assumption: The most dangerous errors are syntax flaws, variable shadowing, or import failures that tests often skip if they only check logic.
Violating the letter of this process is violating the spirit of quality engineering.
The Protocol
When setting up a test gate for a project, follow these 5 phases in order.
Phase 1: Stack Detection and Environment Setup
Goal: Identify the framework and install the correct testing dependencies.
-
Detect Stack:
- Check
for framework (React, Vue, Svelte, static HTML) and build tool (Vite, Next.js).package.json - Check for
(Cloudflare Workers/Pages).wrangler.json(c) - Check for Tailwind, PostCSS, or specific UI libraries.
- Check
-
Install Dependencies (Example: Vite/Vitest):
# Install vitest and related tools npm install -D vitest jsdom @testing-library/react @testing-library/jest-dom # (Adjust based on framework: e.g., @testing-library/svelte) -
Configure File:
- Create
(orvitest.config.ts
):.jsimport { defineConfig } from 'vitest/config' // Import framework plugin (e.g., react(), svelte()) export default defineConfig({ test: { environment: 'jsdom', globals: true, setupFiles: ['./test/setup.ts'], // Optional }, })
- Create
Phase 2: The 4 Core Test Files
A complete
test:gateLayer 1: Frontend Safety (frontend-safety.test.ts
)
frontend-safety.test.tsThis layer prevents white screens and catastrophic syntax errors in the browser. Emphasize parsing and template rendering over logical assertions.
Use the exact implementation from
regarding the 4 corruption checks.cm-quality-gate
import { test, expect } from 'vitest'; import fs from 'fs'; import path from 'path'; test('app.js does not contain catastrophic syntax corruption', () => { // 1. Read the raw file const content = fs.readFileSync(path.resolve(__dirname, '../public/static/app.js'), 'utf-8'); // 2. Syntax Validation (Check for broken template literals) // ❌ Bug #1: Single-quote wrapping template string expect(content).not.toMatch(/=\s*'[^']*\$\{t\(/); // 3. Delimiter consistency // ❌ Bug #4: Mismatched delimiters expect(content).not.toMatch(/t\('[^']*\`/); expect(content).not.toMatch(/t\(\`[^']*'\)/); // 4. HTML structure integrity // ❌ Bug #2: Spaces inside tags or broken closers expect(content).not.toMatch(/<\s+[a-zA-Z]/); // e.g., "< div" expect(content).not.toMatch(/<\/\s+[a-zA-Z]/); // e.g., "</ div" expect(content).not.toMatch(/--\s+>/); // e.g., "text-- >" });
Layer 2: API Routes (api-routes.test.ts
)
api-routes.test.tsThis layer ensures backend endpoints respond correctly and handle JSON properly.
Example for a generic fetch wrapper or specific Next.js/Worker handler:
import { test, expect } from 'vitest'; test('API mock test', async () => { // Test your server handlers directly // Ensure 200 OK for valid inputs and 400 for errors expect(true).toBe(true); });
Layer 3: Business Logic (business-logic.test.ts
)
business-logic.test.tsThis layer tests pure functions: calculations, validations, and data transformations.
import { test, expect } from 'vitest'; test('Calculates score correctly', () => { // const result = calculateScore(input); // expect(result).toBe(expected); expect(true).toBe(true); });
Layer 4: i18n Synchronization (i18n-sync.test.ts
)
i18n-sync.test.tsThis layer guarantees that language files are complete and identical in structure.
import { test, expect } from 'vitest'; import fs from 'fs'; import path from 'path'; test('i18n files have identical key counts', () => { const langDir = path.resolve(__dirname, '../public/static/i18n'); const langs = ['vi.json', 'en.json', 'th.json', 'ph.json']; const countKeys = (obj: any): number => { let count = 0; for (const k in obj) { if (typeof obj[k] === 'object' && obj[k] !== null) { count += countKeys(obj[k]); } else { count++; } } return count; }; let baseCount = -1; for (const file of langs) { if (!fs.existsSync(path.join(langDir, file))) continue; const data = JSON.parse(fs.readFileSync(path.join(langDir, file), 'utf-8')); const count = countKeys(data); if (baseCount === -1) { baseCount = count; } else { expect(count, `File ${file} has a different key count`).toBe(baseCount); } } });
Layer 5: Security Scan (security-scan.test.ts
)
security-scan.test.tsThis layer prevents secrets from being committed to the repository. Powered by
cm-secret-shieldimport { test, expect } from 'vitest'; import fs from 'fs'; import { execSync } from 'child_process'; test('no secret files tracked by git', () => { const tracked = execSync('git ls-files', { encoding: 'utf-8' }); const badFiles = ['.env', '.dev.vars', '.env.local', '.env.production']; const found = badFiles.filter(f => tracked.split('\n').includes(f)); expect(found, `Secret files tracked: ${found.join(', ')}`).toEqual([]); }); test('.gitignore contains required security patterns', () => { const gitignore = fs.readFileSync('.gitignore', 'utf-8'); expect(gitignore).toContain('.env'); expect(gitignore).toContain('.dev.vars'); }); test('no hardcoded secrets in source files', () => { const dangerousPatterns = [ /SERVICE_KEY\s*[=:]\s*['"][a-zA-Z0-9/+=]{20,}/g, /PRIVATE_KEY\s*[=:]\s*['"][a-zA-Z0-9/+=]{20,}/g, /-----BEGIN.*PRIVATE KEY-----/g, ]; const srcDir = 'src'; if (!fs.existsSync(srcDir)) return; const files = fs.readdirSync(srcDir).filter(f => f.endsWith('.ts') || f.endsWith('.js')); for (const file of files) { const content = fs.readFileSync(`${srcDir}/${file}`, 'utf-8'); for (const pattern of dangerousPatterns) { expect(content, `${file} contains potential secret`).not.toMatch(pattern); } } });
Phase 3: Script Wiring
Wire these tests into
package.json{ "scripts": { "test": "vitest", "test:gate": "vitest run --reporter=verbose", "test:security": "snyk test && aikido-api-client scan-release $npm_package_name $(git rev-parse HEAD) --minimum-severity-level=HIGH", "test:watch": "vitest watch" } }
Security Gate Check: The
script runs the Snyk dependency check and the Aikido release scan in parallel. Seetest:securityfor advanced SAST/IaC flags.cm-security-gate
Phase 4: Secret Hygiene and Ignore Configuration
NEVER commit
or .env
. Ensure tests do not expose actual production secrets..dev.vars
- Check
:.gitignoregrep -E "node_modules|\.env|\.dev\.vars" .gitignore # Must exist, if not, add them. - Define Mock Env:
Create a
file (this CAN be committed) with safe, mock values if needed by the test environment..env.test
Phase 5: Verification
Run the test gate to prove it works before declaring the task complete.
npm run test:gate
Integration with Other Skills
| Skill | Relationship |
|---|---|
| |
| Should invoke |
| Relies on the i18n tests set up in Phase 2, Layer 4. |
| Layer 5 security scan uses Secret Shield patterns. |
Red Flags - STOP and Fix
- Setting up tests but not creating the
run script.test:gate - Combining all tests into one massive
file.app.test.js - Skipping the
layer for SPA/monolith projects.frontend-safety.test.ts - Using real production database credentials in the test setup.
- Ignoring test failures and proceeding anyway.