stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
git.stella-ops.org/docs/19_TEST_SUITE_OVERVIEW.md

199 lines
9.2 KiB
Markdown
Raw Permalink Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# 19 · TestSuite Overview — **StellaOps**
*(v2.0  12Jul2025)*
> **Purpose** — Describe the **multilayer automatedtest strategy** that guards StellaOps fivesecond performance promise, security posture and API stability, and show how each layer maps to CI gates and release criteria.
---
## 0TableofContents
1. Testpyramid at a glance
2. Layer definitions & tooling
3. Directory & naming conventions
4. CI workflows & failure policy
5. Quality gates & coverage budgets
6. Evidence retention & auditability
7. Local developer quickstart
8. Flakytest triage & escalation
9. Change log
---
## 1Testpyramid at a glance
| Layer | Framework(s) | Scope | CI frequency |
| ---------------------- | ------------------------ | --------------------------------------- | ------------ |
| **Unit** | xUnit + FluentAssertions | Pure C# methods, guard clauses, mapping | Every PR |
| **Mutation** | **Stryker.NET** | Critical algorithm branches | Nightly |
| **Static analysis** | **CodeQL**, **Semgrep** | OWASP, injection, secrets | Every PR |
| **Integration** | Testcontainers + xUnit | Redis, Trivy exec, plugin hotload | Every PR |
| **Quota / throttle** | Testcontainers + Clockmock | 333scan counter, 5s &60s retryafter headers | Every PR |
| **EndtoEnd (UI)** | **Playwright C#** | Login, scan list, mute flow | Merge→main |
| **Performance** | Hyperfine + K6 | P95 latency, 40rps throughput | Nightly |
| **Security DAST** | OWASP ZAP baseline | TLS headers, auth, XSS | Nightly + RC |
| **Chaos / Resilience** | **Pumba** & Toxiproxy | Redis latency, container kill | Weekly |
| **Compliance smoke** | Spectral + JSONSchema | SBOM & API payloads | Every PR |
| **Token validity** | xUnit + ClockMock | Expiry warning, OUK update refresh, `/token/offline` flow | Every PR |
---
## 2Layer definitions & tooling
### 2.1Unit
* Target ≥80% **lineand**60% **branch** coverage (`coverlet` + ReportGenerator).
* Naming: `Method_ShouldExpected_WhenCondition`.
### 2.2Mutation
* **Stryker.NET** runs only on projects tagged `criticallogic=true` in `Directory.Build.props`.
* Threshold: ≥60% mutation score; red build <55%.
### 2.3Integration
* `RedisTestcontainer`, `TrivyServerTestcontainer`, `TestcontainersNetwork` for realistic wiring.
* Each test cleans keys and volumes; parallelisable.
* **Quota & throttle tests (new)** spin up Redis container, fix system clock to just before UTC midnight, hammer `/scan` with a stub token to validate:
1. Counter hits **200** header `XStellaQuotaRemaining: 133`; banner socket event emitted. Delay of 5 secs is added.
2. Counter hits **333** Delay of 60 secs is added.
3. At UTC midnight rollover key expires counter resets to0.
###2.4Quota / throttle layer (explicit)
* Uses the same fixture but runs in isolation to keep CI time predictable.
* Fails the pipeline if **any** of the four behaviours above misfires.
### 2.4EndtoEnd
* API suite asserts presence of `XStellaQuotaRemaining` on every successful `/scan`.
* API suite uses **async httpx** for accurate latency numbers.
* UI suite uses **Playwright** headless Chromium; Lighthouse a11y snapshot recorded.
### 2.5Performance
* Hyperfine measures CLI workflows (`SBOM_LOCAL`, `SBOM_REMOTE`, `IMAGE_WARM`).
* **K6** hits `/scan` at 40rps for 3min; checks P95 5s and errorrate=0.
### 2.6Security (DAST + SAST)
* **PHASEQUOTA_WAIT** benchmark:
* 5s median for first 30 blocked requests (soft backoff).
* Exactly 60s wall for hard waitwall.
* SAST: **CodeQL** (GitHub native) + **Semgrep OSS** ruleset.
* DAST: **ZAPbaseline** spider + passive rules; fails on High risk alerts.
### 2.7Chaos / Resilience
* **Pumba** randomly kills Trivy sidecar; test asserts queue retry.
* **Toxiproxy** injects 150ms latency on Redis; perf budget still 6s.
---
## 3Repository layout
```text
tests/
├─ unit/ # *.Unit.csproj
├─ mutation/stryker.conf.json
├─ integration/ # *.Integration.csproj
│ └─ fixtures/
├─ e2e/
│ ├─ api/pytest/ # test_*.py
│ └─ ui/playwright/ # *.spec.ts
├─ perf/
│ ├─ compose-perf.yml
│ ├─ hyperfine/
│ └─ k6/
├─ security/
│ ├─ zap-baseline.conf
│ └─ semgrep/
└─ chaos/
├─ toxiproxy/
└─ pumba/
```
Tests mirror the module namespaces; each src project owns a matching test project.
## 4CI workflows
| File | Trigger | Stages |
| ------------ | ----------------------------------------------------- | -------------------------------------- |
| ci.yml | Push / PR Lint Unit Static analysis Integration |
| e2e.yml | Mergemain | Compose stack API+UI Playwright |
| perf.yml | Nightly | Hyperfine + K6; update Grafana JSON |
| security.yml | Nightly | ZAP baseline, Trivy FS, CodeQL |
| mutation.yml | Nightly | Stryker.NET; comment PR if <threshold |
| chaos.yml | Weekly (cron) | Toxiproxy + Pumba scenarios |
| release.yml | Tag | Run all above + evidence bundling |
Failure policy: any Red gate blocks merge; nightly failures ping #stella-ci.
## 5Quality gates & budgets
| Metric | Threshold | Source | Maps to KPI |
| ----------------------------------- | ---------- | --------------------------------- | --------------- |
| Line coverage | 80% | Unit, Integration Maintainability |
| Mutation score | 60% | Stryker Defect escape |
| P95 SBOMfirst | 5s | Hyperfine | Product promise |
| P95 QUOTA_WAIT (soft) | 10s | Hyperfine + Clockmock | Predictable throttling |
| Hard waitwall accuracy | 60±1s | Hyperfine | Compliance with spec |
| P95 imageunpack | 10s | Hyperfine | SRS FRIMG1 |
| /scan errorrate | 0 | K6 | Reliability |
| ZAP High alerts | 0 | ZAP JSON | Security NFR |
| Trivy Critical CVEs in release SBOM | 0 Trivy FS | NFRSEC1 |
| Offline token expiry warning leadtime | 7days | Token tests |
Coverage & perf budgets live in tests/budgets/*.json; CI actions fail on regression.
## 6Evidence retention
| Artefact | Retention | Storage |
| ------------------ | -------------- | --------------------- |
| Hyperfine & K6 CSV | 18months | GitHub artefacts S3 |
| Mutation reports | 6months | S3 |
| ZAP & Trivy SARIF | 18months | GitHub Security tab |
| Playwright videos | Last 50 builds | MinIO |
Test logs (JUnit/Allure) 12months S3, lifecycle policy
## 7Developer quickstart
# Bring up full stack for e2e on a laptop
```bash
docker compose -f tests/e2e/compose-core.yml up -d
```
# Run unit + integration
```bash
dotnet test --collect:"XPlat Code Coverage"
# API e2e
cd tests/e2e/api
pytest -q
# UI e2e
cd tests/e2e/ui
npx playwright install
npm test
```
## 8Flakytest triage & escalation
Label failing test with flaky and open GitHub Discussion.
After 3 consecutive nightly failures, autopage <ops@stella-ops.org>.
Rootcause within next sprint or quarantine behind feature flag (max 2weeks).
*Tokenexpiry tests cannot be quarantined* — they guard offline operability.
## 9Change log
| Version | Date | Notes |
| ------- | ---------- | -------------------------------------------------------------------------------------------------------------------------- |
| v2.0 | 20250712 | Full overhaul: mutation tests, CodeQL/Semgrep, chaos layer, rolebased escalation, perf/security budgets aligned with SRS. |
| v1.0 | 20250709 | Original minimal overview |
(End of TestSuite Overview v2.0)
Reference in New Issue View Git Blame Copy Permalink