Testing and Quality

This page documents what is currently covered, CI/CD infrastructure, and what should be prioritized next.

Current Test Coverage

Committed tests (main branch)

packages/reward-engine/src/evaluate.test.ts — Reward engine unit tests

Covered behavior:

Minimum spend gate
Points calculation for typical spend
Campaign multiplier application
Max points cap
Rounding policy behavior (floor, ceil, round)
Deterministic output
Redemption eligibility checks (min balance and cart cap)

Tests on feature branch (`copilot/improve-test-coverage`)

Additional tests authored but not yet merged to main:

apps/api/src/lib/errors.test.ts — AppError construction
apps/api/src/lib/merchant-workspace.test.ts — Workspace provisioning (idempotent, new creation, edge cases)
apps/api/src/lib/resolve-user.test.ts — User role derivation from metadata
packages/rbac/src/index.test.ts — Permission matrix validation
packages/reward-engine/src/index.test.ts — Module exports verification

These tests add coverage for API lib functions and RBAC permission matrix.

CI/CD Pipelines

CI — Quality Gates (`.github/workflows/ci.yml`)

Runs on: push to main/develop, PRs targeting main/develop.

Job	Command	Dependencies
TypeScript	`pnpm turbo run typecheck`	—
Lint	`pnpm turbo run lint`	—
Tests	`pnpm turbo run test`	—
Build	`pnpm turbo run build`	typecheck + lint + test

Build job uploads apps/api/dist as artifact (7-day retention).

Environment: Node 20, pnpm (version from packageManager field), Ubuntu latest.

CI env uses placeholder values for Supabase (sufficient for type/lint/build checks).

CD — Production Smoke Checks (`.github/workflows/cd.yml`)

Triggered: manual only (workflow_dispatch).

Does NOT deploy. Only runs HTTP health checks:

GET /health on API — expects 200
GET /api/v1/auth/me on API — expects 401 or 403 (unauthenticated)
GET /login on web app — expects 200

Production URLs: salesarc-api.onrender.com, salesarc-web.vercel.app.

Actual deployments are handled by Vercel (web, auto-deploy from Git) and Render (API, auto-deploy from Git).

Current Quality Gates

Workspace scripts enforce through Turbo pipeline:

pnpm lint — ESLint 9 with strict TypeScript rules
pnpm typecheck — TypeScript strict mode with noUncheckedIndexedAccess, exactOptionalPropertyTypes
pnpm test — Vitest (passWithNoTests enabled for packages without tests)
pnpm build — Full compilation

ESLint Configuration

Strict rules enforced (eslint.config.js):

Rule	Level	Impact
`no-explicit-any`	error	No `any` types allowed
`explicit-module-boundary-types`	error	All exports must have return types
`no-floating-promises`	error	All promises must be handled
`no-misused-promises`	error	Prevents async in non-async contexts
`consistent-type-imports`	error	Enforces `import type` syntax
`use-unknown-in-catch-callback-variable`	error	Catch vars typed as `unknown`

Test files have relaxed no-explicit-any rules.

TypeScript Configuration

Base config (tsconfig.base.json):

Target: ES2022
Module: ESNext with Bundler resolution
Strict mode: all strict flags enabled
Additional strict flags: noUncheckedIndexedAccess, noImplicitOverride, exactOptionalPropertyTypes

Dependency Update Branches

Dependabot maintains update PRs:

Branch	Update
`dependabot/npm_and_yarn/drizzle-orm-0.45.2`	drizzle-orm 0.31.4 -> 0.45.2
`dependabot/npm_and_yarn/hono-4.12.12`	Hono 4.4.0 -> 4.12.12
`dependabot/npm_and_yarn/hono/node-server-1.19.13`	@hono/node-server update
`dependabot/npm_and_yarn/vite-6.4.2`	Vite 5.3.0 -> 6.4.2

Key Testing Gaps

High-priority missing coverage areas:

Auth middleware edge cases (invalid/expired/revoked tokens)
Tenant isolation tests for all tenant-scoped routes
RBAC matrix contract tests by role
Webhook signature verification and malformed payload handling
Ingestion idempotency under duplicate events
Redemption concurrency (race-safe debits via FOR UPDATE)
Admin workflows and audit-log assertions
Frontend route guard behavior across status/role combinations
End-to-end merchant journey (signup -> approve -> onboarding -> connect POS)
Clover adapter normalization edge cases
Email template rendering and send behavior
Square polling watermark progression

Suggested Test Pyramid

Unit tests

reward-engine, tenant resolver, RBAC permission helpers, OAuth state helpers
Square/Clover adapter normalization (normalizeSquarePayment, normalizeCloverPayment)
Encryption/decryption round-trip
Error class construction

Integration tests

API routes with test DB and mocked Supabase/Square/Clover APIs
Webhook ingest + transaction dedup + wallet updates
Polling pipeline with mocked Square ListPayments

End-to-end tests

Browser-driven role journeys (consumer, client, admin)
Square/Clover OAuth callback happy and failure paths
Full ingestion: webhook -> transaction -> reward -> wallet -> email

Release Readiness Checklist

A release should not pass without:

Zero type errors
No critical lint failures
Reward-engine tests passing
Migration scripts validated on staging
Smoke checks for auth, wallet read, and webhook endpoint
CI pipeline green (typecheck + lint + test + build)

Written byDhruv Doshi

Current Test Coverage​

Committed tests (main branch)​

Tests on feature branch (copilot/improve-test-coverage)​

CI/CD Pipelines​

CI — Quality Gates (.github/workflows/ci.yml)​

CD — Production Smoke Checks (.github/workflows/cd.yml)​

Current Quality Gates​

ESLint Configuration​

TypeScript Configuration​

Dependency Update Branches​

Key Testing Gaps​

Suggested Test Pyramid​

Unit tests​

Integration tests​

End-to-end tests​

Release Readiness Checklist​