@atlashub/smartstack-cli 2.9.0 → 3.1.0

package/templates/skills/application/steps/step-07-tests.md

@@ -1,28 +1,33 @@
 ---
 name: step-07-tests
-description: Generate backend and security tests using MCP tools
+description: Generate backend tests with real integration testing and security coverage
 prev_step: steps/step-06-migration.md
 next_step: steps/step-08-documentation.md
 ---
 
-# Step 7: Test Generation
+# Step 7: Test Generation & Verification
 
 ## MANDATORY EXECUTION RULES
 
 - ALWAYS use MCP `scaffold_tests` for test generation
+- ALWAYS generate test infrastructure FIRST (once per project)
 - ALWAYS generate at least 3 test categories: controller, service, entity
 - ALWAYS follow naming convention: `{Method}_When{Condition}_Should{Result}`
+- ALWAYS pass `testTypes: ['unit', 'integration']` for controller tests
+- ALWAYS pass `testTypes: ['integration']` for repository tests
+- **ALL tests MUST compile AND pass** - this step is BLOCKING
 - YOU ARE AN ORCHESTRATOR calling MCP, not a generator
 
 ## YOUR TASK
 
 Use MCP tools to generate test files covering:
-1. Controller integration tests (API endpoints)
-2. Service unit tests (business logic)
-3. Entity unit tests (domain rules)
-4. Validator unit tests (input validation)
-5. Repository integration tests (data access)
-6. Security tests (OWASP coverage)
+1. **Test infrastructure** (WebApplicationFactory, IntegrationTestBase, TestAuthHandler)
+2. Controller integration tests (REAL API endpoints with real DB)
+3. Service unit tests (business logic)
+4. Entity unit tests (domain rules)
+5. Validator unit tests (input validation)
+6. Repository integration tests (data access)
+7. Security tests (OWASP coverage)
 
 ---
 
@@ -68,6 +73,8 @@ The test project MUST have these packages:
 | `FluentAssertions` | Assertion library |
 | `Moq` | Mocking framework |
 | `Microsoft.AspNetCore.Mvc.Testing` | Integration test support |
+| `Microsoft.EntityFrameworkCore.Sqlite` | SQLite in-memory for REAL integration tests |
+| `Microsoft.Data.Sqlite` | SQLite connection support |
 | `Microsoft.EntityFrameworkCore.InMemory` | In-memory DB for repository tests |
 | `FluentValidation.TestHelper` | Validator testing support |
 
@@ -76,21 +83,74 @@ cd tests/{SolutionName}.Tests
 dotnet add package FluentAssertions
 dotnet add package Moq
 dotnet add package Microsoft.AspNetCore.Mvc.Testing
+dotnet add package Microsoft.EntityFrameworkCore.Sqlite
+dotnet add package Microsoft.Data.Sqlite
 dotnet add package Microsoft.EntityFrameworkCore.InMemory
 dotnet add package FluentValidation.TestHelper
 ```
 
+### 3. Add Project References
+
+The test project MUST reference the API project (for WebApplicationFactory):
+
+```bash
+cd tests/{SolutionName}.Tests
+dotnet add reference ../../src/{SolutionName}.Api/{SolutionName}.Api.csproj
+dotnet add reference ../../src/{SolutionName}.Application/{SolutionName}.Application.csproj
+dotnet add reference ../../src/{SolutionName}.Domain/{SolutionName}.Domain.csproj
+dotnet add reference ../../src/{SolutionName}.Infrastructure/{SolutionName}.Infrastructure.csproj
+```
+
+### 4. Ensure Program.cs is Accessible (BLOCKING)
+
+The API project's `Program` class must be accessible for `WebApplicationFactory<Program>`.
+
+Check if `Program.cs` ends with `public partial class Program { }`. If not, add it:
+
+```csharp
+// At the very end of Program.cs
+public partial class Program { }
+```
+
+**Alternatively**, add to the API `.csproj`:
+
+```xml
+<ItemGroup>
+  <InternalsVisibleTo Include="{SolutionName}.Tests" />
+</ItemGroup>
+```
+
 ---
 
 ## EXECUTION SEQUENCE
 
+### 0. Generate Test Infrastructure (ONCE PER PROJECT)
+
+Check if `Tests/Integration/SmartStackTestFactory.cs` exists. If NOT:
+
+```
+Tool: mcp__smartstack__scaffold_tests
+Args:
+  target: "infrastructure"
+  name: "{SolutionName}"
+```
+
+This generates:
+- `Tests/Integration/SmartStackTestFactory.cs` - WebApplicationFactory with SQLite
+- `Tests/Integration/IntegrationTestBase.cs` - Base class for integration tests
+- `Tests/Integration/TestAuthHandler.cs` - Fake auth handler (bypasses JWT)
+- `Tests/Integration/TestDataSeeder.cs` - Minimal test data seeder
+
+**Review** `TestDataSeeder.cs` and add project-specific seeding logic if needed (tenant creation, base permissions, etc.).
+
 ### 1. Generate Controller Tests
 
 ```
 Tool: mcp__smartstack__scaffold_tests
 Args:
-  type: "controller"
+  target: "controller"
   name: "{entity_name}"
+  testTypes: ["unit", "integration"]
   options:
     namespace: "{namespace}"
     navRoute: "{full_path}"
@@ -99,26 +159,30 @@ Args:
 ```
 
 This generates:
-- `Tests/Integration/Controllers/{EntityName}ControllerTests.cs`
-
-**Coverage:**
-- GET all → 200 with list
-- GET by ID → 200 when exists, 404 when not
-- POST → 201 when valid, 400 when invalid, 409 when duplicate
-- PUT → 200 when valid, 404 when not exists, 409 on concurrency
-- DELETE → 204 when exists, 404 when not
-- Authorization → 401 unauthenticated, 403 forbidden
-- Tenant isolation → only current tenant data
-- Pagination → paged results
-- Error format → ProblemDetails
+- `Tests/Integration/Controllers/{EntityName}ControllerTests.cs` (mock-based, validates controller routing)
+- `Tests/Integration/Controllers/{EntityName}ControllerIntegrationTests.cs` (REAL tests with actual DB)
+
+**REAL Integration Test Coverage:**
+- GET all -> 200 with list
+- GET by ID -> 200 when exists, 404 when not
+- POST -> 201/200 when valid, persist to DB, read back to verify
+- POST -> 400 when invalid data
+- POST -> 409 when duplicate code
+- PUT -> 200 when valid, persist changes, read back to verify
+- PUT -> 404 when not exists
+- DELETE -> 204 when exists
+- DELETE -> 404 when not exists
+- Tenant isolation -> create in tenant A, invisible in tenant B (REAL DB)
+- Authorization -> 401 when not authenticated
 
 ### 2. Generate Service Tests
 
 ```
 Tool: mcp__smartstack__scaffold_tests
 Args:
-  type: "service"
+  target: "service"
   name: "{entity_name}"
+  testTypes: ["unit"]
   options:
     namespace: "{namespace}"
     includeSoftDelete: true
@@ -128,22 +192,14 @@ Args:
 This generates:
 - `Tests/Unit/Services/{EntityName}ServiceTests.cs`
 
-**Coverage:**
-- GetById → entity when exists, null when not
-- GetAll → list when entities exist, empty when none
-- Create → success, duplicate code rejection
-- Update → success, not found exception
-- Delete → soft delete, already deleted, not found
-- Tenant isolation → correct tenant assignment
-- Error handling → repository failure, concurrency conflict
-
 ### 3. Generate Entity Tests
 
 ```
 Tool: mcp__smartstack__scaffold_tests
 Args:
-  type: "entity"
+  target: "entity"
   name: "{entity_name}"
+  testTypes: ["unit"]
   options:
     namespace: "{namespace}"
     includeSoftDelete: true
@@ -154,20 +210,14 @@ Args:
 This generates:
 - `Tests/Unit/Domain/{EntityName}Tests.cs`
 
-**Coverage:**
-- Factory method Create → valid data, empty tenant, invalid code
-- Update → audit fields
-- Soft delete → mark as deleted, already deleted, restore
-- Audit trail → creation fields, update fields
-- Tenant isolation → immutable TenantId
-
 ### 4. Generate Validator Tests
 
 ```
 Tool: mcp__smartstack__scaffold_tests
 Args:
-  type: "validator"
+  target: "validator"
   name: "{entity_name}"
+  testTypes: ["unit"]
   options:
     namespace: "{namespace}"
 ```
@@ -175,21 +225,14 @@ Args:
 This generates:
 - `Tests/Unit/Validators/{EntityName}ValidatorTests.cs`
 
-**Coverage:**
-- Code validation → valid, null/empty, max length, valid format, invalid characters
-- Name validation → valid, max length
-- Update validation → valid data, optional null fields
-- Security → XSS, SQL injection, prototype pollution
-- Cross-field validation → dependent fields
-- Multiple errors → all errors returned
-
 ### 5. Generate Repository Tests
 
 ```
 Tool: mcp__smartstack__scaffold_tests
 Args:
-  type: "repository"
+  target: "repository"
   name: "{entity_name}"
+  testTypes: ["integration"]
   options:
     namespace: "{namespace}"
     includeSoftDelete: true
@@ -199,24 +242,14 @@ Args:
 This generates:
 - `Tests/Integration/Repositories/{EntityName}RepositoryTests.cs`
 
-**Coverage:**
-- GetById → exists, not exists, soft deleted
-- GetAll → entities exist, empty, exclude soft deleted
-- Add → persist, generate ID
-- Update → persist changes
-- Remove → delete entity
-- ExistsByCode → exists, not exists, soft deleted
-- Tenant isolation → current tenant only, cross-tenant returns null
-- Pagination → correct page and counts
-- Concurrency → concurrent modification exception
-
 ### 6. Generate Security Tests
 
 ```
 Tool: mcp__smartstack__scaffold_tests
 Args:
-  type: "security"
+  target: "controller"
   name: "{entity_name}"
+  testTypes: ["security"]
   options:
     namespace: "{namespace}"
     isSystemEntity: false
@@ -225,17 +258,6 @@ Args:
 This generates:
 - `Tests/Security/{EntityName}SecurityTests.cs`
 
-**Coverage:**
-- Authentication → 401 for unauthenticated, expired token, malformed token
-- Authorization → 403 for insufficient permissions
-- Tenant isolation → cross-tenant access returns 404, tenant ID not injectable
-- Input validation → XSS prevention, SQL injection prevention, path traversal, prototype pollution
-- IDOR → no data leakage via ID guessing
-- Rate limiting → 429 on excessive requests
-- Sensitive data → no passwords/secrets/stack traces exposed
-- CORS → no wildcard origins
-- Security headers → X-Content-Type-Options, X-Frame-Options, X-XSS-Protection
-
 ---
 
 ## POST-GENERATION VERIFICATION (MANDATORY)
@@ -260,7 +282,7 @@ REQUIRED pattern:
 All tests MUST follow Arrange-Act-Assert:
 
 ```csharp
-// ✅ CORRECT
+// CORRECT
 [Fact]
 public async Task GetById_WhenExists_ShouldReturn200()
 {
@@ -274,14 +296,6 @@ public async Task GetById_WhenExists_ShouldReturn200()
     // Assert
     response.StatusCode.Should().Be(HttpStatusCode.OK);
 }
-
-// ❌ FORBIDDEN - No AAA structure
-[Fact]
-public async Task TestGetById()
-{
-    var response = await _client.GetAsync("/api/test/123");
-    Assert.True(response.IsSuccessStatusCode);
-}
 ```
 
 ### 3. Dependencies Check (BLOCKING)
@@ -297,7 +311,8 @@ Minimum test coverage per category:
 
 | Category | Minimum Tests |
 |----------|---------------|
-| Controller | 10 (CRUD + auth + tenant) |
+| Controller (mock) | 10 (CRUD + auth + tenant) |
+| Controller (real integration) | 8 (CRUD + persistence + tenant isolation) |
 | Service | 8 (CRUD + errors) |
 | Entity | 5 (factory + update + validation) |
 | Validator | 8 (code + name + security) |
@@ -312,13 +327,91 @@ dotnet build tests/{SolutionName}.Tests/{SolutionName}.Tests.csproj
 
 If build fails, fix compilation errors before proceeding.
 
-### 6. Test Run (NON-BLOCKING)
+### 6. Test Run (BLOCKING)
+
+```bash
+dotnet test tests/{SolutionName}.Tests/{SolutionName}.Tests.csproj --no-build --verbosity normal
+```
+
+**ALL tests MUST pass.** If tests fail:
+1. Read the failure output carefully
+2. Fix the failing tests or the code they test
+3. Re-run until all tests pass
+4. Do NOT proceed to the next step until all tests are green
+
+---
+
+## FRONTEND TESTS (React Components)
+
+### 7. Check Frontend Test Infrastructure
+
+Verify that the frontend project has Vitest + Testing Library configured:
 
 ```bash
-dotnet test tests/{SolutionName}.Tests/{SolutionName}.Tests.csproj --no-build
+# Check if vitest.config.ts exists in the web/frontend project
+ls {WebProjectPath}/vitest.config.ts 2>/dev/null
 ```
 
-Note: Some tests may fail initially because the service/repository implementations are stubs. This is expected. The test structure and conventions must be correct.
+If NOT found, deploy the test infrastructure:
+
+1. **Install packages:**
+
+```bash
+cd {WebProjectPath}
+npm install -D vitest @testing-library/react @testing-library/jest-dom @testing-library/user-event jsdom msw
+```
+
+2. **Copy infrastructure files** from SmartStack templates:
+
+| Template Source | Destination |
+|----------------|-------------|
+| `templates/project/test-frontend/vitest.config.ts` | `{WebProjectPath}/vitest.config.ts` |
+| `templates/project/test-frontend/setup.ts` | `{WebProjectPath}/src/test/setup.ts` |
+| `templates/project/test-frontend/test-utils.tsx` | `{WebProjectPath}/src/test/test-utils.tsx` |
+| `templates/project/test-frontend/msw/server.ts` | `{WebProjectPath}/src/test/msw/server.ts` |
+| `templates/project/test-frontend/msw/handlers.ts` | `{WebProjectPath}/src/test/msw/handlers.ts` |
+
+3. **Add test script** to `package.json` (if missing):
+
+```json
+{
+  "scripts": {
+    "test": "vitest run",
+    "test:watch": "vitest",
+    "test:coverage": "vitest run --coverage"
+  }
+}
+```
+
+### 8. Generate Frontend Tests
+
+```
+Tool: mcp__smartstack__scaffold_frontend_tests
+Args:
+  name: "{entity_name}"
+  components: ["all"]
+  apiRoute: "/api/{entity_code}"
+```
+
+This generates:
+- `src/pages/{context}/{application}/__tests__/{EntityName}Page.test.tsx` - Page rendering, loading, error states
+- `src/pages/{context}/{application}/__tests__/{EntityName}ListView.test.tsx` - List display, pagination, view toggle
+- `src/pages/{context}/{application}/__tests__/{EntityName}DetailPage.test.tsx` - Detail view, tabs, back navigation
+- `src/hooks/__tests__/use{EntityName}Preferences.test.ts` - Preference get/set
+- `src/services/api/__tests__/{entityName}Api.test.ts` - API client calls with MSW
+
+### 9. Run Frontend Tests (BLOCKING)
+
+```bash
+cd {WebProjectPath}
+npx vitest run --reporter=default
+```
+
+**ALL frontend tests MUST pass.** If tests fail:
+1. Read the failure output carefully
+2. Fix the failing tests or the components they test
+3. Re-run until all tests pass
+4. Do NOT proceed to the next step until all tests are green
 
 ---
 
@@ -331,7 +424,12 @@ Note: Some tests may fail initially because the service/repository implementatio
 
 | File | Category | Tests |
 |------|----------|-------|
-| `Tests/Integration/Controllers/{EntityName}ControllerTests.cs` | Controller | ~12 |
+| `Tests/Integration/SmartStackTestFactory.cs` | Infrastructure | - |
+| `Tests/Integration/IntegrationTestBase.cs` | Infrastructure | - |
+| `Tests/Integration/TestAuthHandler.cs` | Infrastructure | - |
+| `Tests/Integration/TestDataSeeder.cs` | Infrastructure | - |
+| `Tests/Integration/Controllers/{EntityName}ControllerTests.cs` | Controller (mock) | ~12 |
+| `Tests/Integration/Controllers/{EntityName}ControllerIntegrationTests.cs` | Controller (REAL) | ~12 |
 | `Tests/Unit/Services/{EntityName}ServiceTests.cs` | Service | ~10 |
 | `Tests/Unit/Domain/{EntityName}Tests.cs` | Entity | ~8 |
 | `Tests/Unit/Validators/{EntityName}ValidatorTests.cs` | Validator | ~12 |
@@ -342,58 +440,97 @@ Note: Some tests may fail initially because the service/repository implementatio
 
 | Category | Coverage |
 |----------|----------|
-| CRUD Operations | ✅ All endpoints tested |
-| Authentication | ✅ 401 for unauthenticated |
-| Authorization | ✅ 403 for insufficient permissions |
-| Tenant Isolation | ✅ Cross-tenant access blocked |
-| Input Validation | ✅ XSS, SQL injection, path traversal |
-| Error Handling | ✅ ProblemDetails format |
-| Concurrency | ✅ Optimistic locking |
-| Pagination | ✅ Paged results |
-
-### Naming Convention
-All tests follow: `{Method}_When{Condition}_Should{Result}`
-
-### Required NuGet Packages
-- xunit
-- FluentAssertions
-- Moq
-- Microsoft.AspNetCore.Mvc.Testing
-- Microsoft.EntityFrameworkCore.InMemory
-- FluentValidation.TestHelper
-
-### Next Steps
-1. Implement service stubs to make tests pass
-2. Run `dotnet test` to verify test compilation
-3. Achieve >80% code coverage
+| CRUD Operations | All endpoints tested with REAL database |
+| Data Persistence | POST then GET to verify data in DB |
+| Authentication | 401 for unauthenticated |
+| Authorization | 403 for insufficient permissions |
+| Tenant Isolation | Cross-tenant access blocked (REAL) |
+| Input Validation | XSS, SQL injection, path traversal |
+| Error Handling | ProblemDetails format |
+
+### Frontend Tests
+
+| File | Category | Tests |
+|------|----------|-------|
+| `src/pages/.../__tests__/{EntityName}Page.test.tsx` | Page | ~5 |
+| `src/pages/.../__tests__/{EntityName}ListView.test.tsx` | List | ~8 |
+| `src/pages/.../__tests__/{EntityName}DetailPage.test.tsx` | Detail | ~5 |
+| `src/hooks/__tests__/use{EntityName}Preferences.test.ts` | Hooks | ~6 |
+| `src/services/api/__tests__/{entityName}Api.test.ts` | API Client | ~5 |
+
+### Test Execution Result
+- Backend Build: PASS
+- Backend Tests: PASS ({backend_test_count} tests)
+- Frontend Tests: PASS ({frontend_test_count} tests)
 ```
 
 ---
 
 ## SUCCESS METRICS
 
+### Backend
 - Test project exists in solution
-- All 6 test categories generated
+- Test infrastructure generated (SmartStackTestFactory, IntegrationTestBase, TestAuthHandler)
+- All 7 test categories generated (infrastructure + 6 test types)
 - Naming convention `{Method}_When{Condition}_Should{Result}` respected
 - Arrange-Act-Assert structure in all tests
 - FluentAssertions used (not Assert.Equal)
-- Moq used for mocking
-- Test project builds successfully
+- Moq used for mocking (only in mock-based tests)
+- **Test project builds successfully**
+- **ALL backend tests pass** (BLOCKING)
 - Minimum test count met per category
+- Real integration tests verify actual DB persistence
+
+### Frontend
+- Vitest + Testing Library + MSW infrastructure deployed
+- Test files generated for all scaffolded components (page, list, detail, hooks, api)
+- MSW handlers mock API endpoints correctly
+- **ALL frontend tests pass** (BLOCKING)
 
 ## FAILURE MODES
 
-- Test project doesn't exist → Create it first
-- Missing NuGet packages → Install them
-- Build failures → Fix compilation errors
-- Wrong naming convention → Rename tests
-- Missing test categories → Generate missing ones
+### Backend
+- Test project doesn't exist -> Create it first
+- Missing NuGet packages -> Install them
+- Program.cs not accessible -> Add `public partial class Program { }`
+- Build failures -> Fix compilation errors
+- **Test failures -> Fix the code or tests before proceeding**
+- Wrong naming convention -> Rename tests
+- Missing test categories -> Generate missing ones
+
+### Frontend
+- Vitest not configured -> Deploy infrastructure templates
+- Missing npm packages -> Run `npm install -D vitest @testing-library/react ...`
+- MSW handlers missing -> Check `src/test/msw/handlers.ts`
+- Import errors -> Check path aliases in `vitest.config.ts`
+- **Test failures -> Fix the components or tests before proceeding**
+
+---
+
+## CODE REVIEW (RECOMMENDED)
+
+After all tests pass, run a code quality audit on the generated feature:
+
+```
+Tool: mcp__smartstack__review_code
+Args:
+  scope: "{entity_name}"
+  focus: ["security", "architecture", "clean-code", "performance"]
+```
+
+This reviews:
+- **Security (OWASP)**: SQL injection, XSS, CSRF, auth bypass, tenant isolation
+- **Architecture**: Layer violations, DI patterns, SOLID principles
+- **Clean Code**: Naming, complexity, duplication, dead code
+- **Performance**: N+1 queries, missing indexes, unnecessary allocations
+
+IF critical issues found: Fix them before proceeding. Non-critical findings can be noted for future improvement.
 
 ---
 
 ## END OF WORKFLOW
 
-This is the final step of the /application skill workflow. The user now has:
+This step concludes the test generation. The user now has:
 - Full navigation structure (step 01)
 - RBAC permissions (step 02)
 - Role mappings (step 03)
@@ -401,4 +538,6 @@ This is the final step of the /application skill workflow. The user now has:
 - Backend CRUD API (step 04)
 - Frontend components + i18n + routes (step 05)
 - Database migration (step 06)
-- **Complete test suite (step 07)**
+- **Complete backend test suite with REAL integration tests (step 07)**
+- **Complete frontend test suite with Vitest + Testing Library + MSW (step 07)**
+- All backend and frontend tests compile and pass