test-strategy-doc

Test Strategy Document Skill

Produces a complete test strategy from a feature spec, PRD, or system description — covering scope, test types, risk areas, coverage requirements, and a prioritised test case outline.

Required Inputs

Ask for these if not provided:

• Feature or system being tested (paste a spec, PRD, or describe it in plain English)
• Tech stack (language and framework — e.g. TypeScript + React, Python + FastAPI)
• Existing test coverage (e.g. "we have unit tests but no E2E tests", "we use Jest + Playwright already", or "starting from scratch")
• Deployment cadence (e.g. continuous deployment / weekly releases / quarterly — affects what must be automated vs. manual)
• Risk level (low / medium / high / critical — affects depth and coverage requirements)
• Timeline (when does this need to ship — affects prioritisation)
• Team context (who is doing the testing — developers / dedicated QA / both)

Output Format

1. Test Scope

In scope:

• [Specific functionality being tested]
• [Integration points covered]
• [User-facing flows included]

Out of scope:

• [What is deliberately not tested here — and why]
• [Dependencies owned by other teams]

Assumptions:

• [What the test strategy assumes is true — e.g. mocked services, test data availability]

2. Risk Assessment

Identify the highest-risk areas first — these drive depth and coverage:

Area	Risk Level	Why	Test Priority
[e.g. Payment processing]	High	Money movement, regulatory	P0 — exhaustive
[e.g. User authentication]	High	Security boundary	P0 — exhaustive
[e.g. Email notifications]	Medium	External dependency	P1 — happy path + key failures
[e.g. UI copy changes]	Low	Visual only, reversible	P2 — smoke only

3. Test Types and Coverage

Unit Tests

• What: Individual functions and methods in isolation
• Who writes: Developer
• Coverage target: [e.g. 80% line coverage on new code / 100% on critical paths]
• Tools: [e.g. Jest, pytest, go test]
• Focus areas for this feature: [Specific logic that needs unit coverage]

Integration Tests

• What: Service interactions, database operations, API contracts
• Who writes: Developer / QA
• Coverage target: [All happy paths + key failure modes]
• Tools: [e.g. Supertest, pytest + testcontainers]
• Focus areas: [Specific integrations at risk — e.g. third-party API, DB schema changes]

End-to-End Tests

• What: Critical user journeys from browser/client to database
• Who writes: QA / Developer
• Coverage target: [Top N user journeys — list them]
• Tools: [e.g. Playwright, Cypress, Selenium]
• Focus areas: [The 3–5 most critical user flows]

Performance Tests (include if any row in the Risk Assessment table has performance as a risk factor, regardless of overall risk level)

• What: Load, stress, or latency testing
• Targets: [Specific numbers — e.g. 200 req/sec at p95 < 200ms]
• Tools: [e.g. k6, Locust, JMeter]

Security Tests (include only if risk is high+)

• What: OWASP Top 10 checks relevant to this feature
• Focus: [Auth bypasses, injection, data exposure]
• Tools: [e.g. OWASP ZAP, manual penetration testing, Snyk]

4. Test Case Outline

Priority-ordered list of specific test cases:

P0 — Must pass before merge:

Test Case	Type	Expected Outcome
[e.g. User can log in with valid credentials]	E2E	[Redirect to dashboard, session created]
[e.g. Invalid login returns 401]	Integration	[Error message displayed, no session]
[e.g. Password is never stored in plain text]	Unit	[bcrypt hash in DB]

P1 — Must pass before release:

Test Case	Type	Expected Outcome
[e.g. Login fails gracefully when DB is down]	Integration	[User sees friendly error, 503]
[e.g. Rate limiting blocks after 5 failed attempts]	Integration	[429 returned, account flagged]

P2 — Should pass, can ship with known issues tracked:

Test Case	Type	Expected Outcome
[e.g. Login page renders correctly on mobile]	E2E	[Layout matches design]

5. Test Data Requirements

• [Specific test data needed — e.g. test user accounts with various states]
• [External service stubs or mocks needed]
• [Database seed data requirements]
• [Any PII concerns and how test data handles them]

6. Definition of Done

Testing is complete when:

• All P0 test cases pass
• All P1 test cases pass
• Code coverage meets the stated target
• No critical or high severity bugs open
• Performance targets met (if applicable)
• Security checks completed (if applicable)

Quality Checks

• Risk table is populated and drives test priority (not filled in generically)
• Every "P0 — exhaustive" row in the Risk Assessment table has at least one corresponding P0 test case
• "Out of scope" section names at least one explicit exclusion (not left blank)
• Each test type names a concrete tool (not "some testing framework")
• Definition of Done is measurable (not "tests are done when QA is happy")

Anti-Patterns

• Do not write a test strategy without a risk table that drives test priority — generic coverage targets are not a strategy
• Do not leave the "out of scope" section blank — every test strategy must explicitly name what is not being tested and why
• Do not specify test types without naming a concrete tool for each — "some testing framework" is not actionable
• Do not define a Definition of Done that is not measurable — "QA is happy" is not a completion criterion
• Do not create P0 risk areas without corresponding P0 test cases — risk rating must map to test coverage

Usage Examples

• "Write a test strategy for [feature]" + [paste spec or PRD]
• "Create a test plan for [system]"
• "How should we test [feature]?"
• "I need a QA plan for this sprint"
• "What tests do we need for [X]?"