Complete guide to setting up a reliable test gate for any project — covers stack detection, 4 core test files, script wiring, secret hygiene, and Cloudflare Workers/Pages patterns. Use when starting a new project, adding CI to an existing one, or when "tests pass but production breaks." Companion to cm-safe-deploy and cm-project-bootstrap.
From cmnpx claudepluginhub tody-agent/codymaster --plugin cmThis skill uses the workspace's default tool permissions.
Provides UI/UX resources: 50+ styles, color palettes, font pairings, guidelines, charts for web/mobile across React, Next.js, Vue, Svelte, Tailwind, React Native, Flutter. Aids planning, building, reviewing interfaces.
Fetches up-to-date documentation from Context7 for libraries and frameworks like React, Next.js, Prisma. Use for setup questions, API references, and code examples.
Implements distributed tracing with Jaeger/Tempo for microservices, including Kubernetes/Docker setup and OpenTelemetry instrumentation (Python/Flask). Use for debugging latency, dependencies, and request flows.
A deployment process without a test gate is just shipping code and praying. The test:gate script is your first line of defense before deployment. A test gate MUST verify four things: frontend component safety, backend API behavior, core business logic, and i18n synchronization.
Core assumption: The most dangerous errors are syntax flaws, variable shadowing, or import failures that tests often skip if they only check logic.
Violating the letter of this process is violating the spirit of quality engineering.
When setting up a test gate for a project, follow these 5 phases in order.
Goal: Identify the framework and install the correct testing dependencies.
Detect Stack:
package.json for framework (React, Vue, Svelte, static HTML) and build tool (Vite, Next.js).wrangler.json(c) (Cloudflare Workers/Pages).Install Dependencies (Example: Vite/Vitest):
# Install vitest and related tools
npm install -D vitest jsdom @testing-library/react @testing-library/jest-dom
# (Adjust based on framework: e.g., @testing-library/svelte)
Configure File:
vitest.config.ts (or .js):
import { defineConfig } from 'vitest/config'
// Import framework plugin (e.g., react(), svelte())
export default defineConfig({
test: {
environment: 'jsdom',
globals: true,
setupFiles: ['./test/setup.ts'], // Optional
},
})
A complete test:gate must cover four distinct layers. Do not combine these files.
frontend-safety.test.ts)This layer prevents white screens and catastrophic syntax errors in the browser. Emphasize parsing and template rendering over logical assertions.
Use the exact implementation from cm-quality-gate regarding the 4 corruption checks.
import { test, expect } from 'vitest';
import fs from 'fs';
import path from 'path';
test('app.js does not contain catastrophic syntax corruption', () => {
// 1. Read the raw file
const content = fs.readFileSync(path.resolve(__dirname, '../public/static/app.js'), 'utf-8');
// 2. Syntax Validation (Check for broken template literals)
// ❌ Bug #1: Single-quote wrapping template string
expect(content).not.toMatch(/=\s*'[^']*\$\{t\(/);
// 3. Delimiter consistency
// ❌ Bug #4: Mismatched delimiters
expect(content).not.toMatch(/t\('[^']*\`/);
expect(content).not.toMatch(/t\(\`[^']*'\)/);
// 4. HTML structure integrity
// ❌ Bug #2: Spaces inside tags or broken closers
expect(content).not.toMatch(/<\s+[a-zA-Z]/); // e.g., "< div"
expect(content).not.toMatch(/<\/\s+[a-zA-Z]/); // e.g., "</ div"
expect(content).not.toMatch(/--\s+>/); // e.g., "text-- >"
});
api-routes.test.ts)This layer ensures backend endpoints respond correctly and handle JSON properly.
Example for a generic fetch wrapper or specific Next.js/Worker handler:
import { test, expect } from 'vitest';
test('API mock test', async () => {
// Test your server handlers directly
// Ensure 200 OK for valid inputs and 400 for errors
expect(true).toBe(true);
});
business-logic.test.ts)This layer tests pure functions: calculations, validations, and data transformations.
import { test, expect } from 'vitest';
test('Calculates score correctly', () => {
// const result = calculateScore(input);
// expect(result).toBe(expected);
expect(true).toBe(true);
});
i18n-sync.test.ts)This layer guarantees that language files are complete and identical in structure.
import { test, expect } from 'vitest';
import fs from 'fs';
import path from 'path';
test('i18n files have identical key counts', () => {
const langDir = path.resolve(__dirname, '../public/static/i18n');
const langs = ['vi.json', 'en.json', 'th.json', 'ph.json'];
const countKeys = (obj: any): number => {
let count = 0;
for (const k in obj) {
if (typeof obj[k] === 'object' && obj[k] !== null) {
count += countKeys(obj[k]);
} else {
count++;
}
}
return count;
};
let baseCount = -1;
for (const file of langs) {
if (!fs.existsSync(path.join(langDir, file))) continue;
const data = JSON.parse(fs.readFileSync(path.join(langDir, file), 'utf-8'));
const count = countKeys(data);
if (baseCount === -1) {
baseCount = count;
} else {
expect(count, `File ${file} has a different key count`).toBe(baseCount);
}
}
});
security-scan.test.ts)This layer prevents secrets from being committed to the repository. Powered by cm-secret-shield patterns.
import { test, expect } from 'vitest';
import fs from 'fs';
import { execSync } from 'child_process';
test('no secret files tracked by git', () => {
const tracked = execSync('git ls-files', { encoding: 'utf-8' });
const badFiles = ['.env', '.dev.vars', '.env.local', '.env.production'];
const found = badFiles.filter(f => tracked.split('\n').includes(f));
expect(found, `Secret files tracked: ${found.join(', ')}`).toEqual([]);
});
test('.gitignore contains required security patterns', () => {
const gitignore = fs.readFileSync('.gitignore', 'utf-8');
expect(gitignore).toContain('.env');
expect(gitignore).toContain('.dev.vars');
});
test('no hardcoded secrets in source files', () => {
const dangerousPatterns = [
/SERVICE_KEY\s*[=:]\s*['"][a-zA-Z0-9/+=]{20,}/g,
/PRIVATE_KEY\s*[=:]\s*['"][a-zA-Z0-9/+=]{20,}/g,
/-----BEGIN.*PRIVATE KEY-----/g,
];
const srcDir = 'src';
if (!fs.existsSync(srcDir)) return;
const files = fs.readdirSync(srcDir).filter(f => f.endsWith('.ts') || f.endsWith('.js'));
for (const file of files) {
const content = fs.readFileSync(`${srcDir}/${file}`, 'utf-8');
for (const pattern of dangerousPatterns) {
expect(content, `${file} contains potential secret`).not.toMatch(pattern);
}
}
});
Wire these tests into package.json to make them easily executable by CI or other skills.
{
"scripts": {
"test": "vitest",
"test:gate": "vitest run --reporter=verbose",
"test:security": "snyk test && aikido-api-client scan-release $npm_package_name $(git rev-parse HEAD) --minimum-severity-level=HIGH",
"test:watch": "vitest watch"
}
}
Security Gate Check: The
test:securityscript runs the Snyk dependency check and the Aikido release scan in parallel. Seecm-security-gatefor advanced SAST/IaC flags.
NEVER commit .env or .dev.vars. Ensure tests do not expose actual production secrets.
.gitignore:
grep -E "node_modules|\.env|\.dev\.vars" .gitignore
# Must exist, if not, add them.
.env.test file (this CAN be committed) with safe, mock values if needed by the test environment.Run the test gate to prove it works before declaring the task complete.
npm run test:gate
| Skill | Relationship |
|---|---|
cm-safe-deploy | test:gate is Gate 2 in the safe deploy pipeline. |
cm-project-bootstrap | Should invoke cm-test-gate during Phase 7 (Infrastructure Setup). |
cm-safe-i18n | Relies on the i18n tests set up in Phase 2, Layer 4. |
cm-secret-shield | Layer 5 security scan uses Secret Shield patterns. |
test:gate run script.app.test.js file.frontend-safety.test.ts layer for SPA/monolith projects.