Skip to main content

Operator Management Service — Testing Strategy

Status: populated Owner: Platform Engineering + QA Last updated: 2026-04-18

1. Coverage Targets

LayerTargetTool
Domain aggregates + VOs95%Vitest
Domain services (DuplicateGuard, HealthStateReducer)90%Vitest
Application use cases90% (branch)Vitest
Integration (HTTP + PG + Vault mock + Redis)All critical pathsTestcontainers
Mutation on aggregates≥ 75%Stryker

2. Unit Tests

  • OperatorName VO: rejects empty, > 128 chars, non-unique (mock repo).
  • DestinationPrefix VO: accepts +44, +1, rejects 44, +, empty.
  • HealthStateReducer: all 6 state transitions; no spurious transitions (e.g. HEALTHY → HEALTHY is no-op).
  • DuplicateOperatorGuard: found case returns error; not-found case passes.
  • RoutingRuleConflictChecker: exact match, prefix subset, no overlap.
  • TpsLimit VO: maxTps < 1 throws; burstMultiplier < 1.0 throws.

3. Integration Tests (Mandatory)

  • test/integration/create-operator.spec.ts — POST creates PG row, Vault secret; returns 201; NATS event published; no password in response.
  • test/integration/duplicate-prevention.spec.ts — second create with same (host, port, systemId) → 409.
  • test/integration/soft-delete.spec.ts — DELETE sets deleted_at; GET returns 404; NATS event published.
  • test/integration/credentials-endpoint.spec.ts — mTLS caller gets systemId + password from Vault; password absent in admin GET.
  • test/integration/vault-failure.spec.ts — Vault down during create → 503; PG row compensated (deleted).
  • test/integration/health-ingest.spec.ts — NATS health event → Redis cache updated → operator.health NATS published.
  • test/integration/routing-rules.spec.ts — create rule; conflict detection on overlap.

4. Contract Tests

  • Schema conformance for all 4 produced events against platform schema registry.
  • OpenAPI diff gate: no breaking change without major version bump.
  • mTLS: TLS handshake tested in integration suite using self-signed cert fixture.

5. Security Tests

  • OWASP ZAP baseline on admin API in staging.
  • Password never appears in: admin GET response, NATS event payloads, Pino logs, Prometheus labels.
  • Vault policy test: attempt to read secret/other-service/ with OMS SA → access denied.
  • NetworkPolicy test: curl from unauthorized namespace → connection refused (k8s policy validated in CI).

6. Load Tests

  • Admin API: 50 concurrent admin users, mixed CRUD, P95 ≤ 300 ms.
  • Internal credentials endpoint: 200 RPS (smpp-connector reconnect storm simulation), P95 ≤ 50 ms.
  • k6 scenarios in loadtests/ops/.