## ADDED Requirements

### Requirement: Testing strategy document

The system SHALL include a document (`docs/engineering/09-testing.md`) that explains the test architecture, how to run tests, coverage requirements, and how to write new tests following project conventions.

#### Scenario: Test types and their purposes explained

- **WHEN** a new engineer reads 09-testing.md
- **THEN** they SHALL understand the distinction between: unit tests (test one service/util in isolation, mock all dependencies, no running services needed) and integration tests (test full HTTP request/response cycle with real PostgreSQL + Redis)

#### Scenario: Test framework stack documented

- **WHEN** a new engineer reads 09-testing.md
- **THEN** they SHALL find the test stack listed and explained: Jest 29.7 (test runner + assertions), ts-jest (TypeScript compilation), Supertest 6.3 (HTTP integration testing), and how each is configured

#### Scenario: Coverage gates documented

- **WHEN** a new engineer reads 09-testing.md
- **THEN** they SHALL know the mandatory gates: >80% statements, >80% branches, >80% functions, >80% lines — and that PRs below these thresholds are blocked

#### Scenario: How to run the test suite documented

- **WHEN** a new engineer wants to run tests
- **THEN** the guide SHALL show: `npm test` (unit tests, no services), `npm run test:coverage` (unit tests + coverage report), `npm run test:integration` (requires Docker stack), and `npx jest src/services/agentService.test.ts` (single file)

#### Scenario: Unit test writing conventions shown

- **WHEN** a new engineer writes a new unit test
- **THEN** the guide SHALL show a complete example: how to mock a repository with `jest.mock()`, how to structure `describe`/`it` blocks, how to assert on thrown errors, and how to verify mock calls — using an actual test from the codebase as the example

#### Scenario: Integration test writing conventions shown

- **WHEN** a new engineer writes a new integration test
- **THEN** the guide SHALL show a complete example using Supertest: how to boot the Express app, how to seed test data, how to make authenticated requests (including getting a JWT first), and how to clean up after the test

#### Scenario: OWASP security testing reference included

- **WHEN** a new engineer writes security-relevant code
- **THEN** the guide SHALL include a reference to the OWASP Top 10 checks that are verified in QA sign-off and what each means in the context of this codebase (SQL injection, JWT attacks, credential exposure, etc.)