test-guard
**test-guard** is a Claude Code skill that reviews test code for quality and maintainability before it's committed or merged. It enforces nine universal rules designed to prevent common AI-generated test failures: excessive mocking of implementation details, near-duplicate test bodies, and redundant framework verification. The skill activates after agents write, edit, or refactor tests in Python pytest, PHPUnit, Pest, Jest, Vitest, Go, or other frameworks, adapting its enforcement to project-specific testing documentation when it exists.
git clone --depth 1 https://github.com/amElnagdy/guard-skills /tmp/test-guard && cp -r /tmp/test-guard/skills/test-guard ~/.claude/skills/test-guardSKILL.md
# Test Guard You are reviewing generated or changed test code before it ships. Enforce the rules below after the first test-writing pass and before the tests are presented, committed, or merged. Be a sharp reviewer, not a pedantic one: flag what wastes maintenance effort or hides real bugs, ignore cosmetic preferences. These rules exist because coding agents over-generate tests. The common failure modes: mock-heavy unit tests that assert implementation details, near-duplicate test bodies that differ by one value, and tests that re-verify the framework instead of the project's logic. Each looks productive in a diff and costs maintenance forever. ## When this skill activates - A coding agent has just written new test functions or test files, in any language - You are editing existing tests - You are reviewing a diff that contains test changes - The user asks you to write, add, or review tests ## Adapt to the project first These rules are universal, but their application is not. Before reviewing: 1. Check the project's own agent instructions (CLAUDE.md, AGENTS.md) and testing docs. Project-specific testing rules win over this skill when they conflict. 2. Identify the test stack, then read the matching reference for concrete patterns: - Python / pytest → [references/pytest.md](references/pytest.md) - PHP / PHPUnit / Pest / WordPress → [references/phpunit.md](references/phpunit.md) - JavaScript / TypeScript / Jest / Vitest → [references/jest.md](references/jest.md) 3. If the project calls LLM APIs, uses agent frameworks, or wires up observability/telemetry, also read [references/llm-app-testing.md](references/llm-app-testing.md) — it adds three rules specific to LLM applications. 4. Map the project's system boundaries: network calls, databases, filesystem, clock and randomness, third-party SDKs, LLM APIs. Existing fixtures and test helpers usually reveal where the project already draws these lines. ## What to do 1. Read the test code: the diff, the new file, or the section being modified. 2. Check each test against the rules below. 3. Report violations concisely: rule number, location, why it violates, suggested fix. 4. If the user explicitly invokes this skill before test writing, apply the rules as you write — don't write violations and then flag them. When writing new tests, ask for each test: "What specific bug does this catch that no other test in this suite catches?" If you can't answer clearly, don't write it. ## The Nine Rules ### Rule 1: Test behavior, not implementation Test what code does from the caller's perspective. Assert return values and observable side effects. Never assert that an internal helper was called with specific arguments — that test breaks on every refactor while catching nothing. **Violation pattern:** asserting a mock of an internal function was called, where that function is not a system boundary. **Fix:** assert the return value or the state change the caller observes. ### Rule 2: Every mock must be justified Mock only at system boundaries: network and HTTP calls, LLM APIs, databases, filesystem I/O on external files, clock and randomness, third-party SDKs. Never mock internal classes or helper functions to isolate a "unit" — the seams you create hide the integration bugs worth catching. When you mock a boundary, assert what the caller *does with the response*, not that the mock received specific arguments. ### Rule 3: One scenario per test, data-driven for variants If two or more tests share identical setup and differ only in input/output values, merge them into one data-driven test (`@pytest.mark.parametrize`, PHPUnit `#[DataProvider]`, Jest `test.each`). **When separate tests ARE correct:** different setup, different assertions, different mock configurations, or genuinely different scenarios that happen to exercise the same function. ### Rule 4: Every test must justify its existence Ask: "What bug does this catch that no other test catches?" Delete tests that only catch typos, verify default values of data classes, or test trivial pass-through logic. **Common unjustified tests:** constructors setting attributes, a function rejecting input the type system already forbids, string formatting of log messages, a constant equaling its literal value. ### Rule 5: Name tests for the scenario Pattern: `test_<scenario>_<expected_outcome>`. The name should read like a requirement, not echo the function signature. | Bad | Good | |-----|------| | `test_parse_response_missing_field` | `test_malformed_response_falls_back_to_default` | | `test_get_language_no_class` | `test_element_without_class_returns_empty_language` | | `test_add_tags_single_string` | `test_single_tag_normalizes_to_list` | ### Rule 6: Production regression tests are sacred Tests that reproduce a real production bug are always justified. Reference the incident (date, issue ID, or short description) in the name or a comment, and never delete them. They are exempt from Rule 4 — their justification is the incident. ### Rule 7: No tests for framework guarantees Don't test that the validation library validates, the ORM commits, the router returns 404, or the test framework's fixtures work. Test *your* logic that sits on top of the framework. **Violation pattern:** a test that would still pass if you deleted all the project's custom code and kept only framework defaults. ### Rule 8: State and value objects are real, never mocked Never mock a data model, DTO, entity, or state object. Construct a real instance. Mocking state hides field-name typos and validation errors — exactly the bugs worth catching. If constructing the real object is painful, that is design feedback, not a reason to mock; add a small builder or factory helper. ### Rule 9: Infrastructure under test gets real infrastructure When database queries, schema behavior, or persistence logic *is the subject* of the test, run against a real test database with real migrations applied via fixtures. Mocking the session t
Review generated or changed production code before it ships, using Clean Code, SOLID, DRY, KISS, YAGNI, and LLM-specific failure-mode checks in any programming language. Best used reactively after an agent writes, edits, refactors, or fixes code, before presenting, committing, or merging the result. Use when the user asks "review this PR", "is this safe to merge?", "make this cleaner", "audit this code", "refactor this", "fix this bug", or after a coding agent produced implementation code. Can also guide writing when explicitly invoked before a risky edit. DO NOT USE for factual/conceptual questions, CI/tooling config, git workflow, running/debugging tests, pure architecture discussion, prose writing, data analysis, or test-code review (use test-guard).
Review generated or changed documentation before it ships — READMEs, API references, docstrings, PHPDoc/JSDoc, changelogs, tutorials, and doc sites. Best used reactively after an agent writes or edits docs, after code changes documented behavior, or before publishing docs. Use when the user says 'review the docs', 'is this documentation accurate', 'update the docs', 'write a README', 'document this API', 'add a docstring', or 'add a changelog entry'. Core job: verify every referenced function, flag, endpoint, config key, and code sample against the source; catch docs-vs-code drift; strip filler and unverifiable claims. DO NOT USE for production code review (use clean-code-guard), test review (use test-guard), marketing copy or blog posts, prose style editing of non-technical writing, or documentation site theming.
Review generated or changed WooCommerce code — extensions, payment and shipping integrations, checkout customizations, and order/product logic — before it ships. Best used reactively after an agent writes, edits, or reviews code touching WooCommerce APIs: wc_get_order, wc_get_orders, wc_get_product, WC() cart or session, woocommerce_* hooks, Store API endpoints, payment gateways, order or product meta, HPOS, subscriptions, or bookings. Use on 'review this Woo plugin', 'is this HPOS compatible', or after tasks like 'write a WooCommerce extension', 'add a checkout field', 'hook into the order flow', or 'update stock'. Enforces HPOS-safe order access, CRUD over direct meta, feature-compatibility declarations, server-side checkout validation, money-handling discipline, and hooks over template overrides. DO NOT USE for WordPress code without WooCommerce APIs (use wp-guard), generic code review (use clean-code-guard), test review (use test-guard), or store configuration and admin-screen questions.
Review generated or changed WordPress code — plugins, themes, and blocks — before it ships. Best used reactively after an agent writes, edits, or reviews code touching WordPress APIs: add_action/add_filter, shortcodes, meta boxes, AJAX handlers, REST routes, WP_Query or $wpdb, widgets, or WP-CLI commands. Use on 'review this plugin', 'is this safe to ship', 'make this translatable', 'speed up this query', or after tasks like 'write a plugin' or 'add an endpoint/shortcode/meta box'. Enforces escaping and sanitization, nonces plus capability checks, prepared database queries, core-API-first development, translation-ready strings, and query/caching discipline. DO NOT USE for WooCommerce-specific order, product, or checkout logic (use woo-guard), non-WordPress PHP, generic code quality review (use clean-code-guard), test code review (use test-guard), server or hosting configuration, or conceptual WordPress questions.