TESTING: Inadequate Test Coverage #31

@devfire

Severity: HIGH

Issue

The project has only ONE test for a cryptographic messaging system:

#[cfg(test)]
mod tests {
    #[test]
    fn test_parse_composite_key() { ... }
}

This is completely inadequate for a security-critical application.

Missing Test Categories

Unit Tests:

  • Identity actor key loading
  • OpenMLS actor operations
  • State actor message handling
  • Network configuration validation
  • Error handling paths
  • Protobuf serialization/deserialization

Integration Tests:

  • Actor communication
  • Group creation and joining
  • Message encryption/decryption
  • Key package exchange
  • Multi-user scenarios

Property Tests:

  • Message ordering invariants
  • State consistency
  • Cryptographic properties

Security Tests:

  • Replay attack resistance
  • Key isolation
  • Authentication bypass attempts
  • Malformed message handling

Performance Tests:

  • Message throughput
  • Memory usage under load
  • Concurrent user handling

Why This Matters

Without comprehensive tests:

  • Cannot refactor safely
  • Security issues undetected
  • Regressions introduced easily
  • Hard to verify correctness
  • Not production-ready

Recommended Test Framework

[dev-dependencies]
proptest = "1.0"        # Property testing
criterion = "0.5"       # Benchmarking
mockall = "0.12"        # Mocking
tokio-test = "0.4"      # Async testing

Example Test Structure

#[cfg(test)]
mod tests {
    mod identity_actor {
        #[test]
        fn test_load_valid_ssh_key() { ... }
        
        #[test]
        fn test_load_encrypted_ssh_key() { ... }
        
        #[test]
        fn test_reject_invalid_key_format() { ... }
    }
    
    mod state_actor {
        #[tokio::test]
        async fn test_create_group() { ... }
        
        #[tokio::test]
        async fn test_encrypt_decrypt_roundtrip() { ... }
    }
}

Test Coverage Goals

  • 70%+ line coverage
  • 100% coverage of error paths
  • All public APIs tested
  • Integration test for each user story

Labels

testing, technical-debt, quality
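
Added example, not part of the issue and not the project's code: a sketch of what two of the "Security Tests" items above (replay attack resistance, malformed message handling) can look like as plain Rust unit tests. The `Receiver` type, the `frame` helper, the `RecvError` variants and the wire layout are hypothetical stand-ins constructed for this example; the project's real receive path would take their place.

```rust
use std::collections::HashSet;

// Hypothetical stand-in for a receive path; not the project's API.
// Constructed frame: sender (4 bytes BE) | seq (8 bytes BE) | len (2 bytes BE) | payload.
#[derive(Debug, PartialEq)]
pub enum RecvError { Truncated, BadLength, Replay }
pub struct Receiver { seen: HashSet<(u64, u64)> }

fn be(bytes: &[u8]) -> u64 {
    bytes.iter().fold(0, |acc, b| (acc << 8) | u64::from(*b))
}
pub fn frame(sender: u32, seq: u64, payload: &[u8]) -> Vec<u8> {
    let mut out = sender.to_be_bytes().to_vec();
    out.extend_from_slice(&seq.to_be_bytes());
    out.extend_from_slice(&(payload.len() as u16).to_be_bytes());
    out.extend_from_slice(payload);
    out
}

impl Receiver {
    pub fn new() -> Self { Receiver { seen: HashSet::new() } }
    pub fn accept(&mut self, f: &[u8]) -> Result<Vec<u8>, RecvError> {
        if f.len() < 14 { return Err(RecvError::Truncated); }
        let (sender, seq, len) = (be(&f[0..4]), be(&f[4..12]), be(&f[12..14]) as usize);
        if f.len() - 14 != len { return Err(RecvError::BadLength); }
        // Record (sender, seq) only after the frame is well-formed, so garbage
        // cannot burn a sequence number that a genuine message still needs.
        if !self.seen.insert((sender, seq)) { return Err(RecvError::Replay); }
        Ok(f[14..].to_vec())
    }
}

#[cfg(test)]
mod security_tests {
    use super::*;
    #[test]
    fn replayed_frame_is_rejected() {
        let mut rx = Receiver::new();
        let f = frame(7, 1, b"hello");
        assert_eq!(rx.accept(&f), Ok(b"hello".to_vec()));
        assert_eq!(rx.accept(&f), Err(RecvError::Replay));
    }
    #[test]
    fn malformed_frame_does_not_poison_replay_state() {
        let mut rx = Receiver::new();
        let f = frame(7, 1, b"hello");
        assert_eq!(rx.accept(&f[..10]), Err(RecvError::Truncated));
        assert_eq!(rx.accept(&f[..f.len() - 1]), Err(RecvError::BadLength));
        assert_eq!(rx.accept(&f), Ok(b"hello".to_vec()));
    }
}
```

The second test is the kind a line-coverage target alone does not force: both error branches are already "covered" by simpler tests, but only this one checks that rejected input leaves the replay state untouched.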
