Production Quality Engineering

Six ways to fail a build before it reaches production

Regulated intake flows where "it works on my machine" isn't a defense. A look at the six testing layers that each catch a different class of bug, and why the two everyone skips are the two that matter.

Context
Multi-step regulated React/TypeScript workflows behind enterprise release gates.
Core technologies
React Hook Form, Zod, TanStack Query, Playwright, contract testing, service virtualization

Regulated intake flows do not forgive you. A user walks through a multi-step form, every step has rules, the data has to be right, and “we’ll patch it Tuesday” is not a sentence you get to say when the domain is regulated. The cost of a bad release is high, which means the cost of catching problems has to get paid earlier and more deliberately than a normal test folder ever bothers with.

The flows themselves were a fairly modern, opinionated stack: React 18 and TypeScript, TanStack Query for server state, React Hook Form for form state, and Zod as the validation contract. The Zod bit is the one I’d defend hardest. The same schema validates at runtime and generates the types at compile time, so the thing checking the user’s input and the thing checking my code are literally the same object. One source of truth, not two that drift.

But the stack isn’t the story. The story is what stood between a commit and production:

  • 6testing layers, each for a different bug class
  • 5+services covered by contract tests
  • G0–G4staged promotion gates

The six layers, quickly: unit for pure logic, component for rendered behavior, end-to-end on Playwright for full workflow traversal, mutation testing, contract testing against the backing services, and service-virtualized integration so we could exercise integration paths without standing up every dependency.

Most teams stop at three. The two that get skipped are mutation testing and contract testing, and those are exactly the two that earn their keep.

A green test suite tells you your tests passed. Mutation testing tells you whether they'd have noticed if you were wrong.

Mutation testing deliberately breaks your code and checks whether a test fails. If nothing fails, congratulations, you have a test that asserts nothing, and you had no idea. The first time you run it on a codebase you thought was well-tested is a humbling afternoon. Contract testing is the other one: it catches the moment an upstream service changes its shape and is about to break your flow silently, which is the kind of bug that otherwise gets discovered in production by a user, which is the worst possible QA engineer to have.

The honest hard part wasn’t writing any single layer. It was wiring all six into a gated pipeline and keeping them fast enough that people didn’t quietly route around them. A quality gate everyone disables is just a slow gate. Promotion through G0 to G4 had to be earned by passing real checks, and the checks had to be fast enough that earning it didn’t feel like punishment.

I’m describing this as practices and gates, not coverage percentages or defect rates, because those numbers belong to the employer and because a coverage number on a portfolio is meaningless anyway. The discipline is the point.