CI/CD Pipeline & Test Infrastructure
Architecture · STR-01, STR-02 · Priority: P1
Why It Matters
AI tools generate code fast. But without a CI/CD pipeline and tests, every change goes directly to production unchecked. There's no automated gate to catch regressions, no feedback loop to verify that a fix didn't break something else.
These two checks are the structural foundation for all other safety enforcement — without them, Guard can't run, scans happen only manually, and regressions accumulate silently.
Affected Stack: Any framework, any deployment target
STR-01 — CI/CD pipeline exists
Priority: P1 — Without CI/CD, safety checks only run when someone remembers to run them.
The Problem
AI-built apps often deploy directly from the developer's machine or through a simple git push to Vercel — with no automated checks in between. The deployment pipeline has no gates, no verification, no enforcement.
```
# ❌ Typical AI-built app deployment
git push → Vercel auto-deploys → production
# No checks. No tests. No guard. Hope for the best.
```
The Fix
Add a GitHub Actions workflow that runs safety checks on every push and PR:
```yaml
# ✅ .github/workflows/vibecodiq-guard.yml
name: Safety Check
on: [push, pull_request]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
      - run: npx @vibecodiq/cli scan --all --json
```
Or install Guard with one command:
```
npx @vibecodiq/cli guard init
```
This creates the workflow file, architecture rules, and enforcement script automatically.
STR-02 — Test files exist
Priority: P1 — Without tests, regressions are invisible until users report them.
The Problem
AI tools almost never generate tests. They focus on building features, not verifying them. The result: no regression safety net. Every AI-generated change might break something — and nobody knows until a user complains.
```
# ❌ Typical AI-built app
src/
├── app/
├── components/
├── lib/
└── ... (zero test files)
```
The Fix
Add at least basic test files for critical flows. You don't need 100% coverage — even a few tests catch the most damaging regressions.
```
# ✅ Minimum viable test structure
tests/
├── auth.test.ts      # Login, logout, protected routes
├── billing.test.ts   # Checkout, webhook, subscription
└── admin.test.ts     # Access control, role checks
```
Test frameworks that work well with Next.js + Supabase:
- Vitest — fast, TypeScript-native, great for unit/integration tests
- Playwright — browser-based E2E tests for real user flows
- Jest — widely used, compatible with most setups
What to test first
Start with the flows where a failure costs you money or users:
- Login flow — can users sign in?
- Checkout flow — can users pay?
- Protected routes — are admin pages actually protected?
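A local approximation of STR-01 and STR-02 that can run as a pre-push hook or CI step, given here as an added example and not the Vibecodiq CLI's implementation. It assumes workflows are `.yml`/`.yaml` files in `.github/workflows` and tests follow `*.test.*` / `*.spec.*` naming; the function names are hypothetical. Dependency and build directories are pruned so that tests shipped inside packages do not mask a missing suite.

```shell
# Added example, not Vibecodiq's own logic. Assumed conventions: workflows are
# *.yml/*.yaml in .github/workflows; tests are named *.test.* or *.spec.*.

# STR-01: succeed if at least one workflow file exists (an empty dir fails).
has_ci_workflow() {
  [ -d "$1/.github/workflows" ] || return 1
  [ -n "$(find "$1/.github/workflows" -maxdepth 1 -type f \
        \( -name '*.yml' -o -name '*.yaml' \) | head -n 1)" ]
}

# STR-02: print the number of first-party test files. Dependency and build
# directories are pruned so tests shipped inside packages are not counted.
count_test_files() {
  find "$1" \
    \( -name node_modules -o -name .git -o -name .next -o -name dist \) -prune -o \
    -type f \( -name '*.test.[jt]s' -o -name '*.test.[jt]sx' \
            -o -name '*.spec.[jt]s' -o -name '*.spec.[jt]sx' \) -print |
    wc -l | tr -d ' '
}

# Exit status: 0 = both pass, 1 = STR-01 fails, 2 = STR-02 fails, 3 = both fail.
check_structure() {
  local repo="${1:-.}" result=0 tests
  if has_ci_workflow "$repo"; then
    echo "STR-01 pass: workflow file found"
  else
    echo "STR-01 FAIL: no workflow file in .github/workflows"
    result=$((result | 1))
  fi
  tests="$(count_test_files "$repo")"
  if [ "$tests" -gt 0 ]; then
    echo "STR-02 pass: $tests test file(s) found"
  else
    echo "STR-02 FAIL: no test files outside dependency/build directories"
    result=$((result | 2))
  fi
  return "$result"
}
```

Source the file and call `check_structure .` from the repository root; a non-zero status fails the hook or job.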
Related Checks
- ASA Architecture Slices — ARCH-01 to ARCH-06
- Global Error Boundary — ERR-01