Test Case Review Checklist

Good: "Checkout rejects expired credit card with field-level error." Weak: "Checkout test 4." Title should let a reviewer skim the suite report and know what failed without opening the case.

Match the existing pattern in the repo (e.g., TC-CHECKOUT-042, billing.subscription.upgrade.spec.ts). Inconsistent IDs break dashboards that group by feature area and confuse Jira links.

Preconditions should name the environment (staging, ephemeral preview, local Docker), feature-flag state, seeded user role, and any required service stubs. Implicit "works on my machine" preconditions are the leading cause of flakes when the test runs in CI.

Synthetic fixtures are the default. Anonymized snapshots are acceptable when realistic distributions matter. Production-clone data triggers a PII review — never let raw prod records sit in a test repo.

Run the data through the team's anonymization script and spot-check email, name, address, payment, and free-text fields. Document the script version used. GDPR Article 5 and HIPAA minimum-necessary both apply if the clone leaves the production VPC.

Each step should be a single user-observable action. "Click Submit and verify the toast and check the database" is three steps, not one. Reviewers should be able to execute the case manually from the written steps without reading the code.

An expected result of "page loads" is too vague — name the element, status code, or DB row that proves success. Steps without explicit expectations rot into smoke tests that pass while the feature is broken.

Prefer toEqual on a known shape over toBeTruthy. Prefer toHaveText('$49.00') over toBeVisible. Loose assertions are how a regression that swaps the price field with the SKU field still passes the test.

The case should state what the database, queue, and external integrations look like after a successful run. Without this, the next test inherits unknown state and you get order-dependent failures in CI.

Use transaction rollback, fixture teardown hooks (afterEach), or explicit DELETE — never rely on "the next test will overwrite it." Leftover rows are the reason Friday's test run passes and Monday's fails.

Open the linked Jira ticket and confirm each AC bullet is covered by at least one assertion in this case (or another linked case). Unmapped ACs are how features ship half-tested.

If the code under test handles PHI (HIPAA), cardholder data (PCI DSS), EU resident data (GDPR), or controls referenced in the SOC 2 audit (access, change management, encryption), it falls in scope and needs an explicit control mapping.

Test descriptions land in customer-facing audit reports and onboarding docs. Typos in test names also break grep — "Checkuot" doesn't match anyone's search.

Open the PR with the linked ticket key in the title, request review from CODEOWNERS for the affected directory, and confirm CI is green before requesting sign-off. Don't merge with a rerun-the-flake exception.

Reviewer must be someone other than the author — a self-approved test case is a SOC 2 segregation-of-duties finding. Capture both the decision and any rework notes so they survive after the PR is merged or closed.