Test Case Review Checklist

Good: "Checkout rejects expired credit card with field-level error." Weak: "Checkout test 4." Title should let a reviewer skim the suite report and know what failed without opening the case.

Match the existing pattern in the repo (e.g., TC-CHECKOUT-042, billing.subscription.upgrade.spec.ts). Inconsistent IDs break dashboards that group by feature area and confuse Jira links.

Paste the Jira/Linear key into the test metadata so traceability reports populate automatically. Tests with no upstream link are the first thing a SOC 2 auditor flags during change-management evidence review.

Preconditions should name the environment (staging, ephemeral preview, local Docker), feature-flag state, seeded user role, and any required service stubs. Implicit "works on my machine" preconditions are the leading cause of flakes when the test runs in CI.

Synthetic fixtures are the default. Anonymized snapshots are acceptable when realistic distributions matter. Production-clone data triggers a PII review — never let raw prod records sit in a test repo.

Run the data through the team's anonymization script and spot-check email, name, address, payment, and free-text fields. Document the script version used. GDPR Article 5 and HIPAA minimum-necessary both apply if the clone leaves the production VPC.

List any other test cases that must run first (login fixtures, seed jobs) and any external services the test calls (payment sandbox, email mock, third-party API). Hidden test ordering is the second-leading cause of flakes after timing.

Each step should be a single user-observable action. "Click Submit and verify the toast and check the database" is three steps, not one. Reviewers should be able to execute the case manually from the written steps without reading the code.

An expected result of "page loads" is too vague — name the element, status code, or DB row that proves success. Steps without explicit expectations rot into smoke tests that pass while the feature is broken.

Prefer toEqual on a known shape over toBeTruthy. Prefer toHaveText('$49.00') over toBeVisible. Loose assertions are how a regression that swaps the price field with the SKU field still passes the test.

Happy-path-only suites are why bugs reach production. Confirm the case (or its sibling cases) covers invalid input, expired sessions, network failure, or boundary values relevant to the feature.

The case should state what the database, queue, and external integrations look like after a successful run. Without this, the next test inherits unknown state and you get order-dependent failures in CI.

Use transaction rollback, fixture teardown hooks (afterEach), or explicit DELETE — never rely on "the next test will overwrite it." Leftover rows are the reason Friday's test run passes and Monday's fails.

S3 uploads, Stripe test customers, SendGrid mock recipients, and ephemeral k8s namespaces all leak quota if not deleted. The test should clean these up even when an assertion fails — wrap teardown in finally.

Open the linked Jira ticket and confirm each AC bullet is covered by at least one assertion in this case (or another linked case). Unmapped ACs are how features ship half-tested.

If the code under test handles PHI (HIPAA), cardholder data (PCI DSS), EU resident data (GDPR), or controls referenced in the SOC 2 audit (access, change management, encryption), it falls in scope and needs an explicit control mapping.

Tag the case with the specific control ID (e.g., SOC 2 CC7.2, HIPAA §164.312(b), PCI DSS 10.2). Vanta/Drata pull these tags directly into the audit evidence package — saves hours during the SOC 2 fieldwork window.

Test descriptions land in customer-facing audit reports and onboarding docs. Typos in test names also break grep — "Checkuot" doesn't match anyone's search.

Open the PR with the linked ticket key in the title, request review from CODEOWNERS for the affected directory, and confirm CI is green before requesting sign-off. Don't merge with a rerun-the-flake exception.

Reviewer must be someone other than the author — a self-approved test case is a SOC 2 segregation-of-duties finding. Capture both the decision and any rework notes so they survive after the PR is merged or closed.

Open a Jira ticket linked to the original story, paste the reviewer notes verbatim, and assign back to the test author. Don't let rejected cases live in a draft branch — they get rebased into oblivion and the gap reappears in the next release.