Zippi uses GitHub Actions for continuous integration, with separate jobs for the Python backend and the TypeScript/React frontend. Every push to main, master, or develop, and every pull request, triggers the full pipeline. Pre-commit hooks enforce the same linting and a fast smoke test locally before code ever reaches the remote.
CI Pipeline Overview
The pipeline is defined in .github/workflows/ci.yml and runs two parallel jobs:
Backend Job
Runs on ubuntu-latest with Python 3.12, working directory backend/:
| Step | Command | Purpose |
|---|---|---|
| Install deps | pip install -r requirements-dev.txt | Install app + test dependencies |
| Lint | ruff check app tests | Style, import order, unused variables |
| Security scan | bandit -r app -ll | Detect low-severity-and-above security issues |
| Tests + coverage | pytest tests/by_role tests/unit --cov=app --cov-report=term-missing --cov-fail-under=1 | Run all contract and unit tests |
Frontend Job
Runs on ubuntu-latest with Node 20, working directory frontend/:
| Step | Command | Purpose |
|---|---|---|
| Install | npm ci | Reproducible install from lockfile |
| Build | npm run build | Vite production build — fails on TypeScript and bundle errors |
| Type check | npx tsc --noEmit | Full TypeScript type verification |
| E2E smoke | npm run test:e2e | Playwright Chromium smoke tests |
Running Tests Locally
Test Organization
The Three-Layer Test Strategy
Layer 1 — Contract tests by role (tests/by_role/)
Each role directory tests every endpoint the role interacts with — both the endpoints it should reach (HTTP 200/201) and the endpoints it must be blocked from (HTTP 403/404). This is the primary mechanism for verifying RBAC correctness end-to-end.
Layer 2 — Unit tests (tests/unit/)
Domain logic, state machines, pricing calculations, and security functions are tested in isolation. Key files:
- test_order_state_machine.py — valid and invalid FSM transitions
- test_guest_order_pricing.py — server-side price recalculation (amounts are never trusted from the client)
- test_wompi_payments.py — checkout creation, webhook signature validation, idempotency
- test_audit_context.py — audit event creation and field population
Pre-Commit Hooks
.pre-commit-config.yaml installs two hooks that run before every git commit:
backend/ file is staged. It runs the full by-role suite plus the two most critical unit tests. Commits that break contract tests or the order/pricing domain are rejected before they leave the developer’s machine.
Install the hooks once after cloning:
Keeping Sources of Truth in Sync
There are six files that must stay synchronized whenever a role, permission, or endpoint changes:
- backend/app/modules/auth/domain/rbac.py — Python permission definitions
- frontend/src/lib/permissions.ts — TypeScript permission constants
- backend/tests/by_role/<role>/test_access.py — access control assertions
- backend/tests/by_role/<role>/test_functions.py — functional assertions
- Route decorators — require_permission("...") in routes.py files
- API documentation — endpoint permission requirements
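Drift between these sources can be checked mechanically. The following is an added example, not Zippi's own code: it compares permission strings across three of the six sources (rbac.py, permissions.ts, and route decorators). The file contents are constructed samples, and the resource:action naming plus the ROLE_PERMISSIONS and PERMISSIONS layouts are assumptions about how the real files look.

```python
import re

# Constructed sample contents; the real files' layout is an assumption.
RBAC_PY = '''
ROLE_PERMISSIONS = {
    "admin": {"orders:read", "orders:cancel", "users:manage"},
    "courier": {"orders:read", "deliveries:update"},
}
'''
PERMISSIONS_TS = '''
export const PERMISSIONS = {
  ORDERS_READ: "orders:read",
  ORDERS_CANCEL: "orders:cancel",
  DELIVERIES_UPDATE: "deliveries:update",
} as const;
'''
ROUTES_PY = '''
@router.get("/orders")
@require_permission("orders:read")
def list_orders(): ...

@router.post("/orders/{id}/refund")
@require_permission("orders:refund")
def refund_order(): ...
'''

# Assumed naming convention: quoted "resource:action" literals.
PERM = re.compile(r'["\']([a-z_]+:[a-z_]+)["\']')
# Permission string passed to the require_permission("...") decorator.
DECORATOR = re.compile(r'require_permission\(\s*["\']([^"\']+)["\']\s*\)')

def find_drift(rbac_src, ts_src, routes_src):
    """Return permission names that disagree between the three sources."""
    backend = set(PERM.findall(rbac_src))
    frontend = set(PERM.findall(ts_src))
    enforced = set(DECORATOR.findall(routes_src))
    return {
        "missing_in_frontend": sorted(backend - frontend),   # UI cannot gate on it
        "missing_in_backend": sorted(frontend - backend),    # UI shows what no role holds
        "undefined_on_routes": sorted(enforced - backend),   # route guarded by unknown name
        "never_enforced": sorted(backend - enforced),        # defined, but no route requires it
    }

if __name__ == "__main__":
    for kind, names in find_drift(RBAC_PY, PERMISSIONS_TS, ROUTES_PY).items():
        print(f"{kind}: {names}")
```

Run as a CI step or pre-commit hook, a check like this would fail the build whenever any of the first three lists is non-empty.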
Test Data Patterns
Tests use in-memory SQLite databases (via SQLAlchemy’s create_engine("sqlite:///:memory:")) for isolation. Each test that needs database state seeds its own minimum catalog using helper functions (e.g. _seed_minimum_catalog) defined in the test file or conftest.py. Tests never share state between test functions.
Deterministic values (fixed timestamps, known reference strings, hardcoded checksums) are used in webhook and signature tests so that test failures produce identical output on every run and in every environment.