Stay Sidekick maintains a comprehensive test suite across both backend (Python/pytest) and frontend (Angular/Vitest) with a minimum 90% coverage threshold enforced in CI on every push and pull request. The strategy combines HTTP integration tests for the Flask API with unit tests for both backend services and Angular components, services, and guards — ensuring that behavioural regressions are caught before any code reaches theDocumentation Index
Fetch the complete documentation index at: https://mintlify.com/sdurutr436/stay-sidekick/llms.txt
Use this file to discover all available pages before exploring further.
main branch.
Backend tests — pytest
The backend test suite is located atbackend/tests/ and is executed with pytest. It covers both HTTP-level integration testing of Flask routes and unit-level testing of service logic.
92 test cases · 12 files
The full suite spans 12 test files split across two categories:7 HTTP integration suites — each mounts the relevant Flask Blueprint with a signed test JWT and exercises its routes end-to-end:
auth— login, token refresh, logoutempresas— company CRUD and multi-tenant isolationusuarios— user management and role changesperfil— per-company profile and integration settingsvault— communication template CRUD and AI usage loggingapartamentos— apartment catalogue and PMS syncheatmap— date-range heatmap data processing
mail_service,contact,solicitud,usuarios,export_csv
Isolation strategy
Each test instantiates the Flask app in test mode with a HS256-signed JWT — no live database or external API connection is required.External dependencies are replaced at the call site using
unittest.mock.patch:- Database — repository calls are patched to return fixture data
- PMS clients (Smoobu, etc.) — HTTP clients are fully mocked
- AI provider —
ai_service.pycalls are patched with canned responses - Mailgun / Discord — outbound HTTP calls are stubbed out
Running backend tests
backend/htmlcov/ and the XML report to backend/coverage.xml. The --cov-fail-under=90 flag causes pytest to exit with a non-zero code if coverage drops below 90%, which is what CI checks.
Lint step
In CI,ruff runs as a separate job that must pass before pytest is allowed to start:
backend/app/ source tree. To run it locally before committing:
Frontend tests — Vitest
The Angular SPA uses Vitest as its test runner (configured viafrontend/vitest.config.ts) with Istanbul for coverage instrumentation. The test suite covers the full component and service hierarchy.
297 tests · 38 specs
Tests are organized by Angular architectural layer:
- Services — all injectable services covering API calls, state management, and business logic
- Organisms — complex page-level components with multiple children
- Molecules — mid-level composite components
- Atoms — low-level presentational components
- Guards — route guards protecting authenticated and role-gated routes
- HTTP interceptor — the JWT attachment and CSRF double-submit cookie interceptor
Coverage thresholds
Istanbul enforces a minimum 90% threshold across all four metrics, defined in
Any pull request that drops below 90% on any metric causes the
frontend/vitest.config.ts:| Metric | Threshold |
|---|---|
| Statements | 90% |
| Branches | 90% |
| Functions | 90% |
| Lines | 90% |
CI — Tests y cobertura workflow to fail, blocking the merge.Running frontend tests
--watch=false flag runs the full suite once and exits, which is the same mode used in CI. To run in interactive watch mode during development, omit the flag:
frontend/coverage/ in three formats:
| Format | Path | Use case |
|---|---|---|
| Text summary | stdout | Quick terminal review |
| HTML | frontend/coverage/index.html | Detailed browser inspection |
| lcov | frontend/coverage/lcov.info | Third-party coverage tools |
Running tests locally
Use these commands to run the full test suite for each layer before opening a pull request:Security auditing — Trivy
In addition to the functional test suites, thetrivy.yml workflow performs automated security auditing using Aqua Security Trivy.
Scan scope
Trivy scans the full filesystem and all IaC configuration files (Docker Compose,
railway.toml, Dockerfiles, nginx.conf) for known vulnerabilities and misconfigurations.Severity filter
Only HIGH and CRITICAL severity findings are reported. Unfixed vulnerabilities (no patch available upstream) are suppressed with
ignore-unfixed: true to reduce noise.Results destination
Results are published as SARIF to GitHub Security → Code Scanning, where they appear as alerts on the repository. The raw SARIF file is also uploaded as a workflow artifact for 14 days.
- Every push to
main - Every pull request targeting
mainthat modifies backend, frontend, web, nginx, workflows, Docker Compose, orpackage.json - Weekly schedule — every Monday at 04:23 UTC, catching newly published CVEs for unchanged dependencies
- Manual dispatch (
workflow_dispatch) for on-demand audits
The coverage report for both backend and frontend is uploaded as a CI artifact with 14 days retention. To review coverage for a specific run, open the Actions tab on GitHub, select the relevant workflow run, and download the artifact from the Artifacts section at the bottom of the summary page.

