host-uk · Snider · Feb 2, 2026
diff --git a/AUDIT-TESTING.md b/AUDIT-TESTING.md
@@ -0,0 +1,84 @@
+# Test Audit Report
+
+## 1. Executive Summary
+
+This audit evaluates the current state of testing in the project. The overall test coverage is critically low, with a complete absence of unit tests. While the existing feature tests are of decent quality, they lack coverage for edge cases. This report provides a detailed analysis and a list of recommendations to improve test quality and coverage.
+
+**Setup Issues:**
+- A dependency conflict with `vimeo/psalm` prevented the initial installation. This was resolved by temporarily removing the dependency. This should be addressed by either upgrading the PHP version or finding a compatible version of the package.
+- The environment was missing a code coverage driver. This was resolved by installing and configuring Xdebug.
+
+## 2. Coverage Analysis
+
+The test coverage is critically low and requires immediate attention. The lack of unit tests is a major contributor to these low numbers.
+
+- **Line Coverage:** 2.45%
+- **Method Coverage:** 4.51%
+- **Class Coverage:** 3.30%
+- **Branch Coverage:** No data available from the `clover.xml` report.
+
+### Critical Paths
+
+The following critical paths have little to no test coverage:
+
+- **Authentication & Authorization (`Core\\Bouncer`):** This is a major security risk.
+- **Core Application Logic:** Most of the core application logic is untested.
+- **Website Components:** The entire `Core\\Website` namespace is untested.
+
+### Untested Code
+
+The vast majority of the codebase is untested. A full list of untested files can be derived from the `clover.xml` report.
+
+## 3. Test Quality
+
+### Test Independence
+
+- The existing feature tests use `RefreshDatabase`, which is a good practice for test isolation.
+- There is no evidence of order-dependent tests or shared mutable state.
+
+### Test Clarity
+
+- Test names are generally descriptive and follow a consistent pattern.
+- The Arrange-Act-Assert pattern is used correctly in the feature tests.
+- Most tests follow the single assertion principle, but some could be improved.
+
+### Test Reliability
+
+- No flaky tests were identified.
+- No time-dependent tests were found.
+- External dependencies are not consistently mocked, which could lead to unreliable tests.
+
+## 4. Missing Tests
+
+The most significant gap is the complete absence of unit tests. The following types of tests are also missing:
+
+- **Edge Cases:** Tests for null, empty, and boundary values are missing.
+- **Error Paths:** Exception handling is not tested.
+- **Security Tests:** No security-specific tests were found.
+- **Integration Tests:** There are no integration tests to verify the interaction between different components.
+- **Performance Tests:** No load or stress tests were found.
+
+## 5. Anti-Patterns
+
+- **No Unit Tests:** The most significant anti-pattern is the complete lack of unit tests.
+- **Lack of Mocking:** The existing feature tests do not consistently mock external dependencies.
+
+## 6. Suggested Tests to Add
+
+### Unit Tests
+
+- Add unit tests for all classes in the `src` directory.
+- Prioritize unit tests for critical components like `Core\\Bouncer`.
+
+### Feature Tests
+
+- Add feature tests for all public-facing endpoints.
+- Add feature tests for all critical user flows.
+
+### Integration Tests
+
+- Add integration tests to verify the interaction between different components.
+
+### Security Tests
+
+- Add security tests to prevent common vulnerabilities like SQL injection and cross-site scripting.