Mutation Testing Driver
Runs mutation testing to assess whether the test suite would catch small deliberate bugs, then reports mutation survival rate and prioritized test improvements. Useful for measuring real test quality beyond line coverage.

Intended for engineers shipping code to critical paths (payments, auth, licensing), tech leads enforcing test-quality bars, teams preparing for high-stakes deploys, and applied researchers claiming "100% coverage" and wanting to know what that actually means.

A test suite at 90% line coverage can still miss entire classes of bugs because hitting a line is not the same as asserting its behavior. Mutation testing, which introduces small bugs into the code and measures how many the tests catch, is the standard way to measure real test quality, but the tooling is underused because setup and interpretation are painful. A structured driver runs the mutation tool, parses the output, and turns it into actionable test improvements rather than a raw survival rate.
One-Time Purchase
$19.99
# Mutation Testing — `src/lib/watermark.ts` and `src/lib/zip-builder.ts`
**Tool:** Stryker Mutator 9.0
**Language:** TypeScript
**Scope:** 2 files, 187 lines
**Run time:** 4 minutes 12 seconds
<div data-callout="caution" data-label="Result">
Mutation score **72%** — below the **80% bar** for security-adjacent code. Of 144 mutants generated, 104 killed, 40 survived. Line coverage on the same files reads 96% — confirming the gap mutation testing exists to find: tests run the code but do not assert enough about what it produces. Eight surviving mutants are in **watermark signature verification** logic, which is the highest-leverage path to fix.
</div>
<div data-metric="caution" data-value="72%" data-direction="up">
Kill rate against 144 generated mutants. Target 80% before merging to `main`. The watermark verification path drives most of the survival rate — 8 mutants in a 40-line function.
</div>
<div data-stack data-stack-title="By module">
<div data-row data-value="65%">`watermark.ts` — 8 surviving mutants in signature verification</div>
<div data-row data-value="78%">`zip-builder.ts` — 12 surviving mutants, mostly in path-normalization edge cases</div>
<div data-row data-value="92%">`watermark.ts` — buyer-info injection path (acceptable)</div>
<div data-row data-value="88%">`zip-builder.ts` — frontmatter gate (acceptable)</div>
</div>
---
## Surviving mutants — prioritized
| # | Location | Mutation | Why it survived | Severity |
|---|---|---|---|---|
| 1 | `watermark.ts:42` | `!==` → `===` in HMAC comparison | No test asserts the negative path (invalid signature must reject) | <span data-pill="critical">critical</span> |
| 2 | `watermark.ts:48` | `timingSafeEqual` → `===` | No test exercises the constant-time path | <span data-pill="critical">critical</span> |
| 3 | `watermark.ts:51` | Boundary: `>` → `>=` on expiry check | No test exercises the off-by-one boundary | <span data-pill="critical">critical</span> |
| 4 | `watermark.ts:55` | Removed `return null` on invalid input | Tests never pass invalid input | <span data-pill="caution">high</span> |
| 5 | `zip-builder.ts:78` | `startsWith('/')` → `startsWith('')` | No test asserts on absolute-path rejection | <span data-pill="caution">high</span> |
| 6 | `zip-builder.ts:91` | `.includes('..')` → `false` | No test asserts on path traversal rejection | <span data-pill="caution">high</span> |
| 7 | `zip-builder.ts:103` | Conditional negated | Branch reached but result not asserted on | <span data-pill="caution">medium</span> |
| 8 | … 33 more | misc | various — see report | <span data-pill="info">low/med</span> |
---
<div data-callout="critical" data-label="Mutants 1–3 — security implication">
These three surviving mutants in `watermark.ts` mean the test suite **does not actually verify that signature checking works**. The current tests prove the function *runs*, not that it *rejects bad input*. If a future change accidentally inverts the comparison or removes the constant-time check, no test will fail. Add assertions for: (a) invalid HMAC rejects with `null`, (b) expired token rejects, (c) tampered payload rejects, (d) constant-time comparison is in fact constant-time (timing variance test).
</div>
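The gap this callout describes, as an added example rather than the project's `watermark.ts` (which the page does not show): a hypothetical `makeVerify` stand-in whose flags model mutants 1, 3 and 4, a run-only suite that lets all three survive, and a suite with assertions (a) to (c) that kills them. The token shape, key, and the rule that a token is still valid at `now === expires` are assumptions made for illustration.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";
// Hypothetical token shape and verifier; the page does not show watermark.ts.
type Token = { payload: string; expires: number; sig: string };
type Verify = (t: Token, key: string, now: number) => string | null;
type Flags = { invertCompare?: boolean; inclusiveExpiry?: boolean; dropGuard?: boolean };

const sign = (payload: string, expires: number, key: string): string =>
  createHmac("sha256", key).update(`${payload}.${expires}`).digest("hex");
// Each flag switches on one mutation from the table (mutants 1, 3 and 4).
function makeVerify(m: Flags = {}): Verify {
  return (t, key, now) => {
    const expected = Buffer.from(sign(t.payload, t.expires, key), "hex");
    const given = Buffer.from(t.sig, "hex");
    if (given.length !== expected.length && !m.dropGuard) return null; // mutant 4 drops this
    const match = timingSafeEqual(given, expected); // throws on unequal lengths
    if (m.invertCompare ? match : !match) return null; // mutant 1 inverts the comparison
    if (m.inclusiveExpiry ? now >= t.expires : now > t.expires) return null; // mutant 3
    return t.payload;
  };
}

const MUTANTS: Record<string, Flags> = {
  "1: inverted HMAC comparison": { invertCompare: true },
  "3: > became >= on expiry": { inclusiveExpiry: true },
  "4: removed return null": { dropGuard: true },
};

const KEY = "constructed-test-key"; // constructed sample values
const NOW = 1700000000;
const token = (expires: number): Token => ({ payload: "buyer-42", expires, sig: sign("buyer-42", expires, KEY) });

// A suite returns true when every assertion holds; a throw counts as a failure.
type Suite = (v: Verify) => boolean;
const run = (check: () => boolean): boolean => { try { return check(); } catch { return false; } };
// High-coverage style: executes the verifier but asserts nothing about its result.
const runOnlySuite: Suite = (v) => run(() => { v(token(NOW + 60), KEY, NOW); return true; });
const negativePathSuite: Suite = (v) => run(() =>
  v(token(NOW + 60), KEY, NOW) === "buyer-42" &&                          // valid accepts
  v({ ...token(NOW + 60), sig: "00".repeat(32) }, KEY, NOW) === null &&   // (a) invalid HMAC
  v(token(NOW - 1), KEY, NOW) === null &&                                 // (b) expired
  v({ ...token(NOW + 60), payload: "buyer-43" }, KEY, NOW) === null &&    // (c) tampered
  v(token(NOW), KEY, NOW) === "buyer-42" &&                               // expiry boundary
  v({ ...token(NOW + 60), sig: "abcd" }, KEY, NOW) === null);             // malformed input

// Names of the mutants a suite fails to kill.
function survivors(suite: Suite): string[] {
  return Object.keys(MUTANTS).filter((name) => suite(makeVerify(MUTANTS[name])));
}
```

`survivors(runOnlySuite)` lists all three mutants and `survivors(negativePathSuite)` is empty. Mutant 2 is not modelled because a functional assertion cannot distinguish a constant-time comparison from a plain one.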
<div data-callout="caution" data-label="Mutants 5–6 — path traversal">
`zip-builder.ts` has no test for the path-traversal guard. The function is fed user-controlled names from skill specs; if the `.includes('..')` check is ever removed or weakened, traversal becomes possible. Add a fixture skill spec with `../` in a filename and assert the build rejects it.
</div>
<div data-callout="info" data-label="Acceptable survivals">
Of the 40 survivors, ~22 are equivalent mutants (the mutation produces semantically identical behavior — logging order, redundant null checks). Mark these in `stryker.conf.json` under `ignoreStatic` so the score isn't penalized in future runs. After that adjustment, the **effective** score is ~85%.
</div>
*Mutation testing is a quality signal, not a coverage replacement. Re-run nightly on the security-critical paths; a survival-rate regression in those modules should block release.*
This sample illustrates the skill's output format. Names, metrics, and operational details are illustrative unless the artifact explicitly analyzes public information.
All sales final. No refunds on digital products.
Includes support for Claude Code, Codex, OpenClaw, and Google Antigravity in the same license.
Best for
Engineers shipping code to truly critical paths — payments, auth, licensing, billing reconciliation — where 90% line coverage gives false confidence and mutation survival rate is the question that actually matters. Most useful in TypeScript, Python, Java, and Go projects where mature mutation-testing tooling exists.
Not ideal for
Codebases without a fast, deterministic test suite — mutation testing multiplies runtime, so slow or flaky tests make the whole thing untenable. Also a poor fit for early projects where line coverage is still low; fix the coverage gap first, then worry about mutation quality.
Included in this purchase
- Claude Code, Codex, OpenClaw, and Google Antigravity skill files.
- Setup guidance for the right adapter in your workspace.
- One-time license for the purchased skill version.
Setup
Plan for a short setup in the repository or workspace where the skill will run. Some coding familiarity helps for implementation-heavy outputs.
Future Updates
This purchase includes the current version of the skill. If you want future adapter updates — meaning compatibility and packaging updates as supported platforms evolve — plus new catalog additions included automatically, upgrade to Pro.