https://blog.abhipraya.dev/tags/mutation-testing/Recent content in Mutation-Testing on Daffa AbhiprayaHugoen-us© Daffa AbhiprayaWed, 15 Apr 2026 00:00:00 +0700https://blog.abhipraya.dev/ppl/part-b/s2w3-ai-literacy/Wed, 15 Apr 2026 00:00:00 +0700https://blog.abhipraya.dev/ppl/part-b/s2w3-ai-literacy/<h2 id="what-i-worked-on"> <a class="anchor" href="#what-i-worked-on" data-anchor="what-i-worked-on" aria-hidden="true">#</a> What I Worked On </h2> <p>Two weeks where AI was the primary productivity multiplier across very different task shapes. Week 1 leaned on iterative CI debugging (ten MRs of &ldquo;run pipeline, read failure, ask AI, apply fix&rdquo;) and integration-test infrastructure design. Week 2 leaned on bulk test generation (400+ mutation-killing assertions), bash-with-tricky-primitives design (a <code>flock</code>-based slot allocator), and cross-agent documentation research. The common thread across all six patterns: AI is best when the task is a known pattern applied to new context, and weakest when the task is about how primitives interact in a specific environment.</p>https://blog.abhipraya.dev/ppl/part-b/s2w3-tdd/Wed, 15 Apr 2026 00:00:00 +0700https://blog.abhipraya.dev/ppl/part-b/s2w3-tdd/<h2 id="what-i-worked-on"> <a class="anchor" href="#what-i-worked-on" data-anchor="what-i-worked-on" aria-hidden="true">#</a> What I Worked On </h2> <p>Two weeks on mutation testing across the SIRA codebase. The first week wired <a href="https://github.com/boxed/mutmut">mutmut</a> (Python) and <a href="https://stryker-mutator.io/">Stryker</a> (TypeScript) into the pipeline and uncovered the uncomfortable truth: 91% line coverage on the services layer translated to a mutation score just above zero in places. The second week closed that gap by writing 400+ targeted tests across two rounds, driving the API mutation score from ~66% to 80.3%. This blog tells the full arc.</p>https://blog.abhipraya.dev/ppl/part-b/s2w3-code-quality/Wed, 15 Apr 2026 00:00:00 +0700https://blog.abhipraya.dev/ppl/part-b/s2w3-code-quality/<h2 id="what-i-worked-on"> <a class="anchor" href="#what-i-worked-on" data-anchor="what-i-worked-on" aria-hidden="true">#</a> What I Worked On </h2> <p>Two weeks of quality infrastructure: wiring in the tools that measure test quality (week 1), then shortening the feedback loop so that signal actually influences the code being written (week 2). Starting state: 91% line coverage, no mutation testing, integration test coverage missing from SonarQube. Ending state: combined unit + integration coverage in SonarQube, mutmut + Stryker running per-MR with results in the CI comment, API mutation score 80.3%.</p>https://blog.abhipraya.dev/ppl/part-c/s2w2-aptitude/Thu, 09 Apr 2026 00:00:00 +0700https://blog.abhipraya.dev/ppl/part-c/s2w2-aptitude/<h2 id="overview"> <a class="anchor" href="#overview" data-anchor="overview" aria-hidden="true">#</a> Overview </h2> <p>Sprint 2 Week 2 (April 3 to 9) was dominated by a mutation testing sprint: setting up mutmut and Stryker in CI, building integration test infrastructure from scratch, and writing mutation-killing tests. The week also delivered three application features and a meta-level improvement to AI workflow. Each area required learning at least one technology or concept not covered in standard Fasilkom coursework.</p> <hr> <h2 id="1-mutation-testing-with-mutmut-python"> <a class="anchor" href="#1-mutation-testing-with-mutmut-python" data-anchor="1-mutation-testing-with-mutmut-python" aria-hidden="true">#</a> 1. Mutation Testing with mutmut (Python) </h2> <p>Mutation testing is a technique where a tool injects small faults (&ldquo;mutants&rdquo;) into your source code (flipping operators, changing constants, removing lines) and checks whether your test suite catches each fault. If a test fails, the mutant is &ldquo;killed.&rdquo; If no test fails, the mutant &ldquo;survives,&rdquo; meaning your tests have a blind spot.</p>https://blog.abhipraya.dev/ppl/part-a/tdd/Thu, 09 Apr 2026 00:00:00 +0700https://blog.abhipraya.dev/ppl/part-a/tdd/<p>We had 91% line coverage and felt good about it. Then we ran mutation testing and scored 0%. Every line of our service layer was executed by tests, but almost nothing was actually verified. This is the story of how we discovered the gap between &ldquo;code was run&rdquo; and &ldquo;code was checked,&rdquo; and what we changed to close it.</p> <blockquote> <p><strong>Note:</strong> Our project is hosted on an internal GitLab instance, so we use the term <strong>MR (Merge Request)</strong> throughout this blog. If you&rsquo;re coming from GitHub, MRs are the equivalent of <strong>Pull Requests (PRs)</strong>.</p>https://blog.abhipraya.dev/ppl/part-b/s2w1-tdd/Mon, 23 Mar 2026 00:00:00 +0700https://blog.abhipraya.dev/ppl/part-b/s2w1-tdd/<h2 id="what-i-worked-on"> <a class="anchor" href="#what-i-worked-on" data-anchor="what-i-worked-on" aria-hidden="true">#</a> What I Worked On </h2> <p>This week I pushed our testing strategy well beyond standard unit tests. The project already had 433 backend and 200 frontend tests with 91% line coverage, but I wanted to answer a harder question: <strong>do our tests actually catch bugs, or do they just execute code?</strong></p> <p>I added four advanced testing approaches: property-based testing (Hypothesis + fast-check), behavioral testing (pytest-bdd with Gherkin), mutation testing (mutmut + Stryker), and test isolation verification (pytest-randomly). The results were eye-opening.</p>https://blog.abhipraya.dev/ppl/part-b/s2w1-code-quality/Mon, 23 Mar 2026 00:00:00 +0700https://blog.abhipraya.dev/ppl/part-b/s2w1-code-quality/<h2 id="what-i-worked-on"> <a class="anchor" href="#what-i-worked-on" data-anchor="what-i-worked-on" aria-hidden="true">#</a> What I Worked On </h2> <p>This week I enforced strict quality gates across the entire CI pipeline. The project previously had <code>allow_failure: true</code> on SonarQube and security scans, meaning violations were reported but never blocked merges. I changed that.</p> <h2 id="sonarqube-31-violations--0"> <a class="anchor" href="#sonarqube-31-violations--0" data-anchor="sonarqube-31-violations--0" aria-hidden="true">#</a> SonarQube: 31 Violations → 0 </h2> <h3 id="the-violations"> <a class="anchor" href="#the-violations" data-anchor="the-violations" aria-hidden="true">#</a> The Violations </h3> <p>SonarQube flagged 31 issues across the codebase:</p> <ul> <li><strong>1 CRITICAL vulnerability</strong>: <code>jwt.get_unverified_header()</code> reading JWT headers without signature verification</li> <li><strong>3 CRITICAL code smells</strong>: duplicated string literals, nested component definitions</li> <li><strong>27 other issues</strong>: unused variables, missing <code>Readonly&lt;&gt;</code> on props, duplicate CSS blocks, array index keys</li> </ul> <h3 id="the-fixes"> <a class="anchor" href="#the-fixes" data-anchor="the-fixes" aria-hidden="true">#</a> The Fixes </h3> <p><strong>Backend</strong> (3 files): Refactored JWT decode to try HS256 first and fall back to asymmetric on <code>DecodeError</code>, eliminating the unverified header call entirely. Extracted duplicated literals to constants.</p>https://blog.abhipraya.dev/ppl/part-a/tdd-and-qa/Sun, 15 Mar 2026 00:00:00 +0700https://blog.abhipraya.dev/ppl/part-a/tdd-and-qa/<p>We had 91% line coverage and felt good about it. Then we ran mutation testing and scored 0%. Every line of our service layer was executed by tests; almost nothing was actually verified. This is the story of how six advanced testing tools exposed the gap between &ldquo;code was run&rdquo; and &ldquo;code was checked,&rdquo; and what that means for any team relying on coverage as a quality signal.</p> <blockquote> <p><strong>Note:</strong> Our project is hosted on an internal GitLab instance, so we use the term <strong>MR (Merge Request)</strong> throughout this blog. If you&rsquo;re coming from GitHub, MRs are the equivalent of <strong>Pull Requests (PRs)</strong>.</p>