CodeDecay summarizes deterministic and runtime-backed test signals into a test evidence audit.
The audit asks:
Are the changed tests producing meaningful evidence that the changed behavior is safe?
The first implementation starts with deterministic analyzer findings and can augment them with runtime coverage artifacts when they are present. It does not run mutation testing, execute commands, call models, or use cloud services.
heuristic_only: no runtime coverage artifact was found, so the audit uses deterministic signals only.runtime_augmented: CodeDecay found runtime coverage artifacts and mapped changed files or lines to measured execution.
Current coverage sources:
- Istanbul
coverage-final.json - LCOV
lcov.info - V8 JSON coverage
Changed source classification currently includes JavaScript, TypeScript, and
Python (.py) files. Python projects should provide LCOV or another supported
coverage artifact from their own test runner; CodeDecay maps the artifact to
changed lines but does not run pytest automatically.
Use toolAdapters.coverage when you want CodeDecay to run an explicit local
coverage command or collect existing coverage artifacts during codedecay execute. The analyzer still owns changed-line coverage mapping in
analyze, redteam, and agent reports.
missing: changed source behavior does not have nearby changed test evidence.weak: changed tests exist, but CodeDecay found weak evidence signals.present: changed tests are present and no weak evidence signals were found.not_applicable: no changed source or test files require a test evidence audit.
The audit consumes existing analyzer findings, including:
missing-nearby-teststest-without-assertionssnapshot-only-testmocked-changed-sourceunrelated-test-changecopied-implementation-in-testhappy-path-only-testheavy-mockingtest-bloat
This walkthrough shows the intended review loop for a PR that looks tested but does not prove the real behavior.
-
A PR changes
src/routes/users.tssoGET /usersacceptsincludeDisabled=true. -
The PR also changes
src/routes/users.test.ts, but the test only calls a mockedfindUsers()helper and asserts that the mock was called. It never sends a request through the real route, auth helper, or response serializer. -
codedecay redteam --format markdownreports:Test proof status: weak Verification status: not-run Task: Strengthen test proof [Missing proof] -
The report should not be read as "the PR is broken." It means the current tests do not prove the changed production path works for a real caller.
-
The coding-agent task is to add proof on the real path, for example:
Add an integration test that performs GET /users?includeDisabled=true through the real route with an authorized and unauthorized session. Cover empty result, disabled users present, malformed query value, and default includeDisabled=false behavior. -
After the stronger test exists, run a configured command:
npx codedecay redteam --with-checks --format markdown
-
A stronger result should show the route/test task resolved and
verificationStatus: verifiedonly when the configured checks pass. If commands are disabled, skipped, blocked, or failing, CodeDecay keeps the report inunverified,blocked, orfailedinstead of pretending the PR is proven safe.
This is the core "fake confidence" rule: a changed test is not enough. The test must exercise the real user, API, database, or downstream path that the PR changed.
Adapters such as coverage and StrykerJS can add stronger runtime or mutation evidence to this audit. They remain explicit, local-first, and opt-in.