QA engineers who catch bugs before production, not after your users do.

Playwright-based end-to-end test suites that cover the user journeys where bugs cause the most damage: authentication and session management, checkout and payment flows, multi-step forms, data-dependent views, and critical paths where a regression directly affects revenue or retention. Page Object Model pattern throughout: selector logic is in a single place so a DOM change requires one update rather than finding and patching every affected test file. data-testid attributes used as primary selectors rather than CSS classes, element positions, or visual attributes -- tests survive design changes and refactors without needing to be rewritten. Test parallelisation in CI using Playwright's built-in sharding: a 200-test suite that takes 8 minutes serially completes in under 2 minutes across 5 workers, keeping PR feedback loops fast enough that engineers don't bypass CI. Network request mocking with page.route() for external API dependencies so E2E tests are deterministic -- a third-party service being slow or unavailable doesn't cause test failures. Test results in GitHub Actions or GitLab CI annotations so failures show the specific assertion that failed and the screenshot at the moment of failure, not just a red build status.

Visual regression testing with Playwright's built-in toHaveScreenshot() or Chromatic (for Storybook-integrated projects): pixel-by-pixel comparison of component and page screenshots between the current branch and the baseline. When a shared component used in 40 places is refactored, visual regression tests catch unintended rendering changes across all 40 contexts without manually reviewing each one. Baseline screenshots are version-controlled and updated deliberately (not automatically) so visual changes require a conscious review decision rather than a silent automatic pass. Contract testing for APIs consumed by the frontend: Pact consumer-driven contract tests define the minimum response structure the frontend expects from each API endpoint; the API team runs Pact verification to confirm the contract before deploying -- preventing breaking API changes from reaching the frontend integration environment.

Unit test coverage for business logic using Vitest (for Vite-based frontends and Node.js services) or Jest -- covering the functions, hooks, and modules where bugs have the highest blast radius, tested in isolation with mocked dependencies. React Testing Library for component tests: render(), userEvent.click(), expect(screen.getByRole()) -- tests written the way a user interacts with the component, not tests that inspect React state or call component methods directly. The test that breaks when you rename a state variable but not when you change a button label is a poorly written test; the reverse is what we aim for. Snapshot testing avoided for component tests because snapshot diffs are unreadable at review and broken snapshots are typically updated without careful review rather than investigated. Integration tests for API endpoints: Supertest (for Express/Fastify) fires real HTTP requests against the running server and asserts on response status, headers, and JSON body -- the test level that catches authentication middleware bugs, request validation failures, and serialisation errors that unit tests at the handler function level would miss. msw (Mock Service Worker) for frontend integration tests that need to stub API responses without a running backend. Database integration tests: tests that run against a real PostgreSQL test database (seeded with fixtures per test via a setup script) rather than mocked repository interfaces -- because mocked repositories don't catch ORM configuration mistakes, missing indexes that cause timeouts at volume, or schema constraints that the mock doesn't enforce. Coverage thresholds enforced in CI: 80% line coverage on business logic modules, with explicit exclusions for generated code, configuration files, and test utilities. Coverage delta reported as a GitHub PR comment -- a decrease in coverage on a changed module flags the PR for discussion before merge.

k6 load test scripts for API endpoints and critical user journeys: ramping virtual user (VU) tests that confirm the system holds under the projected concurrent user count before launch rather than after. Test scenarios are matched to actual usage patterns. A flash sale API needs a spike test: ramp from 0 to 10x normal VU count in 30 seconds, hold for 5 minutes, ramp down. A reporting endpoint needs a soak test: consistent 2x normal concurrency for 60 minutes to catch memory leaks and connection pool exhaustion that only appear over time. A checkout flow needs a stress test: incremental VU increase until the first error threshold is breached, identifying the ceiling. Performance thresholds defined in the k6 test script (thresholds configuration) -- p95 response time under 500ms, p99 under 1000ms, HTTP error rate under 0.5% -- so the test passes or fails objectively against agreed criteria rather than requiring manual judgement. Artillery as an alternative for event-driven and WebSocket load testing when k6's VU model is less representative. Lighthouse CI integrated into the PR pipeline for frontend performance: LCP, CLS, and INP regressions fail the build when they cross configured thresholds, catching the slow-loading image or unoptimised bundle on the PR that introduced it. Core Web Vitals baseline established at project start and tracked per release in a performance budget spreadsheet so trend changes are visible against a 12-week history rather than only compared to the previous release.

Security testing integrated into the QA scope: OWASP ZAP (Zed Attack Proxy) in baseline scan mode run against the staging environment before each major release, producing a report of common vulnerabilities (SQL injection surface, reflected XSS, missing CSRF tokens, insecure headers) without requiring a full penetration test. Dependency vulnerability scanning with Snyk or OWASP Dependency-Check on every PR -- flagging packages with known CVEs in the dependency tree before they reach production. These are not a replacement for a formal security audit but they catch the common vulnerabilities that should never reach production in a mature engineering team's release process.

Test environment management: test data seeding scripts that create deterministic, predictable test fixtures from a single command so any QA engineer can reproduce any test scenario on any branch without knowing which database records existed at the time a bug was filed. Environment-specific configuration managed via .env.test files with no production credentials. Database snapshot automation for restoring test environments to a known state after a test run modifies data, eliminating test order dependencies (a test that passes when run in isolation but fails when run after another test that left the database in an unexpected state is a hidden reliability problem).

Accessibility testing with axe-core integrated into Playwright tests: automated WCAG 2.1 AA rule checks on every key page as part of the CI suite, failing the build on new violations rather than accumulating a backlog of accessibility debt. Automated accessibility testing catches ~57% of accessibility issues (Deque research); the remainder requires manual keyboard navigation testing and screen reader testing (NVDA on Windows, VoiceOver on macOS/iOS) for complex interactive components -- modals with focus trap, custom dropdowns with keyboard selection, data tables with correct row and column header associations, and multi-step wizards where focus management between steps must be handled explicitly. WCAG 2.1 AA compliance report generated per release for products with contractual or legal accessibility requirements. Bug severity classification on a four-level scale (critical/blocking: production down or data loss; high: key feature broken with no workaround; medium: degraded functionality with workaround available; low: cosmetic or minor) with agreed response time SLAs per level agreed at engagement start. Reproduction steps, environment information, browser and device details, and a screen recording captured at the time of triage so engineers don't spend time reproducing what QA already documented. Regression suite run before every release: a targeted set of Playwright tests covering the features changed in the release plus the high-risk adjacent areas, with a minimum 200-scenario baseline regression for products in active development. Release checklists reflecting the actual system: deployment steps, environment variable checks, database migration verification, smoke test scenarios, third-party integration health checks, and rollback procedure -- reviewed and signed off per release rather than a static document nobody updates. Post-release monitoring period with defined error rate thresholds for triggering rollback decisions on major releases.