๐—›๐—ผ๐˜„ ๐—” ๐—™๐—ถ๐˜ƒ๐—ฒ ๐—Ÿ๐—ถ๐—ป๐—ฒ ๐—”๐—ฟ๐—ฐ๐—ต๐—ถ๐˜๐—ฒ๐—ฐ๐˜๐˜‚๐—ฟ๐—ฒ ๐—ง๐—ฒ๐˜€๐˜ ๐—–๐—ฎ๐˜‚๐—ด๐—ต๐˜ ๐—” ๐——๐—ฎ๐˜๐—ฎ ๐—Ÿ๐—ฒ๐—ฎ๐—ธ

A human code review missed a major security flaw.

Our team had a rule. Every model with tenant data must use the BelongsToTenant trait. This trait prevents one client from seeing another client's data.

A new developer joined the team. They added a new model but forgot the trait. The reviewer focused on the business logic. They did not notice the missing trait. The code went live.

For two days, one clinic saw fragments of another clinic's data. A support ticket found the error. Our tests did not.

That day, we started using architecture tests.

Most tests check behavior. They check if input produces the right output. Architecture tests check structure. They check how you organize your code.

Pest PHP has a function for this. You can write rules like these:

These tests run in your CI pipeline on every commit. If a developer breaks a rule, the build fails. It tells you exactly which file broke the rule.

The tenant trait test caught four more data leaks in the following months. That one test paid for itself.

The env test prevents a common Laravel trap. Calling env directly works in development but returns null in production when you cache your config. This test makes that mistake impossible.

If you add these tests to an old codebase, do not add them all at once. A wall of red failures makes teams angry. Do this instead:

This enforces the rule for new code while you fix the old code slowly.

Architecture tests make your code predictable. Isolation becomes a fact instead of a hope. The machine checks the rules on every commit so humans do not have to remember them.

A rule in a wiki is a suggestion. A rule in CI is real.

What rule would you turn into a test first?

Source: https://dev.to/shahzamandev/how-a-five-line-architecture-test-caught-a-data-leak-a-code-review-missed-52np