Forem: ThankGod Chibugwum Obobo The latest articles on Forem by ThankGod Chibugwum Obobo (@actocodes). https://forem.com/actocodes https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3695202%2F9eabbead-6f92-4be9-9ca2-eb8ab9548c27.jpg Forem: ThankGod Chibugwum Obobo https://forem.com/actocodes en Self-Healing Systems: How to Use Secure Error Codes to Trigger Automated Rollback Scripts ThankGod Chibugwum Obobo Sun, 03 May 2026 17:00:00 +0000 https://forem.com/actocodes/self-healing-systems-how-to-use-secure-error-codes-to-trigger-automated-rollback-scripts-pb https://forem.com/actocodes/self-healing-systems-how-to-use-secure-error-codes-to-trigger-automated-rollback-scripts-pb <p>Every production system fails eventually. Databases go down, deployments introduce regressions, third-party APIs return unexpected errors, and traffic spikes overwhelm services. The difference between a mature engineering team and a reactive one is not whether failures happen, it's how fast the system recovers, and whether it can recover <em>without human intervention</em>.</p> <p><strong>Self-healing systems</strong> are infrastructure and application architectures designed to detect failure, classify its severity, and automatically execute recovery procedures, all before an on-call engineer has opened their laptop.</p> <p>The foundation of a self-healing system is <strong>structured error codes</strong>: machine-readable identifiers that carry enough semantic meaning to drive automated decisions. When your system knows <em>what kind</em> of failure occurred, it can trigger the right response, a rollback, a circuit break, a scale-out, or a failover, without guesswork.</p> <p>This guide covers how to design a secure error taxonomy, build rollback automation triggered by error signals, and implement the safeguards that prevent automated recovery from causing more damage than the original failure.</p> <h2> What Makes a System "Self-Healing"? </h2> <p>A self-healing system combines three capabilities:<br> <strong>Detection:</strong> continuously monitoring error rates, latency, health checks, and deployment signals to identify when something has gone wrong.</p> <p><strong>Classification:</strong> interpreting the error signal accurately enough to determine the appropriate recovery action. A deployment regression needs a rollback, a traffic spike needs a scale-out, a downstream timeout needs a circuit break.</p> <p><strong>Automated Recovery:</strong> executing the recovery action without waiting for human approval, within boundaries defined in advance by your engineering team.</p> <p>The critical word is <em>boundaries</em>. Self-healing automation is not about giving machines unlimited authority, it's about pre-authorizing specific, reversible recovery actions for well-understood failure modes.</p> <h2> Step 1 - Designing a Secure Error Code Taxonomy </h2> <p>Raw HTTP status codes (500, 503) are too coarse to drive automated decisions. A <code>500</code> could mean a null pointer exception, a database connection failure, an invalid deployment artifact, or an out-of-memory crash, each requiring a completely different recovery action.</p> <p>A <strong>structured error code taxonomy</strong> adds a semantic layer on top of status codes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>{DOMAIN}-{CATEGORY}-{SPECIFIC_CODE} Examples: DB-CONN-001 → Database connection pool exhausted DB-QUERY-002 → Query timeout exceeded threshold DEPLOY-HEALTH-001 → Post-deployment health check failed DEPLOY-HEALTH-002 → Post-deployment error rate spike SVC-DEP-001 → Upstream dependency unreachable SVC-DEP-002 → Upstream dependency returning 5xx MEM-HEAP-001 → Heap memory above critical threshold AUTH-TOKEN-001 → Token signing key unavailable </code></pre> </div> <p>This taxonomy gives your automation layer unambiguous signals. <code>DEPLOY-HEALTH-002</code> (post-deployment error rate spike) maps to a rollback. <code>SVC-DEP-001</code> (upstream unreachable) maps to a circuit break. <code>MEM-HEAP-001</code> maps to a pod restart or scale-out.</p> <h3> Secure Error Code Design Principles </h3> <p><strong>Never expose raw error codes to external clients.</strong> Your taxonomy is internal infrastructure, it should appear in logs, metrics, and internal alerting systems, never in API responses consumed by third parties. External responses use the sanitized format covered in a previous article.</p> <p><strong>Make codes immutable once in use.</strong> Changing the meaning of <code>DB-CONN-001</code> after automation has been built around it is dangerous. Deprecate and replace, never redefine.</p> <p><strong>Scope codes to actionability.</strong> If a code cannot drive a distinct automated action, it adds noise without value. Every code in your taxonomy should have a documented owner, severity level, and response procedure.</p> <h2> Step 2 - Emitting Structured Error Signals </h2> <p>Error codes are only useful if they're consistently emitted wherever failures occur. Centralize this in your global exception filter and service-layer error handling:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// src/common/errors/app-error.ts</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">AppError</span> <span class="kd">extends</span> <span class="nc">Error</span> <span class="p">{</span> <span class="nf">constructor</span><span class="p">(</span> <span class="k">public</span> <span class="k">readonly</span> <span class="nx">errorCode</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="c1">// e.g., 'DB-CONN-001'</span> <span class="k">public</span> <span class="k">readonly</span> <span class="nx">message</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="k">public</span> <span class="k">readonly</span> <span class="nx">severity</span><span class="p">:</span> <span class="dl">'</span><span class="s1">low</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">medium</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">high</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">critical</span><span class="dl">'</span><span class="p">,</span> <span class="k">public</span> <span class="k">readonly</span> <span class="nx">retryable</span><span class="p">:</span> <span class="nx">boolean</span><span class="p">,</span> <span class="k">public</span> <span class="k">readonly</span> <span class="nx">metadata</span><span class="p">?:</span> <span class="nb">Record</span><span class="o">&lt;</span><span class="kr">string</span><span class="p">,</span> <span class="nx">unknown</span><span class="o">&gt;</span><span class="p">,</span> <span class="p">)</span> <span class="p">{</span> <span class="k">super</span><span class="p">(</span><span class="nx">message</span><span class="p">);</span> <span class="k">this</span><span class="p">.</span><span class="nx">name</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">AppError</span><span class="dl">'</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Throw typed errors from your service layer:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// users.service.ts</span> <span class="k">async</span> <span class="nf">findUser</span><span class="p">(</span><span class="nx">id</span><span class="p">:</span> <span class="kr">string</span><span class="p">)</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="k">return</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nx">repo</span><span class="p">.</span><span class="nf">findOneOrFail</span><span class="p">({</span> <span class="na">where</span><span class="p">:</span> <span class="p">{</span> <span class="nx">id</span> <span class="p">}</span> <span class="p">});</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="k">this</span><span class="p">.</span><span class="nf">isConnectionError</span><span class="p">(</span><span class="nx">error</span><span class="p">))</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">AppError</span><span class="p">(</span> <span class="dl">'</span><span class="s1">DB-CONN-001</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Database connection pool exhausted</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">critical</span><span class="dl">'</span><span class="p">,</span> <span class="kc">true</span><span class="p">,</span> <span class="p">{</span> <span class="na">serviceId</span><span class="p">:</span> <span class="dl">'</span><span class="s1">users-service</span><span class="dl">'</span><span class="p">,</span> <span class="na">timestamp</span><span class="p">:</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">().</span><span class="nf">toISOString</span><span class="p">()</span> <span class="p">}</span> <span class="p">);</span> <span class="p">}</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">AppError</span><span class="p">(</span> <span class="dl">'</span><span class="s1">DB-QUERY-001</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Database query failed</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">high</span><span class="dl">'</span><span class="p">,</span> <span class="kc">false</span><span class="p">,</span> <span class="p">{</span> <span class="na">query</span><span class="p">:</span> <span class="dl">'</span><span class="s1">findUser</span><span class="dl">'</span><span class="p">,</span> <span class="na">userId</span><span class="p">:</span> <span class="nx">id</span> <span class="p">}</span> <span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>In your global exception filter, emit these codes to your metrics and alerting systems:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// In GlobalExceptionFilter</span> <span class="k">if </span><span class="p">(</span><span class="nx">exception</span> <span class="k">instanceof</span> <span class="nx">AppError</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Emit to metrics (Prometheus, Datadog, CloudWatch)</span> <span class="k">this</span><span class="p">.</span><span class="nx">metricsService</span><span class="p">.</span><span class="nf">increment</span><span class="p">(</span><span class="dl">'</span><span class="s1">app.errors</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">errorCode</span><span class="p">:</span> <span class="nx">exception</span><span class="p">.</span><span class="nx">errorCode</span><span class="p">,</span> <span class="na">severity</span><span class="p">:</span> <span class="nx">exception</span><span class="p">.</span><span class="nx">severity</span><span class="p">,</span> <span class="na">service</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">SERVICE_NAME</span><span class="p">,</span> <span class="p">});</span> <span class="c1">// Emit to structured log</span> <span class="k">this</span><span class="p">.</span><span class="nx">logger</span><span class="p">.</span><span class="nf">error</span><span class="p">({</span> <span class="na">errorCode</span><span class="p">:</span> <span class="nx">exception</span><span class="p">.</span><span class="nx">errorCode</span><span class="p">,</span> <span class="na">severity</span><span class="p">:</span> <span class="nx">exception</span><span class="p">.</span><span class="nx">severity</span><span class="p">,</span> <span class="na">retryable</span><span class="p">:</span> <span class="nx">exception</span><span class="p">.</span><span class="nx">retryable</span><span class="p">,</span> <span class="na">metadata</span><span class="p">:</span> <span class="nx">exception</span><span class="p">.</span><span class="nx">metadata</span><span class="p">,</span> <span class="p">});</span> <span class="p">}</span> </code></pre> </div> <p>Every critical error is now a structured, queryable, alertable event, not just a line in a log file.</p> <h2> Step 3 - Building the Rollback Trigger Architecture </h2> <p>The rollback trigger sits between your observability layer and your infrastructure automation. Here's the recommended architecture:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Application Error ↓ Structured Log / Metric Emission (errorCode, severity, rate) ↓ Alert Rule (e.g., DEPLOY-HEALTH-002 rate &gt; threshold for 2 min) ↓ Webhook / Event Bridge ↓ Rollback Controller (validates, authorizes, executes) ↓ Rollback Script (kubectl rollout undo / git revert / feature flag disable) ↓ Notification (Slack, PagerDuty) + Audit Log </code></pre> </div> <p>The <strong>Rollback Controller</strong> is the critical safety layer, it must validate the signal before acting, enforce rate limits on rollback frequency, and log every automated action with full auditability.</p> <h2> Step 4 - Implementing the Rollback Controller </h2> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// rollback-controller/src/rollback.service.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Injectable</span><span class="p">,</span> <span class="nx">Logger</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@nestjs/common</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">exec</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">child_process</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">promisify</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">util</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">execAsync</span> <span class="o">=</span> <span class="nf">promisify</span><span class="p">(</span><span class="nx">exec</span><span class="p">);</span> <span class="kr">interface</span> <span class="nx">RollbackTrigger</span> <span class="p">{</span> <span class="nl">errorCode</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">service</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">environment</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">triggeredAt</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">webhookSecret</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="p">}</span> <span class="p">@</span><span class="nd">Injectable</span><span class="p">()</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">RollbackService</span> <span class="p">{</span> <span class="k">private</span> <span class="k">readonly</span> <span class="nx">logger</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Logger</span><span class="p">(</span><span class="nx">RollbackService</span><span class="p">.</span><span class="nx">name</span><span class="p">);</span> <span class="k">private</span> <span class="k">readonly</span> <span class="nx">lastRollback</span> <span class="o">=</span> <span class="k">new</span> <span class="nb">Map</span><span class="o">&lt;</span><span class="kr">string</span><span class="p">,</span> <span class="kr">number</span><span class="o">&gt;</span><span class="p">();</span> <span class="k">private</span> <span class="k">readonly</span> <span class="nx">COOLDOWN_MS</span> <span class="o">=</span> <span class="mi">10</span> <span class="o">*</span> <span class="mi">60</span> <span class="o">*</span> <span class="mi">1000</span><span class="p">;</span> <span class="c1">// 10 minute cooldown per service</span> <span class="k">async</span> <span class="nf">handleTrigger</span><span class="p">(</span><span class="nx">trigger</span><span class="p">:</span> <span class="nx">RollbackTrigger</span><span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="k">void</span><span class="o">&gt;</span> <span class="p">{</span> <span class="c1">// 1. Validate the webhook secret</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="k">this</span><span class="p">.</span><span class="nf">validateSecret</span><span class="p">(</span><span class="nx">trigger</span><span class="p">.</span><span class="nx">webhookSecret</span><span class="p">))</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nx">logger</span><span class="p">.</span><span class="nf">warn</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Invalid rollback webhook secret</span><span class="dl">'</span><span class="p">,</span> <span class="na">service</span><span class="p">:</span> <span class="nx">trigger</span><span class="p">.</span><span class="nx">service</span> <span class="p">});</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Unauthorized rollback trigger</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// 2. Validate the error code is rollback-eligible</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="k">this</span><span class="p">.</span><span class="nf">isRollbackEligible</span><span class="p">(</span><span class="nx">trigger</span><span class="p">.</span><span class="nx">errorCode</span><span class="p">))</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nx">logger</span><span class="p">.</span><span class="nf">log</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Error code not rollback-eligible</span><span class="dl">'</span><span class="p">,</span> <span class="na">errorCode</span><span class="p">:</span> <span class="nx">trigger</span><span class="p">.</span><span class="nx">errorCode</span> <span class="p">});</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// 3. Enforce cooldown, prevent rollback loops</span> <span class="kd">const</span> <span class="nx">lastRollbackTime</span> <span class="o">=</span> <span class="k">this</span><span class="p">.</span><span class="nx">lastRollback</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="nx">trigger</span><span class="p">.</span><span class="nx">service</span><span class="p">)</span> <span class="o">??</span> <span class="mi">0</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">()</span> <span class="o">-</span> <span class="nx">lastRollbackTime</span> <span class="o">&lt;</span> <span class="k">this</span><span class="p">.</span><span class="nx">COOLDOWN_MS</span><span class="p">)</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nx">logger</span><span class="p">.</span><span class="nf">warn</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Rollback cooldown active, skipping automated rollback</span><span class="dl">'</span><span class="p">,</span> <span class="na">service</span><span class="p">:</span> <span class="nx">trigger</span><span class="p">.</span><span class="nx">service</span><span class="p">,</span> <span class="p">});</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// 4. Execute rollback</span> <span class="k">try</span> <span class="p">{</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nf">executeRollback</span><span class="p">(</span><span class="nx">trigger</span><span class="p">.</span><span class="nx">service</span><span class="p">,</span> <span class="nx">trigger</span><span class="p">.</span><span class="nx">environment</span><span class="p">);</span> <span class="k">this</span><span class="p">.</span><span class="nx">lastRollback</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="nx">trigger</span><span class="p">.</span><span class="nx">service</span><span class="p">,</span> <span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">());</span> <span class="k">this</span><span class="p">.</span><span class="nx">logger</span><span class="p">.</span><span class="nf">log</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Automated rollback executed successfully</span><span class="dl">'</span><span class="p">,</span> <span class="na">service</span><span class="p">:</span> <span class="nx">trigger</span><span class="p">.</span><span class="nx">service</span><span class="p">,</span> <span class="na">environment</span><span class="p">:</span> <span class="nx">trigger</span><span class="p">.</span><span class="nx">environment</span><span class="p">,</span> <span class="na">errorCode</span><span class="p">:</span> <span class="nx">trigger</span><span class="p">.</span><span class="nx">errorCode</span><span class="p">,</span> <span class="na">triggeredAt</span><span class="p">:</span> <span class="nx">trigger</span><span class="p">.</span><span class="nx">triggeredAt</span><span class="p">,</span> <span class="p">});</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nf">notifyTeam</span><span class="p">(</span><span class="nx">trigger</span><span class="p">,</span> <span class="dl">'</span><span class="s1">success</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nx">logger</span><span class="p">.</span><span class="nf">error</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Automated rollback failed</span><span class="dl">'</span><span class="p">,</span> <span class="na">service</span><span class="p">:</span> <span class="nx">trigger</span><span class="p">.</span><span class="nx">service</span><span class="p">,</span> <span class="na">error</span><span class="p">:</span> <span class="nx">error</span> <span class="k">instanceof</span> <span class="nb">Error</span> <span class="p">?</span> <span class="nx">error</span><span class="p">.</span><span class="nx">message</span> <span class="p">:</span> <span class="dl">'</span><span class="s1">Unknown error</span><span class="dl">'</span><span class="p">,</span> <span class="p">});</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nf">notifyTeam</span><span class="p">(</span><span class="nx">trigger</span><span class="p">,</span> <span class="dl">'</span><span class="s1">failure</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="k">private</span> <span class="nf">isRollbackEligible</span><span class="p">(</span><span class="nx">errorCode</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="nx">boolean</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">ROLLBACK_CODES</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Set</span><span class="p">([</span> <span class="dl">'</span><span class="s1">DEPLOY-HEALTH-001</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">DEPLOY-HEALTH-002</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">DEPLOY-HEALTH-003</span><span class="dl">'</span><span class="p">,</span> <span class="p">]);</span> <span class="k">return</span> <span class="nx">ROLLBACK_CODES</span><span class="p">.</span><span class="nf">has</span><span class="p">(</span><span class="nx">errorCode</span><span class="p">);</span> <span class="p">}</span> <span class="k">private</span> <span class="nf">validateSecret</span><span class="p">(</span><span class="nx">secret</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="nx">boolean</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">secret</span> <span class="o">===</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">ROLLBACK_WEBHOOK_SECRET</span><span class="p">;</span> <span class="p">}</span> <span class="k">private</span> <span class="k">async</span> <span class="nf">executeRollback</span><span class="p">(</span><span class="nx">service</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">environment</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="k">void</span><span class="o">&gt;</span> <span class="p">{</span> <span class="c1">// Kubernetes rollback, undo the last deployment</span> <span class="kd">const</span> <span class="nx">command</span> <span class="o">=</span> <span class="s2">`kubectl rollout undo deployment/</span><span class="p">${</span><span class="nx">service</span><span class="p">}</span><span class="s2"> --namespace=</span><span class="p">${</span><span class="nx">environment</span><span class="p">}</span><span class="s2">`</span><span class="p">;</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">stdout</span><span class="p">,</span> <span class="nx">stderr</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">execAsync</span><span class="p">(</span><span class="nx">command</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">stderr</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="s2">`Rollback command stderr: </span><span class="p">${</span><span class="nx">stderr</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="p">}</span> <span class="k">this</span><span class="p">.</span><span class="nx">logger</span><span class="p">.</span><span class="nf">log</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Rollback command output</span><span class="dl">'</span><span class="p">,</span> <span class="nx">stdout</span> <span class="p">});</span> <span class="p">}</span> <span class="k">private</span> <span class="k">async</span> <span class="nf">notifyTeam</span><span class="p">(</span><span class="nx">trigger</span><span class="p">:</span> <span class="nx">RollbackTrigger</span><span class="p">,</span> <span class="nx">status</span><span class="p">:</span> <span class="dl">'</span><span class="s1">success</span><span class="dl">'</span> <span class="o">|</span> <span class="dl">'</span><span class="s1">failure</span><span class="dl">'</span><span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="k">void</span><span class="o">&gt;</span> <span class="p">{</span> <span class="c1">// Emit to Slack, PagerDuty, or your alerting system</span> <span class="k">this</span><span class="p">.</span><span class="nx">logger</span><span class="p">.</span><span class="nf">log</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="s2">`Rollback notification: </span><span class="p">${</span><span class="nx">status</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="na">service</span><span class="p">:</span> <span class="nx">trigger</span><span class="p">.</span><span class="nx">service</span><span class="p">,</span> <span class="na">errorCode</span><span class="p">:</span> <span class="nx">trigger</span><span class="p">.</span><span class="nx">errorCode</span><span class="p">,</span> <span class="p">});</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>The cooldown mechanism is non-negotiable. Without it, a persistent failure can trigger an infinite rollback loop, repeatedly rolling back to a version that also fails, amplifying the incident rather than resolving it.</p> <h2> Step 5 - Rollback Script Patterns by Infrastructure Type </h2> <p>Different infrastructure types require different rollback mechanisms:</p> <h3> Kubernetes Deployments </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/bin/bash</span> <span class="c"># rollback-k8s.sh</span> <span class="nv">SERVICE</span><span class="o">=</span><span class="nv">$1</span> <span class="nv">NAMESPACE</span><span class="o">=</span><span class="nv">$2</span> <span class="nb">echo</span> <span class="s2">"Rolling back </span><span class="nv">$SERVICE</span><span class="s2"> in </span><span class="nv">$NAMESPACE</span><span class="s2">..."</span> kubectl rollout undo deployment/<span class="nv">$SERVICE</span> <span class="nt">--namespace</span><span class="o">=</span><span class="nv">$NAMESPACE</span> kubectl rollout status deployment/<span class="nv">$SERVICE</span> <span class="nt">--namespace</span><span class="o">=</span><span class="nv">$NAMESPACE</span> <span class="nt">--timeout</span><span class="o">=</span>120s <span class="k">if</span> <span class="o">[</span> <span class="nv">$?</span> <span class="nt">-ne</span> 0 <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"Rollback failed, manual intervention required"</span> <span class="nb">exit </span>1 <span class="k">fi </span><span class="nb">echo</span> <span class="s2">"Rollback complete"</span> </code></pre> </div> <h3> Feature Flag Disable (Instant, Zero-Downtime) </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// For rollbacks that don't require redeployment</span> <span class="k">async</span> <span class="nf">disableFeatureFlag</span><span class="p">(</span><span class="nx">flagKey</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="k">void</span><span class="o">&gt;</span> <span class="p">{</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nx">featureFlagClient</span><span class="p">.</span><span class="nf">disable</span><span class="p">(</span><span class="nx">flagKey</span><span class="p">);</span> <span class="k">this</span><span class="p">.</span><span class="nx">logger</span><span class="p">.</span><span class="nf">log</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Feature flag disabled via rollback</span><span class="dl">'</span><span class="p">,</span> <span class="nx">flagKey</span> <span class="p">});</span> <span class="p">}</span> </code></pre> </div> <p>Feature flag rollbacks are the safest and fastest option, sub-second recovery with no deployment required. Build new features behind flags specifically to enable this.</p> <h2> Step 6 - Safety Guardrails for Production Automation </h2> <p>Automated rollbacks in production require strict safeguards:<br> <strong>Webhook authentication:</strong> Every rollback trigger must carry a signed secret. Validate it before executing any action, an unauthenticated trigger is an attack vector.</p> <p><strong>Audit trail:</strong> Log every triggered rollback attempt, successful or not, with the triggering error code, timestamp, operator (system vs. human), and outcome. This log is your compliance evidence and your post-incident reconstruction tool.</p> <p><strong>Runbook links in notifications:</strong> Every automated rollback notification should include a link to the relevant runbook, so the on-call engineer who receives the alert knows exactly what happened and what to verify next.</p> <p><strong>Dead man's switch:</strong> If the rollback controller itself goes unhealthy, it should stop processing triggers rather than silently failing. A broken rollback controller that appears healthy is more dangerous than no rollback controller at all.</p> <h2> Conclusion </h2> <p>Self-healing systems are not magic, they are disciplined engineering. A well-designed <strong>error code taxonomy</strong> gives your infrastructure layer the semantic richness to make decisions. A <strong>rollback controller</strong> with proper authentication, cooldown logic, and audit trails executes those decisions safely. And <strong>pre-authorized, reversible recovery scripts</strong> ensure that automation acts within boundaries your team has explicitly defined.</p> <p>The goal is not to eliminate human judgment, it's to remove humans from the critical path of routine, well-understood failure modes. When <code>DEPLOY-HEALTH-002</code> fires at 3am, your system should already be recovering before the on-call engineer's phone buzzes.</p> selfhealingsystems sitereliabilityengineering platformengineering softwareengineering Contract Testing for Microservices: How to Ensure Reliability in Distributed Systems ThankGod Chibugwum Obobo Sun, 26 Apr 2026 17:00:00 +0000 https://forem.com/actocodes/contract-testing-for-microservices-how-to-ensure-reliability-in-distributed-systems-4j81 https://forem.com/actocodes/contract-testing-for-microservices-how-to-ensure-reliability-in-distributed-systems-4j81 <p>In a microservices architecture, services are independently developed, deployed, and scaled. But independence comes with a hidden cost: <strong>integration risk</strong>. When the <code>orders-service</code> calls the <code>users-service</code>, how do you know the response shape hasn't changed? When the <code>payments-service</code> upgrades its API, how do you catch breaking changes before they reach production?</p> <p>Unit tests won't catch this. E2E tests are too slow and too brittle to run on every deployment. The answer is <strong>contract testing</strong>, a lightweight, fast, and precise approach to verifying that services can communicate with each other correctly, without the overhead of a shared test environment.</p> <p>This guide covers what contract testing is, how <strong>consumer-driven contract testing</strong> with <strong>Pact</strong> works, and how to integrate it into your microservices CI/CD pipeline.</p> <h2> What Is Contract Testing? </h2> <p>A <strong>contract</strong> is a formal agreement between two services about what requests and responses look like. Contract testing verifies that both sides of a service interaction honor that agreement independently, without needing both services running simultaneously.</p> <p>There are two roles in every contract:</p> <ul> <li> <strong>Consumer:</strong> the service that makes a request and depends on the response (e.g., <code>orders-service</code> calling <code>users-service</code>)</li> <li> <strong>Provider:</strong> the service that receives the request and returns a response (e.g., <code>users-service</code>)</li> </ul> <p>In <strong>consumer-driven contract testing</strong>, the consumer defines the contract, specifying exactly what data it needs from the provider. The provider then verifies it can satisfy that contract. If the provider changes its API in a way that breaks the consumer's expectations, the contract test fails.</p> <p>This flips the traditional integration testing model: instead of testing against a real running provider, the consumer tests against a <strong>mock</strong>, generates a contract file, and the provider verifies against that file independently.</p> <h2> Why Not Just Use Integration or E2E Tests? </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Testing Approach</th> <th>Speed</th> <th>Isolation</th> <th>Catches Breaking Changes</th> <th>Environment Required</th> </tr> </thead> <tbody> <tr> <td>Unit tests</td> <td>Fast</td> <td>Full</td> <td>No</td> <td>None</td> </tr> <tr> <td>Contract tests</td> <td>Fast</td> <td>Full</td> <td>Yes</td> <td>None</td> </tr> <tr> <td>Integration tests</td> <td>Slow</td> <td>Partial</td> <td>Yes</td> <td>Both services</td> </tr> <tr> <td>E2E tests</td> <td>Slow</td> <td>None</td> <td>Yes</td> <td>Full stack</td> </tr> </tbody> </table></div> <p>Contract tests occupy a unique position: they're as fast and isolated as unit tests, but they verify cross-service compatibility as accurately as integration tests, without requiring both services to run simultaneously.</p> <h2> Introducing Pact </h2> <p><strong>Pact</strong> is the most widely adopted consumer-driven contract testing framework. It supports multiple languages (JavaScript/TypeScript, Java, Go, Python, .NET) and provides:</p> <ul> <li>A <strong>consumer DSL</strong> for defining contracts as test code</li> <li>A <strong>mock provider</strong> that consumers test against</li> <li>A <strong>Pact file</strong> (JSON) that captures the contract</li> <li> <strong>Provider verification</strong> tooling that replays the contract against the real provider</li> <li> <strong>Pact Broker</strong> a hosted registry for sharing and versioning contracts between teams</li> </ul> <p>For this guide, we'll use <strong>PactJS</strong> with TypeScript in a NestJS microservices context.</p> <h2> Step 1 - Install Pact Dependencies </h2> <p>In your consumer service:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install</span> <span class="nt">--save-dev</span> @pact-foundation/pact </code></pre> </div> <p>In your provider service:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install</span> <span class="nt">--save-dev</span> @pact-foundation/pact </code></pre> </div> <h2> Step 2 - Write the Consumer Contract Test </h2> <p>The consumer test defines what it expects from the provider and generates a Pact file. Here, the <code>orders-service</code> (consumer) defines its contract with the <code>users-service</code> (provider):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// orders-service/src/users/users.pact.spec.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">PactV3</span><span class="p">,</span> <span class="nx">MatchersV3</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@pact-foundation/pact</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">UsersClient</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./users.client</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="nx">path</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">path</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">like</span><span class="p">,</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">integer</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">MatchersV3</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">provider</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">PactV3</span><span class="p">({</span> <span class="na">consumer</span><span class="p">:</span> <span class="dl">'</span><span class="s1">orders-service</span><span class="dl">'</span><span class="p">,</span> <span class="na">provider</span><span class="p">:</span> <span class="dl">'</span><span class="s1">users-service</span><span class="dl">'</span><span class="p">,</span> <span class="na">dir</span><span class="p">:</span> <span class="nx">path</span><span class="p">.</span><span class="nf">resolve</span><span class="p">(</span><span class="nx">__dirname</span><span class="p">,</span> <span class="dl">'</span><span class="s1">../../pacts</span><span class="dl">'</span><span class="p">),</span> <span class="c1">// where the Pact file is written</span> <span class="na">port</span><span class="p">:</span> <span class="mi">4000</span><span class="p">,</span> <span class="p">});</span> <span class="nf">describe</span><span class="p">(</span><span class="dl">'</span><span class="s1">UsersService Contract</span><span class="dl">'</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nf">describe</span><span class="p">(</span><span class="dl">'</span><span class="s1">GET /users/:id</span><span class="dl">'</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nf">it</span><span class="p">(</span><span class="dl">'</span><span class="s1">returns a user when given a valid ID</span><span class="dl">'</span><span class="p">,</span> <span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">await</span> <span class="nx">provider</span> <span class="p">.</span><span class="nf">given</span><span class="p">(</span><span class="dl">'</span><span class="s1">a user with ID usr_001 exists</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">uponReceiving</span><span class="p">(</span><span class="dl">'</span><span class="s1">a request for user usr_001</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">withRequest</span><span class="p">({</span> <span class="na">method</span><span class="p">:</span> <span class="dl">'</span><span class="s1">GET</span><span class="dl">'</span><span class="p">,</span> <span class="na">path</span><span class="p">:</span> <span class="dl">'</span><span class="s1">/users/usr_001</span><span class="dl">'</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="na">Accept</span><span class="p">:</span> <span class="dl">'</span><span class="s1">application/json</span><span class="dl">'</span> <span class="p">},</span> <span class="p">})</span> <span class="p">.</span><span class="nf">willRespondWith</span><span class="p">({</span> <span class="na">status</span><span class="p">:</span> <span class="mi">200</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">Content-Type</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">application/json</span><span class="dl">'</span> <span class="p">},</span> <span class="na">body</span><span class="p">:</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="nf">string</span><span class="p">(</span><span class="dl">'</span><span class="s1">usr_001</span><span class="dl">'</span><span class="p">),</span> <span class="na">email</span><span class="p">:</span> <span class="nf">string</span><span class="p">(</span><span class="dl">'</span><span class="s1">user@example.com</span><span class="dl">'</span><span class="p">),</span> <span class="na">name</span><span class="p">:</span> <span class="nf">string</span><span class="p">(</span><span class="dl">'</span><span class="s1">Jane Doe</span><span class="dl">'</span><span class="p">),</span> <span class="na">role</span><span class="p">:</span> <span class="nf">string</span><span class="p">(</span><span class="dl">'</span><span class="s1">customer</span><span class="dl">'</span><span class="p">),</span> <span class="na">createdAt</span><span class="p">:</span> <span class="nf">string</span><span class="p">(</span><span class="dl">'</span><span class="s1">2025-01-01T00:00:00.000Z</span><span class="dl">'</span><span class="p">),</span> <span class="p">},</span> <span class="p">})</span> <span class="p">.</span><span class="nf">executeTest</span><span class="p">(</span><span class="k">async </span><span class="p">(</span><span class="nx">mockServer</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">client</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">UsersClient</span><span class="p">(</span><span class="nx">mockServer</span><span class="p">.</span><span class="nx">url</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">client</span><span class="p">.</span><span class="nf">getUser</span><span class="p">(</span><span class="dl">'</span><span class="s1">usr_001</span><span class="dl">'</span><span class="p">);</span> <span class="nf">expect</span><span class="p">(</span><span class="nx">user</span><span class="p">.</span><span class="nx">id</span><span class="p">).</span><span class="nf">toBe</span><span class="p">(</span><span class="dl">'</span><span class="s1">usr_001</span><span class="dl">'</span><span class="p">);</span> <span class="nf">expect</span><span class="p">(</span><span class="nx">user</span><span class="p">.</span><span class="nx">email</span><span class="p">).</span><span class="nf">toBeDefined</span><span class="p">();</span> <span class="nf">expect</span><span class="p">(</span><span class="nx">user</span><span class="p">.</span><span class="nx">name</span><span class="p">).</span><span class="nf">toBeDefined</span><span class="p">();</span> <span class="p">});</span> <span class="p">});</span> <span class="nf">it</span><span class="p">(</span><span class="dl">'</span><span class="s1">returns 404 when user does not exist</span><span class="dl">'</span><span class="p">,</span> <span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">await</span> <span class="nx">provider</span> <span class="p">.</span><span class="nf">given</span><span class="p">(</span><span class="dl">'</span><span class="s1">no user with ID usr_999 exists</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">uponReceiving</span><span class="p">(</span><span class="dl">'</span><span class="s1">a request for non-existent user usr_999</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">withRequest</span><span class="p">({</span> <span class="na">method</span><span class="p">:</span> <span class="dl">'</span><span class="s1">GET</span><span class="dl">'</span><span class="p">,</span> <span class="na">path</span><span class="p">:</span> <span class="dl">'</span><span class="s1">/users/usr_999</span><span class="dl">'</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="na">Accept</span><span class="p">:</span> <span class="dl">'</span><span class="s1">application/json</span><span class="dl">'</span> <span class="p">},</span> <span class="p">})</span> <span class="p">.</span><span class="nf">willRespondWith</span><span class="p">({</span> <span class="na">status</span><span class="p">:</span> <span class="mi">404</span><span class="p">,</span> <span class="na">body</span><span class="p">:</span> <span class="p">{</span> <span class="na">statusCode</span><span class="p">:</span> <span class="nf">integer</span><span class="p">(</span><span class="mi">404</span><span class="p">),</span> <span class="na">message</span><span class="p">:</span> <span class="nf">string</span><span class="p">(</span><span class="dl">'</span><span class="s1">User not found</span><span class="dl">'</span><span class="p">),</span> <span class="p">},</span> <span class="p">})</span> <span class="p">.</span><span class="nf">executeTest</span><span class="p">(</span><span class="k">async </span><span class="p">(</span><span class="nx">mockServer</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">client</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">UsersClient</span><span class="p">(</span><span class="nx">mockServer</span><span class="p">.</span><span class="nx">url</span><span class="p">);</span> <span class="k">await</span> <span class="nf">expect</span><span class="p">(</span><span class="nx">client</span><span class="p">.</span><span class="nf">getUser</span><span class="p">(</span><span class="dl">'</span><span class="s1">usr_999</span><span class="dl">'</span><span class="p">)).</span><span class="nx">rejects</span><span class="p">.</span><span class="nf">toThrow</span><span class="p">(</span><span class="dl">'</span><span class="s1">404</span><span class="dl">'</span><span class="p">);</span> <span class="p">});</span> <span class="p">});</span> <span class="p">});</span> <span class="p">});</span> </code></pre> </div> <p>Key design decisions:</p> <ul> <li> <strong>Use matchers, not exact values.</strong> <code>string('user@example.com')</code> means "any string", not that exact email. This prevents brittle tests that break on dynamic data.</li> <li> <strong>Cover failure scenarios.</strong> The 404 test is as important as the happy path, the consumer must know how the provider signals failure.</li> <li> <strong>Use <code>given()</code> for provider states.</strong> These labels tell the provider what data to set up before verifying the contract.</li> </ul> <p>Running this test generates a file at <code>pacts/orders-service-users-service.json</code>, the contract artifact.</p> <h2> Step 3 - Publish the Contract to Pact Broker </h2> <p>The <strong>Pact Broker</strong> is a central registry where contracts are published and versioned. <a href="https://pactflow.io" rel="noopener noreferrer">PactFlow</a> offers a hosted version; self-hosting is also available.</p> <p>Publish the generated Pact file after the consumer tests pass:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// pact.publish.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Publisher</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@pact-foundation/pact</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="nx">path</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">path</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">publisher</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Publisher</span><span class="p">({</span> <span class="na">pactBrokerUrl</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">PACT_BROKER_URL</span><span class="o">!</span><span class="p">,</span> <span class="na">pactBrokerToken</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">PACT_BROKER_TOKEN</span><span class="o">!</span><span class="p">,</span> <span class="na">pactFilesOrDirs</span><span class="p">:</span> <span class="p">[</span><span class="nx">path</span><span class="p">.</span><span class="nf">resolve</span><span class="p">(</span><span class="nx">__dirname</span><span class="p">,</span> <span class="dl">'</span><span class="s1">./pacts</span><span class="dl">'</span><span class="p">)],</span> <span class="na">consumerVersion</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">GIT_COMMIT</span><span class="o">!</span><span class="p">,</span> <span class="c1">// tag contracts by Git SHA</span> <span class="na">tags</span><span class="p">:</span> <span class="p">[</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">GIT_BRANCH</span><span class="o">!</span><span class="p">],</span> <span class="p">});</span> <span class="nx">publisher</span><span class="p">.</span><span class="nf">publishPacts</span><span class="p">().</span><span class="nf">then</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">Pact contracts published successfully</span><span class="dl">'</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <p>Tagging contracts by <strong>Git commit SHA</strong> and <strong>branch name</strong> is essential, it lets the broker track which version of a consumer is compatible with which version of a provider.</p> <h2> Step 4 - Verify the Contract on the Provider </h2> <p>The provider fetches the contract from the Pact Broker and replays each interaction against the real running service. In the <code>users-service</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// users-service/src/pact/pact.verify.spec.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Verifier</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@pact-foundation/pact</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="nx">path</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">path</span><span class="dl">'</span><span class="p">;</span> <span class="nf">describe</span><span class="p">(</span><span class="dl">'</span><span class="s1">Pact Provider Verification - users-service</span><span class="dl">'</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nf">it</span><span class="p">(</span><span class="dl">'</span><span class="s1">validates the expectations of orders-service</span><span class="dl">'</span><span class="p">,</span> <span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">verifier</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Verifier</span><span class="p">({</span> <span class="na">provider</span><span class="p">:</span> <span class="dl">'</span><span class="s1">users-service</span><span class="dl">'</span><span class="p">,</span> <span class="na">providerBaseUrl</span><span class="p">:</span> <span class="dl">'</span><span class="s1">http://localhost:3001</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// real provider running locally or in CI</span> <span class="na">pactBrokerUrl</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">PACT_BROKER_URL</span><span class="o">!</span><span class="p">,</span> <span class="na">pactBrokerToken</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">PACT_BROKER_TOKEN</span><span class="o">!</span><span class="p">,</span> <span class="na">publishVerificationResult</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">providerVersion</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">GIT_COMMIT</span><span class="o">!</span><span class="p">,</span> <span class="c1">// Provider state handlers - set up test data for each 'given()' state</span> <span class="na">stateHandlers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">a user with ID usr_001 exists</span><span class="dl">'</span><span class="p">:</span> <span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">await</span> <span class="nf">seedTestUser</span><span class="p">({</span> <span class="na">id</span><span class="p">:</span> <span class="dl">'</span><span class="s1">usr_001</span><span class="dl">'</span><span class="p">,</span> <span class="na">email</span><span class="p">:</span> <span class="dl">'</span><span class="s1">user@example.com</span><span class="dl">'</span><span class="p">,</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Jane Doe</span><span class="dl">'</span> <span class="p">});</span> <span class="p">},</span> <span class="dl">'</span><span class="s1">no user with ID usr_999 exists</span><span class="dl">'</span><span class="p">:</span> <span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">await</span> <span class="nf">ensureUserAbsent</span><span class="p">(</span><span class="dl">'</span><span class="s1">usr_999</span><span class="dl">'</span><span class="p">);</span> <span class="p">},</span> <span class="p">},</span> <span class="p">});</span> <span class="k">await</span> <span class="nx">verifier</span><span class="p">.</span><span class="nf">verifyProvider</span><span class="p">();</span> <span class="p">});</span> <span class="p">});</span> </code></pre> </div> <p>The <code>stateHandlers</code> are the bridge between the consumer's <code>given()</code> labels and the provider's test data setup. Each handler runs before the corresponding interaction is replayed, ensuring the provider is in the right state to respond correctly.</p> <h2> Step 5 - Can I Deploy? Preventing Breaking Releases </h2> <p>The most powerful feature of the Pact Broker is <strong>can-i-deploy</strong>, a CLI command that checks whether a specific version of a service is compatible with the versions already in production before deployment:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npx pact-broker can-i-deploy <span class="se">\</span> <span class="nt">--pacticipant</span> users-service <span class="se">\</span> <span class="nt">--version</span> <span class="nv">$GIT_COMMIT</span> <span class="se">\</span> <span class="nt">--to-environment</span> production <span class="se">\</span> <span class="nt">--broker-base-url</span> <span class="nv">$PACT_BROKER_URL</span> <span class="se">\</span> <span class="nt">--broker-token</span> <span class="nv">$PACT_BROKER_TOKEN</span> </code></pre> </div> <p>If any consumer contract is not verified against the version being deployed, <code>can-i-deploy</code> returns a non-zero exit code, blocking the deployment. This is the contract testing equivalent of a quality gate.</p> <h2> Step 6 - CI/CD Integration </h2> <p>Wire everything together in GitHub Actions, running consumer tests, publishing contracts, verifying on the provider, and gating deployments:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># .github/workflows/contract-tests.yml</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Contract Tests</span> <span class="na">on</span><span class="pi">:</span> <span class="na">push</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">main</span><span class="pi">,</span> <span class="nv">develop</span><span class="pi">]</span> <span class="na">pull_request</span><span class="pi">:</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">consumer</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Consumer Contract Tests (orders-service)</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/setup-node@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="pi">{</span> <span class="nv">node-version</span><span class="pi">:</span> <span class="s1">'</span><span class="s">20'</span><span class="pi">,</span> <span class="nv">cache</span><span class="pi">:</span> <span class="s1">'</span><span class="s">npm'</span> <span class="pi">}</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">npm ci</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">npm run test:pact</span> <span class="c1"># runs Pact consumer tests</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">npm run pact:publish</span> <span class="c1"># publishes contracts to broker</span> <span class="na">env</span><span class="pi">:</span> <span class="na">PACT_BROKER_URL</span><span class="pi">:</span> <span class="s">${{ secrets.PACT_BROKER_URL }}</span> <span class="na">PACT_BROKER_TOKEN</span><span class="pi">:</span> <span class="s">${{ secrets.PACT_BROKER_TOKEN }}</span> <span class="na">GIT_COMMIT</span><span class="pi">:</span> <span class="s">${{ github.sha }}</span> <span class="na">GIT_BRANCH</span><span class="pi">:</span> <span class="s">${{ github.ref_name }}</span> <span class="na">provider</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Provider Verification (users-service)</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">needs</span><span class="pi">:</span> <span class="s">consumer</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="pi">{</span> <span class="nv">repository</span><span class="pi">:</span> <span class="s1">'</span><span class="s">your-org/users-service'</span> <span class="pi">}</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/setup-node@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="pi">{</span> <span class="nv">node-version</span><span class="pi">:</span> <span class="s1">'</span><span class="s">20'</span><span class="pi">,</span> <span class="nv">cache</span><span class="pi">:</span> <span class="s1">'</span><span class="s">npm'</span> <span class="pi">}</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">npm ci</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">npm run start:test &amp;</span> <span class="c1"># start provider in test mode</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">npm run test:pact:verify</span> <span class="c1"># verify contracts from broker</span> <span class="na">env</span><span class="pi">:</span> <span class="na">PACT_BROKER_URL</span><span class="pi">:</span> <span class="s">${{ secrets.PACT_BROKER_URL }}</span> <span class="na">PACT_BROKER_TOKEN</span><span class="pi">:</span> <span class="s">${{ secrets.PACT_BROKER_TOKEN }}</span> <span class="na">GIT_COMMIT</span><span class="pi">:</span> <span class="s">${{ github.sha }}</span> <span class="na">can-i-deploy</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Can I Deploy?</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">needs</span><span class="pi">:</span> <span class="s">provider</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">npx pact-broker can-i-deploy \</span> <span class="s">--pacticipant users-service \</span> <span class="s">--version ${{ github.sha }} \</span> <span class="s">--to-environment production</span> <span class="na">env</span><span class="pi">:</span> <span class="na">PACT_BROKER_BASE_URL</span><span class="pi">:</span> <span class="s">${{ secrets.PACT_BROKER_URL }}</span> <span class="na">PACT_BROKER_TOKEN</span><span class="pi">:</span> <span class="s">${{ secrets.PACT_BROKER_TOKEN }}</span> </code></pre> </div> <h2> Common Pitfalls to Avoid </h2> <p><strong>Testing too much in the contract:</strong> A contract should only capture what the consumer actually uses, not every field the provider returns. If the consumer only needs <code>id</code>, <code>email</code>, and <code>name</code>, don't include <code>createdAt</code> or <code>role</code> in the contract. Overly broad contracts make the provider unnecessarily constrained.</p> <p><strong>Skipping provider states:</strong> Without proper <code>stateHandlers</code>, provider verification becomes non-deterministic, sometimes passing, sometimes failing depending on what data happens to exist. Every <code>given()</code> label must have a corresponding handler.</p> <p><strong>Treating contracts as documentation:</strong> Contracts are executable tests, not API docs. If they're not running in CI and gating deployments via <code>can-i-deploy</code>, they provide no safety guarantee.</p> <p><strong>One consumer, one contract assumption:</strong> A provider may have many consumers, each with their own contract. The Pact Broker aggregates all of them, the provider must satisfy every consumer's contract simultaneously.</p> <h2> Conclusion </h2> <p>Contract testing fills the most dangerous gap in microservices testing: the space between "my service works in isolation" and "my services work together in production." With <strong>Pact</strong>, you get fast, isolated, and precise verification of cross-service compatibility, without shared environments, brittle E2E suites, or manual coordination between teams.</p> <p>Implement consumer contracts for every external service your application depends on, publish them to the Pact Broker, enforce provider verification in CI, and gate every deployment with <code>can-i-deploy</code>. The result is a distributed system where teams ship independently, and confidently.</p> <p><em>Building contracts across mixed-language services, Node.js consumers talking to Java or Go providers? Pact's multi-language support handles this natively. Drop a comment with your stack.</em></p> contracttesting microservices softwareengineering qualityassurance Zero-Regression Strategy: How to Implement Playwright E2E Tests for Complex User Stories ThankGod Chibugwum Obobo Sun, 19 Apr 2026 17:00:00 +0000 https://forem.com/actocodes/zero-regression-strategy-how-to-implement-playwright-e2e-tests-for-complex-user-stories-27a7 https://forem.com/actocodes/zero-regression-strategy-how-to-implement-playwright-e2e-tests-for-complex-user-stories-27a7 <p>Unit tests verify logic. Integration tests verify contracts. But neither tells you what your users actually experience when they click through a checkout flow, submit a multi-step form, or recover a forgotten password. That's the gap <strong>end-to-end (E2E) testing</strong> fills, and <strong>Playwright</strong> has rapidly become the tool of choice for doing it well.</p> <p>A <strong>zero-regression strategy</strong> means shipping with confidence, every critical user journey is covered by automated tests that run on every deployment, catching regressions before they reach production. Not every feature needs E2E coverage, but the ones your business depends on absolutely do.</p> <p>This guide covers how to architect a Playwright test suite around complex user stories, including project setup, the Page Object Model pattern, handling authentication, managing test data, and integrating into your CI/CD pipeline.</p> <h2> Why Playwright Over Other E2E Tools? </h2> <p>Before diving into implementation, it's worth understanding why Playwright has displaced older tools like Selenium and Cypress for many teams:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Feature</th> <th>Playwright</th> <th>Cypress</th> <th>Selenium</th> </tr> </thead> <tbody> <tr> <td>Multi-browser support</td> <td>Chromium, Firefox, WebKit</td> <td>Chromium only (Firefox beta)</td> <td>All browsers</td> </tr> <tr> <td>Auto-waiting</td> <td>Built-in</td> <td>Built-in</td> <td>Manual waits</td> </tr> <tr> <td>Network interception</td> <td>Full control</td> <td>Limited</td> <td>Complex setup</td> </tr> <tr> <td>Parallel execution</td> <td>Native</td> <td>Paid tier</td> <td>Grid required</td> </tr> <tr> <td>Multiple tabs/windows</td> <td>Supported</td> <td>Not supported</td> <td>Supported</td> </tr> <tr> <td>Trace viewer</td> <td>Built-in</td> <td>External tools</td> <td>External tools</td> </tr> <tr> <td>TypeScript support</td> <td>First-class</td> <td>First-class</td> <td>Community</td> </tr> </tbody> </table></div> <p>Playwright's <strong>auto-waiting</strong>, <strong>built-in trace viewer</strong>, and <strong>native parallelism</strong> make it particularly well-suited for complex, multi-step user stories that span multiple pages and network interactions.</p> <h2> Step 1 - Project Setup and Configuration </h2> <p>Install Playwright and initialize the project:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm init playwright@latest </code></pre> </div> <p>This scaffolds a <code>playwright.config.ts</code>, a sample test directory, and installs browser binaries. Configure it for your environment:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// playwright.config.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">defineConfig</span><span class="p">,</span> <span class="nx">devices</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@playwright/test</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="k">default</span> <span class="nf">defineConfig</span><span class="p">({</span> <span class="na">testDir</span><span class="p">:</span> <span class="dl">'</span><span class="s1">./e2e</span><span class="dl">'</span><span class="p">,</span> <span class="na">fullyParallel</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">forbidOnly</span><span class="p">:</span> <span class="o">!!</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">CI</span><span class="p">,</span> <span class="c1">// fail if test.only is committed</span> <span class="na">retries</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">CI</span> <span class="p">?</span> <span class="mi">2</span> <span class="p">:</span> <span class="mi">0</span><span class="p">,</span> <span class="c1">// retry on CI only</span> <span class="na">workers</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">CI</span> <span class="p">?</span> <span class="mi">4</span> <span class="p">:</span> <span class="mi">2</span><span class="p">,</span> <span class="na">reporter</span><span class="p">:</span> <span class="p">[</span> <span class="p">[</span><span class="dl">'</span><span class="s1">html</span><span class="dl">'</span><span class="p">],</span> <span class="p">[</span><span class="dl">'</span><span class="s1">junit</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">outputFile</span><span class="p">:</span> <span class="dl">'</span><span class="s1">results/junit.xml</span><span class="dl">'</span> <span class="p">}],</span> <span class="c1">// for CI reporting</span> <span class="p">],</span> <span class="na">use</span><span class="p">:</span> <span class="p">{</span> <span class="na">baseURL</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">BASE_URL</span> <span class="o">??</span> <span class="dl">'</span><span class="s1">http://localhost:3000</span><span class="dl">'</span><span class="p">,</span> <span class="na">trace</span><span class="p">:</span> <span class="dl">'</span><span class="s1">on-first-retry</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// capture traces on failure</span> <span class="na">screenshot</span><span class="p">:</span> <span class="dl">'</span><span class="s1">only-on-failure</span><span class="dl">'</span><span class="p">,</span> <span class="na">video</span><span class="p">:</span> <span class="dl">'</span><span class="s1">on-first-retry</span><span class="dl">'</span><span class="p">,</span> <span class="p">},</span> <span class="na">projects</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">chromium</span><span class="dl">'</span><span class="p">,</span> <span class="na">use</span><span class="p">:</span> <span class="p">{</span> <span class="p">...</span><span class="nx">devices</span><span class="p">[</span><span class="dl">'</span><span class="s1">Desktop Chrome</span><span class="dl">'</span><span class="p">]</span> <span class="p">}</span> <span class="p">},</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">firefox</span><span class="dl">'</span><span class="p">,</span> <span class="na">use</span><span class="p">:</span> <span class="p">{</span> <span class="p">...</span><span class="nx">devices</span><span class="p">[</span><span class="dl">'</span><span class="s1">Desktop Firefox</span><span class="dl">'</span><span class="p">]</span> <span class="p">}</span> <span class="p">},</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">webkit</span><span class="dl">'</span><span class="p">,</span> <span class="na">use</span><span class="p">:</span> <span class="p">{</span> <span class="p">...</span><span class="nx">devices</span><span class="p">[</span><span class="dl">'</span><span class="s1">Desktop Safari</span><span class="dl">'</span><span class="p">]</span> <span class="p">}</span> <span class="p">},</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">mobile</span><span class="dl">'</span><span class="p">,</span> <span class="na">use</span><span class="p">:</span> <span class="p">{</span> <span class="p">...</span><span class="nx">devices</span><span class="p">[</span><span class="dl">'</span><span class="s1">iPhone 14</span><span class="dl">'</span><span class="p">]</span> <span class="p">}</span> <span class="p">},</span> <span class="p">],</span> <span class="p">});</span> </code></pre> </div> <p>Key decisions here:</p> <ul> <li> <strong><code>retries: 2</code> on CI</strong> gives flaky tests a chance to pass before failing the build, while local runs fail fast.</li> <li> <strong><code>trace: 'on-first-retry'</code></strong> captures a full execution trace (network, DOM snapshots, console) only when a test fails, keeping storage overhead minimal.</li> <li> <strong><code>forbidOnly</code></strong> prevents accidentally committed <code>test.only</code> calls from silently skipping your entire test suite in CI.</li> </ul> <h2> Step 2 - Structuring Tests Around User Stories </h2> <p>The most common mistake in E2E testing is organizing tests by page rather than by <strong>user story</strong>. Pages change, user goals don't.</p> <p>Structure your test directory around business flows:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>/e2e /auth login.spec.ts registration.spec.ts password-reset.spec.ts /checkout add-to-cart.spec.ts payment-flow.spec.ts order-confirmation.spec.ts /dashboard user-profile.spec.ts data-export.spec.ts /pages &lt;- Page Object Models LoginPage.ts CheckoutPage.ts DashboardPage.ts /fixtures auth.fixture.ts test-data.ts </code></pre> </div> <p>Each spec file maps to a <strong>user story</strong>, a complete, describable flow from the user's perspective. This makes test failures immediately meaningful, when <code>payment-flow.spec.ts</code> fails, you know exactly which business-critical flow is broken.</p> <h2> Step 3 - The Page Object Model (POM) </h2> <p>The <strong>Page Object Model</strong> is the most important architectural pattern for maintainable E2E tests. It abstracts page interactions into reusable classes, so when a selector changes, you update it in one place, not across dozens of tests.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// e2e/pages/CheckoutPage.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Page</span><span class="p">,</span> <span class="nx">Locator</span><span class="p">,</span> <span class="nx">expect</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@playwright/test</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">CheckoutPage</span> <span class="p">{</span> <span class="k">readonly</span> <span class="nx">page</span><span class="p">:</span> <span class="nx">Page</span><span class="p">;</span> <span class="k">readonly</span> <span class="nx">productList</span><span class="p">:</span> <span class="nx">Locator</span><span class="p">;</span> <span class="k">readonly</span> <span class="nx">addToCartButton</span><span class="p">:</span> <span class="nx">Locator</span><span class="p">;</span> <span class="k">readonly</span> <span class="nx">cartIcon</span><span class="p">:</span> <span class="nx">Locator</span><span class="p">;</span> <span class="k">readonly</span> <span class="nx">proceedToCheckoutButton</span><span class="p">:</span> <span class="nx">Locator</span><span class="p">;</span> <span class="k">readonly</span> <span class="nx">cardNumberInput</span><span class="p">:</span> <span class="nx">Locator</span><span class="p">;</span> <span class="k">readonly</span> <span class="nx">placeOrderButton</span><span class="p">:</span> <span class="nx">Locator</span><span class="p">;</span> <span class="k">readonly</span> <span class="nx">orderConfirmation</span><span class="p">:</span> <span class="nx">Locator</span><span class="p">;</span> <span class="nf">constructor</span><span class="p">(</span><span class="nx">page</span><span class="p">:</span> <span class="nx">Page</span><span class="p">)</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nx">page</span> <span class="o">=</span> <span class="nx">page</span><span class="p">;</span> <span class="k">this</span><span class="p">.</span><span class="nx">productList</span> <span class="o">=</span> <span class="nx">page</span><span class="p">.</span><span class="nf">getByTestId</span><span class="p">(</span><span class="dl">'</span><span class="s1">product-list</span><span class="dl">'</span><span class="p">);</span> <span class="k">this</span><span class="p">.</span><span class="nx">addToCartButton</span> <span class="o">=</span> <span class="nx">page</span><span class="p">.</span><span class="nf">getByRole</span><span class="p">(</span><span class="dl">'</span><span class="s1">button</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Add to Cart</span><span class="dl">'</span> <span class="p">});</span> <span class="k">this</span><span class="p">.</span><span class="nx">cartIcon</span> <span class="o">=</span> <span class="nx">page</span><span class="p">.</span><span class="nf">getByTestId</span><span class="p">(</span><span class="dl">'</span><span class="s1">cart-icon</span><span class="dl">'</span><span class="p">);</span> <span class="k">this</span><span class="p">.</span><span class="nx">proceedToCheckoutButton</span> <span class="o">=</span> <span class="nx">page</span><span class="p">.</span><span class="nf">getByRole</span><span class="p">(</span><span class="dl">'</span><span class="s1">button</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Proceed to Checkout</span><span class="dl">'</span> <span class="p">});</span> <span class="k">this</span><span class="p">.</span><span class="nx">cardNumberInput</span> <span class="o">=</span> <span class="nx">page</span><span class="p">.</span><span class="nf">getByLabel</span><span class="p">(</span><span class="dl">'</span><span class="s1">Card Number</span><span class="dl">'</span><span class="p">);</span> <span class="k">this</span><span class="p">.</span><span class="nx">placeOrderButton</span> <span class="o">=</span> <span class="nx">page</span><span class="p">.</span><span class="nf">getByRole</span><span class="p">(</span><span class="dl">'</span><span class="s1">button</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Place Order</span><span class="dl">'</span> <span class="p">});</span> <span class="k">this</span><span class="p">.</span><span class="nx">orderConfirmation</span> <span class="o">=</span> <span class="nx">page</span><span class="p">.</span><span class="nf">getByTestId</span><span class="p">(</span><span class="dl">'</span><span class="s1">order-confirmation</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="k">async</span> <span class="nf">addFirstProductToCart</span><span class="p">()</span> <span class="p">{</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nx">addToCartButton</span><span class="p">.</span><span class="nf">first</span><span class="p">().</span><span class="nf">click</span><span class="p">();</span> <span class="k">await</span> <span class="nf">expect</span><span class="p">(</span><span class="k">this</span><span class="p">.</span><span class="nx">cartIcon</span><span class="p">).</span><span class="nf">toContainText</span><span class="p">(</span><span class="dl">'</span><span class="s1">1</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="k">async</span> <span class="nf">completePayment</span><span class="p">(</span><span class="nx">cardNumber</span><span class="p">:</span> <span class="kr">string</span><span class="p">)</span> <span class="p">{</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nx">cardNumberInput</span><span class="p">.</span><span class="nf">fill</span><span class="p">(</span><span class="nx">cardNumber</span><span class="p">);</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nx">placeOrderButton</span><span class="p">.</span><span class="nf">click</span><span class="p">();</span> <span class="k">await</span> <span class="nf">expect</span><span class="p">(</span><span class="k">this</span><span class="p">.</span><span class="nx">orderConfirmation</span><span class="p">).</span><span class="nf">toBeVisible</span><span class="p">();</span> <span class="p">}</span> <span class="k">async</span> <span class="nf">navigateTo</span><span class="p">()</span> <span class="p">{</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nx">page</span><span class="p">.</span><span class="nf">goto</span><span class="p">(</span><span class="dl">'</span><span class="s1">/shop</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Use <code>getByRole</code>, <code>getByLabel</code>, and <code>getByTestId</code> over CSS selectors or XPath, they're more resilient to UI changes and closer to how users actually interact with the page.</p> <h2> Step 4 - Handling Authentication at Scale </h2> <p>Re-logging in before every test is slow and unnecessary. Playwright's <strong>storageState</strong> feature lets you authenticate once, save the session, and reuse it across all tests:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// e2e/fixtures/auth.fixture.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">test</span> <span class="k">as</span> <span class="nx">base</span><span class="p">,</span> <span class="nx">Page</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@playwright/test</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">LoginPage</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">../pages/LoginPage</span><span class="dl">'</span><span class="p">;</span> <span class="kd">type</span> <span class="nx">AuthFixtures</span> <span class="o">=</span> <span class="p">{</span> <span class="na">authenticatedPage</span><span class="p">:</span> <span class="nx">Page</span><span class="p">;</span> <span class="p">};</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">test</span> <span class="o">=</span> <span class="nx">base</span><span class="p">.</span><span class="nx">extend</span><span class="o">&lt;</span><span class="nx">AuthFixtures</span><span class="o">&gt;</span><span class="p">({</span> <span class="na">authenticatedPage</span><span class="p">:</span> <span class="k">async </span><span class="p">({</span> <span class="nx">browser</span> <span class="p">},</span> <span class="nx">use</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">context</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">browser</span><span class="p">.</span><span class="nf">newContext</span><span class="p">({</span> <span class="na">storageState</span><span class="p">:</span> <span class="dl">'</span><span class="s1">e2e/.auth/user.json</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// reuse saved session</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">page</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">context</span><span class="p">.</span><span class="nf">newPage</span><span class="p">();</span> <span class="k">await</span> <span class="nf">use</span><span class="p">(</span><span class="nx">page</span><span class="p">);</span> <span class="k">await</span> <span class="nx">context</span><span class="p">.</span><span class="nf">close</span><span class="p">();</span> <span class="p">},</span> <span class="p">});</span> </code></pre> </div> <p>Generate the saved session in a global setup file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// e2e/global-setup.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">chromium</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@playwright/test</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">LoginPage</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./pages/LoginPage</span><span class="dl">'</span><span class="p">;</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">globalSetup</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">browser</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">chromium</span><span class="p">.</span><span class="nf">launch</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">page</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">browser</span><span class="p">.</span><span class="nf">newPage</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">loginPage</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">LoginPage</span><span class="p">(</span><span class="nx">page</span><span class="p">);</span> <span class="k">await</span> <span class="nx">loginPage</span><span class="p">.</span><span class="nf">navigateTo</span><span class="p">();</span> <span class="k">await</span> <span class="nx">loginPage</span><span class="p">.</span><span class="nf">login</span><span class="p">(</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">TEST_USER_EMAIL</span><span class="o">!</span><span class="p">,</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">TEST_USER_PASSWORD</span><span class="o">!</span> <span class="p">);</span> <span class="k">await</span> <span class="nx">page</span><span class="p">.</span><span class="nf">context</span><span class="p">().</span><span class="nf">storageState</span><span class="p">({</span> <span class="na">path</span><span class="p">:</span> <span class="dl">'</span><span class="s1">e2e/.auth/user.json</span><span class="dl">'</span> <span class="p">});</span> <span class="k">await</span> <span class="nx">browser</span><span class="p">.</span><span class="nf">close</span><span class="p">();</span> <span class="p">}</span> <span class="k">export</span> <span class="k">default</span> <span class="nx">globalSetup</span><span class="p">;</span> </code></pre> </div> <p>With this setup, authentication happens once per CI run, not once per test, cutting suite runtime dramatically.</p> <h2> Step 5 - Writing Complex Multi-Step User Stories </h2> <p>Here's a complete E2E test for a checkout flow using the patterns established above:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// e2e/checkout/payment-flow.spec.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">expect</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@playwright/test</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">test</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">../fixtures/auth.fixture</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">CheckoutPage</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">../pages/CheckoutPage</span><span class="dl">'</span><span class="p">;</span> <span class="nx">test</span><span class="p">.</span><span class="nf">describe</span><span class="p">(</span><span class="dl">'</span><span class="s1">Checkout: Payment Flow</span><span class="dl">'</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nf">test</span><span class="p">(</span><span class="dl">'</span><span class="s1">authenticated user can complete a purchase end-to-end</span><span class="dl">'</span><span class="p">,</span> <span class="k">async </span><span class="p">({</span> <span class="nx">authenticatedPage</span> <span class="p">})</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">checkout</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">CheckoutPage</span><span class="p">(</span><span class="nx">authenticatedPage</span><span class="p">);</span> <span class="c1">// Step 1: Navigate to shop</span> <span class="k">await</span> <span class="nx">checkout</span><span class="p">.</span><span class="nf">navigateTo</span><span class="p">();</span> <span class="c1">// Step 2: Add a product to cart</span> <span class="k">await</span> <span class="nx">checkout</span><span class="p">.</span><span class="nf">addFirstProductToCart</span><span class="p">();</span> <span class="c1">// Step 3: Proceed to checkout</span> <span class="k">await</span> <span class="nx">checkout</span><span class="p">.</span><span class="nx">cartIcon</span><span class="p">.</span><span class="nf">click</span><span class="p">();</span> <span class="k">await</span> <span class="nx">checkout</span><span class="p">.</span><span class="nx">proceedToCheckoutButton</span><span class="p">.</span><span class="nf">click</span><span class="p">();</span> <span class="c1">// Step 4: Fill payment details</span> <span class="k">await</span> <span class="nx">checkout</span><span class="p">.</span><span class="nf">completePayment</span><span class="p">(</span><span class="dl">'</span><span class="s1">4242 4242 4242 4242</span><span class="dl">'</span><span class="p">);</span> <span class="c1">// Step 5: Verify order confirmation</span> <span class="k">await</span> <span class="nf">expect</span><span class="p">(</span><span class="nx">checkout</span><span class="p">.</span><span class="nx">orderConfirmation</span><span class="p">).</span><span class="nf">toBeVisible</span><span class="p">();</span> <span class="k">await</span> <span class="nf">expect</span><span class="p">(</span><span class="nx">authenticatedPage</span><span class="p">.</span><span class="nf">getByTestId</span><span class="p">(</span><span class="dl">'</span><span class="s1">order-id</span><span class="dl">'</span><span class="p">)).</span><span class="nf">toHaveText</span><span class="p">(</span><span class="sr">/ORD-</span><span class="se">\d</span><span class="sr">+/</span><span class="p">);</span> <span class="p">});</span> <span class="nf">test</span><span class="p">(</span><span class="dl">'</span><span class="s1">displays error for declined card</span><span class="dl">'</span><span class="p">,</span> <span class="k">async </span><span class="p">({</span> <span class="nx">authenticatedPage</span> <span class="p">})</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">checkout</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">CheckoutPage</span><span class="p">(</span><span class="nx">authenticatedPage</span><span class="p">);</span> <span class="k">await</span> <span class="nx">checkout</span><span class="p">.</span><span class="nf">navigateTo</span><span class="p">();</span> <span class="k">await</span> <span class="nx">checkout</span><span class="p">.</span><span class="nf">addFirstProductToCart</span><span class="p">();</span> <span class="k">await</span> <span class="nx">checkout</span><span class="p">.</span><span class="nx">cartIcon</span><span class="p">.</span><span class="nf">click</span><span class="p">();</span> <span class="k">await</span> <span class="nx">checkout</span><span class="p">.</span><span class="nx">proceedToCheckoutButton</span><span class="p">.</span><span class="nf">click</span><span class="p">();</span> <span class="c1">// Use a decline test card</span> <span class="k">await</span> <span class="nx">checkout</span><span class="p">.</span><span class="nf">completePayment</span><span class="p">(</span><span class="dl">'</span><span class="s1">4000 0000 0000 0002</span><span class="dl">'</span><span class="p">);</span> <span class="k">await</span> <span class="nf">expect</span><span class="p">(</span><span class="nx">authenticatedPage</span><span class="p">.</span><span class="nf">getByTestId</span><span class="p">(</span><span class="dl">'</span><span class="s1">payment-error</span><span class="dl">'</span><span class="p">))</span> <span class="p">.</span><span class="nf">toContainText</span><span class="p">(</span><span class="dl">'</span><span class="s1">Your card was declined</span><span class="dl">'</span><span class="p">);</span> <span class="p">});</span> <span class="p">});</span> </code></pre> </div> <p>Each <code>test</code> block represents a single user story scenario. Cover both <strong>happy paths</strong> and <strong>failure paths</strong>, the declined card scenario is just as important as the successful purchase.</p> <h2> Step 6 - Network Interception for Reliable Test Data </h2> <p>Complex user stories often depend on specific data states, an empty cart, an order in a specific status, or a user on a particular subscription tier. Instead of seeding a database before every test, use Playwright's <strong>route interception</strong> to mock API responses:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nf">test</span><span class="p">(</span><span class="dl">'</span><span class="s1">displays empty state when cart has no items</span><span class="dl">'</span><span class="p">,</span> <span class="k">async </span><span class="p">({</span> <span class="nx">page</span> <span class="p">})</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// Intercept the cart API and return an empty response</span> <span class="k">await</span> <span class="nx">page</span><span class="p">.</span><span class="nf">route</span><span class="p">(</span><span class="dl">'</span><span class="s1">**/api/cart</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">route</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">route</span><span class="p">.</span><span class="nf">fulfill</span><span class="p">({</span> <span class="na">status</span><span class="p">:</span> <span class="mi">200</span><span class="p">,</span> <span class="na">contentType</span><span class="p">:</span> <span class="dl">'</span><span class="s1">application/json</span><span class="dl">'</span><span class="p">,</span> <span class="na">body</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="na">items</span><span class="p">:</span> <span class="p">[],</span> <span class="na">total</span><span class="p">:</span> <span class="mi">0</span> <span class="p">}),</span> <span class="p">})</span> <span class="p">);</span> <span class="k">await</span> <span class="nx">page</span><span class="p">.</span><span class="nf">goto</span><span class="p">(</span><span class="dl">'</span><span class="s1">/cart</span><span class="dl">'</span><span class="p">);</span> <span class="k">await</span> <span class="nf">expect</span><span class="p">(</span><span class="nx">page</span><span class="p">.</span><span class="nf">getByTestId</span><span class="p">(</span><span class="dl">'</span><span class="s1">empty-cart-message</span><span class="dl">'</span><span class="p">)).</span><span class="nf">toBeVisible</span><span class="p">();</span> <span class="p">});</span> </code></pre> </div> <p>This approach makes tests deterministic, they don't depend on external data state, and dramatically faster by eliminating real network calls for data setup.</p> <h2> Step 7 - Preventing Flakiness </h2> <p>Flaky tests erode trust faster than having no tests at all. Common causes and fixes:</p> <p><strong>Race conditions:</strong> Never use arbitrary <code>page.waitForTimeout(2000)</code>. Instead, wait for a specific condition:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Arbitrary wait: fragile</span> <span class="k">await</span> <span class="nx">page</span><span class="p">.</span><span class="nf">waitForTimeout</span><span class="p">(</span><span class="mi">2000</span><span class="p">);</span> <span class="c1">// Wait for a specific element or network event</span> <span class="k">await</span> <span class="nx">page</span><span class="p">.</span><span class="nf">waitForResponse</span><span class="p">(</span><span class="dl">'</span><span class="s1">**/api/orders</span><span class="dl">'</span><span class="p">);</span> <span class="k">await</span> <span class="nf">expect</span><span class="p">(</span><span class="nx">page</span><span class="p">.</span><span class="nf">getByTestId</span><span class="p">(</span><span class="dl">'</span><span class="s1">order-list</span><span class="dl">'</span><span class="p">)).</span><span class="nf">toBeVisible</span><span class="p">();</span> </code></pre> </div> <p><strong>Selector brittleness:</strong> Avoid class names and CSS selectors that change with styling updates. Add <code>data-testid</code> attributes to elements critical for testing and use <code>getByTestId()</code> exclusively in E2E tests.</p> <p><strong>Test interdependence:</strong> Every test must be fully independent. Never rely on state left by a previous test. Use <code>beforeEach</code> hooks or fresh browser contexts to reset state.</p> <p><strong>Environment inconsistency:</strong> Pin browser versions in your CI environment to match local development. Playwright's <code>playwright install --with-deps</code> ensures consistent browser binaries across machines.</p> <h2> CI/CD Integration with GitHub Actions </h2> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># .github/workflows/e2e.yml</span> <span class="na">name</span><span class="pi">:</span> <span class="s">E2E Tests</span> <span class="na">on</span><span class="pi">:</span> <span class="na">push</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">main</span><span class="pi">,</span> <span class="nv">develop</span><span class="pi">]</span> <span class="na">pull_request</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">main</span><span class="pi">]</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">e2e</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/setup-node@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">node-version</span><span class="pi">:</span> <span class="s1">'</span><span class="s">20'</span> <span class="na">cache</span><span class="pi">:</span> <span class="s1">'</span><span class="s">npm'</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Install dependencies</span> <span class="na">run</span><span class="pi">:</span> <span class="s">npm ci</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Install Playwright browsers</span> <span class="na">run</span><span class="pi">:</span> <span class="s">npx playwright install --with-deps</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Run E2E tests</span> <span class="na">run</span><span class="pi">:</span> <span class="s">npx playwright test</span> <span class="na">env</span><span class="pi">:</span> <span class="na">BASE_URL</span><span class="pi">:</span> <span class="s">${{ secrets.STAGING_URL }}</span> <span class="na">TEST_USER_EMAIL</span><span class="pi">:</span> <span class="s">${{ secrets.TEST_USER_EMAIL }}</span> <span class="na">TEST_USER_PASSWORD</span><span class="pi">:</span> <span class="s">${{ secrets.TEST_USER_PASSWORD }}</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Upload test report</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/upload-artifact@v4</span> <span class="na">if</span><span class="pi">:</span> <span class="s">always()</span> <span class="c1"># upload even on failure</span> <span class="na">with</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">playwright-report</span> <span class="na">path</span><span class="pi">:</span> <span class="s">playwright-report/</span> <span class="na">retention-days</span><span class="pi">:</span> <span class="m">14</span> </code></pre> </div> <p>The <code>if: always()</code> on the artifact upload ensures you get the HTML report and traces even when the test run fails, which is exactly when you need them most.</p> <h2> Conclusion </h2> <p>A zero-regression strategy with Playwright is not about achieving 100% E2E coverage, it's about ensuring that every <strong>critical user journey</strong> is automated, deterministic, and runs on every deployment. Cover the flows that, if broken, would result in lost revenue, failed signups, or blocked workflows.</p> <p>With <strong>Page Object Models</strong> for maintainability, <strong>storageState</strong> for fast authentication, <strong>route interception</strong> for reliable test data, and disciplined flake prevention, your Playwright suite becomes a true safety net, one you can trust to catch regressions before your users do.</p> <p>Start with your three most critical user stories. Get them green, integrate them into CI, and expand from there.</p> e2etesting testautomation qualityassurance softwaretesting Production Logging Best Practices: How to Balance Observability with Security ThankGod Chibugwum Obobo Sun, 12 Apr 2026 17:00:00 +0000 https://forem.com/actocodes/production-logging-best-practices-how-to-balance-observability-with-security-1jo9 https://forem.com/actocodes/production-logging-best-practices-how-to-balance-observability-with-security-1jo9 <p>Logging is the backbone of production observability. Without it, debugging a live incident is like navigating in the dark, you know something is wrong but have no way to trace why or where. Yet logging done carelessly introduces its own risks: sensitive user data written to disk, credentials captured in request logs, and compliance violations hiding in plain text files.</p> <p>The challenge every engineering team faces is not <em>whether</em> to log, but <em>what</em> to log, <em>how</em> to structure it, and <em>who</em> gets access to it.</p> <p>This guide covers production logging best practices that give your team the observability they need, without turning your log aggregator into a liability.</p> <h2> Why Logging Strategy Matters in Production </h2> <p>Poorly designed logging creates two equally dangerous failure modes:<br> <strong>Too little logging</strong> means you're flying blind during incidents. No request context, no error trail, no performance baseline. Mean time to resolution (MTTR) skyrockets because engineers spend hours reconstructing what happened.</p> <p><strong>Too much logging</strong> or logging the wrong things, creates serious security and compliance risks:</p> <ul> <li>Passwords captured in login request bodies</li> <li>Credit card numbers logged from payment payloads</li> <li>Session tokens recorded in access logs</li> <li>Personally Identifiable Information (PII) written to third-party log aggregators</li> <li>HIPAA or GDPR violations from retaining sensitive health or user data</li> </ul> <p>A mature logging strategy threads this needle deliberately, maximizing signal while minimizing exposure.</p> <h2> Log Levels: Using Them Correctly </h2> <p>Log levels are the first layer of control. Using them correctly keeps your logs actionable and your signal-to-noise ratio high.</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Level</th> <th>When to Use</th> </tr> </thead> <tbody> <tr> <td><strong>ERROR</strong></td> <td>Unrecoverable failures that require immediate attention, exceptions, service crashes, failed critical operations</td> </tr> <tr> <td><strong>WARN</strong></td> <td>Recoverable issues that indicate something is wrong but hasn't broken yet, retry attempts, deprecated API usage, slow queries</td> </tr> <tr> <td><strong>INFO</strong></td> <td>Normal application lifecycle events, service startup, job completion, significant state transitions</td> </tr> <tr> <td><strong>DEBUG</strong></td> <td>Detailed diagnostic information useful during development and troubleshooting, never enabled in production by default</td> </tr> <tr> <td><strong>VERBOSE / TRACE</strong></td> <td>Highly granular execution flow, only for deep debugging in isolated environments</td> </tr> </tbody> </table></div> <p>A common mistake is logging everything at <code>INFO</code> or <code>ERROR</code>. This floods your aggregator with noise (making alerts meaningless) or misses important context entirely. Be deliberate: if a message doesn't require human attention, it doesn't belong at <code>ERROR</code>.</p> <h2> Structured Logging: JSON Over Plain Text </h2> <p>Plain text logs are human-readable but machine-hostile. Parsing <code>"[2025-04-06 10:23:11] ERROR: User not found for ID 42"</code> requires regex and breaks the moment the format changes.</p> <p><strong>Structured logging</strong> emits logs as JSON objects, making them directly queryable in any log aggregator (Datadog, ELK, Loki, CloudWatch):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"level"</span><span class="p">:</span><span class="w"> </span><span class="s2">"error"</span><span class="p">,</span><span class="w"> </span><span class="nl">"message"</span><span class="p">:</span><span class="w"> </span><span class="s2">"User not found"</span><span class="p">,</span><span class="w"> </span><span class="nl">"context"</span><span class="p">:</span><span class="w"> </span><span class="s2">"UsersService"</span><span class="p">,</span><span class="w"> </span><span class="nl">"userId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"usr_8f3a2c"</span><span class="p">,</span><span class="w"> </span><span class="nl">"requestId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"req_9d1b4e"</span><span class="p">,</span><span class="w"> </span><span class="nl">"statusCode"</span><span class="p">:</span><span class="w"> </span><span class="mi">404</span><span class="p">,</span><span class="w"> </span><span class="nl">"timestamp"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2025-04-06T10:23:11.412Z"</span><span class="p">,</span><span class="w"> </span><span class="nl">"environment"</span><span class="p">:</span><span class="w"> </span><span class="s2">"production"</span><span class="p">,</span><span class="w"> </span><span class="nl">"service"</span><span class="p">:</span><span class="w"> </span><span class="s2">"users-service"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Every field is indexable, filterable, and alertable. You can instantly query "all 404 errors in the users-service in the last hour" without parsing a single string.</p> <h3> Setting Up Structured Logging in NestJS with Pino </h3> <p><strong>Pino</strong> is the fastest structured logger for Node.js with native JSON output and minimal overhead:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install </span>nestjs-pino pino-http pino-pretty </code></pre> </div> <p>Configure it in your <code>AppModule</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// app.module.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">LoggerModule</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">nestjs-pino</span><span class="dl">'</span><span class="p">;</span> <span class="p">@</span><span class="nd">Module</span><span class="p">({</span> <span class="na">imports</span><span class="p">:</span> <span class="p">[</span> <span class="nx">LoggerModule</span><span class="p">.</span><span class="nf">forRoot</span><span class="p">({</span> <span class="na">pinoHttp</span><span class="p">:</span> <span class="p">{</span> <span class="na">level</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">LOG_LEVEL</span> <span class="o">??</span> <span class="dl">'</span><span class="s1">info</span><span class="dl">'</span><span class="p">,</span> <span class="na">transport</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NODE_ENV</span> <span class="o">!==</span> <span class="dl">'</span><span class="s1">production</span><span class="dl">'</span> <span class="p">?</span> <span class="p">{</span> <span class="na">target</span><span class="p">:</span> <span class="dl">'</span><span class="s1">pino-pretty</span><span class="dl">'</span> <span class="p">}</span> <span class="c1">// human-readable in development</span> <span class="p">:</span> <span class="kc">undefined</span><span class="p">,</span> <span class="c1">// raw JSON in production</span> <span class="na">redact</span><span class="p">:</span> <span class="p">{</span> <span class="na">paths</span><span class="p">:</span> <span class="p">[</span> <span class="dl">'</span><span class="s1">req.headers.authorization</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">req.headers.cookie</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">req.body.password</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">req.body.creditCard</span><span class="dl">'</span><span class="p">,</span> <span class="p">],</span> <span class="na">censor</span><span class="p">:</span> <span class="dl">'</span><span class="s1">[REDACTED]</span><span class="dl">'</span><span class="p">,</span> <span class="p">},</span> <span class="p">},</span> <span class="p">}),</span> <span class="p">],</span> <span class="p">})</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">AppModule</span> <span class="p">{}</span> </code></pre> </div> <p>The <code>redact</code> configuration is critical, it automatically censors sensitive fields before they ever reach your log output. More on this in the next section.</p> <h2> Redacting Sensitive Data </h2> <p>Sensitive data leaking into logs is one of the most common and costly compliance failures. It often happens accidentally, a developer logs <code>req.body</code> for debugging and forgets to remove it before merging.</p> <h3> What to Always Redact </h3> <ul> <li> <strong>Authentication:</strong> passwords, tokens, API keys, session IDs, JWTs</li> <li> <strong>Payment data:</strong> credit card numbers, CVVs, bank account numbers</li> <li> <strong>PII:</strong> full names combined with identifiers, email addresses in certain contexts, phone numbers, dates of birth</li> <li> <strong>Health data:</strong> any field that could be classified as PHI under HIPAA</li> <li> <strong>Infrastructure secrets:</strong> database connection strings, internal IPs, service credentials</li> </ul> <h3> Redaction Strategies </h3> <p><strong>Field-level redaction</strong> (as shown with Pino's <code>redact</code> config) is the most reliable approach, it operates at the logger level before output, regardless of what gets passed in.</p> <p>For custom redaction logic, implement a sanitization utility:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// src/common/utils/sanitize-log.util.ts</span> <span class="kd">const</span> <span class="nx">SENSITIVE_KEYS</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Set</span><span class="p">([</span> <span class="dl">'</span><span class="s1">password</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">token</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">secret</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">authorization</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">creditCard</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">ssn</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">apiKey</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">refreshToken</span><span class="dl">'</span><span class="p">,</span> <span class="p">]);</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">sanitizeForLog</span><span class="p">(</span><span class="nx">obj</span><span class="p">:</span> <span class="nb">Record</span><span class="o">&lt;</span><span class="kr">string</span><span class="p">,</span> <span class="nx">unknown</span><span class="o">&gt;</span><span class="p">):</span> <span class="nb">Record</span><span class="o">&lt;</span><span class="kr">string</span><span class="p">,</span> <span class="nx">unknown</span><span class="o">&gt;</span> <span class="p">{</span> <span class="k">return</span> <span class="nb">Object</span><span class="p">.</span><span class="nf">fromEntries</span><span class="p">(</span> <span class="nb">Object</span><span class="p">.</span><span class="nf">entries</span><span class="p">(</span><span class="nx">obj</span><span class="p">).</span><span class="nf">map</span><span class="p">(([</span><span class="nx">key</span><span class="p">,</span> <span class="nx">value</span><span class="p">])</span> <span class="o">=&gt;</span> <span class="p">[</span> <span class="nx">key</span><span class="p">,</span> <span class="nx">SENSITIVE_KEYS</span><span class="p">.</span><span class="nf">has</span><span class="p">(</span><span class="nx">key</span><span class="p">.</span><span class="nf">toLowerCase</span><span class="p">())</span> <span class="p">?</span> <span class="dl">'</span><span class="s1">[REDACTED]</span><span class="dl">'</span> <span class="p">:</span> <span class="nx">value</span><span class="p">,</span> <span class="p">])</span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>Use this utility whenever logging request payloads or user-supplied data:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">this</span><span class="p">.</span><span class="nx">logger</span><span class="p">.</span><span class="nf">log</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">User registration attempt</span><span class="dl">'</span><span class="p">,</span> <span class="na">payload</span><span class="p">:</span> <span class="nf">sanitizeForLog</span><span class="p">(</span><span class="nx">dto</span><span class="p">),</span> <span class="p">});</span> </code></pre> </div> <h3> Never Log Full Request Bodies Indiscriminately </h3> <p>Logging <code>req.body</code> wholesale in a middleware is a common antipattern. Instead, log only specific, known-safe fields:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// ❌ Dangerous — logs everything including passwords</span> <span class="k">this</span><span class="p">.</span><span class="nx">logger</span><span class="p">.</span><span class="nf">log</span><span class="p">({</span> <span class="na">body</span><span class="p">:</span> <span class="nx">request</span><span class="p">.</span><span class="nx">body</span> <span class="p">});</span> <span class="c1">// ✅ Safe — log only what you explicitly need</span> <span class="k">this</span><span class="p">.</span><span class="nx">logger</span><span class="p">.</span><span class="nf">log</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Login attempt</span><span class="dl">'</span><span class="p">,</span> <span class="na">email</span><span class="p">:</span> <span class="nx">request</span><span class="p">.</span><span class="nx">body</span><span class="p">.</span><span class="nx">email</span><span class="p">,</span> <span class="c1">// safe — not a secret</span> <span class="na">ip</span><span class="p">:</span> <span class="nx">request</span><span class="p">.</span><span class="nx">ip</span><span class="p">,</span> <span class="p">});</span> </code></pre> </div> <h2> Request Correlation with Trace IDs </h2> <p>In a distributed system, a single user action triggers calls across multiple services. Without a shared identifier, correlating logs across services is nearly impossible.</p> <p><strong>Request correlation IDs</strong> (also called trace IDs) solve this by attaching a unique identifier to every request at the entry point (API Gateway or first service), then propagating it through every downstream call via headers.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// src/common/middleware/correlation-id.middleware.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Injectable</span><span class="p">,</span> <span class="nx">NestMiddleware</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@nestjs/common</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Request</span><span class="p">,</span> <span class="nx">Response</span><span class="p">,</span> <span class="nx">NextFunction</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">express</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">v4</span> <span class="k">as</span> <span class="nx">uuidv4</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">uuid</span><span class="dl">'</span><span class="p">;</span> <span class="p">@</span><span class="nd">Injectable</span><span class="p">()</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">CorrelationIdMiddleware</span> <span class="k">implements</span> <span class="nx">NestMiddleware</span> <span class="p">{</span> <span class="nf">use</span><span class="p">(</span><span class="nx">req</span><span class="p">:</span> <span class="nx">Request</span><span class="p">,</span> <span class="nx">res</span><span class="p">:</span> <span class="nx">Response</span><span class="p">,</span> <span class="nx">next</span><span class="p">:</span> <span class="nx">NextFunction</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">correlationId</span> <span class="o">=</span> <span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">headers</span><span class="p">[</span><span class="dl">'</span><span class="s1">x-correlation-id</span><span class="dl">'</span><span class="p">]</span> <span class="k">as</span> <span class="kr">string</span><span class="p">)</span> <span class="o">??</span> <span class="nf">uuidv4</span><span class="p">();</span> <span class="nx">req</span><span class="p">.</span><span class="nx">headers</span><span class="p">[</span><span class="dl">'</span><span class="s1">x-correlation-id</span><span class="dl">'</span><span class="p">]</span> <span class="o">=</span> <span class="nx">correlationId</span><span class="p">;</span> <span class="nx">res</span><span class="p">.</span><span class="nf">setHeader</span><span class="p">(</span><span class="dl">'</span><span class="s1">x-correlation-id</span><span class="dl">'</span><span class="p">,</span> <span class="nx">correlationId</span><span class="p">);</span> <span class="nf">next</span><span class="p">();</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Include the <code>correlationId</code> in every log entry. When an incident occurs, you can filter your entire log aggregator by a single ID and see the complete request journey across every service, with timestamps, durations, and error context.</p> <h2> Log Retention and Access Control </h2> <p>Storing logs indefinitely is a compliance and cost problem. Define a <strong>retention policy</strong> that balances operational need with regulatory requirements:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Log Type</th> <th>Recommended Retention</th> </tr> </thead> <tbody> <tr> <td>Application errors</td> <td>90 days</td> </tr> <tr> <td>Access / audit logs</td> <td>1-7 years (varies by regulation)</td> </tr> <tr> <td>Debug logs</td> <td>7-14 days</td> </tr> <tr> <td>Security events</td> <td>1-2 years</td> </tr> </tbody> </table></div> <p>Beyond retention, control <strong>who can access logs</strong>:</p> <ul> <li>Logs containing any PII should be <strong>access-controlled</strong> - not every engineer needs to read production user data.</li> <li>Use <strong>role-based access</strong> in your log aggregator (Datadog, Splunk, ELK) to restrict sensitive log streams.</li> <li>Enable <strong>audit logging on your log aggregator itself</strong> - knowing who queried which logs is part of your compliance story.</li> <li>Consider <strong>log encryption at rest</strong> for any aggregator storing sensitive application data.</li> </ul> <h2> Alerting: Turning Logs Into Action </h2> <p>Logs without alerts are archives, not observability. Define alert rules on your log aggregator for conditions that require immediate human attention:</p> <ul> <li> <strong>Error rate spike:</strong> more than X <code>ERROR</code> level logs per minute</li> <li> <strong>Authentication failures:</strong> repeated 401s from the same IP (brute force indicator)</li> <li> <strong>Downstream service failures:</strong> sustained connection errors to a dependency</li> <li> <strong>Zero logs:</strong> a sudden absence of logs from a service may indicate it has crashed</li> </ul> <p>Keep alert thresholds tuned, too sensitive and engineers become desensitized to noise; too lenient and real incidents go undetected.</p> <h2> Logging Antipatterns to Avoid </h2> <p><strong>Logging in a tight loop:</strong> logging inside high-frequency loops or hot paths creates I/O pressure and can degrade application performance. Sample logs or aggregate counters instead.</p> <p><strong>Using console.log in production:</strong> <code>console.log</code> bypasses your structured logger, produces unstructured output, and cannot be controlled by log level configuration. Replace all instances with your logger before deploying.</p> <p><strong>Logging and rethrowing without context:</strong> catching an exception, logging it, and rethrowing it without adding context creates duplicate log entries with no additional signal. Add context or don't log, pick one.</p> <p><strong>Storing logs locally on application servers:</strong> local log files are lost when containers restart or servers are terminated. Always ship logs to an external aggregator in real time.</p> <h2> Recommended Tooling </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Category</th> <th>Tool</th> </tr> </thead> <tbody> <tr> <td>Logger (Node.js)</td> <td>Pino, Winston</td> </tr> <tr> <td>Log aggregation</td> <td>Datadog, ELK Stack, Grafana Loki</td> </tr> <tr> <td>Distributed tracing</td> <td>OpenTelemetry, Jaeger, Tempo</td> </tr> <tr> <td>Alerting</td> <td>PagerDuty, Grafana Alerting, Datadog Monitors</td> </tr> <tr> <td>Compliance scanning</td> <td>Nightfall, Presidio (PII detection in logs)</td> </tr> </tbody> </table></div> <h2> Conclusion </h2> <p>Production logging is not a feature you bolt on after launch, it's a foundational engineering practice that determines how quickly your team can detect, diagnose, and resolve incidents. Done well, it's invisible to users and invaluable to engineers. Done poorly, it's either useless noise or a ticking compliance time bomb.</p> <p>The formula is straightforward: <strong>use structured JSON logs, redact sensitive fields at the logger level, correlate requests with trace IDs, enforce retention policies, and alert on what matters.</strong> Everything else is tuning.</p> <p>Observability and security are not in conflict, with the right logging architecture, they reinforce each other.</p> <p><em>What log aggregator does your team use in production? Share your stack in the comments - we'd love to hear how different teams approach this.</em></p> observability sitereliabilityengineering softwareengineering logging Secure Error Handling in APIs: How to Implement Global Filters and Prevent Sensitive Data Leaks ThankGod Chibugwum Obobo Sun, 05 Apr 2026 17:00:00 +0000 https://forem.com/actocodes/secure-error-handling-in-apis-how-to-implement-global-filters-and-prevent-sensitive-data-leaks-31ke https://forem.com/actocodes/secure-error-handling-in-apis-how-to-implement-global-filters-and-prevent-sensitive-data-leaks-31ke <p>Error handling is one of the most overlooked attack surfaces in API security. While developers focus on authentication, authorization, and input validation, a poorly configured error response can silently leak database schemas, internal file paths, stack traces, and environment details handing attackers a roadmap to your system.</p> <p>The solution is <strong>secure, centralized error handling</strong>, intercepting all exceptions at a global level, sanitizing what gets returned to the client, and ensuring that internal details stay internal.</p> <p>In this guide, you'll learn how to implement global exception filters in <strong>NestJS</strong>, design a secure error response schema, prevent sensitive data leaks, and structure error handling for both development and production environments.</p> <h2> Why API Error Responses Are a Security Risk </h2> <p>Consider this typical unhandled exception response from an Express or NestJS app in development mode:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"statusCode"</span><span class="p">:</span><span class="w"> </span><span class="mi">500</span><span class="p">,</span><span class="w"> </span><span class="nl">"message"</span><span class="p">:</span><span class="w"> </span><span class="s2">"QueryFailedError: column </span><span class="se">\"</span><span class="s2">usr.emailAdress</span><span class="se">\"</span><span class="s2"> does not exist"</span><span class="p">,</span><span class="w"> </span><span class="nl">"stack"</span><span class="p">:</span><span class="w"> </span><span class="s2">"QueryFailedError: column </span><span class="se">\"</span><span class="s2">usr.emailAdress</span><span class="se">\"</span><span class="s2"> does not exist</span><span class="se">\n</span><span class="s2"> at PostgresQueryRunner (/app/node_modules/typeorm/src/...)</span><span class="se">\n</span><span class="s2"> at /app/src/users/users.service.ts:42:18"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>This single response reveals:</p> <ul> <li>The <strong>database engine</strong> (PostgreSQL via TypeORM)</li> <li>The <strong>exact column name</strong> that failed, confirming your schema structure</li> <li>The <strong>internal file path</strong> of your application</li> <li>The <strong>ORM library</strong> and version in use</li> <li>The <strong>service layer architecture</strong> of your backend</li> </ul> <p>This type of information disclosure is classified under <strong>OWASP API Security Top 10 - API3: Excessive Data Exposure</strong> and is trivially exploitable by anyone probing your API.</p> <h2> The Secure Error Response Standard </h2> <p>Before writing any code, define what a safe error response looks like. A production API error should expose only:</p> <ul> <li>A <strong>generic status code</strong> (HTTP standard)</li> <li>A <strong>user-friendly message</strong> that reveals nothing about internals</li> <li>A <strong>unique error ID</strong> for traceability in logs (without exposing logs to the client)</li> <li>Optionally, a <strong>machine-readable error code</strong> for client-side handling </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"statusCode"</span><span class="p">:</span><span class="w"> </span><span class="mi">500</span><span class="p">,</span><span class="w"> </span><span class="nl">"errorCode"</span><span class="p">:</span><span class="w"> </span><span class="s2">"INTERNAL_SERVER_ERROR"</span><span class="p">,</span><span class="w"> </span><span class="nl">"message"</span><span class="p">:</span><span class="w"> </span><span class="s2">"An unexpected error occurred. Please try again later."</span><span class="p">,</span><span class="w"> </span><span class="nl">"errorId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"a3f92c1d-8e44-4b2e-9f3a-1c7d5b2e4a8f"</span><span class="p">,</span><span class="w"> </span><span class="nl">"timestamp"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2025-04-04T10:23:45.123Z"</span><span class="p">,</span><span class="w"> </span><span class="nl">"path"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/api/users"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>The <code>errorId</code> is critical, it allows your support team to correlate the client-facing error to a detailed internal log entry, without ever exposing that detail publicly.</p> <h2> Implementing a Global Exception Filter in NestJS </h2> <p>NestJS provides a built-in exception filter system. By default, it catches <code>HttpException</code> instances and returns structured responses, but unhandled errors (database failures, third-party timeouts, unexpected nulls) fall through as raw 500 responses.</p> <p>A <strong>global exception filter</strong> intercepts every thrown exception, handled or not, and applies consistent, secure formatting.</p> <h3> Step 1: Create the Global Exception Filter </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// src/common/filters/global-exception.filter.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">ExceptionFilter</span><span class="p">,</span> <span class="nx">Catch</span><span class="p">,</span> <span class="nx">ArgumentsHost</span><span class="p">,</span> <span class="nx">HttpException</span><span class="p">,</span> <span class="nx">HttpStatus</span><span class="p">,</span> <span class="nx">Logger</span><span class="p">,</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@nestjs/common</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Request</span><span class="p">,</span> <span class="nx">Response</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">express</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">v4</span> <span class="k">as</span> <span class="nx">uuidv4</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">uuid</span><span class="dl">'</span><span class="p">;</span> <span class="p">@</span><span class="nd">Catch</span><span class="p">()</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">GlobalExceptionFilter</span> <span class="k">implements</span> <span class="nx">ExceptionFilter</span> <span class="p">{</span> <span class="k">private</span> <span class="k">readonly</span> <span class="nx">logger</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Logger</span><span class="p">(</span><span class="nx">GlobalExceptionFilter</span><span class="p">.</span><span class="nx">name</span><span class="p">);</span> <span class="k">catch</span><span class="p">(</span><span class="nx">exception</span><span class="p">:</span> <span class="nx">unknown</span><span class="p">,</span> <span class="nx">host</span><span class="p">:</span> <span class="nx">ArgumentsHost</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">ctx</span> <span class="o">=</span> <span class="nx">host</span><span class="p">.</span><span class="nf">switchToHttp</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="nx">ctx</span><span class="p">.</span><span class="nx">getResponse</span><span class="o">&lt;</span><span class="nx">Response</span><span class="o">&gt;</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">request</span> <span class="o">=</span> <span class="nx">ctx</span><span class="p">.</span><span class="nx">getRequest</span><span class="o">&lt;</span><span class="nx">Request</span><span class="o">&gt;</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">errorId</span> <span class="o">=</span> <span class="nf">uuidv4</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">timestamp</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">().</span><span class="nf">toISOString</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">path</span> <span class="o">=</span> <span class="nx">request</span><span class="p">.</span><span class="nx">url</span><span class="p">;</span> <span class="kd">let</span> <span class="nx">statusCode</span> <span class="o">=</span> <span class="nx">HttpStatus</span><span class="p">.</span><span class="nx">INTERNAL_SERVER_ERROR</span><span class="p">;</span> <span class="kd">let</span> <span class="nx">message</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">An unexpected error occurred. Please try again later.</span><span class="dl">'</span><span class="p">;</span> <span class="kd">let</span> <span class="nx">errorCode</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">INTERNAL_SERVER_ERROR</span><span class="dl">'</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="nx">exception</span> <span class="k">instanceof</span> <span class="nx">HttpException</span><span class="p">)</span> <span class="p">{</span> <span class="nx">statusCode</span> <span class="o">=</span> <span class="nx">exception</span><span class="p">.</span><span class="nf">getStatus</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">exceptionResponse</span> <span class="o">=</span> <span class="nx">exception</span><span class="p">.</span><span class="nf">getResponse</span><span class="p">();</span> <span class="c1">// Use the HttpException message but sanitize it</span> <span class="nx">message</span> <span class="o">=</span> <span class="k">typeof</span> <span class="nx">exceptionResponse</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">string</span><span class="dl">'</span> <span class="p">?</span> <span class="nx">exceptionResponse</span> <span class="p">:</span> <span class="p">(</span><span class="nx">exceptionResponse</span> <span class="k">as</span> <span class="kr">any</span><span class="p">).</span><span class="nx">message</span> <span class="o">||</span> <span class="nx">message</span><span class="p">;</span> <span class="nx">errorCode</span> <span class="o">=</span> <span class="k">this</span><span class="p">.</span><span class="nf">resolveErrorCode</span><span class="p">(</span><span class="nx">statusCode</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// Log the full error internally - never send this to the client</span> <span class="k">this</span><span class="p">.</span><span class="nx">logger</span><span class="p">.</span><span class="nf">error</span><span class="p">({</span> <span class="nx">errorId</span><span class="p">,</span> <span class="nx">statusCode</span><span class="p">,</span> <span class="nx">path</span><span class="p">,</span> <span class="na">message</span><span class="p">:</span> <span class="nx">exception</span> <span class="k">instanceof</span> <span class="nb">Error</span> <span class="p">?</span> <span class="nx">exception</span><span class="p">.</span><span class="nx">message</span> <span class="p">:</span> <span class="dl">'</span><span class="s1">Unknown error</span><span class="dl">'</span><span class="p">,</span> <span class="na">stack</span><span class="p">:</span> <span class="nx">exception</span> <span class="k">instanceof</span> <span class="nb">Error</span> <span class="p">?</span> <span class="nx">exception</span><span class="p">.</span><span class="nx">stack</span> <span class="p">:</span> <span class="kc">undefined</span><span class="p">,</span> <span class="nx">timestamp</span><span class="p">,</span> <span class="p">});</span> <span class="c1">// Send the sanitized response to the client</span> <span class="nx">response</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="nx">statusCode</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="nx">statusCode</span><span class="p">,</span> <span class="nx">errorCode</span><span class="p">,</span> <span class="nx">message</span><span class="p">,</span> <span class="nx">errorId</span><span class="p">,</span> <span class="nx">timestamp</span><span class="p">,</span> <span class="nx">path</span><span class="p">,</span> <span class="p">});</span> <span class="p">}</span> <span class="k">private</span> <span class="nf">resolveErrorCode</span><span class="p">(</span><span class="nx">statusCode</span><span class="p">:</span> <span class="kr">number</span><span class="p">):</span> <span class="kr">string</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">codes</span><span class="p">:</span> <span class="nb">Record</span><span class="o">&lt;</span><span class="kr">number</span><span class="p">,</span> <span class="kr">string</span><span class="o">&gt;</span> <span class="o">=</span> <span class="p">{</span> <span class="mi">400</span><span class="p">:</span> <span class="dl">'</span><span class="s1">BAD_REQUEST</span><span class="dl">'</span><span class="p">,</span> <span class="mi">401</span><span class="p">:</span> <span class="dl">'</span><span class="s1">UNAUTHORIZED</span><span class="dl">'</span><span class="p">,</span> <span class="mi">403</span><span class="p">:</span> <span class="dl">'</span><span class="s1">FORBIDDEN</span><span class="dl">'</span><span class="p">,</span> <span class="mi">404</span><span class="p">:</span> <span class="dl">'</span><span class="s1">NOT_FOUND</span><span class="dl">'</span><span class="p">,</span> <span class="mi">409</span><span class="p">:</span> <span class="dl">'</span><span class="s1">CONFLICT</span><span class="dl">'</span><span class="p">,</span> <span class="mi">422</span><span class="p">:</span> <span class="dl">'</span><span class="s1">UNPROCESSABLE_ENTITY</span><span class="dl">'</span><span class="p">,</span> <span class="mi">429</span><span class="p">:</span> <span class="dl">'</span><span class="s1">TOO_MANY_REQUESTS</span><span class="dl">'</span><span class="p">,</span> <span class="mi">500</span><span class="p">:</span> <span class="dl">'</span><span class="s1">INTERNAL_SERVER_ERROR</span><span class="dl">'</span><span class="p">,</span> <span class="p">};</span> <span class="k">return</span> <span class="nx">codes</span><span class="p">[</span><span class="nx">statusCode</span><span class="p">]</span> <span class="o">??</span> <span class="dl">'</span><span class="s1">INTERNAL_SERVER_ERROR</span><span class="dl">'</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> Step 2 - Register the Filter Globally </h3> <p>Apply the filter at the application level so it catches exceptions from every controller, service, and middleware:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// src/main.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">NestFactory</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@nestjs/core</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">AppModule</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./app.module</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">GlobalExceptionFilter</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./common/filters/global-exception.filter</span><span class="dl">'</span><span class="p">;</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">bootstrap</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">app</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">NestFactory</span><span class="p">.</span><span class="nf">create</span><span class="p">(</span><span class="nx">AppModule</span><span class="p">);</span> <span class="nx">app</span><span class="p">.</span><span class="nf">useGlobalFilters</span><span class="p">(</span><span class="k">new</span> <span class="nc">GlobalExceptionFilter</span><span class="p">());</span> <span class="k">await</span> <span class="nx">app</span><span class="p">.</span><span class="nf">listen</span><span class="p">(</span><span class="mi">3000</span><span class="p">);</span> <span class="p">}</span> <span class="nf">bootstrap</span><span class="p">();</span> </code></pre> </div> <p>Registering via <code>useGlobalFilters()</code> ensures the filter runs outside the dependency injection scope, catching even bootstrap-level errors.</p> <h2> Handling Validation Errors Securely </h2> <p>NestJS's <code>ValidationPipe</code> throws <code>BadRequestException</code> with a detailed array of validation failures. These are safe to return, they contain field-level feedback with no internal details. Ensure your filter preserves this structure for 400 errors:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// In GlobalExceptionFilter - extend the HttpException branch</span> <span class="k">if </span><span class="p">(</span><span class="nx">exception</span> <span class="k">instanceof</span> <span class="nx">HttpException</span><span class="p">)</span> <span class="p">{</span> <span class="nx">statusCode</span> <span class="o">=</span> <span class="nx">exception</span><span class="p">.</span><span class="nf">getStatus</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">exceptionResponse</span> <span class="o">=</span> <span class="nx">exception</span><span class="p">.</span><span class="nf">getResponse</span><span class="p">();</span> <span class="k">if </span><span class="p">(</span><span class="nx">statusCode</span> <span class="o">===</span> <span class="mi">400</span> <span class="o">&amp;&amp;</span> <span class="k">typeof</span> <span class="nx">exceptionResponse</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">object</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Preserve validation error details for client-side form handling</span> <span class="k">return</span> <span class="nx">response</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="nx">statusCode</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="nx">statusCode</span><span class="p">,</span> <span class="na">errorCode</span><span class="p">:</span> <span class="dl">'</span><span class="s1">VALIDATION_ERROR</span><span class="dl">'</span><span class="p">,</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Request validation failed.</span><span class="dl">'</span><span class="p">,</span> <span class="na">errors</span><span class="p">:</span> <span class="p">(</span><span class="nx">exceptionResponse</span> <span class="k">as</span> <span class="kr">any</span><span class="p">).</span><span class="nx">message</span><span class="p">,</span> <span class="c1">// array of field errors</span> <span class="nx">errorId</span><span class="p">,</span> <span class="nx">timestamp</span><span class="p">,</span> <span class="nx">path</span><span class="p">,</span> <span class="p">});</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>This gives clients enough information to display helpful form errors, without leaking anything about internals.</p> <h2> Environment-Aware Error Detail </h2> <p>During local development, stack traces are invaluable. In production, they're a liability. Use an environment flag to control detail level:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">isDevelopment</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NODE_ENV</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">development</span><span class="dl">'</span><span class="p">;</span> <span class="c1">// In the catch method — add debug info only in development</span> <span class="nx">response</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="nx">statusCode</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="nx">statusCode</span><span class="p">,</span> <span class="nx">errorCode</span><span class="p">,</span> <span class="nx">message</span><span class="p">,</span> <span class="nx">errorId</span><span class="p">,</span> <span class="nx">timestamp</span><span class="p">,</span> <span class="nx">path</span><span class="p">,</span> <span class="p">...(</span><span class="nx">isDevelopment</span> <span class="o">&amp;&amp;</span> <span class="p">{</span> <span class="na">debug</span><span class="p">:</span> <span class="p">{</span> <span class="na">originalMessage</span><span class="p">:</span> <span class="nx">exception</span> <span class="k">instanceof</span> <span class="nb">Error</span> <span class="p">?</span> <span class="nx">exception</span><span class="p">.</span><span class="nx">message</span> <span class="p">:</span> <span class="kc">null</span><span class="p">,</span> <span class="na">stack</span><span class="p">:</span> <span class="nx">exception</span> <span class="k">instanceof</span> <span class="nb">Error</span> <span class="p">?</span> <span class="nx">exception</span><span class="p">.</span><span class="nx">stack</span> <span class="p">:</span> <span class="kc">null</span><span class="p">,</span> <span class="p">},</span> <span class="p">}),</span> <span class="p">});</span> </code></pre> </div> <p>This pattern ensures developers get rich error context locally, while production clients always receive the sanitized version.</p> <h2> Preventing Information Leaks Beyond the Filter </h2> <p>The global filter handles runtime exceptions, but sensitive data can leak through other vectors too. Address these proactively:</p> <h3> Disable the X-Powered-By Header </h3> <p>By default, Express advertises the framework in response headers:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">app</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">NestFactory</span><span class="p">.</span><span class="nf">create</span><span class="p">(</span><span class="nx">AppModule</span><span class="p">,</span> <span class="p">{</span> <span class="na">rawBody</span><span class="p">:</span> <span class="kc">true</span> <span class="p">});</span> <span class="nx">app</span><span class="p">.</span><span class="nf">getHttpAdapter</span><span class="p">().</span><span class="nf">getInstance</span><span class="p">().</span><span class="nf">disable</span><span class="p">(</span><span class="dl">'</span><span class="s1">x-powered-by</span><span class="dl">'</span><span class="p">);</span> </code></pre> </div> <h3> Sanitize Database Error Messages </h3> <p>ORM errors (TypeORM, Prisma) contain raw SQL and schema details. Never let them propagate as <code>HttpException</code> messages. Catch them at the service layer:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">async</span> <span class="nf">findUser</span><span class="p">(</span><span class="nx">id</span><span class="p">:</span> <span class="kr">string</span><span class="p">)</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="k">return</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nx">usersRepository</span><span class="p">.</span><span class="nf">findOneOrFail</span><span class="p">({</span> <span class="na">where</span><span class="p">:</span> <span class="p">{</span> <span class="nx">id</span> <span class="p">}</span> <span class="p">});</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Log the ORM error internally, throw a clean HttpException</span> <span class="k">this</span><span class="p">.</span><span class="nx">logger</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Database error in findUser</span><span class="dl">'</span><span class="p">,</span> <span class="nx">error</span><span class="p">);</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">NotFoundException</span><span class="p">(</span><span class="dl">'</span><span class="s1">User not found.</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> Avoid Reflecting User Input in Error Messages </h3> <p>Never echo back user-supplied values in error messages, this can enable reflected XSS or information probing:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Unsafe — reflects user input</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">BadRequestException</span><span class="p">(</span><span class="s2">`User with email </span><span class="p">${</span><span class="nx">dto</span><span class="p">.</span><span class="nx">email</span><span class="p">}</span><span class="s2"> already exists`</span><span class="p">);</span> <span class="c1">// Safe — generic message</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">ConflictException</span><span class="p">(</span><span class="dl">'</span><span class="s1">An account with this email already exists.</span><span class="dl">'</span><span class="p">);</span> </code></pre> </div> <h2> Structured Logging for Traceability </h2> <p>The <code>errorId</code> in your response is only useful if your logging system captures it with full context. Use a structured logger like <strong>Winston</strong> or <strong>Pino</strong> to ensure every log entry is queryable:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">this</span><span class="p">.</span><span class="nx">logger</span><span class="p">.</span><span class="nf">error</span><span class="p">({</span> <span class="nx">errorId</span><span class="p">,</span> <span class="c1">// correlates to client-facing error</span> <span class="na">userId</span><span class="p">:</span> <span class="nx">request</span><span class="p">.</span><span class="nx">user</span><span class="p">?.</span><span class="nx">id</span><span class="p">,</span> <span class="na">method</span><span class="p">:</span> <span class="nx">request</span><span class="p">.</span><span class="nx">method</span><span class="p">,</span> <span class="na">path</span><span class="p">:</span> <span class="nx">request</span><span class="p">.</span><span class="nx">url</span><span class="p">,</span> <span class="nx">statusCode</span><span class="p">,</span> <span class="na">exceptionType</span><span class="p">:</span> <span class="nx">exception</span><span class="p">?.</span><span class="kd">constructor</span><span class="p">?.</span><span class="nx">name</span><span class="p">,</span> <span class="na">message</span><span class="p">:</span> <span class="nx">exception</span> <span class="k">instanceof</span> <span class="nb">Error</span> <span class="p">?</span> <span class="nx">exception</span><span class="p">.</span><span class="nx">message</span> <span class="p">:</span> <span class="dl">'</span><span class="s1">Unknown</span><span class="dl">'</span><span class="p">,</span> <span class="na">stack</span><span class="p">:</span> <span class="nx">exception</span> <span class="k">instanceof</span> <span class="nb">Error</span> <span class="p">?</span> <span class="nx">exception</span><span class="p">.</span><span class="nx">stack</span> <span class="p">:</span> <span class="kc">undefined</span><span class="p">,</span> <span class="p">});</span> </code></pre> </div> <p>With this structure, when a user reports an issue with their <code>errorId</code>, your team can instantly pull the full context from your log aggregator (Datadog, ELK, CloudWatch), without ever having exposed that detail publicly.</p> <h2> Security Checklist </h2> <p>Before shipping your error handling to production, verify the following:</p> <ul> <li>Stack traces never appear in API responses</li> <li>Database error messages are caught and replaced at the service layer</li> <li>ORM or driver names are not present in any response body or header</li> <li> <code>X-Powered-By</code> header is disabled</li> <li>Validation errors return field names but never internal paths or schema details</li> <li>Every unhandled exception generates a unique <code>errorId</code> and is logged with full context</li> <li> <code>NODE_ENV</code> controls debug detail visibility</li> <li>User input is never reflected verbatim in error messages</li> </ul> <h2> Conclusion </h2> <p>Secure error handling is not just about user experience, it's a critical layer of your API's defense-in-depth strategy. A single unhandled exception that leaks a stack trace can give an attacker everything they need to probe your system further.</p> <p>By implementing a <strong>global exception filter</strong> in NestJS, you establish a single, auditable point of control over every error your API emits. Pair it with environment-aware detail levels, structured logging, and service-layer ORM sanitization, and you've closed one of the most commonly overlooked API security gaps.</p> <p>The rule is simple: <strong>log everything internally, expose nothing externally.</strong></p> apisecurity errors softwareengineering backenddevelopment Shift-Left Testing: How to Automate QA/QC Pipelines with SonarQube and GitHub Actions ThankGod Chibugwum Obobo Sun, 29 Mar 2026 17:00:00 +0000 https://forem.com/actocodes/shift-left-testing-how-to-automate-qaqc-pipelines-with-sonarqube-and-github-actions-2kln https://forem.com/actocodes/shift-left-testing-how-to-automate-qaqc-pipelines-with-sonarqube-and-github-actions-2kln <p>Finding a bug in production costs significantly more to fix than catching it during development. This is the core argument behind <strong>shift-left testing</strong>, the practice of moving quality checks earlier in the software development lifecycle, closer to where code is written rather than where it is deployed.</p> <p>With <strong>SonarQube</strong> for static code analysis and <strong>GitHub Actions</strong> for CI/CD automation, teams can enforce code quality, detect security vulnerabilities, and measure test coverage on every single pull request, automatically, and before a single line merges to main.</p> <p>This guide walks you through setting up a fully automated QA/QC pipeline from scratch, including SonarQube configuration, GitHub Actions integration, quality gate enforcement, and practical tips for rolling it out to your team.</p> <h2> What Is Shift-Left Testing? </h2> <p><strong>Shift-left</strong> refers to moving testing and quality assurance activities to the left side of the development timeline, earlier in the process. Instead of QA happening after development is complete, it becomes a continuous activity embedded into every step of the workflow.</p> <p>In practice, shift-left means:</p> <ul> <li>Running <strong>static analysis</strong> on every commit.</li> <li>Enforcing <strong>code coverage thresholds</strong> in CI before merging.</li> <li>Scanning for <strong>security vulnerabilities</strong> at the PR level, not post-deployment.</li> <li>Providing <strong>instant feedback</strong> to developers in their existing workflow (GitHub PRs).</li> </ul> <p>The result is shorter feedback loops, fewer regressions, and significantly reduced cost of quality.</p> <h2> Why SonarQube? </h2> <p><strong>SonarQube</strong> is one of the most widely adopted static analysis platforms in the industry. It supports 30+ programming languages and provides deep analysis across four dimensions:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Dimension</th> <th>What It Checks</th> </tr> </thead> <tbody> <tr> <td><strong>Bugs</strong></td> <td>Logic errors and runtime issues</td> </tr> <tr> <td><strong>Vulnerabilities</strong></td> <td>Security weaknesses (OWASP Top 10)</td> </tr> <tr> <td><strong>Code Smells</strong></td> <td>Maintainability issues and technical debt</td> </tr> <tr> <td><strong>Coverage</strong></td> <td>Unit test coverage percentage</td> </tr> </tbody> </table></div> <p>SonarQube is available as a <strong>self-hosted</strong> open-source Community Edition or as <strong>SonarCloud</strong>, a fully managed SaaS version ideal for teams who don't want to manage infrastructure.</p> <p>For this guide, we'll use <strong>SonarCloud</strong>, it integrates natively with GitHub and requires no server setup.</p> <h2> Step 1 - Set Up SonarCloud </h2> <ol> <li>Go to <a href="https://sonarcloud.io" rel="noopener noreferrer">sonarcloud.io</a> and sign in with your GitHub account.</li> <li>Create a new <strong>Organization</strong> linked to your GitHub organization or personal account.</li> <li>Import the repository you want to analyze.</li> <li>SonarCloud will generate a <strong>Project Key</strong> and <strong>Organization Key</strong>, save these for later.</li> <li>Generate a <strong>SonarCloud Token</strong> from your account security settings.</li> </ol> <p>Store the token as a GitHub Actions secret:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>GitHub Repo → Settings → Secrets and Variables → Actions → New Repository Secret Name: SONAR_TOKEN Value: &lt;your-sonarcloud-token&gt; </code></pre> </div> <h2> Step 2 - Add a SonarCloud Configuration File </h2> <p>Create a <code>sonar-project.properties</code> file in your repository root. This tells SonarCloud where to find your source code, tests, and coverage reports:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight properties"><code><span class="c"># sonar-project.properties </span><span class="py">sonar.projectKey</span><span class="p">=</span><span class="s">your_org_your_project</span> <span class="py">sonar.organization</span><span class="p">=</span><span class="s">your-sonarcloud-org</span> <span class="py">sonar.projectName</span><span class="p">=</span><span class="s">Your Project Name</span> <span class="py">sonar.projectVersion</span><span class="p">=</span><span class="s">1.0</span> <span class="c"># Source and test directories </span><span class="py">sonar.sources</span><span class="p">=</span><span class="s">src</span> <span class="py">sonar.tests</span><span class="p">=</span><span class="s">src</span> <span class="py">sonar.test.inclusions</span><span class="p">=</span><span class="s">**/*.spec.ts,**/*.test.ts</span> <span class="c"># Coverage report path (generated by your test runner) </span><span class="py">sonar.javascript.lcov.reportPaths</span><span class="p">=</span><span class="s">coverage/lcov.info</span> <span class="c"># Exclusions </span><span class="py">sonar.exclusions</span><span class="p">=</span><span class="s">**/node_modules/**,**/dist/**,**/*.spec.ts</span> </code></pre> </div> <p>Adjust paths to match your project structure. For Java projects, replace the JavaScript-specific properties with the appropriate <code>sonar.java.*</code> equivalents.</p> <h2> Step 3 - Configure Your Test Runner for Coverage </h2> <p>SonarQube needs a coverage report to measure how much of your code is tested. For a <strong>Node.js/TypeScript</strong> project using Jest, configure coverage output in <code>jest.config.ts</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// jest.config.ts</span> <span class="k">export</span> <span class="k">default</span> <span class="p">{</span> <span class="na">preset</span><span class="p">:</span> <span class="dl">'</span><span class="s1">ts-jest</span><span class="dl">'</span><span class="p">,</span> <span class="na">testEnvironment</span><span class="p">:</span> <span class="dl">'</span><span class="s1">node</span><span class="dl">'</span><span class="p">,</span> <span class="na">collectCoverage</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">coverageDirectory</span><span class="p">:</span> <span class="dl">'</span><span class="s1">coverage</span><span class="dl">'</span><span class="p">,</span> <span class="na">coverageReporters</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">lcov</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">text</span><span class="dl">'</span><span class="p">],</span> <span class="na">collectCoverageFrom</span><span class="p">:</span> <span class="p">[</span> <span class="dl">'</span><span class="s1">src/**/*.ts</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">!src/**/*.spec.ts</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">!src/main.ts</span><span class="dl">'</span><span class="p">,</span> <span class="p">],</span> <span class="p">};</span> </code></pre> </div> <p>Running <code>jest</code> will now generate a <code>coverage/lcov.info</code> file, the format SonarCloud expects.</p> <h2> Step 4 - Create the GitHub Actions Workflow </h2> <p>Now wire everything together in a GitHub Actions workflow. This pipeline runs on every pull request and push to <code>main</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># .github/workflows/quality.yml</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Code Quality &amp; Security</span> <span class="na">on</span><span class="pi">:</span> <span class="na">push</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">main</span><span class="pi">,</span> <span class="nv">develop</span><span class="pi">]</span> <span class="na">pull_request</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">main</span><span class="pi">,</span> <span class="nv">develop</span><span class="pi">]</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">sonarcloud</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">SonarCloud Analysis</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Checkout code</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">fetch-depth</span><span class="pi">:</span> <span class="m">0</span> <span class="c1"># Required for SonarCloud blame data</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Set up Node.js</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/setup-node@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">node-version</span><span class="pi">:</span> <span class="s1">'</span><span class="s">20'</span> <span class="na">cache</span><span class="pi">:</span> <span class="s1">'</span><span class="s">npm'</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Install dependencies</span> <span class="na">run</span><span class="pi">:</span> <span class="s">npm ci</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Run tests with coverage</span> <span class="na">run</span><span class="pi">:</span> <span class="s">npm test -- --coverage</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">SonarCloud Scan</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">SonarSource/sonarcloud-github-action@master</span> <span class="na">env</span><span class="pi">:</span> <span class="na">GITHUB_TOKEN</span><span class="pi">:</span> <span class="s">${{ secrets.GITHUB_TOKEN }}</span> <span class="na">SONAR_TOKEN</span><span class="pi">:</span> <span class="s">${{ secrets.SONAR_TOKEN }}</span> </code></pre> </div> <p>The <code>fetch-depth: 0</code> is critical, it fetches full Git history so SonarCloud can accurately attribute code changes to authors and compute new vs overall code metrics.</p> <h2> Step 5 - Enforce Quality Gates </h2> <p>A <strong>Quality Gate</strong> is a set of conditions that must pass before code is considered releasable. SonarCloud ships with a default "Sonar Way" quality gate that checks:</p> <ul> <li>Coverage on new code ≥ 80%</li> <li>Duplicated lines on new code ≤ 3%</li> <li>Maintainability rating on new code = A</li> <li>Reliability rating on new code = A</li> <li>Security rating on new code = A</li> </ul> <p>When a pull request fails a quality gate, SonarCloud posts a comment directly on the PR and marks the check as failed, blocking the merge if branch protection rules are configured.</p> <p>To enforce this, enable <strong>branch protection</strong> on your main branch:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>GitHub Repo → Settings → Branches → Add Rule ✅ Require status checks to pass before merging ✅ Select: SonarCloud Code Analysis </code></pre> </div> <p>Now no PR can merge to <code>main</code> without passing the quality gate.</p> <h3> Customizing Quality Gates </h3> <p>For mature codebases, you may want stricter thresholds. In SonarCloud, navigate to your organization's <strong>Quality Gates</strong> section and create a custom gate:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>New Code Coverage ≥ 85% New Blocker Issues = 0 New Critical Issues = 0 New Security Hotspots = 0 </code></pre> </div> <p>Tune these thresholds progressively, start lenient and tighten as your team addresses existing debt.</p> <h2> Step 6 - Viewing Results in Pull Requests </h2> <p>Once the workflow is active, every PR gets automated feedback directly in GitHub:</p> <ul> <li>A <strong>SonarCloud check</strong> appears in the PR status checks, pass or fail.</li> <li>An inline <strong>PR comment</strong> summarizes new issues, coverage delta, and quality gate status.</li> <li>Developers can click through to the <strong>SonarCloud dashboard</strong> for detailed findings, including the exact line, severity, and remediation guidance for every issue.</li> </ul> <p>This tight GitHub integration is what makes shift-left practical, developers get quality feedback in the same place they're already reviewing code, with no context switching required.</p> <h2> Going Further: Adding ESLint and Prettier to the Pipeline </h2> <p>SonarQube handles deep static analysis, but pairing it with <strong>ESLint</strong> (style and logic rules) and <strong>Prettier</strong> (formatting) gives you a complete quality layer. Add them as a separate job in the same workflow:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">lint</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Lint &amp; Format Check</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/setup-node@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">node-version</span><span class="pi">:</span> <span class="s1">'</span><span class="s">20'</span> <span class="na">cache</span><span class="pi">:</span> <span class="s1">'</span><span class="s">npm'</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">npm ci</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">npm run lint</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">npm run format:check</span> </code></pre> </div> <p>With all three tools running in parallel, ESLint, Prettier, and SonarCloud, your CI pipeline covers style, logic, security, and coverage in a single unified workflow.</p> <h2> SonarQube for IDE: Catch Issues Before You Commit </h2> <p>Waiting for a CI pipeline to flag a quality issue still means a context switch, you push code, trigger a workflow, and then come back to fix a problem you'd already moved past. <strong>SonarQube for IDE</strong> (formerly SonarLint) closes that gap by bringing the same analysis engine directly into your editor, giving you real-time feedback as you type.</p> <h3> What It Does </h3> <p>SonarQube for IDE runs locally and surfaces bugs, vulnerabilities, and code smells inline, the same rules that SonarCloud applies in CI, but without leaving your editor. Issues appear as squiggly underlines with descriptions and remediation guidance, similar to how a compiler highlights syntax errors.</p> <p>Key features:</p> <ul> <li> <strong>Real-time analysis</strong> on the file you're editing, with no manual trigger required.</li> <li> <strong>Consistent rules</strong>, when connected to your SonarCloud project, it syncs your team's active quality profile so everyone is checking against the same ruleset.</li> <li> <strong>Detailed explanations</strong>, each issue includes why it's a problem, the risk it poses, and how to fix it, directly in the IDE panel.</li> <li> <strong>Security hotspot detection</strong>, flags sensitive code paths (e.g., hardcoded credentials, unsanitized inputs) at the point of authoring.</li> </ul> <h3> Supported IDEs </h3> <p>SonarQube for IDE is available as a plugin for:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>IDE</th> <th>Plugin Name</th> </tr> </thead> <tbody> <tr> <td><strong>VS Code</strong></td> <td>SonarQube for IDE (VS Code Marketplace)</td> </tr> <tr> <td><strong>IntelliJ IDEA / WebStorm / PyCharm</strong></td> <td>SonarQube for IDE (JetBrains Marketplace)</td> </tr> <tr> <td><strong>Eclipse</strong></td> <td>SonarLint (Eclipse Marketplace)</td> </tr> </tbody> </table></div> <h3> Installation (VS Code) </h3> <ol> <li>Open the <strong>Extensions</strong> panel (<code>Ctrl+Shift+X</code> / <code>Cmd+Shift+X</code>).</li> <li>Search for <strong>SonarQube for IDE</strong> and install it.</li> <li>Reload VS Code, analysis starts immediately with default rules.</li> </ol> <h3> Connected Mode: Sync with SonarCloud </h3> <p>By default, the plugin uses a standard set of built-in rules. For team consistency, enable <strong>Connected Mode</strong> to bind it to your SonarCloud project:</p> <ol> <li>Open the Command Palette (<code>Ctrl+Shift+P</code>) and run <strong>SonarQube: Connect to SonarQube Cloud</strong>.</li> <li>Authenticate with your SonarCloud token.</li> <li>Select your <strong>Organization</strong> and <strong>Project Key</strong>.</li> </ol> <p>Once connected, the IDE enforces the same quality profile and suppression decisions as your CI pipeline. Issues that your team has marked <em>Won't Fix</em> in SonarCloud won't appear in your editor either, reducing noise and keeping the signal relevant.</p> <h3> How It Complements the CI Pipeline </h3> <p>SonarQube for IDE and SonarCloud are not redundant, they operate at different points in the workflow and catch different things:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th></th> <th>SonarQube for IDE</th> <th>SonarCloud (CI)</th> </tr> </thead> <tbody> <tr> <td><strong>When</strong></td> <td>While typing</td> <td>On push / PR</td> </tr> <tr> <td><strong>Scope</strong></td> <td>Current file</td> <td>Full codebase</td> </tr> <tr> <td><strong>Coverage analysis</strong></td> <td>No</td> <td>Yes</td> </tr> <tr> <td><strong>New vs. overall code</strong></td> <td>No</td> <td>Yes</td> </tr> <tr> <td><strong>Blocks merge</strong></td> <td>No</td> <td>Yes (Quality Gate)</td> </tr> <tr> <td><strong>Best for</strong></td> <td>Preventing issues</td> <td>Enforcing standards</td> </tr> </tbody> </table></div> <p>Think of the IDE plugin as your first line of defense and SonarCloud as the safety net. Most issues should be caught and fixed before a commit is ever pushed, with the CI pipeline acting as a final, authoritative check for the whole team.</p> <h2> Common Pitfalls to Avoid </h2> <p><strong>Ignoring the quality gate on legacy code:</strong> SonarCloud's default quality gate focuses on <em>new code</em>, not the overall codebase. This makes adoption practical: you're held accountable only for what you write going forward, not the full history of technical debt.</p> <p><strong>Skipping <code>fetch-depth: 0</code>:</strong> Without full Git history, SonarCloud cannot compute new vs. existing issues accurately. Always set this in your checkout step.</p> <p><strong>Setting coverage thresholds too high too soon:</strong> A 90% coverage requirement on day one will block every PR. Start at 60–70%, fix the gaps, then raise the bar incrementally.</p> <p><strong>Treating all issues as equal:</strong> Prioritize <strong>Blocker</strong> and <strong>Critical</strong> severity issues for immediate action. <strong>Major</strong> and <strong>Minor</strong> issues can be tracked as technical debt and addressed in dedicated cleanup sprints.</p> <h2> Conclusion </h2> <p>Shifting left is not just about adding tools to a pipeline, it's a cultural shift toward shared ownership of quality. By integrating <strong>SonarQube (SonarCloud)</strong> and <strong>GitHub Actions</strong>, you make code quality a first-class citizen of your development workflow: automated, visible, and enforced before any code reaches production.</p> <p>Start with the basic setup, enforce quality gates on new code, and iterate on your thresholds as your team builds the habit. The earlier you catch issues, the cheaper and faster they are to fix, and the more confidence your team has in every release.</p> <p><em>Already using SonarQube self-hosted instead of SonarCloud? The GitHub Actions integration works the same way, just swap the SonarCloud action for the generic SonarScanner and point it at your server URL.</em></p> softwareengineering codequality sonarqube githubactions Infrastructure as Code Is Still Code: How to Lint and Format Terraform and Ansible ThankGod Chibugwum Obobo Sun, 22 Mar 2026 17:00:00 +0000 https://forem.com/actocodes/infrastructure-as-code-is-still-code-how-to-lint-and-format-terraform-and-ansible-5cn9 https://forem.com/actocodes/infrastructure-as-code-is-still-code-how-to-lint-and-format-terraform-and-ansible-5cn9 <p>When developers talk about code quality, they usually mean application code, running ESLint, enforcing Prettier, and integrating static analysis into CI pipelines. But <strong>Infrastructure as Code (IaC)</strong> deserves the same treatment.</p> <p>Terraform configurations and Ansible playbooks are real code. They define production environments, manage sensitive resources, and get reviewed in pull requests. Yet many teams apply zero linting or formatting standards to them, leading to inconsistent style, subtle misconfigurations, and security vulnerabilities that slip past reviewers.</p> <p>This guide covers the essential tools and practices for linting and formatting <strong>Terraform</strong> and <strong>Ansible</strong>, and how to integrate them into your CI/CD pipeline for consistent, reviewable, production-grade infrastructure code.</p> <h2> Why Code Quality Matters for IaC </h2> <p>The consequences of poor-quality IaC are more severe than messy application code:</p> <ul> <li> <strong>Misconfigurations cause outages.</strong> A wrong variable type or missing validation in a Terraform module can destroy or misconfigure production infrastructure.</li> <li> <strong>Security vulnerabilities are harder to spot.</strong> Open security groups, overly permissive IAM roles, and unencrypted storage buckets often hide in unreviewed or inconsistently formatted configs.</li> <li> <strong>Drift compounds over time.</strong> Without enforced standards, IaC files written by different engineers diverge in style, making diffs harder to read and reviews less effective.</li> <li> <strong>Onboarding suffers.</strong> New team members struggle to understand inconsistently structured playbooks and modules.</li> </ul> <p>Treating IaC with the same rigor as application code pays dividends in reliability and team velocity.</p> <h2> Linting and Formatting Terraform </h2> <h3> Formatting with <code>terraform fmt</code> </h3> <p>Terraform ships with a built-in formatter. Running <code>terraform fmt</code> rewrites your <code>.tf</code> files to conform to the canonical HCL style, consistent indentation, aligned <code>=</code> signs, and normalized block structures.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Format all .tf files recursively</span> terraform <span class="nb">fmt</span> <span class="nt">-recursive</span> <span class="c"># Check formatting without writing changes (useful in CI)</span> terraform <span class="nb">fmt</span> <span class="nt">-check</span> <span class="nt">-recursive</span> </code></pre> </div> <p>Make <code>-check</code> mode part of your CI pipeline. A non-zero exit code signals a formatting violation and fails the build, enforcing that all merged code is properly formatted.</p> <h3> Validation with <code>terraform validate</code> </h3> <p>Before linting, ensure your configuration is syntactically and semantically valid:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform init <span class="nt">-backend</span><span class="o">=</span><span class="nb">false </span>terraform validate </code></pre> </div> <p>This catches undefined variables, incorrect resource references, and invalid argument types, without making any API calls to your cloud provider.</p> <h3> Deep Linting with TFLint </h3> <p><code>terraform validate</code> only checks syntax. <strong>TFLint</strong> goes further, it analyzes your configurations against provider-specific rules, catches deprecated syntax, and flags likely bugs.</p> <p>Install TFLint and initialize provider plugins:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>brew <span class="nb">install </span>tflint <span class="c"># macOS</span> <span class="c">#or</span> curl <span class="nt">-s</span> https://raw.githubusercontent.com/terraform-linters/tflint/master/install_linux.sh | bash <span class="c">#linux</span> <span class="c">#or</span> choco <span class="nb">install </span>tflint <span class="c">#windows</span> <span class="c">#or</span> scoop <span class="nb">install </span>tflint <span class="c">#windows</span> <span class="c">#or</span> <span class="nb">alias </span><span class="nv">tflint</span><span class="o">=</span><span class="s2">"docker run --rm -v </span><span class="si">$(</span><span class="nb">pwd</span><span class="si">)</span><span class="s2">:/data -t ghcr.io/terraform-linters/tflint"</span> <span class="c">#docker</span> tflint <span class="nt">--init</span> </code></pre> </div> <p>Configure it with a <code>.tflint.hcl</code> file in your repo root:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># .tflint.hcl</span> <span class="nx">plugin</span> <span class="s2">"aws"</span> <span class="p">{</span> <span class="nx">enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"0.27.0"</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"github.com/terraform-linters/tflint-ruleset-aws"</span> <span class="p">}</span> <span class="nx">rule</span> <span class="s2">"terraform_naming_convention"</span> <span class="p">{</span> <span class="nx">enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="nx">rule</span> <span class="s2">"terraform_unused_declarations"</span> <span class="p">{</span> <span class="nx">enabled</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> </code></pre> </div> <p>Then run:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>tflint <span class="nt">--recursive</span> </code></pre> </div> <p>TFLint will flag issues like invalid instance types, deprecated resource arguments, and naming convention violations, all before any infrastructure is provisioned.</p> <h3> Security Scanning with Trivy or Checkov </h3> <p>Linting catches style and syntax issues. Security scanning catches <strong>misconfigurations</strong> and for IaC, this is critical.</p> <p><strong>Checkov</strong> is a static analysis tool purpose-built for IaC security:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pip <span class="nb">install </span>checkov checkov <span class="nt">-d</span> <span class="nb">.</span> <span class="nt">--framework</span> terraform </code></pre> </div> <p>It checks for issues like:</p> <ul> <li>S3 buckets with public access enabled</li> <li>Security groups open to <code>0.0.0.0/0</code> </li> <li>Unencrypted RDS instances</li> <li>Missing CloudTrail logging</li> </ul> <p><strong>Trivy</strong> offers similar coverage and integrates well into container-based CI environments:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>trivy config ./terraform </code></pre> </div> <p>Run both as non-blocking checks early in adoption, then graduate them to hard failures as your team addresses existing violations.</p> <h2> Linting and Formatting Ansible </h2> <h3> Linting with ansible-lint </h3> <p><strong>ansible-lint</strong> is the standard linting tool for Ansible playbooks, roles, and task files. It enforces best practices defined by the Ansible community and catches common mistakes.</p> <p>Install and run it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pip <span class="nb">install </span>ansible-lint ansible-lint playbooks/ </code></pre> </div> <p>Common issues it catches:</p> <ul> <li>Missing <code>name</code> on tasks (makes logs unreadable)</li> <li>Use of deprecated modules</li> <li>Command and shell tasks that should use native Ansible modules</li> <li>Missing <code>become</code> escalation where required</li> <li>Incorrect YAML formatting</li> </ul> <h3> Configuring ansible-lint </h3> <p>Customize rules with a <code>.ansible-lint</code> file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># .ansible-lint</span> <span class="na">warn_list</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">experimental</span> <span class="na">skip_list</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">yaml[line-length]</span> <span class="c1"># skip line length for long task names</span> <span class="na">exclude_paths</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">.cache/</span> <span class="pi">-</span> <span class="s">molecule/</span> </code></pre> </div> <p>You can also use <strong>profiles</strong> to enforce stricter rule sets as your team matures:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>ansible-lint <span class="nt">--profile</span> production playbooks/ </code></pre> </div> <p>Profiles range from <code>min</code> (basic safety checks) to <code>production</code> (full best-practice enforcement).</p> <h3> Formatting YAML with Prettier or yamllint </h3> <p>Ansible playbooks are YAML and YAML is notoriously whitespace-sensitive. Enforce consistent formatting using <strong>yamllint</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pip <span class="nb">install </span>yamllint yamllint playbooks/ </code></pre> </div> <p>Configure it with a <code>.yamllint</code> file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># .yamllint</span> <span class="na">extends</span><span class="pi">:</span> <span class="s">default</span> <span class="na">rules</span><span class="pi">:</span> <span class="na">line-length</span><span class="pi">:</span> <span class="na">max</span><span class="pi">:</span> <span class="m">120</span> <span class="na">indentation</span><span class="pi">:</span> <span class="na">indent-sequences</span><span class="pi">:</span> <span class="s">consistent</span> <span class="na">truthy</span><span class="pi">:</span> <span class="na">allowed-values</span><span class="pi">:</span> <span class="pi">[</span><span class="s1">'</span><span class="s">true'</span><span class="pi">,</span> <span class="s1">'</span><span class="s">false'</span><span class="pi">]</span> </code></pre> </div> <p>For teams already using <strong>Prettier</strong>, it supports YAML formatting out of the box:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>prettier <span class="nt">--write</span> <span class="s2">"playbooks/**/*.yml"</span> </code></pre> </div> <p>Standardizing YAML formatting eliminates the most common source of noisy diff, whitespace-only changes.</p> <h3> Security Scanning Ansible with ansible-lint and Checkov </h3> <p>ansible-lint includes security-focused rules by default, flagging tasks that use <code>shell</code> or <code>command</code> with potentially unsafe inputs, or roles missing proper privilege escalation guards.</p> <p>Checkov also supports Ansible:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>checkov <span class="nt">-d</span> <span class="nb">.</span> <span class="nt">--framework</span> ansible </code></pre> </div> <p>It flags hardcoded secrets, missing no-log directives on sensitive tasks, and overly permissive file permissions.</p> <h2> Integrating into CI/CD </h2> <p>All of these tools become most valuable when they run automatically on every pull request. Here's a sample <strong>GitHub Actions</strong> workflow covering both Terraform and Ansible:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># .github/workflows/iac-quality.yml</span> <span class="na">name</span><span class="pi">:</span> <span class="s">IaC Quality Checks</span> <span class="na">on</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">pull_request</span><span class="pi">]</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">terraform</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">hashicorp/setup-terraform@v3</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Terraform Format Check</span> <span class="na">run</span><span class="pi">:</span> <span class="s">terraform fmt -check -recursive</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Terraform Validate</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">terraform init -backend=false</span> <span class="s">terraform validate</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">TFLint</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">terraform-linters/setup-tflint@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">tflint_version</span><span class="pi">:</span> <span class="s">latest</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">tflint --recursive</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Checkov Security Scan</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">bridgecrewio/checkov-action@master</span> <span class="na">with</span><span class="pi">:</span> <span class="na">directory</span><span class="pi">:</span> <span class="s">.</span> <span class="na">framework</span><span class="pi">:</span> <span class="s">terraform</span> <span class="na">ansible</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Install tools</span> <span class="na">run</span><span class="pi">:</span> <span class="s">pip install ansible-lint yamllint</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">yamllint</span> <span class="na">run</span><span class="pi">:</span> <span class="s">yamllint playbooks/</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">ansible-lint</span> <span class="na">run</span><span class="pi">:</span> <span class="s">ansible-lint playbooks/</span> </code></pre> </div> <p>Start with warnings before enforcing hard failures — this gives teams time to remediate existing violations without blocking all merges on day one.</p> <h2> Recommended Toolchain Summary </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Tool</th> <th>Purpose</th> <th>Applies To</th> </tr> </thead> <tbody> <tr> <td><code>terraform fmt</code></td> <td>Canonical formatting</td> <td>Terraform</td> </tr> <tr> <td><code>terraform validate</code></td> <td>Syntax &amp; semantic validation</td> <td>Terraform</td> </tr> <tr> <td>TFLint</td> <td>Provider-aware deep linting</td> <td>Terraform</td> </tr> <tr> <td>Checkov</td> <td>Security misconfiguration scanning</td> <td>Terraform &amp; Ansible</td> </tr> <tr> <td>Trivy</td> <td>Security scanning (container-friendly)</td> <td>Terraform</td> </tr> <tr> <td>ansible-lint</td> <td>Best practice enforcement</td> <td>Ansible</td> </tr> <tr> <td>yamllint</td> <td>YAML formatting &amp; structure</td> <td>Ansible</td> </tr> <tr> <td>Prettier</td> <td>YAML formatting (if already in stack)</td> <td>Ansible</td> </tr> </tbody> </table></div> <h2> Conclusion </h2> <p>Infrastructure as Code is not configuration, it's code, and it deserves the same quality standards your application code receives. By integrating <strong>terraform fmt</strong>, <strong>TFLint</strong>, <strong>Checkov</strong>, <strong>ansible-lint</strong>, and <strong>yamllint</strong> into your development workflow and CI pipeline, you catch misconfigurations before they reach production, enforce consistent standards across teams, and make infrastructure pull requests actually reviewable.</p> <p>Start with formatting and basic validation, layer in security scanning, and enforce everything in CI. Your future self, and your on-call rotation, will thank you.</p> <p><em>Already using a different IaC tool like Pulumi or OpenTofu? The same principles apply — drop a comment with your preferred linting setup.</em></p> terraform ansible infrastructureascode softwareengineering Monorepo vs. Polyrepo: How to Choose the Right Strategy for Managing Multiple Services ThankGod Chibugwum Obobo Sun, 15 Mar 2026 17:00:00 +0000 https://forem.com/actocodes/monorepo-vs-polyrepo-how-to-choose-the-right-strategy-for-managing-multiple-services-b13 https://forem.com/actocodes/monorepo-vs-polyrepo-how-to-choose-the-right-strategy-for-managing-multiple-services-b13 <p>As engineering teams grow and services multiply, one architectural decision quietly shapes how fast you ship, how well teams collaborate, and how painful your CI/CD pipelines become: <strong>how you organize your code repositories</strong>.</p> <p>The debate between <strong>monorepo</strong> and <strong>polyrepo</strong> is not new, but it's become more relevant than ever as microservices, micro-frontends, and platform engineering take center stage. Neither approach is universally superior. The right choice depends on your team size, service boundaries, and tooling maturity.</p> <p>This guide breaks down both strategies, how they work, where they excel, where they struggle, and how to make the right call for your organization.</p> <h2> What Is a Monorepo? </h2> <p>A <strong>monorepo</strong> (monolithic repository) stores all services, libraries, and applications in a single version-controlled repository. Every team works in the same codebase, sharing tooling, CI configuration, and dependency management.</p> <p>Notable companies using monorepos include Google, Meta, and Microsoft, though their implementations are backed by custom-built tooling at a scale most teams will never reach.</p> <p>In practice, a monorepo structure looks like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>/repo /apps /web /api-gateway /admin-dashboard /services /users-service /orders-service /payments-service /packages /ui-components /shared-utils /config </code></pre> </div> <p>Popular monorepo tooling includes <strong>Nx</strong>, <strong>Turborepo</strong>, <strong>Lerna</strong>, and <strong>Bazel</strong>, each offering features like dependency graph analysis, affected-only builds, and remote caching.</p> <h2> What Is a Polyrepo? </h2> <p>A <strong>polyrepo</strong> strategy gives each service or application its own dedicated repository. Teams own their repos end-to-end, from code to CI/CD pipeline to deployment configuration.</p> <p>A typical polyrepo setup looks like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>github.com/your-org/web github.com/your-org/api-gateway github.com/your-org/users-service github.com/your-org/orders-service github.com/your-org/shared-ui ← published as an npm package </code></pre> </div> <p>Cross-service shared code is distributed as versioned packages (npm, PyPI, private registries), and each repo independently manages its own dependencies and release cycle.</p> <h2> Monorepo: Key Advantages </h2> <h3> Unified Dependency Management </h3> <p>All services share the same <code>node_modules</code> (or equivalent). Upgrading a shared library, say, a logging utility or a UI component, happens once and propagates everywhere. No more version drift between repos.</p> <h3> Atomic Cross-Service Changes </h3> <p>A single commit can update an API contract and all its consumers simultaneously. This is invaluable when refactoring shared interfaces or rolling out breaking changes, you see the full blast radius in one pull request.</p> <h3> Simplified Code Sharing </h3> <p>Internal packages are imported directly without publishing to a registry. Your <code>orders-service</code> can import from <code>packages/shared-utils</code> with a simple path alias, no versioning, no publish step.</p> <h3> Consistent Tooling and Standards </h3> <p>Linting rules, test configurations, TypeScript settings, and CI pipelines are defined once and enforced across every project. Onboarding a new engineer means one repo to clone, one setup script to run.</p> <h2> Monorepo: Key Challenges </h2> <h3> Build and CI Complexity at Scale </h3> <p>Without smart tooling, a single change triggers a full rebuild of everything. Tools like <strong>Nx</strong> and <strong>Turborepo</strong> solve this with <strong>affected builds</strong>, only rebuilding projects impacted by a change, but they require investment to configure correctly.</p> <h3> Repository Size Over Time </h3> <p>As the repo grows, <code>git clone</code>, <code>git log</code>, and local tooling can slow down. This is manageable for most teams but becomes a real concern at Google or Meta scale.</p> <h3> Access Control Limitations </h3> <p>Standard version control systems don't offer fine-grained folder-level permissions out of the box. If compliance or security requires strict team boundaries, monorepos add friction.</p> <h2> Polyrepo: Key Advantages </h2> <h3> Strong Team Autonomy </h3> <p>Each team owns their repo completely. They choose their own tooling, set their own release schedules, and deploy without coordinating with other teams. This maps cleanly to microservices ownership models.</p> <h3> Isolated CI/CD Pipelines </h3> <p>Pipelines only run for the service that changed. No risk of a flaky test in an unrelated service blocking your deployment.</p> <h3> Clearer Blast Radius </h3> <p>Changes in one repo cannot inadvertently break another, unless a published package version is bumped. This enforces intentionality around cross-service dependencies.</p> <h3> Familiar and Widely Supported </h3> <p>Every developer knows how to work with independent repos. GitHub, GitLab, and Bitbucket all support polyrepo workflows natively with no additional tooling required.</p> <h2> Polyrepo: Key Challenges </h2> <h3> Dependency Version Drift </h3> <p>When 12 services each pin their own version of a shared library, you end up with 12 different versions in production. Security patches and upgrades become coordination nightmares.</p> <h3> Painful Cross-Service Refactoring </h3> <p>Renaming a shared interface or updating an API contract requires opening PRs across multiple repos, coordinating merges, and hoping nothing gets missed. There's no atomic cross-repo commit.</p> <h3> Duplicated Boilerplate </h3> <p>CI configuration, Dockerfile templates, lint rules, and test setups get copy-pasted across repos and then slowly diverge. Standardizing them requires manual effort or internal tooling investment.</p> <h3> Discoverability Overhead </h3> <p>Finding which repo owns a piece of functionality, understanding the dependency graph between services, and onboarding new engineers all become harder as the number of repos grows.</p> <h2> Head-to-Head Comparison </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Dimension</th> <th>Monorepo</th> <th>Polyrepo</th> </tr> </thead> <tbody> <tr> <td>Code sharing</td> <td>Native, zero friction</td> <td>Via versioned packages</td> </tr> <tr> <td>Team autonomy</td> <td>Shared conventions required</td> <td>Full independence</td> </tr> <tr> <td>Atomic refactoring</td> <td>Single PR across services</td> <td>Multi-repo coordination</td> </tr> <tr> <td>CI/CD speed (early stage)</td> <td>Centralized pipelines</td> <td>Isolated pipelines</td> </tr> <tr> <td>CI/CD speed (at scale)</td> <td>Requires smart build tooling</td> <td>No cross-service impact</td> </tr> <tr> <td>Dependency management</td> <td>Single source of truth</td> <td>Version drift risk</td> </tr> <tr> <td>Access control</td> <td>Limited granularity</td> <td>Repo-level isolation</td> </tr> <tr> <td>Onboarding complexity</td> <td>One repo to learn</td> <td>Many repos to navigate</td> </tr> <tr> <td>Tooling investment</td> <td>Higher upfront (Nx, Turborepo)</td> <td>Lower upfront</td> </tr> </tbody> </table></div> <h2> How to Make the Right Decision </h2> <p>Rather than defaulting to one strategy, evaluate these four factors:</p> <h3> 1. Team Size and Structure </h3> <p>Small teams (under 10 engineers) almost always benefit from a monorepo, the coordination overhead of polyrepo outweighs the autonomy benefits. Larger organizations with dedicated platform teams are better equipped to manage polyrepo complexity.</p> <h3> 2. Degree of Code Sharing </h3> <p>If services share a significant amount of code UI libraries, API clients, validation schemas, domain models, a monorepo eliminates the version management overhead that polyrepo introduces.</p> <h3> 3. Deployment Independence Requirements </h3> <p>If regulatory, compliance, or security requirements demand hard boundaries between services, polyrepo provides natural isolation. Monorepos can enforce boundaries via tooling, but it requires discipline.</p> <h3> 4. Tooling Maturity </h3> <p>A monorepo without proper tooling is a pain. If your team isn't ready to invest in configuring <strong>Nx</strong>, <strong>Turborepo</strong>, or equivalent, a polyrepo may be the more pragmatic short-term choice.</p> <h2> Hybrid Approaches </h2> <p>Many mature organizations land on a <strong>hybrid strategy</strong>:</p> <ul> <li>Group closely related services (e.g., all backend microservices) into a <strong>single monorepo</strong> with Nx or Turborepo.</li> <li>Keep unrelated products or platforms in <strong>separate repos</strong>.</li> <li>Publish stable, widely-consumed libraries to a <strong>private package registry</strong>.</li> </ul> <p>This balances autonomy, code sharing, and operational complexity without forcing a binary choice.</p> <h2> Conclusion </h2> <p>The monorepo vs. polyrepo decision is less about which is objectively better and more about <strong>what fits your team's current size, workflow, and tooling investment capacity</strong>.</p> <p>If you're optimizing for fast iteration, easy code sharing, and consistent standards lean toward a <strong>monorepo</strong> with modern tooling like Nx or Turborepo. If you're optimizing for team autonomy, strict service isolation, and minimal cross-team coordination a <strong>polyrepo</strong> approach gives you clean boundaries.</p> <p>Whatever you choose, document the decision, define clear conventions, and revisit it as your organization scales. The best architecture is the one your team can actually operate effectively.</p> monorepo polyrepo architecture programming Micro-Frontends Explained: How to Implement Module Federation ThankGod Chibugwum Obobo Sun, 08 Mar 2026 17:00:00 +0000 https://forem.com/actocodes/micro-frontends-explained-how-to-implement-module-federation-oe3 https://forem.com/actocodes/micro-frontends-explained-how-to-implement-module-federation-oe3 <p>Frontend applications are growing in complexity. As teams scale and codebases expand, a single monolithic frontend becomes just as problematic as a monolithic backend, slow builds, deployment bottlenecks, and team conflicts over shared code.</p> <p><strong>Micro-frontends</strong> apply the same decomposition principles as microservices to the UI layer. And with <strong>Webpack Module Federation</strong>, implementing micro-frontends has never been more practical.</p> <p>In this guide, you'll learn what micro-frontends are, when to use them, and how to set up Module Federation step-by-step, with real configuration examples you can apply to your own projects.</p> <h2> What Are Micro-Frontends? </h2> <p>A micro-frontend architecture breaks a web application into smaller, independently deployable UI units each owned by a separate team, built with its own toolchain, and composed together at runtime.</p> <p>Think of it this way: instead of one giant React app that every team commits to, you have:</p> <ul> <li>A <strong>shell app</strong> (host) that defines the layout and navigation.</li> <li>Multiple <strong>remote apps</strong> (micro-frontends) that own specific features or pages.</li> </ul> <p>Each remote can be developed, tested, and deployed independently without touching the host or other remotes.</p> <h3> When Should You Use Micro-Frontends? </h3> <p>Micro-frontends are best suited for:</p> <ul> <li> <strong>Large teams</strong> working on the same product with minimal coordination overhead.</li> <li> <strong>Multi-team organizations</strong> where different squads own distinct product areas.</li> <li> <strong>Legacy modernization</strong> — incrementally replacing parts of an old app without a full rewrite.</li> <li> <strong>Independent deployment cycles</strong> — when one team shouldn't be blocked by another's release schedule.</li> </ul> <p>They're overkill for small teams or early-stage products. Start with a well-structured monorepo first.</p> <h2> What Is Webpack Module Federation? </h2> <p>Introduced in <strong>Webpack 5</strong>, <strong>Module Federation</strong> is a native plugin that allows JavaScript bundles to dynamically load code from other independently deployed applications at runtime.</p> <p>Before Module Federation, sharing code across apps required publishing npm packages, a slow feedback loop. Module Federation eliminates that by letting apps <strong>expose and consume modules directly over the network</strong>.</p> <p>Key concepts:<br> | Term | Description |<br> |------|-------------|<br> | <strong>Host</strong> | The shell app that consumes remote modules |<br> | <strong>Remote</strong> | An app that exposes modules to be consumed |<br> | <strong>Shared</strong> | Dependencies shared across host and remotes to avoid duplication |<br> | <strong>Exposes</strong> | The modules a remote makes available |</p> <h2> Step 1 — Project Structure </h2> <p>For this guide, we'll build two applications:</p> <ul> <li> <code>shell</code> — the host application</li> <li> <code>product-app</code> — a remote micro-frontend exposing a <code>ProductList</code> component </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>/micro-frontend-demo /shell ← Host app /product-app ← Remote app </code></pre> </div> <p>Each app is a standalone Webpack + React project. Initialize them separately:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">mkdir </span>shell product-app <span class="nb">cd </span>shell <span class="o">&amp;&amp;</span> npm init <span class="nt">-y</span> <span class="o">&amp;&amp;</span> npm <span class="nb">install </span>webpack webpack-cli webpack-dev-server react react-dom <span class="nb">cd</span> ../product-app <span class="o">&amp;&amp;</span> npm init <span class="nt">-y</span> <span class="o">&amp;&amp;</span> npm <span class="nb">install </span>webpack webpack-cli webpack-dev-server react react-dom </code></pre> </div> <h2> Step 2 — Configure the Remote App (product-app) </h2> <p>The remote app <strong>exposes</strong> components for the host to consume. Configure <code>ModuleFederationPlugin</code> in its <code>webpack.config.js</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// product-app/webpack.config.js</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">ModuleFederationPlugin</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">webpack</span><span class="dl">'</span><span class="p">).</span><span class="nx">container</span><span class="p">;</span> <span class="nx">module</span><span class="p">.</span><span class="nx">exports</span> <span class="o">=</span> <span class="p">{</span> <span class="na">mode</span><span class="p">:</span> <span class="dl">'</span><span class="s1">development</span><span class="dl">'</span><span class="p">,</span> <span class="na">devServer</span><span class="p">:</span> <span class="p">{</span> <span class="na">port</span><span class="p">:</span> <span class="mi">3001</span> <span class="p">},</span> <span class="na">plugins</span><span class="p">:</span> <span class="p">[</span> <span class="k">new</span> <span class="nc">ModuleFederationPlugin</span><span class="p">({</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">productApp</span><span class="dl">'</span><span class="p">,</span> <span class="na">filename</span><span class="p">:</span> <span class="dl">'</span><span class="s1">remoteEntry.js</span><span class="dl">'</span><span class="p">,</span> <span class="na">exposes</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">./ProductList</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">./src/components/ProductList</span><span class="dl">'</span><span class="p">,</span> <span class="p">},</span> <span class="na">shared</span><span class="p">:</span> <span class="p">{</span> <span class="na">react</span><span class="p">:</span> <span class="p">{</span> <span class="na">singleton</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">requiredVersion</span><span class="p">:</span> <span class="dl">'</span><span class="s1">^18.0.0</span><span class="dl">'</span> <span class="p">},</span> <span class="dl">'</span><span class="s1">react-dom</span><span class="dl">'</span><span class="p">:</span> <span class="p">{</span> <span class="na">singleton</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">requiredVersion</span><span class="p">:</span> <span class="dl">'</span><span class="s1">^18.0.0</span><span class="dl">'</span> <span class="p">},</span> <span class="p">},</span> <span class="p">}),</span> <span class="p">],</span> <span class="p">};</span> </code></pre> </div> <p>Key properties explained:</p> <ul> <li> <strong><code>name</code></strong> — unique identifier for this remote.</li> <li> <strong><code>filename</code></strong> — the manifest file the host will fetch (<code>remoteEntry.js</code>).</li> <li> <strong><code>exposes</code></strong> — maps public aliases to local module paths.</li> <li> <strong><code>shared</code></strong> — prevents React from being loaded twice (critical for hooks to work correctly).</li> </ul> <h2> Step 3 — Configure the Host App (shell) </h2> <p>The shell app <strong>consumes</strong> the remote by referencing its <code>remoteEntry.js</code> URL:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// shell/webpack.config.js</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">ModuleFederationPlugin</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">webpack</span><span class="dl">'</span><span class="p">).</span><span class="nx">container</span><span class="p">;</span> <span class="nx">module</span><span class="p">.</span><span class="nx">exports</span> <span class="o">=</span> <span class="p">{</span> <span class="na">mode</span><span class="p">:</span> <span class="dl">'</span><span class="s1">development</span><span class="dl">'</span><span class="p">,</span> <span class="na">devServer</span><span class="p">:</span> <span class="p">{</span> <span class="na">port</span><span class="p">:</span> <span class="mi">3000</span> <span class="p">},</span> <span class="na">plugins</span><span class="p">:</span> <span class="p">[</span> <span class="k">new</span> <span class="nc">ModuleFederationPlugin</span><span class="p">({</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">shell</span><span class="dl">'</span><span class="p">,</span> <span class="na">remotes</span><span class="p">:</span> <span class="p">{</span> <span class="na">productApp</span><span class="p">:</span> <span class="dl">'</span><span class="s1">productApp@http://localhost:3001/remoteEntry.js</span><span class="dl">'</span><span class="p">,</span> <span class="p">},</span> <span class="na">shared</span><span class="p">:</span> <span class="p">{</span> <span class="na">react</span><span class="p">:</span> <span class="p">{</span> <span class="na">singleton</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">requiredVersion</span><span class="p">:</span> <span class="dl">'</span><span class="s1">^18.0.0</span><span class="dl">'</span> <span class="p">},</span> <span class="dl">'</span><span class="s1">react-dom</span><span class="dl">'</span><span class="p">:</span> <span class="p">{</span> <span class="na">singleton</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">requiredVersion</span><span class="p">:</span> <span class="dl">'</span><span class="s1">^18.0.0</span><span class="dl">'</span> <span class="p">},</span> <span class="p">},</span> <span class="p">}),</span> <span class="p">],</span> <span class="p">};</span> </code></pre> </div> <p>The remote reference follows the pattern: <code>name@url/remoteEntry.js</code></p> <h2> Step 4 — Consume the Remote Component </h2> <p>In your shell app, import the remote component using a <strong>dynamic import with React.lazy</strong>. This is required because Module Federation loads code asynchronously at runtime:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="c1">// shell/src/App.tsx</span> <span class="k">import</span> <span class="nx">React</span><span class="p">,</span> <span class="p">{</span> <span class="nx">Suspense</span><span class="p">,</span> <span class="nx">lazy</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">react</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">ProductList</span> <span class="o">=</span> <span class="nf">lazy</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="k">import</span><span class="p">(</span><span class="dl">'</span><span class="s1">productApp/ProductList</span><span class="dl">'</span><span class="p">));</span> <span class="k">export</span> <span class="k">default</span> <span class="kd">function</span> <span class="nf">App</span><span class="p">()</span> <span class="p">{</span> <span class="k">return </span><span class="p">(</span> <span class="p">&lt;</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">h1</span><span class="p">&gt;</span>My Store<span class="p">&lt;/</span><span class="nt">h1</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nc">Suspense</span> <span class="na">fallback</span><span class="p">=</span><span class="si">{</span><span class="p">&lt;</span><span class="nt">div</span><span class="p">&gt;</span>Loading products...<span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span><span class="si">}</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nc">ProductList</span> <span class="p">/&gt;</span> <span class="p">&lt;/</span><span class="nc">Suspense</span><span class="p">&gt;</span> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>When the shell renders <code>&lt;ProductList /&gt;</code>, Webpack fetches the component's bundle from the <code>product-app</code> server at runtime — not at build time.</p> <h2> Step 5 — Sharing State Across Micro-Frontends </h2> <p>One of the trickiest aspects of micro-frontends is <strong>cross-app state management</strong>. A few proven approaches:</p> <h3> URL as State </h3> <p>Use the URL (query params, path segments) as the source of truth for shared state. It's universally accessible and framework-agnostic.</p> <h3> Custom Events (Web APIs) </h3> <p>Use the browser's native <code>CustomEvent</code> API for lightweight communication between micro-frontends:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// In product-app — dispatch an event</span> <span class="nb">window</span><span class="p">.</span><span class="nf">dispatchEvent</span><span class="p">(</span><span class="k">new</span> <span class="nc">CustomEvent</span><span class="p">(</span><span class="dl">'</span><span class="s1">product:selected</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">detail</span><span class="p">:</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="mi">42</span> <span class="p">}</span> <span class="p">}));</span> <span class="c1">// In shell — listen for the event</span> <span class="nb">window</span><span class="p">.</span><span class="nf">addEventListener</span><span class="p">(</span><span class="dl">'</span><span class="s1">product:selected</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">e</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">Selected product:</span><span class="dl">'</span><span class="p">,</span> <span class="nx">e</span><span class="p">.</span><span class="nx">detail</span><span class="p">.</span><span class="nx">id</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <h3> Shared State Library </h3> <p>If deeper integration is needed, expose a shared store (e.g., Zustand or a Redux slice) via Module Federation's <code>shared</code> config and consume it across remotes.</p> <h2> Step 6 — Deployment Considerations </h2> <p>In production, each micro-frontend is deployed independently to its own origin (CDN bucket, cloud function, or container). Update your remote URLs to use environment variables:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">remotes</span><span class="p">:</span> <span class="p">{</span> <span class="nl">productApp</span><span class="p">:</span> <span class="s2">`productApp@</span><span class="p">${</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">PRODUCT_APP_URL</span><span class="p">}</span><span class="s2">/remoteEntry.js`</span><span class="p">,</span> <span class="p">},</span> </code></pre> </div> <p><strong>Deployment best practices:</strong></p> <ul> <li> <strong>Version your remote entries</strong> — use content-hashed filenames or versioned paths (<code>/v2/remoteEntry.js</code>) to prevent stale cache issues.</li> <li> <strong>Health checks</strong> — monitor <code>remoteEntry.js</code> availability; a failed remote shouldn't crash the entire shell.</li> <li> <strong>Fallback UI</strong> — always wrap remote imports in <code>&lt;Suspense&gt;</code> and error boundaries.</li> <li> <strong>CI/CD independence</strong> — each remote should have its own pipeline with no dependency on the host's release cycle.</li> </ul> <h2> Common Pitfalls to Avoid </h2> <p><strong>Duplicate dependencies:</strong> Forgetting to mark <code>react</code> and <code>react-dom</code> as <code>singleton</code> in shared config causes multiple React instances breaking hooks and context. Always enforce singletons for peer dependencies.</p> <p><strong>Tight coupling through contracts:</strong> If remotes depend on props or APIs defined by the host, you've recreated the monolith problem. Remotes should be self-contained and communicate via events or shared state patterns.</p> <p><strong>Over-decomposing the UI:</strong> Not every component needs to be a micro-frontend. Decompose at the <strong>page or feature level</strong>, not the component level.</p> <h2> Conclusion </h2> <p><strong>Webpack Module Federation</strong> makes micro-frontends practical for production teams. By independently developing, deploying, and composing UI modules, you unlock true frontend scalability, shorter release cycles, clearer ownership, and the freedom to evolve each part of your UI without coordinating a full-app deployment.</p> <p>Start with a single remote extracted from your monolith, validate the workflow end-to-end, and expand incrementally. The architecture rewards patience and deliberate boundaries.</p> <p><em>Building micro-frontends with a different bundler like Vite or Rspack? Let me know in the comments, a follow-up guide might be on the way.</em></p> microfrontends modulefederation frontendarchitecture softwareengineering How to Migrate from Monolith to Microservices Using NestJS and PostgreSQL ThankGod Chibugwum Obobo Sun, 01 Mar 2026 17:00:00 +0000 https://forem.com/actocodes/how-to-migrate-from-monolith-to-microservices-using-nestjs-and-postgresql-4paj https://forem.com/actocodes/how-to-migrate-from-monolith-to-microservices-using-nestjs-and-postgresql-4paj <p>As your application grows, a monolithic backend can become a bottleneck, deployments slow down, teams step on each other's code, and scaling a single feature means scaling the entire app. The shift to a <strong>microservices architecture</strong> is one of the most impactful decisions you can make to ensure long-term scalability and maintainability.</p> <p>In this guide, you'll learn how to transition a monolithic Node.js backend to a microservices architecture using <strong>NestJS</strong> and <strong>PostgreSQL</strong>. We'll cover the architectural concepts, practical decomposition strategies, inter-service communication, and database-per-service patterns, giving you a clear, step-by-step roadmap.</p> <h2> What Is a Monolithic Architecture? </h2> <p>A monolithic application bundles all business logic, authentication, user management, payments, notifications, and more into a single deployable unit. While this works well early on, it comes with notable drawbacks as complexity scales:</p> <ul> <li> <strong>Tight coupling</strong> between modules makes changes risky.</li> <li> <strong>Scaling bottlenecks</strong> force you to scale the entire app instead of just the hot paths.</li> <li> <strong>Long deployment cycles</strong> increase downtime risk.</li> <li> <strong>Team friction</strong> grows as multiple engineers work in the same codebase.</li> </ul> <p>Recognizing these pain points is the first step toward making the right architectural shift.</p> <h2> Why NestJS Is Ideal for Microservices </h2> <p><strong>NestJS</strong> is a progressive Node.js framework built with TypeScript and inspired by Angular's module-based architecture. It has first-class support for microservices out of the box via its <code>@nestjs/microservices</code> package.</p> <p>Key advantages NestJS brings to microservices:</p> <ul> <li> <strong>Transport-agnostic communication:</strong> supports TCP, Redis, NATS, Kafka, RabbitMQ, and gRPC.</li> <li> <strong>Modular architecture:</strong> each domain naturally maps to an isolated NestJS module.</li> <li> <strong>Decorators and dependency injection:</strong> reduce boilerplate and improve testability.</li> <li> <strong>Consistent patterns:</strong> your team uses the same conventions across every service.</li> </ul> <h2> Step 1: Identify Service Boundaries (Domain Decomposition) </h2> <p>Before writing any code, map out your domain. A common strategy is <strong>Domain-Driven Design (DDD)</strong>, where you identify bounded contexts, logical groupings of business logic that operate independently. We mentioned this last week <a href="https://actocodes.hashnode.dev/decoupling-business-logic" rel="noopener noreferrer">here</a>.</p> <p>For example, an e-commerce monolith might be decomposed into:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnt9p2i09u73zb78zjyuy.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnt9p2i09u73zb78zjyuy.png" alt="common services and responsibilities" width="422" height="183"></a></p> <blockquote> <p><strong>Rule of thumb:</strong> If two pieces of logic require different scaling, different teams, or different release cycles, they belong in separate services.</p> </blockquote> <h2> Step 2: Set Up a NestJS Microservice </h2> <p>Let's scaffold a basic microservice. First, install the necessary packages:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install</span> @nestjs/microservices </code></pre> </div> <p>Then, bootstrap your service to listen over TCP (or any transport of your choice):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// main.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">NestFactory</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@nestjs/core</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Transport</span><span class="p">,</span> <span class="nx">MicroserviceOptions</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@nestjs/microservices</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">AppModule</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./app.module</span><span class="dl">'</span><span class="p">;</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">bootstrap</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">app</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">NestFactory</span><span class="p">.</span><span class="nx">createMicroservice</span><span class="o">&lt;</span><span class="nx">MicroserviceOptions</span><span class="o">&gt;</span><span class="p">(</span><span class="nx">AppModule</span><span class="p">,</span> <span class="p">{</span> <span class="na">transport</span><span class="p">:</span> <span class="nx">Transport</span><span class="p">.</span><span class="nx">TCP</span><span class="p">,</span> <span class="na">options</span><span class="p">:</span> <span class="p">{</span> <span class="na">host</span><span class="p">:</span> <span class="dl">'</span><span class="s1">0.0.0.0</span><span class="dl">'</span><span class="p">,</span> <span class="na">port</span><span class="p">:</span> <span class="mi">3001</span> <span class="p">},</span> <span class="p">});</span> <span class="k">await</span> <span class="nx">app</span><span class="p">.</span><span class="nf">listen</span><span class="p">();</span> <span class="p">}</span> <span class="nf">bootstrap</span><span class="p">();</span> </code></pre> </div> <p>Your service is now an independent process that communicates via TCP. Other services (or an API Gateway) can send messages to it using NestJS's <code>ClientProxy</code>.</p> <h2> Step 3: Database Per Service with PostgreSQL </h2> <p>One of the most critical principles in microservices is <strong>database isolation</strong>. Each service should own its data, no shared tables, no cross-service joins.</p> <p>With <strong>PostgreSQL</strong>, this means:</p> <ul> <li>Each service gets its own <strong>database or schema</strong>.</li> <li>Services never query another service's database directly.</li> <li>Data consistency across services is achieved via <strong>events</strong>, not transactions.</li> </ul> <p>Here's how to configure TypeORM in a NestJS microservice pointing to its own PostgreSQL database:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// app.module.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">TypeOrmModule</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@nestjs/typeorm</span><span class="dl">'</span><span class="p">;</span> <span class="p">@</span><span class="nd">Module</span><span class="p">({</span> <span class="na">imports</span><span class="p">:</span> <span class="p">[</span> <span class="nx">TypeOrmModule</span><span class="p">.</span><span class="nf">forRoot</span><span class="p">({</span> <span class="na">type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">postgres</span><span class="dl">'</span><span class="p">,</span> <span class="na">host</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">DB_HOST</span><span class="p">,</span> <span class="na">port</span><span class="p">:</span> <span class="mi">5432</span><span class="p">,</span> <span class="na">username</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">DB_USER</span><span class="p">,</span> <span class="na">password</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">DB_PASS</span><span class="p">,</span> <span class="na">database</span><span class="p">:</span> <span class="dl">'</span><span class="s1">orders_db</span><span class="dl">'</span><span class="p">,</span> <span class="na">entities</span><span class="p">:</span> <span class="p">[</span><span class="nx">Order</span><span class="p">],</span> <span class="na">synchronize</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="p">}),</span> <span class="p">],</span> <span class="p">})</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">AppModule</span> <span class="p">{}</span> </code></pre> </div> <blockquote> <p><strong>Pro tip:</strong> Use <strong>database migrations</strong> (via TypeORM) instead of <code>synchronize: true</code> in any environment beyond local development.</p> </blockquote> <h2> Step 4: Inter-Service Communication </h2> <p>Services need to talk to each other. There are two primary communication patterns:</p> <h3> Synchronous (Request/Response) </h3> <p>Used when the caller needs an immediate answer, e.g., fetching a user's profile during order creation.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// In the orders-service, calling the users-service</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nx">usersClient</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="dl">'</span><span class="s1">get_user</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="nx">userId</span> <span class="p">}).</span><span class="nf">toPromise</span><span class="p">();</span> </code></pre> </div> <h3> Asynchronous (Event-Driven) </h3> <p>Used when you want to decouple services, e.g., emitting an <code>order_placed</code> event that the notifications-service listens for.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Emit an event — fire and forget</span> <span class="k">this</span><span class="p">.</span><span class="nx">client</span><span class="p">.</span><span class="nf">emit</span><span class="p">(</span><span class="dl">'</span><span class="s1">order_placed</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="nx">orderId</span><span class="p">,</span> <span class="nx">userId</span><span class="p">,</span> <span class="nx">total</span> <span class="p">});</span> </code></pre> </div> <p>For production workloads, consider using <strong>NATS</strong>, <strong>RabbitMQ</strong>, or <strong>Kafka</strong> as the message broker instead of bare TCP. These provide message persistence, retries, and fan-out delivery.</p> <h2> Step 5: API Gateway Pattern </h2> <p>In a microservices setup, clients shouldn't talk directly to individual services. Instead, implement an <strong>API Gateway</strong> — a single entry point that routes requests to the appropriate service.</p> <p>In NestJS, your gateway is a standard HTTP application that acts as a client to multiple microservices:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="p">@</span><span class="nd">Controller</span><span class="p">(</span><span class="dl">'</span><span class="s1">orders</span><span class="dl">'</span><span class="p">)</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">OrdersController</span> <span class="p">{</span> <span class="nf">constructor</span><span class="p">(</span> <span class="p">@</span><span class="nd">Inject</span><span class="p">(</span><span class="dl">'</span><span class="s1">ORDERS_SERVICE</span><span class="dl">'</span><span class="p">)</span> <span class="k">private</span> <span class="k">readonly</span> <span class="nx">ordersClient</span><span class="p">:</span> <span class="nx">ClientProxy</span><span class="p">,</span> <span class="p">)</span> <span class="p">{}</span> <span class="p">@</span><span class="nd">Post</span><span class="p">()</span> <span class="nf">createOrder</span><span class="p">(@</span><span class="nd">Body</span><span class="p">()</span> <span class="nx">dto</span><span class="p">:</span> <span class="nx">CreateOrderDto</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="k">this</span><span class="p">.</span><span class="nx">ordersClient</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="dl">'</span><span class="s1">create_order</span><span class="dl">'</span><span class="p">,</span> <span class="nx">dto</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>The API Gateway handles:</p> <ul> <li> <strong>Authentication &amp; authorization</strong> (JWT validation)</li> <li><strong>Rate limiting</strong></li> <li><strong>Request routing</strong></li> <li><strong>Response aggregation</strong></li> </ul> <h2> Step 6: Migrating Incrementally with the Strangler Fig Pattern </h2> <p>You don't have to rewrite everything at once. The <strong>Strangler Fig Pattern</strong> lets you migrate piece by piece:</p> <ol> <li> <strong>Identify</strong> the most isolated module in your monolith (e.g., notifications).</li> <li> <strong>Extract</strong> it into a standalone NestJS microservice.</li> <li> <strong>Route</strong> traffic for that domain to the new service via your API Gateway.</li> <li> <strong>Retire</strong> the corresponding code from the monolith.</li> <li> <strong>Repeat</strong> for the next module.</li> </ol> <p>This approach minimizes risk and keeps your application running throughout the migration.</p> <h2> Common Pitfalls to Avoid </h2> <p><strong>Distributed monolith:</strong> If your services are tightly coupled via synchronous calls and shared databases, you have a distributed monolith with all the complexity of microservices and none of the benefits. Design for loose coupling from day one.<br> <strong>Over-decomposition:</strong> Not every function needs its own service. Start with 3–5 well-defined services and split further only when a clear need arises.<br> <strong>Ignoring observability:</strong> In a distributed system, tracing a request across services requires dedicated tooling. Integrate <strong>distributed tracing</strong> (e.g., OpenTelemetry) and <strong>centralized logging</strong> (e.g., ELK stack) early.</p> <h2> Conclusion </h2> <p>Migrating from a monolith to microservices is not a flip-of-a-switch operation, it's a deliberate, incremental process. With <strong>NestJS</strong> providing a structured and transport-flexible framework, and <strong>PostgreSQL</strong> offering a battle-tested relational database, you have a solid foundation to build scalable, maintainable backend systems.</p> <p>Start by identifying your domain boundaries, extract one service at a time using the Strangler Fig Pattern, and invest early in observability and messaging infrastructure. Done right, your architecture will scale with your product, and your team.</p> <p><em>Have questions about your specific migration scenario? Drop them in the comments below.</em></p> scalability programming softwareengineering architecture Decoupling Business Logic: A Fullstack Guide to Domain-Driven Design (DDD) ThankGod Chibugwum Obobo Sun, 22 Feb 2026 17:00:00 +0000 https://forem.com/actocodes/decoupling-business-logic-a-fullstack-guide-to-domain-driven-design-ddd-b6g https://forem.com/actocodes/decoupling-business-logic-a-fullstack-guide-to-domain-driven-design-ddd-b6g <p>One of the biggest mistakes in modern development is letting your framework (React, NestJS, Flutter) dictate your business logic. When the "rules" of your application are scattered across UI components and Database controllers, your system becomes a "Big Ball of Mud."</p> <p><strong>Domain-Driven Design (DDD)</strong> is the architectural remedy. It allows us to build a "Brain" (The Domain) that is independent of the "Body" (The Framework).</p> <p>Building on the <a href="https://actocodes.hashnode.dev/scalable-folder-structures" rel="noopener noreferrer">scalable folder structures</a> we discussed previously, we’re now diving into Domain-Driven Design (DDD). We are moving beyond simple organization to a modular architecture where each feature acts as a standalone unit, a vital step for anyone looking to implement Micro-Frontends or Microservices.</p> <h2> 1. The Core Philosophy: The Bounded Context </h2> <p>In an enterprise system, the word "User" means different things to different departments.</p> <ul> <li> <strong>In Auth:</strong> A User is a set of credentials (email/password).</li> <li> <strong>In Billing:</strong> A User is a tax ID and a credit card.</li> <li> <strong>In Support:</strong> A User is a ticket history.</li> </ul> <p>Instead of one massive <code>User</code> class that handles everything, DDD teaches us to create <strong>Bounded Contexts</strong>. We split the application into logical boundaries where terms are consistent.</p> <h2> 2. The Layered Blueprint (Frontend &amp; Backend) </h2> <p>Whether you are in a NestJS service or a React feature folder, the internal structure should follow these four layers:</p> <h3> A. The Domain Layer (The Core) </h3> <ul> <li> <strong>Content:</strong> Entities, Value Objects, and Domain Services.</li> <li> <strong>Rule:</strong> <strong>Zero Dependencies.</strong> It should not know about React, NestJS, Axios, or TypeORM.</li> <li> <strong>Example:</strong> A <code>calculateInvoiceTotal()</code> function that only cares about math and business rules.</li> </ul> <h3> B. The Application Layer (The Orchestrator) </h3> <ul> <li> <strong>Content:</strong> Use Cases, Ports, and Custom Hooks.</li> <li> <strong>Role:</strong> It tells the Domain what to do. </li> <li> <strong>Frontend:</strong> A React Hook like <code>useCheckoutFlow()</code>.</li> <li> <strong>Backend:</strong> A NestJS Service that coordinates between the Database and the Domain.</li> </ul> <h3> C. The Infrastructure Layer (The External World) </h3> <ul> <li> <strong>Content:</strong> Repositories, API Clients, Database Models.</li> <li> <strong>Role:</strong> Technical implementation. This is where you write your SQL queries or your <code>fetch()</code> calls.</li> </ul> <h3> D. The Presentation Layer (The Interface) </h3> <ul> <li> <strong>Content:</strong> React Components / NestJS Controllers.</li> <li> <strong>Role:</strong> Translating user input (clicks or HTTP requests) into something the Application layer understands.</li> </ul> <h2> 3. Why DDD is the Secret to Fullstack Harmony </h2> <p>When both your Frontend and Backend teams use DDD:</p> <ol> <li> <strong>Shared Language:</strong> The <code>DiscountCode</code> logic in the React app matches the <code>DiscountCode</code> logic in the NestJS API.</li> <li> <strong>Easier Migrations:</strong> If you want to move from Postgres to MongoDB (Infrastructure), your Business Logic (Domain) stays exactly the same.</li> <li> <strong>Microservices &amp; MFE Ready:</strong> Because your contexts are already isolated, splitting a Monolith into Microservices or Micro-Frontends becomes a "copy-paste" job rather than a rewrite.</li> </ol> <h2> 4. Summary: The DDD Checklist </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Layer</th> <th>Responsibility</th> <th>Framework Dependency?</th> </tr> </thead> <tbody> <tr> <td><strong>Domain</strong></td> <td>Business Rules &amp; Logic</td> <td>No</td> </tr> <tr> <td><strong>Application</strong></td> <td>Workflow Orchestration</td> <td>Minimal (Hooks/Services)</td> </tr> <tr> <td><strong>Infrastructure</strong></td> <td>Data &amp; External Tools</td> <td>Yes (DB/API)</td> </tr> <tr> <td><strong>Presentation</strong></td> <td>UI &amp; Entry Points</td> <td>Yes (React/Nest)</td> </tr> </tbody> </table></div> <h3> Conclusion </h3> <p>DDD is not about adding more files; it’s about putting logic where it belongs. By isolating your "Domain," you ensure that your business rules remain stable even as frontend frameworks and backend databases evolve.</p> softwaredevelopment typescript ddd cleancode Scalable Folder Structures: How I Organized Nest.js, Nuxt.js and Next.js for Enterprise Projects ThankGod Chibugwum Obobo Sun, 15 Feb 2026 17:00:00 +0000 https://forem.com/actocodes/scalable-folder-structures-how-i-organized-nestjs-nuxtjs-and-nextjs-for-enterprise-projects-p8k https://forem.com/actocodes/scalable-folder-structures-how-i-organized-nestjs-nuxtjs-and-nextjs-for-enterprise-projects-p8k <p>This topic addresses one of the most debated aspects of frontend and backend development, where to put your files. As projects scale from 10 to 100+ modules, the standard "folders by type" approach often becomes a bottleneck for developer productivity.</p> <p>When a project is small, organizing by type (e.g., all controllers in one folder, all components in another) feels intuitive. But as I found while building modular UIs and enterprise systems, this structure eventually leads to "Folder Sprawl." </p> <p>To build for scale, we shifted from <strong>Type-based</strong> organization to <strong>Feature-based</strong> organization. Here is the blueprint for how to structure enterprise-grade apps across the stack.</p> <h2> 1. The Debate: Type-based vs. Feature-based </h2> <h3> The Type-based Approach </h3> <p>Organizing by what the file <em>is</em> (Components, Services, Models).</p> <ul> <li> <strong>Pros:</strong> Easy to set up, follows framework defaults.</li> <li> <strong>Cons:</strong> To work on a "User Profile" feature, you must open five different folders. It increases cognitive load and makes code discovery difficult.</li> </ul> <h3> The Feature-based Approach </h3> <p>Organizing by what the file <em>does</em> (Authentication, Billing, Dashboard).</p> <ul> <li> <strong>Pros:</strong> High cohesion, everything related to a feature is in one place.</li> <li> <strong>Cons:</strong> Requires more discipline and a "Shared" module for cross-cutting concerns.</li> </ul> <h2> 2. Implementation: Nest.js </h2> <p>Nest.js is designed around modules, which naturally encourages a feature-based structure.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>nestjs-app/ ├── src/ │ ├── main.ts │ ├── app.module.ts │ │ │ ├── common/ # Shared across all features │ │ ├── decorators/ │ │ ├── guards/ │ │ ├── interceptors/ │ │ ├── pipes/ │ │ ├── filters/ │ │ ├── middleware/ │ │ ├── interfaces/ │ │ └── utils/ │ │ │ ├── config/ # Configuration │ │ ├── database.config.ts │ │ ├── app.config.ts │ │ └── validation.schema.ts │ │ │ ├── features/ # Feature modules │ │ │ │ │ ├── auth/ │ │ │ ├── auth.module.ts │ │ │ ├── auth.controller.ts │ │ │ ├── auth.service.ts │ │ │ ├── dto/ │ │ │ │ ├── login.dto.ts │ │ │ │ ├── register.dto.ts │ │ │ │ └── refresh-token.dto.ts │ │ │ ├── entities/ │ │ │ │ └── session.entity.ts │ │ │ ├── guards/ │ │ │ │ ├── jwt-auth.guard.ts │ │ │ │ └── roles.guard.ts │ │ │ ├── strategies/ │ │ │ │ ├── jwt.strategy.ts │ │ │ │ └── local.strategy.ts │ │ │ └── tests/ │ │ │ ├── auth.controller.spec.ts │ │ │ └── auth.service.spec.ts │ │ │ │ │ ├── users/ │ │ │ ├── users.module.ts │ │ │ ├── users.controller.ts │ │ │ ├── users.service.ts │ │ │ ├── users.repository.ts │ │ │ ├── dto/ │ │ │ │ ├── create-user.dto.ts │ │ │ │ ├── update-user.dto.ts │ │ │ │ └── user-response.dto.ts │ │ │ ├── entities/ │ │ │ │ └── user.entity.ts │ │ │ ├── interfaces/ │ │ │ │ └── user.interface.ts │ │ │ └── tests/ │ │ │ ├── users.controller.spec.ts │ │ │ └── users.service.spec.ts │ │ │ │ │ ├── products/ │ │ │ ├── products.module.ts │ │ │ ├── products.controller.ts │ │ │ ├── products.service.ts │ │ │ ├── products.repository.ts │ │ │ ├── dto/ │ │ │ │ ├── create-product.dto.ts │ │ │ │ ├── update-product.dto.ts │ │ │ │ └── product-filter.dto.ts │ │ │ ├── entities/ │ │ │ │ ├── product.entity.ts │ │ │ │ └── product-category.entity.ts │ │ │ └── tests/ │ │ │ │ │ ├── orders/ │ │ │ ├── orders.module.ts │ │ │ ├── orders.controller.ts │ │ │ ├── orders.service.ts │ │ │ ├── orders.repository.ts │ │ │ ├── dto/ │ │ │ │ ├── create-order.dto.ts │ │ │ │ └── order-item.dto.ts │ │ │ ├── entities/ │ │ │ │ ├── order.entity.ts │ │ │ │ └── order-item.entity.ts │ │ │ ├── events/ │ │ │ │ └── order-created.event.ts │ │ │ ├── listeners/ │ │ │ │ └── order-notification.listener.ts │ │ │ └── tests/ │ │ │ │ │ └── payments/ │ │ ├── payments.module.ts │ │ ├── payments.controller.ts │ │ ├── payments.service.ts │ │ ├── dto/ │ │ ├── entities/ │ │ └── tests/ │ │ │ └── database/ # Database specific │ ├── migrations/ │ ├── seeds/ │ └── database.module.ts │ ├── test/ # E2E tests │ └── app.e2e-spec.ts │ ├── .env ├── .env.example ├── nest-cli.json ├── package.json ├── tsconfig.json └── README.md </code></pre> </div> <h3> Key Principles for NestJS: </h3> <ul> <li>Each feature is a self-contained module with its own controllers, services, DTOs, and entities</li> <li>Shared utilities and guards go in <code>common/</code> </li> <li>Database entities live within their respective feature folders</li> <li>Each feature can be independently tested and potentially extracted into a microservice</li> </ul> <h2> 3. Implementation: Nuxt.js &amp; Next.js (The Frontend) </h2> <p>Frontend projects often suffer from a <code>components/</code> folder containing 200 unrelated files. For enterprise projects, I implement a "Modular UI" strategy.</p> <h3> Next.js Feature-First Structure </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>nextjs-app/ ├── src/ │ ├── app/ # App Router │ │ ├── layout.tsx │ │ ├── page.tsx │ │ ├── loading.tsx │ │ ├── error.tsx │ │ │ │ │ ├── (auth)/ # Route group │ │ │ ├── login/ │ │ │ │ └── page.tsx │ │ │ └── register/ │ │ │ └── page.tsx │ │ │ │ │ ├── dashboard/ │ │ │ ├── layout.tsx │ │ │ ├── page.tsx │ │ │ └── loading.tsx │ │ │ │ │ ├── products/ │ │ │ ├── page.tsx │ │ │ ├── [id]/ │ │ │ │ ├── page.tsx │ │ │ │ └── loading.tsx │ │ │ └── new/ │ │ │ └── page.tsx │ │ │ │ │ └── api/ # API routes │ │ ├── auth/ │ │ │ └── [...nextauth]/ │ │ │ └── route.ts │ │ ├── products/ │ │ │ ├── route.ts │ │ │ └── [id]/ │ │ │ └── route.ts │ │ └── orders/ │ │ └── route.ts │ │ │ ├── features/ # Feature modules │ │ │ │ │ ├── auth/ │ │ │ ├── components/ │ │ │ │ ├── LoginForm.tsx │ │ │ │ ├── RegisterForm.tsx │ │ │ │ └── AuthProvider.tsx │ │ │ ├── hooks/ │ │ │ │ ├── useAuth.ts │ │ │ │ └── useSession.ts │ │ │ ├── services/ │ │ │ │ └── auth.service.ts │ │ │ ├── types/ │ │ │ │ └── auth.types.ts │ │ │ ├── utils/ │ │ │ │ └── validation.ts │ │ │ └── constants/ │ │ │ └── auth.constants.ts │ │ │ │ │ ├── users/ │ │ │ ├── components/ │ │ │ │ ├── UserProfile.tsx │ │ │ │ ├── UserList.tsx │ │ │ │ └── UserCard.tsx │ │ │ ├── hooks/ │ │ │ │ ├── useUser.ts │ │ │ │ └── useUsers.ts │ │ │ ├── services/ │ │ │ │ └── user.service.ts │ │ │ ├── types/ │ │ │ │ └── user.types.ts │ │ │ └── utils/ │ │ │ └── user.utils.ts │ │ │ │ │ ├── products/ │ │ │ ├── components/ │ │ │ │ ├── ProductCard.tsx │ │ │ │ ├── ProductList.tsx │ │ │ │ ├── ProductDetail.tsx │ │ │ │ ├── ProductForm.tsx │ │ │ │ └── ProductFilters.tsx │ │ │ ├── hooks/ │ │ │ │ ├── useProducts.ts │ │ │ │ ├── useProduct.ts │ │ │ │ └── useProductMutation.ts │ │ │ ├── services/ │ │ │ │ └── product.service.ts │ │ │ ├── types/ │ │ │ │ └── product.types.ts │ │ │ ├── store/ # If using state management │ │ │ │ ├── productSlice.ts │ │ │ │ └── productSelectors.ts │ │ │ └── utils/ │ │ │ └── product.utils.ts │ │ │ │ │ ├── orders/ │ │ │ ├── components/ │ │ │ │ ├── OrderList.tsx │ │ │ │ ├── OrderDetail.tsx │ │ │ │ └── OrderSummary.tsx │ │ │ ├── hooks/ │ │ │ │ └── useOrders.ts │ │ │ ├── services/ │ │ │ │ └── order.service.ts │ │ │ └── types/ │ │ │ └── order.types.ts │ │ │ │ │ └── cart/ │ │ ├── components/ │ │ │ ├── CartDrawer.tsx │ │ │ ├── CartItem.tsx │ │ │ └── CartSummary.tsx │ │ ├── hooks/ │ │ │ └── useCart.ts │ │ ├── store/ │ │ │ └── cartSlice.ts │ │ └── types/ │ │ └── cart.types.ts │ │ │ ├── shared/ # Shared across features │ │ ├── components/ │ │ │ ├── ui/ │ │ │ │ ├── Button.tsx │ │ │ │ ├── Input.tsx │ │ │ │ ├── Modal.tsx │ │ │ │ └── Card.tsx │ │ │ ├── layout/ │ │ │ │ ├── Header.tsx │ │ │ │ ├── Footer.tsx │ │ │ │ ├── Sidebar.tsx │ │ │ │ └── Container.tsx │ │ │ └── forms/ │ │ │ ├── FormInput.tsx │ │ │ └── FormSelect.tsx │ │ ├── hooks/ │ │ │ ├── useDebounce.ts │ │ │ ├── useLocalStorage.ts │ │ │ └── useMediaQuery.ts │ │ ├── utils/ │ │ │ ├── api.ts │ │ │ ├── format.ts │ │ │ └── validation.ts │ │ ├── types/ │ │ │ └── global.types.ts │ │ └── constants/ │ │ └── app.constants.ts │ │ │ ├── lib/ # Third-party configurations │ │ ├── prisma.ts │ │ ├── axios.ts │ │ └── react-query.ts │ │ │ └── styles/ │ ├── globals.css │ └── theme.ts │ ├── public/ │ ├── images/ │ ├── fonts/ │ └── icons/ │ ├── prisma/ # Database schema │ └── schema.prisma │ ├── .env.local ├── .env.example ├── next.config.js ├── tailwind.config.js ├── tsconfig.json ├── package.json └── README.md </code></pre> </div> <h3> Key Principles for Next.js: </h3> <ul> <li>Route-specific components live in <code>app/</code> directory</li> <li>Reusable feature logic (components, hooks, services) lives in <code>features/</code> </li> <li>Shared UI components and utilities in <code>shared/</code> </li> <li>Each feature is independent and can import from other features when needed</li> <li>API routes follow the same feature-based organization</li> </ul> <h3> Nuxt.js Feature-First Structure </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>nuxtjs-app/ ├── app/ │ ├── app.vue │ └── router.options.ts │ ├── assets/ # Uncompiled assets │ ├── styles/ │ │ ├── main.css │ │ └── variables.css │ ├── images/ │ └── fonts/ │ ├── components/ # Auto-imported components │ ├── layout/ │ │ ├── AppHeader.vue │ │ ├── AppFooter.vue │ │ └── AppSidebar.vue │ │ │ └── ui/ # Shared UI components │ ├── BaseButton.vue │ ├── BaseInput.vue │ ├── BaseModal.vue │ └── BaseCard.vue │ ├── composables/ # Auto-imported composables │ ├── useDebounce.ts │ ├── useLocalStorage.ts │ └── useMediaQuery.ts │ ├── features/ # Feature modules │ │ │ ├── auth/ │ │ ├── components/ │ │ │ ├── LoginForm.vue │ │ │ ├── RegisterForm.vue │ │ │ └── PasswordReset.vue │ │ ├── composables/ │ │ │ ├── useAuth.ts │ │ │ └── useSession.ts │ │ ├── services/ │ │ │ └── auth.service.ts │ │ ├── types/ │ │ │ └── auth.types.ts │ │ ├── utils/ │ │ │ └── validation.ts │ │ └── stores/ │ │ └── auth.store.ts │ │ │ ├── users/ │ │ ├── components/ │ │ │ ├── UserProfile.vue │ │ │ ├── UserList.vue │ │ │ ├── UserCard.vue │ │ │ └── UserAvatar.vue │ │ ├── composables/ │ │ │ ├── useUser.ts │ │ │ └── useUsers.ts │ │ ├── services/ │ │ │ └── user.service.ts │ │ ├── types/ │ │ │ └── user.types.ts │ │ ├── utils/ │ │ │ └── user.utils.ts │ │ └── stores/ │ │ └── user.store.ts │ │ │ ├── products/ │ │ ├── components/ │ │ │ ├── ProductCard.vue │ │ │ ├── ProductList.vue │ │ │ ├── ProductDetail.vue │ │ │ ├── ProductForm.vue │ │ │ └── ProductFilters.vue │ │ ├── composables/ │ │ │ ├── useProducts.ts │ │ │ ├── useProduct.ts │ │ │ └── useProductFilters.ts │ │ ├── services/ │ │ │ └── product.service.ts │ │ ├── types/ │ │ │ └── product.types.ts │ │ ├── utils/ │ │ │ └── product.utils.ts │ │ └── stores/ │ │ └── product.store.ts │ │ │ ├── orders/ │ │ ├── components/ │ │ │ ├── OrderList.vue │ │ │ ├── OrderDetail.vue │ │ │ ├── OrderSummary.vue │ │ │ └── OrderStatus.vue │ │ ├── composables/ │ │ │ └── useOrders.ts │ │ ├── services/ │ │ │ └── order.service.ts │ │ ├── types/ │ │ │ └── order.types.ts │ │ └── stores/ │ │ └── order.store.ts │ │ │ └── cart/ │ ├── components/ │ │ ├── CartDrawer.vue │ │ ├── CartItem.vue │ │ └── CartSummary.vue │ ├── composables/ │ │ └── useCart.ts │ ├── types/ │ │ └── cart.types.ts │ └── stores/ │ └── cart.store.ts │ ├── layouts/ # Application layouts │ ├── default.vue │ ├── auth.vue │ └── dashboard.vue │ ├── middleware/ # Route middleware │ ├── auth.ts │ ├── guest.ts │ └── permissions.ts │ ├── pages/ # File-based routing │ ├── index.vue │ │ │ ├── auth/ │ │ ├── login.vue │ │ └── register.vue │ │ │ ├── dashboard/ │ │ └── index.vue │ │ │ ├── products/ │ │ ├── index.vue │ │ ├── [id].vue │ │ └── new.vue │ │ │ └── orders/ │ ├── index.vue │ └── [id].vue │ ├── plugins/ # Nuxt plugins │ ├── api.ts │ └── toast.ts │ ├── public/ # Static files │ ├── favicon.ico │ └── robots.txt │ ├── server/ # Server-side code │ ├── api/ │ │ ├── auth/ │ │ │ ├── login.post.ts │ │ │ └── register.post.ts │ │ ├── products/ │ │ │ ├── index.get.ts │ │ │ ├── [id].get.ts │ │ │ └── [id].put.ts │ │ └── orders/ │ │ ├── index.get.ts │ │ └── [id].get.ts │ │ │ ├── middleware/ │ │ └── auth.ts │ │ │ └── utils/ │ └── db.ts │ ├── stores/ # Global Pinia stores │ └── app.store.ts │ ├── types/ # Global TypeScript types │ └── index.d.ts │ ├── utils/ # Auto-imported utilities │ ├── api.ts │ ├── format.ts │ └── constants.ts │ ├── .env ├── .env.example ├── nuxt.config.ts ├── tailwind.config.js ├── tsconfig.json ├── package.json └── README.md </code></pre> </div> <h3> Key Principles for Nuxt.js: </h3> <ul> <li>File-based routing in <code>pages/</code> directory</li> <li>Feature-specific components in <code>features/[feature]/components/</code> </li> <li>Auto-imported composables from both root <code>composables/</code> and feature-specific directories</li> <li>Server API routes follow feature organization in <code>server/api/</code> </li> <li>Pinia stores for state management within each feature</li> <li>Shared components in root <code>components/</code> directory with auto-import</li> </ul> <h2> 4. Cross-Cutting Concerns: The <code>Shared</code> Module </h2> <p>The biggest risk of feature-based structures is duplication. To solve this, you must have a strictly governed <code>shared</code> or <code>common</code> folder.</p> <ul> <li>Shared UI: Generic buttons, inputs, and layouts.</li> <li>Shared Utils: Date formatters, string manipulators, and validators.</li> <li>Shared Hooks: <code>useWindowSize</code>, <code>useAuthContext</code>.</li> </ul> <p>The Rule: A feature can import from shared, but shared can never import from a feature.</p> <h2> 5. Common Benefits of Feature-First Architecture </h2> <ol> <li> <strong>Scalability</strong>: Easy to add new features without affecting existing ones</li> <li> <strong>Maintainability</strong>: Related code is co-located, making it easier to understand and modify</li> <li> <strong>Team Collaboration</strong>: Different teams can work on different features with minimal conflicts</li> <li> <strong>Code Reusability</strong>: Shared code is explicitly separated from feature-specific code</li> <li> <strong>Testing</strong>: Each feature can be tested independently</li> <li> <strong>Modularity</strong>: Features can potentially be extracted into separate packages or microservices</li> </ol> <h2> 6. Migration Tips </h2> <p>When transitioning from a layer-first to feature-first structure:</p> <ol> <li>Start with new features using the feature-first approach</li> <li>Gradually migrate existing features one at a time</li> <li>Keep shared utilities separate from the start</li> <li>Use barrel exports (index files) to maintain clean import paths</li> <li>Document the structure for your team</li> </ol> <p>Configure path aliases in your <code>tsconfig.json</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"compilerOptions"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"paths"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"@/*"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"./src/*"</span><span class="p">],</span><span class="w"> </span><span class="nl">"@features/*"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"./src/features/*"</span><span class="p">],</span><span class="w"> </span><span class="nl">"@shared/*"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"./src/shared/*"</span><span class="p">],</span><span class="w"> </span><span class="nl">"@common/*"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"./src/common/*"</span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h2> 5. Summary: Scalability Checklist </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Principle</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td><strong>Scale-Ready Structure</strong></td> <td>Design the folder structure to accommodate growth without major refactoring</td> </tr> <tr> <td><strong>Locality</strong></td> <td>Keep logic, types, and styles together with the component/module</td> </tr> <tr> <td><strong>Encapsulation</strong></td> <td>Use index.ts files to export only what is necessary (The Public API pattern)</td> </tr> <tr> <td><strong>Dependency Rule</strong></td> <td>Features should rarely depend on other features; use a Service or Store for communication</td> </tr> <tr> <td><strong>Naming</strong></td> <td>Use consistent suffixes (e.g., user.controller.ts, user.service.ts) for easy searching</td> </tr> </tbody> </table></div> <h2> Conclusion </h2> <p>Structure is not just about aesthetics, it is about developer velocity. By organizing Nest.js, Nuxt.js, and Next.js around features rather than types, you reduce the "mental tax" of navigating the codebase. This allows your team to spend less time finding files and more time building features.</p> softwaredevelopment softwareengineering programming cleancode