The latest articles on DEV Community by Fahad Hafeez (@fahadhafeeezofficial). https://dev.to/fahadhafeeezofficial https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3992303%2Fb0c0846d-ebef-46fe-8489-68a4d1e7056f.png https://dev.to/fahadhafeeezofficial en Fahad Hafeez Fri, 19 Jun 2026 09:56:20 +0000 https://dev.to/fahadhafeeezofficial/i-built-a-github-app-that-auto-generates-adversarial-tests-for-ai-written-code-heres-how-it-works-3371 https://dev.to/fahadhafeeezofficial/i-built-a-github-app-that-auto-generates-adversarial-tests-for-ai-written-code-heres-how-it-works-3371 <p>Six months ago I kept reading the same story. Developer uses Cursor or Claude Code to ship a feature. CI goes green. Merge lands. Three days later, production breaks in a way no test caught.<br> The failure mode isn't the model being wrong. It's that the tests being run were never designed for what an AI agent might do. The agent writes code that's syntactically correct, type-safe, and passes every existing check — but introduces a semantic error nobody scripted a test for.<br> So I built Khwand: a GitHub App that generates those tests automatically on every push.<br> How it works<br> When a push event hits the webhook, Khwand does four things:</p> <ol> <li>AST extraction via tree-sitter We parse the changed Python files and extract function signatures, bodies, docstrings, and type annotations as structured data:</li> </ol> <p><code>_pythonparser = Parser()<br> parser.set_language(PY_LANGUAGE)<br> tree = parser.parse(bytes(source_code, "utf8"))<br> for node in traverse(tree.root_node):<br> if node.type == "function_definition":<br> functions.append(extract_function_data(node, source_code))_</code></p> <ol> <li>Intent extraction via ReAct agent A ReAct agent running on Groq reads each function and produces a structured intent spec: what this function should always do, what it should never do, and what edge cases are most likely to break it.</li> <li>Adversarial test generation A Planner Agent generates targeted tests based on that spec — not generic pytest boilerplate, but edge cases specific to this function's risk surface. It cross-references a pgvector database of historical failure patterns to check if similar functions have failed in specific ways before.</li> <li>Stability Score Results feed into a 0–100 score across 7 dimensions: test coverage, edge case handling, model compatibility, intent alignment, regression risk, security posture, and heal rate. If tests fail, a LangGraph graph (analyze → fix → validate, max 3 iterations) generates a patch and opens a fix PR automatically. The hardest unsolved problem Non-determinism. The same function can get slightly different generated tests across runs, which means a function can "pass" on one push and "fail" on the next without any code change. I'm currently using semantic caching (sentence-transformers embeddings) to reuse test suites for similar functions, which helps but doesn't fully solve it. If you've dealt with non-determinism in LLM-generated test suites I'd genuinely love to hear how you handled it. Stack: FastAPI · LangGraph · Groq · Anthropic Claude · tree-sitter · Supabase · Next.js · GitHub App webhooks Python-first right now. Free during early access: khwand.com</li> </ol> ai devops python testing