DEV Community

Javier Leandro Arancibia

I let an AI agent write the tests for my access-control layer

Fourth in the series. I've been giving mago — an autonomous agent team that runs over a GitHub repo on your own LLM key — real tasks on my own repos: a feature in Go, a crash fix in Zig, and a refactor in Python it wasn't allowed to cheat on. This time, the one that actually made me nervous: let it test my access-control layer.

The gap

superbackend is my Node.js backend toolkit. Its RBAC middleware — src/middleware/rbac.js: requireRight, requireModuleAccess, and a basic-auth super-admin bypass — had zero tests. Untested authorization is the scariest kind of untested code: a silent regression there is a security hole, not a bug report.

So I filed an issue: add a real unit-test suite for it. Mock the service so it needs no DB; cover the actual decisions; don't change the behavior.

What it shipped

src/middleware/rbac.test.js: 25 tests, +326 lines, covering each export against fake req/res/next with the rbac service mocked out:

  • requireRight — calls next() when the right is granted, returns 403 when denied, the super-admin basic-auth path bypasses the check, orgId resolves from params/query/body (and a custom resolver), and a service error is handled rather than crashing the request.
  • requireModuleAccess — allow/deny for both read and write actions.
  • isBasicAuthSuperAdmin — the true/false cases.

No change to rbac.js itself — tests only, exactly as asked.
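To make the decisions listed above concrete, here is an added illustration (not superbackend's own rbac.js, nor the agent's test file) of a requireRight middleware in the shape the post describes, driven through the same kind of fake req/res/next harness with a mocked service. The `hasRight` service method, the `isSuperAdmin` flag and the `x-org` header are assumptions for the demo.

```javascript
// Added illustration, not superbackend's own code: a requireRight middleware in
// the shape the post describes, with the rbac service injected (no DB, synchronous
// only to keep the demo short) and a fake req/res/next harness around it.
function requireRight(right, service, opts = {}) {
  // orgId from params, then query, then body, unless a custom resolver is given.
  const resolveOrgId = opts.resolveOrgId ||
    ((req) => ({ ...req.body, ...req.query, ...req.params }).orgId);
  return function (req, res, next) {
    try {
      if (req.isSuperAdmin) return next(); // basic-auth super-admin bypass
      const orgId = resolveOrgId(req);
      if (!orgId) return res.status(400).json({ error: 'orgId required' });
      const ok = service.hasRight(req.user.id, orgId, right);
      return ok ? next() : res.status(403).json({ error: 'forbidden' });
    } catch (err) {
      // A failing service fails closed: no crash, and next() is never called.
      return res.status(500).json({ error: 'authorization unavailable' });
    }
  };
}
// Fake res records the decision; fake next is a flag.
function fakeRes() {
  const res = { statusCode: null, body: null };
  res.status = (c) => { res.statusCode = c; return res; };
  res.json = (b) => { res.body = b; return res; };
  return res;
}
function decide(middleware, req) {
  const res = fakeRes();
  let nextCalled = false;
  middleware(req, res, () => { nextCalled = true; });
  return { nextCalled, status: res.statusCode };
}
// Mocked services: grants, denies, and one that throws like a dead DB.
const granted = { hasRight: () => true };
const denied = { hasRight: () => false };
const broken = { hasRight: () => { throw new Error('db down'); } };
function scenarios() {
  const mw = (svc, opts) => requireRight('billing:write', svc, opts);
  const user = { id: 'u1' };
  return {
    allow: decide(mw(granted), { user, params: { orgId: 'o1' } }),
    deny: decide(mw(denied), { user, params: { orgId: 'o1' } }),
    bypass: decide(mw(denied), { isSuperAdmin: true }),
    fromBody: decide(mw(granted), { user, body: { orgId: 'o1' } }),
    custom: decide(mw(granted, { resolveOrgId: (r) => r.headers['x-org'] }), { user, headers: { 'x-org': 'o1' } }),
    serviceError: decide(mw(broken), { user, params: { orgId: 'o1' } }),
  };
}
```

The serviceError case is the one worth keeping an eye on in any RBAC suite: a thrown service error must end in a 5xx with next() never called, not in an unhandled exception that takes the request down.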

Verified

$ npx jest src/middleware/rbac.test.js
Tests: 25 passed, 25 total

And the full suite stayed green — the PR is purely additive (+326/-0, one new file), introducing zero new failures. Merged. My access-control layer now has a safety net it didn't have this morning.

Four repos, four stacks, four kinds of work

Stack    Task
Go       a feature
Zig      a crash fix
Python   a refactor (without gutting the tests)
Node     test coverage for security-critical RBAC

Same loop every time: file an issue, the agent implements it on your own key, runs the repo's own tests, and opens a PR you review — verified, not blindly merged. Not pinned to a language, a framework, or a kind of task.

The honest framing hasn't changed: it's a reliable autonomous dev shop for well-scoped, verifiable work — features, fixes, refactors, and the tests you keep meaning to write. Not "build me a startup."

Try it

CLI-only, BYOK (your Claude Code or tau key — it never resells completions), €20/mo. First 10 founding operators free during the beta, with a direct line to me:

👉 https://mago.intrane.fr

curl -fsSL https://mago.intrane.fr/install.sh | sh
mago register
