LCN Wafer Inspection

Appearance

Below is a deep review of testability and verification design in .NET systems, aimed at a senior engineer preparing for technical leadership discussions.

I will keep it technical, but grounded in how real systems behave.

Testability and Verification Design in .NET Systems

A lot of engineers treat testing as something that happens after design:

“We’ll build it first, then add tests.”

In real systems, that usually fails.

Why? Because testability is not a testing activity. It is a design property.

If a system is hard to control, hard to observe, and hard to isolate, then verifying it becomes expensive, slow, flaky, and incomplete. The result is predictable: the team writes a few happy-path unit tests, skips hard scenarios, and hopes production will reveal the rest.

Senior engineers think differently. They ask:

  • Can this behavior be isolated?
  • Can time be controlled?
  • Can failures be injected?
  • Can state transitions be observed?
  • Can concurrency be made reproducible enough to verify?
  • Can hardware or external systems be substituted without lying about behavior?

That is the real topic.

PART 1 — CORE CONCEPTS RECAP

Unit test vs integration test vs system test

These are not just different sizes of tests. They answer different questions.

Unit test

A unit test verifies a small piece of behavior in isolation.

Usually this means:

  • one class, method, or small cluster of collaborating objects
  • dependencies replaced or controlled
  • no real database, network, hardware, clock, filesystem, or thread timing dependency unless that dependency is intentionally part of the unit

A good unit test asks:

Given this input and this controlled context, does this logic produce the correct result?

Examples:

  • Does a retry policy stop after the configured number of attempts?
  • Does a state machine reject an invalid transition?
  • Does a pricing rule calculate the right result?
  • Does a command handler produce the correct domain event?

Unit tests are best for:

  • business rules
  • validation logic
  • state transitions
  • branching logic
  • error propagation rules
  • deterministic orchestration logic

They are fast and precise, but they cannot prove the whole system works when real components are wired together.

Integration test

An integration test verifies that multiple components work together correctly.

This is where real boundaries start to matter:

  • application code + database
  • service + message broker
  • workflow engine + persistence layer
  • machine adapter + simulation layer
  • API + authentication + storage

An integration test asks:

Do these pieces collaborate correctly when connected through their real interfaces?

Examples:

  • Does a repository save and load a workflow state correctly?
  • Does a background worker consume from a channel and persist results?
  • Does a timeout from a device adapter surface as the correct application error?
  • Does EF Core mapping preserve state machine invariants?

Integration tests catch problems unit tests miss:

  • serialization issues
  • schema mismatches
  • transaction boundaries
  • incorrect configuration
  • async coordination bugs
  • subtle contract mismatches between layers

They are slower and more brittle than unit tests, but much closer to real failure modes.

System test

A system test verifies the behavior of the whole deployed or nearly deployed system.

This usually means:

  • real app startup
  • real infrastructure or close-to-real substitutes
  • real process boundaries
  • real workflow execution
  • sometimes real UI
  • sometimes real hardware or a real simulator

A system test asks:

Does the system, as a whole, behave correctly for an end-to-end scenario?

Examples:

  • Can an inspection job be started, executed, paused, resumed, and completed?
  • Does a machine disconnect during operation cause the UI, workflow, logs, and persistence to respond correctly?
  • Can the desktop app recover after restart and resume an interrupted workflow?
  • Does a command sent from UI reach the machine driver and produce an observable result?

System tests are expensive and fewer in number, but they verify what stakeholders actually care about.

Deterministic vs non-deterministic systems

This distinction is fundamental.

Deterministic system

A system is deterministic when the same input and initial state always produce the same output and final state.

Examples:

  • a pure calculation
  • a transition function in a state machine
  • a validation rule
  • a parser

Deterministic behavior is easy to test because you can say:

For input X, the correct output is Y.

This is the ideal shape for unit testing.

Non-deterministic system

A system is non-deterministic when results depend on factors outside the pure input:

  • timing
  • thread scheduling
  • external devices
  • network behavior
  • clocks
  • random values
  • file system state
  • process ordering
  • hardware responses

Examples:

  • a background loop reading from a device
  • a workflow that depends on callbacks arriving from multiple sources
  • a reconnection loop
  • concurrent producers writing to a shared queue
  • code using DateTime.UtcNow, Task.Delay, random IDs, or live machine events

These systems are harder to verify because failures may not reproduce consistently.

Senior engineers try to push non-determinism outward and keep the core as deterministic as possible.

Test isolation

Test isolation means a test should fail only because the behavior under test is wrong, not because something unrelated leaked into it.

A test is poorly isolated when:

  • it depends on machine time
  • it depends on execution order with other tests
  • it shares mutable global state
  • it uses a live database left dirty by previous tests
  • it depends on background threads still running from earlier tests
  • it depends on environment variables or config not controlled by the test

Good isolation requires:

  • explicit dependency control
  • clean test setup and teardown
  • no hidden global state
  • no reliance on ambient context unless intentionally controlled
  • predictable inputs and observable outputs

Isolation does not always mean “mock everything.” It means the test controls what matters.

PART 2 — DESIGN FOR TESTABILITY

Separation of concerns

Separation of concerns is not an academic purity rule. It is what allows verification to exist at all.

When one method:

  • reads from hardware
  • updates UI state
  • writes to DB
  • logs
  • retries
  • transforms data
  • decides workflow transitions

then you cannot test any of those behaviors cleanly.

Instead, split by responsibility.

For example, instead of this:

  • UI click handler calls machine SDK
  • waits for result
  • transforms image
  • updates state
  • saves to DB
  • shows message box
  • writes log

You want something more like:

  • ViewModel triggers command
  • application service coordinates use case
  • machine adapter handles SDK call
  • domain logic decides transition
  • persistence component saves state
  • UI layer just displays results

Now each part can be verified at the right level.

The big principle is:

A component should have one kind of reason to change, and one kind of behavior to verify.

That is what makes testing tractable.

Dependency inversion principle (DIP)

DIP matters for testability because volatile, external, or hard-to-control dependencies should not dominate core logic.

High-level policy should not depend directly on low-level details.

For example, this is bad for testability:

  • workflow engine directly calls vendor camera SDK
  • retry policy directly uses Thread.Sleep
  • service directly calls DateTime.UtcNow
  • state machine directly writes files
  • coordinator directly uses new SqlConnection(...)

Because the business behavior is fused with infrastructure behavior.

A better design is:

  • core logic depends on abstractions like IClock, IDeviceClient, IJobRepository, IDelayStrategy, IWorkflowEventSink
  • infrastructure implements those abstractions
  • tests substitute controlled implementations

Important nuance: DIP is not “everything must be an interface.”

You do not abstract stable, simple, in-process logic just to satisfy a pattern. You abstract sources of volatility or non-determinism:

  • time
  • randomness
  • external I/O
  • hardware
  • process boundaries
  • thread scheduling helpers
  • long waits
  • environment-dependent behavior

That is where abstraction buys testability.

Pure functions vs side-effect-heavy code

A pure function:

  • depends only on its inputs
  • produces no side effects
  • returns the same result every time for the same inputs

These are the easiest things in the world to test.

Example:

  • NextState Transition(CurrentState state, Event e)

This is ideal. You can verify many scenarios cheaply and confidently.

By contrast, side-effect-heavy code:

  • reads clock
  • sends commands
  • writes DB
  • mutates shared state
  • sleeps
  • retries
  • spawns background work
  • publishes events

This code is inherently harder to test because behavior depends on environment and timing.

The design goal is not to eliminate side effects. Real systems need them.

The goal is to structure code so that:

  • decision logic is pure or near-pure
  • side effects happen at the edges
  • orchestration is explicit
  • the mapping from decision to effect is observable

A strong pattern is:

  1. Gather inputs
  2. Run deterministic decision logic
  3. Produce commands/actions/events
  4. Execute side effects through collaborators

That makes verification much easier.

PART 3 — TESTING ASYNC & CONCURRENT CODE

This is where many teams get into trouble.

A test passes 20 times, fails once in CI, then passes again locally. That is usually not “CI being weird.” That is a design problem.

Testing async flows

Async code itself is not the problem. Uncontrolled async code is.

Basic rules:

  • always await async operations in tests
  • avoid fire-and-forget in production code unless supervised
  • propagate cancellation tokens
  • make completion conditions explicit

Bad example:

  • test triggers background processing
  • test sleeps for 500 ms
  • hopes the work finished

This creates flaky timing-based tests.

Better:

  • the component exposes a task you can await
  • or publishes a completion event
  • or uses a channel/queue the test can observe
  • or writes to a fake dependency that can signal when done

In other words:

Never test async completion with hope and delay when you can test it with a real signal.

Controlling timing and race conditions

The hardest part of concurrent testing is that the scheduler is not your friend.

If behavior depends on:

  • exact millisecond timing
  • task interleaving
  • relative order of callbacks
  • thread pool scheduling luck

then your tests will be unreliable.

Design techniques that help:

  • inject a clock abstraction
  • inject a delay abstraction
  • avoid real Task.Delay in core logic
  • isolate coordination logic from scheduling mechanics
  • use bounded queues/channels with observable state
  • expose synchronization points for tests when necessary

For example, if you test retry logic, do not wait for real time. Use:

  • a fake clock
  • or a fake delay provider that completes immediately but records requested delays

If you test concurrency, create explicit coordination points:

  • TaskCompletionSource
  • barriers
  • semaphores
  • deterministic fake event sources

This lets the test control when operations advance.

Avoiding flaky tests

A flaky test is usually a signal of one of these problems:

  • hidden shared state
  • real time dependency
  • concurrency race
  • background work not cleaned up
  • reliance on thread scheduling
  • external dependency instability
  • assertions made too early
  • weak observation of completion

The answer is not “rerun failed tests.”

The answer is to redesign either:

  • the test
  • the component
  • or both

A useful mental model:

A reliable test needs three things:

  1. Control over important inputs and timing
  2. Observation of relevant outcomes
  3. Isolation from unrelated activity

If any one is missing, flakiness grows.

PART 4 — TESTING STATE MACHINES & WORKFLOWS

State-heavy systems are among the best candidates for strong automated verification.

Why? Because correctness often comes down to:

  • valid transitions
  • forbidden transitions
  • guard conditions
  • side effects attached to transitions
  • recovery after failure

Verifying transitions

At minimum, you want to prove:

  • allowed transitions succeed
  • invalid transitions are rejected
  • final state is correct
  • side effects are correct
  • no hidden state corruption occurs

A good state machine test often looks like this:

  • given initial state Idle
  • when event StartRequested
  • then new state is Preparing
  • and command InitializeMachine is emitted

This is far better than a vague “workflow runs successfully” test.

You want to test the transition function almost like a truth table.

For each state:

  • what events are accepted?
  • what events are ignored?
  • what events fail?
  • what guards are required?
  • what outputs occur?

That gives you strong coverage with relatively low cost.

Testing edge cases

Most production bugs are not in happy-path transitions. They are in boundary conditions:

  • duplicate events
  • out-of-order events
  • late callbacks
  • timeout during transition
  • cancellation during in-progress work
  • restart during partially persisted state
  • retry after half-completed action
  • failure after side effect but before state save
  • save succeeded but acknowledgment failed

These are workflow bugs, not syntax bugs.

Good verification requires scenario-based testing of these awkward moments.

For example:

  • if machine enters Running
  • result callback arrives
  • persistence fails
  • app restarts
  • does workflow recover safely without duplicating the result?

That is the kind of question leadership-level engineers should think about.

Ensuring correctness under failure

A robust workflow test suite should verify not just success transitions, but failure semantics:

  • what state do we move to on timeout?
  • is rollback attempted?
  • do we mark the job as unknown, failed, or retryable?
  • do we emit duplicate commands?
  • are partial side effects safe?
  • can the operator resume manually?

In real systems, “correct” may not mean “succeeds.” It may mean:

  • fails safely
  • preserves audit trail
  • avoids data corruption
  • allows recovery
  • does not command hardware into an unsafe state

This is a more mature notion of correctness.

PART 5 — MOCKING & FAKES

Mocks vs stubs vs fakes

These terms are often mixed together, but the distinction matters.

Stub

A stub provides canned responses. It exists mainly to supply inputs.

Example:

  • a device info provider that always returns a predefined machine status

It is passive. The test usually does not inspect how it was called in detail.

Mock

A mock verifies interaction behavior.

Example:

  • assert that SendStopCommand() was called exactly once
  • assert that SaveAsync() was called after validation but before notification

Mocks are useful when interaction itself is part of correctness.

Fake

A fake is a working lightweight implementation that behaves like the real thing in a simplified way.

Examples:

  • in-memory repository
  • simulated event bus
  • fake clock
  • fake device adapter
  • fake file store

Fakes are often more valuable than mocks because they preserve behavior rather than just call expectations.

When mocking becomes harmful

Mocking becomes harmful when tests stop verifying behavior and start verifying wiring trivia.

Examples:

  • asserting every internal method call
  • asserting exact call order between internal collaborators that users do not care about
  • requiring the same dependency interaction sequence even after harmless refactoring
  • mocking stable libraries unnecessarily
  • mocking so many layers that the test merely restates the implementation

This leads to brittle tests.

The smell is:

A small internal refactor breaks many tests even though external behavior did not change.

That means the tests are coupled to implementation details, not behavior.

Designing meaningful test doubles

Good test doubles should:

  • preserve the semantics that matter
  • be simple to understand
  • be easy to observe
  • avoid lying about the real system too much

For example, a fake repository that stores everything in a simple dictionary may be fine for testing orchestration logic. But it may be misleading if real behavior depends on:

  • transaction boundaries
  • unique constraints
  • ordering guarantees
  • serialization rules
  • concurrency tokens

So choose doubles based on the risk you are trying to verify.

A good principle:

  • use pure unit tests for logic
  • use fakes when you want realistic but controlled behavior
  • use mocks sparingly for important interactions
  • use integration tests when contract fidelity matters

PART 6 — TESTING HARDWARE-DEPENDENT SYSTEMS

This is where classic business-app testing advice starts to break down.

Hardware systems have unique challenges:

  • timeouts
  • jitter
  • vendor SDK quirks
  • disconnections
  • warmup time
  • device state drift
  • command/ack mismatches
  • physical timing
  • nondeterministic event ordering

You cannot solve this with unit tests alone.

Simulation layers

A simulation layer is often essential.

Instead of letting the whole application depend directly on vendor APIs, define a stable application-facing contract such as:

  • connect
  • disconnect
  • send command
  • subscribe to status
  • receive frame
  • receive alarm
  • query readiness

Then provide:

  • real implementation for production
  • simulator implementation for tests and development

A good simulator should model behavior that matters:

  • startup delay
  • success/failure responses
  • timeout
  • invalid state rejection
  • asynchronous events
  • disconnect mid-operation

A useless simulator only returns happy-path responses instantly. That gives false confidence.

Contract-based testing

When real and simulated hardware implementations both satisfy the same interface, you can run contract tests against both.

Example:

  • when StartInspectionAsync is called while disconnected, both simulator and real adapter should return the same class of error
  • when StopAsync is called twice, both should behave consistently
  • status events should follow the same contract shape and ordering guarantees

Contract tests help prevent the simulator from drifting away from reality.

Without this, teams end up with:

  • tests that all pass against simulator
  • production failures because the real device behaves differently

Emulators vs real hardware testing

Each has a role.

Emulator/simulator tests

Good for:

  • developer productivity
  • repeatable scenarios
  • injecting rare failure cases
  • CI automation
  • broad workflow coverage

Real hardware tests

Good for:

  • validating timing assumptions
  • checking SDK quirks
  • confirming command semantics
  • verifying protocol compatibility
  • catching physics-dependent behavior

The mature strategy is not choosing one or the other. It is layering them.

For example:

  • unit tests for transition logic
  • simulator-based integration tests for workflows
  • a smaller hardware-in-the-loop test suite for critical real-device validation

That gives both speed and realism.

PART 7 — TEST DATA & SCENARIOS

Designing meaningful scenarios

Bad tests use random shallow data:

  • Test1
  • Value123
  • SampleA

Good tests use scenario-shaped data.

Ask:

  • what business or operational situation does this represent?
  • what makes it risky?
  • what can fail here?

Examples of meaningful scenarios:

  • inspection started with machine warm but camera not calibrated
  • recipe version mismatches machine configuration
  • result batch contains one corrupt frame in the middle
  • reconnect occurs during save
  • duplicate event arrives after timeout boundary
  • operator presses stop while automatic retry is in progress

This makes tests easier to understand and more aligned with real failure modes.

Testing failure paths

Many systems are under-tested not because teams ignore testing, but because they test mostly success.

Failure-path tests should cover:

  • dependency timeout
  • cancellation
  • invalid input from external source
  • retry exhaustion
  • partial persistence failure
  • resource unavailable
  • duplicate message/event
  • stale state conflict
  • startup recovery after abnormal termination

A senior engineer should ask:

If this dependency fails at the worst possible moment, what must still remain true?

That is a powerful design and testing question.

Testing long-running flows

Long-running flows are difficult because:

  • they span time
  • they may cross process boundaries
  • they may persist state between steps
  • they may be interrupted
  • they often combine sync and async actions

To test them well:

  • break workflow logic into testable transition units
  • keep persistence boundaries explicit
  • make resume/recovery behavior testable
  • use synthetic clocks where possible
  • model checkpoints explicitly
  • test restart scenarios, not just clean runs

Example long-running scenario:

  1. workflow enters Preparing
  2. machine connects
  3. calibration starts
  4. timeout happens
  5. retry scheduled
  6. application restarts
  7. persisted workflow is restored
  8. retry continues or workflow moves to operator intervention

That is the kind of scenario that matters in industrial or distributed systems.

PART 8 — COMMON LOW-LEVEL PITFALLS

Brittle tests

A brittle test breaks too easily for irrelevant reasons.

Causes:

  • asserting exact log message text
  • asserting internal call order unnecessarily
  • depending on precise timing
  • relying on incidental data formatting
  • using overly specific mocks
  • verifying private behavior through public seams too aggressively

Brittle tests create maintenance drag and reduce trust in the suite.

Over-mocking

Over-mocking gives the illusion of isolation while removing the real behavior that matters.

Symptoms:

  • every dependency mocked
  • tests mostly assert “method A called method B”
  • real data flow disappears
  • no realistic state accumulation
  • tests mirror implementation instead of requirements

This often means the design is too fragmented or the team is testing at the wrong level.

Testing implementation details

This is one of the most common mistakes.

A good test should usually care about:

  • output
  • externally visible state
  • published event
  • persisted result
  • important side effect
  • contract-observable interaction

It should usually not care about:

  • private helper methods
  • exact internal sequence unless sequence is part of correctness
  • how many times a local transformation function ran
  • which internal collection type was used
  • whether a refactor introduced one extra method call

Tests should allow refactoring while protecting behavior.

Ignoring concurrency issues

A lot of systems have tests that are logically correct for single-threaded execution but wrong in production.

Examples:

  • two status events arriving simultaneously
  • UI command and device callback racing
  • cancellation arriving during result processing
  • shared mutable state accessed from event handlers and background loops
  • duplicate processing due to retries

If concurrency is part of the design, concurrency must be part of verification.

You do not need to exhaustively prove all schedules. But you do need targeted tests for known race-prone areas.

PART 9 — MAINTAINABILITY OF TESTS

A test suite is also software. It needs architecture.

Test readability

A good test should tell a story quickly:

  • initial context
  • triggering action
  • expected outcome

Tests are documentation of behavior.

If a test takes 100 lines to understand one simple rule, either:

  • the test is poorly written
  • or the design is too tangled

Good readability often comes from:

  • clear naming
  • scenario-based setup
  • minimal irrelevant detail
  • strong helper abstractions
  • domain vocabulary in test names

For example:

  • StartInspection_WhenMachineNotReady_ShouldRejectAndRemainIdle is far better than:
  • TestStartInspection2

Avoiding duplication

Test duplication creates maintenance pain, but aggressive DRY can also make tests unreadable.

The balance is:

  • deduplicate repetitive mechanics
  • do not hide essential scenario meaning

Good shared helpers:

  • object mothers/builders
  • fake clocks
  • common harnesses
  • reusable assertions
  • workflow setup helpers

Bad abstraction:

  • giant test helper methods that hide what the scenario really is

A reader should still be able to see what is special about this case.

Keeping tests aligned with system evolution

As systems evolve, tests can become:

  • stale
  • too tied to old architecture
  • too narrow for new failure modes
  • irrelevant to the current risk profile

Senior engineers periodically review:

  • what kinds of failures are happening in production?
  • where are defects escaping?
  • which tests are expensive but low value?
  • what critical paths are still under-verified?

A test suite should evolve with the architecture, not just accumulate forever.

PART 10 — SENIOR ENGINEER MENTAL MODEL

How to design systems that are easy to verify

The most testable systems usually have these properties:

1. Deterministic core, nondeterministic edges

Business rules, transition rules, and orchestration decisions are mostly deterministic.

Time, I/O, hardware, and threading are pushed to adapters.

2. Explicit boundaries

It is clear where:

  • state changes
  • side effects happen
  • persistence occurs
  • retries occur
  • timeouts are enforced
  • events are emitted

Hidden boundaries produce hidden bugs.

3. Observable behavior

Tests can clearly see:

  • output
  • state
  • emitted events
  • persisted records
  • important commands sent outward

If behavior cannot be observed, it is hard to verify.

4. Controllable dependencies

Clock, scheduler, randomness, device access, storage, and messaging can be substituted or controlled when needed.

5. Failure is modeled, not treated as an afterthought

The system explicitly defines:

  • retryable failures
  • fatal failures
  • unknown outcomes
  • compensation or recovery rules
  • operator intervention states

That makes testing failure semantics possible.

How to think about correctness under uncertainty

Real systems often cannot guarantee perfect knowledge.

For example:

  • command sent, acknowledgment lost
  • save maybe succeeded, response timed out
  • device disconnected after starting motion
  • workflow resumed after crash with incomplete local state

In these situations, correctness is not just “did the happy path succeed?”

It becomes:

  • is the system safe?
  • is state internally consistent?
  • can the situation be diagnosed?
  • can recovery proceed without corruption?
  • are duplicate effects prevented or tolerated?
  • is uncertainty represented honestly?

A mature engineer thinks in terms of:

  • invariants
  • idempotency
  • recoverability
  • observability
  • bounded uncertainty

Tests should reflect these concerns.

How to use tests as a design tool

This is the most important point.

Good engineers do not just write tests to validate code. They use testing pressure to improve design.

When a component is hard to test, ask why.

Common answers:

  • too many responsibilities
  • hidden state
  • implicit time dependency
  • direct infrastructure coupling
  • unclear outputs
  • overly stateful logic
  • background work with no supervision
  • no stable abstraction for external dependencies

In that sense, tests are a design feedback mechanism.

A useful rule:

If verifying a behavior is painful, the design around that behavior is often trying to tell you something.

Not always, but often.

A PRACTICAL ARCHITECTURE FOR VERIFIABLE .NET SYSTEMS

For a complex .NET system, especially one with workflows, hardware, or long-running processes, a strong verification-oriented architecture often looks like this:

Layer 1: Pure domain logic

  • validation
  • rules
  • state transition functions
  • decision policies

Test mostly with unit tests.

Layer 2: Application orchestration

  • use case coordination
  • command handling
  • workflow step coordination
  • retry/timeout policies
  • event routing

Test with unit tests plus integration tests using realistic fakes.

Layer 3: Infrastructure adapters

  • DB
  • filesystem
  • network
  • hardware SDK
  • clock/scheduler implementations
  • message bus

Test with integration tests and contract tests.

Layer 4: End-to-end system behavior

  • startup
  • configuration
  • workflow execution
  • recovery
  • operator-facing behavior

Test with system tests and a smaller number of real-environment scenarios.

That layered view is often what interviewers want to hear from senior candidates: not “we write unit tests,” but how verification strategy matches architecture and risk.

INTERVIEW-LEVEL SUMMARY

If you need a concise senior-level answer, it is this:

Testability is a design outcome, not a QA add-on. In .NET systems, especially async, stateful, hardware-connected, or workflow-heavy systems, the key is to isolate nondeterminism, keep core decisions deterministic, make dependencies controllable, and make behavior observable. Unit tests verify logic, integration tests verify contracts and wiring, and system tests verify real end-to-end behavior. Mocking should be used selectively; realistic fakes and contract tests are often more valuable. The strongest engineers design with recovery, concurrency, and failure semantics in mind from the start, and they use tests not only to catch bugs but to shape better architecture.

Final senior-engineer takeaway

The real question is not:

“Can we write tests for this?”

The real question is:

“Have we designed this system so correctness can be demonstrated with confidence?”

That is the mindset difference between basic testing and engineering leadership.

If you want, next I can turn this into Part 2: interview Q&A with strong senior-level model answers for this topic.

Docs-first project memory for AI-assisted implementation.

LCN Wafer Inspection Prototype