AI output snapshot regression testing: why the literal-byte snapshot is the wrong primitive, and what to do instead

The thesis: literal snapshots assume determinism your AI feature does not have

Snapshot testing was invented for deterministic functions. A pure function with no I/O returns the same value every time you call it with the same input, so saving that value and diffing against it on the next run is a fair test. The diff is loud when the function changes, silent when it does not, and the engineer running CI can read the change line by line.

None of those assumptions hold for an LLM call. Sampling temperature greater than zero re-rolls the output. Sampling at temperature zero still re-rolls because providers re-tokenize, swap model versions, and tune safety filters between deploys. The literal text drifts. The diff is red on run two even when nothing in your code changed, and red on run three because someone re-trained the model. Engineers learn to update the snapshot reflexively. The test becomes a write-once log of whatever the model said most recently, and the regression it was supposed to catch (a quietly broken citation pipeline, a chatbot that stopped saying the user's name) lands in production unnoticed.

This is not a problem with how snapshots are configured. It is a problem with the primitive itself. The thing being pinned (a stochastic string) is not the kind of thing that can be pinned by literal comparison. The only options are to pick a different thing to pin, or to pick a different comparison. AI output snapshot regression testing is the practice of doing both.

What replaces the literal snapshot: verify-bullets in plain markdown

The Assrt replacement primitive is a list of one-line semantic properties in a plain markdown file. Each property is a thing the AI output must satisfy. The properties are written by the human who knows what the feature is supposed to do, not by the model. They live in /tmp/assrt/scenario.md. The file is editable, gittable, greppable, and diffable in your normal editor. An fs.watch loop syncs every save back to central storage on a one-second debounce so a team can collaborate on the same scenario without copy-pasting strings around.

A scenario looks like this. The lines starting with Verify are the bullets that get enforced.

#Case 1: Chatbot answers a real question

Steps:
- Open the dashboard at /chat
- Type "What is my last invoice amount?"
- Press Enter
- Wait for the assistant message to finish streaming

- Verify the assistant message mentions the dollar amount from invoice 4821
- Verify the assistant message does not include any URL outside our domain
- Verify the assistant message renders inside the .assistant-message container
- Verify the response completes within 6 seconds of the user message
- Verify no other invoices are mentioned in the same reply

Five bullets, five properties. Run after run, the literal text the model produces is allowed to drift. The properties are what get checked, and the properties are not stochastic: either the dollar amount from invoice 4821 is mentioned or it is not.

The coverage gate: a regex and a two-keyword rule

A verify-bullet list is only useful if someone proves every bullet was actually checked. Otherwise it degrades into a slightly fancier comment. The piece that makes the pattern enforceable lives in src/core/agent.ts of the open-source assrt-mcp repo, around line 1141. It is a regex and a coverage rule. The regex extracts every line that starts with one of five verbs:

// agent.ts:1141
const verifyBulletRegex = /^[\s\-*\d.()]*(?:Verify|Check|Assert|Confirm|Ensure)\b[^\n]*/gim;

const verifyBullets = (scenarioSteps.match(verifyBulletRegex) || [])
  .map((s) => s.replace(/^[\s\-*\d.()]+/, "").trim())
  .filter((s) => s.length > 0);

// agent.ts:1146 -- normalize a bullet to its content keywords
const normalize = (s) =>
  s.toLowerCase()
   .replace(/[^a-z0-9 ]+/g, " ")
   .split(/\s+/)
   .filter((w) => w.length > 3);

// agent.ts:1149 -- a bullet is covered if some assert description shares
// at least 2 of its content keywords (or all of them when the bullet is short)
for (const bullet of verifyBullets) {
  const bulletKeywords = normalize(bullet);
  if (bulletKeywords.length === 0) continue;
  const covered = assertionDescriptions.some((desc) => {
    const matched = bulletKeywords.filter((kw) => desc.includes(kw)).length;
    return matched >= Math.min(2, bulletKeywords.length);
  });
  if (!covered) droppedAssertions.push(bullet);
}

if (droppedAssertions.length > 0) scenarioPassed = false;

That is the whole contract. Every line in the scenario that starts with Verify, Check, Assert, Confirm, or Ensure (with any leading whitespace, bullet character, or number) is an assertion the agent owes. The agent produces one assert tool call per bullet. After the run, the coverage gate normalises each bullet to its words longer than three characters, then looks for any assert description that contains at least two of those words. Misses get logged into droppedAssertions and the scenario fails.

The rule is intentionally loose on phrasing (the agent can rephrase a bullet, and the keyword match still finds the connection) and intentionally strict on coverage (every bullet has to be accounted for, no exceptions). Loose phrasing keeps the agent from being penalised for using synonyms; strict coverage keeps the agent from quietly skipping the one bullet that would have caught the regression.

Streaming responses, wait_for_stable, and the assertion timing problem

Snapshot tests do not have a timing problem. The function returns and the snapshot is checked. AI output regression tests do. If the agent fires an assertion against the assistant message while tokens are still streaming in, the assertion sees a partial response. The next run sees a different partial response. The test is flaky, the bullet is real, but the timing layer is broken.

Assrt's answer is a tool named wait_for_stable defined at src/core/agent.ts lines 186 to 195. It polls the DOM and returns once no mutations have happened for a configurable stable period (default two seconds), up to a configurable timeout (default thirty). The agent prompt at src/core/agent.ts lines 249 to 254 explicitly tells the model to call wait_for_stable after triggering any AI response, before any assertion runs. The model does not get to skip this step; if it does, the assertion sees half a token and the run fails the bullet, which surfaces to the engineer in the dropped-assertion log.

A worked example: catching a quietly broken citation pipeline

Imagine your support chatbot is supposed to cite at least one document from the user's knowledge base on every answer. The classical snapshot test would pin the literal answer, fail on every run that produces different phrasing, and get updated until nobody reads the diff. Then your retrieval pipeline silently breaks. The model still produces fluent answers, just without citations. The snapshot updates accept the new (non-citing) text. The regression ships.

The verify-bullet equivalent has one line in scenario.md:

- Verify the response contains at least one citation chip with class .citation

The agent runs the scenario, waits for the message to stabilise, snapshots the DOM, and asks: does the rendered response contain an element matching .citation? If yes, fire assert(passed=true, evidence="found 2 citations: invoice-4821, contract-9.pdf"). If no, fire assert(passed=false, evidence="no .citation elements in .assistant-message after wait_for_stable"). Either way, the bullet is covered, the coverage gate passes that bullet, and the test fails or passes on the actual property the human cared about.

The model is now allowed to phrase its answer any way it likes between runs. The literal text can drift. The thing being graded is not the literal text. The thing being graded is the structural property the engineer wrote down, and that property is checkable on any run because it depends on the DOM, not on a model sample.

The counterargument: when literal snapshots still earn their keep

None of the above means literal snapshots are useless. They earn their keep on the deterministic surfaces around the AI feature. The JSON shape of the request body your front end posts to the LLM provider, the schema of the response after your code parses and normalises it, the structural skeleton of the UI before tokens stream in, the email template you generate after the model returns: all of those are deterministic and a literal-byte snapshot is the right tool for each of them. The mistake is pointing a literal snapshot at the part of the surface that is by construction non-deterministic.

A team that does both is the team that catches the most regressions. Literal snapshots on the deterministic edges. Verify-bullets on the model output itself. Pixel diffs on the rendered UI for the things that have to look right. Three layers, each catching what the other two miss, none of them carrying the weight that is wrong for them to carry.

Where the verify-bullet pattern is still wrong (be honest about it)

The two-keyword overlap rule has a quiet failure mode. A bullet that uses uncommon vocabulary the agent does not echo can be marked uncovered even though the agent did the work. The fix is to write bullets in the vocabulary you expect the agent to produce, which is a small editorial discipline, not a structural change. You learn the shape after one or two failing runs and the bullets get tighter.

A bigger failure mode: the agent only sees what is rendered in the DOM. If your front end strips a citation array before rendering, or summarises a structured response into a paragraph, the verify-bullet on the original structure cannot be checked. The fix is a debug payload: a hidden div on the page that renders the raw model response when a test cookie is set. The bullet then points at the debug payload, not at the prettified UI. Most teams resist this until they have shipped one regression and then add it the next sprint.

The last failure mode is the one no test framework solves: an LLM-grader that confidently fakes an assertion. The mitigation is the evidence field on every assert call (defined at agent.ts line 140), which is logged into /tmp/assrt/results/<runId>.json. A human reviewing the artifacts can spot a passed assertion whose evidence does not actually show the property holding. This is a manual safety net; it is also the only one that catches a sufficiently motivated grader.

Where this pattern lives in code (so you can read it yourself)

None of this is a vendor abstraction. The repo is open source. The pieces sit in three short files of the assrt-mcp repository:

• src/core/agent.ts lines 1141 to 1175: the verifyBulletRegex, the normalize helper, and the coverage check that marks the scenario failed when a bullet has no matching assertion.
• src/core/agent.ts lines 186 to 195: the wait_for_stable tool definition, with the two-second default quiescence and the thirty-second default timeout the agent uses on streaming AI output.
• src/core/scenario-files.ts lines 16 to 20, 42 to 48, and 90 to 111: the file paths (/tmp/assrt/scenario.md, /tmp/assrt/scenario.json, /tmp/assrt/results/<runId>.json) and the fs.watch loop that syncs your local edits back to central storage on a one-second debounce.

The whole regression-detection contract for AI output sits in those three files. The total surface is about three hundred lines of TypeScript. If you do not want to use Assrt, you can lift the pattern: a markdown file with verify-bullets, a regex on those bullets, a coverage check on the assertion list, a stable-DOM wait helper, and an evidence field on every assertion. The shape is what does the work, not the framework.