Step 1 of 5
Inventory the API contracts
Write down what every endpoint promises before testing it.
Produce the API contract inventory: every endpoint with method, path, purpose, auth requirement, request shape, success response (code + body shape), and the expected failure responses (validation 400, unauthorized 401/403, not found 404, conflict 409, server 500). Define the standard error shape all endpoints should return (e.g. {error: {code, message}}). Flag endpoints whose current behavior is unknown.
Expected after this step
A complete contract table plus a standard error shape definition.
Should not happen
- ✕200 responses containing error strings
- ✕500s from bad user input instead of 400s
- ✕Different error shapes per endpoint breaking the frontend
- ✕No timeouts, so slow APIs hang the UI forever
Verify before continuing
Do not move on until every check is true. The complete button stays locked until then.
Do not continue if…
- !200 responses containing error strings
- !500s from bad user input instead of 400s
- !Different error shapes per endpoint breaking the frontend
- !No timeouts, so slow APIs hang the UI forever
If the AI messes this up
Use this when the AI fakes progress or breaks the feature. It forces a real fix.
The inventory is missing failure contracts. For every endpoint define what invalid input, missing auth, and missing resources should return before testing.