api-testing

Discovery Questions

1. REST, GraphQL, or both? REST-only suites use standard HTTP assertions. GraphQL needs query/mutation builders.
2. Auth mechanism? JWT, API key, OAuth 2.0, or session cookies -- each needs a different fixture strategy.
3. OpenAPI/Swagger spec available? If yes, auto-generate schemas as contracts.
4. Check .agents/qa-project-context.md first. Respect existing conventions.

Core Principles

1. Test contracts, not implementations. Assert on response shape, status codes, and headers -- not on internal logic or database state.
2. Schema validation catches drift before it breaks consumers. A failing schema test means you caught a breaking change before your frontend did.
3. Auth flows are tests too -- don't just hardcode tokens. Test login, refresh, expiration, and permission boundaries.
4. Response time is a testable assertion. Performance regressions caught in CI are cheaper than production incidents.