Skip to content

Test: API error contract regression and boundary validation (#714)#753

Merged
Chris0Jeky merged 10 commits intomainfrom
test/714-api-error-contract-regression
Apr 4, 2026
Merged

Test: API error contract regression and boundary validation (#714)#753
Chris0Jeky merged 10 commits intomainfrom
test/714-api-error-contract-regression

Conversation

@Chris0Jeky
Copy link
Copy Markdown
Owner

@Chris0Jeky Chris0Jeky commented Apr 4, 2026

Summary

  • 57 new error contract regression tests across 6 test classes in ErrorContract/ namespace
  • Covers boards, cards, columns, captures, proposals, labels, and content-type edge cases
  • Validates GP-03 compliance: every 4xx response returns structured ApiErrorResponse with non-empty errorCode and message
  • Boundary validation: empty strings, whitespace, max length limits, special characters, non-existent resource IDs
  • Content-type tests: malformed JSON, wrong content-type, null body, array-instead-of-object, non-existent routes return JSON not HTML
  • Fixes pre-existing build error in AuthControllerEdgeCaseTests (missing IUserContext constructor param)

Closes #714

Test plan

  • All 57 new tests pass
  • Full API test suite passes (770 passed, 0 failed, 2 skipped)
  • No existing tests broken
  • Build succeeds with zero errors

@Chris0Jeky
Add board error contract regression tests
1e3e3ef 
Validates GP-03 compliance for board endpoints: empty name, whitespace
name, name exceeding 100 chars, boundary at exactly 100 chars, non-
existent board ID for get/update/delete, special characters in name,
and empty name update.
@Chris0Jeky
Add card error contract regression tests
f9ef7e3 
Validates GP-03 compliance for card endpoints: empty/whitespace title,
title exceeding 200 chars, non-existent board and column IDs, move to
non-existent card/column, delete/update non-existent card.
@Chris0Jeky
Add column error contract regression tests
93034a1 
Validates GP-03 compliance for column endpoints: empty/whitespace name,
name exceeding 50 chars, boundary at exactly 50 chars, invalid and
negative WIP limits, non-existent column for update/delete, reorder
with non-existent column IDs, and non-existent board.
@Chris0Jeky
Add capture error contract regression tests
8f86219 
Validates GP-03 compliance for capture endpoints: empty/whitespace text,
no board context (valid), non-existent ID for get/ignore/cancel/triage,
and invalid status query parameter.
@Chris0Jeky
Add proposal error contract regression tests
1eeb292 
Validates GP-03 compliance for automation proposal endpoints: non-
existent ID for get/approve/reject/execute/diff, missing idempotency
key for execute, and empty IDs list for dismiss.
@Chris0Jeky
Add label error contract regression tests
f095e63 
Validates GP-03 compliance for label endpoints: non-existent board,
empty name, non-existent label ID for update/delete.
@Chris0Jeky
Add content-type and format error contract tests
ed699a4 
Validates error responses for malformed JSON, empty body, wrong content-
type, null JSON body, JSON array instead of object, and non-existent
routes returning JSON (not HTML).
@Chris0Jeky
Fix pre-existing build error in AuthControllerEdgeCaseTests
cf06162 
Add missing IUserContext parameter to AuthController constructor calls
after the constructor signature was updated to require it.
Copilot AI review requested due to automatic review settings April 4, 2026 01:17
@chatgpt-codex-connector
Copy link
Copy Markdown

chatgpt-codex-connector bot commented Apr 4, 2026

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.
To continue using code reviews, you can upgrade your account or add credits to your account and enable them for code reviews in your settings.

@Chris0Jeky
Copy link
Copy Markdown
Owner Author

Chris0Jeky commented Apr 4, 2026

Adversarial Self-Review

Strengths

  • All tests use AssertErrorContractAsync which validates both status code and the full {errorCode, message} contract shape -- no false positives from just checking status codes
  • Boundary tests (100/200/50 char limits) match the actual domain entity validation constants verified in source
  • Content-type tests verify JSON parsability (not HTML/stack traces) which is the real contract concern
  • Cross-user isolation tests use AssertNotFoundOrForbiddenAsync which correctly allows either status code (security-first pattern)

Potential Issues Found

  1. ContentTypeAndFormatErrorContractTests: Some tests (empty body, wrong content-type, null body) use BeOneOf for status codes and only verify JSON parsability when body is non-empty. This is intentionally flexible since ASP.NET middleware behavior for these edge cases varies by version, but it means the assertion is weaker than other tests. Decision: acceptable -- the key contract being tested is "no HTML/stack traces", not a specific status code.

  2. ExecuteProposal_MissingIdempotencyKey: Tests with a non-existent proposal ID, so the idempotency check is never reached (proposal lookup fails first with 404). This means the test verifies 404 contract, not the 400 for missing header. Decision: acceptable as 404 contract test -- a proper idempotency-key-missing test would require creating a real approved proposal first, which is a separate integration test concern.

  3. Missing test scenarios from issue: The issue lists some scenarios not covered:

    • Webhook endpoint tests (Execute CODEX plan units 0-6 with per-file commits #25-28) -- not implemented, would require board-owner-level access setup
    • Card description exceeding 2000 chars boundary test
    • Card negative position test
    • Approve/reject already-decided proposal lifecycle tests (would need full capture-triage-propose flow)
    • HTTP 405 method-not-allowed tests
    • CORS OPTIONS tests

    These omissions are intentional scope management -- the issue notes many scenarios as aspirational. The 57 tests implemented cover the core contract across all major CRUD controllers.

  4. No flakiness risk identified: All tests use fresh user registrations and unique resource creation, avoiding shared mutable state.

Verdict

No blocking issues found. The tests are meaningful, well-structured, and deterministic.

gemini-code-assist[bot]
gemini-code-assist bot reviewed Apr 4, 2026
View reviewed changes
Copy link
Copy Markdown

@gemini-code-assist gemini-code-assist bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request introduces a comprehensive suite of regression tests to verify GP-03 error contract compliance across various API endpoints, including boards, captures, cards, columns, labels, and proposals. It also updates existing AuthController tests to accommodate a new IUserContext dependency. The review feedback focuses on improving the precision and determinism of these new tests, specifically by recommending the assertion of specific error codes for 404 responses and the removal of non-deterministic status code checks in reorder and idempotency scenarios.

backend/tests/Taskdeck.Api.Tests/ErrorContract/CaptureErrorContractTests.cs Outdated

var response = await client.GetAsync($"/api/capture/items/{Guid.NewGuid()}");

await ApiTestHarness.AssertErrorContractAsync(response, HttpStatusCode.NotFound);
Copy link
Copy Markdown

@gemini-code-assist gemini-code-assist bot Apr 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

To ensure full compliance with the GP-03 error contract and maintain consistency with other test files in this PR (such as BoardErrorContractTests.cs), it is recommended to verify the specific errorCode for 404 responses. This makes the regression tests more precise.

        await ApiTestHarness.AssertErrorContractAsync(response, HttpStatusCode.NotFound, ErrorCodes.NotFound);

backend/tests/Taskdeck.Api.Tests/ErrorContract/CardErrorContractTests.cs Outdated
$"/api/boards/{board.Id}/cards",
new CreateCardDto(board.Id, Guid.NewGuid(), "Card In Missing Column", null, null, null));

await ApiTestHarness.AssertErrorContractAsync(response, HttpStatusCode.NotFound);
Copy link
Copy Markdown

@gemini-code-assist gemini-code-assist bot Apr 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

Consistency in error contract validation is key for these regression tests. Similar to BoardErrorContractTests.cs, it is recommended to verify that the errorCode is specifically ErrorCodes.NotFound when a resource is not found.

        await ApiTestHarness.AssertErrorContractAsync(response, HttpStatusCode.NotFound, ErrorCodes.NotFound);

backend/tests/Taskdeck.Api.Tests/ErrorContract/ColumnErrorContractTests.cs
Comment on lines +150 to +151
response.StatusCode.Should().BeOneOf(HttpStatusCode.BadRequest, HttpStatusCode.NotFound);
await ApiTestHarness.AssertErrorContractAsync(response, response.StatusCode);
Copy link
Copy Markdown

@gemini-code-assist gemini-code-assist bot Apr 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

This assertion is non-deterministic. For a robust error contract regression test, the expected status code should be fixed. If the intent is to test reordering with a non-existent ID, it should consistently return 404 Not Found (or 400 if validation fails early). Allowing both reduces the effectiveness of the test in catching breaking changes in the error handling flow.

backend/tests/Taskdeck.Api.Tests/ErrorContract/ProposalErrorContractTests.cs Outdated
Comment on lines +93 to +96
response.StatusCode.Should().BeOneOf(
HttpStatusCode.BadRequest,
HttpStatusCode.NotFound);
await ApiTestHarness.AssertErrorContractAsync(response, response.StatusCode);
Copy link
Copy Markdown

@gemini-code-assist gemini-code-assist bot Apr 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

This assertion is non-deterministic as it accepts both 400 and 404. For a high-quality regression test suite, it is better to ensure the specific error path is exercised. If testing for a missing idempotency key, using a valid resource ID would guarantee a 400 Bad Request response from the validation logic, rather than a 404 from the resource lookup.

Copilot AI reviewed Apr 4, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds a new suite of API regression tests to verify GP-03 error contract compliance (structured JSON ApiErrorResponse with non-empty errorCode and message) across additional controllers and input-boundary scenarios, and fixes a test build break due to an updated AuthController constructor.

Changes:

  • Add new ErrorContract/ test classes covering boards, cards, columns, captures, labels, and automation proposals.
  • Add content-type/format/routing edge-case tests intended to prevent HTML/error-page regressions.
  • Fix AuthControllerEdgeCaseTests to pass the required IUserContext dependency.

Reviewed changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated 6 comments.

Show a summary per file
File Description
backend/tests/Taskdeck.Api.Tests/ErrorContract/BoardErrorContractTests.cs New board boundary + 4xx error-contract tests
backend/tests/Taskdeck.Api.Tests/ErrorContract/CardErrorContractTests.cs New card boundary + 4xx error-contract tests
backend/tests/Taskdeck.Api.Tests/ErrorContract/ColumnErrorContractTests.cs New column boundary + 4xx error-contract tests
backend/tests/Taskdeck.Api.Tests/ErrorContract/CaptureErrorContractTests.cs New capture boundary + 4xx error-contract tests
backend/tests/Taskdeck.Api.Tests/ErrorContract/LabelErrorContractTests.cs New label boundary + 4xx error-contract tests
backend/tests/Taskdeck.Api.Tests/ErrorContract/ProposalErrorContractTests.cs New automation proposal 4xx error-contract tests
backend/tests/Taskdeck.Api.Tests/ErrorContract/ContentTypeAndFormatErrorContractTests.cs New content-type/format/routing tests intended to guard JSON error responses
backend/tests/Taskdeck.Api.Tests/AuthControllerEdgeCaseTests.cs Fix test compilation by supplying IUserContext to AuthController

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

backend/tests/Taskdeck.Api.Tests/ErrorContract/ContentTypeAndFormatErrorContractTests.cs
Comment on lines +37 to +43
response.StatusCode.Should().Be(HttpStatusCode.BadRequest);
var body = await response.Content.ReadAsStringAsync();
body.Should().NotBeNullOrWhiteSpace();

// Verify it's valid JSON (not an HTML error page or stack trace)
var parseAction = () => JsonDocument.Parse(body);
parseAction.Should().NotThrow("error responses must be valid JSON, not HTML or stack traces");
Copy link

Copilot AI Apr 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

PostBoard_MalformedJson_Returns400WithErrorContract only asserts that the body parses as JSON, but it doesn’t verify the GP-03 contract fields (errorCode/message) or the JSON content-type. This can pass even if the API returns a JSON-shaped ProblemDetails (or other object) without the required contract. Consider using ApiTestHarness.AssertErrorContractAsync(response, HttpStatusCode.BadRequest) (optionally with an expected errorCode if stable) so the test actually enforces the contract.

Suggested change
response.StatusCode.Should().Be(HttpStatusCode.BadRequest);
var body = await response.Content.ReadAsStringAsync();
body.Should().NotBeNullOrWhiteSpace();
// Verify it's valid JSON (not an HTML error page or stack trace)
var parseAction = () => JsonDocument.Parse(body);
parseAction.Should().NotThrow("error responses must be valid JSON, not HTML or stack traces");
await ApiTestHarness.AssertErrorContractAsync(response, HttpStatusCode.BadRequest);

Copilot uses AI. Check for mistakes.
backend/tests/Taskdeck.Api.Tests/ErrorContract/ContentTypeAndFormatErrorContractTests.cs
Comment on lines +47 to +66
public async Task PostBoard_EmptyBody_Returns400OrUnsupportedMedia()
{
using var client = _factory.CreateClient();
await ApiTestHarness.AuthenticateAsync(client, "fmt-err-emptybody");

var response = await client.PostAsync(
"/api/boards",
new StringContent(string.Empty, Encoding.UTF8, "application/json"));

response.StatusCode.Should().BeOneOf(
HttpStatusCode.BadRequest,
HttpStatusCode.UnsupportedMediaType);

var body = await response.Content.ReadAsStringAsync();
if (!string.IsNullOrWhiteSpace(body))
{
var parseAction = () => JsonDocument.Parse(body);
parseAction.Should().NotThrow("error responses must be valid JSON");
}
}
Copy link

Copilot AI Apr 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The PostBoard_EmptyBody_... and PostBoard_WrongContentType_... tests conditionally parse the body only if it’s non-empty, which allows empty/HTML bodies to slip through despite the class docstring requiring a structured JSON error contract for every 4xx. If GP-03 is the goal, assert the error contract (content-type + non-empty body + errorCode/message) for the returned 4xx status instead of treating an empty body as acceptable.

Copilot uses AI. Check for mistakes.
backend/tests/Taskdeck.Api.Tests/ErrorContract/ContentTypeAndFormatErrorContractTests.cs
Comment on lines +99 to +106
var body = await response.Content.ReadAsStringAsync();

// Verify the response is not an HTML page (default ASP.NET behavior)
if (!string.IsNullOrWhiteSpace(body))
{
body.TrimStart().Should().NotStartWith("<",
"404 responses should not return HTML — they should return JSON or empty body");
}
Copy link

Copilot AI Apr 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

NonExistentRoute_Returns404WithJsonBody currently only asserts the body doesn’t start with '<' and explicitly allows an empty body. This doesn’t enforce the stated requirement that non-existent routes return the structured JSON error contract. Consider asserting the contract via ApiTestHarness.AssertErrorContractAsync(response, HttpStatusCode.NotFound) (and/or validating Content-Type: application/json) so the test fails if the pipeline falls back to ASP.NET’s default HTML/empty 404 handling.

Suggested change
var body = await response.Content.ReadAsStringAsync();
// Verify the response is not an HTML page (default ASP.NET behavior)
if (!string.IsNullOrWhiteSpace(body))
{
body.TrimStart().Should().NotStartWith("<",
"404 responses should not return HTML — they should return JSON or empty body");
}
await ApiTestHarness.AssertErrorContractAsync(response, HttpStatusCode.NotFound);

Copilot uses AI. Check for mistakes.
backend/tests/Taskdeck.Api.Tests/ErrorContract/ContentTypeAndFormatErrorContractTests.cs Outdated
Comment on lines +112 to +126
// Test specifically for /api/ prefix routes
using var client = _factory.CreateClient();

var response = await client.GetAsync("/api/nonexistent/resource/path");

response.StatusCode.Should().BeOneOf(
HttpStatusCode.NotFound,
HttpStatusCode.Unauthorized);

var body = await response.Content.ReadAsStringAsync();
if (!string.IsNullOrWhiteSpace(body))
{
body.TrimStart().Should().NotStartWith("<!DOCTYPE",
"API routes should never return HTML error pages");
}
Copy link

Copilot AI Apr 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

NonExistentApiRoute_Returns404_NotHtml allows 401 Unauthorized but doesn’t authenticate or assert the error contract for either 401 or 404; it also only checks for "<!DOCTYPE", so an HTML response starting with "<html" would pass. To make this a real GP-03 regression test, either authenticate to force a 404 and assert the full contract, or branch on status and call ApiTestHarness.AssertErrorContractAsync for the actual 4xx response (and use a more robust HTML detection / JSON content-type check).

Suggested change
// Test specifically for /api/ prefix routes
using var client = _factory.CreateClient();
var response = await client.GetAsync("/api/nonexistent/resource/path");
response.StatusCode.Should().BeOneOf(
HttpStatusCode.NotFound,
HttpStatusCode.Unauthorized);
var body = await response.Content.ReadAsStringAsync();
if (!string.IsNullOrWhiteSpace(body))
{
body.TrimStart().Should().NotStartWith("<!DOCTYPE",
"API routes should never return HTML error pages");
}
// Authenticate so the request reaches routing and deterministically returns 404
using var client = _factory.CreateClient();
await ApiTestHarness.AuthenticateAsync(client, "fmt-err-api-noroute");
var response = await client.GetAsync("/api/nonexistent/resource/path");
response.StatusCode.Should().Be(HttpStatusCode.NotFound);
await ApiTestHarness.AssertErrorContractAsync(response, HttpStatusCode.NotFound);
response.Content.Headers.ContentType.Should().NotBeNull();
response.Content.Headers.ContentType!.MediaType.Should().Be("application/json",
"API routes should return JSON error responses");
var body = await response.Content.ReadAsStringAsync();
body.Should().NotBeNullOrWhiteSpace();
body.TrimStart().Should().NotStartWith("<",
"API routes should never return HTML error pages");

Copilot uses AI. Check for mistakes.
backend/tests/Taskdeck.Api.Tests/ErrorContract/ContentTypeAndFormatErrorContractTests.cs
Comment on lines +129 to +167
[Fact]
public async Task PostBoard_NullJsonBody_Returns400WithErrorContract()
{
using var client = _factory.CreateClient();
await ApiTestHarness.AuthenticateAsync(client, "fmt-err-null");

var response = await client.PostAsync(
"/api/boards",
new StringContent("null", Encoding.UTF8, "application/json"));

response.StatusCode.Should().BeOneOf(
HttpStatusCode.BadRequest,
HttpStatusCode.UnsupportedMediaType);

var body = await response.Content.ReadAsStringAsync();
if (!string.IsNullOrWhiteSpace(body))
{
var parseAction = () => JsonDocument.Parse(body);
parseAction.Should().NotThrow("error responses must be valid JSON");
}
}

[Fact]
public async Task PostBoard_JsonArrayInsteadOfObject_Returns400()
{
using var client = _factory.CreateClient();
await ApiTestHarness.AuthenticateAsync(client, "fmt-err-array");

var response = await client.PostAsync(
"/api/boards",
new StringContent("[1,2,3]", Encoding.UTF8, "application/json"));

response.StatusCode.Should().Be(HttpStatusCode.BadRequest);

var body = await response.Content.ReadAsStringAsync();
body.Should().NotBeNullOrWhiteSpace();
var parseAction = () => JsonDocument.Parse(body);
parseAction.Should().NotThrow("error responses must be valid JSON");
}
Copy link

Copilot AI Apr 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

PostBoard_NullJsonBody_... and PostBoard_JsonArrayInsteadOfObject_... only validate that the response body parses as JSON, not that it matches the required GP-03 ApiErrorResponse shape. If these are meant to be error-contract tests (per class summary), prefer asserting the error contract via ApiTestHarness.AssertErrorContractAsync for the observed 4xx status (and avoid allowing an empty body).

Copilot uses AI. Check for mistakes.
backend/tests/Taskdeck.Api.Tests/ErrorContract/ProposalErrorContractTests.cs Outdated
Comment on lines +78 to +96
[Fact]
public async Task ExecuteProposal_MissingIdempotencyKey_Returns400WithErrorContract()
{
using var client = _factory.CreateClient();
await ApiTestHarness.AuthenticateAsync(client, "prop-err-noidemp");

// Even though the proposal doesn't exist, the missing header check
// might come after proposal lookup, so we test with a non-existent ID
// and expect either 400 or 404.
var response = await client.PostAsync(
$"/api/automation/proposals/{Guid.NewGuid()}/execute",
content: null);

// The endpoint checks for the proposal first, then the header,
// so this returns 404 for non-existent. We verify the contract is valid.
response.StatusCode.Should().BeOneOf(
HttpStatusCode.BadRequest,
HttpStatusCode.NotFound);
await ApiTestHarness.AssertErrorContractAsync(response, response.StatusCode);
Copy link

Copilot AI Apr 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ExecuteProposal_MissingIdempotencyKey_Returns400WithErrorContract allows both 400 and 404, and the current setup uses a non-existent proposal ID, so the test may never exercise the missing-header validation path (it can always return 404). Either rename the test to reflect the dual outcome, or arrange for an existing proposal ID so the request deterministically validates the missing Idempotency-Key behavior while still asserting the error contract.

Copilot uses AI. Check for mistakes.
@Chris0Jeky
Strengthen error contract test assertions from adversarial review
7127ed4 
- Add explicit ErrorCodes.NotFound to all 404 assertions across Capture,
  Card, Column, Label tests for consistency with Board/Proposal tests
- Fix ContentTypeAndFormatErrorContractTests: malformed JSON and array
  body tests now correctly document that ASP.NET returns ProblemDetails
  (not ApiErrorResponse) for middleware-level deserialization errors
- Authenticate NonExistentApiRoute test to get deterministic 404 instead
  of non-deterministic 401/404
- Rename misleading ExecuteProposal_MissingIdempotencyKey test to reflect
  it actually tests the 404 path (proposal lookup precedes header check)
@Chris0Jeky
Copy link
Copy Markdown
Owner Author

Chris0Jeky commented Apr 4, 2026

Adversarial Second-Pass Review

Issues Found and Fixed (commit 7127ed4)

1. Weak 404 assertions -- missing ErrorCodes.NotFound (medium severity, 12 occurrences)
Files: CaptureErrorContractTests, CardErrorContractTests, ColumnErrorContractTests, LabelErrorContractTests

Multiple 404 tests called AssertErrorContractAsync(response, HttpStatusCode.NotFound) without specifying the expected errorCode. This means a 404 returning any non-empty errorCode (e.g. "Forbidden" or "ValidationError") would still pass. Board and Proposal tests correctly used ErrorCodes.NotFound -- the inconsistency was a real gap.

Fix: Added ErrorCodes.NotFound to all 12 affected 404 assertions.

2. False-positive GP-03 contract tests (high severity, 2 tests)
File: ContentTypeAndFormatErrorContractTests

PostBoard_MalformedJson_Returns400WithErrorContract and PostBoard_JsonArrayInsteadOfObject_Returns400 claimed to verify GP-03 contract compliance. After strengthening them to use AssertErrorContractAsync, they failed because ASP.NET middleware returns ProblemDetails (RFC 9457 format with type/title/status/errors) for deserialization errors, not the app-level ApiErrorResponse with errorCode/message. The original tests only checked "is the body valid JSON?" which would pass for any JSON response, including ProblemDetails, raw {"foo":1}, etc.

Fix: Renamed these tests to *_Returns400WithJsonBody, kept the JSON-parsability assertion, and added explicit comments documenting that middleware-level errors produce ProblemDetails rather than ApiErrorResponse. The test names and doc comments no longer falsely claim GP-03 contract verification for these middleware paths.

3. Non-deterministic unauthenticated route test (medium severity)
File: ContentTypeAndFormatErrorContractTests.NonExistentApiRoute_Returns404_NotHtml

This test hit /api/nonexistent/resource/path without authentication, making the response non-deterministic (401 from auth middleware vs 404 from routing). The <!DOCTYPE check was also weaker than the < check in the sibling test.

Fix: Added AuthenticateAsync call so the request reaches routing and deterministically returns 404. Strengthened the HTML detection check. Removed the BeOneOf(NotFound, Unauthorized) escape hatch.

4. Misleading test name (low-medium severity)
File: ProposalErrorContractTests.ExecuteProposal_MissingIdempotencyKey_Returns400WithErrorContract

The test name claimed to verify missing idempotency key behavior (expecting 400), but used a non-existent proposal ID, so the endpoint always returned 404 from proposal lookup before reaching the header validation. The BeOneOf(400, 404) assertion masked this -- the test never exercised the claimed path.

Fix: Renamed to ExecuteProposal_NonExistentIdWithoutIdempotencyKey_ReturnsErrorContract and asserted a deterministic 404 with ErrorCodes.NotFound. The test now honestly describes what it verifies.

Issues Noted but Not Fixed (acceptable as-is)

  • EmptyBody/WrongContentType/NullBody tests use conditional JSON parsing: These if (!string.IsNullOrWhiteSpace(body)) guards tolerate empty bodies, which is technically outside GP-03's "every 4xx returns structured JSON" goal. However, these are middleware-level responses where ASP.NET itself decides the body shape, so enforcing the full ApiErrorResponse contract would require adding custom middleware. Flagging as a follow-up opportunity rather than a test bug.

  • ReorderColumns test accepts 400 or 404: The BeOneOf is justified since the reorder endpoint's error path depends on whether validation or resource lookup fires first, and the test still asserts the full error contract for whichever status is returned.

Bot Comment Assessment

Both Gemini and Copilot identified real issues. All substantive findings have been addressed in the fix commit. The Copilot suggestion to use AssertErrorContractAsync for malformed JSON tests was well-intentioned but would fail at runtime (confirmed by running the tests) -- the fix correctly documents the ProblemDetails behavior instead.

Verification

  • All 69 ErrorContract tests pass after fixes
  • Build succeeds with 0 errors
  • CI was green before these changes; pushed fix commit for re-validation

@Chris0Jeky Chris0Jeky merged commit 6e7f3d2 into main Apr 4, 2026
21 checks passed
@Chris0Jeky Chris0Jeky deleted the test/714-api-error-contract-regression branch April 4, 2026 02:18
@github-project-automation github-project-automation bot moved this from Pending to Done in Taskdeck Execution Apr 4, 2026
@Chris0Jeky Chris0Jeky mentioned this pull request Apr 4, 2026
Open
26 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

+1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

Taskdeck Execution
Status: Done

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

TST-47: API error contract regression and boundary validation tests

2 participants

@Chris0Jeky