Gap
`apps/api/src/routes/health.ts` exposes three test-harness endpoints:
- `GET /api/_test/validation-error`
- `GET /api/_test/internal-error`
- `GET /api/_test/idempotency`
They exist for CI test cases that exercise the error-mapping path. They're documented nowhere in `specs/` and there's no env-gate keeping them off in production.
Two reasonable shapes
- Gate them. Wrap registration in `if (NODE_ENV !== 'production')`. The CI tests that depend on them already run in test mode, so nothing breaks. Production stops exposing a path that says "internal-error" in its name.
- Document them. Add a short note to `specs/api/conventions.md` explaining that `/api/_test/*` is intentionally available for harness use + characterizing the response shape.
The first is the safer call — there's no reason production callers should be able to hit `/api/_test/internal-error` and force a 500.
Identified during the 2026-05-30 post-cutover-blog spec-drift audit.
Gap
`apps/api/src/routes/health.ts` exposes three test-harness endpoints:
They exist for CI test cases that exercise the error-mapping path. They're documented nowhere in `specs/` and there's no env-gate keeping them off in production.
Two reasonable shapes
The first is the safer call — there's no reason production callers should be able to hit `/api/_test/internal-error` and force a 500.
Identified during the 2026-05-30 post-cutover-blog spec-drift audit.