postJson($versioned, ['email' => 'bad@example.test', 'password' => 'wrong']) : $this->actingAs($this->admin, 'api')->getJson($versioned); $legacyResponse = str_contains($legacy, 'login') ? $this->postJson($legacy, ['email' => 'bad@example.test', 'password' => 'wrong']) : $this->actingAs($this->admin, 'api')->getJson($legacy); $this->assertNoServerError($versionedResponse, 'versioned compatibility '.$versioned); $this->assertNoServerError($legacyResponse, 'legacy compatibility '.$legacy); $this->assertLessThan(500, $versionedResponse->getStatusCode()); $this->assertLessThan(500, $legacyResponse->getStatusCode()); } } public function test_legacy_routes_do_not_expand_beyond_documented_aliases_silently(): void { $legacyLike = []; foreach ($this->apiRoutes() as $route) { $uri = $route->uri(); if (! str_starts_with($uri, 'api/v1/') && ! str_contains($uri, 'docs') && ! str_contains($uri, 'health')) { $legacyLike[] = $this->primaryMethod($route).' '.$uri; } } $this->assertLessThan(80, count($legacyLike), 'Unversioned API compatibility routes should remain bounded, not become a second API by accident: '.implode(', ', $legacyLike)); } }