# Kintsugi QA API

> Kintsugi QA is a browser-based UI test automation platform. This file is the
> complete capability spec of the Kintsugi QA public HTTP API for autonomous
> AI agents. Given this file plus an API key (`X-API-Key: ksk_<64 hex chars>`),
> an agent can — with no other documentation — discover the user's
> organization and projects, write new test cases as JSON (single-actor
> browser scenarios), run them, poll for results, and download videos,
> screenshots, traces, network logs, and console logs. Every endpoint,
> request/response field, step type, assertion type, status enum, and
> variable placeholder usable via API key is documented below. Endpoints not
> usable with API keys are listed explicitly so they are not attempted.

## 1. Authentication & conventions

- **Header**: send `X-API-Key: ksk_<64 hex characters>` on every request.
  A query parameter `?api_key=ksk_...` also works, but the header is
  preferred (it won't leak into logs/URLs).
- **Base URL**: `https://kintsugi-qa.com/api/v1`.
- **Content-Type**: `application/json` for all JSON request bodies, except
  `POST /files` which is `multipart/form-data`.
- **Org scoping**: an API key belongs to exactly one organization and grants
  read/write access to every project, test case, suite, run, artifact,
  secret, file, schedule, and webhook token within that organization.
  `GET /orgs` returns only the key's own org. `GET /orgs/{id}` works for
  that org (any other org ID is rejected by the authorization check).
- **Pagination**: list endpoints that paginate return
  `{"items": [...], "count": N, "next_cursor": "...", "has_more": bool}`.
  Pass `?cursor=<next_cursor>` to fetch the next page and `?limit=<n>` to
  control page size. Some simple list endpoints (projects, secrets, files,
  schedules, webhook-tokens, orgs) return `{"items": [...], "count": N}`
  without cursor pagination (all results in one page).

### Error response shapes

Most errors:
```json
{ "error": "human-readable message", "request_id": "abc-123" }
```
(`request_id` may be empty/omitted; `code` may also appear for some
domain-level errors, e.g. `"code": "NOT_FOUND"`.)

Structural scenario validation failures use a slightly different shape.
Step ids must be unique within each actor for EVERY test case (single- and
multi-actor — duplicates corrupt run results and self-healing patches);
collaborative scenarios additionally get full barrier validation (see
section 4.7):
```json
{ "error": "barrier \"key-ready\": must have at least 2 participating actors, got 1; ...", "code": "INVALID_SCENARIO" }
```
`error` is a `; `-joined list of every problem found, so a single response can
report multiple issues at once.

### Common status codes

- `200 OK` — successful read/update.
- `201 Created` — resource created (test case, project, secret, file, schedule, webhook token, suite).
- `202 Accepted` — async operation started; response body is the created run object (or, for webhook tokens with a body, also a run object).
- `204 No Content` — successful delete.
- `400 Bad Request` — invalid JSON, missing required fields, or (for API
  keys) a collaborative (multi-actor) scenario that fails structural
  validation on a test-case create/update endpoint (`code: "INVALID_SCENARIO"`,
  see section 4.7).
- `401 Unauthorized` — missing/invalid API key.
- `403 Forbidden` — endpoint not available with API-key authentication
  (see section "Endpoints NOT available with API keys" below), or the
  key's org lacks access to the requested project/org. Body:
  `{"error": "this endpoint is not available with API key authentication", "code": "FORBIDDEN"}`
  for blocked endpoints, or `{"error": "access denied"}` for authorization
  failures.
- `404 Not Found` — resource does not exist or is not visible to this org.
- `409 Conflict` — duplicate slug/name on create.
- `413 Request Entity Too Large` — file upload exceeds 20 MB.
- `500 Internal Server Error` — unexpected server error.

### Endpoints NOT available with API keys (do not call these)

- `POST /test-cases/generate`, `POST /test-cases/{id}/regenerate` (AI test
  generation)
- All `/probes` and `/authoring-sessions` routes (interactive browser-driven
  authoring)
- `POST /suites/{id}/probe` (AI-generated suite transitions)
- Organization mutations: `POST/PUT/DELETE /orgs`, all
  `/orgs/{id}/members*` and `/orgs/{id}/invites` routes
- API key management: `POST/GET/DELETE /orgs/{id}/api-keys`
- `/admin/*`, `/dev/login`, `/auth/*`

All requests to these return `403 {"error":"this endpoint is not available
with API key authentication","code":"FORBIDDEN"}` (or `401`/redirect for the
auth/admin routes). **An agent writes test JSON itself — that is the entire
point of this API.**

---

## 2. RECOMMENDED AGENT WORKFLOW

Step-by-step, with `curl` examples. Replace `<api_key>` and IDs with real
values. Full request/response shapes for every endpoint used here are in
section 7.

### 2.1 Discover the organization

```bash
curl https://kintsugi-qa.com/api/v1/orgs -H "X-API-Key: <api_key>"
# => {"items":[{"id":"5b3c2a1d-...","name":"Acme Inc","slug":"acme", ...}], "count":1}
```
Save `items[0].id` as `<org_id>`.

### 2.2 List projects (create one if none exist)

```bash
curl "https://kintsugi-qa.com/api/v1/projects?org_id=<org_id>" -H "X-API-Key: <api_key>"
```
Save `items[0].id` as `<project_id>`. If `items` is empty, create a project:
```bash
curl -X POST https://kintsugi-qa.com/api/v1/projects \
  -H "X-API-Key: <api_key>" -H "Content-Type: application/json" \
  -d '{
    "org_id": "<org_id>", "slug": "marketing-site", "name": "Marketing Site",
    "description": "Public marketing site", "base_url": "https://staging.example.com",
    "environments": [
      { "name": "staging", "base_url": "https://staging.example.com" },
      { "name": "production", "base_url": "https://example.com" }
    ]
  }'
```
Required: `slug`, `name`, `org_id`. Optional: `description`, `base_url`,
`environments` (array of `{name, base_url}`), `custom_headers` (map of
header name -> value, sent on every request the test runner makes). Response
(`201 Created`) is the full project object — see 7.2.

### 2.3 Create a test case

`POST /test-cases` — see section 4 for the full scenario/step JSON schema.
Minimal example:

```bash
curl -X POST https://kintsugi-qa.com/api/v1/test-cases \
  -H "X-API-Key: <api_key>" -H "Content-Type: application/json" \
  -d '{
    "project_id": "<project_id>",
    "name": "User can log in",
    "description": "Logs in with valid credentials and lands on the dashboard",
    "default_base_url": "https://staging.example.com",
    "scenario": {
      "actors": [
        {
          "id": "user", "name": "User", "browser": "chromium",
          "viewport": { "width": 1280, "height": 800 },
          "steps": [
            { "id": "step-1", "type": "navigate", "url": "{{BASE_URL}}/login", "description": "Go to login" },
            { "id": "step-2", "type": "fill", "selector": "#email", "value": "demo@example.com", "description": "Enter email" },
            { "id": "step-3", "type": "fill", "selector": "#password", "value": "{{SECRET_DEMO_PASSWORD}}", "description": "Enter password" },
            { "id": "step-4", "type": "click", "selector": "button[type=submit]", "description": "Submit login form" },
            { "id": "step-5", "type": "assert", "selector": "[data-testid=dashboard-heading]", "assertion": { "type": "visible" }, "description": "Dashboard heading visible" }
          ]
        }
      ]
    }
  }'
```
Response (`201 Created`) is the TestCase object (section 7.3); save `id` as
`<test_case_id>`.

The example above has a single actor, which is the default and recommended
shape for most tests. `scenario.actors` MAY also contain **2 or more
actors** with `barriers` for collaborative (multi-actor) tests — see
section 4.7 for the schema, validation rules, and a full worked example.

### 2.4 Trigger a run

```bash
curl -X POST https://kintsugi-qa.com/api/v1/runs \
  -H "X-API-Key: <api_key>" -H "Content-Type: application/json" \
  -d '{ "test_case_id": "<test_case_id>", "project_id": "<project_id>" }'
```
Fields: `test_case_id` (required), `project_id` (required),
`test_case_version` (optional int — pin to a version, defaults to latest),
`environment` (optional — **omit it unless you need to override the base
URL**; if provided it must be either a full URL like
`https://staging.example.com` or the name of an environment defined in the
project's `environments[]`, which is resolved to its `base_url` at trigger
time; an unknown name is rejected with 400. When omitted, `{{BASE_URL}}`
resolves to the test case's `default_base_url`). Response (`202 Accepted`)
is a TestRun object (section 6.2) with `status: "pending"`; save `id` as
`<run_id>`.

### 2.5 Poll for completion

Poll every **3-5 seconds**:
```bash
curl https://kintsugi-qa.com/api/v1/runs/<run_id>/status -H "X-API-Key: <api_key>"
# => {"id":"...", "status":"passed", "started_at":"...", "completed_at":"...", "duration_ms":42000}
```
`completed_at`/`duration_ms` are `null` until the run finishes. Stop polling
once `status` is one of the **terminal** values: `passed`, `failed`,
`cancelled`, `timed_out` (`pending`, `running`, `healing` are non-terminal —
see section 6.1). For full details (per-step results, errors, artifact
keys), use `GET /runs/<run_id>` (section 6.2).

### 2.6 List and download artifacts

```bash
curl https://kintsugi-qa.com/api/v1/runs/<run_id>/artifacts -H "X-API-Key: <api_key>"
# => {"run_id":"...", "artifacts": ["runs/<run_id>/<actor_name>/video-<timestamp>.webm", "runs/<run_id>/<actor_name>/video-<timestamp>.vtt", ...]}
```
`artifacts` is a flat array of S3 key strings. Key names include generated
timestamps — **never construct artifact keys yourself; always copy the exact
key strings from this response.** Download any key two ways:

**A — presigned URL** (no auth header needed on the download itself, valid
15 minutes):
```bash
curl "https://kintsugi-qa.com/api/v1/artifacts/presign/<artifact_key>" -H "X-API-Key: <api_key>"
# => {"url": "https://kintsugi-prod-artifacts-529589820112.s3.us-east-1.amazonaws.com/...?X-Amz-...", "key": "<artifact_key>"}
curl -o video.webm "https://kintsugi-prod-artifacts-529589820112.s3.us-east-1.amazonaws.com/...&X-Amz-..."
```

**B — authenticated stream** (supports HTTP `Range` for video seeking):
```bash
curl "https://kintsugi-qa.com/api/v1/artifacts/<artifact_key>" -H "X-API-Key: <api_key>" -o video.webm
```

---

## 3. SUITES

A suite is an ordered list of test cases executed sequentially **in a single
browser session** (one browser context, not restarted between test cases).
Run-scoped variables (from `extract` steps) carry over from one test case to
the next within the suite run.

### Create — `POST /suites`
```json
{
  "project_id": "<project_id>",
  "name": "Core checkout flow",
  "description": "Login, then place an order",
  "steps": [
    { "test_case_id": "<tc_login_id>" },
    { "test_case_id": "<tc_checkout_id>", "transition": "User is already logged in; navigate to /products" }
  ]
}
```
- `project_id` (required), `steps` (required array of `{test_case_id, transition?}`).
- `name` is optional — auto-generated from the referenced test case names if omitted.
- `transition` (optional string) describes how to bridge from the previous
  test case's end state to this one's start state. It is informational only
  via the API — `transition_steps` are not auto-generated for API-created
  suites (that requires `POST /suites/{id}/probe`, not available with API
  keys), but you may hand-author `transition_steps` via `PUT /suites/{id}`.

Response (`201 Created`) is the full Suite object (section 7.5).

### Run — `POST /suites/{id}/run`
```bash
curl -X POST https://kintsugi-qa.com/api/v1/suites/<suite_id>/run \
  -H "X-API-Key: <api_key>" -H "Content-Type: application/json" \
  -d '{}'
```
Body is optional (`environment` only — same semantics as on `POST /runs`:
omit it, or pass a full URL / a project environment name). Response
(`202 Accepted`) is a
TestRun object identical in shape to a single-test-case run, but with
`suite_id` set and `actor_runs`/`suite_snapshot` reflecting all test cases in
the suite. Poll exactly as in 2.5. Suite runs also appear in
`GET /runs?project_id=...&suite_id=<suite_id>`.

---

## 4. TEST DEFINITION SCHEMA

### 4.1 Test case create/update body

`POST /test-cases` and `PUT /test-cases/{id}`:

```json
{
  "project_id": "<project_id>",       // required (POST only; PUT resolves from URL)
  "name": "User can log in",          // required
  "description": "optional text",     // optional
  "scenario": { "actors": [ ... ] },  // required — see 4.2
  "default_base_url": "https://staging.example.com", // strongly recommended when steps use {{BASE_URL}}
  "depends_on": "<other_tc_id>",      // optional, PUT only — prerequisite test case
  "transition": "description string"  // optional, PUT only — how to bridge from depends_on's end state
}
```

`default_base_url` is what `{{BASE_URL}}` resolves to when no `environment`
override is passed at run time. **Always set it if any step URL uses
`{{BASE_URL}}`** — otherwise the run fails at setup. Alternatively, use
absolute URLs in `navigate` steps and skip both.

`PUT /test-cases/{id}` creates a new version of the test case (response
`version` increments). `id` in the URL may be a UUID or a slug; if it's a
slug, pass `?project_id=<project_id>` as a query parameter.

#### `depends_on` and `transition` (dependency chains)

- `depends_on` (settable via **`PUT` only** — `POST /test-cases` does not
  accept it; create the test case first, then `PUT` to set `depends_on`) is
  the ID of a prerequisite test case. `transition` is a free-text
  description of how to bridge from that prerequisite's end state to this
  test case's start state (e.g. `"User is already logged in; navigate to
  /settings"`). `transition` is informational/documentation only — it is
  not turned into executable steps automatically.
- **Standalone run** (`POST /runs` with this test case, no suite): the
  orchestrator walks the `depends_on` chain (grandparent → parent → this
  test case) and **prepends every ancestor's steps**, in execution order,
  to actor 0's steps for that run — all in **one browser session**. A
  `transition` on this test case (or on any ancestor) becomes an executable
  `navigate` step ONLY if its text contains an http(s) URL (the first URL is
  extracted and navigated to); otherwise the transition is purely
  informational and no step is inserted. A cycle
  in the `depends_on` chain is detected and silently broken (the chain stops
  at the repeated test case) rather than looping forever or erroring.
- **Suite run**: dependency steps are **NOT** prepended. Instead,
  `POST /suites` and `PUT /suites/{id}` validate that every test case's full
  `depends_on` chain (including transitive ancestors) appears **earlier** in
  the suite's `steps` array — if not, the suite create/update is rejected
  with an error naming the missing prerequisite. Each test case may appear
  in a suite at most once for the purposes of this check.

### 4.2 Scenario

```json
{
  "actors": [
    {
      "id": "user",
      "name": "User",
      "description": "optional",
      "browser": "chromium",
      "viewport": { "width": 1280, "height": 800, "mobile": false },
      "steps": [ /* ordered Step[] — see 4.4 */ ]
    }
  ]
}
```

The example above shows the default single-actor shape. `actors` MAY
instead contain **2 or more actors**, each with its own `steps`, plus a
top-level `barriers` array for synchronization between them — see
**section 4.7 (Multi-actor / collaborative tests)** for the full schema,
validation rules, and a worked example. Everything in this section and 4.3-4.6
applies equally to each actor in a collaborative scenario.

| field | type | required | notes |
|---|---|---|---|
| `id` | string | yes | stable identifier for the actor |
| `name` | string | yes | human-readable name |
| `description` | string | no | optional notes |
| `browser` | `"chromium"` \| `"firefox"` \| `"webkit"` | no | defaults to `chromium` |
| `viewport` | `{width: int, height: int, mobile?: bool}` | no | pixel dimensions; `mobile: true` enables touch emulation |
| `steps` | Step[] | yes | ordered list of actions, executed top to bottom |

### 4.3 Common step fields

Every step is an object with at least `id` and `type`. These fields apply
across step types (only the relevant ones are used per type — see 4.4):

| field | type | applies to | notes |
|---|---|---|---|
| `id` | string | all | required, unique within the actor's steps. Used in run results and self-healing patches. |
| `type` | string | all | required. One of: `navigate`, `click`, `fill`, `select`, `hover`, `scroll`, `wait`, `assert`, `screenshot`, `upload`, `download`, `extract`, `press`, `drag`, `barrier_wait`, `barrier_open` (the last two are for collaborative/multi-actor scenarios — see section 4.7). |
| `selector` | string | click, fill, select, hover, scroll, assert, upload, extract, wait, press (optional), drag | CSS selector for the target element. Prefer stable selectors: `#id`, `[data-testid=...]`, `[name=...]`, `[aria-label=...]` over brittle nth-child/class chains. |
| `alternative_selectors` | string[] | click, fill, select, hover, scroll, assert, upload, drag, extract | optional fallback selectors tried by self-healing if the primary selector fails (see Self-healing, section 6). |
| `value` | string | fill, select, scroll, wait, screenshot, upload, press | meaning depends on step type — see 4.4. For `press`, the key name (e.g. `"Escape"`, `"Control+A"`). Supports `{{...}}` variable placeholders (section 4.5). |
| `url` | string | navigate | destination URL. Supports `{{BASE_URL}}` and other placeholders. |
| `assertion` | object | assert | `{type, expected?}` — see 4.4 `assert`. |
| `position` | `{x, y}` | click, drag | optional pixel offset from the target element's top-left corner. Defaults to the element's center. For `drag`, this is the offset within the **source** element. |
| `target_selector` | string | drag | destination element selector. Defaults to the source `selector` (same-element drag). |
| `target_position` | `{x, y}` | drag | optional pixel offset within the target element. Defaults to the element's center. |
| `timeout` | int (ms) | all (esp. navigate, wait, assert, extract) | per-step timeout in milliseconds. **Clamped server-side to 5000-120000 ms**; for `navigate` steps the effective minimum is **30000 ms** (a smaller value is raised to 30000). Values <= 0 or omitted default to 5000ms (or the type's own default — see per-step notes). Always specify timeouts explicitly in **milliseconds** (5000 = 5 seconds); never emit values like `30` meaning "30 seconds" — that becomes 30ms and is clamped up to 5000ms, likely causing the step to fail too fast. |
| `description` | string | all | human-readable description shown in run results/UI. Strongly recommended on every step. |
| `optional` | bool | all | if `true`, a failure on this step is tolerated and the run continues to the next step (e.g. for cookie-consent banners or one-time modals that may or may not appear). |
| `variable` | string | extract | name of the run-scoped variable to store the extracted value in. |
| `attribute` | string | extract, assert (with `assertion.type: "attribute"`) | which HTML attribute to read/compare. Empty/omitted means innerText (extract) or is required (assert attribute). |
| `regex` | string | extract | regex with exactly one capture group; if set, the **first capture group** of the match against the extracted raw text is stored instead of the raw text. |
| `barrier_id` | string | `barrier_wait`, `barrier_open` | required for these step types — references a `Barrier.id` from `scenario.barriers`. Single-actor scenarios omit this entirely. See section 4.7. |

### 4.4 Step types (full reference, one example each)

#### navigate
Navigates the page to a URL.
- `url` (string, required) — supports `{{BASE_URL}}` and other placeholders.
- Effective minimum timeout is 30000ms regardless of `timeout` value.

```json
{ "id": "step-1", "type": "navigate", "url": "{{BASE_URL}}/login", "description": "Go to the login page" }
```

#### click
Clicks the element matched by `selector`. Includes built-in handling for
custom dropdowns/comboboxes.
- `selector` (string, required)
- `alternative_selectors` (string[], optional)
- `position` (`{x, y}`, optional) — click at this pixel offset from the
  element's top-left corner instead of its center.

```json
{ "id": "step-4", "type": "click", "selector": "button[type=submit]", "alternative_selectors": ["#login-submit"], "description": "Submit the login form" }
```

#### fill
Types `value` into the input/textarea matched by `selector` (clears
existing content first).
- `selector` (string, required)
- `value` (string, required) — supports `{{SECRET_*}}`, `{{VAR:*}}`,
  `{{BASE_URL}}`, `{{FILE_*}}` placeholders. If the resolved value came from
  a `{{SECRET_*}}` placeholder it is treated as masked: the runner refuses to
  type it into anything but a `<input type="password">` and never logs it in
  plaintext (recorded as `"***"` in step results).
- `alternative_selectors` (string[], optional)

```json
{ "id": "step-3", "type": "fill", "selector": "#password", "value": "{{SECRET_DEMO_PASSWORD}}", "description": "Enter password" }
```

#### select
Chooses an option in a `<select>` element by value or visible label.
- `selector` (string, required)
- `value` (string, required) — option value or label

```json
{ "id": "step-6", "type": "select", "selector": "#country", "value": "US", "description": "Choose country" }
```

#### hover
Hovers the mouse over the element matched by `selector` (e.g. to open a menu).
- `selector` (string, required)

```json
{ "id": "step-7", "type": "hover", "selector": "#user-menu", "description": "Open the user menu" }
```

#### press
Sends a keyboard key press, using Playwright's key-name semantics:
- `value` (string, required) — the key to press. Single keys like
  `"Escape"`, `"Enter"`, `"Tab"`, `"ArrowDown"`, `"Backspace"`, `"PageDown"`,
  or letters/digits (`"a"`, `"1"`). Combos use `+`, e.g. `"Control+A"`,
  `"Shift+Tab"`, `"Meta+K"`.
- `selector` (string, optional) — if set, the runner focuses this element
  first (waits for it to be visible, then `.focus()`s it) before sending the
  key press. If omitted, the key press is sent to whatever currently has
  focus / the page itself.
- `alternative_selectors` (string[], optional) — fallback selectors for the
  optional `selector`.

Use `press` to dismiss modals/dialogs/dropdowns that have no clickable close
button (e.g. press `"Escape"`), to submit a form via `"Enter"`, or to
navigate custom widgets (`"ArrowDown"`, `"Tab"`) that don't respond to clicks.

```json
{ "id": "step-7a", "type": "press", "value": "Escape", "description": "Close the share dialog" }
```
With a selector (focus an element, then press a key):
```json
{ "id": "step-7b", "type": "press", "selector": "#search-input", "value": "Enter", "description": "Submit search" }
```

#### drag
Performs a drag gesture, starting from `selector`.
- `selector` (string, required) — the source element to drag.
- `position` (`{x, y}`, optional) — pixel offset within the source element
  where the drag starts. Defaults to the element's center.
- `target_selector` (string, optional) — the destination element. Defaults
  to `selector` (a same-element drag).
- `target_position` (`{x, y}`, optional) — pixel offset within the target
  element where the drag ends. Defaults to the element's center.
- `alternative_selectors` (string[], optional) — fallback selectors for
  `selector`.

Two modes:
- **Cross-element drag** (`target_selector` set and different from
  `selector`): uses Playwright's `dragTo`, which works for native HTML5
  drag-and-drop (`draggable="true"`) and for mouse-based reorderable lists
  (e.g. drag a kanban card to another column, reorder a list item).
- **Same-element point-to-point drag** (`target_selector` omitted or equal to
  `selector`): performs a raw mouse drag — `mousedown` at `position`, several
  intermediate `mousemove`s, then `mouseup` at `target_position`, both
  relative to the element's bounding box. Use this for canvas
  drawing/sketching, sliders, or custom drag surfaces that don't expose a
  separate drop target.

Cross-element example (kanban board):
```json
{ "id": "step-7c", "type": "drag", "selector": "#task-1", "target_selector": "#in-progress-column", "description": "Move task to In Progress" }
```
Same-element example (draw a line on a canvas):
```json
{
  "id": "step-7d",
  "type": "drag",
  "selector": "#drawing-canvas",
  "position": { "x": 200, "y": 150 },
  "target_position": { "x": 400, "y": 300 },
  "description": "Draw a diagonal line on the canvas"
}
```

#### scroll
Scrolls an element into view, or scrolls the page itself.
- `selector` (string, optional) — if set, scrolls this element into view
  (ignores `value`).
- `value` (string, optional, default `"down"`) — used only when `selector`
  is omitted. One of:
  - `"top"` — scroll to the very top of the page
  - `"bottom"` — scroll to the very bottom of the page
  - `"down"` — scroll down by one viewport height
  - `"up"` — scroll up by one viewport height
  - a numeric string, e.g. `"400"` or `"-200"` — scroll by that many pixels
    (negative = up)

```json
{ "id": "step-8", "type": "scroll", "value": "bottom", "description": "Scroll to footer" }
```
or, to scroll an element into view:
```json
{ "id": "step-8b", "type": "scroll", "selector": "#footer", "description": "Scroll footer into view" }
```

#### wait
Waits for a fixed duration, or until a URL pattern matches.
- `value` (string, optional):
  - `"url:/dashboard"` — wait until the current URL **contains** the
    substring `/dashboard` (deterministic, recommended after navigations
    that redirect, e.g. post-login).
  - `"url:!/login"` — wait until the current URL does **NOT** contain
    `/login` (negation via leading `!`).
  - a numeric string, e.g. `"1500"` — wait that many milliseconds
    (fixed delay).
  - omitted — falls back to `timeout` (or 1000ms if `timeout` is also
    unset/zero) as a fixed delay in milliseconds.
- `timeout` (int ms, optional) — for `url:` patterns, the max time to wait
  for the URL condition (still subject to the 5000-120000ms clamp). For
  fixed-delay waits, `timeout` can be used instead of `value` to specify the
  delay.

```json
{ "id": "step-2b", "type": "wait", "value": "url:/dashboard", "timeout": 15000, "description": "Wait for redirect to dashboard after login" }
```
Fixed delay example:
```json
{ "id": "step-9", "type": "wait", "value": "1500", "description": "Wait for animation" }
```

#### assert
Asserts a condition about the page or an element. See 4.4.1 for all 7
`assertion.type` values.
- `selector` (string, required for `visible`/`hidden`/`text`/`value`/`attribute`; not used for `url`/`title`)
- `assertion` (object, required) — `{type, expected?}`

```json
{ "id": "step-5", "type": "assert", "selector": "[data-testid=dashboard-heading]", "assertion": { "type": "visible" }, "description": "Dashboard heading is visible" }
```

##### 4.4.1 Assertion types (`assertion.type`)

| type | `selector` required? | `expected` | semantics |
|---|---|---|---|
| `visible` | yes | not used | waits until the element matched by `selector` is visible. Fails (timeout) if it never becomes visible. |
| `hidden` | yes | not used | waits until the element is hidden or absent from the DOM. |
| `text` | yes | yes (string) | waits for the element to be visible, then asserts its `textContent` **contains** `expected` (substring match). |
| `value` | yes | yes (string) | asserts an `<input>`/`<select>`/`<textarea>` element's current value **equals** `expected` (exact match). |
| `url` | no | yes (string) | waits until the current page URL **contains** `expected` (substring match). Use this after navigations/redirects. |
| `title` | no | yes (string) | waits (polling) until `document.title` **contains** `expected` (substring match). |
| `attribute` | yes | yes (string) | reads the HTML attribute named by the step's `attribute` field from the element matched by `selector`, and asserts it equals `expected`. Set the step-level `attribute` field (sibling of `assertion`), e.g. `{"id": "...", "type": "assert", "selector": "#flag", "attribute": "data-state", "assertion": {"type": "attribute", "expected": "open"}}`. |

Examples:
```json
{ "type": "text", "expected": "Welcome back" }
{ "type": "url", "expected": "/dashboard" }
{ "type": "title", "expected": "Dashboard" }
{ "type": "value", "expected": "demo@example.com" }
```

#### screenshot
Captures a screenshot for the run report (a screenshot is also captured
automatically on any step failure).
- `value` (string, optional) — base filename for the screenshot (without
  extension); if omitted, the step's `id` is used. The actual artifact key
  also includes a timestamp.

```json
{ "id": "step-10", "type": "screenshot", "value": "dashboard-loaded", "description": "Capture dashboard state" }
```

#### upload
Uploads a file to a `<input type="file">` element.
- `selector` (string, required) — the file input element.
- `value` (string, required) — file reference. Use a `{{FILE_NAME}}`
  placeholder for files uploaded via the Files API (section 7.7), resolved
  to a local path/URL the browser can attach.

```json
{ "id": "step-11", "type": "upload", "selector": "input[type=file]", "value": "{{FILE_resume}}", "description": "Upload resume" }
```

#### download
Verifies that clicking an element really serves a file download — without
transferring the whole file, so it is worker-safe for arbitrarily large
files (multi-GB model archives, exports, reports).
- `selector` (string, required) — the element that triggers the download.
- `value` (string, optional) — minimum expected file size in bytes
  (default 1). Checked against the response's `Content-Length` header.
- `timeout` (int ms, optional) — how long to wait for the download to start.

Semantics: clicks the selector, waits for the browser's download event,
then verifies server-side: the download URL's response status must be 2xx
and its `Content-Length` (when reported) must be >= the minimum size; a
small prefix (up to 64KB) is streamed to prove bytes actually flow, and the
transfer is then CANCELLED — the file is never fully downloaded or stored.
Failure messages are precise ("download responded 403", "Content-Length
1234 below required 1000000", "download event never fired within 15s").

```json
{ "id": "step-12", "type": "download", "selector": "button:has-text('Download model')", "value": "1000000", "description": "Verify the model archive (>=1MB) is actually served" }
```

Note: ANY download during a run (including ones triggered by plain `click`
steps) is automatically cancelled once it exceeds ~5MB, protecting worker
disk and bandwidth. Use the `download` step when you need the verification;
don't rely on plain clicks transferring large files.

#### extract
Reads text or an attribute from an element into a run-scoped variable,
available to **later steps in the same run** as `{{VAR:NAME}}`.
- `selector` (string, required) — element to read from. If multiple elements
  match, the runner attempts to disambiguate (prefers a single visible
  match).
- `alternative_selectors` (string[], optional) — fallback selectors tried by
  self-healing if `selector` doesn't match (see Self-healing, section 6).
- `variable` (string, required) — name of the variable (referenced later as
  `{{VAR:variable}}`).
- `attribute` (string, optional) — HTML attribute to read (e.g. `"href"`,
  `"data-order-id"`). If omitted (or `"value"` on a non-form element falls
  back to the `value` attribute), reads:
  - `<input>`/`<textarea>`/`<select>` -> their current `.value`
  - everything else -> `innerText`
- `regex` (string, optional) — a regex with **one capture group**; if it
  matches the raw extracted text, the **first capture group** is stored
  instead of the raw text. Useful when the content isn't pure JSON, e.g.
  `"Order #(\\w+)"` extracts the order ID from `"Order #AB123"`.
- `timeout` (int ms, optional, default 10000) — how long to wait for the
  element to become visible.

```json
{ "id": "step-12", "type": "extract", "selector": "[data-testid=order-id]", "variable": "ORDER_ID", "regex": "Order #(\\w+)", "description": "Capture the order ID for later steps" }
```

### 4.5 Variables & placeholders

`value` and `url` fields support `{{...}}` placeholder substitution,
resolved at run time:

| placeholder | resolves to |
|---|---|
| `{{BASE_URL}}` | the run's environment URL (only when an `environment` override is passed at trigger time), otherwise the test case's `default_base_url`. **Set `default_base_url` when creating the test case and omit `environment` on runs.** `${BASE_URL}` is an accepted equivalent spelling. |
| `{{SECRET_NAME}}` | the value of a project secret named `NAME` (created via `POST /secrets`, section 7.6). The placeholder is always the literal `SECRET_` prefix followed by the secret's name — a secret named `LOGIN_PASSWORD` is referenced as `{{SECRET_LOGIN_PASSWORD}}`. Never logged in plaintext; if the name contains PASSWORD/PWD/PASS, the runner only types it into password inputs. |
| `{{FILE_NAME}}` | a presigned URL/path for a project file named `NAME` (created via `POST /files`, section 7.7). Used in `upload` step `value`. |
| `{{VAR:NAME}}` | the value captured by an earlier `extract` step with `variable: "NAME"`, within the same run. Undefined if no prior `extract` step set it. |
| `{{TIMESTAMP}}` | the current Unix timestamp (e.g. `1710859200`), resolved once at run start. Use it to make form inputs unique across runs — e.g. `"value": "QA Project {{TIMESTAMP}}"` or `"value": "qa+{{TIMESTAMP}}@example.com"`. |
| `{{NUMBER:N}}` | a random zero-padded N-digit number (e.g. `{{NUMBER:6}}` → `042957`). Use for unique codes, SKUs, phone-number fragments. |
| `{{DATE}}` | today's date as `YYYY-MM-DD`. |

**Unique test data:** forms that reject duplicate names/emails/codes are the
most common cause of tests that pass once and fail on re-run. Prefer
`{{TIMESTAMP}}` / `{{NUMBER:N}}` in any `fill` value that must be unique.

### 4.6 Self-healing & `status: "healing"`

If a step's `selector` matches nothing, the runner first tries each of
`alternative_selectors` in order, then (if none work) an AI-assisted
strategy proposes new selectors. While this is happening the run's `status`
is `"healing"` (a non-terminal status — keep polling). If healing succeeds:
- the run resumes from the healed step,
- the step's result includes `used_selector` (the selector that actually
  worked) and `healed_at` (timestamp),
- the attempt is recorded in the run's `healing_attempts[]`,
- the test case's selector may be patched for future runs (visible in the
  test case's `patch_history[]`).

If healing exhausts its attempts, the run transitions to `failed` with
details in `error`.

To make tests resilient, always provide good `alternative_selectors` for
`click`/`fill`/`select`/`hover`/`scroll`/`assert`/`upload` steps when
multiple reasonable selectors exist for an element.

### 4.7 Multi-actor (collaborative) tests — advanced

Most tests need only one actor (section 4.2). When a test must model **two
or more independent users/sessions interacting at the same time** (e.g. an
admin provisions something that a developer then consumes), `scenario.actors`
can contain 2+ actors that run **concurrently**, synchronized via
`scenario.barriers`.

This is fully supported via the API (including API-key requests): submit
`scenario.actors` with 2+ entries and `scenario.barriers` describing the
sync points. A scenario that uses these features is validated strictly on
`POST /test-cases` / `PUT /test-cases/{id}` for API-key requests — see
"Validation" below.

#### Execution model

- Each actor in `scenario.actors` runs in its **own browser session on its
  own worker**, in parallel ("gang scheduling"). The run only starts once
  enough idle workers are available for **every** actor — on a cold worker
  pool, autoscaling typically provides them within **~2-3 minutes**; until
  then the run stays `pending`.
- If the number of actors permanently exceeds the total number of registered
  workers, the run is rejected immediately (it could never be scheduled).
- Run status aggregates across actors: if **any** actor fails, the overall
  run `status` is `failed`. Poll `GET /runs/{id}/status` exactly as for
  single-actor runs.
- Artifacts (video, trace, network log, etc.) are produced **per actor**,
  under `runs/<run_id>/<ActorName>/...` — see `GET /runs/{id}/artifacts`
  (section 2.6) and 6.3.

#### `scenario.barriers`

```json
{
  "barriers": [
    { "id": "key-ready", "name": "API key created", "description": "optional", "actor_ids": ["admin", "developer"] },
    { "id": "work-done", "name": "Developer finished", "actor_ids": ["admin", "developer"] }
  ]
}
```

| field | type | required | notes |
|---|---|---|---|
| `id` | string | yes | unique within the scenario; referenced by `barrier_id` on steps. |
| `name` | string | yes | human-readable name (shown in error messages, e.g. timeouts). |
| `description` | string | no | optional notes. |
| `actor_ids` | string[] | yes | the actors that participate in this synchronization point. Must reference actors that exist in `scenario.actors` and contain **at least 2** of them. |

#### `barrier_wait` and `barrier_open` steps

Both step types require `barrier_id` (referencing a `Barrier.id`):

```json
{ "id": "step-9", "type": "barrier_open", "barrier_id": "key-ready", "description": "Publish the API key for the developer" }
{ "id": "step-1", "type": "barrier_wait", "barrier_id": "key-ready", "description": "Wait for the admin to publish the API key" }
```

| step type | semantics |
|---|---|
| `barrier_wait` | Blocks this actor until the barrier is released. On release, the actor **receives all variables published to the barrier** (from any actor's `barrier_open` for the same `barrier_id`) and merges them into its own `{{VAR:*}}` namespace — they become usable in the actor's later steps. |
| `barrier_open` | **Publishes** all of this actor's accumulated variables (from its own `extract` steps and any variables it previously received via `barrier_wait`) to the barrier, then **releases the barrier immediately** (waking any actors blocked on it). |

A barrier also **auto-releases** once **every** actor in its `actor_ids` has
arrived at a `barrier_wait` for it — this works as a pure synchronization
point even with no `barrier_open` (e.g. "both actors must reach this point
before either continues", with no variables to hand off).

**Barrier timeout**: if a barrier is not released within **5 minutes** of
the first actor arriving, every actor still waiting on it fails with an
explicit error: `barrier "<name>" timed out before all actors arrived`. The
run's overall `status` becomes `failed`.

#### Variable handoff pattern (extract → barrier_open → barrier_wait → `{{VAR:*}}`)

The key recipe for passing data between actors:

1. Actor A runs an `extract` step, storing a value in `variable: "apiKey"`.
2. Actor A runs `barrier_open` for a barrier — this publishes `apiKey` (and
   any other accumulated variables) to that barrier and releases it.
3. Actor B's `barrier_wait` for the same barrier unblocks and **receives**
   `apiKey` into its own variable namespace.
4. Actor B can now reference `{{VAR:apiKey}}` in any later step.

#### Worked example: Admin provisions an API key, Developer uses it

Two actors, one barrier to hand off the key, a second barrier to signal the
developer is done so the admin can revoke it.

```json
{
  "actors": [
    {
      "id": "admin",
      "name": "Admin",
      "browser": "chromium",
      "steps": [
        { "id": "a1", "type": "navigate", "url": "{{BASE_URL}}/login", "description": "Go to login" },
        { "id": "a2", "type": "fill", "selector": "#email", "value": "admin@example.com", "description": "Enter admin email" },
        { "id": "a3", "type": "fill", "selector": "#password", "value": "{{SECRET_ADMIN_PASSWORD}}", "description": "Enter admin password" },
        { "id": "a4", "type": "click", "selector": "button[type=submit]", "description": "Log in" },
        { "id": "a5", "type": "navigate", "url": "{{BASE_URL}}/settings/api-keys", "description": "Go to API keys page" },
        { "id": "a6", "type": "click", "selector": "[data-testid=create-api-key]", "description": "Create a new API key" },
        { "id": "a7", "type": "extract", "selector": "[data-testid=new-api-key-value]", "variable": "apiKey", "description": "Capture the generated API key" },
        { "id": "a8", "type": "barrier_open", "barrier_id": "key-ready", "description": "Publish the API key to the developer" },
        { "id": "a9", "type": "barrier_wait", "barrier_id": "work-done", "description": "Wait for the developer to finish using the key" },
        { "id": "a10", "type": "click", "selector": "[data-testid=revoke-api-key]", "description": "Revoke the API key" },
        { "id": "a11", "type": "assert", "selector": "[data-testid=api-key-status]", "assertion": { "type": "text", "expected": "Revoked" }, "description": "Key shows as revoked" }
      ]
    },
    {
      "id": "developer",
      "name": "Developer",
      "browser": "chromium",
      "steps": [
        { "id": "d1", "type": "barrier_wait", "barrier_id": "key-ready", "description": "Wait for the admin to publish the API key" },
        { "id": "d2", "type": "navigate", "url": "https://api.example.com/docs", "description": "Open the Swagger UI" },
        { "id": "d3", "type": "click", "selector": "[data-testid=authorize-button]", "description": "Open the Authorize dialog" },
        { "id": "d4", "type": "fill", "selector": "#api-key-input", "value": "{{VAR:apiKey}}", "description": "Enter the API key from the admin" },
        { "id": "d5", "type": "click", "selector": "[data-testid=authorize-confirm]", "description": "Confirm authorization" },
        { "id": "d6", "type": "click", "selector": "[data-testid=try-it-out-get-users]", "description": "Try the GET /users endpoint" },
        { "id": "d7", "type": "click", "selector": "[data-testid=execute-button]", "description": "Execute the request" },
        { "id": "d8", "type": "assert", "selector": "[data-testid=response-status]", "assertion": { "type": "text", "expected": "200" }, "description": "Request succeeds with the admin's API key" },
        { "id": "d9", "type": "barrier_open", "barrier_id": "work-done", "description": "Signal the admin that testing is complete" }
      ]
    }
  ],
  "barriers": [
    { "id": "key-ready", "name": "API key created", "description": "Admin has generated an API key for the developer to use", "actor_ids": ["admin", "developer"] },
    { "id": "work-done", "name": "Developer finished", "description": "Developer has finished exercising the API; admin can revoke the key", "actor_ids": ["admin", "developer"] }
  ]
}
```

#### Validation (`code: "INVALID_SCENARIO"`)

For API-key requests, `POST /test-cases` and `PUT /test-cases/{id}` run
strict structural validation on any scenario with 2+ actors, any `barriers`,
or any `barrier_wait`/`barrier_open` step. If validation fails, the response
is `400` with `code: "INVALID_SCENARIO"` and an `error` string listing every
problem (`; `-joined). Rules:

- A scenario may have at most 5 actors.
- Every actor `id` must be non-empty and unique.
- Every step `id` must be non-empty and unique within its actor.
- Every `Barrier.id` must be non-empty and unique; `actor_ids` must
  reference existing actors and contain **at least 2** of them.
- Every `barrier_wait`/`barrier_open` step's `barrier_id` must reference an
  existing barrier, and the actor emitting the step must be one of that
  barrier's `actor_ids`. An actor may have at most one barrier step per
  barrier.
- **Liveness**: every actor listed in a barrier's `actor_ids` must have a
  corresponding `barrier_wait` or `barrier_open` step for that barrier —
  otherwise the barrier could never be reached by that actor and the run
  would hang until the 5-minute timeout. This is the most common validation
  failure; double-check that every participant actually has a step
  referencing each barrier it's listed under.

Single-actor scenarios with no barriers/barrier steps are unaffected by this
validation (it returns no problems immediately).

---

## 5. SUITES (recap)

See section 3 for the full create/run reference. Key facts:
- `POST /suites` creates a suite: `{project_id, name?, description?, steps:[{test_case_id, transition?}]}`.
- All test cases in a suite run **sequentially in one browser session/context**
  — cookies, localStorage, and run-scoped `{{VAR:*}}` variables persist
  across test cases within the suite run.
- `POST /suites/{id}/run` triggers execution; response is a TestRun with
  `suite_id` set. Poll exactly like a normal run.

---

## 6. RUNS

### 6.1 Status enum

| status | terminal? | meaning |
|---|---|---|
| `pending` | no | accepted, queued for a worker |
| `running` | no | a worker is actively executing the run |
| `healing` | no | a step failed and self-healing is searching for a working selector (see 4.6) |
| `passed` | **yes** | all steps completed successfully |
| `failed` | **yes** | one or more steps failed and self-healing did not recover |
| `cancelled` | **yes** | the run was cancelled before completion |
| `timed_out` | **yes** | the run exceeded its maximum allowed duration |

Poll `GET /runs/{id}/status` (or `GET /runs/{id}`) every 3-5 seconds until
`status` is one of the four terminal values.

### 6.2 Full run object — `GET /runs/{id}`

```json
{
  "id": "7c6b5a4d-...",
  "test_case_id": "1a2b3c4d-...",
  "test_case_version": 1,
  "project_id": "9e2b5e2a-...",
  "environment": "https://staging.example.com",
  "status": "passed",
  "started_at": "2026-06-10T10:01:00Z",
  "completed_at": "2026-06-10T10:01:42Z",
  "duration_ms": 42000,
  "triggered_by": "Jane Doe (user-123)",
  "correlation_id": "req-abc",
  "suite_id": "",
  "actor_runs": [
    {
      "actor_id": "user",
      "actor_name": "User",
      "browser": "chromium",
      "worker_id": "worker-1",
      "status": "passed",
      "step_results": [
        { "step_id": "step-1", "status": "passed", "duration_ms": 820, "step_type": "navigate", "step_description": "Go to the login page", "step_url": "https://staging.example.com/login" },
        {
          "step_id": "step-4",
          "status": "passed",
          "duration_ms": 410,
          "step_type": "click",
          "step_description": "Submit the login form",
          "step_selector": "button[type=submit]",
          "used_selector": "#login-submit",
          "healed_at": "2026-06-10T10:01:21Z"
        }
      ],
      "artifacts": {
        "video": "runs/7c6b5a4d-.../user/video.webm",
        "trace": "runs/7c6b5a4d-.../user/trace.zip",
        "network_log": "runs/7c6b5a4d-.../user/network-1781126043180.har",
        "console_log": "runs/7c6b5a4d-.../user/console-1781126043180.log",
        "final_snapshot": "runs/7c6b5a4d-.../user/final.png",
        "video_key": "runs/7c6b5a4d-.../user/video-1781126043180.webm",
        "subtitles_key": "runs/7c6b5a4d-.../user/video-1781126043180.vtt"
      }
    }
  ],
  "artifacts": { "combined_video": "", "report": "" },
  "healing_attempts": [],
  "error": null
}
```

#### `step_results[]` fields

| field | type | notes |
|---|---|---|
| `step_id` | string | matches the step's `id` from the scenario |
| `status` | `"passed"` \| `"failed"` \| `"skipped"` | outcome of this step |
| `duration_ms` | int | how long the step took |
| `error` | string | error message, if the step failed |
| `screenshot` | string | S3 key of a screenshot captured for this step (e.g. on failure) |
| `used_selector` | string | the selector that actually worked, if self-healing replaced the original |
| `healed_at` | timestamp | when self-healing patched this step, if applicable |
| `step_type`, `step_description`, `step_selector`, `step_value`, `step_url`, `step_optional` | various | snapshot of the step definition at execution time (password values shown as `"***"`) |

#### `error` (top-level, when `status` is `failed`/`timed_out`)

```json
{ "code": "STEP_FAILED", "message": "...", "actor_id": "user", "step_id": "step-4", "stacktrace": "..." }
```

### 6.3 Per-actor artifacts (`actor_runs[].artifacts`)

| field | extension | description |
|---|---|---|
| `video` / `video_key` | `.webm` | full screen recording of the actor's browser session |
| `trace` | `.zip` | Playwright trace (timeline, DOM snapshots, network) — open with trace.playwright.dev |
| `network_log` | `.har` | HTTP Archive of all network requests during the run (request/response bodies omitted; URLs, methods, statuses, timings, headers included) |
| `console_log` | `.log` | browser console output and uncaught page errors, one timestamped line per entry (capped at ~5000 lines) |
| `final_snapshot` | `.png` | screenshot of the final page state |
| `subtitles_key` | `.vtt` | WebVTT subtitles paired with the video, describing each step in time |
| (per-step) `screenshot` | `.png` | from `step_results[]`, captured by `screenshot` steps and automatically on failures |

`GET /runs/{id}/artifacts` lists every S3 key produced for the run as a flat
array (see 2.6). Use `GET /api/v1/artifacts/presign/<key>` or
`GET /api/v1/artifacts/<key>` to download (see 2.6).

---

## 7. FULL ENDPOINT REFERENCE

All paths are relative to `/api/v1`. All require `X-API-Key` unless noted.

### 7.1 Organizations (read-only via API key)

| method | path | notes |
|---|---|---|
| GET | `/orgs` | returns `{"items":[<the key's org>], "count":1}` |
| GET | `/orgs/{id}` | `{id}` must be the key's own org; returns the org object `{id, name, slug, created_at, updated_at}` |

### 7.2 Projects

| method | path | body / query | response |
|---|---|---|---|
| GET | `/projects?org_id=<org_id>` | query: `org_id` (required) | `{"items":[Project...], "count":N}` |
| POST | `/projects` | `{org_id, slug, name, description?, base_url?, environments?, custom_headers?}` (slug, name, org_id required) | `201` Project object |
| GET | `/projects/{id}` | `{id}` = UUID, or slug + `?org_id=<org_id>` | Project object |
| PUT | `/projects/{id}` | `{name, description?, base_url?, environments?, custom_headers?}`; optional `?org_id=` for slug resolution | Project object |
| DELETE | `/projects/{id}` | optional `?org_id=` for slug resolution | `204` |

Project object:
```json
{
  "id": "9e2b5e2a-...", "org_id": "5b3c2a1d-...", "slug": "marketing-site",
  "name": "Marketing Site", "description": "...", "base_url": "https://staging.example.com",
  "environments": [ { "name": "staging", "base_url": "https://staging.example.com" } ],
  "custom_headers": { "X-Test-Mode": "1" },
  "created_at": "...", "updated_at": "..."
}
```

Project-scoped sub-resources:
- `GET /projects/{id}/secrets` — list secret metadata for the project (see 7.6)
- `GET /projects/{id}/files` — list file metadata for the project (see 7.7)

### 7.3 Test cases

| method | path | body / query | response |
|---|---|---|---|
| GET | `/test-cases?project_id=<id>&limit=&cursor=` | query: `project_id` required | `PaginatedResponse<TestCase>` |
| POST | `/test-cases` | see 4.1 | `201` TestCase object |
| GET | `/test-cases/{id}` | `{id}` = UUID, or slug + `?project_id=<id>` | TestCase object |
| PUT | `/test-cases/{id}` | see 4.1; optional `?project_id=` for slug resolution | `200` TestCase object (new version) |
| DELETE | `/test-cases/{id}` | optional `?project_id=` for slug resolution | `204` |

TestCase object:
```json
{
  "id": "1a2b3c4d-...", "project_id": "9e2b5e2a-...", "name": "User can log in",
  "slug": "user-can-log-in", "description": "...", "version": 1,
  "scenario": { "actors": [ ... ] },
  "depends_on": "", "transition": "",
  "default_base_url": "https://staging.example.com",
  "patch_history": [],
  "created_at": "...", "updated_at": "...", "created_by": "..."
}
```

`POST /test-cases/generate` and `POST /test-cases/{id}/regenerate` are
**NOT available with API keys** (403).

### 7.4 Runs

| method | path | body / query | response |
|---|---|---|---|
| POST | `/runs` | `{test_case_id, project_id, test_case_version?, environment?}` — omit `environment` unless overriding the base URL (full URL or a project environment name; unknown names → 400) | `202` TestRun object |
| GET | `/runs?project_id=<id>&test_case_id=&suite_id=&limit=&cursor=` | query: `project_id` required; `test_case_id` and `suite_id` optional filters | `PaginatedResponse<TestRun>` |
| GET | `/runs/{id}` | optional `?org_id=` | full TestRun object (section 6.2) |
| GET | `/runs/{id}/status` | optional `?org_id=` | `{id, status, started_at, completed_at, duration_ms}` |
| GET | `/runs/{id}/artifacts` | — | `{run_id, artifacts: [<S3 keys>]}` |

### 7.5 Suites

| method | path | body / query | response |
|---|---|---|---|
| POST | `/suites` | `{project_id, name?, description?, steps:[{test_case_id, transition?}]}` | `201` Suite object |
| GET | `/suites?project_id=<id>&limit=&cursor=` | query: `project_id` required | `PaginatedResponse<Suite>` |
| GET | `/suites/{id}` | `{id}` = UUID, or slug + `?project_id=<id>` | Suite object |
| PUT | `/suites/{id}` | `{name, description?, steps:[...]}`; optional `?project_id=` for slug resolution | Suite object |
| DELETE | `/suites/{id}` | optional `?project_id=` | `204` |
| POST | `/suites/{id}/run` | `{environment?}` (optional body) | `202` TestRun object with `suite_id` set |

`POST /suites/{id}/probe` is **NOT available with API keys** (requires user
session).

### 7.6 Secrets

Project-scoped, encrypted at rest. Values are write-only (never returned
after creation). Reference in step `value`/`url` fields as
`{{SECRET_NAME}}`.

| method | path | body / query | response |
|---|---|---|---|
| POST | `/secrets` | `{project_id, name, value, description?}` (project_id, name, value required) | `201 {"status":"created","name":"<name>"}` |
| GET | `/secrets?project_id=<id>` (or `/projects/{id}/secrets`) | query: `project_id` required | `{"items":[{id, project_id, name, description, created_at, updated_at}], "count":N}` (no values) |
| PUT | `/secrets/{id}` | `{value, description?}` (value required) | `200 {"status":"updated"}` |
| DELETE | `/secrets/{id}` | — | `204` |

Note: `POST /secrets/resolve` exists but is intended for internal worker use.

### 7.7 Files

Project-scoped binary files (max 20 MB), referenced from `upload` steps as
`{{FILE_NAME}}`.

| method | path | body / query | response |
|---|---|---|---|
| POST | `/files` | `multipart/form-data`: `project_id`, `name`, `description?` (form fields) + `file` (form file, required) | `201` file metadata |
| GET | `/files?project_id=<id>` (or `/projects/{id}/files`) | query: `project_id` required | `{"items":[FileMeta...], "count":N}` |
| GET | `/files/{id}/download` | — | `{"url": "<presigned S3 URL>"}` |
| DELETE | `/files/{id}` | — | `204` |

File metadata object:
```json
{
  "id": "f-1", "project_id": "9e2b5e2a-...", "name": "resume",
  "file_name": "resume.pdf", "content_type": "application/pdf", "size": 102400,
  "description": "", "created_at": "...", "updated_at": "..."
}
```
Example upload:
```bash
curl -X POST https://kintsugi-qa.com/api/v1/files \
  -H "X-API-Key: <api_key>" \
  -F "project_id=<project_id>" \
  -F "name=resume" \
  -F "description=Sample resume PDF" \
  -F "file=@/path/to/resume.pdf"
```
Note: `POST /files/resolve` exists but is intended for internal worker use.

### 7.8 Schedules

Cron-based triggers for a test case or suite.

| method | path | body / query | response |
|---|---|---|---|
| POST | `/schedules` | `{project_id, name, cron_expression, suite_id? or test_case_id?, environment?, enabled}` (project_id, name, cron_expression required; exactly one of suite_id/test_case_id required; `environment` same semantics as on `POST /runs` — omit unless overriding) | `201` Schedule object |
| GET | `/schedules?project_id=<id>` | query: `project_id` required | `{"items":[Schedule...], "count":N}` |
| GET | `/schedules/{id}` | — | Schedule object |
| PUT | `/schedules/{id}` | same fields as create | Schedule object |
| DELETE | `/schedules/{id}` | — | `200 {"status":"deleted"}` |

Schedule object:
```json
{
  "id": "sch-1", "project_id": "9e2b5e2a-...", "name": "Nightly smoke test",
  "cron_expression": "0 3 * * *", "suite_id": "su-1", "test_case_id": "",
  "environment": "staging", "enabled": true,
  "next_run_at": "2026-06-11T03:00:00Z", "last_run_at": "2026-06-10T03:00:00Z",
  "last_run_id": "7c6b5a4d-..."
}
```
`cron_expression` is a standard 5-field cron expression evaluated in UTC.

### 7.9 Webhook tokens

Per-test-case or per-suite tokens that let CI/CD systems trigger runs
**without** an API key — the token itself is the credential.

| method | path | body / query | response |
|---|---|---|---|
| POST | `/webhook-tokens` | `{project_id, test_case_id? or suite_id?, label?}` (project_id required; exactly one of test_case_id/suite_id required) | `201` token object (includes plaintext `token`) |
| GET | `/webhook-tokens?project_id=<id>` | query: `project_id` required | `{"items":[token...], "count":N, "has_more":false}` |
| GET | `/webhook-tokens/{id}` | — | token object |
| PUT | `/webhook-tokens/{id}/toggle` | `{enabled: bool}` | token object |
| POST | `/webhook-tokens/{id}/regenerate` | — | token object with new `token` value (old one invalidated) |
| DELETE | `/webhook-tokens/{id}` | — | `204` |

Token object:
```json
{
  "id": "wt-1", "token": "whk_...", "project_id": "9e2b5e2a-...",
  "test_case_id": "1a2b3c4d-...", "suite_id": "", "enabled": true, "label": "CI pipeline",
  "trigger_url": "https://kintsugi-qa.com/webhook/trigger/whk_...",
  "trigger_count": 0, "last_used_at": "", "created_at": "...", "updated_at": "..."
}
```

To trigger via the token (separate from `/api/v1`, **no API key needed**):
```bash
curl -X POST https://kintsugi-qa.com/webhook/trigger/whk_... \
  -H "Content-Type: application/json" \
  -d '{ "ref": "ci-build-123" }'
```
(`environment` and `ref` are both optional — `environment` has the same
semantics as on `POST /runs` (omit unless overriding); `ref` is recorded as part of
`triggered_by`.) `GET /webhook/trigger/{token}` also works (no body).
Response: `202 Accepted` TestRun object.

### 7.10 Artifacts

| method | path | response |
|---|---|---|
| GET | `/artifacts/{key}` | streams the artifact (authenticated, supports `Range` header for video seeking) |
| GET | `/artifacts/presign/{key}` | `{"url": "<15-min presigned S3 URL>", "key": "<key>"}` — the `url` requires no auth |

`{key}` is the full S3 key path exactly as returned by
`/runs/{id}/artifacts`, e.g. `runs/<run_id>/<actor_name>/video-<timestamp>.webm`.
Keys contain generated timestamps — always copy them from the artifacts
response rather than constructing them.

**Timing:** artifacts upload asynchronously AFTER the run reaches a terminal
status (the browser must close before video/HAR finalize) — they typically
appear within ~60 seconds of completion. If an expected artifact is missing
from `/runs/{id}/artifacts`, re-poll for up to a minute before concluding it
doesn't exist.

---

## 8. COMPLETE WORKED EXAMPLE: login flow

### 8.1 Test case JSON (login -> dashboard -> extract welcome text -> screenshot)

```json
{
  "project_id": "9e2b5e2a-2f4e-4f7a-9c1a-1c2d3e4f5a6b",
  "name": "User can log in and see welcome message",
  "description": "Logs in with valid credentials, lands on the dashboard, and captures the welcome message",
  "default_base_url": "https://staging.example.com",
  "scenario": {
    "actors": [
      {
        "id": "user",
        "name": "User",
        "browser": "chromium",
        "viewport": { "width": 1280, "height": 800, "mobile": false },
        "steps": [
          {
            "id": "step-1",
            "type": "navigate",
            "url": "{{BASE_URL}}/login",
            "description": "Go to the login page",
            "timeout": 30000
          },
          {
            "id": "step-2",
            "type": "fill",
            "selector": "#email",
            "value": "demo@example.com",
            "description": "Enter email",
            "timeout": 10000
          },
          {
            "id": "step-3",
            "type": "fill",
            "selector": "#password",
            "value": "{{SECRET_LOGIN_PASSWORD}}",
            "description": "Enter password",
            "timeout": 10000
          },
          {
            "id": "step-4",
            "type": "click",
            "selector": "button[type=submit]",
            "alternative_selectors": ["#login-submit", "[data-testid=login-button]"],
            "description": "Submit the login form",
            "timeout": 10000
          },
          {
            "id": "step-5",
            "type": "wait",
            "value": "url:/dashboard",
            "description": "Wait for redirect to dashboard",
            "timeout": 15000
          },
          {
            "id": "step-6",
            "type": "assert",
            "selector": "[data-testid=dashboard-heading]",
            "assertion": { "type": "url", "expected": "/dashboard" },
            "description": "URL contains /dashboard",
            "timeout": 10000
          },
          {
            "id": "step-7",
            "type": "extract",
            "selector": "[data-testid=welcome-message]",
            "variable": "WELCOME_TEXT",
            "description": "Capture the welcome message text",
            "timeout": 10000
          },
          {
            "id": "step-8",
            "type": "assert",
            "selector": "[data-testid=welcome-message]",
            "assertion": { "type": "text", "expected": "Welcome" },
            "description": "Welcome message contains 'Welcome'",
            "timeout": 10000
          },
          {
            "id": "step-9",
            "type": "screenshot",
            "value": "dashboard-after-login",
            "description": "Capture the dashboard after login"
          }
        ]
      }
    ]
  }
}
```

Note: `{{SECRET_LOGIN_PASSWORD}}` references the project secret named
`LOGIN_PASSWORD` created in step 8.2 below (placeholder = `SECRET_` prefix +
the secret's name).
`assertion.type: "url"` in step-6 does not require `selector` — it is
included here only for context/UI display, but the URL check is the active
assertion. `step-6`'s `assertion.expected: "/dashboard"` checks
`page.url()` contains `/dashboard`.

### 8.2 Full curl sequence: create -> run -> poll -> download video

```bash
HOST="https://kintsugi-qa.com"
KEY="ksk_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
ORG_ID="5b3c2a1d-..."
PROJECT_ID="9e2b5e2a-2f4e-4f7a-9c1a-1c2d3e4f5a6b"

# 1. Create the secret used by {{LOGIN_PASSWORD}}
curl -s -X POST "$HOST/api/v1/secrets" \
  -H "X-API-Key: $KEY" -H "Content-Type: application/json" \
  -d "{\"project_id\":\"$PROJECT_ID\",\"name\":\"LOGIN_PASSWORD\",\"value\":\"hunter2\",\"description\":\"Demo account password\"}"
# => {"status":"created","name":"LOGIN_PASSWORD"}

# 2. Create the test case (body = the JSON from 8.1)
TC_ID=$(curl -s -X POST "$HOST/api/v1/test-cases" \
  -H "X-API-Key: $KEY" -H "Content-Type: application/json" \
  -d @login-test-case.json | jq -r .id)
echo "test_case_id=$TC_ID"

# 3. Trigger a run
RUN_ID=$(curl -s -X POST "$HOST/api/v1/runs" \
  -H "X-API-Key: $KEY" -H "Content-Type: application/json" \
  -d "{\"test_case_id\":\"$TC_ID\",\"project_id\":\"$PROJECT_ID\"}" | jq -r .id)
echo "run_id=$RUN_ID"

# 4. Poll until terminal (every 3-5s)
while true; do
  STATUS=$(curl -s "$HOST/api/v1/runs/$RUN_ID/status" -H "X-API-Key: $KEY" | jq -r .status)
  echo "status=$STATUS"
  case "$STATUS" in
    passed|failed|cancelled|timed_out) break ;;
  esac
  sleep 4
done

# 5. List artifacts (keys contain generated timestamps — read them, never guess)
ARTIFACTS=$(curl -s "$HOST/api/v1/runs/$RUN_ID/artifacts" -H "X-API-Key: $KEY")
echo "$ARTIFACTS" | jq .
# => { "run_id": "...", "artifacts": ["runs/<run_id>/User/video-1781126043180.webm", "runs/<run_id>/User/video-1781126043180.vtt", ...] }

# 6. Download the video via presigned URL (pick the .webm key from the list)
VIDEO_KEY=$(echo "$ARTIFACTS" | jq -r '.artifacts[] | select(endswith(".webm"))' | head -1)
VIDEO_URL=$(curl -s "$HOST/api/v1/artifacts/presign/$VIDEO_KEY" -H "X-API-Key: $KEY" | jq -r .url)
curl -o video.webm "$VIDEO_URL"

# 7. (Optional) Download any screenshot the same way (pick a .png key from the list)
PNG_KEY=$(echo "$ARTIFACTS" | jq -r '.artifacts[] | select(endswith(".png"))' | head -1)
curl -o screenshot.png \
  "$(curl -s "$HOST/api/v1/artifacts/presign/$PNG_KEY" -H "X-API-Key: $KEY" | jq -r .url)"

# 8. (Optional) Get full run detail with per-step results
curl -s "$HOST/api/v1/runs/$RUN_ID" -H "X-API-Key: $KEY" | jq .
```