API Test Suite Builder

The problem you're describing — frontend and backend breaking each other — is a coordination failure between teams sharing an implicit contract. Contract testing makes that contract explicit and automated.

Consumer-Driven vs Provider-Driven

Provider-driven (what most teams do accidentally): the backend team decides what the API looks like, publishes docs, and the frontend adapts. When the backend changes something, the frontend finds out in integration testing or production. This is your current situation.

Consumer-driven contract testing: the frontend team defines the contract — "I need this endpoint to return these fields in this shape" — and publishes that expectation. The backend runs those expectations as part of its own test suite. If the backend would break the frontend contract, the backend's CI fails before the code is merged.

The consumer drives the contract. The provider is responsible for not breaking it.

Pact: The Standard Tool

Pact is the most widely adopted consumer-driven contract testing framework. It has clients for JavaScript, Python, Go, Java, Ruby, and more — which is important when your frontend and backend use different languages.

Step 1: Write the consumer contract (frontend team)

// frontend/src/api/__tests__/user.pact.test.ts
import { PactV3, MatchersV3 } from '@pact-foundation/pact';
import { UserApiClient } from '../userApiClient';

const { like, string, iso8601DateTime } = MatchersV3;

const provider = new PactV3({
  consumer: 'WebApp',
  provider: 'UserService',
  dir: './pacts',  // pact files written here
});

describe('UserService contract', () => {
  it('returns user profile for valid ID', async () => {
    await provider.addInteraction({
      states: [{ description: 'user 123 exists' }],
      uponReceiving: 'a request for user profile',
      withRequest: {
        method: 'GET',
        path: '/api/v1/users/123',
        headers: { Authorization: like('Bearer token') },
      },
      willRespondWith: {
        status: 200,
        headers: { 'Content-Type': 'application/json' },
        body: {
          id: string('123'),
          email: string('user@example.com'),
          name: string('Test User'),
          createdAt: iso8601DateTime(),
          // NOTE: frontend does NOT use passwordHash — not in contract
        },
      },
    });

    await provider.executeTest(async (mockServer) => {
      const client = new UserApiClient(mockServer.url);
      const user = await client.getUser('123');
      expect(user.id).toBe('123');
      expect(user).not.toHaveProperty('passwordHash');
    });
  });
});

Running this test generates a Pact file (./pacts/WebApp-UserService.json) — a JSON document describing exactly what the frontend expects.

Step 2: Publish the contract to Pact Broker

npx pact-broker publish ./pacts \
  --broker-base-url https://your-pact-broker.com \
  --broker-token $PACT_BROKER_TOKEN \
  --consumer-app-version $(git rev-parse HEAD) \
  --tag main

PactFlow offers a hosted broker. Self-hosted is also available.

Step 3: Backend verifies against the contract

// backend/src/__tests__/pact.provider.test.ts
import { PactV3 } from '@pact-foundation/pact';

const verifier = new PactV3({
  provider: 'UserService',
  providerBaseUrl: 'http://localhost:3000',
  pactBrokerUrl: 'https://your-pact-broker.com',
  pactBrokerToken: process.env.PACT_BROKER_TOKEN,
  publishVerificationResult: true,
  providerVersion: process.env.GIT_SHA,
  consumerVersionSelectors: [{ mainBranch: true }, { deployedOrReleased: true }],
});

describe('UserService provider verification', () => {
  it('verifies all consumer contracts', async () => {
    await verifier.verifyProvider();
  });
});

The backend test fetches the published Pact file and replays the interactions against the real backend. If the backend returns a 200 with fields the frontend expects, the test passes. If a backend developer removes the name field from the response, this test fails.

Fitting Into CI/CD

Frontend CI:
  1. Run consumer pact tests → generates pact file
  2. Publish pact file to broker
  3. "Can I deploy?" check → broker confirms backend has verified this contract

Backend CI:
  1. Fetch latest consumer contracts from broker
  2. Run provider verification tests against real running backend
  3. Publish verification result to broker
  4. If verification fails → BUILD FAILS → PR is blocked

The can-i-deploy command is the enforcement mechanism:

npx pact-broker can-i-deploy \
  --pacticipant WebApp \
  --version $(git rev-parse HEAD) \
  --to-environment production

This command queries the broker: "Has every provider that WebApp depends on verified it works with this version of WebApp?" If not, it exits non-zero and blocks the deploy.

Organizational Side

Who owns the contract: The consumer (frontend) team. They write the Pact tests and update them when their integration needs change.

How to handle breaking changes: If the backend needs to remove or rename a field the frontend uses, the process is:

1. Backend team proposes the change and tags it
2. Frontend team updates their Pact test to reflect the new shape
3. Frontend publishes the new contract
4. Backend verifies and deploys

The contract makes this coordination explicit and forces both teams to communicate before merging. That's the point — it replaces "we found out it was broken in staging" with "we knew about this change before it was merged."

Start with one or two critical endpoints (auth, core data fetch), prove the workflow, then expand. Contract testing the entire API at once is overwhelming — build the habit on a small surface area first.

90% coverage with regressions is a well-known trap. Coverage tells you which lines were executed during tests — not whether those tests would catch a bug on those lines. Mutation testing answers the real question: if this code were wrong, would my tests notice?

What Mutation Testing Does

A mutation testing tool makes small, deliberate code changes ("mutants") — flipping a > to >=, changing && to ||, removing a return statement, negating a condition — then runs your test suite against each mutant.

If your tests catch the change (at least one test fails), the mutant is killed. If your tests all pass despite the broken code, the mutant survives. Surviving mutants are lines of logic your tests aren't actually validating.

Mutation score = killed mutants / total mutants × 100%

A 90% line coverage test suite might have a 55% mutation score — meaning nearly half of your logic changes would go undetected. That's where your regressions are coming from.

Applying Mutation Testing to APIs

The most valuable targets in an API context:

Validation logic — Does removing a required-field check cause tests to fail? If not, you have no test that submits a request missing that field.

Authorization checks — Does flipping user.role === 'admin' to user.role !== 'admin' get caught? If not, you likely don't have a test that verifies a non-admin is rejected.

Business rules — Does changing price * quantity to price + quantity get caught by any test? If not, no test is asserting on the computed value.

Status code assertions — Does changing a 403 to a 200 get caught? If not, your tests aren't checking the status code on that branch.

Tools

JavaScript/TypeScript — Stryker

npm install --save-dev @stryker-mutator/core @stryker-mutator/jest-runner

# Initialize config
npx stryker init

stryker.config.json:

{
  "testRunner": "jest",
  "coverageAnalysis": "perTest",
  "mutate": [
    "src/routes/**/*.ts",
    "src/middleware/**/*.ts",
    "src/services/**/*.ts",
    "!src/**/*.test.ts"
  ],
  "reporters": ["html", "clear-text", "progress"]
}

# Run mutation testing (takes longer than normal test suite — plan accordingly)
npx stryker run

Output:

Mutation score: 68.4% (327 killed / 478 total)

Surviving mutants:
────────────────────────────────────────────────────
src/routes/orders.ts:47:12
  Original:  if (order.userId !== req.user.id) {
  Mutant:    if (order.userId === req.user.id) {
  → Tests did not catch this. No test verifies the 403 when a user accesses another user's order.

src/services/pricing.ts:23:28
  Original:  return subtotal * (1 - discount)
  Mutant:    return subtotal + (1 - discount)
  → Tests did not catch this. No test asserts the discounted price value.

Python — mutmut

pip install mutmut
mutmut run --paths-to-mutate src/api/
mutmut results
mutmut show 47  # inspect a specific surviving mutant

Mutation Score vs Coverage — What's "Good"

Don't aim for 100%. Some mutants are "equivalent mutants" — logically identical to the original — and will always survive. Chasing 100% wastes time. Target 80%+ on your critical business logic, 70%+ on validation, and don't bother with trivially simple code.

Practical Starting Point

Don't run mutation testing on your entire codebase on day one. It's computationally expensive and the volume of surviving mutants will be paralyzing.

Week 1: Run on one high-risk module — authentication middleware or payment processing. Fix the surviving mutants. Build the habit.

# Scope to a single file
npx stryker run --mutate "src/middleware/auth.ts"

Week 2–4: Expand to validation logic and core business rules. Add to CI as an informational step (don't fail the build yet — just report the score).

Ongoing: Add --incremental flag (Stryker supports this) to only mutate changed files, keeping CI times manageable:

npx stryker run --incremental

The key insight: a surviving mutant in your auth middleware is a security gap your tests won't catch. That's more valuable information than knowing your line coverage is 90%.