{"version":1,"updatedAt":"2026-05-06","docs":[{"slug":"overview","title":"Testorax overview","summary":"What Testorax does, who it is for, and the single run-credit pricing model.","path":"/api/docs/overview.json","canonicalUrl":"/","audience":"public","tags":["overview","intro","product"]},{"slug":"pricing","title":"Pricing — single run-credit ledger","summary":"Free 10 runs, Starter Pack $2/10 runs (one-time, stacks), monthly subscriptions Builder $20/Pro $49/Studio $99/Scale $199 with included monthly runs.","path":"/api/docs/pricing.json","canonicalUrl":"/pricing","audience":"public","tags":["pricing","plans","billing"]},{"slug":"runs","title":"Runs — start, status, report","summary":"How to start a run via /api/runs/start, check status via /api/runs/:id, and read the structured report.","path":"/api/docs/runs.json","canonicalUrl":"/api-docs","audience":"agent","tags":["runs","api","lifecycle"]},{"slug":"scenario-runner","title":"Scenario Runner mode","summary":"Use customScenarios + executeOnly to run hard-asserted, agent-authored test steps with proof.","path":"/api/docs/scenario-runner.json","canonicalUrl":"/docs/scenarios","audience":"agent","tags":["scenario_runner","custom_scenarios","workflow"]},{"slug":"mutation-proof","title":"Mutation Proof","summary":"How Testorax verifies that scenarios actually catch the bugs they claim to.","path":"/api/docs/mutation-proof.json","canonicalUrl":"/docs/scenarios","audience":"agent","tags":["mutation_proof","proof","quality"]},{"slug":"visual-quality","title":"Visual Quality findings","summary":"Tap targets, horizontal overflow, console errors, network failures, and other visual-layer findings on desktop and mobile.","path":"/api/docs/visual-quality.json","canonicalUrl":"/docs/scenarios","audience":"agent","tags":["visual_quality","mobile","fast_bug_scan"]},{"slug":"backend-proof","title":"Backend Proof","summary":"Per-step backend assertions: did the click that the user made actually persist a record server-side?","path":"/api/docs/backend-proof.json","canonicalUrl":"/docs/scenarios","audience":"agent","tags":["backend_proof","persistence","readback"]},{"slug":"proof-scores","title":"Proof Scores","summary":"Composite score combining mutation, visual, backend, and click diagnostics into a single 0-100 number.","path":"/api/docs/proof-scores.json","canonicalUrl":"/docs/scenarios","audience":"agent","tags":["proof_score","quality","composite"]},{"slug":"run-diff","title":"Run diff","summary":"Compare two runs to surface regressions and fixes.","path":"/api/docs/run-diff.json","canonicalUrl":"/runs/diff","audience":"agent","tags":["run_diff","regression","compare"]},{"slug":"templates","title":"Scenario Template Gallery","summary":"33 safe-by-default templates (24 app-type + 9 proof-pattern). Customer UI submits via /api/runs/start.","path":"/api/docs/templates.json","canonicalUrl":"/templates","audience":"agent","tags":["templates","gallery","starting_points"]},{"slug":"mcp","title":"MCP integration","summary":"Hosted and stdio MCP servers expose Testorax tools to Claude, Cursor, and other MCP-capable agents.","path":"/api/docs/mcp.json","canonicalUrl":"/api-docs","audience":"agent","tags":["mcp","agent","integration"]},{"slug":"safety","title":"Safety model","summary":"What Testorax refuses to do: SSRF, destructive production action, real payment, raw secrets, video/replay storage.","path":"/api/docs/safety.json","canonicalUrl":"/docs/scenarios","audience":"agent","tags":["safety","guardrails","redaction"]},{"slug":"refund-policy","title":"Refund Policy","summary":"30-day usage-based refund window. One-time packages refundable if unused or minimally used. Subscriptions refundable for the first payment within 30 days subject to usage.","path":"/api/docs/refund-policy.json","canonicalUrl":"/refund-policy","audience":"public","tags":["refund","policy","cancellation"]},{"slug":"agents","title":"Agent guide","summary":"How coding agents (Claude, Cursor, Copilot) use Testorax: start a run, fetch findings, verify fixes.","path":"/api/docs/agents.json","canonicalUrl":"/docs/agent-setup","audience":"agent","tags":["agents","guide","workflow"]},{"slug":"agent-quickstart","title":"Agent Quickstart","summary":"Cold-start walkthrough for coding agents. Five steps, one decision tree, no prior knowledge of Testorax required. Start here if you have never used Testorax before.","path":"/api/docs/agent-quickstart.json","canonicalUrl":"/docs/agent-quickstart","audience":"agent","tags":["agent_quickstart","cold_start","first_run","compact_proof","decision_tree"]},{"slug":"agent-fix-loop","title":"Agent Fix Loop","summary":"Coding agents read the Proof Packet, apply the AI Fix Prompt, and verify with Fix Check. Only verdict=fixed_verified counts as a real fix.","path":"/api/docs/agent-fix-loop.json","canonicalUrl":"/docs/agent-fix-loop","audience":"agent","tags":["agent_fix_loop","proof_packet","fix_check","ai_fix_prompt"]},{"slug":"login-memory","title":"Login Memory","summary":"Save a login to your app once, then run authenticated Vibe Tests without re-typing your password — and without exposing the session to your coding agent. Customers create saved logins themselves; agents reference them by id.","path":"/api/docs/login-memory.json","canonicalUrl":"/docs/login-memory","audience":"agent","tags":["login_memory","safe_login","auth_session","authenticated_run"]},{"slug":"authenticated-smoke","title":"Authenticated Smoke Test","summary":"Test mode for logged-in dashboards / admin panels / behind-auth surfaces. Loads a saved Login Memory profile, visits each route, captures per-route classification + screenshot + console errors + failed network requests. Read-only. $1.99 / audit. Up to 25 routes.","path":"/api/docs/authenticated-smoke.json","canonicalUrl":"/docs/authenticated-smoke","audience":"agent","tags":["authenticated_smoke","login_memory","admin_panel","dashboard_audit","read_only","behind_auth"]},{"slug":"watch-test-live","title":"Watch Test Live / Run Console","summary":"Live observation of a Testorax run as it executes — current status, current step, recent proof events, latest screenshot. Polled JSON, NOT video replay, NOT session recording, NOT frame stream.","path":"/api/docs/watch-test-live.json","canonicalUrl":"/docs/watch-test-live","audience":"agent","tags":["watch_test_live","run_console","live_observation","proof_events"]},{"slug":"vibe-browser-engine","title":"Vibe Browser Engine","summary":"Deterministic capability matrix for browser engines Testorax can run scenarios on. Default: managed Chromium on Hetzner. Cloud browser providers NOT activated. Video replay, session recording, browser takeover NOT available. iOS Safari and extension testing NOT implemented.","path":"/api/docs/vibe-browser-engine.json","canonicalUrl":"/docs/vibe-browser-engine","audience":"agent","tags":["vibe_browser_engine","browser_capabilities","engine_selection","capability_matrix"]},{"slug":"authenticated-scenarios","title":"Authenticated scenarios (proof-flow hardening)","summary":"How to run authenticated dashboard tests on sandbox/staging hosts safely. setCookie / clearSession / clickByTestId / fillByTestId actions, with all values masked everywhere. Production-looking domains refused before billing — no run created, no credit deducted.","path":"/api/docs/authenticated-scenarios.json","canonicalUrl":"/docs/authenticated-scenarios","audience":"agent","tags":["authenticated_scenarios","session_injection","data_testid","proof_bundle","sandbox"]},{"slug":"run-history-intelligence","title":"Run History Intelligence (Proof Memory) — Stage A","summary":"Deterministic read-only classifier over Testorax run history. Surfaces recurring issues, weak passes, false-pass risks, stale deploys, selector failures, and proof-quality patterns. No LLM calls. No mutation of historical data.","path":"/api/docs/run-history-intelligence.json","canonicalUrl":"/docs/run-history-intelligence","audience":"agent","tags":["proof_memory","run_intelligence","classification","cluster_analysis","history_scan"]},{"slug":"compact-proof","title":"Compact Proof Summary (Agent Compact Mode) — Stage A","summary":"Small (~1–3 KB), agent-first JSON summary of a run. Lets coding agents read verdict, failure type, failed step, trust warning, and next safe action BEFORE downloading a full report. Read-only; no LLM call.","path":"/api/docs/compact-proof.json","canonicalUrl":"/docs/compact-proof","audience":"agent","tags":["compact_proof","agent_compact_mode","agent_summary","progressive_evidence"]},{"slug":"operational-depth-layer","title":"Operational Depth Layer v1 — universal classifier","summary":"Universal classifier (not app-specific) that tells apart shallow public/static/login-wall runs from runs that actually exercised authenticated operational surfaces. Surfaces verdict, depth score, traversal memory, action novelty, and recommendedNextRun. Stops ceremonial reruns. No engine change. No LLM. Read-only projection over existing run data.","path":"/api/docs/operational-depth-layer.json","canonicalUrl":"/docs/operational-depth-layer","audience":"agent","tags":["operational_depth","traversal_memory","action_novelty","shallow_audit_detector","ceremonial_rerun_prevention"]},{"slug":"stateful-traversal-runtime-substrate","title":"Stateful Traversal Runtime — substrate v1","summary":"Universal substrate (not app-specific) that defines the stable shared schema for future engine-side traversal memory: transition fingerprints, traversal memory summary, runtime novelty, workflow continuity verdicts. SUBSTRATE ONLY — no engine code, no executor change, no Hetzner deploy. The CF projection emits a legacy projection over click_audit_events until the engine emitter ships in a future phase.","path":"/api/docs/stateful-traversal-runtime-substrate.json","canonicalUrl":"/docs/stateful-traversal-runtime-substrate","audience":"agent","tags":["stateful_traversal","runtime_memory","transition_fingerprint","workflow_continuity","substrate"]},{"slug":"runtime-packet-ingestion-surface","title":"Runtime Packet Ingestion Surface v1","summary":"Ingestion-only CF surfaces for runtime evidence packets. Replay-safe persistence to R2, lineage-aware ingestion, supersession tracking, stale-evidence expiration. SUBSTRATE ONLY — no traversal execution, no runtime emitters, no authenticated traversal. Only synthetic_test provenance is accepted.","path":"/api/docs/runtime-packet-ingestion-surface.json","canonicalUrl":"/docs/runtime-packet-ingestion-surface","audience":"agent","tags":["runtime_packet_ingestion","replay_safety","lineage_governance","supersession","substrate"]},{"slug":"runtime-projection-governance","title":"Runtime Observation Projection Governance + Live-State v1","summary":"Downstream projection governance for sandbox runtime pilot packets. Hard-pins every load-bearing contribution (launchReady / operationalDepth / authenticatedCoverage / workflow_verified / persistence_verified / propagation_verified) at ZERO. Closed-set verdicts, allowed/forbidden cockpit wording, canonical runtime live-state object. SUBSTRATE ONLY — runtime emitters NOT operationalized.","path":"/api/docs/runtime-projection-governance.json","canonicalUrl":"/docs/runtime-projection-governance","audience":"agent","tags":["runtime_projection_governance","runtime_live_state","anti_inflation","pilot_packet_governance","cockpit_wording"]},{"slug":"authenticated-audit-execution","title":"Universal Authenticated Audit Execution v1","summary":"POST /api/audits/execute — agent-callable authenticated audit lane that takes a Login Memory id by reference (no raw passwords) and triggers Stage C authenticated route discovery on a Testorax-owned target. Universal, not app-specific. Honest NOT REACHED accounting baked in.","path":"/api/docs/authenticated-audit-execution.json","canonicalUrl":"/docs/authenticated-audit-execution","audience":"agent","tags":["authenticated_audit","login_memory_reference","route_discovery","not_reached_accounting","universal_saas"]},{"slug":"agent-visual-proof-loop","title":"Agent Visual Proof Loop (Screenshot-on-Demand) — Stage A","summary":"Lightweight, deterministic recommendation contract that tells coding agents WHEN a screenshot is worth fetching, WHICH screenshot (latest vs marked), and CAPS the loop so screenshot fetches never spam. No video replay. No session recording. No browser takeover.","path":"/api/docs/agent-visual-proof-loop.json","canonicalUrl":"/docs/agent-visual-proof-loop","audience":"agent","tags":["screenshot_on_demand","agent_visual_proof","progressive_evidence","screenshot_budget"]},{"slug":"preflight-build-freshness","title":"Preflight / Build Freshness Guard — Stage A","summary":"Scenario-level preflight contract that catches stale-deploy / wrong-route / unauthenticated / missing-testid problems BEFORE deep scenario steps run. Lint validator runs BEFORE billing — invalid configs are refused with HTTP 400 and 0 run credit deducted.","path":"/api/docs/preflight-build-freshness.json","canonicalUrl":"/docs/preflight-build-freshness","audience":"agent","tags":["preflight","build_freshness","stale_deploy","fail_fast","agent_safety"]},{"slug":"scenario-template-library","title":"Scenario Template Library — Stage A","summary":"41 ready-made, agent-first scenario templates covering common (login / CRUD / search / pagination / form validation) and unusual (multi-tenant switch / feature-flag / realtime / locale / CSV import / PDF export / accessibility / offline) test patterns. Each generated scenario carries preflight, real assertions, screenshot policy, Fix Check metadata, and doNotClaim warnings.","path":"/api/docs/scenario-template-library.json","canonicalUrl":"/docs/scenario-template-library","audience":"agent","tags":["scenario_templates","agent_first","preflight","fix_check","crud","auth","commerce","accessibility","realtime"]},{"slug":"campaign-preview","title":"Autonomous QA Campaign Orchestrator — Stage A","summary":"Read-only campaign preview. Stage A-D: route discovery, real-browser inspection (Hetzner Playwright), authenticated preview via Login Memory (raw secrets rejected as forbidden_auth_field). Stage E: live progress telemetry. Stage F: Chrome parity + runner-mismatch classification — preview jobs now carry jobParity + routeParities[] when complete; closed-set parityStatus (5: not_checked / internal_compared / chrome_checked / mismatch_detected / insufficient_evidence) and mismatchClassification (12) including `static_vs_browser_mismatch` for JS-rendered SPAs. `chrome_checked` is NEVER emitted in Stage F (Chrome Live not wired). chromeParityAvailable hard-false. A mismatch is NOT automatically an app bug. NEVER mutates target. NEVER creates customer runs. NEVER deducts credits. confirmationRequiredBeforeRun is always true.","path":"/api/docs/campaign-preview.json","canonicalUrl":"/docs/campaign-preview","audience":"agent","tags":["campaign","autonomous_qa","route_discovery","control_inventory","cost_preview","agent_safety","preview_only"]},{"slug":"assertion-dsl","title":"Scenario Authoring Expansion — Assertion DSL","summary":"Closed-set 19 assertion-helper kinds. Pure deterministic compiler that emits TestStep[] using existing engine actions only. Public POST /api/scenario-templates/validate-assertion validates helper shape + returns the compiled step list. Companion 12 new scenario templates spanning 6 new categories (dashboard / admin / proof / fix_check / booking / console_clean). Ship with proof.","path":"/api/docs/assertion-dsl.json","canonicalUrl":"/docs/scenario-templates","audience":"agent","tags":["assertion","dsl","flow_test","agent_authoring","scenario_templates","fix_check"]},{"slug":"fix-check-same-test-lock","title":"Fix Check Same-Test Lock — Stage A","summary":"Makes \"fixed_verified\" impossible to fake. Compares the same-test fingerprint of the ORIGINAL failing run vs the VERIFICATION run; refuses fixed_verified if the verification changed template, route, assertions, preflight, testIds, or removed proof. Pure deterministic comparator. Read-only. NO LLM call.","path":"/api/docs/fix-check-same-test-lock.json","canonicalUrl":"/docs/fix-check-same-test-lock","audience":"agent","tags":["fix_check","same_test_lock","assertions_hash","agent_safety","fix_loop"]},{"slug":"code-aware-fix-hints","title":"Code-Aware Fix Hints / Likely Fix Location — Stage A","summary":"Strictly advisory. When Testorax proves a failure, this surface generates safe read-only hints showing likely source files / symbols / routes / API handlers to inspect. NO LLM. NO auto-patch. NO raw code in output. NO secrets surfaced.","path":"/api/docs/code-aware-fix-hints.json","canonicalUrl":"/docs/code-aware-fix-hints","audience":"agent","tags":["code_hints","likely_fix_location","agent_safety","fix_loop","static_analysis"]},{"slug":"action-fidelity","title":"Action Fidelity Contract — synthetic-click / weak-fidelity detection","summary":"Closed-shape `actionFidelity` block on every report.json that classifies each click / fill / type / evaluate / select action into real_pointer | native_fill | keyboard_type | programmatic_click | evaluate_fallback | synthetic_event | ambiguous | not_applicable, with pointer / keyboard / focus proof booleans. Stops agents from claiming \"user can save\" when the engine actually used `element.click()` inside a `page.evaluate`.","path":"/api/docs/action-fidelity.json","canonicalUrl":"/docs/action-fidelity","audience":"agent","tags":["action_fidelity","synthetic_click","native_input","weak_fidelity","pointer_proof"]},{"slug":"coverage-grounding","title":"Fast Bug Scan Reality Grounding — Coverage Grounding Contract","summary":"Closed-shape `coverageGrounding` block on every Fast Bug Scan report. Observed-control registry, grounded-action accounting, shell-vs-module-body split, and a closed-set coverageStatus enum. Stops agents from claiming a dashboard \"works\" because only sidebar / header controls were clicked.","path":"/api/docs/coverage-grounding.json","canonicalUrl":"/docs/coverage-grounding","audience":"agent","tags":["fast_bug_scan","reality_grounding","coverage_grounding","no_hallucinated_controls"]},{"slug":"report-evidence-contract","title":"Report Evidence Contract — Passing Run Evidence + Console/Network Evidence","summary":"Closed wire shape for report.json evidence: passingRunEvidence, stepEvidence[], runtimeEvidence{console,network}. PASS reports must carry an explicit proofStrength so agents can tell strong vs weak passes apart. Booleans + counts + body-shape only — never raw cookies, passwords, headers, or request/response body values.","path":"/api/docs/report-evidence-contract.json","canonicalUrl":"/docs/report-evidence-contract","audience":"agent","tags":["report_evidence_contract","passing_run_evidence","runtime_evidence","proof_strength"]},{"slug":"run-submission-schema","title":"Run Submission Schema Contract — Fast Bug Scan + scenario_runner","summary":"Closed-set wire shape for /api/runs/start and /api/runs/bypass. Documents the auth strategies (storage_state, cookies, login_form, session_injection, login_memory, steps), scopedPaths shape, executeOnly + skipCrawl rules, preflight shape, and template-generated runs. Invalid payloads return a structured 400 BEFORE billing — no run created, 0 credits deducted.","path":"/api/docs/run-submission-schema.json","canonicalUrl":"/docs/run-submission-schema","audience":"agent","tags":["run_submission_schema","fast_bug_scan_auth","auth_evidence","auth_reliability"]},{"slug":"agent-workflow","title":"Agent-Native Workflow — the canonical 8-step loop","summary":"For coding agents (Claude / Codex / Cursor / MCP). 8 steps: scan → summary + app-map → patch from proof → verify-fix → review unsafeToClaim → launch audit → pr-comment → ship only on fixed_verified. 6 honesty rules.","path":"/api/docs/agent-workflow.json","canonicalUrl":"/docs/agent-workflow","audience":"agent","tags":["agent_workflow","agent_native","loop","8_step"]},{"slug":"vibe-coder-guide","title":"Vibe-Coder Guide — 5-min quickstart for non-testers","summary":"For founders and indie hackers who code with AI. Five-minute first scan, 3 honesty rules every non-tester must know, common mistakes.","path":"/api/docs/vibe-coder-guide.json","canonicalUrl":"/docs/vibe-coder-guide","audience":"public","tags":["vibe_coder","quickstart","non_tester","founder"]},{"slug":"testing-philosophy","title":"Testing Philosophy — proof-based, not claim-based","summary":"Untested ≠ green. Auth-blocked ≠ broken. UI render ≠ persistence. Closed-set vocabularies. doNotClaim contract. What Testorax is NOT.","path":"/api/docs/testing-philosophy.json","canonicalUrl":"/docs/testing-philosophy","audience":"agent","tags":["philosophy","honesty","proof_based"]},{"slug":"launch-audit-guide","title":"Launch Audit — safe to launch?","summary":"GET /api/launch/readiness?runId=... returns GO / GO_AFTER_DEPLOY / INSUFFICIENT_PROOF / NO_GO. Honest criteria for each.","path":"/api/docs/launch-audit-guide.json","canonicalUrl":"/docs/launch-audit-guide","audience":"agent","tags":["launch","readiness","verdict"]},{"slug":"fix-verification-guide","title":"Fix Verification — 12-status closed set","summary":"testorax verify-fix <originalRunId> <verificationRunId>. Only fixed_verified counts as a real fix. 12 statuses: fixed_verified / still_reproduces / scope_shrunk / assertion_weakened / flaky_uncertain / unable_to_verify / new_failure_introduced / partially_fixed / auth_blocked_verification / environment_drift / pending / provider_error.","path":"/api/docs/fix-verification-guide.json","canonicalUrl":"/docs/fix-verification-guide","audience":"agent","tags":["fix_verification","closed_set","12_statuses"]},{"slug":"app-map-guide","title":"App Map — see what was tested and what wasn't","summary":"6-color legend: purple=fix-verified, red=bug, yellow=warn, gray=untested, blue=auth-blocked, green=tested-pass. Run-level only in v1.","path":"/api/docs/app-map-guide.json","canonicalUrl":"/docs/app-map-guide","audience":"agent","tags":["app_map","coverage_visualization","run_level"]},{"slug":"visual-layout-intelligence","title":"Visual Layout Intelligence — operational layout, not pixel diff","summary":"20 issue types: horizontal_overflow, tap_target_too_small, missing_alt_text, contrast_violation, text_clipped, etc. 5 viewports. NOT a pixel-perfect visual diff.","path":"/api/docs/visual-layout-intelligence.json","canonicalUrl":"/docs/visual-layout-intelligence","audience":"agent","tags":["visual_layout","operational","closed_set_20"]},{"slug":"patch-batch-verification","title":"Patch Batch Verification — 10-state batch lifecycle","summary":"Group multi-bug fix PRs into batches with 10 states: proposed / patching / deployed / verifying / all_verified / partially_verified / still_failing / regression_introduced / abandoned / blocked. Run-level only (persisted: false).","path":"/api/docs/patch-batch-verification.json","canonicalUrl":"/docs/patch-batch-verification","audience":"agent","tags":["patch_batch","verification","10_states"]},{"slug":"coverage-confidence","title":"Coverage Confidence — 4 tiers","summary":"high / medium / low / unknown. Reading what was tested. unknown is the safe default when signals are missing.","path":"/api/docs/coverage-confidence.json","canonicalUrl":"/docs/coverage-confidence","audience":"agent","tags":["coverage","confidence","4_tier"]}]}