| TC-API-001 | API documentation exists | Review | High | Postman documentation exists and OpenAPI draft is available | Postman link/export and OpenAPI file/link evidence | Partial |
| TC-API-002 | OpenAPI paths match runtime route list | Review | High | No critical mismatch exists | route:list comparison | Not Run |
| TC-API-003 | Protected endpoints declare authentication | Review | Critical | Protected endpoints require bearer/auth token | OpenAPI review evidence | Not Run |
| TC-API-004 | Error responses are documented | Review | Medium | 401, 403, 422, 500 patterns documented | OpenAPI review evidence | Not Run |
| TC-API-005 | Swagger UI hosting decision is recorded | Review | Medium | Hosted or not-hosted decision exists | Decision record | Optional / Pending Decision |