14 min · Reviewed 2026
Protect API Contracts
An API route is a promise. Agents should validate input, return stable errors, and avoid changing response shapes casually.
Name the job before naming the tool.
Write the smallest useful scope the agent can finish.
Run the result as a user, not as a fan of the tool.
Inspect the diff, data access, and failure path before sharing.
Add validation to POST /api/invite. Keep the existing response shape. Add tests for missing email, invalid role, and successful invite.
Use this as the working prompt or checklist for the lesson.
What should the user be able to do when this is finished?
What data should the app or agent never expose?
What test proves the change works?
What rollback path exists if the output is wrong?
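One way the working prompt above could be satisfied, as an added example that is not part of the lesson: a framework-free handler for POST /api/invite that validates input, keeps one stable error shape with 'error' and 'message' fields, leaves the assumed success shape untouched, and carries its own contract tests for the three cases the prompt names. The allowed roles, the success shape and the error codes are assumptions.

```javascript
// Added example (not from the lesson): handler for the working prompt
// "Add validation to POST /api/invite". The allowed roles, the success
// shape { invite: {...} } and the error codes below are assumptions.
const ALLOWED_ROLES = new Set(["admin", "member", "viewer"]);
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// Every failure uses the same stable shape: { error, message }.
// The message names the offending field and nothing internal
// (no stack traces, table names or config paths).
function badRequest(error, message) {
  return { status: 400, body: { error, message } };
}

// Pure function returning { status, body } so the contract can be
// unit-tested without a web framework or a running server.
function handleInvite(body) {
  if (body === null || typeof body !== "object" || Array.isArray(body)) {
    return badRequest("invalid_body", "Request body must be a JSON object");
  }
  const { email, role } = body;
  if (typeof email !== "string" || email.trim() === "") {
    return badRequest("missing_email", "Field 'email' is required");
  }
  if (!EMAIL_RE.test(email)) {
    return badRequest("invalid_email", "Field 'email' must be a valid address");
  }
  if (typeof role !== "string" || !ALLOWED_ROLES.has(role)) {
    return badRequest("invalid_role",
      `Field 'role' must be one of: ${[...ALLOWED_ROLES].join(", ")}`);
  }
  // Existing (assumed) success shape is kept exactly as it was.
  const invite = { email: email.trim().toLowerCase(), role, state: "pending" };
  return { status: 201, body: { invite } };
}

// Contract tests for the three cases the prompt asks for, plus a check
// that the error object always has exactly the keys 'error' and 'message'.
function runContractTests() {
  const missing = handleInvite({ role: "member" });
  const badRole = handleInvite({ email: "a@example.com", role: "root" });
  const ok = handleInvite({ email: "A@Example.com", role: "member" });
  return (
    missing.status === 400 && missing.body.error === "missing_email" &&
    badRole.status === 400 && badRole.body.error === "invalid_role" &&
    ok.status === 201 && ok.body.invite.email === "a@example.com" &&
    Object.keys(missing.body).join() === "error,message" &&
    Object.keys(badRole.body).join() === "error,message"
  );
}
```

Wire handleInvite behind the real route by mapping its return value to the framework's status and JSON calls; the tests stay the same because the contract lives in the pure function.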
End-of-lesson check
15 questions · take it digitally for instant feedback at tendril.neural-forge.io/learn/quiz/end-coder-api-contracts-creators
What is the primary purpose of an API contract?
To specify exactly which programming language must be used
To guarantee a consistent interface and behavior other code can depend on
To prevent users from making too many requests
To document every possible error message the API might produce
Why should an API validate incoming input data?
Validation is only necessary for user passwords and payment data
AI models already handle all invalid input automatically
It prevents the API from accepting requests that could cause crashes or security issues
Validation makes the API run faster
What downstream problem can occur when an API changes its response shape unexpectedly?
The API automatically rate-limits the client
Client applications that parse the response may break
The database connection becomes slower
The API server runs out of memory
What is the main benefit of writing contract tests for an API?
They automatically generate documentation for users
They make the API run faster
They verify that the interface remains consistent even after code changes
They replace the need for any other testing
When an API receives invalid input, what should it return?
A 200 OK status with a generic error message
A 500 Internal Server Error to hide the problem
The raw data the user sent back as-is
A 400 Bad Request with clear, consistent information about what was wrong
Which of the following represents a stable error format that API consumers can depend on?
Errors that include full database stack traces for debugging
A consistent object with 'error' and 'message' fields that always appears
Returning different error structures depending on which internal function failed
A random error format chosen each time the API is updated
What does it mean for code to be 'observable'?
The code runs without any errors
The source code is publicly available
The system produces logs and metrics that reveal its internal state and behavior
The code is well-commented for future developers
What does 'reversible' mean in the context of deploying AI-generated code?
The AI can reverse-engineer the original requirements
The code can be compiled to run on any operating system
The code can read data in both directions
You can easily undo the change and return to a working state if problems occur
Which type of data should an API never expose to external users?
Internal system details like database table names, stack traces, or configuration paths
The HTTP status code of the response
The version number of the API
Error messages that help users understand what went wrong
What is the best way to prove that a code change actually works as intended?
Running the code yourself and confirming it doesn't crash
Asking another developer to review the code visually
Writing tests that verify the specific behavior before deploying
Assuming it works because the AI generated it
What is the 'happy path' in API development?
The path users take when they are satisfied with the API
The ideal execution flow when everything works correctly with valid input
A special error-handling routine for critical failures
The code path that handles invalid input gracefully
Why should API response shapes be kept consistent rather than changed casually?
JSON format doesn't allow changes to structure
The API will run faster with consistent shapes
Consistent shapes are required by HTTP protocol
Code that depends on the API will break if the shape changes
According to best practices, what should you define BEFORE selecting a tool to solve a coding problem?
The specific library or framework you will use
The name of the developer who will write the code
The exact output you want the code to produce
The budget for purchasing tools
Why is it important to inspect the diff before sharing AI-generated code?
The diff must be approved by a lawyer
To make the code look prettier
Diff inspection is only required for open-source projects
To catch unintended changes, data access patterns, or problematic failure handling
Why is the failure path as important to test as the success path?
Failure paths are executed more frequently in production
Success paths cannot be tested automatically
Failure paths require less code to write
Users encounter errors and need clear feedback; broken error handling can expose data or crash systems