# API Contracts - MVC-Starter **Date:** 2026-03-11T11:59:39Z ## Overview This project does not expose a standalone JSON API. Its current externally reachable contracts are server-rendered HTTP routes handled by the Classic ASP MVC dispatcher. ## Route Catalog ### `GET /` - **Controller:** `homeController` - **Action:** `Index` - **Behavior:** Renders the home page using the shared layout and `app/views/Home/index.asp`. - **Layout:** enabled (`useLayout = True`) - **Response Type:** HTML - **Status:** `200 OK` ### `GET /home` - **Controller:** `homeController` - **Action:** `Index` - **Behavior:** Alias route to the home page; renders the same content as `/`. - **Layout:** enabled - **Response Type:** HTML - **Status:** `200 OK` ### `GET ""` (empty path fallback) - **Controller:** `homeController` - **Action:** `Index` - **Behavior:** Additional root-path fallback route declared in `public/Default.asp`. - **Layout:** enabled - **Response Type:** HTML - **Status:** `200 OK` ### `GET /404` - **Controller:** `ErrorController` - **Action:** `NotFound` - **Behavior:** Renders the not-found page and sets the response status to `404 Not Found`. - **Layout:** enabled - **Response Type:** HTML - **Status:** `404 Not Found` ## Dispatch Contract - All non-static requests are rewritten by IIS to `public/Default.asp`. - `public/Default.asp` registers routes and calls `MVC.DispatchRequest`. - `core/mvc.asp` validates controller and action names, checks the controller whitelist, resolves the controller dynamically, and invokes the action. - If `useLayout` is enabled on the resolved controller, shared header and footer views wrap the response. ## Security and Validation Notes - Controller names must pass format validation and whitelist checks in `core/lib.ControllerRegistry.asp`. - Action names must pass identifier validation before dispatch. - Current route handling is page-oriented; there are no documented JSON payload schemas or standalone API auth flows in the application itself. ## Brownfield Notes - Future endpoint additions require updates in at least three places: route registration, controller include/implementation, and controller whitelist registration. - This document reflects route contracts, not REST-style service endpoints.