test: add 9 edge-case API tests for validation, deleted/SQLi IDs, export, session

[devin-ai-integration]

Summary

Adds 9 new Jest + Supertest tests in tests/api.test.js covering edge cases that improve API behavior coverage:

• GET /api/todos — rejects invalid order and invalid completed filter values (2 tests).
• GET /api/todos/stats — POST to the stats endpoint falls through to notFoundHandler and returns 404 (1 test).
• GET /api/todos/:id — fetching a previously-deleted todo returns 404; SQL-injection-like string in the ID returns 400 from validateTodoId (2 tests).
• GET /api/todos/:id/export — non-existent UUID returns 404; non-UUID ID returns 400 (2 tests, new describe block).
• GET /api/session — POST and DELETE to /api/session fall through to notFoundHandler and return 404 (2 tests, new describe block).

All tests follow the existing pattern of using supertest against the app instance from src/app.js.

Notable finding (per session conversation)

The originally-planned PUT /api/todos/stats → 404 test was dropped. Express matches PUT /api/todos/stats against router.put('/todos/:id', validateUpdateTodo, ...) (id="stats"), which fails UUID validation and returns 400 VALIDATION_ERROR, not 404 from notFoundHandler. This is route-ordering / matching behavior, not a test bug — left for a follow-up code change if 405/404 semantics are desired on /api/todos/stats for non-GET methods.

Test results

Tests: 63 passed, 63 total  (54 baseline + 9 new)

Coverage thresholds (80/70/80/80) are not met on this branch — but they were already failing on the baseline branch (50% statements, 40% branches, 51.15% lines, 44.7% functions). My additions improve coverage slightly:

• statements: 50% → 50.67%
• branches: 40% → 40.37%
• lines: 51.15% → 51.87%
• functions: 44.7% → 45.88%

Bringing thresholds green requires covering src/public/js/app.js (client-side, currently 0%) and src/utils/{crypto,encoding,sanitizer}.js, which is out of scope for this PR.

Review & Testing Checklist for Human

• Confirm you're OK with the dropped PUT /api/todos/stats → 404 test, or open a follow-up to add an explicit handler that returns 405/404 for non-GET methods on /api/todos/stats.
• Run npm run test:coverage locally and verify all 63 tests pass.
• Spot-check the new tests in <ref_file file="/home/ubuntu/repos/node-upgrade-demo/tests/api.test.js" /> to confirm they match the patterns/style you wanted.

Notes

Targets devin/1777386487-node18-with-breaking-changes, not main.

Link to Devin session: https://app.devin.ai/sessions/afbfe7394c5c49ef9d2350f14d720da8
Requested by: @clivingston-cognition

---

[devin-ai-integration]

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

• Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
• Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

• Disable automatic comment and CI monitoring

[devin-ai-integration]

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.

View in Devin Review to see 2 additional findings.