Answering REST API Questions

The `/api/*` surface is wide and grows organically. Most agents over-rely

on search to find endpoints, when the truth is two greps away in

`web.xml`.

When to use this runbook

When a user asks something that should be one curl call, but you can't

name the endpoint in advance.

Context

`wikantik-war/src/main/webapp/WEB-INF/web.xml` is the contract: every

servlet (every `*Resource.java`) has both a `<servlet>` declaration and

a `<servlet-mapping>`. The mapping shows the URL pattern; the

declaration shows the implementation class. Together they answer

"is there an endpoint for X" with full certainty.

The Resource classes themselves (`wikantik-rest/.../*Resource.java`)

are the source-of-truth for HTTP method shape and permission model.

`RestServletBase` is the parent class — its helpers (`checkPagePermission`,

`requirePathParam`, `parseJsonBody`) are used by every Resource.

Walkthrough

The frontmatter `steps` are the canonical procedure. The order matters:

web.xml first (it tells you whether the endpoint exists at all), then

the Resource (it tells you the method and permission), then the body

(it tells you the response shape).

Pitfalls

The frontmatter `pitfalls` cover the recurring traps. The

permission-by-analogy mistake is the most common — agents see

`view` work and assume `delete` will too on the same path.