test(scaffold): add skeleton test files for all 7 API endpoints

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

__tests__/api/todos.test.ts

@@ -0,0 +1,61 @@
+import { describe, it, expect, vi, beforeEach } from 'vitest'
+
+vi.mock('@/lib/prisma', () => ({
+  prisma: {
+    product: {
+      findFirst: vi.fn(),
+    },
+    todo: {
+      create: vi.fn(),
+    },
+  },
+}))
+
+vi.mock('@/lib/api-auth', () => ({
+  authenticateApiRequest: vi.fn(),
+}))
+
+import { prisma } from '@/lib/prisma'
+import { authenticateApiRequest } from '@/lib/api-auth'
+import { POST as postTodo } from '@/app/api/todos/route'
+
+const mockPrisma = prisma as unknown as {
+  product: { findFirst: ReturnType<typeof vi.fn> }
+  todo: { create: ReturnType<typeof vi.fn> }
+}
+const mockAuth = authenticateApiRequest as ReturnType<typeof vi.fn>
+
+function makeRequest(body: unknown): Request {
+  return new Request('http://localhost/api/todos', {
+    method: 'POST',
+    headers: { Authorization: 'Bearer test-token', 'Content-Type': 'application/json' },
+    body: JSON.stringify(body),
+  })
+}
+
+describe('POST /api/todos', () => {
+  beforeEach(() => {
+    vi.clearAllMocks()
+  })
+
+  // TC-TD-01
+  it.todo('returns 401 when no token provided')
+
+  // TC-TD-03
+  it.todo('returns 403 for demo users')
+
+  // TC-TD-04
+  it.todo('returns 400 when title is missing')
+
+  // TC-TD-05
+  it.todo('returns 400 when title is empty string')
+
+  // TC-TD-06
+  it.todo('creates todo without product_id and returns 201')
+
+  // TC-TD-07
+  it.todo('creates todo with valid product_id and returns 201')
+
+  // TC-TD-08
+  it.todo('returns 403 or 404 when product_id belongs to another user')
+})