I like the idea!
We use it actually for a financial application we develop for a bank.
We use spring test docs with tests to create example api calls with answers, run reference calculations as part of the test and record the outcome and decisions
Both become part of the documentation rendered with asciidoc.
We added custom annotations to add documentation snippets thorough the code in addition to using drools and recording the ruleset as well.
Feedback is great! But it is no generic approach and involved quite some effort for infrastructure and ongoing maintenance.
But well worth the effort given the stakes involved.
Perhaps this helps you as feedback. I am curious how your approach will turn out.
With an XSS exploit it is game over, you control the browser.
Adding more complexity and opening up the possibility of CSRF exploits with BFF does not look like a good trade off to me.
I got weired errors including delivery of old, expired, certificates on renewal and api errors.
I currently log into Google acme as alternative to LE to have a backup, the Android issue does not apply to my environment.