API Breaking Change Detection
Never ship a breaking API change again.
CodeRifts analyzes API contract changes directly in your PRs. Predict blast radius, detect agent-breaking drift, and block unsafe merges before production.
Read-only access to PR metadata and OpenAPI spec files · No source code access · Security details
All Pro and Team features free during beta · 31+ features · GitHub native · Zero config
Real PR comment from coderifts/demo#4
74,800+ breaking API changes documented across public API specs
Source: APIstic research dataset, USI Lugano (2024)
Most tools show what changed. CodeRifts shows how dangerous it is.
That's it. A list of diffs.
* Cost estimates are based on your team’s configured hourly rate and estimated engineering effort. Configure in .coderifts.yml.
The market shows you what changed.
We tell you how dangerous it is.
We tell you who it affects.
We tell you when deployment is blocked.
We tell you how much it will cost.
MigraGuard: schema changes vs live code
A migration PR that drops a column passes code review and green tests - then production breaks because src/billing/sync.ts still reads it. MigraGuard cross-checks every schema migration against your actual code references and gates the PR: DROP COLUMN with a live reference is a BLOCK with the exact file and line. Additive changes pass in seconds. Uncertain cases get a WARN, never a silent pass. Built into the same zero-config GitHub App - one install, two gates.
What your team sees on every pull request
Risk Breakdown
Breaking Changes
| Endpoint | Change Type | Intent | Confidence | Severity |
|---|---|---|---|---|
DELETE /api/users/{id} |
Endpoint removed | 🏗️ Structural | 🟢 High | Critical |
GET /api/orders |
Response schema changed | ⚙️ Behavioral | 🟡 Medium | Warning |
POST /api/payments |
Auth scheme removed | 🔒 Security | 🟢 High | Critical |
Policy Violations
Recommendations
Four steps. Zero config.
Push
A pull request modifies an API schema.
Calculate
CodeRifts diffs base vs head and scores risk across 4 dimensions.
Evaluate
Governance rules checked: budgets, freezes, ownership, approvals.
Enforce
Merge allowed or blocked. Full report posted as PR comment.
31+ governance features in a single PR comment
Zero config on GitHub. Works with GitLab, Bitbucket, and any CI/CD pipeline. Policy as code via .coderifts.yml.
4D Risk Scoring
Revenue, blast radius, app compatibility, and security — scored 0-100 on every PR, now powered by the formalized Ω_API engine with auditable components (S_contract, P_break, S_blast, S_agent).
Policy Engine
Governance rules as code, simulated against any spec pair before merge. Advanced rules — breaking budgets, freeze windows, approval matrix — available now.
Change Intent Classification
Every breaking change tagged: structural, behavioral, security, or performance.
AI-Generated Spec Safety
Detects when AI tools modify your API spec with 7 detection signals.
Auth Scheme Diff Severity
Granular security analysis: 5 severity levels with OAuth scope detection.
Deprecation Lifecycle
Enforce minimum deprecation periods, sunset dates, and replacement requirements.
Documentation Coverage
5-dimension docs quality score with PR delta tracking.
API Stability Badge
Embeddable SVG badges for your README: stability grade, breaking-free streak.
PR-Layer Enforcement
Block unsafe merges at the PR layer — not just detection, but enforcement with BLOCK/WARN/ALLOW decisions.
Agent Preflight Check
preflightCheck() before every tool invocation — verify API contracts haven't drifted before your agent calls them.
Policy as Code
Define governance rules in .coderifts.yml — version-controlled and simulated before merge. Advanced gates (breaking budgets, freeze windows, approvals) are available now.
Compliance Ledger
Permanent audit trail of every API change, risk decision, and policy evaluation — immutable and queryable.
SDK
npm install @coderifts/sdk or pip3 install coderifts-sdk — integrate governance checks directly into your agent pipelines. Available now.
Multi-Protocol Diff
Breaking-change detection across OpenAPI, GraphQL, gRPC, and AsyncAPI — one decision format for every protocol.
Agent-Readable Headers
Every decision ships as X-CodeRifts-Decision, Risk-Score, and Safe-For-Agent headers — agents read the verdict without parsing a body.
Explainable Decisions
Append ?debug=true for the full reasoning — cache lookup, score components, and a human-readable decision path.
AI Adoption Telemetry
See which AI crawlers and agents reach your API through the public preflight endpoint.
Owner Dashboard & Metrics
Per-repo decision distribution, cache efficiency, and request volume — for the teams that own the API.
Correlation ID & Audit Trail
Every request carries a correlation id — full traceability across logs, decisions, and PR comments.
Governance features in a single PR comment
Config required — install and it works
Policy as code via .coderifts.yml
Tests — production-grade reliability
29 Named Drift Patterns — 4 Detection Engines
Every pattern is backed by production detection logic and verified test cases. CodeRifts catches what schema diffs miss — behavioral drift, neural degradation, agent-specific breaks, and semantic shifts.
AIDE Instability Engine — 13 patterns
LATENCY_REGRESSION
Response times degrade beyond acceptable thresholds
PAYLOAD_FLAKINESS
Response payloads vary unpredictably between calls
ERROR_RATE_SPIKE
Sudden increase in error responses from endpoints
TOKEN_COST_DRIFT
API token consumption changes unexpectedly
SYSTEMIC_INSTABILITY
Multiple instability signals correlate across endpoints
SILENT_DATA_LOSS
Fields disappear from responses without error signals
ZOMBIE_ENDPOINT
Endpoints exist in spec but return errors or empty data
SESSION_INSTABILITY
Session state becomes unreliable across requests
CHANGE_INDUCED_FLAKINESS
Recent spec changes correlate with intermittent failures
BLOATED_RESPONSE
Response sizes grow beyond expected bounds
AUTH_DRIFT
Authentication requirements change without spec updates
INTERMITTENT_SLOWDOWN
Periodic latency spikes without consistent pattern
TRAFFIC_SHIFT
Request distribution changes across endpoint versions
Neural Drift Engine — 6 patterns
LATENCY_DRIFT
Gradual latency degradation across neural pathways
SIGNAL_LOSS
Critical API signals attenuate below detection threshold
SYNAPTIC_NOISE_RISE
Noise-to-signal ratio increases in API responses
AUTH_CONDUCTION_DECAY
Authentication token propagation degrades over time
TOKEN_INFLATION
Token sizes or counts inflate beyond expected bounds
PAYLOAD_EROSION
Response payload quality degrades incrementally
Agent-Specific Patterns — 6 patterns
TOOL_INPUT_SCHEMA_DRIFT
Tool input schemas change, breaking agent function calls
TOOL_RESULT_SHAPE_DRIFT
Tool response shapes change, breaking agent parsing
AGENT_PROTOCOL_DRIFT
Agent-to-agent communication protocol changes
AUTH_DELEGATION_DRIFT
Delegated auth flows change between agent hops
SHARED_STATE_SCHEMA_DRIFT
Shared state schemas diverge between cooperating agents
WORKFLOW_CHAIN_BREAK
Multi-step agent workflows break at chain boundaries
Semantic Drift Engine — 4 patterns
FIELD_SEMANTIC_CHANGE
Field meaning changes while name stays the same
ENDPOINT_SEMANTIC_CHANGE
Endpoint behavior changes while path stays the same
RESPONSE_CONTRACT_DRIFT
Response contracts shift in meaning or structure
DEFAULT_VALUE_SEMANTIC_CHANGE
Default values change, altering implicit behavior
Every pattern is backed by detection logic and verified test cases across 4 engines.
View Decision Spec v1.0 →Enforce release policies with version-aware, machine-checkable rules.
Governance as code
# .coderifts.yml
version: 1
policy:
default_action: allow
rules:
- id: breaking-budget
condition: "breaking_changes > 3"
action: block
- id: payments-freeze
condition: "breaking_changes > 0"
action: block
schedule:
- "2026-03-01T00:00:00Z/2026-03-15T23:59:59Z"
- id: high-risk-approval
condition: "risk_score >= 80"
action: require_approval
approvers: ["@payments-team"]
Breaking budgets
Set max allowed breaking changes per PR
Freeze windows
Block breaking changes during release periods
Domain ownership
Route alerts to the right team by API path
Approval matrix
Require sign-off based on risk level
How it works
CodeRifts reads your OpenAPI specification files (JSON or YAML) directly from your repository on every Pull Request. It never accesses your source code, business logic, or runtime data.
What it analyzes
- OpenAPI 3.x and Swagger 2.x specifications
- Schema changes between base and head branch
- CI configuration for governance gap detection
What it does not access
- Your source code
- Your database
- Runtime traffic or production data
- Any file outside your OpenAPI spec paths
Your spec files are processed in memory during the check run and are not stored or logged.
Start free. Scale when ready.
Free
Catch breaking changes locally
- Breaking change detection
- Auto-discovery of spec files
- Semver suggestion
- Lifecycle labels
- API surface stats
- Commit consistency check
- Breaking changes table
- REST in Peace
- Web UI & CLI & REST API
Pro
Risk intelligence on every PR
- Everything in Free, plus:
- GitHub App: zero-config PR comments
- Prevents production outages before merge
- Change intent classification
- Confidence scoring
- Catches auth regressions before merge
- Auth scheme diff severity
- AI-generated spec safety
- Generator-aware risk
- API design linter
- Auto-changelog
- Deprecation lifecycle tracker
- Documentation coverage score
- Heritage mode
- CODEOWNERS suggestion
- Versioning strategy advisor
Team
Governance enforcement for your team
- Everything in Pro, plus:
- Blocks breaking merges with policy-as-code
- Freeze windows
- Breaking budget per team
- Approval matrix
- Domain ownership & notifications
- Exception lifecycle manager
- Migration assessment
- Governance health score (A-F)
- Overlap detection
- PR review insights
- Feature flag cleanup
- API stability badges
- Shadow API detection
- SDK surface coverage Coming Soon
- Generated spec drift control
Enterprise
Governance at scale with compliance
- Everything in Team, plus:
- Multi-repo compatibility guard
- Consumer-aware risk scoring
- Org-level API registry
- Compliance ledger & audit trail
- External API drift monitor
- Historical drift intelligence
- Slack & Teams notifications
- SSO & dedicated support
See How CodeRifts Compares
The only tool that catches breaking API changes at the pull request — not after deployment.
OSS diff engine vs full governance platform
API docs vs API contract enforcement
Single-spec linting vs PR-native breaking change detection
Design-time governance vs PR-native enforcement
iPaaS lifecycle vs PR-level contract protection
Gateway management vs shift-left governance
Runtime routing vs pre-merge contract enforcement
Get API governance insights in your inbox.
Join developers who care about API stability.
One email per week. No spam.
Featured Case Study
"A single field rename passed code review, passed all tests, and took down POS systems across 19 restaurants for a week."
Read the case study