When an API your agent depends on changes (a renamed field, a removed endpoint, a dropped auth scope), your agent breaks silently. The tests stay green; the break shows up at runtime, mid-task. CodeRifts catches it before the call and returns a machine-readable verdict your agent can act on.
Three steps: guard your tool calls, adopt the policy, read the verdict.
Put a guard in front of your agent's API and tool calls. It asks CodeRifts whether the contract is safe before the call runs. CodeRifts ships ready-made, drop-in snippets per framework. Fetch the one for your stack (LangGraph, AutoGen, and more):
```bash
curl https://app.coderifts.com/api/v1/snippets/langgraph
# full framework list: https://app.coderifts.com/api/v1/snippets
```
The guard sends the old and new contract to CodeRifts and aborts when the verdict is unsafe. The pattern, in any framework:
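```python
import requests

CODERIFTS = "https://app.coderifts.com/api/v1/diff"
HEADERS = {"Authorization": "Bearer YOUR_API_KEY"}

def coderifts_guard(old_spec, new_spec):
    """Ask CodeRifts for a verdict and abort if the change is unsafe."""
    response = requests.post(
        CODERIFTS, headers=HEADERS,
        json={"old_spec": old_spec, "new_spec": new_spec},
        timeout=10,  # a hung request must not stall the agent indefinitely
    )
    response.raise_for_status()  # an HTTP error body is not a verdict
    verdict = response.json()
    if verdict["decision"] == "BLOCK" or verdict["safe_for_agent"] is False:
        raise RuntimeError("CodeRifts blocked an unsafe API change: " + verdict["decision"])
    # safe: proceed with the tool call
```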
No key yet? The keyless /api/v1/public/preflight endpoint gives you a verdict for trying it out. The framework snippets show the exact wiring for each runtime.
CodeRifts publishes a default agent policy: preflight before every tool call, abort on block. Fetch it and enforce it as-is, or customize:
```bash
curl https://app.coderifts.com/api/v1/policy/default
```

```json
{
  "policy": {
    "name": "CodeRifts Default Agent Policy",
    "rules": [
      {
        "trigger": "before_tool_call",
        "condition": "any_api_call",
        "action": "preflight_check",
        "on_block": "abort_execution",
        "on_warn": "proceed_with_caution"
      }
    ]
  }
}
```
Every CodeRifts response leads with a machine-readable Decision Spec. The verdict comes first in the payload, so a truncating or streaming agent still gets it:
```json
{
  "decision": "BLOCK",
  "safe_for_agent": false,
  "risk_score": 60,
  "breaking_changes": 4,
  "requires_migration": true,
  "evidence_quality": "high",
  "patterns": ["AUTH_SCHEME_REMOVAL", "ENDPOINT_REMOVAL", "TYPE_NARROWING"],
  "coderifts_version": "1.0",
  "coderifts_governance": {
    "mcp_config": { "url": "https://app.coderifts.com/mcp", "transport": "streamable-http" }
  }
}
```
Your agent acts on two fields: safe_for_agent (boolean: the agent must not call the updated API when this is false) and decision (one of ALLOW, WARN, REQUIRE_APPROVAL, BLOCK). The full contract is published as a JSON Schema you can validate against:
```bash
curl https://app.coderifts.com/api/v1/decision-spec/schema
# $id: https://coderifts.com/decision-spec/v1.0.json
```
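One way to enforce the two verdict fields on the agent side, failing closed when the payload is truncated, mistyped or self-contradictory. This is an added example, not CodeRifts code: the `enforce` function and the `proceed` and `await_approval` action names are assumptions, and the sample payloads are constructed.

```python
import json

# Decision values named on this page; anything else is treated as unsafe.
DECISIONS = {"ALLOW", "WARN", "REQUIRE_APPROVAL", "BLOCK"}

# The on_block / on_warn values from the default policy shown above.
DEFAULT_RULE = {"on_block": "abort_execution", "on_warn": "proceed_with_caution"}


def enforce(raw_verdict, rule=DEFAULT_RULE):
    """Map a Decision Spec payload to an action, failing closed on bad input."""
    on_block = rule.get("on_block", "abort_execution")
    try:
        verdict = json.loads(raw_verdict) if isinstance(raw_verdict, (str, bytes)) else raw_verdict
    except ValueError:
        return on_block  # truncated or non-JSON body: no verdict, so no call
    if not isinstance(verdict, dict):
        return on_block
    decision = verdict.get("decision")
    safe = verdict.get("safe_for_agent")
    # Both fields must be present with the right types: the string "false"
    # is truthy in Python and must not be mistaken for a safe verdict.
    if not isinstance(decision, str) or decision not in DECISIONS:
        return on_block
    if not isinstance(safe, bool):
        return on_block
    # safe_for_agent False wins even when the decision field disagrees.
    if decision == "BLOCK" or safe is False:
        return on_block
    if decision == "REQUIRE_APPROVAL":
        return "await_approval"  # assumed action name, not from the policy
    if decision == "WARN":
        return rule.get("on_warn", "proceed_with_caution")
    return "proceed"  # assumed action name for ALLOW


# Constructed sample payloads (not captured from the service).
SAMPLES = {
    "block": '{"decision": "BLOCK", "safe_for_agent": false, "risk_score": 60}',
    "warn": '{"decision": "WARN", "safe_for_agent": true}',
    "contradictory": '{"decision": "ALLOW", "safe_for_agent": false}',
    "string_bool": '{"decision": "ALLOW", "safe_for_agent": "false"}',
    "truncated": '{"decision": "ALL',
    "allow": '{"decision": "ALLOW", "safe_for_agent": true}',
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:14} -> {enforce(body)}")
```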
CodeRifts is an MCP server. Point your agent at it and 8 governance tools appear automatically, with no integration code.
MCP endpoint: https://app.coderifts.com/mcp (transport: streamable-http)
Manifest: https://coderifts.com/mcp.json
Registry: io.github.coderifts/api-governance
See the full 8-tool list and per-tool REST endpoints on the MCP Integration page.
| Endpoint | Purpose | Auth |
|---|---|---|
| POST /api/v1/diff | Full verdict on an OpenAPI / GraphQL / gRPC / AsyncAPI change | key |
| GET /api/v1/public/preflight | Keyless preflight verdict | none |
| POST /api/v1/agent-readiness-score | 0-100 agent-readiness score for a spec | key |
| GET /api/v1/decision-spec/schema | The Decision Spec JSON Schema (the contract) | none |
| GET /api/v1/policy/default | Recommended agent policy | none |
| GET /api/v1/snippets/{framework} | Framework integration snippets | none |