52 governance features.
One PR comment.
From breaking change detection to compliance enforcement.
Real PR comment from coderifts/demo#2
Free Tier
9 features included with every installation — no credit card required
Breaking Change Detection
Core diff engine for OpenAPI 3.0 and 3.1 schemas.
Detects endpoint removals, required field additions, response type changes, enum restrictions, auth changes, parameter modifications, and more.
Auto-Discovery
Automatically finds OpenAPI spec files in your repo.
No configuration needed. CodeRifts scans your repository for .yaml, .yml, and .json files matching OpenAPI patterns.
Semver Suggestion
Recommends MAJOR/MINOR/PATCH based on change severity.
Reads your current version from the spec and suggests the correct next version based on the breaking changes detected.
Lifecycle Labels
Tags each change: new-endpoint, field-removed, deprecated, etc.
Every change in the breaking changes table gets a lifecycle icon showing whether it's new, modified, deprecated, or removed.
API Surface Stats
Endpoint, field, and schema counts in every PR.
Shows your total API surface area and how the PR changes it, so you always know the scope of your API.
Commit Consistency Check
Validates PR title matches the suggested version bump.
Warns when breaking changes are detected but the PR title doesn't include a version bump indicator like feat!:.
Breaking Changes Table
Structured table of every breaking change with details.
Each breaking change gets its own row with endpoint, risk level, action type, and a link to the specific diff.
REST in Peace
Lists removed endpoints with a touch of humor.
A dedicated memorial section for removed endpoints. Because even APIs deserve a proper farewell.
Web UI, CLI & REST API
Three ways to use CodeRifts: browser, terminal, or API.
Try in the browser with no signup, run locally via CLI, or integrate into any CI/CD pipeline via the REST API.
Risk & Scoring
Quantify API change risk across 4 dimensions
4D Risk Score
Composite 0–100 score across severity, surface, auth, and stability.
Each PR gets a single risk number combining breaking change severity, affected surface area, authentication impact, and historical stability. Color-coded gauge included.
Confidence Score
How certain is the analysis? 0–100 confidence rating.
Factors in spec completeness, change specificity, and engine agreement. Low confidence triggers a warning so you know when to double-check.
Stability Grade
A+ to F grade based on recent breaking change history.
Tracks your API's breaking change frequency over the last 30 days. Fewer breaks = higher grade. Shown as a letter grade with trend arrow.
Change Intent Classifier
Tags each change as structural, behavioral, or security.
Uses change codes and heuristics to classify intent. Structural changes affect shape, behavioral changes affect logic, security changes affect auth.
Security
Catch authentication and authorization regressions
Auth Downgrade Detection
Flags when endpoints lose authentication requirements.
Detects when OAuth2 is downgraded to API key, when bearer tokens are removed, or when security schemes are weakened. Severity-rated.
Scope & Permission Tracker
Detects OAuth scope changes and permission model shifts.
Tracks when scopes are added, removed, or renamed. Warns when permission boundaries change in ways that could affect API consumers.
AI & Generator Awareness
Detect AI-generated specs and generator-specific risks
AI-Generated Spec Safety
Detects when specs are AI-generated and flags common AI mistakes.
Identifies patterns typical of LLM-generated OpenAPI specs: hallucinated endpoints, inconsistent naming, missing security schemes, and overly generic descriptions.
Generator-Aware Risk
Adjusts risk scoring based on spec generator (Swagger Codegen, OpenAPI Generator, etc.).
Detects the generator used and adjusts confidence and risk scores based on known generator quirks and limitations.
Insights & Reporting
Documentation quality, changelogs, and design standards
API Design Lint
Naming conventions, pagination, error consistency checks.
8 lint rules covering camelCase, pagination patterns, error response formats, and more. Warnings shown in a collapsible section.
Auto-Changelog
Categorized changelog: breaking, added, changed, deprecated.
Every PR gets a structured changelog grouped by change type, ready to copy into your release notes.
Deprecation Lifecycle Tracker
Tracks deprecated endpoints from announcement to removal.
Monitors x-deprecated and x-sunset headers. Warns when deprecated endpoints are removed without the sunset period completing.
Documentation Coverage Score
A–F grade for spec completeness: descriptions, examples, schemas.
Scores your OpenAPI spec across 5 dimensions: descriptions, examples, error responses, schema completeness, and parameter documentation. Shows delta from base.
Docs Drift Detection
Warns when schema changes happen without documentation updates.
Checks if README, CHANGELOG, or API docs were updated alongside schema changes. Flags PRs that skip documentation.
Structural
Understand your API architecture and versioning
Heritage Mode
Versioning suggestions for existing endpoints.
Detects high change density PRs and recommends version bumps or deprecation plans for heavily modified endpoints.
CODEOWNERS Suggestion
Auto-generates CODEOWNERS based on domain ownership config.
When no CODEOWNERS file exists, suggests one based on the domain ownership mapping in your .coderifts.yml.
Versioning Strategy
URL vs header versioning analysis and recommendation.
Detects your versioning approach (URL path, header, query param) and flags inconsistencies or missing version indicators.
PII Detection
Scans new fields for personally identifiable information.
Detects fields like ssn, credit_card, passport in new or modified schemas. Flags before merge with GDPR/CCPA compliance warning.
Breaking Change Density Score
Measures breaking changes relative to API size.
Score 0–100. A small API with 3 breaks scores higher than a large API with 3 breaks. Critical density triggers automatic block.
Compatibility Mode Suggestions
Suggests backward-compatible alternatives to breaking changes.
When a breaking change is detected, suggests a backward-compatible alternative instead of just blocking. Includes code examples and migration paths.
Policy & Governance
Enforce API standards with code-defined policies
Policy Engine (Q2 2026)
YAML-defined rules: max breaking changes, required deprecation periods, auth requirements.
Define governance rules in .coderifts.yml. The engine evaluates every PR against your policies and blocks merges that violate them. Coming Q2 2026.
Freeze Windows (Q2 2026)
Block breaking changes during release freezes or peak traffic periods.
Configure date ranges when breaking changes are prohibited. PRs opened during freeze windows get a hard block with the freeze reason. Coming Q2 2026.
Approval Matrix (Q2 2026)
Require specific approvers for high-risk changes.
Configure who must approve based on risk level: security changes need @security-team, auth changes need @platform-lead. Coming Q2 2026.
Domain Ownership
Map API paths to team owners for targeted notifications.
Define which team owns which API paths. Breaking changes to /payments/* notify @payments-team automatically.
Exception Lifecycle Manager
Time-boxed exceptions for policy violations with audit trail.
Grant temporary exceptions to governance rules. Each exception has an owner, expiry date, and reason. Expired exceptions auto-revoke.
Breaking Budget (Q2 2026)
Set a maximum number of allowed breaking changes per PR.
Configure a breaking change budget in your policy. PRs exceeding the budget get a policy violation with the count and limit shown. Coming Q2 2026.
Branch Risk Profiles
Different risk tolerance per branch pattern.
hotfix/* gets 2x budget, experiment/* never blocks, main/* zero tolerance. Configure per-branch governance rules in .coderifts.yml.
Migration & Assessment
Evaluate migration effort and governance health
Migration Assessment
Estimates consumer migration effort: hours, complexity, affected endpoints.
For each breaking change, estimates the migration effort for API consumers. Factors in change type, endpoint popularity, and complexity.
Governance Health Grade
A–F grade for your API governance posture.
Composite score across policy compliance, exception usage, deprecation adherence, and documentation quality. Shown as a letter grade.
Insights & Reporting
Review patterns, stability badges, and feature flag tracking
PR Review Insights
Time to first review, reviewer load, PR size analysis.
Tracks review patterns for API-related PRs. Shows time to first review, number of review rounds, and PR size classification.
Feature Flag Cleanup
Detects stale feature flags across 6 languages, 19 patterns.
Scans changed files for feature flag patterns. Flags stale and aging flags with configurable thresholds.
API Stability Badge
4 embeddable SVG badges for README: stability, streak, governance, risk.
Shields.io-style badges generated server-side. Embed in your README to show your API's governance posture.
Structural
Shadow API detection and overlap prevention
Shadow API Detection
Identifies high-change-density endpoints that may be undocumented.
Flags endpoints with many changes in a single PR, suggesting they may be shadow APIs that need proper documentation.
Overlap Detection
Detects other open PRs modifying the same schema files.
Warns when multiple open PRs touch the same OpenAPI spec, preventing merge conflicts and governance gaps.
Neural & Semantic Analysis
Deep behavioral and semantic drift detection powered by neural pattern engines
Neural Drift Engine
6 neural patterns: latency, signal loss, noise, auth decay, token inflation, payload erosion.
Detects LATENCY_DRIFT, SIGNAL_LOSS, SYNAPTIC_NOISE_RISE, AUTH_CONDUCTION_DECAY, TOKEN_INFLATION, and PAYLOAD_EROSION. Each pattern maps API behavioral changes to neural network analogies for intuitive risk assessment.
Semantic Drift Detection
4 patterns: field semantic change, endpoint semantic change, response contract drift, default value drift.
Detects FIELD_SEMANTIC_CHANGE, ENDPOINT_SEMANTIC_CHANGE, RESPONSE_CONTRACT_DRIFT, and DEFAULT_VALUE_SEMANTIC_CHANGE. Goes beyond structural diff to detect when the meaning of fields or endpoints changes even if the schema stays the same.
Synaptic Weight Engine
Neural hotspot map showing endpoint criticality weights.
Assigns synaptic weights to each endpoint based on usage patterns, change frequency, and downstream dependencies. Generates a neural hotspot map to visualize which endpoints carry the most risk.
Inhibitory Neuron Filter
Suppress known-safe findings to reduce noise.
POST /api/v1/findings/suppress — Mark specific findings as suppressed so they don't trigger alerts. Like inhibitory neurons in the brain, these filters prevent signal overload from known-safe changes.
Agent & Protocol Governance
A2A protocol governance, cross-spec compatibility, and agent-safe certification
A2A Protocol Governance
Agent-to-Agent protocol diff and pipeline simulation.
POST /api/v1/a2a/diff compares A2A agent cards for breaking changes. POST /api/v1/a2a/simulate runs multi-step pipeline simulations to detect cascading failures across agent chains.
Cross-Spec Compatibility
Compare specs across formats: OpenAPI, AsyncAPI, GraphQL, gRPC.
POST /api/v1/cross-spec/diff — Detects breaking changes when migrating between API specification formats. Supports OpenAPI 3.x, AsyncAPI 2.x, GraphQL SDL, and Protocol Buffers.
Agent-Safe Badge & Verification
Embeddable compliance badge for your README.
GET /api/v1/badge/compliant returns an SVG badge showing AGENT-SAFE, WARN, or BREAKING grade. GET /api/v1/verify/compliant returns full Decision Spec v1.0 verification.
MCP SSE Server
Claude Desktop compatible MCP server over Server-Sent Events.
GET /mcp — Full Model Context Protocol server with 8 tools exposed via SSE transport. Compatible with Claude Desktop, Cursor, and any MCP-capable AI agent. JSON-RPC 2.0 protocol.
Monitoring & Compliance
Real-time monitoring, compliance scoring, and cost tracking
Shadow Agent Detection
Detect unauthorized or undocumented agent integrations.
POST /api/v1/shadow-agent/detect — Scans API traffic patterns and spec changes to identify shadow agents: unauthorized integrations that bypass governance controls.
Axiom Monitor
Real-time API axiom health status dashboard.
GET /api/v1/axiom/status — Monitors core API axioms (backward compatibility, idempotency, versioning) and reports violations in real time.
Policy Compliance Index
Aggregate compliance score across all governance rules.
GET /api/v1/compliance/index — Calculates a weighted compliance score across all active governance policies. Tracks score trends over time for audit reporting.
Token Cost Engine
token_cost_impact field in every diff response.
Every diff response includes token_cost_impact showing how API changes affect LLM token consumption. Helps teams understand the cost implications of schema changes for AI-powered consumers.
AI & Generator Awareness
SDK coverage and generated spec drift tracking
SDK Surface Coverage (Coming Soon)
Tracks which endpoints are covered by generated SDKs.
Cross-references your OpenAPI spec with generated SDK clients. Flags endpoints missing from SDKs and new endpoints that need SDK updates. Coming soon.
Generated Spec Drift
Detects when generated specs diverge from the source of truth.
If your spec is auto-generated from code annotations, detects when manual edits create drift between the generated and committed versions.
Enterprise
8 features — coming Q2 2026
External API Drift Monitor
Track third-party API specs and alert on undocumented changes.
Monitor external APIs your services depend on. Get notified when upstream providers introduce breaking changes before they hit production.
Multi-Repo Compatibility Guard
Cross-repo breaking change detection.
When a spec change in repo A breaks a consumer in repo B, CodeRifts flags it before either PR merges.
Consumer-Aware Risk Scoring
Risk scoring based on actual consumer data.
Integrate with your API gateway to weight risk scores by real traffic volume, active consumers, and revenue impact.
Org-Level API Registry
Company-wide API catalog and portfolio view.
A single pane of glass for every API in your organization: ownership, stability grade, governance health, and change history.
Compliance Ledger
Full audit trail: who changed what, when, and impact.
Immutable log of every API change, approval decision, and exception grant. SOC 2 and PCI-DSS aligned reporting.
Historical Drift Intelligence
Risk time-series and stability decay tracking.
Track how your API stability evolves over weeks and months. Spot decay patterns before they become incidents.
Slack & Teams Notifications
Webhook integration for breaking change alerts.
Configure per-domain notifications. Critical auth changes go to #security, payment API changes go to #payments.
Custom Integrations API
Webhooks and REST API for custom governance workflows.
Build custom integrations with your internal tools. Trigger workflows, sync data, and extend CodeRifts with your own logic.
Ready to protect your APIs?
Free during beta. No credit card required. Start with 9 features, upgrade when you need more.