A source-backed collection for reviewing API contracts before release: OpenAPI drift detection, JSON Schema validation, GraphQL schema checks, Spectral lint review, Pact consumer contract verification, and generated clients or stubs from approved specs.
Schema validators, GraphQL validators, Pact verification, Spectral, and OpenAPI Generator can read large contract files and run project-defined commands; review tool configuration before running them in CI., GraphQL schema validation can create local backup files, and generated clients or stubs can overwrite broad output trees, so run in version control and review generated diffs before committing., Pact provider verification may start the provider or a stub and replay requests; confirm that the verify task cannot mutate production data or call live destructive endpoints., Ruleset changes, ignored schema drift, weakened fail thresholds, and regenerated client defaults should be treated as release-impacting until reviewed by an API owner.
Privacy notes
API contracts can expose endpoint names, object models, request examples, response examples, auth schemes, internal hostnames, provider states, enum values, and planned features., Validation output can include file paths, schema paths, rule IDs, line numbers, snippets, sample payloads, and consumer names that should be redacted before public issue or PR comments., Pact brokers, remote specs, package managers, Docker pulls, hosted docs, and CI artifacts may disclose contract metadata or examples outside the local repository.
Author
MkDev11
Submitted by
MkDev11
Claim status
unclaimed
Last verified
2026-06-04
Decision playbook
Review trust signals before you adopt
Signals are present but mixed. Use the checklist below to confirm the source and operational safety for your environment.
Compare context
Selected
0
Current score
78
Baseline
—
Delta
No baseline selected
No major trust-signal divergence detected in the current selection.
Source and provenance checks
Complete
Confirm ownership and provenance before trusting install instructions.
Source link availableRequired
Open the canonical repository and verify ownership.
Done
Source provenance statusRequired
Marked as source-backed.
Done
Metadata reviewed
Registry metadata indicates a reviewed listing.
Done
Safety and privacy checks
Complete
Validate risk disclosures before installation or API wiring.
Safety notes presentRequired
Review the listed safety guidance before running commands.
Done
Privacy notes presentRequired
Review data handling notes before connecting accounts or secrets.
Done
Trust level risk gateRequired
Trust level does not block evaluation.
Done
Package and install checks
Needs review
Check package metadata and artifact integrity signals.
Install payload available
Install or copy payload is available for review.
Done
Package verification flag
No package verification flag provided.
Pending
Checksum metadata
No checksum provided for downloaded artifact.
Pending
Compare-driven decision checks
Needs review
Use compare context to validate trade-offs before adoption.
Compare tray has multiple entries
Add at least one more entry to compare trust differences.
4 safety and 3 privacy notes across 3 risk areas. Review closely: network access.
3 areas
SafetyLocal filesSchema validators, GraphQL validators, Pact verification, Spectral, and OpenAPI Generator can read large contract files and run project-defined commands; review tool configuration before running them in CI.
SafetyLocal filesGraphQL schema validation can create local backup files, and generated clients or stubs can overwrite broad output trees, so run in version control and review generated diffs before committing.
SafetyNetwork accessPact provider verification may start the provider or a stub and replay requests; confirm that the verify task cannot mutate production data or call live destructive endpoints.
SafetyGeneralRuleset changes, ignored schema drift, weakened fail thresholds, and regenerated client defaults should be treated as release-impacting until reviewed by an API owner.
PrivacyLocal filesValidation output can include file paths, schema paths, rule IDs, line numbers, snippets, sample payloads, and consumer names that should be redacted before public issue or PR comments.
PrivacyNetwork accessPact brokers, remote specs, package managers, Docker pulls, hosted docs, and CI artifacts may disclose contract metadata or examples outside the local repository.
Safety notes
Schema validators, GraphQL validators, Pact verification, Spectral, and OpenAPI Generator can read large contract files and run project-defined commands; review tool configuration before running them in CI.
GraphQL schema validation can create local backup files, and generated clients or stubs can overwrite broad output trees, so run in version control and review generated diffs before committing.
Pact provider verification may start the provider or a stub and replay requests; confirm that the verify task cannot mutate production data or call live destructive endpoints.
Ruleset changes, ignored schema drift, weakened fail thresholds, and regenerated client defaults should be treated as release-impacting until reviewed by an API owner.
Privacy notes
API contracts can expose endpoint names, object models, request examples, response examples, auth schemes, internal hostnames, provider states, enum values, and planned features.
Validation output can include file paths, schema paths, rule IDs, line numbers, snippets, sample payloads, and consumer names that should be redacted before public issue or PR comments.
Pact brokers, remote specs, package managers, Docker pulls, hosted docs, and CI artifacts may disclose contract metadata or examples outside the local repository.
Prerequisites
A named API contract source of truth, such as OpenAPI, JSON Schema, GraphQL SDL, or Pact consumer contracts, with an owner and compatibility policy.
A repository baseline for committed schemas so drift checks can compare proposed changes against the current version.
Local or CI access to required validation tools such as git, jq, Node/npm, AJV, GraphQL Inspector, Spectral, Pact, and OpenAPI Generator as applicable.
Test data policy for request examples, response examples, provider states, schema fixtures, generated clients, and public documentation.
Release policy for breaking changes, deprecations, major-version bumps, generated code diffs, and consumer communication.
## What this collection sets up
This collection gives API teams a contract-review gate before release. It is
not a starter kit for building endpoints. It focuses on compatibility evidence:
what changed in the contract, whether schemas still validate, whether GraphQL
changes are breaking, whether OpenAPI lint results are release-blocking, whether
consumer Pact expectations still pass, and whether generated clients or server
stubs reflect the approved contract.
## Layers
### 1. Local drift and schema checks
- **api-schema-drift-detector** warns when an edited OpenAPI or JSON Schema file
removes paths or required fields compared with the committed version.
- **json-schema-validator** validates JSON files against discovered schemas and
catches syntax, shape, and integrity problems during edits.
- **graphql-schema-validator** validates GraphQL schema files and flags possible
breaking changes before they reach review.
### 2. Contract audit and consumer verification
- **spectral-openapi-contract-audit-capability-pack** reviews OpenAPI contracts,
Spectral rulesets, lint output, schema drift, CI gates, and API release
readiness.
- **api-contract-check** runs Pact consumer-driven provider verification so real
recorded consumer expectations are checked before a provider change ships.
### 3. Generation after approval
- **openapi-generator** creates clients, server stubs, documentation, schemas,
and configuration from OpenAPI specs after the source contract has passed
review.
## Suggested order
Install the local drift and schema hooks first so breaking changes surface while
contracts are being edited. Add the Spectral audit skill to review OpenAPI
rulesets, lint results, references, and release impact. Run the Pact contract
check when consumers publish contracts or when a provider change might break
recorded interactions. Use OpenAPI Generator last, after the source contract has
been approved, and review the generated diff as application code.
## Review checklist
- [ ] {"task": "Source of truth is named", "description": "The reviewed OpenAPI, JSON Schema, GraphQL, or Pact contract has an owner and compatibility policy"}
- [ ] {"task": "Breaking changes are classified", "description": "Removed paths, removed required fields, enum changes, type removals, and response-shape changes are reviewed"}
- [ ] {"task": "Validator output is reproducible", "description": "Spectral, AJV, GraphQL, Pact, and generator versions or commands are recorded"}
- [ ] {"task": "Examples are safe", "description": "Request, response, and provider-state examples do not expose secrets or customer data"}
- [ ] {"task": "Generated output is reviewed", "description": "Clients, stubs, docs, and schema artifacts are checked for auth, retries, validation, and destructive operations"}
- [ ] {"task": "Consumers are accounted for", "description": "Known clients, SDKs, downstream teams, and deprecation paths are covered before release"}
## Source and references
- OpenAPI Specification: https://spec.openapis.org/oas/latest.html
- Stoplight Spectral source: https://github.com/stoplightio/spectral/blob/v6.15.0/README.md
- Pact documentation: https://docs.pact.io/
- OpenAPI Generator installation docs: https://openapi-generator.tech/docs/installation/
- JSON Schema core specification: https://json-schema.org/draft/2020-12/json-schema-core
- AJV documentation: https://ajv.js.org/
- GraphQL specification: https://spec.graphql.org/October2021/
## Duplicate check
Checked existing collections, commands, hooks, skills, tools, open PRs, closed
PRs, and issue history for `api-contract-review-gate`, API contract review, API
contract gate, OpenAPI drift, Spectral, Pact, JSON Schema, GraphQL schema,
OpenAPI Generator, and schema compatibility. `api-development-starter-kit` is a
broad beginner-oriented API building and documentation collection. This entry is
narrower and release-focused: it bundles contract validation, compatibility
review, consumer verification, and generation from approved specs.
## Disclosure
Editorial collection. No paid placement or affiliate link is used.
About this resource
What this collection sets up
This collection gives API teams a contract-review gate before release. It is
not a starter kit for building endpoints. It focuses on compatibility evidence:
what changed in the contract, whether schemas still validate, whether GraphQL
changes are breaking, whether OpenAPI lint results are release-blocking, whether
consumer Pact expectations still pass, and whether generated clients or server
stubs reflect the approved contract.
Layers
1. Local drift and schema checks
api-schema-drift-detector warns when an edited OpenAPI or JSON Schema file
removes paths or required fields compared with the committed version.
json-schema-validator validates JSON files against discovered schemas and
catches syntax, shape, and integrity problems during edits.
graphql-schema-validator validates GraphQL schema files and flags possible
breaking changes before they reach review.
2. Contract audit and consumer verification
spectral-openapi-contract-audit-capability-pack reviews OpenAPI contracts,
Spectral rulesets, lint output, schema drift, CI gates, and API release
readiness.
api-contract-check runs Pact consumer-driven provider verification so real
recorded consumer expectations are checked before a provider change ships.
3. Generation after approval
openapi-generator creates clients, server stubs, documentation, schemas,
and configuration from OpenAPI specs after the source contract has passed
review.
Suggested order
Install the local drift and schema hooks first so breaking changes surface while
contracts are being edited. Add the Spectral audit skill to review OpenAPI
rulesets, lint results, references, and release impact. Run the Pact contract
check when consumers publish contracts or when a provider change might break
recorded interactions. Use OpenAPI Generator last, after the source contract has
been approved, and review the generated diff as application code.
Review checklist
{"task": "Source of truth is named", "description": "The reviewed OpenAPI, JSON Schema, GraphQL, or Pact contract has an owner and compatibility policy"}
{"task": "Breaking changes are classified", "description": "Removed paths, removed required fields, enum changes, type removals, and response-shape changes are reviewed"}
{"task": "Validator output is reproducible", "description": "Spectral, AJV, GraphQL, Pact, and generator versions or commands are recorded"}
{"task": "Examples are safe", "description": "Request, response, and provider-state examples do not expose secrets or customer data"}
{"task": "Generated output is reviewed", "description": "Clients, stubs, docs, and schema artifacts are checked for auth, retries, validation, and destructive operations"}
{"task": "Consumers are accounted for", "description": "Known clients, SDKs, downstream teams, and deprecation paths are covered before release"}
Checked existing collections, commands, hooks, skills, tools, open PRs, closed
PRs, and issue history for api-contract-review-gate, API contract review, API
contract gate, OpenAPI drift, Spectral, Pact, JSON Schema, GraphQL schema,
OpenAPI Generator, and schema compatibility. api-development-starter-kit is a
broad beginner-oriented API building and documentation collection. This entry is
narrower and release-focused: it bundles contract validation, compatibility
review, consumer verification, and generation from approved specs.
Disclosure
Editorial collection. No paid placement or affiliate link is used.
Show that API Contract Review Gate is listed on HeyClaude. Paste this Markdown into your README — it renders the badge and links back to this page.
[](https://heyclau.de/entry/collections/api-contract-review-gate)
How it compares
API Contract Review Gate side by side with 3 alternatives on trust, install, platform support, and disclosed safety notes — all from reviewed registry metadata.
2 trust signals differ across this comparison (Source provenance, Submitter).
Next steps differ across entries — use the actions in the table below to copy install commands and source links per resource.
A source-backed collection for reviewing API contracts before release: OpenAPI drift detection, JSON Schema validation, GraphQL schema checks, Spectral lint review, Pact consumer contract verification, and generated clients or stubs from approved specs.
PostToolUse hook that compares a just-edited OpenAPI or JSON Schema document against the version committed in git and warns about backward-incompatible drift — removed OpenAPI paths and removed required properties — so breaking API changes are surfaced before they ship. Advisory only; it never blocks the edit.
✓Schema validators, GraphQL validators, Pact verification, Spectral, and OpenAPI Generator can read large contract files and run project-defined commands; review tool configuration before running them in CI.
GraphQL schema validation can create local backup files, and generated clients or stubs can overwrite broad output trees, so run in version control and review generated diffs before committing.
Pact provider verification may start the provider or a stub and replay requests; confirm that the verify task cannot mutate production data or call live destructive endpoints.
Ruleset changes, ignored schema drift, weakened fail thresholds, and regenerated client defaults should be treated as release-impacting until reviewed by an API owner.
✓Runs after every Write, Edit, and MultiEdit and only inspects JSON files that declare openapi, swagger, a $schema key, or paths.
Stays read-only and runs git show to read the committed version; it never edits, stages, or commits anything.
Advisory by design and always exits 0, so it never blocks a write even when drift is detected.
Uses key-set comparison heuristics for removed paths and required fields, so it catches common breaking changes but is not a full OpenAPI diff.
✓Installing Spectral adds npm packages to the selected project environment; pin the reviewed version and avoid global installs for review work.
Spectral can lint local files, globs, and remote contract URLs; review source locations before running checks in shared CI.
Ruleset changes can silently weaken future API gates; review disabled rules, severity changes, and overrides as release-impacting changes.
JavaScript rulesets and custom functions such as `.spectral.js` execute Node.js code; do not run attacker-supplied rulesets from untrusted PRs unless they have been inspected and executed in a sandboxed environment.
The source ZIP is external and version-pinned for reference; package trust should remain a maintainer decision.
✓Following the command runs the project's Pact provider-verification step, which typically starts the provider (or a stub of it) and replays recorded requests against it; review what the verify task does before running it.
It performs read and verify actions only - it replays existing consumer contracts and reports pass or fail; it does not deploy, publish, or mutate the provider.
When a Pact Broker is configured it fetches consumer contracts over the network using the project's existing broker credentials; it never prints those credentials.
Privacy notes
✓API contracts can expose endpoint names, object models, request examples, response examples, auth schemes, internal hostnames, provider states, enum values, and planned features.
Validation output can include file paths, schema paths, rule IDs, line numbers, snippets, sample payloads, and consumer names that should be redacted before public issue or PR comments.
Pact brokers, remote specs, package managers, Docker pulls, hosted docs, and CI artifacts may disclose contract metadata or examples outside the local repository.
✓Reads the edited schema file and its committed HEAD version from the local repository only.
Prints removed path and required-field names to local hook stderr; it makes no network calls and writes no logs.
Path and field names shown in output may reveal internal API surface in your terminal.
✓OpenAPI files can reveal internal route names, hostnames, example payloads, business object names, and planned endpoints.
Lint reports can include source paths, schema paths, rule names, snippets, and examples from the reviewed contract.
Keep public review notes focused on rule IDs, contract paths, compatibility impact, and summarized examples; omit details that do not need to be public.
✓Pact contract files and verification output contain example request and response bodies, headers, and provider state names, which enter the model context to explain failures.
If those example payloads include real customer data or tokens, that text becomes part of the prompt; review the pacts before running on sensitive contracts.
The command itself writes nothing to disk beyond the verifier's own logs.
Prerequisites
A named API contract source of truth, such as OpenAPI, JSON Schema, GraphQL SDL, or Pact consumer contracts, with an owner and compatibility policy.
A repository baseline for committed schemas so drift checks can compare proposed changes against the current version.
Local or CI access to required validation tools such as git, jq, Node/npm, AJV, GraphQL Inspector, Spectral, Pact, and OpenAPI Generator as applicable.
Test data policy for request examples, response examples, provider states, schema fixtures, generated clients, and public documentation.
Claude Code CLI with hooks enabled.
git, jq, and bash on PATH; the hook fails open and stays silent when git or jq is missing.
The schema file must be tracked in git so a committed baseline exists to diff against.
OpenAPI v2, v3.0, or v3.1 contract file set
Spectral ruleset such as `.spectral.yaml` or an explicit ruleset path
Lint output, CI output, or proposed contract diff
API owner expectations for breaking changes, naming, examples, and release gates