Skip to main content
collectionsSource-backed

API Contract Review Gate

A source-backed collection for reviewing API contracts before release: OpenAPI drift detection, JSON Schema validation, GraphQL schema checks, Spectral lint review, Pact consumer contract verification, and generated clients or stubs from approved specs.

by MkDev11·added 2026-06-04·
Bundle:6 items
Review first review before installing

Open the source and read safety notes before installing.

Citation facts

Source-backed facts for citing this resource, derived directly from the registry — also available as plain text for AI assistants.

Source URLs
https://spec.openapis.org/oas/latest.html, https://github.com/JSONbored/awesome-claude/blob/main/content/collections/api-contract-review-gate.mdx
Safety notes
Schema validators, GraphQL validators, Pact verification, Spectral, and OpenAPI Generator can read large contract files and run project-defined commands; review tool configuration before running them in CI., GraphQL schema validation can create local backup files, and generated clients or stubs can overwrite broad output trees, so run in version control and review generated diffs before committing., Pact provider verification may start the provider or a stub and replay requests; confirm that the verify task cannot mutate production data or call live destructive endpoints., Ruleset changes, ignored schema drift, weakened fail thresholds, and regenerated client defaults should be treated as release-impacting until reviewed by an API owner.
Privacy notes
API contracts can expose endpoint names, object models, request examples, response examples, auth schemes, internal hostnames, provider states, enum values, and planned features., Validation output can include file paths, schema paths, rule IDs, line numbers, snippets, sample payloads, and consumer names that should be redacted before public issue or PR comments., Pact brokers, remote specs, package managers, Docker pulls, hosted docs, and CI artifacts may disclose contract metadata or examples outside the local repository.
Author
MkDev11
Submitted by
MkDev11
Claim status
unclaimed
Last verified
2026-06-04

Decision playbook

Review trust signals before you adopt

Signals are present but mixed. Use the checklist below to confirm the source and operational safety for your environment.

Compare context
Selected

0

Current score

78

Baseline

Delta

No baseline selected

No major trust-signal divergence detected in the current selection.

Source and provenance checks

Complete

Confirm ownership and provenance before trusting install instructions.

  • Source link availableRequired

    Open the canonical repository and verify ownership.

    Done
  • Source provenance statusRequired

    Marked as source-backed.

    Done
  • Metadata reviewed

    Registry metadata indicates a reviewed listing.

    Done

Safety and privacy checks

Complete

Validate risk disclosures before installation or API wiring.

  • Safety notes presentRequired

    Review the listed safety guidance before running commands.

    Done
  • Privacy notes presentRequired

    Review data handling notes before connecting accounts or secrets.

    Done
  • Trust level risk gateRequired

    Trust level does not block evaluation.

    Done

Package and install checks

Needs review

Check package metadata and artifact integrity signals.

  • Install payload available

    Install or copy payload is available for review.

    Done
  • Package verification flag

    No package verification flag provided.

    Pending
  • Checksum metadata

    No checksum provided for downloaded artifact.

    Pending

Compare-driven decision checks

Needs review

Use compare context to validate trade-offs before adoption.

  • Compare tray has multiple entries

    Add at least one more entry to compare trust differences.

    Pending
  • Baseline comparison available

    No baseline peer selected yet.

    Pending
  • Diverging trust signals identified

    No major trust-signal divergence found.

    Pending

Setup at a glance

Copy & paste

Copy-ready — paste the snippet to get started.

70 minutes

Adoption plan

Balanced adoption plan

Current risk score 16/100. Use staged verification before broader rollout.

Risk 16

Pre-adoption checks

Validate source and review signals before any execution.

  • Confirm source provenanceRequired

    Source URL/provenance metadata is present.

    Done
  • Confirm metadata review state

    Listing has review metadata.

    Done
  • Verify install payload

    Install/config payload exists and can be inspected.

    Done

Security checks

Confirm safety, privacy, and package integrity signals.

  • Review safety notesRequired

    Safety notes are present.

    Done
  • Review privacy notesRequired

    Privacy notes are present.

    Done
  • Verify package integrity metadata

    No package verification/checksum metadata.

    Pending

Rollout

Adopt in controlled steps based on the selected plan.

  • Run in isolated sandbox firstRequired

    Use a constrained sandbox and observe behavior across multiple tasks.

    Pending
  • Roll out graduallyRequired

    Roll out to a small cohort before wider usage.

    Pending
  • Set monitoring and fallback

    Define rollback path and monitor errors after adoption.

    Pending

Evidence readiness

Evidence readiness matrix · balanced

Required evidence gates are covered (5/6 signals complete).

Risk 15

Source provenance

Present

Source repository/provenance is listed.

Required in this preset

Metadata review

Present

Review metadata is present.

Required in this preset

Safety notes

Present

Safety notes are present.

Required in this preset

Privacy notes

Present

Privacy notes are present.

Optional in this preset

Package integrity

Missing

Package integrity metadata is missing.

Optional in this preset

Install payload

Present

Install payload is available.

Required in this preset

Required evidence gates are covered for this preset.

Decision timeline

Decision timeline · balanced

5/6 steps complete with no blocking gaps for this preset.

Risk 14

triage

Confirm source provenanceRequired

Source/provenance metadata is available.

Done

triage

Check metadata review statusRequired

Review metadata is available.

Done

verify

Review safety notesRequired

Safety notes are available.

Done

verify

Review privacy notes

Privacy notes are available.

Done

verify

Validate package integrity metadata

Package integrity metadata is missing.

Pending

rollout

Verify install payload and commandsRequired

Install payload is available.

Done

No required blockers for this timeline preset.

Prerequisite readiness

Prerequisite readiness

5 prerequisites to line up before setup.

0/5 ready
Install & runtime2Configuration2General170 minutes

Safety & privacy surface

Safety & privacy surface

4 safety and 3 privacy notes across 3 risk areas. Review closely: network access.

3 areas
  • SafetyLocal filesSchema validators, GraphQL validators, Pact verification, Spectral, and OpenAPI Generator can read large contract files and run project-defined commands; review tool configuration before running them in CI.
  • SafetyLocal filesGraphQL schema validation can create local backup files, and generated clients or stubs can overwrite broad output trees, so run in version control and review generated diffs before committing.
  • SafetyNetwork accessPact provider verification may start the provider or a stub and replay requests; confirm that the verify task cannot mutate production data or call live destructive endpoints.
  • SafetyGeneralRuleset changes, ignored schema drift, weakened fail thresholds, and regenerated client defaults should be treated as release-impacting until reviewed by an API owner.
  • PrivacyNetwork accessAPI contracts can expose endpoint names, object models, request examples, response examples, auth schemes, internal hostnames, provider states, enum values, and planned features.
  • PrivacyLocal filesValidation output can include file paths, schema paths, rule IDs, line numbers, snippets, sample payloads, and consumer names that should be redacted before public issue or PR comments.
  • PrivacyNetwork accessPact brokers, remote specs, package managers, Docker pulls, hosted docs, and CI artifacts may disclose contract metadata or examples outside the local repository.

Safety notes

  • Schema validators, GraphQL validators, Pact verification, Spectral, and OpenAPI Generator can read large contract files and run project-defined commands; review tool configuration before running them in CI.
  • GraphQL schema validation can create local backup files, and generated clients or stubs can overwrite broad output trees, so run in version control and review generated diffs before committing.
  • Pact provider verification may start the provider or a stub and replay requests; confirm that the verify task cannot mutate production data or call live destructive endpoints.
  • Ruleset changes, ignored schema drift, weakened fail thresholds, and regenerated client defaults should be treated as release-impacting until reviewed by an API owner.

Privacy notes

  • API contracts can expose endpoint names, object models, request examples, response examples, auth schemes, internal hostnames, provider states, enum values, and planned features.
  • Validation output can include file paths, schema paths, rule IDs, line numbers, snippets, sample payloads, and consumer names that should be redacted before public issue or PR comments.
  • Pact brokers, remote specs, package managers, Docker pulls, hosted docs, and CI artifacts may disclose contract metadata or examples outside the local repository.

Prerequisites

  • A named API contract source of truth, such as OpenAPI, JSON Schema, GraphQL SDL, or Pact consumer contracts, with an owner and compatibility policy.
  • A repository baseline for committed schemas so drift checks can compare proposed changes against the current version.
  • Local or CI access to required validation tools such as git, jq, Node/npm, AJV, GraphQL Inspector, Spectral, Pact, and OpenAPI Generator as applicable.
  • Test data policy for request examples, response examples, provider states, schema fixtures, generated clients, and public documentation.
  • Release policy for breaking changes, deprecations, major-version bumps, generated code diffs, and consumer communication.

Schema details

Install type
copy
Troubleshooting
No
Collection metadata
Items
6 entries
Estimated setup
70 minutes
Difficulty
advanced
Installation order
api-schema-drift-detectorjson-schema-validatorgraphql-schema-validatorspectral-openapi-contract-audit-capability-packapi-contract-checkopenapi-generator
Full copyable content
## What this collection sets up

This collection gives API teams a contract-review gate before release. It is
not a starter kit for building endpoints. It focuses on compatibility evidence:
what changed in the contract, whether schemas still validate, whether GraphQL
changes are breaking, whether OpenAPI lint results are release-blocking, whether
consumer Pact expectations still pass, and whether generated clients or server
stubs reflect the approved contract.

## Layers

### 1. Local drift and schema checks

- **api-schema-drift-detector** warns when an edited OpenAPI or JSON Schema file
  removes paths or required fields compared with the committed version.
- **json-schema-validator** validates JSON files against discovered schemas and
  catches syntax, shape, and integrity problems during edits.
- **graphql-schema-validator** validates GraphQL schema files and flags possible
  breaking changes before they reach review.

### 2. Contract audit and consumer verification

- **spectral-openapi-contract-audit-capability-pack** reviews OpenAPI contracts,
  Spectral rulesets, lint output, schema drift, CI gates, and API release
  readiness.
- **api-contract-check** runs Pact consumer-driven provider verification so real
  recorded consumer expectations are checked before a provider change ships.

### 3. Generation after approval

- **openapi-generator** creates clients, server stubs, documentation, schemas,
  and configuration from OpenAPI specs after the source contract has passed
  review.

## Suggested order

Install the local drift and schema hooks first so breaking changes surface while
contracts are being edited. Add the Spectral audit skill to review OpenAPI
rulesets, lint results, references, and release impact. Run the Pact contract
check when consumers publish contracts or when a provider change might break
recorded interactions. Use OpenAPI Generator last, after the source contract has
been approved, and review the generated diff as application code.

## Review checklist

- [ ] {"task": "Source of truth is named", "description": "The reviewed OpenAPI, JSON Schema, GraphQL, or Pact contract has an owner and compatibility policy"}
- [ ] {"task": "Breaking changes are classified", "description": "Removed paths, removed required fields, enum changes, type removals, and response-shape changes are reviewed"}
- [ ] {"task": "Validator output is reproducible", "description": "Spectral, AJV, GraphQL, Pact, and generator versions or commands are recorded"}
- [ ] {"task": "Examples are safe", "description": "Request, response, and provider-state examples do not expose secrets or customer data"}
- [ ] {"task": "Generated output is reviewed", "description": "Clients, stubs, docs, and schema artifacts are checked for auth, retries, validation, and destructive operations"}
- [ ] {"task": "Consumers are accounted for", "description": "Known clients, SDKs, downstream teams, and deprecation paths are covered before release"}

## Source and references

- OpenAPI Specification: https://spec.openapis.org/oas/latest.html
- Stoplight Spectral source: https://github.com/stoplightio/spectral/blob/v6.15.0/README.md
- Pact documentation: https://docs.pact.io/
- OpenAPI Generator installation docs: https://openapi-generator.tech/docs/installation/
- JSON Schema core specification: https://json-schema.org/draft/2020-12/json-schema-core
- AJV documentation: https://ajv.js.org/
- GraphQL specification: https://spec.graphql.org/October2021/

## Duplicate check

Checked existing collections, commands, hooks, skills, tools, open PRs, closed
PRs, and issue history for `api-contract-review-gate`, API contract review, API
contract gate, OpenAPI drift, Spectral, Pact, JSON Schema, GraphQL schema,
OpenAPI Generator, and schema compatibility. `api-development-starter-kit` is a
broad beginner-oriented API building and documentation collection. This entry is
narrower and release-focused: it bundles contract validation, compatibility
review, consumer verification, and generation from approved specs.

## Disclosure

Editorial collection. No paid placement or affiliate link is used.

About this resource

What this collection sets up

This collection gives API teams a contract-review gate before release. It is not a starter kit for building endpoints. It focuses on compatibility evidence: what changed in the contract, whether schemas still validate, whether GraphQL changes are breaking, whether OpenAPI lint results are release-blocking, whether consumer Pact expectations still pass, and whether generated clients or server stubs reflect the approved contract.

Layers

1. Local drift and schema checks

  • api-schema-drift-detector warns when an edited OpenAPI or JSON Schema file removes paths or required fields compared with the committed version.
  • json-schema-validator validates JSON files against discovered schemas and catches syntax, shape, and integrity problems during edits.
  • graphql-schema-validator validates GraphQL schema files and flags possible breaking changes before they reach review.

2. Contract audit and consumer verification

  • spectral-openapi-contract-audit-capability-pack reviews OpenAPI contracts, Spectral rulesets, lint output, schema drift, CI gates, and API release readiness.
  • api-contract-check runs Pact consumer-driven provider verification so real recorded consumer expectations are checked before a provider change ships.

3. Generation after approval

  • openapi-generator creates clients, server stubs, documentation, schemas, and configuration from OpenAPI specs after the source contract has passed review.

Suggested order

Install the local drift and schema hooks first so breaking changes surface while contracts are being edited. Add the Spectral audit skill to review OpenAPI rulesets, lint results, references, and release impact. Run the Pact contract check when consumers publish contracts or when a provider change might break recorded interactions. Use OpenAPI Generator last, after the source contract has been approved, and review the generated diff as application code.

Review checklist

  • {"task": "Source of truth is named", "description": "The reviewed OpenAPI, JSON Schema, GraphQL, or Pact contract has an owner and compatibility policy"}
  • {"task": "Breaking changes are classified", "description": "Removed paths, removed required fields, enum changes, type removals, and response-shape changes are reviewed"}
  • {"task": "Validator output is reproducible", "description": "Spectral, AJV, GraphQL, Pact, and generator versions or commands are recorded"}
  • {"task": "Examples are safe", "description": "Request, response, and provider-state examples do not expose secrets or customer data"}
  • {"task": "Generated output is reviewed", "description": "Clients, stubs, docs, and schema artifacts are checked for auth, retries, validation, and destructive operations"}
  • {"task": "Consumers are accounted for", "description": "Known clients, SDKs, downstream teams, and deprecation paths are covered before release"}

Source and references

Duplicate check

Checked existing collections, commands, hooks, skills, tools, open PRs, closed PRs, and issue history for api-contract-review-gate, API contract review, API contract gate, OpenAPI drift, Spectral, Pact, JSON Schema, GraphQL schema, OpenAPI Generator, and schema compatibility. api-development-starter-kit is a broad beginner-oriented API building and documentation collection. This entry is narrower and release-focused: it bundles contract validation, compatibility review, consumer verification, and generation from approved specs.

Disclosure

Editorial collection. No paid placement or affiliate link is used.

Source citations

Add this badge to your README

Show that API Contract Review Gate is listed on HeyClaude. Paste this Markdown into your README — it renders the badge and links back to this page.

Listed on HeyClaude
[![Listed on HeyClaude](https://heyclau.de/badge/collections/api-contract-review-gate.svg)](https://heyclau.de/entry/collections/api-contract-review-gate)

How it compares

API Contract Review Gate side by side with 3 alternatives on trust, install, platform support, and disclosed safety notes — all from reviewed registry metadata.

2 trust signals differ across this comparison (Source provenance, Submitter).

Next steps differ across entries — use the actions in the table below to copy install commands and source links per resource.

Field

A source-backed collection for reviewing API contracts before release: OpenAPI drift detection, JSON Schema validation, GraphQL schema checks, Spectral lint review, Pact consumer contract verification, and generated clients or stubs from approved specs.

Open dossier

PostToolUse hook that compares a just-edited OpenAPI or JSON Schema document against the version committed in git and warns about backward-incompatible drift — removed OpenAPI paths and removed required properties — so breaking API changes are surfaced before they ship. Advisory only; it never blocks the edit.

Open dossier

Expert Spectral review skill for auditing OpenAPI contracts, OAS rulesets, lint results, schema drift, CI gates, and API release readiness.

Open dossier

Slash command that runs consumer-driven contract verification for an HTTP API using Pact.

Open dossier
Next stepsDiffers
Trust
Review statusReviewedMaintainer reviewedReviewedMaintainer reviewedReviewedMaintainer reviewedReviewedMaintainer reviewed
Package trustPackage not verifiedPackage not verifiedPackage not verifiedPackage not verified
Source provenanceDiffersSource-backedSource-backedSubmission linkedSource submissionSource-backed
SubmitterDiffersMkDev11jony376oktofeesh1techforgeworks
Install riskReview firstReview firstReview firstReview first
Notes Safety ✓ Privacy ✓ Safety ✓ Privacy ✓ Safety ✓ Privacy ✓ Safety ✓ Privacy ✓
Brand
Categorycollectionshooksskillscommands
SourceSource-backedSource-backedSource-backedSource-backed
AuthorMkDev11jony376oktofeesh1techforgeworks
Added2026-06-042026-06-042026-06-032026-06-04
Platforms
Harness
Source repo
Safety notesSchema validators, GraphQL validators, Pact verification, Spectral, and OpenAPI Generator can read large contract files and run project-defined commands; review tool configuration before running them in CI. GraphQL schema validation can create local backup files, and generated clients or stubs can overwrite broad output trees, so run in version control and review generated diffs before committing. Pact provider verification may start the provider or a stub and replay requests; confirm that the verify task cannot mutate production data or call live destructive endpoints. Ruleset changes, ignored schema drift, weakened fail thresholds, and regenerated client defaults should be treated as release-impacting until reviewed by an API owner.Runs after every Write, Edit, and MultiEdit and only inspects JSON files that declare openapi, swagger, a $schema key, or paths. Stays read-only and runs git show to read the committed version; it never edits, stages, or commits anything. Advisory by design and always exits 0, so it never blocks a write even when drift is detected. Uses key-set comparison heuristics for removed paths and required fields, so it catches common breaking changes but is not a full OpenAPI diff.Installing Spectral adds npm packages to the selected project environment; pin the reviewed version and avoid global installs for review work. Spectral can lint local files, globs, and remote contract URLs; review source locations before running checks in shared CI. Ruleset changes can silently weaken future API gates; review disabled rules, severity changes, and overrides as release-impacting changes. JavaScript rulesets and custom functions such as `.spectral.js` execute Node.js code; do not run attacker-supplied rulesets from untrusted PRs unless they have been inspected and executed in a sandboxed environment. The source ZIP is external and version-pinned for reference; package trust should remain a maintainer decision.Following the command runs the project's Pact provider-verification step, which typically starts the provider (or a stub of it) and replays recorded requests against it; review what the verify task does before running it. It performs read and verify actions only - it replays existing consumer contracts and reports pass or fail; it does not deploy, publish, or mutate the provider. When a Pact Broker is configured it fetches consumer contracts over the network using the project's existing broker credentials; it never prints those credentials.
Privacy notesAPI contracts can expose endpoint names, object models, request examples, response examples, auth schemes, internal hostnames, provider states, enum values, and planned features. Validation output can include file paths, schema paths, rule IDs, line numbers, snippets, sample payloads, and consumer names that should be redacted before public issue or PR comments. Pact brokers, remote specs, package managers, Docker pulls, hosted docs, and CI artifacts may disclose contract metadata or examples outside the local repository.Reads the edited schema file and its committed HEAD version from the local repository only. Prints removed path and required-field names to local hook stderr; it makes no network calls and writes no logs. Path and field names shown in output may reveal internal API surface in your terminal.OpenAPI files can reveal internal route names, hostnames, example payloads, business object names, and planned endpoints. Lint reports can include source paths, schema paths, rule names, snippets, and examples from the reviewed contract. Keep public review notes focused on rule IDs, contract paths, compatibility impact, and summarized examples; omit details that do not need to be public.Pact contract files and verification output contain example request and response bodies, headers, and provider state names, which enter the model context to explain failures. If those example payloads include real customer data or tokens, that text becomes part of the prompt; review the pacts before running on sensitive contracts. The command itself writes nothing to disk beyond the verifier's own logs.
Prerequisites
  • A named API contract source of truth, such as OpenAPI, JSON Schema, GraphQL SDL, or Pact consumer contracts, with an owner and compatibility policy.
  • A repository baseline for committed schemas so drift checks can compare proposed changes against the current version.
  • Local or CI access to required validation tools such as git, jq, Node/npm, AJV, GraphQL Inspector, Spectral, Pact, and OpenAPI Generator as applicable.
  • Test data policy for request examples, response examples, provider states, schema fixtures, generated clients, and public documentation.
  • Claude Code CLI with hooks enabled.
  • git, jq, and bash on PATH; the hook fails open and stays silent when git or jq is missing.
  • The schema file must be tracked in git so a committed baseline exists to diff against.
  • OpenAPI v2, v3.0, or v3.1 contract file set
  • Spectral ruleset such as `.spectral.yaml` or an explicit ruleset path
  • Lint output, CI output, or proposed contract diff
  • API owner expectations for breaking changes, naming, examples, and release gates
— none listed
Install
mkdir -p .claude/hooks && touch .claude/hooks/api-schema-drift-detector.sh && chmod +x .claude/hooks/api-schema-drift-detector.sh
npm install --save-dev @stoplight/spectral-cli@6.15.0
/api-contract-check [provider]
Config
{
  "hooks": {
    "PostToolUse": [
      {
        "matcher": "Write|Edit|MultiEdit",
        "hooks": [
          {
            "type": "command",
            "command": "$CLAUDE_PROJECT_DIR/.claude/hooks/api-schema-drift-detector.sh"
          }
        ]
      }
    ]
  }
}
Citations
ClaimUnclaimedUnclaimedUnclaimedUnclaimed
Open 4 picks in the interactive comparison tool

Related guides

Signals

Loading live community signals…

More like this, weekly

A short, calm digest of reviewed Claude resources. Unsubscribe any time.