ContractSanbox
Early Access · Open Source · Built in Go

Catch breaking API changes
before they ship.

ContractSanbox scores every change to your OpenAPI spec, mocks any version in one command, and blocks regressions in CI. Versioned contracts, compatibility scoring, verified mocks, and ephemeral sandboxes.

Join the waitlistSee the CLI
Apache 2.0 Local-first, SQLite storage CI-ready

Contract Versioning

Register every change to your OpenAPI spec with immutable hashes and semver labels. Nothing gets lost, nothing gets overwritten.

Compatibility Scoring

Every diff produces a backward and forward score from 0 to 100. Know exactly how dangerous a change is before you ship it.

Drift Detection

Record live traffic against a contract and get a fidelity score that shows exactly where your implementation diverges from the spec.

The Workflow

From spec to safe deploy in five commands.

No dashboards required. The CLI is the interface. Everything works offline against a local SQLite store.

01

Initialize the workspace

Creates a local .contractsanbox/ folder and auto-detects any spec files in the current directory.

$ csb init initialized .contractsanbox/ detected spec: openapi.yml
02

Register your first spec

Assigns a contract name and a semver. Hashes the spec so future uploads can never silently overwrite history.

$ csb push openapi.yml --version 1.2.0 registered users-api@1.2.0 sha256:3a7c...f8b1
03

Diff two versions

Shows every breaking, warning and info change between any two versions in a structured tree.

$ csb diff 1.1.0 1.2.0 ✗ breaking required field removed User.email ! warning response type narrowed GET /users/{id} · info new optional field added User.nickname
04

Score the change

Prints backward and forward compatibility scores. Green is safe, yellow needs review, red is breaking.

$ csb score backward 42 / 100 (breaking) forward 98 / 100 (safe)
05

Spin up a mock

Starts a spec-backed mock server for any version in one command. No stubs, no hand-written fixtures.

$ csb mock [email protected] --port 9100 mock server ready http://localhost:9100
Features

Everything you need to keep APIs honest.

No SaaS lock-in. Single binary. One config file. Plug it into CI in five minutes.

contracts

Versioned OpenAPI 3.x

Every spec is hashed and versioned. GraphQL and Protobuf adapters are on the roadmap.

diff

Semantic diffs

Changes are classified as breaking, warning, or info — not a flat line-by-line output.

score

Backward + forward scores

Two independent scores so you know who gets hurt: old clients, new clients, or both.

mock

Spec-backed mocks

Mock any contract version on any port. Faker-backed responses. No stubs to maintain.

drift

Implementation drift

Record live traffic and see exactly where production diverges from the declared contract.

policy

Policy gates

Block merges below a minimum score, reject breaking changes, require manual approval. Enforced in CI.

sandbox

Ephemeral sandboxes

Isolated, branch-scoped environments for integration tests. Self-destruct after a configurable TTL.

runtime

Single binary

No daemon, no sidecar, no Docker required. SQLite under the hood. Start in half a second.

Under the hood

Config is code. Everything is scriptable.

Edit a YAML file. Hit the REST API with curl. Call the CLI from any CI runner. No proprietary protocols, no magic.

.contractsanbox/policy.ymlyaml
# Block merges unless scores clear these thresholds
policy:
  min_backward_score: 90
  min_forward_score: 80
  allow_breaking: false
  require_approval_below: 95

gates:
  - name: ci-merge
    enforce: on_push
    actions:
      - score
      - drift_check

notify:
  slack_webhook_env: "SLACK_WEBHOOK_URL"
  on_violation: true
REST APIcurl
# Upload a spec
curl -X POST http://localhost:9090/api/v1/contracts \
  -H "Content-Type: application/json" \
  -d '{"name":"users-api","spec":"..."}'

# Score a diff between two versions
curl http://localhost:9090/api/v1/score \
  ?from=1.1.0&to=1.2.0

# Create an ephemeral sandbox
curl -X POST http://localhost:9090/api/v1/sandboxes \
  -d '{"branch":"feat-x","ttl":"2h"}'
Who it is for

Built for teams where breaking the API costs real money.

Platform teams

Running internal APIs consumed by 5+ services

Every breaking change without warning becomes a pager at 2am. ContractSanbox turns that into a red CI check.

API product owners

Shipping public APIs with real customers

Versioning, deprecation, and forward compatibility become provable instead of guessed at.

SDK maintainers

Generating clients from OpenAPI

Detect when a regenerated SDK will break consumers before the PR hits main.

Early access

Join the waitlist.

ContractSanbox is in active development. We are onboarding teams in waves. Leave your email and we will reach out when we are ready for you.

No spam. No newsletter. We email once when early access opens for you.