Details
- Finds missing guards around destructive operations, risky mutations, weak schemas, missing error contracts, and underspecified behavior.
- Offline-first CLI with JSON, Markdown, and SARIF reports for CI and GitHub code scanning.
- Generates guard policy drafts and eval ideas from the source contract before MCP or tool wrappers are built.
Why it exists
Agent-facing APIs need a different review pass than human-only APIs. ToolSafe looks for the parts of an OpenAPI contract that become risky once an autonomous caller can invoke them repeatedly and quickly.
Product shape
The CLI is designed to be deterministic and CI-friendly. It produces human-readable findings for review, structured output for automation, and SARIF for code scanning workflows.
Engineering focus
The core challenge is translating vague API risk into repeatable rules. The analyzer favors explicit checks and explainable findings over magic scoring, so teams can fix the contract instead of debating the tool.