AlfaNest Labs

Roadmap

Named capabilities on this Next.js deployment: what is established in production, what shipped recently, what is planned next, and the ordered API Risk engineering backlog. HTTP route detail for scans and compares lives in docs/API-RISK-FEATURES-AND-ROUTES.md.

Established

Core product lines available on the live app today.

API Risk Monitor

OpenAPI ingestion (JSON, YAML, HTTPS URL), risk score, structured findings, Markdown export, recent run history, and Stripe-backed access when billing is configured on the deployment.

AI Agent Security

Control-plane flows: policies, agent inventory, API keys, human-in-the-loop approvals, audit-oriented events, and dashboard entry points for operators.

Machine Identity

Declarative manifest path, identity inventory surfaces, dashboard workflows, correlation hooks toward API posture, and tiered access patterns.

Recent

Capabilities that landed on the live app in the current release window.

Spec diff and risk delta

Compare two OpenAPI documents (JSON, YAML, or URL per side) and report the score delta, route churn, auth drift, and which findings appeared versus which were removed between the two sides.

Compare persistence and Markdown reports

Compare runs are stored alongside scans when a store file is configured, with a JSON detail route and a Markdown report download for CI and auditors.

Automation hooks

Response headers exposing score and finding counts on scan and compare success paths, plus a thresholded CI gate script for pipelines.
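As an added illustration of the compare and gate described above (this is not AlfaNest's code, and neither the rule set nor the header names are the product's own), the following Node.js script flattens two constructed OpenAPI documents into operations, reports route churn and auth drift (the effective security requirement per operation, where an explicit empty list means "no auth"), lists findings that appeared versus were removed under a tiny illustrative rule set, computes a score delta, exposes those numbers as response-style headers, and runs a thresholded gate that fails when the delta or any auth drift breaks policy. The rule weights, the `x-api-risk-*` header names and both specs are assumptions.

```javascript
// Added example, not AlfaNest's code: diff two OpenAPI documents for route churn,
// auth drift and findings that appeared or were removed, score the delta, then
// gate a pipeline on thresholds. Rule set, weights and header names are
// assumptions; both specs are constructed sample input.

const HTTP_METHODS = ["get", "put", "post", "delete", "patch", "head", "options"];

// Flatten spec.paths into "METHOD /path" -> operation object.
function operations(spec) {
  const ops = new Map();
  for (const [path, item] of Object.entries(spec.paths || {}))
    for (const m of HTTP_METHODS) if (item[m]) ops.set(`${m.toUpperCase()} ${path}`, item[m]);
  return ops;
}

// Effective security requirement: an operation-level list overrides the global one,
// and an explicit [] means "no auth", which is exactly the drift a diff must catch.
function effectiveSecurity(spec, op) {
  return JSON.stringify(op.security !== undefined ? op.security : spec.security || []);
}

// Tiny illustrative rule set standing in for the scanner's real findings.
function findings(spec) {
  const out = [];
  for (const [route, op] of operations(spec))
    if (effectiveSecurity(spec, op) === "[]") out.push({ rule: "UNAUTHENTICATED_OPERATION", at: route, weight: 10 });
  for (const [name, s] of Object.entries(spec.components?.securitySchemes || {}))
    if (s.type === "apiKey" && s.in === "query") out.push({ rule: "API_KEY_IN_QUERY", at: `securitySchemes.${name}`, weight: 5 });
  return out;
}

const key = (f) => `${f.rule} ${f.at}`;
const score = (fs) => fs.reduce((n, f) => n + f.weight, 0);

function compare(before, after) {
  const a = operations(before), b = operations(after);
  const fa = findings(before), fb = findings(after);
  const aKeys = new Set(fa.map(key)), bKeys = new Set(fb.map(key));
  const authDrift = [];
  for (const [route, op] of a) {
    if (!b.has(route)) continue; // removed routes are churn, not drift
    const from = effectiveSecurity(before, op), to = effectiveSecurity(after, b.get(route));
    if (from !== to) authDrift.push({ route, from: JSON.parse(from), to: JSON.parse(to) });
  }
  return {
    scoreBefore: score(fa),
    scoreAfter: score(fb),
    scoreDelta: score(fb) - score(fa),
    addedRoutes: [...b.keys()].filter((r) => !a.has(r)),
    removedRoutes: [...a.keys()].filter((r) => !b.has(r)),
    authDrift,
    appeared: fb.filter((f) => !aKeys.has(key(f))),
    removed: fa.filter((f) => !bKeys.has(key(f))),
  };
}

// Header names are an assumption for illustration, not the product's real headers.
function toHeaders(r) {
  return { "x-api-risk-score": String(r.scoreAfter), "x-api-risk-score-delta": String(r.scoreDelta),
           "x-api-risk-findings-appeared": String(r.appeared.length), "x-api-risk-findings-removed": String(r.removed.length) };
}

// CI gate: fail when the absolute score, its growth, or any auth drift breaks policy.
function gate(result, { maxScore = 50, maxScoreDelta = 0, failOnAuthDrift = true } = {}) {
  const reasons = [];
  if (result.scoreAfter > maxScore) reasons.push(`score ${result.scoreAfter} exceeds ${maxScore}`);
  if (result.scoreDelta > maxScoreDelta) reasons.push(`score rose by ${result.scoreDelta}`);
  if (failOnAuthDrift && result.authDrift.length > 0)
    reasons.push(`auth drift on ${result.authDrift.map((d) => d.route).join(", ")}`);
  return { pass: reasons.length === 0, reasons };
}

// Constructed sample specs, trimmed to the fields the diff inspects.
const bearer = [{ bearerAuth: [] }];
const SPEC_BEFORE = {
  security: bearer,
  components: { securitySchemes: { bearerAuth: { type: "http", scheme: "bearer" } } },
  paths: {
    "/users": { get: { responses: { 200: {} } } },
    "/users/{id}": { delete: { responses: { 204: {} } } },
    "/health": { get: { security: [], responses: { 200: {} } } },
  },
};
const SPEC_AFTER = {
  security: bearer,
  components: { securitySchemes: {
    bearerAuth: { type: "http", scheme: "bearer" },
    apiKeyQuery: { type: "apiKey", in: "query", name: "key" },
  } },
  paths: {
    "/users": { get: { responses: { 200: {} } } },
    "/users/{id}": { delete: { security: [], responses: { 204: {} } } }, // auth dropped
    "/admin/export": { get: { security: [{ apiKeyQuery: [] }], responses: { 200: {} } } },
  },
};

const RESULT = compare(SPEC_BEFORE, SPEC_AFTER);
const VERDICT = gate(RESULT);
console.log(JSON.stringify({ result: RESULT, headers: toHeaders(RESULT), verdict: VERDICT }, null, 2));
```

On the constructed input the score rises from 10 to 15, one route is added and one removed, `DELETE /users/{id}` drifts from bearer auth to none, two findings appear and one disappears, and the gate fails on both the positive delta and the drift. The gate deliberately treats auth drift as a hard failure independent of the score, because a dropped security requirement on an existing route is the change most worth blocking even when the aggregate number barely moves.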

Machine Identity workflow upgrades

Snapshot history table, inventory CSV export, and optional workspace label on higher tiers for team-facing scope naming.

Next

Planned product capability — scope is engineering-owned until shipped.

MCP server posture

Versioned definition of MCP tool surfaces, production-oriented policy templates, mapping tools to OpenAPI for API Risk-style analysis, stable identifiers, and exportable reports; optional encryption for sensitive posture payloads where the deployment requires it.

API Risk engineering backlog

Ordered follow-ups after the shipped compare stack.

Stricter static checks

Tighten detection of example and default fragments that may embed secret-like strings inside published specifications.
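One way such a check can work, as an added example that is not AlfaNest's code: walk the document depth-first, switch on a flag whenever the path passes under an `example`, `examples` or `default` key, and classify each string leaf under that flag with known token shapes first and a placeholder-aware entropy fallback second, reporting JSON Pointer locations rather than the matched values. The patterns, the entropy threshold and `SAMPLE_SPEC` are assumptions and constructed input; the `AKIAIOSFODNN7EXAMPLE` value is AWS's documented example key, not a live credential.

```javascript
// Added example, not AlfaNest's code: flag secret-like strings that sit inside
// `example`, `examples` or `default` fragments of an OpenAPI document. Patterns,
// the entropy threshold and SAMPLE_SPEC are assumptions / constructed input.

const EXAMPLE_KEYS = new Set(["example", "examples", "default"]);

// Known token shapes first: cheap, specific, and low-noise.
const PATTERNS = [
  { id: "aws-access-key-id", re: /\bAKIA[0-9A-Z]{16}\b/ },
  { id: "github-token", re: /\bgh[pousr]_[A-Za-z0-9]{36,}\b/ },
  { id: "bearer-jwt", re: /\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\b/ },
  { id: "private-key-block", re: /-----BEGIN [A-Z ]*PRIVATE KEY-----/ },
  { id: "basic-auth-url", re: /\b[a-z][a-z0-9+.-]*:\/\/[^\s/:@]+:[^\s/@]+@/i },
];

// Obvious placeholders must not count, even when long: a stricter entropy fallback
// without this list would drown reviewers in <token>-style noise.
const PLACEHOLDER = /^(string|<[^>]+>|\{[^}]+\}|x+|\*+|redacted|changeme)$/i;

function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const c of counts.values()) { const p = c / s.length; h -= p * Math.log2(p); }
  return h;
}

// Returns a finding kind, or null, for a single string value.
function classify(value) {
  for (const { id, re } of PATTERNS) if (re.test(value)) return id;
  // Fallback: long, whitespace-free, high-entropy token that is not a placeholder.
  if (value.length >= 24 && !/\s/.test(value) && !PLACEHOLDER.test(value) &&
      shannonEntropy(value) >= 3.5) return "high-entropy-string";
  return null;
}

const esc = (k) => String(k).replace(/~/g, "~0").replace(/\//g, "~1"); // JSON Pointer escaping

// Depth-first walk; `inExample` turns on once the path passes under an example/default
// key and stays on for everything nested beneath it (examples objects, arrays, schemas).
function scanSpec(spec) {
  const hits = [];
  const walk = (node, path, inExample) => {
    if (typeof node === "string") {
      const kind = inExample ? classify(node) : null;
      // Report location, kind and length, not the value, so the report is safe to share.
      if (kind) hits.push({ path, kind, length: node.length });
    } else if (node && typeof node === "object") {
      for (const [k, v] of Object.entries(node))
        walk(v, `${path}/${esc(k)}`, inExample || EXAMPLE_KEYS.has(k));
    }
  };
  walk(spec, "", false);
  return hits;
}

// Constructed sample spec. The key in info.description is deliberately outside the
// example/default scope of this check and is not reported.
const SAMPLE_SPEC = {
  info: { title: "Constructed sample", description: "Prose mentioning AKIAIOSFODNN7EXAMPLE is out of scope here" },
  components: { schemas: {
    Login: { type: "object", properties: {
      username: { type: "string", example: "alice" },
      password: { type: "string", example: "correct horse battery staple" },
      accessKeyId: { type: "string", example: "AKIAIOSFODNN7EXAMPLE" },
    } },
    Token: { type: "object", properties: {
      jwt: { type: "string", examples: ["eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0.abcdefghijklmnop"] },
      placeholder: { type: "string", default: "<your-api-key-goes-here>" },
      session: { type: "string", example: "k8Ghq2Zx9LpQ4Rt7Vw1Yb3Nm6Cd5Fs0J" },
    } },
  } },
  paths: { "/db": { get: { parameters: [
    { name: "dsn", in: "query", schema: { type: "string", default: "postgres://app:s3cr3tpass@db.internal:5432/app" } },
  ] } } },
};

console.log(scanSpec(SAMPLE_SPEC));
```

On the constructed spec this yields four hits (an AWS key id, a JWT, a high-entropy session token and a connection string with embedded credentials) while skipping the `alice` example, the multi-word passphrase and the `<your-api-key-goes-here>` placeholder. Ordering the specific patterns before the entropy fallback is what lets the fallback be tightened without a matching rise in false positives.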

Compare job webhooks

Optional outbound notification when a compare job completes, aligned with existing scan automation patterns.

Stored compare quotas

Optional retention TTL or per-plan cap on retained compare rows, separate from the scan list length limit.