StoneyBeta
Start free

How it works

From production traffic
to enforced requirement.

Stoney observes your production API, generates contract tests automatically, links each test to the Jira ticket that defined the requirement, and blocks merges the moment code drifts from spec.

RecordGenerateEnforceTraceTrackProve
01
Record

Your API surface, mapped
without touching your code.

Install one middleware package. Stoney observes every route your app serves in production — method, path, status code, response shape, request frequency. No test suite. No manual setup. No instrumentation.

middleware.ts → Stoney recorder
Recording production traffic4 routes observed
GET/api/users/:id2002.4k/hr
DELETE/api/admin/users/:id20412/hr
POST/api/payments/charge201180/hr
GET/api/reports200640/hr
⬡ Generating contract suggestions…
02
Generate

Contracts written for you,
linked to the ticket that created them.

After observing enough traffic, Stoney's AI generates a structured contract for each route and stores it in your dashboard. It then scans your GitHub PR history for Jira ticket keys and matches each contract to the PR — and ticket — that introduced it. 94% match rate in practice.

Discover → AI contract generation
Jira ticket auto-matched
ENG-24794% confidence · PR #312
GENERATED CONTRACT
work_item: "ENG-247"
rule: "Only admins may delete accounts"
expect: status 403
feature: "Permissions"
03
Enforce

Every PR checked
against every requirement.

Drop stoney-action into your pipeline. It runs every active contract against your staging environment on every PR. When a requirement is violated — a permission check removed, a restriction silently broken — the merge is blocked before production.

GitHub Actions · feat/auth-refactor → main
✕ 1 contract failed — merge blocked
Admin access control
ENG-247
fail
Payment idempotency
PAY-019
pass
PII data boundaries
SEC-042
pass
Rate limiting
ENG-201
pass
04
Trace

Every failure links back
to the original ticket.

When a contract fails, Stoney posts a comment directly on the Jira ticket that defined the requirement. The engineer, the PM, and the security team all see the same thing: which rule broke, which PR broke it, and what the fix needs to be.

Jira · ENG-247
ENG-247In Progress
Only admins may delete user accounts
Permissions · Auth team
Stoneyjust now
⚠️ Contract failed on feat/auth-refactor.
The role check for DELETE /api/admin/users/:id was removed. Merge blocked.
05
Track

A living map
of your business rules.

Tag contracts with feature domains and Stoney builds a real-time compliance map — which domain is drifting, which team owns it, what the pass rate looks like over time. Engineers, PMs, and security all share the same source of truth.

Dashboard · Rule Registry
14 rules · 1 domain drifting
P
Permissions80%
5 rules
A
Auth100%
4 rules
B
Billing100%
3 rules
D
Data100%
2 rules
06
Prove

Compliance evidence,
ready for any audit.

Every CI verification is logged: contract, repo, actor, Jira ticket, timestamp. Export a structured evidence report for any date range as CSV or JSON. SOC 2 prep goes from weeks to one click.

Reports · Evidence export · last 90 days
4 contracts530 verified95% pass rate
↓ Export CSV
admin_delete_checkENG-247142×80%
payment_idempotencyPAY-01998×100%
pii_export_boundariesSEC-04287×100%
rate_limit_enforcementENG-201203×100%
📡
Zero-instrumentation coverage

The recorder maps your entire API surface automatically. No test writers. No annotation. Just install and observe.

🔗
Every test traces to a ticket

Contracts are automatically linked to the Jira tickets that created the requirement. Failures explain themselves.

📋
Audit evidence built in

Every verification is logged with ticket, actor, and timestamp. SOC 2 prep is a date-range export, not a weeks-long project.

Ready to close
the loop?

Install the recorder, watch contracts generate themselves, and run your first CI gate in under 20 minutes.

Start freeRead the docs