AI dependency lockfile / local-first / deterministic

Code compiles.
APIs drift.

Evidrift locks the TypeScript and OpenAPI assumptions your coding agent relied on, then rechecks them in CI before the next merge.

Evidrift: AI dependency lockfile — code compiles, APIs change
What it checks

One assumption. Recomputed.

Receipts are repository files, not trusted verdicts. Evidrift reloads the source and recalculates the deterministic contract every time.

typescript.symbol

TypeScript API drift

Lock the overload selected at a real call site, its parameter, normalized signature, installed version, resolved declaration path, and hash.

json.pointer

OpenAPI contract drift

Lock one canonical value in repository-local OpenAPI JSON or JSON Schema through RFC 6901 JSON Pointer.

sha256

Receipt tampering

Treat every Receipt as hostile input. Recompute content IDs and evidence hashes instead of trusting stored matched or verified flags.

No signup. No API key. No cloud.

Break it in ten seconds.

npx --yes evidrift@latest demo
Real Evidrift CLI demo: a TypeScript contract passes, the dependency signature changes, and Evidrift reports deterministic contract drift

Rendered from a real local CLI transcript. No package code, cloud service, or LLM verdict is involved.

FAIL contract_mismatch sha256:...
Claim: parseConfig accepts an optional options parameter used by the demo.
Expected signature: parseConfig(input:string,options?:ParseOptions):ParseResult
Current signature: parseConfig(input:string,options:ParseOptions):ParseResult
Affected code location: app/src/index.ts:3
Receipt ID: sha256:...
Action: Review the dependency change, then intentionally record new evidence.
Not another AI reviewer

Deterministic or it does not block.

Evidrift does

  • record why a code location depends on a static contract;
  • revalidate the exact evidence through CLI, MCP, or GitHub Actions;
  • fail on deterministic contract mismatch or evidence-integrity failure;
  • warn when a source changed but the selected contract still matches.

Evidrift does not

  • prove runtime correctness or free-text semantic truth;
  • fetch arbitrary URLs or resolve remote OpenAPI references;
  • execute package code or Receipt-supplied commands;
  • use an LLM judge as a CI gate.
Straight answers

FAQ

What is API drift?

API drift is a change to a dependency or contract after code was written against it. Evidrift checks the selected TypeScript call signature or repository-local JSON value.

Is this contract testing?

It is narrower. Contract tests exercise provider and consumer behavior. Evidrift locks one explicit static assumption and checks it without running dependency code or services.

Does it work with Codex, Claude Code, and Cursor?

Yes. Any MCP client that launches a local STDIO server can call Evidrift. All integrations use the same core as the CLI.

Does it prove AI-generated code is correct?

No. It proves only that deterministic evidence still matches and that stored Receipt content passes integrity checks. Runtime correctness and semantic truth remain separate.