Field notes
From the team building the API rule registry.
Notes on API governance, drift forensics, pre-merge contract checks, and the gap between “our API works” and “we can prove our API works.”
May 19, 2026 · 7 min read
What is an API rule registry? (And why your team needs one in 2026)
An API rule registry is the canonical list of business rules your API enforces — with each rule tied to the ticket that authorized it and the PR that last touched it. Here's what one looks like, why this category exists now, and how Stoney builds one for you in five minutes.
May 15, 2026 · 8 min read
SOC 2 CC7.1 evidence: what auditors actually want (and what most teams hand them instead)
CC7.1 asks whether you can detect anomalies in production AND tie them to the change that caused them. Most teams have the first half. Here is what a complete evidence bundle looks like, why it is hard to assemble manually, and how an API rule registry produces it as a byproduct of normal operation.
May 12, 2026 · 9 min read
AI-generated PRs are quietly breaking your business rules. Here is the pattern.
Cursor, Copilot, and Claude produce clean diffs that pass tests and remove load-bearing guards nobody documented. Three categories of rule failure we keep seeing, why existing defenses (code review, tests, linters) aren't enough, and what does work.
May 8, 2026 · 9 min read
API drift detection: what it is, what most tools miss, and how to catch the kind that costs you customers
API drift comes in three flavors: schema drift, behavioral drift, and rule drift. Most tools detect the first one and miss the third — the kind that triggers SOC 2 findings and breaks customer trust. Here is what good drift detection actually looks like.