Dino uses autonomous agents to test your API. Each agent owns one quality dimension. Agents run in parallel and produce independent results. Six agents ship today. Six more are planned.

Shipped Agents

Input Fuzzer

Tests how your API handles bad input using five mutation strategies:
  • Type coercion: strings where integers are expected
  • Boundary values: MAX_SAFE_INTEGER, empty strings, zero, negatives
  • Injection strings: SQL injection, XSS payloads, GraphQL abuse
  • Null and empty: null arguments, empty arrays, missing required fields
  • Malformed Unicode: invalid UTF-8, zero-width characters
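As an added illustration of the five strategies (example code, not Dino's own implementation): the snippet below generates one case per strategy and field from a constructed argument spec, applies each on top of a valid baseline, and reports every case that makes a handler throw rather than reject cleanly. The spec, probe strings, baseline and `demoHandler` are all constructed for this example.

```javascript
// Added example (not Dino's own code): generate the five mutation classes
// for a constructed argument spec, apply each on top of a valid baseline,
// and report every case that makes the handler throw. The spec, probes,
// baseline and handler are all constructed for this illustration.

// Constructed argument spec: name -> { type, required }
const ARGS = {
  id:    { type: 'Int',      required: true },
  title: { type: 'String',   required: true },
  tags:  { type: '[String]', required: false },
};

// Well-known probe strings for the injection and Unicode strategies
const INJECTION_PROBES = ["' OR '1'='1", '<script>alert(1)</script>', '{ __typename }'];
const UNICODE_PROBES = ['\uFFFD', 'a\u200Bb', '\uD800']; // replacement char, zero-width space, lone surrogate

// Build one mutation case per (strategy, field, value)
function mutations(spec) {
  const cases = [];
  for (const [name, { type, required }] of Object.entries(spec)) {
    const push = (strategy, value) => cases.push({ strategy, field: name, value });
    // Type coercion: wrong primitive type for the field
    push('type-coercion', type === 'Int' ? '42' : 42);
    // Boundary values
    if (type === 'Int') [Number.MAX_SAFE_INTEGER, 0, -1].forEach(v => push('boundary', v));
    if (type === 'String') push('boundary', '');
    // Injection strings
    if (type === 'String') INJECTION_PROBES.forEach(v => push('injection', v));
    // Null and empty: null, empty list, and (for required fields) absent
    push('null-empty', null);
    if (type.startsWith('[')) push('null-empty', []);
    if (required) push('null-empty', undefined);
    // Malformed Unicode
    if (type === 'String') UNICODE_PROBES.forEach(v => push('unicode', v));
  }
  return cases;
}

// Valid baseline input; each case changes exactly one field of it
const BASELINE = { id: 1, title: 'hello', tags: ['a'] };

function applyMutation(baseline, m) {
  const input = { ...baseline };
  if (m.value === undefined) delete input[m.field];
  else input[m.field] = m.value;
  return input;
}

// A handler that throws instead of returning a 4xx-style rejection is the
// fuzzer's finding: that is what an unhandled-input bug looks like.
function fuzz(handler, spec = ARGS) {
  const findings = [];
  for (const m of mutations(spec)) {
    try {
      handler(applyMutation(BASELINE, m));
    } catch (err) {
      findings.push({ ...m, error: String(err.message) });
    }
  }
  return findings;
}

// Constructed handler with one deliberate gap: it validates id and title
// but dereferences tags without checking it, so a null tags value crashes it.
function demoHandler(input) {
  if (!Number.isInteger(input.id)) return { status: 400 };
  if (typeof input.title !== 'string') return { status: 400 };
  const tagCount = input.tags.length; // TypeError when tags is null
  return { status: 200, tagCount };
}
```

Running `fuzz(demoHandler)` yields exactly one finding, the `null-empty` case on `tags`, which is the kind of gap a schema-level "required" flag does not catch: the field is optional, but the handler cannot cope with an explicit null.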

Response Validator

Validates every response against the declared schema using Zod:
  • Type mismatches: field declared as Int returns string
  • Unexpected nulls: non-nullable field returns null
  • Extra fields: response contains undeclared fields
  • Missing fields: declared field absent from response
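The four finding classes, as an added example rather than Dino's code: Dino validates with Zod, but the checker below is hand-rolled so it runs with no dependencies. The schema map and the two sample responses are constructed.

```javascript
// Added example, not Dino's code: check a response object against a
// declared field map and report the four finding classes the validator
// looks for. Schema and responses are constructed.

// Declared schema: field -> { type, nullable }
const POST_SCHEMA = {
  id:          { type: 'Int',    nullable: false },
  title:       { type: 'String', nullable: false },
  publishedAt: { type: 'String', nullable: true },
  likes:       { type: 'Int',    nullable: false },
};

function matchesType(value, type) {
  switch (type) {
    case 'Int':     return Number.isInteger(value);
    case 'Float':   return typeof value === 'number';
    case 'String':  return typeof value === 'string';
    case 'Boolean': return typeof value === 'boolean';
    default:        return false;
  }
}

function validateResponse(schema, response) {
  const findings = [];
  for (const [field, { type, nullable }] of Object.entries(schema)) {
    if (!(field in response)) {
      findings.push({ kind: 'missing-field', field });
      continue;
    }
    const value = response[field];
    if (value === null) {
      if (!nullable) findings.push({ kind: 'unexpected-null', field });
      continue;
    }
    if (!matchesType(value, type)) {
      findings.push({ kind: 'type-mismatch', field, expected: type, actual: typeof value });
    }
  }
  // Anything the schema did not declare is an extra field
  for (const field of Object.keys(response)) {
    if (!(field in schema)) findings.push({ kind: 'extra-field', field });
  }
  return findings;
}

// Constructed responses: one conforming, one with all four defects
const GOOD = { id: 1, title: 'Hello', publishedAt: null, likes: 0 };
const BAD  = { id: '1', title: null, likes: 3, internalScore: 0.7 }; // publishedAt absent
```

`validateResponse(POST_SCHEMA, BAD)` returns, in order, a type mismatch on `id`, an unexpected null on `title`, a missing `publishedAt`, and an extra `internalScore`; the extra-field check matters for security because undeclared fields are the usual route for internal data to leak into a public response.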

RBAC Matrix

Tests every mutation against every role:
  • No token: request with no auth header
  • Expired token: past its TTL
  • Wrong role: valid token, unauthorized role
  • Correct role: should succeed
Auto-skips if auth is not configured.
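The role-by-mutation matrix as an added example (not Dino's implementation): each mutation gets the four probes and every cell is compared with its expected status. The policy, tokens and both in-memory "servers" are constructed; a real run would issue HTTP requests instead.

```javascript
// Added example, not Dino's code: build the role x mutation matrix and
// check each cell against the expected outcome. The policy, tokens and
// the in-memory servers are constructed.

const NOW = 1_700_000_000; // constructed clock, in seconds

// Constructed policy: which roles may run each mutation
const POLICY = {
  deletePost: ['admin'],
  createPost: ['admin', 'editor'],
};

// Constructed tokens keyed by role, each with an expiry
const TOKENS = {
  admin:   { role: 'admin',  exp: NOW + 3600 },
  editor:  { role: 'editor', exp: NOW + 3600 },
  viewer:  { role: 'viewer', exp: NOW + 3600 },
  expired: { role: 'admin',  exp: NOW - 1 },
};

// Constructed server: returns an HTTP-like status for a mutation + token
function fakeServer(mutation, token) {
  if (!token) return 401;
  if (token.exp <= NOW) return 401;
  const allowed = POLICY[mutation] || [];
  return allowed.includes(token.role) ? 200 : 403;
}

// The four probes the matrix runs for every mutation
function probes(mutation) {
  const wrongRole = Object.keys(TOKENS)
    .find(r => r !== 'expired' && !POLICY[mutation].includes(TOKENS[r].role));
  const rightRole = POLICY[mutation][0];
  return [
    { probe: 'no-token',     token: null,              expect: 401 },
    { probe: 'expired',      token: TOKENS.expired,    expect: 401 },
    { probe: 'wrong-role',   token: TOKENS[wrongRole], expect: 403 },
    { probe: 'correct-role', token: TOKENS[rightRole], expect: 200 },
  ];
}

// Every cell whose observed status differs from the expected one is a finding
function rbacMatrix(server, policy = POLICY) {
  const findings = [];
  for (const mutation of Object.keys(policy)) {
    for (const p of probes(mutation)) {
      const got = server(mutation, p.token);
      if (got !== p.expect) findings.push({ mutation, probe: p.probe, expected: p.expect, got });
    }
  }
  return findings;
}

// Constructed server with a realistic defect: it never checks expiry
function buggyServer(mutation, token) {
  if (!token) return 401;
  const allowed = POLICY[mutation] || [];
  return allowed.includes(token.role) ? 200 : 403;
}
```

Against `fakeServer` the matrix is clean; against `buggyServer` it reports one `expired` finding per mutation, since an expired admin token is still accepted. Checking the correct-role cell as well guards against the opposite failure, a policy so strict that legitimate callers are locked out.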

Rate Limit Validator

Tests whether rate limiting is enforced:
  • Whether rate limiting exists at all
  • Approximate threshold before throttling
  • Presence of X-RateLimit-* and Retry-After headers
  • Proper 429 status codes
Designed to detect, not to DDoS. Burst size is configurable (1-500).
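An added example of detection-only probing, not Dino's code: a burst of configurable size (clamped to 1-500) is sent to an endpoint function, the loop stops at the first 429, and the result records whether limiting exists, the approximate threshold, and which headers the throttled response carried. The endpoint is a constructed in-memory token bucket, not a live server.

```javascript
// Added example, not Dino's code: send a burst to an endpoint function
// and infer whether throttling exists, roughly where it starts, and
// whether the 429 carries the standard headers. The endpoint here is a
// constructed in-memory bucket standing in for a real HTTP server.

function makeBucketEndpoint(limit, { withHeaders = true } = {}) {
  let remaining = limit;
  return () => {
    if (remaining > 0) {
      remaining -= 1;
      return {
        status: 200,
        headers: withHeaders
          ? { 'x-ratelimit-limit': String(limit), 'x-ratelimit-remaining': String(remaining) }
          : {},
      };
    }
    return {
      status: 429,
      headers: withHeaders
        ? { 'retry-after': '1', 'x-ratelimit-limit': String(limit), 'x-ratelimit-remaining': '0' }
        : {},
    };
  };
}

function probeRateLimit(endpoint, burst = 50) {
  const size = Math.min(Math.max(burst, 1), 500); // configurable, clamped to 1-500
  const result = {
    enforced: false, threshold: null,
    hasRateLimitHeaders: false, hasRetryAfter: false,
    wrongStatus: [], // requests throttled with a status other than 429
  };
  for (let i = 1; i <= size; i++) {
    const res = endpoint();
    const headers = Object.fromEntries(
      Object.entries(res.headers).map(([k, v]) => [k.toLowerCase(), v]));
    if (Object.keys(headers).some(h => h.startsWith('x-ratelimit-'))) result.hasRateLimitHeaders = true;
    if (res.status === 429) {
      result.enforced = true;
      result.threshold = i - 1; // requests that got through before throttling
      if ('retry-after' in headers) result.hasRetryAfter = true;
      break; // detection only: stop at the first throttle
    }
    if (res.status >= 500) result.wrongStatus.push(i); // throttling surfacing as a server error
  }
  return result;
}
```

With a bucket of 10 and a burst of 50 the probe stops after the eleventh request and reports a threshold of 10; with a bucket larger than the burst it reports no enforcement, which is the "does it exist at all" answer and the reason the burst size needs to be large enough to be meaningful but no larger.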

Error Code Validator

Validates error response consistency:
  • Format consistency: do all errors follow the same structure?
  • Information leakage: stack traces, file paths, internal state in errors?
  • GraphQL error classification: proper extensions.code values?
  • HTTP status codes: appropriate 400 vs 500?
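The four checks over a set of captured error responses, as an added example and not Dino's code. The leak patterns, the set of accepted `extensions.code` values and the three sample responses are constructed; the patterns cover Unix-style paths and Node-style stack frames only.

```javascript
// Added example, not Dino's code: inspect captured error responses for
// inconsistent shape, leaked internals, unknown extensions.code values
// and mismatched HTTP status. Patterns, codes and samples are constructed.

const LEAK_PATTERNS = [
  { name: 'stack-trace',    re: /\bat \S+ \(\/[^)]+:\d+:\d+\)/ },      // Node-style frame
  { name: 'file-path',      re: /\/(?:usr|home|var|app|srv)\/[\w./-]+/ }, // absolute Unix path
  { name: 'internal-state', re: /\b(?:ECONNREFUSED|password|secret|DATABASE_URL)\b/i },
];

// Constructed allow-list of error codes the API is expected to use
const KNOWN_CODES = new Set(['BAD_USER_INPUT', 'UNAUTHENTICATED', 'FORBIDDEN', 'INTERNAL_SERVER_ERROR']);
const CLIENT_CODES = new Set(['BAD_USER_INPUT', 'UNAUTHENTICATED', 'FORBIDDEN']);

// Top-level key set is a cheap proxy for "do all errors share one structure?"
function shapeOf(body) {
  return Object.keys(body).sort().join(',');
}

function auditErrors(samples) {
  const findings = [];
  const shapes = new Set(samples.map(s => shapeOf(s.body)));
  if (shapes.size > 1) findings.push({ kind: 'inconsistent-format', shapes: [...shapes] });

  samples.forEach((s, i) => {
    const text = JSON.stringify(s.body);
    for (const { name, re } of LEAK_PATTERNS) {
      if (re.test(text)) findings.push({ kind: 'leak', sample: i, pattern: name });
    }
    for (const e of s.body.errors || []) {
      const code = e.extensions && e.extensions.code;
      if (!KNOWN_CODES.has(code)) findings.push({ kind: 'bad-error-code', sample: i, code: code ?? null });
      // A client-class code served as 5xx, or a server-class code served as 4xx, is a status mismatch
      if (CLIENT_CODES.has(code) && s.status >= 500) {
        findings.push({ kind: 'status-mismatch', sample: i, status: s.status, code });
      }
      if (code === 'INTERNAL_SERVER_ERROR' && s.status >= 400 && s.status < 500) {
        findings.push({ kind: 'status-mismatch', sample: i, status: s.status, code });
      }
    }
  });
  return findings;
}

// Constructed samples: one clean, one leaking a stack frame under the wrong status,
// one using a different envelope entirely
const SAMPLES = [
  { status: 400, body: { errors: [{ message: 'id must be an Int', extensions: { code: 'BAD_USER_INPUT' } }] } },
  { status: 500, body: { errors: [{ message: 'Cannot read properties of null\n    at resolve (/app/src/resolvers/post.js:42:17)', extensions: { code: 'BAD_USER_INPUT' } }] } },
  { status: 403, body: { error: 'forbidden' } },
];
```

On `SAMPLES` the audit reports the inconsistent envelope, two leaks from the second sample (a stack frame and an absolute path), and a status mismatch, since a `BAD_USER_INPUT` error should not arrive as a 500. The same second sample shows why leakage and status are checked together: a stack trace in a 500 usually means the error was never classified at all.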

Deprecation Tracker

Tracks deprecation lifecycle through four stages:
  1. Active — field is live
  2. Deprecated — has @deprecated directive
  3. Sunset — scheduled for removal
  4. Removed — gone from schema
Catches undocumented deprecations and missing directives.
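The four-stage classification as an added example, not Dino's code: two introspection-style snapshots of one type are compared with a changelog, each field is placed in a stage, and the two findings the tracker is described as catching are reported. The snapshots and changelog are constructed, and the "Sunset: YYYY-MM-DD" marker inside `deprecationReason` is an assumption made for this example, not a GraphQL convention.

```javascript
// Added example, not Dino's code: classify each field into the four
// lifecycle stages and flag undocumented deprecations and missing
// directives. Snapshots and changelog are constructed; the "Sunset:"
// marker in deprecationReason is an assumption of this example.

// Previous and current snapshots of one type, in introspection-like form
const PREVIOUS_FIELDS = [
  { name: 'id',       isDeprecated: false, deprecationReason: null },
  { name: 'slug',     isDeprecated: true,  deprecationReason: 'Use permalink' },
  { name: 'legacyId', isDeprecated: true,  deprecationReason: 'Sunset: 2024-01-01' },
  { name: 'author',   isDeprecated: false, deprecationReason: null },
  { name: 'title',    isDeprecated: false, deprecationReason: null },
];
const CURRENT_FIELDS = [
  { name: 'id',        isDeprecated: false, deprecationReason: null },
  { name: 'slug',      isDeprecated: true,  deprecationReason: 'Use permalink' },
  { name: 'author',    isDeprecated: true,  deprecationReason: 'Use authorId. Sunset: 2025-06-30' },
  { name: 'permalink', isDeprecated: false, deprecationReason: null },
  { name: 'title',     isDeprecated: false, deprecationReason: null },
];

// Fields the changelog says are deprecated (constructed)
const CHANGELOG = new Set(['slug', 'title']);

const SUNSET_RE = /\bSunset:\s*\d{4}-\d{2}-\d{2}/;

function trackDeprecations(previous, current, changelog) {
  const currentNames = new Set(current.map(f => f.name));
  const stages = {};
  // Stages 1-3 come from the current schema
  for (const f of current) {
    if (!f.isDeprecated) stages[f.name] = 'active';
    else if (SUNSET_RE.test(f.deprecationReason || '')) stages[f.name] = 'sunset';
    else stages[f.name] = 'deprecated';
  }
  // Stage 4: present before, gone now
  for (const f of previous) {
    if (!currentNames.has(f.name)) stages[f.name] = 'removed';
  }

  const findings = [];
  // Deprecated in the schema but absent from the changelog
  for (const [name, stage] of Object.entries(stages)) {
    if ((stage === 'deprecated' || stage === 'sunset') && !changelog.has(name)) {
      findings.push({ kind: 'undocumented-deprecation', field: name, stage });
    }
  }
  // Documented as deprecated but still served without the directive
  for (const name of changelog) {
    if (stages[name] === 'active') findings.push({ kind: 'missing-directive', field: name });
  }
  return { stages, findings };
}
```

On the constructed snapshots `author` lands in `sunset` without a changelog entry and `title` is documented as deprecated yet still active, so the tracker returns one finding of each kind; `legacyId` is classified as `removed` from the diff between snapshots.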

Planned Agents

Agent: What It Will Do
  • Web Scanner: Crawl and test REST/webhook endpoints alongside GraphQL
  • Security Analyzer: OWASP-aligned vulnerability scanning for API attack vectors
  • Performance Profiler: Response time percentiles, payload size, N+1 detection
  • Compliance Auditor: SOC 2, GDPR, HIPAA data handling checks
  • Documentation Quality: Score API docs for completeness, accuracy, staleness
  • Contract Tester: Consumer-driven contract validation between services
We ship agents when they’re ready, not when they’re announced. Each goes through the same testing pipeline — 3,000+ tests, false-output validation, deterministic verification.

How Agents Work Together

Agents are independent. They don’t share state, don’t depend on each other, and don’t run in a fixed order. The orchestration layer launches all six in parallel and collects findings when they complete. This means:
  • A bug in one agent cannot corrupt another’s results
  • You can disable individual agents without affecting the rest
  • New agents can be added without modifying existing ones
  • Each agent can be tested in complete isolation
Run a single agent:
  dino scan --tools input-fuzzer
Combine specific agents:
  dino scan --tools input-fuzzer,rbac-matrix
By default, all shipped agents run.