SP-API Migration Validator Run free scan

Migration assurance

How the scanner works

The scanner is a deterministic static-analysis pipeline. It never executes your code, installs dependencies, or calls Amazon with your credentials. Results are labelled by tested scope, never as 100 percent migrated.

Detection layers

Deterministic string rules, AST-aware patterns, configuration-file rules, structured sample analyzers for settlement/finances/orders fixtures, and a workflow questionnaire when no source is available.

Honest reporting

Reports use BLOCKED, AT_RISK, READY_WITHIN_TESTED_SCOPE and NOT_VERIFIED states. A clean result is scoped to what was tested, not an absolute guarantee.

Ruleset versioning and lifecycle

Every report snapshots the scanner version and each selected module ruleset. Active versions carry their release date and the date they were last checked against Amazon documentation. Re-scan comparison discloses a ruleset change instead of attributing every difference to source changes.

ModuleActive rulesetReleasedVerified against Amazon
Ordersamazon-orders-1.0.0-r12026-07-022026-07-02
Settlementamazon-settlement-1.0.0-r12026-07-022026-07-02
Financesamazon-finances-1.0.0-r12026-07-022026-07-02

Finding confidence and typed evidence

Evidence is typed as SOURCE_LINE, SAMPLE_DATA, WORKFLOW_ANSWER, FILE_CONFIGURATION or MANUAL_VERIFICATION so consumers do not assume every result has a source line.

ConfidenceMeaningExpected action
HIGHDirect operation, endpoint, report type or explicit unsafe branchTreat as actionable evidence
MEDIUMContextual code pattern with a plausible migration riskConfirm in the surrounding workflow
LOWAbsence or runtime-dependent heuristicVerify before changing code
MANUAL_VERIFICATIONAutomation cannot establish equivalenceDevelopment or QA owns the decision

Evidence-context severity caps

Scanner rules may start from whole-word, path-pattern or keyword matches, but the evidence context caps the final confidence and severity before a report is generated.

Evidence contextMaximum confidence / severity
Direct runtime call or explicit unsafe branchHIGH / BLOCKER
Runtime configuration valueHIGH / BLOCKER or HIGH, depending on the rule
Plain source string or declarationMEDIUM / MEDIUM
Test, fixture or mock pathMEDIUM / MEDIUM
Comment, docs, Markdown or textLOW / LOW or INFO
Absence heuristicLOW / LOW; never BLOCKER
Manual verification evidenceMANUAL_REVIEW / MEDIUM; never BLOCKER

Supported and unsupported patterns

Scan coverage and partial scans

Coverage records submitted, scanned and skipped files; detected languages; applicable and completed rule groups; ruleset versions; and unverified scope. Unsupported, oversized or skipped inputs cannot silently produce a full green status.

False positives, suppressions and accepted risk

Stable finding fingerprints let a user suppress a false positive or record accepted risk without losing the original evidence. Suppressions carry reason, note and optional expiry; expired suppressions return to active review.

Sample-data validator methodology

ValidatorMethodWhat it cannot prove
Orders parityDeterministic structural and semantic diffProduction coverage beyond supplied same-order samples
Settlement sample validationHeader mapping and decimal normalizationEvery future marketplace/report variation
Finances reconciliationPage manifest, ID dedup and recursive decimal totalsCompleteness beyond supplied pages and time range

Deterministic quality gate

The versioned quality gate derives one of four states from active findings, completed coverage and pending verification. LOW-confidence findings and MANUAL_VERIFICATION findings never force BLOCKED; only deterministic direct evidence can create a blocking gate reason. The same report and gate version always produce the same decision; no generative model participates.

Re-scan fingerprinting

Layered fingerprints combine rule identity, normalized location and semantic evidence. They tolerate line movement while preserving distinctions between fixed, remaining, new, regressed and moved findings.

Security and retention

Benchmark methodology

Labeled fixtures contain expected and forbidden rule IDs for representative code. Golden scenarios cover clean, blocked and mixed reports; property tests check fingerprint and diff invariants; integration tests exercise scan, unlock, re-scan, validators, export and deletion. This curated benchmark is not advertised as 100 percent precision or recall for commercial production use; paid launch should add 20-30 real or anonymized repositories with SDK wrappers, monorepos, dead code, comments/docs, generated clients, dynamic endpoints, mixed old/new code and negative controls.

Public paid beta launch corpus gate

Before advertising accuracy percentages, the launch corpus should include real or anonymized repositories that exercise different languages and integration styles, not only curated fixtures.

Corpus sliceMinimum
TypeScript/JavaScript repositories5
Python repositories4
Java/Kotlin repositories3
C# repositories2
PHP/Ruby/Go repositories2 total
Monorepo or mixed fixtures4
Clean negative controls5

Commercial accuracy metrics to track

Accuracy claims should remain internal until these metrics are measured on the launch corpus. Do not advertise 100 percent precision/recall before representative coverage exists.

Known limitations

Frequently asked questions

What languages are supported?

TypeScript, JavaScript, Python, Java, Kotlin, C#, Go, Ruby, PHP plus JSON, YAML, XML and Terraform config.

Official sources

Recommended next action

Last reviewed: 2026-07-02.

Open the interactive scanner: /app#/methodology