Skip to main content

AI Hallucination Contracts

AI hallucination contracts are local YAML files that tell skylos verify what repo-specific truth should be enforced for generated code. They are useful when an agent can invent helpers, package versions, installed APIs, or route guardrails that look plausible but are not true for your codebase.

Contracts are intentionally narrower than a general rule language. Version 1 compiles declarative clauses into existing Skylos AI-defect checks and adds contract evidence to verifier findings.

Quickstart

Create and validate a starter contract:

skylos contract init
skylos contract validate .skylos/ai-contract.yml

Run skylos verify with the contract:

skylos verify . --contract .skylos/ai-contract.yml
skylos verify . --file apps/api/routes.py --project-context --contract .skylos/ai-contract.yml

MCP clients can pass the same file through verify_change with contract_path.

Contract Shape

version: 1
id: enterprise-generated-code

ai:
phantom_symbols:
names:
- verify_enterprise_auth
decorators:
- tenant_admin_required

dependencies:
reject_nonexistent_packages: true
reject_impossible_versions: true

api_surface:
reject_unknown_members: true
reject_unknown_kwargs: true

security:
routes:
paths:
- "apps/api/**"
require_any_decorator:
- login_required
- tenant_admin_required

tests:
high_risk_changes_require_tests: true

What Contracts Enforce

Contract clauseExample findingRule
ai.phantom_symbols.namesContract-listed helper is called but never defined or importedSKY-L012
ai.phantom_symbols.decoratorsContract-listed decorator is used but never defined or importedSKY-L023
ai.dependencies.reject_nonexistent_packagesImported package does not exist in the registrySKY-D222
ai.dependencies.reject_impossible_versionsManifest pins a package version that does not existSKY-D225
ai.api_surface.reject_unknown_membersInstalled package is called with an invented memberSKY-D224
ai.api_surface.reject_unknown_kwargsInstalled API receives an unsupported keyword argumentSKY-D224
security.routes.require_any_decoratorRoute handler is missing a required guard decoratorSKY-A105
tests.high_risk_changes_require_testsHigh-risk changed code has no related test changeSKY-A102

Evidence Fields

Contract-backed verifier findings can include these fields:

FieldMeaning
contract_idOptional id from the contract file
contract_clauseContract clause that explains the finding
contract_pathContract file used for the run
contract_reasonHuman-readable reason for the clause match

Example:

{
"rule_id": "SKY-A105",
"vibe_category": "missing_contract_guardrail",
"contract_clause": "security.routes.require_any_decorator",
"contract_reason": "Contract requires route handlers to use one of: @login_required."
}

When To Use Contracts

Use contracts for repo-specific generated-code truth that a general scanner cannot infer reliably:

  • endpoints under apps/api/** must use one of your real auth decorators
  • generated code must not rely on fake enterprise helper names
  • dependency and installed-API hallucinations should be checked during editor or agent loops
  • high-risk AI-authored changes should show test evidence before review

Contracts complement AI Defect Verification, MCP verify_change, and full scan --ai-defects. They do not replace security, quality, SCA, or custom rules.