Weakness axis #6

Hallucinations

AI-fabricated API calls, non-existent libraries, made-up types. Caught at PR time.

What this axis covers

Modern codebases accumulate fabricated or impossible API surfaces — calls to library functions that were never written, types that look right but aren't real, imports from packages that resolve to typosquats. Securie's hallucinations specialist resolves every symbol against the actual installed packages + documented public surface.

Why now

Hallucinated package names create slopsquat surface — attackers register the fabricated package on npm/PyPI and the AI's suggestion becomes a supply-chain compromise on install. The CVE pipeline cannot catch this; the resolve-against-reality pass at PR time can.

Where it hides in your codebase

  • Imports from packages that don't exist (and may be registered by an attacker tomorrow)
  • Method calls on types whose signatures the AI invented
  • Type assertions that compile but are wrong at runtime
  • Configuration keys for options that don't exist (silent no-ops)
  • API endpoint paths that look canonical but never existed in the docs

How Securie handles it

Resolve-against-installed

Every import + every method call is resolved against the actual installed package tree (LSP-IR) at PR time. Calls to non-existent surfaces fail the gate.

Slopsquat detection (npm / PyPI / crates / Maven)

Securie's registry-watch pipeline flags packages registered after the AI's training cutoff that match patterns the AI is known to fabricate (typosquats, homoglyphs, name-confusion). Pairs with the supply-chain pipeline for 15-minute CVE-to-block.
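The two checks above (resolve every import and module-level call against what is actually installed, and give an unresolvable package name a typosquat hint) can be sketched in a small Python gate. This is an added illustration, not Securie's code: the diff snippet, the `KNOWN_PACKAGES` allowlist and the fabricated names `requets`, `fastjsonparser_v2` and `json.load_string` are constructed for the example, and the real registry-watch (checking a name against npm/PyPI registration dates) is out of scope here. Attribute checks import the module, which executes package code, so a real PR gate would run that step in a sandbox as the page describes; this example only imports modules that already resolve.

```python
"""Resolve a PR snippet's imports and module.attr() calls against the installed package tree."""
import ast
import difflib
import importlib
import importlib.util
import sys
from dataclasses import dataclass

# Constructed sample: the added side of a hypothetical PR diff.
SAMPLE_SNIPPET = '''
import os
import json
import requets                      # typo of "requests": unresolvable, slopsquat candidate
from collections import OrderedDict
from fastjsonparser_v2 import parse  # fabricated package name (constructed for this example)
os.path.join("a", "b")
json.loads("{}")
json.load_string("{}")              # fabricated attribute on a real module
'''

# Constructed allowlist used only for near-miss (typosquat) hints.
KNOWN_PACKAGES = {"requests", "numpy", "flask", "django", "boto3", "pydantic"}

# Available on Python 3.10+; on older interpreters we fall back to find_spec alone.
STDLIB = getattr(sys, "stdlib_module_names", set())


@dataclass
class Finding:
    line: int
    kind: str      # "missing_module" or "missing_attribute"
    symbol: str
    hint: str = ""


def _module_resolves(name: str) -> bool:
    """True if the top-level package of a dotted import is stdlib or installed."""
    top = name.split(".")[0]
    if top in STDLIB:
        return True
    try:
        return importlib.util.find_spec(top) is not None
    except (ImportError, ValueError):
        return False


def _near_miss(name: str) -> str:
    """Explain an unresolvable name: close to a known package (typosquat) or wholly unknown."""
    top = name.split(".")[0]
    close = difflib.get_close_matches(top, KNOWN_PACKAGES, n=1, cutoff=0.8)
    if close:
        return f"near miss for known package '{close[0]}' (possible typosquat)"
    return "no known package with a similar name (possible fabricated name)"


def _attribute_exists(module_name: str, attr: str) -> bool:
    """Import an already-resolved module and check the attribute really exists."""
    try:
        mod = importlib.import_module(module_name)
    except Exception:
        return True  # cannot verify here; do not report a guess
    return hasattr(mod, attr)


def check_snippet(source: str) -> list[Finding]:
    """Return findings for imports that do not resolve and calls on attributes that do not exist."""
    tree = ast.parse(source)
    bound: dict[str, str] = {}  # local alias -> top-level module, only for resolved imports
    findings: list[Finding] = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                top = alias.name.split(".")[0]
                if _module_resolves(alias.name):
                    bound[alias.asname or top] = top
                else:
                    findings.append(Finding(node.lineno, "missing_module", alias.name, _near_miss(alias.name)))
        elif isinstance(node, ast.ImportFrom):
            if node.level == 0 and node.module and not _module_resolves(node.module):
                findings.append(Finding(node.lineno, "missing_module", node.module, _near_miss(node.module)))
        elif (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
              and isinstance(node.func.value, ast.Name)):
            # Only flat `module.attr(...)` calls are checked; nested `os.path.join` is skipped.
            mod = bound.get(node.func.value.id)
            if mod and not _attribute_exists(mod, node.func.attr):
                findings.append(Finding(node.lineno, "missing_attribute", f"{mod}.{node.func.attr}"))
    return sorted(findings, key=lambda f: f.line)


def gate_passes(source: str) -> bool:
    """The PR gate: any unresolvable surface fails it."""
    return not check_snippet(source)


if __name__ == "__main__":
    for f in check_snippet(SAMPLE_SNIPPET):
        print(f"line {f.line}: {f.kind} {f.symbol} {f.hint}".rstrip())
    print("gate:", "PASS" if gate_passes(SAMPLE_SNIPPET) else "FAIL")
```

Running it on the constructed snippet reports the typo'd import with a "requests" near-miss hint, the fabricated package with no near miss, and the invented `json.load_string` attribute, and the gate fails. Because `find_spec` is answered from the environment the gate runs in, the check is only as good as the package installation context it is given.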

Documentation cross-reference

For framework APIs (React, Next.js, Supabase, Stripe, etc.), Securie cross-references against the documented public surface. Hallucinated method names get flagged with the canonical alternative.

What this axis is NOT

Not a generic LSP server

LSPs catch type errors at edit time; Securie's hallucinations specialist runs at PR time across the full diff with package-installation context, then verifies in a sandbox.

Not a license / SCA scanner

Dependency-vulnerability scanning is part of axis #1 (security). Hallucinations are about non-existent or fabricated surfaces — a different shape.