<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: VIBEESH SUBRAMANIAN </title>
    <description>The latest articles on DEV Community by VIBEESH SUBRAMANIAN  (@vibez06).</description>
    <link>https://dev.to/vibez06</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3998893%2F7ad5eab4-896a-4f2d-a887-eb6059324d64.jpg</url>
      <title>DEV Community: VIBEESH SUBRAMANIAN </title>
      <link>https://dev.to/vibez06</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/vibez06"/>
    <language>en</language>
    <item>
      <title>How we stopped our AI assistant from hallucinating bug fixes</title>
      <dc:creator>VIBEESH SUBRAMANIAN </dc:creator>
      <pubDate>Thu, 25 Jun 2026 06:43:06 +0000</pubDate>
      <link>https://dev.to/vibez06/how-we-stopped-our-ai-assistant-from-hallucinating-bug-fixes-53l5</link>
      <guid>https://dev.to/vibez06/how-we-stopped-our-ai-assistant-from-hallucinating-bug-fixes-53l5</guid>
      <description>&lt;p&gt;&lt;em&gt;Cover: a real qa-probe run against our own stack, cropped to the summary - internal product detail withheld.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;We are building LightShield, a SIEM that is in active demo right now. We built&lt;br&gt;
most of it pair-programming with an AI coding assistant wired in over MCP - it&lt;br&gt;
ran our stack, read the errors, and patched its own code. For a small team that&lt;br&gt;
is a superpower. Until an endpoint failed.&lt;/p&gt;

&lt;p&gt;Here is the loop we kept hitting. A route returns a 500, or a 404, or an empty&lt;br&gt;
&lt;code&gt;[]&lt;/code&gt;. The assistant looks at the status code and announces the cause with total&lt;br&gt;
confidence. Then it rewrites a handler that was never broken - because a status&lt;br&gt;
code is not a cause, and it had nothing else to go on. So it guessed, and it&lt;br&gt;
guessed wrong, and the diff made things worse.&lt;/p&gt;

&lt;p&gt;The thing is, that empty &lt;code&gt;[]&lt;/code&gt; had at least six possible causes:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;the database was empty (nothing seeded)&lt;/li&gt;
&lt;li&gt;a feature flag was off&lt;/li&gt;
&lt;li&gt;a contract mismatch between the frontend and the backend&lt;/li&gt;
&lt;li&gt;an auth token that never got attached&lt;/li&gt;
&lt;li&gt;a 428 precondition&lt;/li&gt;
&lt;li&gt;a schema drift&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Same symptom, six different fixes. We could bisect to the real one. The AI could&lt;br&gt;
not - it had no ground truth, so it manufactured one.&lt;/p&gt;
&lt;h2&gt;
  
  
  So we built qa-probe
&lt;/h2&gt;

&lt;p&gt;It analyzes the app, probes the live endpoints, and classifies each failure with&lt;br&gt;
a root cause and a fix hint. Three decoupled, cached phases:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;qa-probe analyze   &lt;span class="c"&gt;# parse source + OpenAPI -&amp;gt; route graph&lt;/span&gt;
qa-probe probe     &lt;span class="c"&gt;# hit live endpoints (HTTP/SSE/WS), record evidence&lt;/span&gt;
qa-probe report    &lt;span class="c"&gt;# classify root cause -&amp;gt; HTML / Markdown / JSON / AI-context&lt;/span&gt;
&lt;span class="c"&gt;# or just: qa-probe run&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;It has adapters for FastAPI, Express, Next.js, tRPC, GraphQL, and a generic&lt;br&gt;
fallback, so it discovers your routes instead of you hand-listing them.&lt;/p&gt;
&lt;h2&gt;
  
  
  The part that actually fixed our problem: every result is falsifiable
&lt;/h2&gt;

&lt;p&gt;Each result carries the evidence (the real request, a bounded response sample,&lt;br&gt;
the timing), a root cause from ~25 categories, and a calibrated confidence -&lt;br&gt;
&lt;code&gt;high&lt;/code&gt;, &lt;code&gt;medium&lt;/code&gt;, or &lt;code&gt;none&lt;/code&gt;. When it cannot tell, it returns &lt;code&gt;none&lt;/code&gt; instead of&lt;br&gt;
bluffing. No neural network, no black box - transparent rules plus per-endpoint&lt;br&gt;
stat memory, so you can always read &lt;em&gt;why&lt;/em&gt; it landed on a verdict. An AI&lt;br&gt;
consuming this needs to verify the claim, not trust a vibe.&lt;/p&gt;
&lt;h2&gt;
  
  
  What changed when we fed it to the AI
&lt;/h2&gt;


&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;qa-probe mcp   &lt;span class="c"&gt;# exposes 8 tools to Claude, Cursor, any MCP client&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;


&lt;p&gt;The assistant stopped reasoning from a status code and started reasoning from&lt;br&gt;
evidence: "empty database, high confidence, here is the response that proves&lt;br&gt;
it." It seeded the DB instead of rewriting the handler. It fixed the right&lt;br&gt;
layer. The guessing basically stopped.&lt;/p&gt;

&lt;p&gt;It helped us debug faster. It helped the AI more - because an AI is only as good&lt;br&gt;
as the evidence you hand it, and "the endpoint is failing" is not evidence.&lt;/p&gt;
&lt;h2&gt;
  
  
  What else it caught once it was in our pipeline
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;Security checks (read-only) - auth-bypass, privilege-escalation, PII leaks&lt;/li&gt;
&lt;li&gt;Logic bugs via response assertions&lt;/li&gt;
&lt;li&gt;Adaptive baselines that flag an endpoint deviating from its own history&lt;/li&gt;
&lt;li&gt;Write-flows - opt-in CRUD chains with guaranteed cleanup, off by default&lt;/li&gt;
&lt;li&gt;A feedback loop - label a verdict once and it remembers&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;
  
  
  Where it fits
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;A CI gate that fails the build with a reason, not just a number&lt;/li&gt;
&lt;li&gt;A pre-release smoke test against staging&lt;/li&gt;
&lt;li&gt;The thing you point your AI assistant at so it debugs instead of hallucinating&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;
  
  
  Try it, break it, contribute
&lt;/h2&gt;

&lt;p&gt;It is early and it is open. The fastest way to help:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Run it against your own API and tell me what it found&lt;/strong&gt; - especially if it
got a root cause wrong. A wrong verdict with the evidence attached is the most
useful bug report I can get, because the classifier is just rules and I can
fix the rule.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;File an issue&lt;/strong&gt; for anything broken or confusing:
&lt;a href="https://github.com/LS-SIEM-LLP/qa-probe/issues" rel="noopener noreferrer"&gt;https://github.com/LS-SIEM-LLP/qa-probe/issues&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Send a PR.&lt;/strong&gt; Good first contributions are new framework adapters (Hono,
NestJS, Fastify), new root-cause rules, and new MCP tools. The adapter and
rule interfaces are documented in CONTRIBUTING.md, and there is a checklist on
every PR.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;One housekeeping note: contributions are sign-off based (DCO) - commit with&lt;br&gt;
&lt;code&gt;git commit -s&lt;/code&gt; so the project's licensing stays clean. That is the only hoop.&lt;/p&gt;
&lt;h2&gt;
  
  
  Get it
&lt;/h2&gt;

&lt;p&gt;We built it for ourselves. It worked well enough that we cleaned it up and&lt;br&gt;
released it under Apache-2.0.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;npm i &lt;span class="nt"&gt;-g&lt;/span&gt; qa-probe
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;ul&gt;
&lt;li&gt;GitHub: &lt;a href="https://github.com/LS-SIEM-LLP/qa-probe" rel="noopener noreferrer"&gt;https://github.com/LS-SIEM-LLP/qa-probe&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;npm: &lt;a href="https://www.npmjs.com/package/qa-probe" rel="noopener noreferrer"&gt;https://www.npmjs.com/package/qa-probe&lt;/a&gt;
&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Built by LS-SIEM LLP. If you run it against your own API, I would genuinely like&lt;br&gt;
to know what it found - that feedback is how the rules get sharper.&lt;/p&gt;

</description>
      <category>ai</category>
      <category>opensource</category>
      <category>api</category>
      <category>testing</category>
    </item>
  </channel>
</rss>
