Security & Checks
Trust is good, checking is better. How we verify AI output.
Sandbox Security
The sai engine executes specs in an isolated sandbox. Specs cannot access your filesystem outside the target directory, nor can they make unauthorized network requests during the generation phase.
Automated Checks
Every Spec must include a checks/ directory containing validation scripts. These run post-generation.
Smoke Checks
Does the server start? Does the build command succeed? Are port conflicts detected?
Contract Checks
Does the generated SQL migration match the declared schema? Does the API response match the OpenAPI spec?