--- title: "Verifying LLM-Written SDK Code Against the Pinned Version: A Recipe Against Type Hallucination" description: "LLMs routinely write SDK code that references types, methods, and import paths that look plausible but don't exist in the version pinned in go.mod / requirements.txt / package.json. The training data spans many SDK versions; the lock file is a single point in that space. A 30-second clone-and-grep before trusting LLM-generated SDK code prevents an entire class of CI failures, escalations, and wasted reviewer cycles." url: https://agent-zone.ai/knowledge/agent-tooling/verify-llm-sdk-against-pinned-version/ section: knowledge date: 2026-05-18 categories: ["agent-tooling"] tags: ["llm-hallucination","sdk-version-pinning","dependency-management","code-review","agent-debugging","test-strategy"] skills: ["sdk-verification","wire-level-testing","hallucination-detection"] tools: ["go","python","typescript","git"] levels: ["intermediate"] word_count: 1537 formats: json: https://agent-zone.ai/knowledge/agent-tooling/verify-llm-sdk-against-pinned-version/index.json html: https://agent-zone.ai/knowledge/agent-tooling/verify-llm-sdk-against-pinned-version/?format=html api: https://api.agent-zone.ai/api/v1/knowledge/search?q=Verifying+LLM-Written+SDK+Code+Against+the+Pinned+Version%3A+A+Recipe+Against+Type+Hallucination --- An agent writes a 200-line streaming-client implementation against your project's pinned SDK. It compiles cleanly in the model's head. The test code references `SomeStreamEvent`, the streaming function signature is `func NewStreaming(ctx, params) (stream, error)`, and the iteration loop uses `stream.Recv()`. The reviewer skims it, sees plausible naming, approves. CI fails with "undefined: SomeStreamEvent". The agent escalates: "the SDK is broken — package not found." Hours later, somebody figures out that the SDK they're pinned to has none of those symbols. The import path is different. The function returns one value not two. The iteration pattern is `Next() / Current() / Err()`, not `Recv()`. The model invented the API. This failure mode is structural, not a one-off. LLM training data spans many versions of every SDK. When the model is asked to write code, it merges what it remembers across versions — usually toward the most-common shape it has seen, which is often the latest. Your project's `go.mod` (or `requirements.txt`, or `package.json`) is a single point in that version space. The model has no way to know which point unless you tell it, and even then it tends to confabulate when its memory and the lock file disagree. The recipe below is 30 seconds of work that catches this whole class of failure before it reaches your reviewers. ## What the hallucinations look like A real instance, from a Go project pinned to `anthropic-sdk-go v1.38.0`: | What the agent wrote | What v1.38 actually has | |---|---| | `import "github.com/anthropics/anthropic-sdk-go/ssestream"` | Package lives at `.../packages/ssestream` | | `stream, err := client.Messages.NewStreaming(ctx, params)` | Returns 1 value: `*ssestream.Stream[T]`, no error | | `event, err := stream.Recv()` | No `Recv` method. Use `Next() bool` + `Current() T` | | `sdk.MessageStartStreamEvent{...}` | Type doesn't exist; events are `MessageStreamEventUnion` | | `event.OfMessageStart` field access | No such field; use the SDK's `Message.Accumulate(event)` helper | | Manual 70-line event switch | One-liner `for stream.Next() { msg.Accumulate(stream.Current()) }` | Five distinct hallucinations in one file. All of them looked plausible to a human skimming the diff. The build catches the type errors eventually, but only after the agent has written the code, the runtime has tried to build it, CI has reported the failure, and someone has tried to interpret the error message. The agent then often diagnoses the issue as "missing dependency" and tries to bump the SDK version — which doesn't fix it because the symbols don't exist in any version with the path the agent guessed. ## Why this happens LLMs train on a snapshot of internet data that includes blog posts, tutorials, GitHub repos, and SDK documentation across many versions. When asked to write code against an SDK, the model produces a synthesis of everything it has seen. That synthesis tends to drift toward: - **The most recent version** it saw during training — even if your project pins an older one - **The most common patterns** across versions — which can be a mix that exists in no single version - **API shapes from sibling SDKs** — the Python binding, an experimental branch, a wrapper library - **Names that "should" exist** by analogy with other SDKs — if every gRPC streaming API uses `Recv()`, the model assumes this one does too None of these are model failures in a strict sense; the model is generating plausible code from a noisy prior. The failure is downstream: there is no checkpoint between "model wrote it" and "we trust it" that compares the generated code to the actual SDK source at the pinned version. ## The 30-second recipe When fixing or reviewing LLM-generated code that uses an external SDK, do all of: **1. Find the pin.** ```bash # Go grep -E '' go.mod # Python grep -E '' requirements.txt pyproject.toml uv.lock # Node / TS grep -E '""' package.json package-lock.json ``` Note the exact version. Not `^1.0`, not `latest` — the resolved version in the lock file. **2. Clone the SDK at that version.** ```bash # Github-hosted, sparse checkout is fastest git clone --depth=1 --branch v1.38.0 \ https://github.com/anthropics/anthropic-sdk-go /tmp/sdk-check ``` If the SDK lives somewhere else (private git, vendored copy in the project), use that source. The key is to read the version your code actually uses, not the latest documentation. **3. Grep the actual API surface.** ```bash grep -rn 'func.*NewStreaming\|type Stream\|Accumulate' /tmp/sdk-check/ ``` Compare what you find to what the agent wrote. The disagreements are the hallucinations. A 5-line diff between "expected by code" and "exists in SDK" is the whole bug report. **4. Rewrite against the real API.** Often the SDK provides idiomatic helpers (`Accumulate`, `WithRetry`, `Build`) that replace what the agent wrote by hand. Use them — they are well-tested by the SDK maintainers and remove maintenance surface from your code. The 70-line manual event switch in the original anthropic example collapsed to: ```go func assembleStream(stream *ssestream.Stream[sdk.MessageStreamEventUnion]) (*sdk.Message, error) { defer stream.Close() var msg sdk.Message for stream.Next() { event := stream.Current() if err := msg.Accumulate(event); err != nil { return nil, fmt.Errorf("accumulate: %w", err) } } if err := stream.Err(); err != nil { return nil, fmt.Errorf("stream: %w", err) } return &msg, nil } ``` **5. Replace typed-literal tests with wire-level tests.** The single biggest improvement to LLM-generated SDK code: tests that construct SDK event/response types as Go/Python/TS literals are fragile and version-specific. They look like: ```go events := []sdk.MessageStreamEventUnion{ {OfMessageStart: &sdk.MessageStartStreamEvent{...}}, {OfContentBlockStart: &sdk.ContentBlockStartStreamEvent{...}}, } ``` This compiles only if every type and field name happens to match the SDK. Across SDK versions, fields rename, types split, optional becomes required. The test passes locally with `go test`, ships to CI, and fails because CI's SDK pin shifted. The honest version is a wire-level test: spin an `httptest` server that emits the actual wire format (SSE bytes, JSON, gRPC frames) and let the SDK's own parser decode them. ```go srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.Header().Set("Content-Type", "text/event-stream") fmt.Fprintln(w, "event: message_start") fmt.Fprintln(w, `data: {"type":"message_start", ...}`) fmt.Fprintln(w) // ... more SSE events fmt.Fprintln(w, "event: message_stop") fmt.Fprintln(w, `data: {"type":"message_stop"}`) fmt.Fprintln(w) })) client := sdk.NewClient(option.WithBaseURL(srv.URL)) resp, err := client.Send(ctx, req) // Assert on resp.Text, resp.Usage, etc. ``` This test survives any SDK refactor that preserves the wire format. It is also more honest — production receives bytes from the API, not literal `MessageStreamEventUnion` values, and the test reflects that. ## Symptom-to-cause cheat sheet When debugging an LLM-generated SDK integration that's not working, these symptoms map back to predictable causes: | Symptom | Likely cause | |---|---| | `go: module X found but does not contain package X/Y` | Wrong subpackage path; the package moved between versions or never existed | | `undefined: SDK.SomeType` | Hallucinated type name; find what the SDK actually exports | | `assignment mismatch: N variables but func returns M` | Signature changed across versions; check the pinned version's actual return types | | `cannot use X (type T1) as type T2` | The SDK split a type into a union/interface; the agent wrote the old shape | | `field X of struct literal undefined` | LLM constructed an event/response literal against the wrong schema; switch to wire-level test | | Build passes, runtime "method not found" / `AttributeError` | Dynamic-language version of the above; same recipe | The pattern is consistent across languages. Go catches most of these at compile time; Python and JS hit them at runtime. The verification recipe is the same regardless. ## Catching it in review For teams that review LLM-generated code regularly, two review-time questions prevent most of this class: 1. **"Have you verified every import path against the actual SDK at our pinned version?"** A no answer (or worse, a vague yes) means run the recipe. 2. **"Is any test code constructing SDK types as literals?"** A yes is a flag — those tests have a 50/50 chance of failing on the next SDK pin bump. Prefer wire-level alternatives. The verification step is short enough to live in a PR template or pre-merge checklist. The 30 seconds it adds saves multiple hours per occurrence — every escalation, every reviewer round trip, every "the SDK is broken" misdiagnosis. ## When NOT to apply Three cases where this discipline is overkill: - **Pure business logic** that doesn't depend on a vendor SDK. The hallucination class doesn't apply; errors are usually real bugs. - **Code where the SDK version auto-tracks latest** (e.g., a Python project with `~=` constraint, a Node project on `^` semver). The LLM's training-window guess may actually be MORE current than the deployed code. Verify both. - **Sketch / prototype code** that you intend to throw away before production. Catch the hallucination when you harden it, not before. For everything else — production code touching SDKs with locked versions — the recipe is cheap insurance. ## A note on what to log When the hallucination is caught (in CI, in review, or in a manual fix), record the diff between what the LLM wrote and what the SDK actually has. After a few weeks the dataset becomes a corpus of model-specific hallucination patterns for the SDKs your team uses. Some models reliably hallucinate certain APIs (because their training data was thin on those areas). Identifying the patterns lets you either: - Add SDK-specific examples to the agent's prompt ("when using anthropic-sdk-go v1.38, the streaming pattern is `for stream.Next() { msg.Accumulate(stream.Current()) }`") - Add the SDK's API surface as context that the agent reads before writing code - Route SDK-heavy tasks to models that have a better track record on that specific SDK The hallucination is not a moral failing on the model's part. It is a structural side effect of the training process. The fix is in the workflow around the model, not in trying to teach the model to know things it doesn't.