
Violations

A ContractViolation is a structured record of a specific clause breach, not a generic error message. Each violation cites the clause breached, the evidence ledger entry that triggered it, and the remediation required, with the same rigour you would expect from a professional services contract dispute.

ContractViolation model

| Field | Type | Description |
|---|---|---|
| clause_category | string | The top-level clause that was breached. One of: stack, architecture, cost, security, quality, compliance, audit, definition_of_done. |
| clause_id | string | The specific field within the clause, e.g. cost.forbidden_resources, security.secrets_store. |
| clause_description | string | Human-readable description of the clause requirement that was violated. |
| violated_by | string | The specific action, code, or infrastructure that caused the violation. |
| evidence_ref | string | Reference to the evidence ledger entry that recorded this violation. |
| severity | "critical" \| "major" \| "minor" | Violation severity. Critical violations block contract fulfilment. |
| remediation | string | Specific action required to resolve the violation and restore contract compliance. |
| auto_remediation_available | boolean | Whether tickety-ai can automatically remediate this violation without human intervention. Default false. |

Example violations

Cost clause breach — forbidden resource used

{
  "clause_category": "cost",
  "clause_id": "cost.forbidden_resources",
  "clause_description": "Secrets Manager is in the forbidden_resources list under the aws_free_tier budget envelope",
  "violated_by": "Created secret arn:aws:secretsmanager:eu-north-1:579378699130:secret:api-key",
  "evidence_ref": "query-2026-04-01T08:12:34Z",
  "severity": "critical",
  "remediation": "Delete the Secrets Manager secret. Move the API key to SSM Parameter Store as a SecureString. Update all references.",
  "auto_remediation_available": false
}

Security clause breach — secrets in environment variables

{
  "clause_category": "security",
  "clause_id": "security.forbidden_secrets_locations",
  "clause_description": "env_vars is a forbidden secrets location per the security clause",
  "violated_by": "API_KEY set as Lambda environment variable in terraform/modules/api/main.tf line 34",
  "evidence_ref": "scan-finding-secret-001",
  "severity": "critical",
  "remediation": "Remove API_KEY from Lambda environment variables. Read the value from SSM Parameter Store at runtime using boto3.client('ssm').get_parameter().",
  "auto_remediation_available": false
}

Quality clause breach — bare except present

{
  "clause_category": "quality",
  "clause_id": "quality.forbidden_patterns",
  "clause_description": "bare_except is in the quality.forbidden_patterns list",
  "violated_by": "handler.py line 147: except: pass",
  "evidence_ref": "scan-finding-sast-003",
  "severity": "major",
  "remediation": "Replace bare except with specific exception types. Log exceptions with logger.exception(). Never use bare except or except Exception as e: pass.",
  "auto_remediation_available": true
}

Severity levels

| Severity | Meaning | Effect on verdict |
|---|---|---|
| critical | A fundamental clause breach: the deliverable cannot be accepted as-is, e.g. secrets in environment variables, forbidden infrastructure provisioned. | Forces the contract_breached verdict until resolved. |
| major | A significant clause breach that reduces confidence in the deliverable, e.g. missing type hints, bare except statements, coverage below threshold. | Forces the contract_breached verdict. May be remediated by the AI in-session if auto_remediation_available is true. |
| minor | A deviation from best practice that does not breach a hard requirement, e.g. a missing docstring on an internal function. | Recorded in the evidence bundle but does not change the verdict. |

How violations relate to scan gates

Not all violations come from contract clause checking. Violations can also originate from Gatekeep scan results when a definition_of_done.scan_gates threshold is exceeded. In that case:

  • clause_category is definition_of_done
  • clause_id is definition_of_done.scan_gates
  • violated_by references the specific Gatekeep finding
  • evidence_ref points to the Gatekeep scan result entry

See scan gates for the full list of gate categories and how they map to definition_of_done.scan_gates.
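The following is an added example, not tickety-ai's own code, that ties together the three technical parts of this page: the ContractViolation field table (with the structural checks it implies), the verdict rule from the severity table, and the scan-gate mapping above. Field names, clause categories and severity values are the page's; the class and helper names, the "no_breach" label for the non-breached verdict, and the shape of the sample Gatekeep finding are this example's own assumptions.

```python
"""Added example (not tickety-ai's own code). Field names and clause
categories follow the page; class/helper names, the "no_breach" verdict
label and the Gatekeep finding shape are assumptions of this example."""
import json
from dataclasses import asdict, dataclass
from typing import Iterable, List, Literal, Optional

CLAUSE_CATEGORIES = frozenset({
    "stack", "architecture", "cost", "security", "quality",
    "compliance", "audit", "definition_of_done",
})
SEVERITIES = ("critical", "major", "minor")
Severity = Literal["critical", "major", "minor"]


@dataclass(frozen=True)
class ContractViolation:
    clause_category: str
    clause_id: str
    clause_description: str
    violated_by: str
    evidence_ref: str
    severity: Severity
    remediation: str
    auto_remediation_available: bool = False  # page default

    def __post_init__(self) -> None:
        if self.clause_category not in CLAUSE_CATEGORIES:
            raise ValueError(f"unknown clause_category {self.clause_category!r}")
        # clause_id is "<category>.<field>", so it must be rooted in its own category
        if not self.clause_id.startswith(self.clause_category + "."):
            raise ValueError(f"clause_id {self.clause_id!r} is not under {self.clause_category!r}")
        if self.severity not in SEVERITIES:  # Literal is not enforced at runtime
            raise ValueError(f"severity must be one of {SEVERITIES}, got {self.severity!r}")
        # Without an evidence citation and a remediation it is just an error message
        if not self.evidence_ref or not self.remediation:
            raise ValueError("evidence_ref and remediation are required")

    @classmethod
    def from_json(cls, text: str) -> "ContractViolation":
        # Strict: an unknown or missing key makes the dataclass __init__ raise TypeError
        return cls(**json.loads(text))

    def to_json(self) -> str:
        return json.dumps(asdict(self), indent=2)


def validation_error(**fields) -> Optional[str]:
    """Return the validation message for a candidate record, or None if it is valid."""
    try:
        ContractViolation(**fields)
    except (TypeError, ValueError) as exc:
        return str(exc)
    return None


def violation_from_scan_gate(finding: dict, threshold: str) -> ContractViolation:
    """Wrap a Gatekeep finding that breached a definition_of_done.scan_gates threshold,
    following the category / clause_id / violated_by / evidence_ref rules on this page.
    The finding's keys (id, gate, title, location, ...) are assumed for this example."""
    return ContractViolation(
        clause_category="definition_of_done",
        clause_id="definition_of_done.scan_gates",
        clause_description=f"scan gate {finding['gate']!r} exceeded threshold {threshold}",
        violated_by=f"Gatekeep finding {finding['id']}: {finding['title']} at {finding['location']}",
        evidence_ref=finding["id"],
        severity=finding["severity"],
        remediation=finding["remediation"],
    )


def verdict(violations: Iterable[ContractViolation]) -> str:
    """Severity table: any critical or major violation forces contract_breached;
    minor violations are recorded but do not change the verdict."""
    blocking = [v for v in violations if v.severity in ("critical", "major")]
    return "contract_breached" if blocking else "no_breach"  # "no_breach" is an assumed label


def after_auto_remediation(violations: Iterable[ContractViolation]) -> List[ContractViolation]:
    """Violations still needing a human once in-session auto-remediation has run."""
    return [v for v in violations if not v.auto_remediation_available]


# Constructed inputs: the page's quality example, plus an assumed Gatekeep finding.
QUALITY_VIOLATION = ContractViolation.from_json("""{
  "clause_category": "quality",
  "clause_id": "quality.forbidden_patterns",
  "clause_description": "bare_except is in the quality.forbidden_patterns list",
  "violated_by": "handler.py line 147: except: pass",
  "evidence_ref": "scan-finding-sast-003",
  "severity": "major",
  "remediation": "Replace bare except with specific exception types.",
  "auto_remediation_available": true
}""")

SAMPLE_FINDING = {  # constructed; Gatekeep's real finding schema is not on this page
    "id": "scan-finding-iac-002",
    "gate": "iac",
    "title": "S3 bucket without server-side encryption",
    "location": "terraform/modules/storage/main.tf",
    "severity": "critical",
    "remediation": "Enable server_side_encryption_configuration on the bucket.",
}


def demo() -> dict:
    """Verdicts before and after auto-remediation for the constructed inputs."""
    quality_only = [QUALITY_VIOLATION]
    with_gate = quality_only + [violation_from_scan_gate(SAMPLE_FINDING, "0 critical")]
    return {
        "quality_only": verdict(quality_only),
        "quality_only_after_auto": verdict(after_auto_remediation(quality_only)),
        "with_gate_after_auto": verdict(after_auto_remediation(with_gate)),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The clause_id prefix check is the one worth keeping even if nothing else survives: it stops a violation being filed under one clause while citing a field from another, which would otherwise mis-route remediation. Note that a major violation only drops out of the verdict once auto-remediation has actually run; the critical scan-gate violation is never removed by that pass.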