Code Quality Guard Rails

Security — AI's Blind Spot

AI-generated code contains 2-6x more security vulnerabilities than human code. Guard against these:

No hardcoded secrets. Never embed API keys, passwords, tokens, or credentials in source code. Use environment variables or secret managers.
No OS command construction from user input. Use parameterized APIs instead of string-concatenated shell commands.
No debug artifacts in committed code. Remove all System.out.println, printStackTrace, console.log debugging, and print() statements before finalizing. Use proper logging frameworks.
No cleartext sensitive data. Never log, transmit, or store passwords, tokens, or PII in plaintext.
Validate all external input. Sanitize user input, file paths, XML/JSON payloads — never trust it.

AI models copy parameter signatures without using them. Don't leave dead code:

Every function parameter must be used in the body. If unused, remove it or prefix with _.
No unused imports, variables, or fields.
No placeholder classes with trivial or empty methods.

Human code trends toward maintainability debt. Keep it simple:

Max cyclomatic complexity per function: 10. Refactor if higher.
Max nesting depth: 3 levels. Extract helpers if deeper.
Catch specific exceptions, never bare except: or catch(Exception e).
Don't instantiate objects inside loops when they can be reused.
Prefer raise ... from for exception chaining (Python) to preserve traceability.

Always specify file encoding in I/O operations.
Don't access protected/private members (_method) from outside the owning class.
Prefer proper logging over print statements at every stage, not just cleanup.
Review AI-generated code for security before merging — treat it as untrusted input.