Catches code that will surprise-bill on the first viral moment — non-LLM cost vectors that AI tools commonly leave unbounded: file uploads with no size limit, unbounded DB queries, email/SMS without rate limits, webhooks without idempotency, and background jobs without retry caps.
18
Total Checks
2
Delivery Formats
4
Categories
3
Versions
Included
Never included
PATCH — telemetry-format prose fix: verification instructions still required dotted check IDs (audit.{category}.{check}) while the JSON template and the ingest schema use bare kebab-case slugs; an AI following the prose over the template would emit IDs the schema rejects with a 400. Prose now states bare slugs. No check or criteria changes.
Picked by pack overlap with this audit.
Catches LLM hallucination — code that references modules, files, routes, schemas, env vars, or assets that do not exist anywhere in the project.
Catches multi-session AI confusion: codebases that accumulate multiple libraries doing the same job because the model picked differently across sessions, resulting in dependency cruft and split-brain data layers.
Catches security controls that are imported, configured, or defined but never actually wired up — the unique AI failure mode of code that looks secure but isn't. Strictly focused on the gap between declaring a security control and applying it.
Catches AI-generated test suites that look impressive but don't actually test anything — assertion-free test files, mock-saturated tests that test the mocks, tautologies, skipped tests in CI, and missing E2E coverage on critical user flows.
Catches AI-specific half-finished code patterns that slip into production: mock API responses in real handlers, hardcoded test credentials in fallbacks, stub returns, debug bypasses, and dev-only routes left active.