Handlers that return hardcoded fake data silently lie to every caller. Users see a populated list named "John Doe" with email "john@example.com" and assume the product is wired up, so the defect escapes QA, reaches paying customers, and often surfaces only after launch when real accounts should exist. Marketing dashboards, onboarding flows, and integration partners all pull from the mock and make wrong decisions. The placeholder-hygiene taxon exists because these fabrications corrupt trust long before they trigger an observable error.
Critical because fake data in a live handler actively misleads users and downstream systems with zero error signal.
Replace every hardcoded return with a real data source in the same request path. Wire the handler to your database client, upstream SDK, or request body; gate any remaining mock behind NODE_ENV === 'development' so production fails loudly. Example fix in src/app/api/users/route.ts:
import { prisma } from '@/lib/db'
export async function GET() {
const users = await prisma.user.findMany()
return Response.json(users)
}
ID: ai-slop-half-finished.mock-responses.mock-data-in-handlers
Severity: critical
What to look for: Walk all API handler files and look for handlers whose return expressions are literal object/array expressions containing AI-fake-data tells. Before evaluating, extract and quote each handler's return statement. Count all API handlers that return ONLY a hardcoded object literal (no database call, no third-party SDK call, no request body parsing) AND contain any of these 12 fake-data signals in the literal: "John Doe", "Jane Doe", "example@example.com", "test@test.com", "foo@bar.com", "Acme Corp", "Test User", "Sample Item", "Lorem ipsum", "placeholder", "fake", "dummy". Also count handlers that return ONLY an object literal with at least 3 fields where ALL string values are literal strings (no variables, no function calls, no dynamic expressions) AND the handler file has zero references to: database client, fetch, third-party SDK call, request.json(), req.body, session/cookie retrieval.
Pass criteria: 0 API handlers return hardcoded fake data. Report: "Scanned X API handlers, 0 return hardcoded fake data."
Fail criteria: At least 1 API handler returns a hardcoded object/array literal containing AI-fake-data tells OR returns a static literal object with no dynamic references.
Do NOT pass when: A handler comment says "TODO: replace with real data" or "placeholder for now" — the code is what's deployed.
Skip (N/A) when: Project has 0 API handler files (not a web-app or api project type).
Report even on pass: Report the number of API handlers scanned. Example: "Scanned 12 API handlers, 0 return hardcoded fake data."
Cross-reference: For broader API design quality, the API Design audit (api-design) covers endpoint design patterns.
Detail on fail: "3 API handlers return hardcoded fake data: app/api/users/route.ts returns [{name: 'John Doe', email: 'john@example.com'}], app/api/posts/route.ts returns static array with 'Lorem ipsum' content"
Remediation: AI commonly generates mock handlers to make the app "look working" before wiring up real data. Each mock handler that ships silently lies to users — they see fake data and think the product works. Fix each one by wiring up the actual data source:
// Bad: hardcoded fake data
// src/app/api/users/route.ts
export async function GET() {
return Response.json([
{ id: 1, name: 'John Doe', email: 'john@example.com' }
])
}
// Good: read from database
import { prisma } from '@/lib/db'
export async function GET() {
const users = await prisma.user.findMany()
return Response.json(users)
}
If you genuinely need mock data for development, gate it behind NODE_ENV === 'development' with a hard fail in production.