A TODO: add auth check here comment in authentication code means the auth check is absent — not planned, not partially implemented, but missing. This is a shipped security gap with a note attached. In payment processing code, FIXME: validate webhook signature means webhook validation is not happening. ISO 25010 maintainability.analysability penalizes TODOs that represent real functionality gaps, not just cleanup debt. At 10+ total TODOs, the project signals that a substantial portion of intended functionality was deferred without resolution.
Medium because TODOs in critical code paths — auth, payments, validation — represent absent security controls, not future cleanup work, making them functionally equivalent to known vulnerabilities.
For each TODO found in authentication, authorization, payment, or validation code: implement the missing control before shipping. For TODOs tracked in an issue tracker, replace the comment with the issue URL:
// TODO: rate limiting - https://github.com/org/repo/issues/42
For resolved TODOs, delete the comment. Add an ESLint rule to warn on TODO comments in committed code:
"no-warning-comments": ["warn", { "terms": ["TODO", "FIXME", "HACK", "XXX"] }]
For pre-launch readiness covering deferred feature gaps more broadly, the Pre-Launch Readiness Audit addresses this in detail.
ID: code-maintainability.code-hygiene.no-critical-todos
Severity: medium
What to look for: Search for TODO, FIXME, HACK, XXX comments across source files. Categorize them:
Critical-path TODOs (e.g. // TODO: add auth check here) — critical concern. TODOs in UI components or low-stakes utilities — acceptable.
The check fails based on the location and nature of the TODOs, not just their count.
Pass criteria: Count every TODO, FIXME, HACK, and XXX comment in the codebase and classify each by location (critical path vs. UI/utility). No TODO/FIXME comments in critical business logic paths (auth, payments, data validation, security middleware). No more than 9 total TODOs across all files. TODOs in UI components or low-stakes utilities are acceptable. Report the count: "Found X TODO/FIXME comments total, Y in critical paths."
Fail criteria: One or more TODO/FIXME comments found in authentication, authorization, payment processing, or input validation code paths. Or 10+ total TODOs across any files (indicating deferred work that may represent real functionality gaps).
Skip (N/A) when: No TODO or FIXME comments found anywhere (automatic pass). Signal: grep for TODO/FIXME returns no results.
Detail on fail: "TODO found in critical path: lib/auth.ts line 47 'TODO: add rate limiting to login endpoint' — security control not yet implemented." or "FIXME in app/api/payments/route.ts line 23: 'FIXME: validate webhook signature' — payment security check deferred." or "15 TODOs across codebase including 3 in API route handlers and 2 in auth middleware."
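As an added illustration (not part of the original rule text), the scan, classification and pass/fail/skip logic above as a small Node.js script; the sample file contents and the path heuristic for "critical" code are constructed assumptions, not anything from a real project:

```javascript
// Added example: a minimal implementation of this rule's scan and pass/fail logic.
// The sample file contents below are constructed for the demo, not from any real project.
const MARKER = /\b(TODO|FIXME|HACK|XXX)\b/;
// Assumption: a path is "critical" when a segment names auth, payments, validation or middleware.
// This is a coarse heuristic; a real audit still reads the TODO itself.
const CRITICAL_PATH = /(^|\/)(auth\w*|payments?|validat\w*|middleware)(\/|\.|$)/i;
const MAX_TOTAL = 9; // 10 or more TODOs fails regardless of where they live

const SAMPLE_FILES = {
  "lib/auth.ts":
    "export function login(req) {\n  // TODO: add rate limiting to login endpoint\n  return session(req);\n}",
  "app/api/payments/route.ts":
    "export async function POST(req) {\n  // FIXME: validate webhook signature\n  return handle(req);\n}",
  "components/Button.tsx": "// TODO: polish hover animation\nexport const Button = () => null;",
  "utils/format.ts": "// HACK: works around a timezone bug\nexport const fmt = (d) => d.toISOString();",
};

// Walk every file and record each marker comment with its location and criticality.
function scanTodos(files) {
  const findings = [];
  for (const [path, content] of Object.entries(files)) {
    content.split("\n").forEach((line, i) => {
      if (!MARKER.test(line)) return;
      const text = line.trim().replace(/^(\/\/|#|\/\*|\*)\s*/, ""); // drop the comment leader
      findings.push({ path, line: i + 1, text, critical: CRITICAL_PATH.test(path) });
    });
  }
  return findings;
}

// Apply the pass / fail / skip criteria and build the report strings the rule asks for.
function evaluateTodos(findings) {
  if (findings.length === 0) {
    return { status: "skip", summary: "No TODO/FIXME comments found (automatic pass).", details: [] };
  }
  const critical = findings.filter((f) => f.critical);
  const summary = `Found ${findings.length} TODO/FIXME comments total, ${critical.length} in critical paths.`;
  const details = critical.map((f) => `TODO found in critical path: ${f.path} line ${f.line} '${f.text}'`);
  const status = critical.length > 0 || findings.length > MAX_TOTAL ? "fail" : "pass";
  return { status, summary, details };
}

const result = evaluateTodos(scanTodos(SAMPLE_FILES));
console.log(result.status.toUpperCase(), result.summary);
result.details.forEach((d) => console.log(" -", d));
```

On the sample files this reports FAIL with 4 comments total and 2 in critical paths (lib/auth.ts and the payments route).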
Remediation: TODOs in critical paths represent features that were promised but not delivered. // TODO: add auth check is particularly dangerous — it means the auth check doesn't exist yet.
For each critical TODO found: implement the missing control before shipping. For TODOs tracked in an issue tracker, replace the comment with the issue URL:
// TODO: rate limiting - https://github.com/org/repo/issues/42
For resolved TODOs, delete the comment. Use ESLint to warn on TODOs in committed code:
"no-warning-comments": ["warn", { "terms": ["TODO", "FIXME", "HACK", "XXX"] }]
For pre-launch readiness including deferred feature gaps, the Pre-Launch Readiness Audit covers this in detail.