No TODO or FIXME comments in critical business logic
Why it matters
A "TODO: add auth check here" comment in authentication code means the auth check is absent — not planned, not partially implemented, but missing. This is a shipped security gap with a note attached. In payment processing code, "FIXME: validate webhook signature" means webhook validation is not happening. ISO 25010 maintainability.analysability penalizes TODOs that represent real functionality gaps, not just cleanup debt. At 10+ total TODOs, the project signals that a substantial portion of intended functionality was deferred without resolution.
Severity rationale
Medium because TODOs in critical code paths — auth, payments, validation — represent absent security controls, not future cleanup work, making them functionally equivalent to known vulnerabilities.
Remediation
For each TODO found in authentication, authorization, payment, or validation code: implement the missing control before shipping. For TODOs tracked in an issue tracker, replace the comment with the issue URL:
// TODO: rate limiting - https://github.com/org/repo/issues/42
For resolved TODOs, delete the comment. Add an ESLint rule to warn on TODO comments in committed code:
"no-warning-comments": ["warn", { "terms": ["TODO", "FIXME", "HACK", "XXX"] }]
For pre-launch readiness covering deferred feature gaps more broadly, the Pre-Launch Readiness Audit addresses this in detail.
Detection
- ID: no-critical-todos
- Severity: medium
- What to look for: Search for TODO, FIXME, HACK, XXX comments across source files. Categorize them:
  - In authentication, authorization, payment, or data validation code — high concern
  - In UI components or non-critical utilities — low concern
  - TODOs that indicate missing security checks (// TODO: add auth check here) — critical concern
  The check fails based on the location and nature of the TODOs, not just their count.
- Pass criteria: Count every TODO, FIXME, HACK, and XXX comment in the codebase and classify each by location (critical path vs. UI/utility). No TODO/FIXME comments in critical business logic paths (auth, payments, data validation, security middleware). No more than 9 total TODOs across all files. TODOs in UI components or low-stakes utilities are acceptable. Report the count: "Found X TODO/FIXME comments total, Y in critical paths."
- Fail criteria: One or more TODO/FIXME comments found in authentication, authorization, payment processing, or input validation code paths. Or 10+ total TODOs across any files (indicating deferred work that may represent real functionality gaps).
- Skip (N/A) when: No TODO or FIXME comments found anywhere (automatic pass). Signal: grep for TODO/FIXME returns no results.
- Detail on fail:
  "TODO found in critical path: lib/auth.ts line 47 'TODO: add rate limiting to login endpoint' — security control not yet implemented."
  or "FIXME in app/api/payments/route.ts line 23: 'FIXME: validate webhook signature' — payment security check deferred."
  or "15 TODOs across codebase including 3 in API route handlers and 2 in auth middleware."
- Remediation: TODOs in critical paths represent features that were promised but not delivered. // TODO: add auth check is particularly dangerous — it means the auth check doesn't exist yet. For each critical TODO found:
  - If it's a real security gap → address it before shipping
  - If it's tracked in your issue tracker → replace the comment with the issue URL: // TODO: rate limiting - https://github.com/org/repo/issues/42
  - If it's resolved → delete the comment
  Use ESLint to warn on TODOs in committed code:
  "no-warning-comments": ["warn", { "terms": ["TODO", "FIXME", "HACK", "XXX"] }]
  For pre-launch readiness including deferred feature gaps, the Pre-Launch Readiness Audit covers this in detail.
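As an added example that is not part of this rule page, the following Node.js script applies the detection criteria above to a constructed set of in-memory files: it counts marker comments, classifies each by file path, and returns the pass/fail/skip verdict together with the report string. The path heuristic (CRITICAL_PATH) and the comment syntaxes it recognises are assumptions to tune per project.

```javascript
// Added example, not part of the original rule page: a minimal scanner that
// applies this check's pass/fail/skip criteria to an in-memory set of files.
// Assumptions: only //, # and /* comments are recognised, and a file is
// "critical" when its path matches CRITICAL_PATH (tune this per project).
const MARKERS = /\b(TODO|FIXME|HACK|XXX)\b/;
const COMMENT_TAIL = /(\/\/|#|\/\*)\s*(.*)$/;
const CRITICAL_PATH = /(auth|payment|validat|middleware)/i;
const MAX_TOTAL = 9; // page rule: 10+ TODOs in total is a fail

// Returns one finding per marker comment; the marker must sit inside the
// comment text, so identifiers such as TODO_LABEL are not counted.
function scanTodos(files) {
  const findings = [];
  for (const { path, content } of files) {
    content.split('\n').forEach((line, i) => {
      const m = COMMENT_TAIL.exec(line);
      if (!m || !MARKERS.test(m[2])) return;
      findings.push({ path, line: i + 1, text: m[2].trim(), critical: CRITICAL_PATH.test(path) });
    });
  }
  return findings;
}

// Applies the pass / fail / skip criteria and builds the report string.
function evaluate(findings) {
  if (findings.length === 0) return { status: 'skip', detail: 'No TODO/FIXME comments found.' };
  const critical = findings.filter((f) => f.critical);
  const summary = `Found ${findings.length} TODO/FIXME comments total, ${critical.length} in critical paths.`;
  if (critical.length > 0) {
    const f = critical[0];
    return { status: 'fail', detail: `TODO found in critical path: ${f.path} line ${f.line} '${f.text}'. ${summary}` };
  }
  if (findings.length > MAX_TOTAL) return { status: 'fail', detail: summary };
  return { status: 'pass', detail: summary };
}

// Constructed sample files (not from any real repository).
const SAMPLE_FILES = [
  { path: 'lib/auth.ts', content: 'export async function login(req) {\n  // TODO: add rate limiting to login endpoint\n  return verify(req);\n}' },
  { path: 'app/api/payments/route.ts', content: '// FIXME: validate webhook signature\nexport function POST(req) { return handle(req); }' },
  { path: 'components/Button.tsx', content: '// TODO: add dark mode variant\nexport const Button = () => null;' },
  { path: 'lib/utils.ts', content: "const TODO_LABEL = 'todo'; // an identifier, not a marker comment" },
];

function runSample() {
  return evaluate(scanTodos(SAMPLE_FILES));
}

if (typeof require !== 'undefined' && require.main === module) console.log(runSample());
```

Running the script prints a fail verdict naming lib/auth.ts line 2, because the two critical-path findings trump the total count of three.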
External references
- iso-25010:2011 · maintainability.analysability — Analysability
Taxons
History
- 2026-04-18·v1.0.0·Initial import from code-maintainability·automated