No TODO/FIXME/HACK blocking comments in production code

ab-002597 · project-snapshot.code-quality.no-blocking-todos
Severity: high · Status: active

Why it matters

Placeholder strings like `[INSERT_API_KEY]`, `your_api_key_here`, or `CHANGEME` that survive into production are not style issues: they are proof that a credential, webhook URL, or config value never got wired up, which means the feature is either silently failing, connecting to a template-literal fallback, or calling an attacker-controlled example domain. `FIXME: validate amount` in a payment path or `HACK: skip auth in dev` in middleware is a direct security finding when the dev branch is what ships. AI coding tools amplify this failure mode because they scaffold placeholder markers into generated code as a prompt to "come back later," and because multi-session agents forget which TODOs were blockers versus stretch goals when the user says "ship it." The count threshold catches codebases where the markers have accumulated past the point of anyone tracking them.

Severity rationale

High because placeholder strings in production commonly indicate an unwired credential or a known-broken code path, and because `// HACK: skip auth` style comments frequently sit directly on top of authorization bypasses.

Remediation

Either resolve the TODOs before shipping, or move them to your issue tracker. Placeholders like [INSERT_API_KEY] must be wired up before going live.

Deeper remediation guidance and cross-reference coverage for this check lives in the code-quality-essentials Pro audit — run that after applying this fix for a more exhaustive pass on the same topic.

Detection

  • ID: project-snapshot.code-quality.no-blocking-todos
  • Severity: high
  • What to look for: Search source files for `TODO`, `FIXME`, `HACK`, `XXX`, `WIP`, `INSERT`, `CHANGEME`, `[INSERT_*]`, `your_api_key_here`, `replace-me`. Also flag `if (false)` and `if (true)` blocks, and `// @ts-ignore` / `// eslint-disable` directives that carry no justification comment. Count each occurrence.
  • Pass criteria: Fewer than 5 blocking-marker comments total across the codebase, AND zero placeholder strings ([INSERT_*], your_api_key_here, CHANGEME).
  • Fail criteria: 5+ blocking markers, or any placeholder string match.
  • Skip (N/A) when: Never — every project should be checked.
  • Do NOT pass when: TODOs are technically scoped ("TODO: optimize this loop") — still count them. The threshold of 5 already accounts for normal in-progress markers.
  • Report even on pass: "Scanned ~N source files; found M markers (TODO/FIXME/HACK), 0 placeholder strings."
  • Detail on fail: "12 TODO/FIXME markers found, including 2 in critical paths: src/lib/payments.ts ('FIXME: validate amount'), src/middleware.ts ('HACK: skip auth in dev')".
  • Cross-reference: For full AI-slop coverage (mock data in handlers, hallucinated imports, dual-library drift, test theater), run the ai-slop-half-finished or ai-slop-hallucinations audit.
  • Remediation: Either resolve the TODOs before shipping, or move them to your issue tracker. Placeholders like [INSERT_API_KEY] must be wired up before going live.
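A minimal implementation of the detection rules above, added here as an example (it is not the project-snapshot tool's own code). The critical-path hints, the rule for what counts as a justification comment (`-- reason` or `: reason` after a directive), and the omission of bare `INSERT` are assumptions; the sample files are constructed.

```python
import re

# Patterns from the rule's "What to look for" list. Bare INSERT is omitted here
# because it collides with SQL statements; the [INSERT_*] form covers placeholders.
MARKER_RE = re.compile(r"\b(TODO|FIXME|HACK|XXX|WIP)\b")
PLACEHOLDER_RE = re.compile(r"\[INSERT_\w*\]|your_api_key_here|CHANGEME|replace-me")
DEAD_BRANCH_RE = re.compile(r"\bif\s*\(\s*(true|false)\s*\)")
SUPPRESS_RE = re.compile(r"//\s*(?:@ts-ignore|eslint-disable(?:-next-line|-line)?)\b(.*)$")
JUSTIFIED_RE = re.compile(r"(?:--|:)\s*\S")  # assumption: "-- reason" or ": reason" counts
THRESHOLD = 5                                 # fewer than 5 markers passes (rule text)
CRITICAL_HINTS = ("payment", "auth", "middleware")  # assumption: path heuristic for the report

def scan_source(path, source):
    """Yield (path, line_no, text, is_placeholder) for each offending line of one file."""
    for n, line in enumerate(source.splitlines(), 1):
        if PLACEHOLDER_RE.search(line):
            yield (path, n, line.strip(), True)
            continue
        sup = SUPPRESS_RE.search(line)
        # A lint/type suppression counts only when no justification follows it.
        unjustified = sup is not None and not JUSTIFIED_RE.search(sup.group(1))
        if MARKER_RE.search(line) or DEAD_BRANCH_RE.search(line) or unjustified:
            yield (path, n, line.strip(), False)

def run_check(files):
    """files: {path: source}. Applies the pass/fail criteria and builds the report line."""
    findings = [f for p, s in files.items() for f in scan_source(p, s)]
    markers = [f for f in findings if not f[3]]
    placeholders = [f for f in findings if f[3]]
    passed = len(markers) < THRESHOLD and not placeholders   # any placeholder fails outright
    if passed:
        report = (f"Scanned ~{len(files)} source files; found {len(markers)} markers "
                  f"(TODO/FIXME/HACK), 0 placeholder strings.")
    else:
        crit = [f for f in findings if any(h in f[0].lower() for h in CRITICAL_HINTS)]
        detail = ", ".join(f"{p} ('{text}')" for p, _, text, _ in crit)
        report = (f"{len(markers)} TODO/FIXME markers found, {len(placeholders)} placeholder "
                  f"strings, including {len(crit)} in critical paths: {detail}")
    return {"passed": passed, "markers": len(markers),
            "placeholders": len(placeholders), "report": report}

# Constructed sample repository, not real project files.
SAMPLE_FILES = {
    "src/lib/payments.ts": "export function charge(a) {\n  // FIXME: validate amount\n  return pay(a);\n}\n",
    "src/middleware.ts": "// HACK: skip auth in dev\nexport const guard = (req) => req;\n",
    "src/config.ts": 'export const apiKey = "[INSERT_API_KEY]";\n',
    "src/utils.ts": ("// TODO: optimize this loop\nif (true) { debug(); }\n// @ts-ignore\nfoo();\n"
                     "// eslint-disable-next-line no-console -- CLI output\nconsole.log(1);\n"),
}

if __name__ == "__main__":
    print(run_check(SAMPLE_FILES)["report"])
```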
