Scaffolding, stubs, mock data, debug bypasses, and placeholder credentials that survived to production — code that runs but wasn't meant to.
The scaffold-leakage layer: did the placeholder, stub, or debug hook get replaced before the code shipped?
In scope. Hardcoded admin/admin fallback credentials, mock data returned from a handler instead of a real query, debug routes or /debug/eval endpoints enabled in production, feature-flag defaults wrong for prod, TODO comments marking unimplemented security checks, debug-only auth bypasses (if (env === 'development') skipAuth()), placeholder strings ([INSERT_API_KEY], CHANGEME, your_api_key_here), console.log calls tracing sensitive data that were meant to be removed, if (false) / if (true) blocks, stub functions that return static data.
Not in scope. Deliberately incomplete but documented feature work — that's code-quality tech-debt. Feature fully missing by design — not a defect, a gap. References to things that don't resolve at all — that's reference-integrity.
Distinct because. The defect is scaffolding intended to be replaced was not. The code runs, and that's the problem. A pattern about "auth returns mock user when NODE_ENV is dev" is placeholder-hygiene. A pattern about "auth function has any return type" is code-quality.
Conceptual sub-structure. Debug / dev-only code in prod paths, stub / mock responses shipping real paths, placeholder strings / credentials, feature-flag defaults wrong for production.
Note on the name. Formerly implementation-completeness — renamed because "completeness" collides with "spec completeness" / "test coverage completeness." placeholder-hygiene names the specific defect: scaffolding residue.