Rules

Disallow unrecognized configuration options for well-known libraries. AI assistants frequently hallucinate option names.

Disallow imports of packages not found in node_modules, package.json, or npm registry cache

Disallow exposing process.env variables to client-side code

Disallow hardcoded API keys and tokens from known providers in string literals

Detect insecure default configurations commonly introduced by AI coding assistants: wildcard CORS, disabled CSRF, HTTP URLs, disabled TLS.

Disallow placeholder credential strings commonly left by AI assistants

Disallow raw SQL strings; prefer query builders or ORMs

Disallow SQL string concatenation with dynamic values (potential SQL injection)

Disallow if/ternary/while statements with literal conditions that create dead branches

Disallow empty or stub function implementations left by AI assistants

Disallow TODO/FIXME/HACK comments left as if work is complete

Disallow try/catch blocks where the try body contains no code that can throw

Flag function parameters that are declared but never used

Disallow async functions that have no await expression

Disallow empty catch blocks and catches that only log without handling

Disallow AI-style hedging comments that tell the user to finish the job

Disallow AI prompt artifacts (conversational text) in code

Flag JSDoc @param names that do not match actual function parameters

Enforce a maximum cognitive complexity per function to catch AI-generated tangled logic

Enforce a maximum cyclomatic complexity per function to catch AI-generated complex branching

Flag functions with low maintainability index (MI) based on Halstead volume, cyclomatic complexity, and lines of code

Enforce a maximum nesting depth to catch AI-generated deeply nested code

Flag string literals duplicated too many times to catch AI copy-paste patterns

Require that source files have a corresponding test file with actual test cases