A systematic checklist for reviewing AI-generated backend code. Security pitfalls, missing error handling, hidden race conditions, performance traps, and architecture smells — the patterns that slip through because AI writes confident, plausible-looking code that doesn't quite work in production.
AI-generated code is stylistically consistent but security-naive. It produces SQL injection risks, missing input validation, exposed secrets, and broken auth flows.
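Three of those items side by side, as an added example that is not part of the original checklist: the concatenated query next to its parameterized form, a validation step at the request boundary, and a fail-fast secret loader. The `{ text, values }` shape mirrors what drivers such as node-postgres accept; no database is touched, and the function names, the e-mail rule and the probe string are this example's own.

```javascript
// BAD: string concatenation. Any quote in userInput becomes SQL syntax.
function findUserByEmailUnsafe(userInput) {
  return `SELECT id, email FROM users WHERE email = '${userInput}'`;
}

// GOOD: the query text is constant; user data travels separately as a bound
// parameter, so the driver never parses it as SQL. (Shape as used by
// node-postgres: client.query({ text, values }).)
function findUserByEmailSafe(userInput) {
  return {
    text: 'SELECT id, email FROM users WHERE email = $1',
    values: [userInput],
  };
}

// Validation belongs at the boundary, before the query is even built.
// Assumption: this conservative e-mail shape is enough for the application;
// adjust it to your own rules.
const EMAIL_RE = /^[^\s@]{1,64}@[^\s@]{1,255}\.[A-Za-z]{2,}$/;

function parseEmail(input) {
  if (typeof input !== 'string') throw new TypeError('email must be a string');
  const email = input.trim().toLowerCase();
  if (!EMAIL_RE.test(email)) throw new RangeError('email has invalid format');
  return email;
}

// Secrets: read from the environment and fail at startup when one is
// missing, instead of leaving a literal such as `const JWT_SECRET = '...'`
// in the source (and in git history).
function requireEnv(name, env = process.env) {
  const value = env[name];
  if (!value) throw new Error(`missing required environment variable ${name}`);
  return value;
}

// Constructed input: the textbook injection probe, used only to show the
// difference between the two query builders.
const probe = "x' OR '1'='1";

// Stand-alone run: the unsafe builder lets the probe rewrite the WHERE clause;
// the safe one keeps it as an opaque parameter value.
console.log(findUserByEmailUnsafe(probe));
console.log(findUserByEmailSafe(probe));
```

The check a reviewer should make is mechanical: any template literal or `+` that builds a query from request data fails the review, regardless of how "trusted" the caller looks.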
AI-generated code swallows errors, uses empty catch blocks, forgets to handle Promise rejections, and returns 200 OK for internal failures.
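The swallowed-error handler next to the pattern that replaces it, as an added example that is not part of the original checklist. It is Express-style (`(req, res, next)` handlers, `next(err)` routing to an error middleware) but runs against tiny fake `req`/`res` objects so no framework is needed; `AppError`, `asyncHandler`, `dispatch` and the fake repository are this example's own names.

```javascript
class AppError extends Error {
  constructor(message, status) { super(message); this.status = status; }
}

// BAD: the rejection is caught and discarded. The client gets 200 with an
// empty body, nothing reaches logs or metrics, and the outage is invisible.
function getOrderSwallowed(repo) {
  return async (req, res) => {
    try {
      const order = await repo.findOrder(req.params.id);
      res.status(200).json(order);
    } catch (e) {
      res.status(200).json({});
    }
  };
}

// GOOD: wrap every async handler so a rejected promise is forwarded with
// next(err) instead of becoming an unhandled rejection.
function asyncHandler(fn) {
  return (req, res, next) => Promise.resolve(fn(req, res, next)).catch(next);
}

// The handler now contains only the happy path plus explicit domain errors.
function getOrder(repo) {
  return asyncHandler(async (req, res) => {
    const order = await repo.findOrder(req.params.id);
    if (!order) throw new AppError('order not found', 404);
    res.status(200).json(order);
  });
}

// Central translator: known AppErrors map to their status; anything else is
// a 500 with a generic body. Internal details go to the log, not the client.
function errorMiddleware(log) {
  return (err, req, res, next) => {
    const status = err instanceof AppError ? err.status : 500;
    const body = status === 500 ? { error: 'internal error' } : { error: err.message };
    if (status === 500) log.push(err.message);
    res.status(status).json(body);
  };
}

// Minimal fake response recording what a client would have received.
function fakeRes() {
  const res = { statusCode: null, body: null };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (body) => { res.body = body; return res; };
  return res;
}

// Run one handler the way a router would: if it calls next(err), hand the
// error to the error middleware. Returns the fake response.
async function dispatch(handler, onError, req) {
  const res = fakeRes();
  let forwarded = null;
  const next = (err) => { forwarded = err; };
  await handler(req, res, next);
  if (forwarded) onError(forwarded, req, res, () => {});
  return res;
}

// Constructed repository: id "1" exists, "boom" fails like a dropped DB connection.
const demoRepo = {
  async findOrder(id) {
    if (id === 'boom') throw new Error('db connection reset');
    return id === '1' ? { id: '1', total: 10 } : null;
  },
};
```

Reviewing for this pattern means checking two places at once: that every `async` route is wrapped (or the framework does it for you), and that the one error translator never leaks stack traces or driver messages into the response body.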
Race conditions are invisible in testing and lethal in production. AI code almost never includes locks, transactions, or atomic operations — it assumes sequential execution.
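A deterministic model of the check-then-act race, as an added example that is not part of the original checklist. Each request handler is written as a generator; every `yield` stands for a point where real code would `await` the database, and a round-robin scheduler switches handlers at exactly those points, so the worst-case interleaving (read, read, write, write) is the one that runs every time rather than once in a thousand. The in-memory `Store`, the scheduler and the withdrawal scenario are this example's own.

```javascript
class Store {
  constructor(balances) { this.balances = { ...balances }; }
  read(id) { return this.balances[id]; }
  write(id, value) { this.balances[id] = value; }
  // Models a single conditional statement such as
  //   UPDATE accounts SET balance = balance - $1 WHERE id = $2 AND balance >= $1
  // returning the affected row count: check and update are one atomic step.
  withdrawAtomic(id, amount) {
    if (this.balances[id] < amount) return 0;
    this.balances[id] -= amount;
    return 1;
  }
}

// BAD: check-then-act across two round trips. Between the read and the
// write, another request can read the same stale balance and both succeed.
function* withdrawUnsafe(store, id, amount) {
  const balance = yield () => store.read(id);
  if (balance < amount) return false;
  yield () => store.write(id, balance - amount);
  return true;
}

// GOOD: one conditional update; the database serialises concurrent callers.
function* withdrawAtomic(store, id, amount) {
  const rows = yield () => store.withdrawAtomic(id, amount);
  return rows === 1;
}

// Round-robin scheduler: advances each handler one step per turn. The value
// yielded is a thunk representing the "database call", executed here and
// its result fed back into the generator on the next step.
function runInterleaved(handlers) {
  const state = handlers.map((g) => ({ g, input: undefined, result: undefined, done: false }));
  while (state.some((s) => !s.done)) {
    for (const s of state) {
      if (s.done) continue;
      const step = s.g.next(s.input);
      if (step.done) { s.done = true; s.result = step.value; }
      else s.input = step.value();
    }
  }
  return state.map((s) => s.result);
}

// Constructed scenario: two concurrent $70 withdrawals from a $100 account.
function raceDemo(makeHandler) {
  const store = new Store({ acct: 100 });
  const results = runInterleaved([
    makeHandler(store, 'acct', 70),
    makeHandler(store, 'acct', 70),
  ]);
  return { results, balance: store.read('acct') };
}

// Stand-alone run: the unsafe version reports two successful $70 withdrawals
// from $100 (a lost update); the atomic version rejects the second one.
console.log('unsafe', raceDemo(withdrawUnsafe));
console.log('atomic', raceDemo(withdrawAtomic));
```

The review question for any read-modify-write on shared state is whether the invariant is enforced by the store (conditional update, unique constraint, `SELECT ... FOR UPDATE` inside a transaction, or a compare-and-set) or only by an `if` in application code that another request can interleave with.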
AI-generated code doesn't think about scale. It generates N+1 queries, loads entire tables into memory, omits indexes, and runs synchronous operations inside async handlers.
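The N+1 and load-the-whole-table traps against an in-memory fake that counts round trips, as an added example that is not part of the original checklist. The query counter is the number a production query log or APM trace would show; the fixture (10 users, 1000 posts) is constructed inline and the function names are this example's own.

```javascript
// Fake database: every method is one round trip and increments db.queries.
function makeDb(users, posts) {
  const byId = new Map(users.map((u) => [u.id, u]));
  const db = { queries: 0 };
  db.findAllPosts = () => { db.queries++; return posts.slice(); };
  db.findPosts = (limit, offset) => { db.queries++; return posts.slice(offset, offset + limit); };
  db.findUserById = (id) => { db.queries++; return byId.get(id) || null; };
  // One round trip for many ids, like SELECT ... WHERE id = ANY($1).
  db.findUsersByIds = (ids) => { db.queries++; return ids.map((id) => byId.get(id)).filter(Boolean); };
  return db;
}

// BAD: one query for every post in the table, then one more per post for its
// author. Cost grows with table size, not page size, and the whole table is
// materialised in memory before the loop even starts.
function listPostsNPlusOne(db) {
  return db.findAllPosts().map((p) => ({ ...p, author: db.findUserById(p.authorId) }));
}

// GOOD: page the posts, collect the distinct author ids, fetch those in one
// query and join in memory. Two round trips for any page size.
function listPostsBatched(db, { limit = 50, offset = 0 } = {}) {
  const page = db.findPosts(limit, offset);
  const authorIds = [...new Set(page.map((p) => p.authorId))];
  const authors = new Map(db.findUsersByIds(authorIds).map((u) => [u.id, u]));
  return page.map((p) => ({ ...p, author: authors.get(p.authorId) || null }));
}

// Constructed fixture.
const USERS = Array.from({ length: 10 }, (_, i) => ({ id: i + 1, name: `user${i + 1}` }));
const POSTS = Array.from({ length: 1000 }, (_, i) => ({ id: i + 1, authorId: (i % 10) + 1, title: `post ${i + 1}` }));

// Run both against fresh counters and report what a trace would show.
function compare() {
  const a = makeDb(USERS, POSTS);
  const naive = listPostsNPlusOne(a);
  const b = makeDb(USERS, POSTS);
  const batched = listPostsBatched(b, { limit: 50, offset: 0 });
  return {
    naiveQueries: a.queries,
    naiveRows: naive.length,
    batchedQueries: b.queries,
    batchedRows: batched.length,
    sameFirstAuthor: naive[0].author.name === batched[0].author.name,
  };
}

console.log(compare());
```

When reviewing, look for any database call inside a loop or inside a `.map` callback; that shape is an N+1 regardless of which ORM hides it. The batched version also needs an index on `users.id` (normally the primary key) and on whatever `findPosts` orders by, which is the other item on this list the generated code tends to skip.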
AI generates code that works but doesn't scale as a system: god functions that do everything, missing separation of concerns, business logic in controllers, hardcoded values, no dependency injection. These look fine at first and become unmaintainable as the codebase grows.
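One feature ("register a user") split the way the item above asks for, as an added example that is not part of the original checklist: a thin controller, a service whose collaborators are injected, and a config object in place of literals. The repository, mailer and hasher are in-memory fakes so it runs stand-alone; `createUserService`, `ValidationError` and the fake names are this example's own.

```javascript
class ValidationError extends Error {}

// The god-function version this replaces does validation, bcrypt, the INSERT,
// the welcome e-mail and the HTTP response in one controller, importing the
// database client and SMTP module directly and with '12', the sender address
// and the minimum password length as literals. It cannot be unit-tested
// without a real database and mail server, and every rule change touches it.

// GOOD: business rules live in a service; collaborators are passed in, not
// imported, so production wires real ones and tests wire fakes.
function createUserService({ repo, mailer, hasher, config }) {
  return {
    async register({ email, password }) {
      if (typeof email !== 'string' || !email.includes('@')) {
        throw new ValidationError('invalid email');
      }
      if (typeof password !== 'string' || password.length < config.minPasswordLength) {
        throw new ValidationError(`password must be at least ${config.minPasswordLength} characters`);
      }
      if (await repo.findByEmail(email)) throw new ValidationError('email already registered');
      const user = await repo.insert({ email, passwordHash: await hasher.hash(password) });
      await mailer.send({ from: config.senderAddress, to: email, subject: 'Welcome' });
      return { id: user.id, email: user.email }; // never hand the hash back out
    },
  };
}

// Thin controller: translate HTTP to a service call and back. No rules here.
function registerController(service) {
  return async (req, res) => {
    try {
      res.status(201).json(await service.register(req.body));
    } catch (e) {
      if (e instanceof ValidationError) return res.status(400).json({ error: e.message });
      throw e; // anything else is for the error middleware to turn into a 500
    }
  };
}

// In-memory fakes standing in for the database, SMTP and the password hasher.
function fakeDeps() {
  const rows = [];
  const sent = [];
  return {
    rows,
    sent,
    repo: {
      async findByEmail(email) { return rows.find((r) => r.email === email) || null; },
      async insert(r) { const row = { id: rows.length + 1, ...r }; rows.push(row); return row; },
    },
    mailer: { async send(m) { sent.push(m); } },
    hasher: { async hash(p) { return `hashed(${p})`; } },
    config: { minPasswordLength: 12, senderAddress: 'noreply@example.test' },
  };
}

// Minimal response object for running the controller without a framework.
function fakeRes() {
  return {
    statusCode: null,
    body: null,
    status(c) { this.statusCode = c; return this; },
    json(b) { this.body = b; return this; },
  };
}
```

The test that becomes possible is the point: with fakes injected, the duplicate-email rule, the hashing and the welcome mail can all be asserted in milliseconds, and swapping the mailer provider or the hash cost is a wiring change rather than an edit to the rules.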
Every item below is something I've found broken in AI-generated backend code in the wild. Work through this before merging any AI-assisted PR.