
Chapter 18 · 07

The security review gate

Here's the one habit that turns all of the above from a worry into a process: before you ship, make the AI attack its own code. The model that wrote the feature can usually find the holes in it — it just won't unless you ask. Flip it from builder to adversary:

You wrote this endpoint. Now act as an attacker trying to break it.
List every way a malicious user could:
  - read or modify data they shouldn't (authorization holes)
  - inject code via input (SQL injection, XSS, command injection)
  - abuse missing validation or rate limits
For each, show the exact request that exploits it, then the fix.
Don't reassure me — assume there IS a vulnerability and find it.

That last line matters: left neutral, the AI tends to say "looks secure!" Told to assume a flaw exists, it actually goes looking. Pair the adversarial pass with a short pre-ship checklist you run on anything user-facing:

  • Every endpoint checks authorization, not just that the user is logged in
  • All database queries are parameterized — no string-built SQL
  • User input rendered to the page is escaped (no raw HTML injection)
  • No secrets in client code, and none committed to the repo
  • .env is gitignored; any leaked key has been rotated
  • File uploads validate type and size and use generated names
  • New dependencies were eyeballed for real existence and reputation

And run a secret scanner before you push — a tool like gitleaks (or your platform's built-in scanning) greps your code and history for things shaped like keys. It's a one-command safety net for the most expensive mistake on the list, and you can have the AI wire it into CI so it runs on every push.
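
The first two checklist items as a before/after pair, using Python and an in-memory SQLite database. This is an added example, not code from the handbook; the invoices table, the function names and the sample rows are constructed for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data: two users, one invoice each.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE invoices (id INTEGER PRIMARY KEY, owner TEXT, amount INTEGER)")
    db.executemany("INSERT INTO invoices VALUES (?, ?, ?)",
                   [(1, "alice", 120), (2, "bob", 75)])
    return db

def get_invoice_login_only(db, session_user, invoice_id):
    # BEFORE: only checks that someone is logged in, then trusts the id.
    if session_user is None:
        raise PermissionError("login required")
    return db.execute("SELECT id, owner, amount FROM invoices WHERE id = ?",
                      (invoice_id,)).fetchone()

def get_invoice_authorized(db, session_user, invoice_id):
    # AFTER: ownership is part of the query, so another user's row is never returned.
    if session_user is None:
        raise PermissionError("login required")
    return db.execute(
        "SELECT id, owner, amount FROM invoices WHERE id = ? AND owner = ?",
        (invoice_id, session_user)).fetchone()

def find_by_owner_string_built(db, owner):
    # BEFORE: input is concatenated into the SQL text and can change the query.
    sql = "SELECT id FROM invoices WHERE owner = '" + owner + "' ORDER BY id"
    return [row[0] for row in db.execute(sql)]

def find_by_owner_parameterized(db, owner):
    # AFTER: input is bound as a value; quotes in it are just characters.
    return [row[0] for row in db.execute(
        "SELECT id FROM invoices WHERE owner = ? ORDER BY id", (owner,))]

if __name__ == "__main__":
    db = make_db()
    print(get_invoice_login_only(db, "bob", 1))      # bob sees alice's row
    print(get_invoice_authorized(db, "bob", 1))      # None
    crafted = "x' OR '1'='1"                         # constructed test input
    print(find_by_owner_string_built(db, crafted))   # every invoice id
    print(find_by_owner_parameterized(db, crafted))  # []
```

Both lookups pass a "logged in" check; only the one that ties the row to the session user enforces authorization, which is the distinction the checklist draws.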
