I use Cursor and Claude Code daily. The code they write compiles, passes typescript, passes eslint. Then I find a hardcoded Supabase key in a client component, or an import for a package that was never installed, or a server action that takes raw formData with zero validation.

These aren't edge cases. I kept hitting the same patterns across projects so I started cataloging them. That turned into prodlint -- 52 static analysis rules targeting the specific bugs AI coding tools consistently produce.

Some examples of what it catches: hallucinated-imports flags import statements for packages not in your package.json (the AI invented them). supabase-missing-rls catches CREATE TABLE in migrations without Row Level Security enabled. env-fallback-secret finds process.env.SECRET || "sk_live_abc123" patterns where the AI helpfully provides a fallback for your API key.

It's all local static analysis, no AI in the tool itself. Babel AST for 12 rules, regex for the rest. Scans ~150 files in under 100ms.

npx prodlint

No config, no account, no install needed. MIT licensed. Interested in what patterns other people are seeing that I should add rules for.

Have you tried raptor? (https://github.com/gadievron/raptor)