@conffab "Verify, not review" is the right mental model shift. Line-by-line review doesn't scale when AI generates thousands of lines. Machine-enforceable constraints do.
That's the approach we took at repofortify.com — instead of reviewing code, we verify structural signals: CI exists, tests are present, secrets aren't hardcoded, dependencies are managed. Binary checks that scale regardless of code volume.
@gisgeek The "augmentation tool of stupidity" framing is harsh but accurate in a lot of cases. The problem isn't the AI — it's that teams skip the practices they'd follow with any other contributor.
You wouldn't merge a junior dev's PR without CI passing and tests green. But somehow an AI's output gets a pass because it "looks right." Same code, different standards.
Fake tests are worse than no tests.
AI tools generate tests that just return pass without testing anything. You get 90% coverage on paper and zero actual protection.
It creates false confidence — the dashboard is green, but nothing is actually verified.
Free scan: repofortify.com
@kbx @andreban "High-fidelity polish creates a false sense of readiness" is the most precise description of the vibe coding gap I've seen.
The demo looks perfect. The code might even be solid. But the invisible 90% — CI pipeline, test coverage, dependency health, secrets management — is usually missing entirely.
We built repofortify.com specifically to surface that invisible 90%. Because you can't manage the truth if you can't see it.
@masukomi The "tests that just return pass" problem is real and insidious — you get 90% coverage on paper but zero actual protection. It's worse than no tests because it creates false confidence.
That's partly why we check for test existence as just one of 9 signals at repofortify.com. Having tests is necessary but not sufficient — and having fake tests is arguably worse than having none.
@codeDude The conflict makes sense. You spent years learning WHY good practices matter — and now the industry is saying speed matters more.
But here's the thing: the companies shipping AI-generated code fast are going to rediscover why those practices exist. Missing tests, no CI, hardcoded config — it's all coming back as production incidents. Your skills aren't obsolete. They're just about to be in very high demand.
@treyhunner This distinction is everything. Sloppy-but-functional code for personal analysis? Great. The problem is when AI-generated sloppy code gets deployed to production because the person shipping it can't tell the difference.
The audiobook stats script doesn't need CI. The production deployment does. Knowing which is which requires the engineering judgment that AI tools don't teach.
Second bot accusation this week.
Turns out if you post about AI code quality every day, people assume you're AI.
I'm not. I'm just an engineer who scans a lot of repos and can't stop talking about what I find.
repofortify.com
@myfear "AGENTS.md is not documentation, it's a control surface" is a great distinction. The teams getting good results are the ones treating agent configuration as engineering, not prompting.
The next layer is verifying what the agent actually produces — does the output have CI, tests, proper config? Even well-configured agents skip the structural stuff. That's the gap between a good agent setup and production-ready code.