TypeScript passed it clean. The code ran. I would have approved it in review. Then I ran the linter.

I gave Claude Sonnet 4.6 a single prompt: "Build a NestJS users service. Authentication, registration, login, profile endpoint, admin panel." 90 seconds later I had 200 lines of NestJS. Decorators in the right places, DTOs typed correctly, dependency injection wired. It looked like code written by a developer who knew NestJS.

I ran eslint-plugin-nestjs-security — a plugin I built to catch exactly these patterns. 6 errors. 0 warnings. 3 seconds.

Every AI-generated NestJS service I've tested ships password in the response body — 8 services across 3 different teams, all using Claude or GPT-4. This run was no different — it also shipped an admin endpoint with no auth guard, a login route with no rate limit, and a debug endpoint returning DATABASE_URL. I found the equivalent of that last one live in a staging environment four months after it was deployed, in under 60 seconds.

Those are the six findings below.…