Skip to main content

AI Coding Guidelines

These are team-wide guidelines for using AI tools at Aliz. They apply regardless of which tool you're using.

Core Principlesโ€‹

  • Treat output as a draft, not a deliverable. AI-generated code needs the same review as a PR from a new team member.
  • You own the code. If AI writes it and you accept it, it's yours โ€” bugs, security holes, and all.
  • Context quality determines output quality. Vague prompts produce vague code. The more specific the input, the more useful the output.
  • Don't let AI bypass your process. AI-generated code still goes through code review, testing, and security considerations.

Context Managementโ€‹

Give the AI what it needs to help you well:

  • Keep the relevant files open in the editor's context window.
  • Use workspace instruction files for persistent, repo-level context โ€” see Prompt Engineering.
  • Break large tasks into focused sub-tasks โ€” "refactor this one function" beats "rewrite the whole module."
  • Provide concrete inputs: types, interfaces, error messages, test cases โ€” not vague descriptions.
tip

The more specific the context you give, the less the model has to guess, and the fewer hallucinations you'll get.

Reviewing AI Outputโ€‹

  • Read every line. Skimming is how bugs get through.
  • Check specifically for: correctness, edge cases, error handling, security, and style consistency with the rest of the codebase.
  • Run the existing test suite after accepting changes.
  • For larger AI-driven changes, run git diff before staging to review the full set of changes.

Security Considerationsโ€‹

Protecting Sensitive Informationโ€‹

danger

Never paste secrets, API keys, credentials, or PII into any AI prompt โ€” not even "just for context." This applies to all third-party AI tools, whether browser-based or in-editor.

Be cautious with NDA-bound client code and proprietary business logic. Check with your manager before using any AI tools on client projects or with proprietary code.

AI-Generated Code Security Risksโ€‹

AI models are trained on the entire internet, including insecure code. Common pitfalls to watch for:

  • SQL injection via string interpolation
  • Missing input validation and sanitization
  • Hardcoded credentials or tokens
  • Overly permissive CORS configuration

Watch for hallucinated package names โ€” AI may suggest an npm install for a package that doesn't exist or, worse, is a typosquatted malicious package. Always verify package names on npmjs.com before installing.

caution

AI training data has a cutoff date. Code for rapidly-changing APIs (cloud SDKs, third-party integrations) may reference outdated patterns. Cross-check generated code against the official docs of whatever library or API is involved.

Content Exclusionsโ€‹

GitHub Copilot supports content exclusions โ€” organization-level rules that prevent certain files or repositories from being used as Copilot context. Excluded content won't appear in completions or chat responses.

This is configured by organization admins in GitHub.com โ†’ Organization Settings โ†’ Copilot โ†’ Content Exclusions, using patterns similar to .gitignore:

# Exclude sensitive directories
internal/secrets/**
config/production/**
**/credentials.*

Content exclusions operate at the GitHub organization level โ€” individual developers don't need to configure anything locally. If you notice Copilot not suggesting completions for certain files, content exclusions may be the reason.

tip

If your project contains files that should never be sent to AI tools (credentials, proprietary algorithms, compliance-sensitive data), ask your org admin to add them to the content exclusion list rather than relying on individual developers to remember not to reference them.

When AI Helps Mostโ€‹

  • Boilerplate and scaffolding โ€” CRUD routes, form components, test stubs
  • Writing and expanding tests, especially generating edge-case inputs
  • Explaining unfamiliar code or third-party libraries
  • Writing and improving documentation and code comments
  • Refactoring well-understood, well-tested code
  • One-off scripts โ€” data migrations, file processing, CI helpers

When to Be More Carefulโ€‹

  • Complex domain logic with subtle business invariants
  • Security-sensitive code โ€” auth, authorization, cryptography
  • Performance-critical paths where algorithmic choices matter
  • Anything that touches PII, payments, or compliance-regulated data