Lessons Ledger

Institutional memory from past incidents, reviews, and patterns

Lessons Learned

CIC Passes Guided

Actively Consulted

Hardcoded credentials in test files trigger security findings

Active

Even in tests, API keys and secrets should come from environment variables or explicit test fixtures.

securityhigh🔥2

First seen: Feb 4, 2026Last triggered: Feb 10, 2026

Contributed by sara-chen

5CIC passes guided

Webhook retry logic needs test coverage for edge cases

Active

Network timeouts, 5xx responses, and deserialization errors all need explicit test coverage. Happy-path-only tests mask production failures.

test-coveragelow🔥1

First seen: Feb 3, 2026Last triggered: Feb 3, 2026

Contributed by priya-k

2CIC passes guided

Billing service patterns should not be copy-pasted

Active

Duplicated logic across billing-report.ts and churn-report.ts creates maintenance burden. Shared patterns belong in a common module.

code-hygienemedium🔥4

First seen: Feb 2, 2026Last triggered: Feb 14, 2026

Contributed by marcus-webb

6CIC passes guided

Sprint deadline shortcuts accumulate CIC warnings

Active

Silent WARN accumulation across multiple PRs in the same service is a leading indicator of architecture drift. Weekly WARN count reviews should be mandatory.

sprint-debtmedium🔥5

First seen: Feb 1, 2026Last triggered: Feb 15, 2026

Contributed by sara-chen

12CIC passes guided

AI refactors in auth require integration test coverage

Active

Ghost files introduced by AI refactors can silently remove critical validation. All auth middleware changes must include integration tests covering all validation paths.

auth-incidenthigh🔥3

First seen: Jan 25, 2026Last triggered: Feb 5, 2026

Contributed by sara-chen

7CIC passes guided

Ghost files must be detected before merge

Active

Files created by AI refactors but not imported anywhere should block the PR at review time, not at release time.

auth-incidenthigh🔥2

First seen: Jan 25, 2026Last triggered: Jan 26, 2026

Contributed by sara-chen

4CIC passes guided