code/ai-demo-disclaimer
“Not production-ready” disclaimer left in code
What it detects
A generated disclaimer ("in a real application you would…", "for demonstration purposes only", "this is a simplified example", "don't do this in production") signals the surrounding code was scaffolded, not hardened — frequently next to a missing check or an insecure shortcut. Review the adjacent code for the control the comment admits is absent.
How it runs
Applied line-by-line across source files, INCLUDING comments (the disclaimers and TODO markers are the signal). Matches placeholder credential literals, deferred-security TODO/FIXME comments, "not for production" disclaimers, and swallowed exceptions. The detector's own rule prose is skipped so the scanner doesn't flag itself.
Found a false positive or want this rule tuned? File an issue. You can also suppress per-repo via a .repoguardignore line.