There are a number of dimensions we often wish to obtain and monitor in our codebases: Practical correctness (works as supposed), architectural health (is quick/safe/usable sufficient), and maintainability. I outline maintainability right here as making it straightforward and low threat to vary the codebase over time – also called “inner high quality”. So I do not solely need to have the ability to make modifications rapidly right now, but additionally sooner or later. And I do not wish to fear about introducing bugs or degradation of health each time I make a change – or have AI make a change. I often see the primary indicators of cracks within the maintainability of an AI-generated codebase when the variety of recordsdata modified for a small adjustment will increase. Or when modifications begin breaking issues that used to work.
Inner high quality issues have an effect on AI brokers in comparable ways in which they have an effect on human builders. An agent working in a tangled codebase may look within the incorrect place for an current implementation, create inconsistencies as a result of it has not seen a replica, or be pressured to load extra context than a activity ought to require.
On this article, I describe my experimentation with numerous sensors that assist us and AI replicate on the maintainability of a codebase, and what I realized from that.
The appliance
I am engaged on an inner analytics dashboard for group managers that reads chat house exercise, engagement, and demographic information from a mixture of APIs and presents the information in an internet frontend.
Determine 1:
The instance app: net UI, service layer, and exterior APIs.
The tech stack is a TypeScript, NextJS, and React. The backend reads and joins information from the APIs. The appliance has been round for some time, however for the sake of those experiments I rebuilt it with AI from scratch.
There are hardly any guides (e.g. markdown recordsdata) for AI about code high quality and maintainability current, I wished to see how effectively it might probably just do by counting on sensor suggestions.
Overview of all sensors used
Determine 2:
The place sensors can run: through the preliminary coding session, within the pipeline, on a schedule, and in manufacturing.
That is an outline of the sensors I arrange throughout the trail to manufacturing.
Throughout coding session
Sensors that run repeatedly alongside the agent to supply quick suggestions.
- Sort checker (computational)
- ESLint (computational)
- Semgrep, SAST software prescribed by our inner AppSec workforce (computational)
- dependency-cruiser, runs structural guidelines to examine inner module dependencies (computational)
- Take a look at suite outcomes together with take a look at protection (computational – although the take a look at suite is generated by AI, subsequently created in an inferential manner)
- Incremental mutation testing (computational)
- GitLeaks runs as a part of the pre-commit hook, I take into account it to be a sensor as effectively, as it is going to give the agent suggestions when it tries to commit (computational)
After integration – pipeline
The identical computational sensors run once more in CI. The in-session sensors give the agent early suggestions throughout improvement. The CI pipeline confirms the consequence on clear infrastructure and after integration.
Repeatedly
Sensors that run on a slower cadence to detect drift that accumulates over time, relatively than errors that happen within the second.
- A safety assessment, immediate derived from our AppSec guidelines for inner purposes (inferential)
- A knowledge dealing with assessment, immediate describes issues like “no person names ought to ever be despatched to the net frontend” (inferential)
- Dependency freshness report, which runs a script first to get the age and exercise of the library dependencies, after which has AI create a report with suggestions about potential upgrades, deprecations, and so on (computational and inferential)
- Modularity and coupling assessment (computational and inferential)
With this context out of the way in which, let’s dive into the primary class of sensors.
Base harnesses and fashions
All through constructing the applying, I used a mixture of Cursor, Claude Code, and OpenCode (in that order of frequency). My default mannequin was often Claude Sonnet, for among the planning and evaluation duties I used Claude Opus, and for implementation duties I often used Cursor’s composer-2 mannequin.
Static code evaluation: Primary linting
I am going to begin with my learnings from utilizing ESLint on this software. Primary linting instruments like ESLint largely goal maintainability threat on the degree of particular person recordsdata and features.
Guidelines for typical AI shortcomings
In my expertise, the AI failure modes which might be essentially the most low-hanging fruit for static code evaluation are
- Max variety of arguments for features
- File size
- Perform size
- Cyclomatic complexity
Nonetheless, these weren’t even lively in ESLint’s default preset, I needed to configure maximums for them first. Hopefully, static evaluation instruments will evolve to supply higher presets for utilization with AI. A little bit of analysis exhibits that individuals are additionally beginning to publish ESLint plugins with rule units which might be particularly focusing on recognized agent failure modes, like this one by Manufacturing facility, with guidelines about issues like requiring take a look at recordsdata or structured logging.
Steerage for self-correction
A sensor is supposed to present the agent suggestions in order that it might probably self-correct. Ideally, we wish to give the agent additional context for that self-correction – a great form of immediate injection. To try this, I constructed a customized ESLint formatter to override among the default messages – with the assistance of AI after all, naturally.
Right here is an instance of my steerage for the no-explicit-any warning.
We wish issues to be typed to make it simpler to keep away from errors, particularly for key ideas. However we additionally wish to keep away from cluttering our codebase with pointless varieties. Make a judgment name about this. If you happen to select to not introduce a kind, suppress it with: // eslint-disable-next-line @typescript-eslint/no-explicit-any -- (give purpose why)`,
Managing warnings – now extra possible?
Static code evaluation has been round for a very long time, and but, groups usually did not use it persistently, even once they had it arrange. One of many causes for that’s the administration overhead that comes with it. Efficient use of this evaluation requires a workforce to maintain a “clear home”, in any other case the metrics simply grow to be noise. Particularly warnings just like the no-explicit-any instance above are tough, since you do not all the time wish to repair them – it relies upon. And suppressing them one after the other has all the time felt tedious, and like noise within the code.
With coding brokers, we would now have an opportunity at that clear baseline. Within the steerage textual content above, the agent is advised to make a judgment name, and allowed to suppress a warning within the code. This retains the suppressions manageable, seen and reviewable.
For thresholds, like the utmost variety of strains, or the utmost allowed cyclomatic complexity, I advised the agent within the lint message that it could barely improve the thresholds if it thinks {that a} refactoring is pointless or inconceivable in a selected case. This does not suppress the edge without end, simply will increase it, in order that the rule fires once more if it will get even worse sooner or later. Constraints are preserved with out forcing a binary suppress-or-comply alternative.
Observations
- Wanting on the exceptions AI created (suppressed warnings, elevated thresholds) was a great level to begin my code assessment.
- AI often determined to extend the cyclomatic complexity threshold, however recommended good refactorings after I nudged it additional. It was the one class the place it did that, and I later found that I did not have a self-correction steerage in place for this one, so there was no specific instruction saying {that a} threshold improve needs to be absolutely the exception. That is an indicator that the customized lint messages can certainly make fairly a distinction.
- Typically I wish to deal with guidelines otherwise in several elements of the code. Let’s take
no-console, telling AI off when it makes use ofconsole.log. Within the backend, I would like it to make use of a logger part as an alternative. Within the frontend, I would wish to not use direct logging in any respect, or on the very least I want to make use of a distinct logging part. That is one other instance of the facility of the self-correction steerage, and the place AI will help with semantic judgment and administration of study warnings. - I used to be watching out for examples of trade-offs between guidelines. The one one I’ve seen thus far was created by the
max-linesandmax-lines-per-functionguidelines. I’ve seen AI do fairly a little bit of helpful refactoring and breakdown into smaller features and parts on account of this sensor suggestions. Nonetheless, within the React frontend, I am seeing a worrying development of parts with heaps and plenty of properties on account of passing values by way of a rising chain of smaller and smaller parts. I have not obtained helpful observations but about how good AI may be at making constant choices between tradeoffs like that.
Major takeaways
General, I used to be positively shocked by what number of issues I can cowl with static evaluation. I needed to remind myself a number of instances why it has been considerably underused previously, and what has modified: The associated fee-benefit stability. Value is lowered as a result of it is less expensive to create customized scripts and guidelines with AI. And the profit has additionally elevated: the evaluation outcomes assist me get a primary sense of plenty of hygiene elements that would not even occur that a lot after I write code myself, so I can get widespread AI errors out of the way in which.
Nonetheless, I am unable to assist however surprise if this could additionally result in a false sense of safety and an phantasm of high quality. In any case, another excuse why linters like this have been much less used previously is that they’ve limits, and we have now been cautious of utilizing them as a simplified indicator of high quality. There are many extra semantic features of high quality that static evaluation can’t catch, it stays to be seen if AI can adequately fill that hole in partnership with these instruments. I additionally found new supposed points within the code each time I activated a brand new algorithm. It was all the time a mixture of irrelevant issues and issues that truly matter. So I fear about suggestions overload for the agent, sending it right into a spiral of over-engineered refactorings.
Static code evaluation: Dependency guidelines
Primary linting is usually focussed on high quality and complexity inside a file or perform. Subsequent I began wanting into sensors that might give me and the agent suggestions about maintainability considerations that cross file and module boundaries. Evaluation instruments on this space are traditionally much more underused than the essential linting.
To study concerning the potential of sensors that may assist us and AI sustain good modularity within a codebase, I explored three issues:
- Dependency guidelines (deterministic)
- Coupling evaluation (deterministic and inferential)
- Modularity assessment (inferential)
Let’s begin with dependency guidelines. I labored with the agent to give you a layered module construction for my software, about half manner by way of implementing it. I requested it to assist me write dependency-cruiser guidelines to implement these layers.
Determine 3:
Layered module construction and dependency guidelines
For instance, one of many guidelines enforces that code within the shoppers folder by no means imports something from the companies folder:
{
title: “clients-no-services”,
remark:
“API shoppers should not rely upon the orchestration layer above them. “ + LAYERS,
severity: “error”,
from: { path: “^server/shoppers/”, pathNot: “/__tests__/” },
to: { path: “^server/companies/” },
},
As with the ESLint messages, I additionally expanded the error messages a bit to be self-correction steerage, recapping the layering idea as an entire:
ERROR clients-no-services API shoppers should not rely upon the orchestration layer above them. [Layers: routes -> services -> clients + domain; Services orchestrate: fetch data via clients, compute via domain -- no I/O, no SDKs, no knowledge of data fetching.]
Observations
- With out AI, I might not have gotten these guidelines in place rapidly. The software’s configuration syntax has a steep entry value, and AI absorbed that value nearly fully.
- The agent violated the foundations a handful of instances after I launched them, after which self-corrected primarily based on
dependency-cruisersuggestions, so it did assist hold my folder ideas. - I additionally used the identical method to introduce conventions for a way React hooks needs to be structured within the frontend.
- I had to determine methods to catch issues when AI begins creating new folders outdoors of this construction, with a rule that requires each new file to be someplace within the predefined folder construction.
Major takeaways
On the level after I launched these guidelines, the structuring of code into folders had already grow to be a bit bit haphazard. I might see how the foundations helped the agent clear that up, after which proceed implement these layers going ahead. So I’ve discovered it fairly a helpful alternative for describing code construction in a markdown information. Nonetheless, instruments like this are restricted to what’s expressible through imports, file names, and folder construction.
Static code evaluation: Coupling information
Subsequent, I experimented with the extraction of typical coupling metrics from my codebase, i.e. the variety of incoming and outgoing imports and calls per file.
I did not use any current instruments for this, as an alternative I had a coding agent write an software that creates these metrics with the assistance of the typescript compiler, in order that I might have most flexibility to mess around with this as a part of my experimentation. I had it add two interfaces: An internet interface with a bunch of various visualisations of these metrics for my very own human consumption. And a CLI that may present these metrics to a coding agent.
Determine 4:
Coupling metrics: net visualisations and CLI for brokers.
For human consumption
Most of those visualisations are effectively established ideas, like a dependency construction matrix (DSM). I discovered them tedious to interpret, and though they have been vibe coded and will most definitely be improved, I feel that had extra to do with the character of the information. It is fairly detailed information that wants loads of context and expertise to interpret it, and map it again to extra excessive degree good practices. So I’ve a sense that these kind of instruments nonetheless will not actually assist scale back a human’s cognitive load a lot when reviewing codebases that have been modified by AI.
For AI consumption
I gave an agent entry to this practice CLI (coupling-analyser) and requested it to create a report primarily based on the information, together with ideas of methods to enhance the vital points.
Right here is an excerpt of what that immediate seemed like – I am primarily reproducing this to point out you that I did not really give it a lot steerage on what good or unhealthy modularity appears to be like like, I largely delegated to the mannequin to interpret what good and unhealthy appears to be like like:
Produce a markdown report on modularity and coupling high quality for the goal TypeScript codebase, grounded in precise CLI output from npx coupling-analyser, not guesswork from static shopping alone.
Collect proof (run the CLI)
Execute the CLI and seize stdout. Use the report subcommands—mix as helpful for the query:
…
Write the markdown report
Use clear headings. Want concrete module IDs / paths and numbers quoted or paraphrased from CLI output.
Instructed sections:
-
Context — What was analyzed
-
Government abstract — 2–5 bullets: general modularity posture, prime 1–3 systemic points.
-
Findings from the software — Summarize hotspots, prime dangers, notable cycles or mutual dependencies, and behavioural highlights as reported by the CLI.
-
Interpretation (modularity lens) — Tie metrics to software program design: cohesion vs. unfold of change, stability vs. dependency path, fan-in/fan-out instinct, cycle influence.
-
Deep dives for every excessive and important problem
- What it’s — Module(s), position within the system, dependency neighbours (from CLI + minimal code peek if wanted).
- Duties right now …
- Why it hurts …
- Design choices (2+ the place cheap) …
- Why the brand new design is healthier — Fewer cycles, clearer dependency path, smaller surfaces, take a look at seams, align with seemingly change vectors.
- Future change threat — How every choice reduces regression threat and makes secure evolution cheaper (concrete situations: “including X”, “swapping Y”, “transport Z independently”).
…
This LLM-led evaluation really pointed me to the identical coupling scorching spots that I might have discovered by wanting by way of the visible diagrams, simply in a format that was extra digestible. And asking the LLM to floor its evaluation within the outcomes from the deterministic software gave me the next degree of confidence, and possibly additionally used much less time and tokens than if the agent had scanned the codebase itself to search out coupling issues.
Observations
What the LLM discovered primarily based on this information was fairly lackluster (I used Claude Opus 4.7 for this):
- It mentioned one of many largest points was a manufacturing facility that initialises all the mandatory parts, however I had launched that manufacturing facility on function as a part that acts like a light-weight dependency injection framework.
- One other problem it had was with a shared (
zod) schema between frontend and backend, declared a “god module” by the LLM. It is a widespread sample although to create an specific contract between backend and frontend, and isn’t as a lot of a difficulty when backend and frontend evolve collectively anyway, and even reside collectively in the identical repo, like in my case. - When official patterns seem as high-coupling hubs, there must be a technique to suppress these in future analyses, in any other case they create much more noise.
- The one form of fascinating discovering it had: An
index.tsfile within the area folder indiscriminately uncovered all recordsdata in./area, and is imported by plenty of locations. Whereas that can also be a typical sample to create specific contracts for a layer, it does have its professionals and cons, and is at the very least value an investigation to see whether it is acceptable for this codebase.
Major takeaways
The examples above present that much more so than with the essential linting, good and unhealthy doesn’t have a transparent definition, as an alternative it’s all about what’s acceptable. And what coupling is acceptable relies on loads of context, not simply the uncooked name and import graph of a codebase. So primarily based on this small experiment, I haven’t got the impression that such a coupling information is helpful to AI by itself.
A extra sensible use I can think about for this information is throughout threat triage for code assessment. Once I assessment a code change made by AI, it appears helpful to know what the influence radius of the modified recordsdata is, in order that I will pay extra consideration when e.g. a file with 10+ callers is modified. Or an AI assessment agent might use the information to prioritise the place it spends its tokens.
Static code evaluation: AI modularity assessment
The lackluster outcomes from the coupling information experiment might have a number of causes:
- My immediate about what to analyse was not very particular
- The coupling information isn’t helpful to AI
- The coupling information solely is just too shallow and lacks context of the complete code
So the ultimate factor I did was to go absolutely down the inferential route and use Vlad Khononov’s “Modularity Expertise” to analyse the codebase design and discover modularity points. This proved to be very fruitful! It gave me plenty of fascinating pointers for refactorings that may clearly scale back the chance of future modifications. I ran the talents a second time and gave them entry to my coupling evaluation CLI. The AI largely discovered affirmation within the information, however not any further findings. Quite the opposite, it identified plenty of issues that the CLI was lacking. It is also value noting that the second run of the evaluation (with out context of the primary one) surfaced one more problem that the primary run didn’t discover. A helpful reminder that when it issues, it is usually value working an LLM-based evaluation a number of instances, to get a fuller image.
Observations
Listed here are some highlights from the outcomes (mannequin used was Claude Opus 4.7, identical as for the coupling evaluation):
- Duplicate route code – all my three backend endpoints had their very own route file, and every of these route implementations was nearly similar. So every time I might wish to introduce a change to the final ideas of the backend API (for instance introducing a request ID, or altering the error dealing with or logging method), I would need to do it in a number of recordsdata. I had solely simply launched a 3rd endpoint, so I feel it is truthful sufficient that this wasn’t abstracted out but. However in my expertise, AI brokers often do not go forward and begin refactoring with out an specific nudge once they repeat a chunk of code for the third or fourth time, they’re fairly completely happy to repeat and paste.
- Inconsistency in calling the backend – or put one other manner, one more type of semantic duplication. I’ve 3 pages within the software that must name the backend with the identical set of parameters (chosen chat house, and which date vary to analyse). Two of these pages have been utilizing the identical hook and basic method to do that, however when AI launched the third web page, it deviated from that and reimplemented comparable behaviour in its personal manner. This will e.g. result in inconsistencies in error dealing with, or once more the necessity to change a number of recordsdata when backend API ideas change.
- Inefficient dealing with of the core arguments – As simply talked about, all of the pages within the software cross on a chat house ID and a date vary to the backend. I had already seen after I modified the way in which a person can specify a date vary that AI needed to change a lot of recordsdata for that change – over 40! So I used to be already conscious that one thing was fishy right here, and the evaluation confirmed it: “Situation: Request parameters repeated at each degree”. The advice was to introduce an object that wraps all of those parameters. AI had already finished that in a manner – however by no means absolutely adopted by way of with the utilization of that object, so it was an inconsistent mess.
- Duties within the incorrect place – The assessment discovered a little bit of authentication code sitting inside our manufacturing facility that was speculated to solely be answerable for wiring up our modules. It carried out a fallback to mock information when the person isn’t authenticated. An sudden location like that creates a threat of being missed when new routes are added.
- Higher interpretation of acceptable high-import-count “hubs” – Keep in mind the “god lessons” discovered by my earlier coupling evaluation? The modularity expertise additionally seen these, however in each circumstances properly identified that they’ve a function within the context of this software. I assume that’s both because of the good prompting in these expertise, or because of the truth that this evaluation really learn what was within the code, whereas I requested the opposite one to solely depend on the coupling information.
Major takeaways
- Dependency parsers like
dependency-cruisermight be efficient reside sensors to implement some primary folder buildings and dependency instructions, however they will solely go thus far. - The AI modularity assessment is a good instance of “rubbish assortment”, and labored fairly effectively when given highly effective prompts. Grounding it in precise coupling information did not appear to make a lot distinction. It could be nice to discover a technique to apply this to the modified recordsdata in a commit, to have this earlier within the pipeline, however I didn’t discover this but.
- I ran the modularity assessment after constructing a lot of the codebase with out making use of that sort of assessment myself – and it had some fairly regarding and really legitimate findings that may have elevated threat sooner or later. It exhibits that with out human assessment and coupling experience, AND with out these additional AI evaluations, the agent was undoubtedly compounding inadvertent technical debt.
General, codebase design and modularity looks as if a priority the place computational sensors alone can’t assist us a lot, AI is required so as to add semantic interpretation, and take into account trade-offs.
