My AI-Assisted Development Policy

My AI-Assisted
Development Policy

I use AI coding tools every day — Cursor, Claude, Copilot, ChatGPT — and they've made me significantly more productive. But over the past year, I've developed a clear set of principles for using them responsibly. This is my personal framework.

✓ AI-Assisted: Yes ✗ Blind Copy-Paste: Never Standard: Non-Negotiable

Core Philosophy

I'm fully on board with using AI to write code. I use Cursor, Claude, Copilot, and ChatGPT daily, and they've made me significantly faster. But I've learned — sometimes the hard way — that there's a critical line between AI-assisted development and simply being a copy-paste relay for model output.

The distinction matters: AI-assisted means I understand every line, I've tested the logic, and I can defend my decisions. AI-proxied means I hit "accept all" and hoped for the best. The first approach multiplies my productivity. The second is a liability I refuse to ship.

No matter what tools helped produce the code, I am the sole responsible author of everything I submit — the logic, the design choices, and the trade-offs.

The Five Rules I Follow

🔬

Rule 1 — Prove It Works

AI writes code that looks plausible but fails at runtime more often than you'd think. "It compiled" or "no red squiggles" is never enough for me.

Must

Every PR I submit with functional changes includes local test output — pytest, npm test, cargo test, or screenshots. No exceptions.

Must

Non-trivial changes get discussed first — in a GitHub issue, team chat, or design doc. The PR always references that discussion.

Must

Any algorithm I implement references an authoritative source — a paper, official docs, or a proven library. I don't trust AI to invent algorithms.

Red Flag

If I can't show test output for complex logic, the PR stays in draft until I can.

🚫

Rule 2 — No Hallucinations, No Reinventing

I've watched AI confidently explain code that was already deleted, reinvent utilities that exist three files away, and write comments about variables that don't exist. I actively guard against this.

Must

Use what already exists in the codebase — utilities, shared patterns, established conventions. I don't let AI reinvent the wheel.

Red Flag

Ghost comments — comments describing logic that was removed or never existed. I treat this as a sign the code wasn't properly reviewed.

Red Flag

Noise comments like // returns the result or // loop through the array. If my code has these, it means I got lazy and accepted AI output without reading it.

Red Flag

Ignoring language idioms — unwrap() in Rust library code, bare except: in Python, any everywhere in TypeScript. These are tell-tale signs of unreviewed output.

🧠

Rule 3 — If I Wrote It, I Can Explain It

This is the simplest rule and the most important one. If someone asks me about a function I submitted, I can walk through it line by line.

Must

I can explain the logic, justify the design, derive the math, and identify edge cases for every function I submit. Not from memory — but from genuine understanding.

Red Flag

"That's what the AI generated" or "I don't know, it passes tests" — if I ever catch myself thinking this, the code goes back for a rewrite.

Note

This doesn't mean memorizing every line. It means I've read, understood, and can discuss the code as confidently as if I'd written it by hand.

🏗️

Rule 4 — I Own the Architecture

AI is great at writing individual functions, but it tends to over-architect. Module boundaries, API design, data modeling — those decisions come from me, not the model.

Must

Structural decisions — module boundaries, API surfaces, data modeling, dependency choices — are mine. I don't blindly accept AI suggestions for architecture.

Must

When AI suggests a significant structural change, I document why I accepted or modified it in the PR description.

Red Flag

Unnecessary abstractions, factory-of-factories, over-engineered patterns with no justification — I reject these as "AI-driven complexity."

🔒

Rule 5 — Security Is My Responsibility

AI has no concept of my security context. It doesn't know what's sensitive, what's public, or what could go wrong. I treat security-touching code with extra care.

Must

I never paste proprietary code, secrets, API keys, or user data into AI prompts unless I'm using enterprise-tier tools with data guarantees.

Must

Any AI-generated code touching authentication, authorization, cryptography, or financial logic gets a manual line-by-line review from me.

Red Flag

Submitting security-critical AI-generated code without explicit review notes is something I consider a personal violation of my own standards.

How I Disclose AI Usage

I believe transparency builds trust. When I use AI in my work, I'm upfront about it — not because it's shameful, but because it gives reviewers the right context to evaluate my code.

Minimal AI

Autocompletion, typo fixes, boilerplate scaffolding. I wrote the core logic myself.

Significant AI

AI drafted major sections. I reviewed every line, understood the approach, tested it, and modified where needed.

Fully Generated

AI produced most of the code. I hold this to extra scrutiny and can still explain every piece of it.

My Code Review Checklist

When I review code — my own or someone else's — here's what I specifically look for to catch low-effort AI output:

📝 Suspiciously Polished PR Descriptions

If the PR description is 300+ words with generic H2 headers and no specific file references

Then I flag it — a good PR description is concise and references specific changes

👻 Hallucinated Patterns

If code reinvents existing utilities or uses names like data, process_item

Then I ask for a refactor using existing code and domain-specific naming

✅ Missing Proof of Execution

If no test output, no linked issue, no reference for algorithms

Then I request the missing artifacts before continuing review

🔍 Ghost Comments & Noise

If comments reference nonexistent variables or just restate the function name

Then I flag it as AI hallucination and ask for cleanup

⚙️ Broken Language Idioms

If code ignores language best practices — sloppy error handling, unnecessary cloning, missing docs

Then I request fixes per the language's idiomatic style

🛡️ Security-Sensitive Code

If PR touches auth, crypto, validation, or financial logic without security review notes

Then I block merge until security review is documented

Anti-Patterns I've Learned to Avoid

🍝 The "Spaghetti Dump"

A massive PR that spans dozens of files, clearly generated in one long AI session with zero incremental thought. Usually full of duplicated logic and inconsistent naming. I've done this once — never again.

🏰 The "Castle in the Sky"

Over-engineered abstractions no one asked for — factory-of-factories, premature generalization, design patterns for their own sake. AI loves to architect. I've learned to keep it grounded.

🦜 The "Parrot"

Every function has a comment that restates its name. // Gets the user above getUser(). AI loves narrating the obvious — I strip this noise out before committing.

🎭 The "Confidence Mask"

Beautifully formatted code with eloquent commit messages that hides a total lack of understanding. Breaks on the first edge case. If I can't answer basic questions about my own PR, something went wrong.

My Best Practices

Read before I commit. I go through every line the AI generates. If I can't explain a block to a teammate, it doesn't get submitted.

AI accelerates, I decide. I let AI handle boilerplate, first drafts, and pattern matching. Architecture, edge cases, and security stay in my hands.

Test the unhappy paths. AI-generated code has a "happy path bias" — it writes for the ideal scenario. I specifically write tests for edge cases, error conditions, and boundary values.

Keep PRs focused. I don't dump an entire AI session into one PR. I break changes into logical, reviewable units — same discipline as hand-written code.

Review with fresh eyes. I take a break between generating and reviewing. AI output is convincing at first glance — distance helps me catch errors.

Write better prompts. The quality of AI output directly correlates with prompt quality. I invest time in providing context, constraints, and existing patterns.

Keep my fundamentals sharp. AI tools are powerful but they come and go. Debugging, system design, reading code, reasoning about complexity — these skills are permanent.

我的 AI 辅助
开发规范

我每天都在用 AI 编程工具 — Cursor、Claude、Copilot、ChatGPT — 它们确实让我的效率提高了很多。但过去一年的实践让我形成了一套清晰的使用原则。这是我的个人框架。

✓ AI 辅助：支持 ✗ 盲目复制：绝不标准：不可妥协

核心理念

我完全支持用 AI 来写代码。Cursor、Claude、Copilot、ChatGPT 我每天都在用，它们让我快了不少。但我也学到了一个教训——有时候是吃了亏才学到的——AI 辅助开发和单纯做 AI 输出的复制粘贴中转站，有本质区别。

区别在于：AI 辅助意味着我理解每一行代码、测试过逻辑、能为自己的决策辩护。AI 代理意味着我点了"全部接受"然后祈祷不出问题。前者让我效率翻倍，后者是我绝不允许自己交付的隐患。

不管用了什么工具，我就是代码的唯一责任人——逻辑、设计选择、权衡取舍，都是我的。

我遵循的五条规则

🔬

规则一 — 证明它能跑

AI 写出来的代码看着合理但跑不通的情况比想象中多得多。"编译通过了"或"没有红色波浪线"对我来说永远不够。

必须

每个包含功能修改的 PR 都要附带本地测试输出——pytest、npm test、cargo test，或截图。没有例外。

必须

非平凡的改动先讨论——GitHub Issue、团队群聊或设计文档。PR 必须引用讨论内容。

必须

算法实现必须引用权威来源——论文、官方文档或成熟的库。我不信任 AI 自己"发明"的算法。

警告

如果复杂逻辑拿不出测试结果，PR 就留在草稿状态。

🚫

规则二 — 不允许幻觉，不重复造轮子

我见过 AI 信心满满地解释已经删掉的代码、重新实现隔壁文件就有的工具函数、给不存在的变量写注释。我对这些保持警惕。

必须

用代码库里已有的工具函数、共享模式和既定约定。不让 AI 重复造轮子。

警告

幽灵注释——描述已删除或根本不存在的逻辑的注释。这说明代码没有被认真审查。

警告

噪音注释如 // 返回结果 或 // 遍历数组。如果我的代码里有这些，说明我偷懒了。

警告

无视语言惯例——Rust 库代码里的 unwrap()、Python 里裸露的 except:、TypeScript 里到处是 any。这些是未审查 AI 输出的铁证。

🧠

规则三 — 我写的代码，我能解释

最简单的规则，也是最重要的。如果有人问我提交的某个函数，我能逐行讲清楚。

必须

我能解释逻辑、推导数学、论证设计选择、识别边界情况。不是靠背诵——而是靠真正的理解。

警告

"这是 AI 生成的"或"我也不清楚，反正能跑"——如果我发现自己这么想，代码会被推翻重写。

说明

这不是要背诵每一行。而是我读过、理解了、能像讨论自己手写的代码一样讨论它。

🏗️

规则四 — 架构是我的

AI 擅长写单个函数，但喜欢过度设计。模块划分、API 设计、数据建模——这些决策由我来做，不是模型。

必须

结构性决策——模块边界、API 接口、数据模型、依赖选型——都由我做主。不盲目接受 AI 的架构建议。

必须

当 AI 建议重大结构变更时，我在 PR 描述中记录接受或修改的原因。

警告

不必要的抽象、工厂套工厂、没有理由的过度设计——我把这些归类为"AI 驱动的复杂性"，一律拒绝。

🔒

规则五 — 安全是我的责任

AI 不了解我的安全上下文。什么是敏感的、什么是公开的、什么可能出问题——它一概不知。安全相关的代码我格外小心。

必须

绝不把专有代码、密钥、API Key 或用户数据粘贴到 AI 提示中——除非使用有数据保障的企业级工具。

必须

任何涉及认证、授权、加密或金融逻辑的 AI 生成代码，都会被我逐行手动审查。

警告

提交未附带审查说明的安全关键代码——这在我自己的标准里算违规。

我如何声明 AI 使用

我相信透明建立信任。当我在工作中使用 AI 时，我会坦诚说明——不是因为丢人，而是为了给审查者提供正确的上下文。

轻度使用

自动补全、修错别字、生成样板代码。核心逻辑是我自己写的。

重度使用

AI 起草了主要部分。我逐行审查、理解思路、测试过、按需修改。

完全生成

AI 生成了大部分代码。我对此格外严格审查，且依然能解释每一部分。

我的代码审查清单

审查代码时——不管是自己的还是别人的——我专门看这些点来发现低质量的 AI 输出：

📝 过于精美的 PR 描述

如果 PR 描述超过 300 词、用了通用 H2 标题、没有具体文件引用

则我会标记——好的 PR 描述应该简洁且指向具体改动

👻 幻觉模式

如果代码重新实现了已有工具，或用 data、process_item 这种泛化命名

则我要求重构：使用已有代码和领域特定命名

✅ 缺少执行证明

如果没有测试输出、没有关联 Issue、算法没有参考来源

则审查继续之前，先补齐缺失的材料

🔍 幽灵注释与噪音

如果注释描述了不存在的变量，或只是复述函数名

则标记为 AI 幻觉，要求清理

⚙️ 违反语言惯例

如果代码不符合语言最佳实践——错误处理粗糙、不必要的拷贝、公开 API 没有文档

则要求按照语言惯例修正

🛡️ 安全敏感代码

如果 PR 涉及认证、加密、验证或金融逻辑，但没有安全审查说明

则安全审查完成前阻止合并

我学会避免的反模式

🍝 "意面倾倒"

一个巨大的 PR 跨了几十个文件，明显是一次 AI 长对话的产物，没有增量思考。通常充满重复逻辑和不一致的命名。我犯过一次这个错——不会有第二次。

🏰 "空中楼阁"

没人要求的过度抽象——工厂套工厂、为了设计模式而用设计模式、过早的泛化。AI 特别喜欢当架构师，我学会了让它脚踏实地。

🦜 "鹦鹉学舌"

每个函数上面都有一条复述函数名的注释。getUser() 上面写着 // 获取用户。AI 特别喜欢叙述显而易见的事——我提交前会把这些噪音全部清掉。

🎭 "自信面具"

格式完美的代码配上华丽的 commit message，掩盖的是对代码的完全不理解。第一个边界情况就会崩。如果我自己回答不了 PR 的基本问题，那就有问题了。

我的最佳实践

提交前先读一遍。AI 生成的每一行我都会过一遍。如果解释不了某段代码，就不提交。

AI 加速，我决策。样板代码、初稿、模式匹配交给 AI。架构、边界情况、安全逻辑留在自己手里。

测试不走寻常路。AI 生成的代码有"快乐路径偏见"——只考虑理想场景。我专门写边界测试、异常路径测试和极限值测试。

PR 保持聚焦。我不会把整个 AI 对话倒进一个 PR。拆分成逻辑清晰、可审查的单元——和手写代码一样的纪律。

换个脑子再审查。生成和审查之间我会休息一下。AI 输出乍看很有说服力——拉开距离才能发现问题。

写好提示词。AI 输出质量和提示词质量直接挂钩。我会花时间提供上下文、约束条件和现有模式。

基本功不能丢。AI 工具很强但不是永恒的。调试、系统设计、读代码、分析复杂度——这些能力是不会过时的。