AI Coding Guidelines

This document outlines the standard practices for using AI coding assistants (such as Codex, VSCode Copilot, Claude, GitHub Copilot, and Gemini) within our development team to ensure code consistency, maintainability, and security.

1. Supported AI Tools

  • GitHub Copilot / VSCode Copilot / Codex: Best for inline code completion, generating boilerplate, and writing routine tests.
  • Claude / Gemini: Best for broader architectural discussions, complex refactoring, writing comprehensive tests, and navigating large contexts (especially tools with MCP integrations like Laravel Boost).

2. Best Practice Prompts

To generate safe, maintainable code, your prompts should be specific and layered with necessary context:

  • Be Explicit & Version Specific: Always specify the framework and version. (e.g., "Write a Laravel 12 feature test using Pest 3...").
  • Provide Context: Supply relevant database schemas, component structures, or existing domain logic to guide the AI. Do not rely entirely on the AI's guesses.
  • Enforce Standards: Instruct the AI to adhere to SOLID principles, use strict typing, and implement proper error handling.
  • Prioritize Security: Explicitly request secure code (e.g., "Ensure all user inputs in this FormRequest are strictly validated", "Use Eloquent query builder bindings rather than string interpolation to prevent SQL injection"). Naming a safe tool in the prompt is not a guarantee: Eloquent only parameterizes values passed through the builder, and raw methods (whereRaw, selectRaw, orderByRaw, DB::raw) with interpolated input are still injectable. Verify the generated query; do not trust the prompt.
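As an added illustration (this is example code written for these guidelines, not code from the project), the listing below shows where Eloquent's SQL-injection protection ends: the first method uses Eloquent and is still injectable because it interpolates the search term into a raw fragment, the next two bind the value, and the last allow-lists identifiers, which cannot be bound at all. It assumes a hypothetical App\Models\Post model with title and created_at columns; the class name PostSearch is also assumed.

```php
<?php

declare(strict_types=1);

// Added example for the AI Coding Guidelines, not project code.
// Assumes App\Models\Post with `title` and `created_at` columns (hypothetical).

namespace App\Queries;

use App\Models\Post;
use Illuminate\Database\Eloquent\Collection;

final class PostSearch
{
    // UNSAFE: the builder is Eloquent, but the raw fragment interpolates user input
    // straight into SQL. A prompt saying "use Eloquent" does not prevent this.
    public function byTitleUnsafe(string $term): Collection
    {
        return Post::whereRaw("title LIKE '%{$term}%'")->get();
    }

    // SAFE: the builder sends the value as a bound parameter.
    public function byTitle(string $term): Collection
    {
        return Post::where('title', 'like', '%' . $term . '%')->get();
    }

    // SAFE when raw SQL is unavoidable: a placeholder plus a bindings array.
    public function byTitleRaw(string $term): Collection
    {
        return Post::whereRaw('title LIKE ?', ['%' . $term . '%'])->get();
    }

    // Identifiers (column names, sort direction) cannot be bound, so they must be
    // reduced to an allow-list before they reach orderBy/orderByRaw.
    public function sorted(string $column, string $direction): Collection
    {
        $column = in_array($column, ['title', 'created_at'], true) ? $column : 'created_at';
        $direction = strtolower($direction) === 'desc' ? 'desc' : 'asc';

        return Post::orderBy($column, $direction)->get();
    }
}
```

When reviewing a generated query, grep for Raw( and DB::raw and check every occurrence for interpolated variables. Binding the value stops injection but does not stop LIKE wildcards: a term containing % or _ still matches as a pattern, so escape those characters separately if that matters for the endpoint.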

3. Code Formatting and Commenting Standards

AI coding tools often generate code with varying styles. You must enforce repository conventions:

  • Strict Typing: Ensure all AI-generated PHP files start with declare(strict_types=1); and have strict property, parameter, and return types.
  • Comments: Only use PHPDoc for classes, properties, and methods if they contain complex types (like specific array shapes). Avoid redundant inline comments. The generated code must be clean and self-explanatory.
  • Linting & Formatting: Never merge AI code raw. You must run vendor/bin/pint to apply the project's formatting standard automatically.

4. Review and Validation

Code generated by AI MUST be thoroughly reviewed and validated before inclusion in the codebase:

  1. Understand Every Line: Never commit AI-generated code that you do not fully understand. You are responsible for the code, not the AI.
  2. Write Tests: AI-generated logic must be fully covered by Pest tests. If the AI writes the logic, you may have it write the tests as well, but review what each test actually asserts (a generated test that mirrors the implementation's own assumptions will pass while proving nothing) and run them yourself (php artisan test). Where the logic has a security boundary, add a test that crosses it as the wrong user and expects a 403 or 404.
  3. Security Audit: Manually double-check the code for common vulnerabilities:
    • Missing authorization checks (Gates/Policies): a route that is authenticated is not yet authorized.
    • Mass assignment: models must declare an explicit $fillable allowlist. $guarded = [] disables the protection entirely, and passing $request->all() into create()/update() lets the client choose which columns are written.
    • Insecure direct object references (IDOR): a model fetched by a client-supplied id (findOrFail($id), route model binding) without a policy check or an ownership scope.
  4. Code Review Transparency: Highlight in Pull Request descriptions if a complex or critical piece of logic was heavily AI-generated, allowing reviewers to scrutinize it appropriately.
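The following is an added example written for these guidelines (not the project's code) that walks the audit checklist above through one endpoint: the kind of update handler a coding assistant typically produces, the hardened version with a policy check and validated allow-listed input, and the Pest test that pins the fix. It assumes a hypothetical Laravel 12 application with App\Models\Post (user_id, title, body, a user() relation and a factory), App\Models\User with a factory, a route named posts.update, and RefreshDatabase applied in tests/Pest.php; the classes are condensed into one listing, with the intended file path in the comment above each.

```php
<?php

declare(strict_types=1);

// Added example for the AI Coding Guidelines, not project code. The Post/User
// models, factories and the posts.update route are assumed (hypothetical).

// app/Http/Controllers/PostController.php
namespace App\Http\Controllers;

use App\Http\Requests\UpdatePostRequest;
use App\Models\Post;
use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Gate;

final class PostController extends Controller
{
    // BEFORE: two checklist findings in one method.
    public function updateUnsafe(Request $request, int $id): JsonResponse
    {
        $post = Post::findOrFail($id);        // IDOR: any logged-in user reaches any post by id
        $post->update($request->all());       // mass assignment: the client picks the columns

        return response()->json($post);
    }

    // AFTER: policy check, then only validated keys reach the model.
    public function update(UpdatePostRequest $request, Post $post): JsonResponse
    {
        Gate::authorize('update', $post);     // 403 unless PostPolicy::update returns true
        $post->update($request->validated()); // only keys declared in rules()

        return response()->json($post);
    }
}

// app/Policies/PostPolicy.php (auto-discovered from the App\Models\Post name)
namespace App\Policies;

use App\Models\Post;
use App\Models\User;

final class PostPolicy
{
    public function update(User $user, Post $post): bool
    {
        return $user->id === $post->user_id;
    }
}

// app/Http/Requests/UpdatePostRequest.php
namespace App\Http\Requests;

use Illuminate\Foundation\Http\FormRequest;

final class UpdatePostRequest extends FormRequest
{
    public function authorize(): bool
    {
        return true; // authorization lives in PostPolicy, enforced by the controller
    }

    /** @return array<string, list<string>> */
    public function rules(): array
    {
        return [
            'title' => ['required', 'string', 'max:120'],
            'body'  => ['required', 'string'],
            // no user_id rule: validated() can never carry an ownership change
        ];
    }
}

// app/Models/Post.php (excerpt)
namespace App\Models;

use Illuminate\Database\Eloquent\Model;

final class Post extends Model
{
    // BEFORE: protected $guarded = [];  (disables protection; user_id in the payload reassigns ownership)
    /** @var list<string> explicit allowlist */
    protected $fillable = ['title', 'body'];
}

// tests/Feature/PostUpdateTest.php (Pest 3)
namespace Tests\Feature;

use App\Models\Post;
use App\Models\User;

it('forbids editing another user\'s post and ignores ownership fields', function (): void {
    $owner    = User::factory()->create();
    $attacker = User::factory()->create();
    $post     = Post::factory()->for($owner)->create(['title' => 'original']);

    $this->actingAs($attacker)
        ->putJson(route('posts.update', $post), ['title' => 'pwned', 'body' => 'x', 'user_id' => $attacker->id])
        ->assertForbidden();

    $post->refresh();
    expect($post->title)->toBe('original')
        ->and($post->user_id)->toBe($owner->id);
});
```

The test is the one worth insisting on when the logic was generated: it drives the endpoint as the wrong user with a payload that tries to change ownership, and asserts on the database state afterwards rather than only on the status code. If the assistant also generated the test, check that it does both; a test that only exercises the happy path as the owner would pass against the BEFORE version too.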