- Hardcoded keys: const STRIPE_KEY = "sk_live_..."
- Fallback patterns: process.env.SECRET || "sk_live_abc123" (the AI helpfully provides a default)
- NEXT_PUBLIC_ prefix on server-only secrets, exposing them to the client bundle
- Secrets inside console.log or error responses that end up in production logs
These pass type-checks and look correct in review. I built a static analysis tool that catches them automatically: https://github.com/prodlint/prodlint