ChatGPT Prompt Engineering: Complete Guide for Developers (2025)

Prompt engineering is the art and science of crafting inputs that get the best results from AI models. For developers, mastering prompt engineering means building more reliable, efficient, and creative AI-powered applications. This comprehensive guide covers everything from basic techniques to advanced patterns used in production systems.

What is Prompt Engineering?

Prompt engineering is the practice of designing and optimizing inputs (prompts) to AI models to achieve desired outputs. It's not just about asking questions—it's about structuring requests in ways that leverage the model's capabilities while minimizing hallucinations and errors.

Why Developers Need Prompt Engineering

• API Integration: Better prompts mean more reliable API responses
• Cost Optimization: Efficient prompts reduce token usage and costs
• User Experience: Well-crafted prompts lead to better user-facing features
• Production Reliability: Consistent outputs are crucial for production systems

Core Prompt Engineering Techniques

1. The Role-Context-Instruction Pattern

This is the most effective pattern for consistent results:

System: You are a senior software engineer with expertise in [specific technology].
Context: [Provide relevant background information]
Instruction: [Specific task with clear output format]

Example for Code Review:

const prompt = `System: You are a senior React developer reviewing code for performance and best practices.
Context: This is a production e-commerce application handling 10k+ daily users.
Instruction: Review this React component and provide specific, actionable feedback in JSON format:
{
  "issues": ["issue1", "issue2"],
  "suggestions": ["suggestion1", "suggestion2"],
  "performance_score": 1-10,
  "security_concerns": ["concern1", "concern2"]
}

Component code:
${componentCode}`;

2. Few-Shot Learning

Provide examples to guide the model's output format:

const codeGenerationPrompt = `Generate a TypeScript function based on these examples:

Example 1:
Input: "Create a user validation function"
Output: 
\`\`\`typescript
function validateUser(user: User): ValidationResult {
  const errors: string[] = [];
  
  if (!user.email || !isValidEmail(user.email)) {
    errors.push('Invalid email format');
  }
  
  if (!user.name || user.name.trim().length < 2) {
    errors.push('Name must be at least 2 characters');
  }
  
  return {
    isValid: errors.length === 0,
    errors
  };
}
\`\`\`

Example 2:
Input: "Create a password hashing function"
Output:
\`\`\`typescript
async function hashPassword(password: string): Promise<string> {
  const bcrypt = await import('bcrypt');
  const saltRounds = 12;
  return await bcrypt.hash(password, saltRounds);
}
\`\`\`

Now generate: "Create a JWT token validation function"`;

3. Chain of Thought Prompting

Guide the model through step-by-step reasoning:

const debuggingPrompt = `Debug this Node.js application step by step:

1. First, identify the error type and location
2. Analyze the root cause
3. Suggest specific fixes
4. Provide corrected code

Error: ${errorMessage}
Code: ${problematicCode}

Think through this systematically:`;

Advanced Prompt Engineering Patterns

1. Function Calling with Structured Outputs

const functionCallPrompt = `Analyze this codebase and extract key information:

\`\`\`typescript
// Code to analyze
${codebase}
\`\`\`

Return a structured analysis in this exact JSON format:
{
  "functions": [
    {
      "name": "functionName",
      "complexity": "low|medium|high",
      "dependencies": ["dep1", "dep2"],
      "potential_issues": ["issue1", "issue2"]
    }
  ],
  "overall_complexity": "low|medium|high",
  "recommendations": ["rec1", "rec2"]
}`;

2. Iterative Refinement

const iterativePrompt = `I need to optimize this database query. Let's work through this iteratively:

Initial Query:
${sqlQuery}

Step 1: Identify performance bottlenecks
Step 2: Suggest specific optimizations
Step 3: Provide optimized query
Step 4: Explain the improvements

Please address each step separately.`;

3. Constraint-Based Prompting

const constraintPrompt = `Generate a secure authentication middleware with these constraints:

CONSTRAINTS:
- Must use JWT tokens
- Must validate token expiration
- Must handle refresh tokens
- Must be under 50 lines of code
- Must include error handling
- Must be TypeScript

REQUIREMENTS:
- Input: Express.js request, response, next
- Output: void (calls next() or sends error response)
- Security: Validate token signature and claims

Generate the middleware:`;

ChatGPT API Integration

Basic API Setup

import OpenAI from 'openai';

const openai = new OpenAI({
  apiKey: process.env.OPENAI_API_KEY,
});

async function generateCode(prompt: string, context?: string) {
  const response = await openai.chat.completions.create({
    model: "gpt-4",
    messages: [
      {
        role: "system",
        content: "You are a senior software engineer. Generate clean, production-ready code with proper error handling and TypeScript types."
      },
      {
        role: "user",
        content: context ? `${context}\n\n${prompt}` : prompt
      }
    ],
    temperature: 0.1, // Low temperature for consistent code generation
    max_tokens: 2000,
  });

  return response.choices[0].message.content;
}

Advanced API Usage with Streaming

async function streamCodeGeneration(prompt: string) {
  const stream = await openai.chat.completions.create({
    model: "gpt-4",
    messages: [
      {
        role: "system",
        content: "Generate code with detailed explanations. Stream your response as you think through the problem."
      },
      {
        role: "user",
        content: prompt
      }
    ],
    stream: true,
    temperature: 0.3,
  });

  let fullResponse = '';
  for await (const chunk of stream) {
    const content = chunk.choices[0]?.delta?.content || '';
    fullResponse += content;
    process.stdout.write(content); // Stream to console
  }

  return fullResponse;
}

Error Handling and Retry Logic

async function robustCodeGeneration(prompt: string, maxRetries = 3) {
  for (let attempt = 1; attempt <= maxRetries; attempt++) {
    try {
      const response = await openai.chat.completions.create({
        model: "gpt-4",
        messages: [
          {
            role: "system",
            content: "You are a senior software engineer. Generate clean, production-ready code."
          },
          {
            role: "user",
            content: prompt
          }
        ],
        temperature: 0.1,
        max_tokens: 2000,
      });

      return {
        success: true,
        code: response.choices[0].message.content,
        usage: response.usage
      };
    } catch (error) {
      console.error(`Attempt ${attempt} failed:`, error.message);
      
      if (attempt === maxRetries) {
        return {
          success: false,
          error: error.message,
          fallback: "// Unable to generate code. Please try again."
        };
      }
      
      // Exponential backoff
      await new Promise(resolve => setTimeout(resolve, Math.pow(2, attempt) * 1000));
    }
  }
}

Production-Ready Prompt Templates

1. Code Review Template

const codeReviewTemplate = (code, context = {}) => `
System: You are a senior software engineer conducting a thorough code review.

Context:
- Project: ${context.project || 'Unknown'}
- Language: ${context.language || 'TypeScript'}
- Framework: ${context.framework || 'React'}
- Team Size: ${context.teamSize || '5-10 developers'}

Code to Review:
\`\`\`${context.language || 'typescript'}
${code}
\`\`\`

Review Criteria:
1. Code Quality (readability, maintainability)
2. Performance (efficiency, optimization opportunities)
3. Security (vulnerabilities, best practices)
4. Testing (testability, coverage)
5. Documentation (comments, type definitions)

Provide feedback in this JSON format:
{
  "overall_score": 1-10,
  "strengths": ["strength1", "strength2"],
  "issues": [
    {
      "type": "quality|performance|security|testing|documentation",
      "severity": "low|medium|high|critical",
      "line": number,
      "description": "Issue description",
      "suggestion": "How to fix"
    }
  ],
  "recommendations": ["rec1", "rec2"],
  "priority_fixes": ["fix1", "fix2"]
}`;

2. API Documentation Generator

const apiDocTemplate = (endpoint, code) => `
System: You are a technical writer specializing in API documentation.

Generate comprehensive API documentation for this endpoint:

Endpoint: ${endpoint.method} ${endpoint.path}
Code:
\`\`\`typescript
${code}
\`\`\`

Include:
1. Overview and purpose
2. Request parameters (path, query, body)
3. Response format and status codes
4. Error handling
5. Example requests and responses
6. Authentication requirements
7. Rate limiting information

Format as Markdown with clear sections and code examples.`;

3. Test Case Generator

const testGeneratorTemplate = (functionCode, context = {}) => `
System: You are a senior QA engineer writing comprehensive test cases.

Generate test cases for this function:

\`\`\`typescript
${functionCode}
\`\`\`

Context:
- Framework: ${context.framework || 'Jest'}
- Coverage Target: ${context.coverage || '90%+'}
- Test Types: Unit, Integration, Edge Cases

Generate:
1. Happy path tests
2. Edge case tests
3. Error condition tests
4. Performance tests (if applicable)
5. Mock strategies

Format as Jest test cases with:
- Descriptive test names
- Arrange-Act-Assert structure
- Proper mocking
- Clear assertions
- Comments explaining test purpose`;

Common Pitfalls and Solutions

1. Vague Prompts

Bad:

"Make this code better"

Good:

"Optimize this React component for performance by:
1. Identifying unnecessary re-renders
2. Suggesting memoization opportunities
3. Providing specific code improvements
4. Explaining the performance impact of each change"

2. Missing Context

Bad:

"Create a user authentication function"

Good:

"Create a secure user authentication function for a Node.js/Express API that:
- Uses JWT tokens with 15-minute expiration
- Includes refresh token rotation
- Validates against a PostgreSQL database
- Handles rate limiting (5 attempts per minute)
- Returns proper HTTP status codes
- Includes comprehensive error handling"

3. Inconsistent Output Format

Bad:

"Generate API endpoints"

Good:

"Generate API endpoints in this exact format:
{
  "endpoints": [
    {
      "method": "GET|POST|PUT|DELETE",
      "path": "/api/endpoint",
      "description": "What it does",
      "parameters": [...],
      "response": {...}
    }
  ]
}"

Performance Optimization

1. Token Management

function optimizePrompt(prompt: string, maxTokens: number = 4000) {
  // Remove unnecessary whitespace
  let optimized = prompt.replace(/\s+/g, ' ').trim();
  
  // Truncate if too long (leave room for response)
  const maxPromptTokens = maxTokens * 0.7; // Reserve 30% for response
  const estimatedTokens = Math.ceil(optimized.length / 4); // Rough estimation
  
  if (estimatedTokens > maxPromptTokens) {
    optimized = optimized.substring(0, maxPromptTokens * 4);
  }
  
  return optimized;
}

2. Caching Strategies

import { createHash } from 'crypto';

class PromptCache {
  private cache = new Map<string, string>();
  
  generateKey(prompt: string, model: string): string {
    return createHash('md5')
      .update(`${model}:${prompt}`)
      .digest('hex');
  }
  
  async get(prompt: string, model: string): Promise<string | null> {
    const key = this.generateKey(prompt, model);
    return this.cache.get(key) || null;
  }
  
  set(prompt: string, model: string, response: string): void {
    const key = this.generateKey(prompt, model);
    this.cache.set(key, response);
  }
}

3. Batch Processing

async function batchCodeGeneration(prompts: string[]) {
  const batchSize = 5; // Process 5 prompts at once
  const results = [];
  
  for (let i = 0; i < prompts.length; i += batchSize) {
    const batch = prompts.slice(i, i + batchSize);
    
    const batchPromises = batch.map(prompt => 
      generateCode(prompt).catch(error => ({
        error: error.message,
        prompt
      }))
    );
    
    const batchResults = await Promise.all(batchPromises);
    results.push(...batchResults);
    
    // Rate limiting
    await new Promise(resolve => setTimeout(resolve, 1000));
  }
  
  return results;
}

Best Practices for Production

1. Prompt Versioning

const PROMPT_VERSIONS = {
  'code-review-v1': {
    template: '...',
    model: 'gpt-4',
    temperature: 0.1
  },
  'code-review-v2': {
    template: '...', // Improved version
    model: 'gpt-4',
    temperature: 0.1
  }
};

function getPromptVersion(version: string) {
  return PROMPT_VERSIONS[version] || PROMPT_VERSIONS['code-review-v1'];
}

2. A/B Testing Prompts

class PromptTester {
  async testPrompts(prompts: string[], testCases: any[]) {
    const results = [];
    
    for (const prompt of prompts) {
      const promptResults = [];
      
      for (const testCase of testCases) {
        const response = await generateCode(prompt, testCase.context);
        promptResults.push({
          prompt,
          testCase,
          response,
          quality: this.evaluateResponse(response, testCase.expected)
        });
      }
      
      results.push({
        prompt,
        averageQuality: this.calculateAverage(promptResults.map(r => r.quality)),
        results: promptResults
      });
    }
    
    return results;
  }
  
  evaluateResponse(response: string, expected: any): number {
    // Implement your quality metrics
    return 0.85; // Example score
  }
}

3. Monitoring and Analytics

class PromptAnalytics {
  private metrics = {
    totalRequests: 0,
    successfulRequests: 0,
    averageResponseTime: 0,
    tokenUsage: 0,
    errorRate: 0
  };
  
  async trackRequest(prompt: string, response: string, duration: number, tokens: number) {
    this.metrics.totalRequests++;
    this.metrics.successfulRequests++;
    this.metrics.averageResponseTime = 
      (this.metrics.averageResponseTime + duration) / 2;
    this.metrics.tokenUsage += tokens;
    
    // Log for analysis
    console.log({
      timestamp: new Date().toISOString(),
      promptLength: prompt.length,
      responseLength: response.length,
      duration,
      tokens,
      success: true
    });
  }
  
  getMetrics() {
    return {
      ...this.metrics,
      errorRate: (this.metrics.totalRequests - this.metrics.successfulRequests) / this.metrics.totalRequests
    };
  }
}

Real-World Examples

1. Automated Code Documentation

async function generateDocumentation(codebase: string) {
  const prompt = `
System: You are a technical documentation expert.

Analyze this codebase and generate comprehensive documentation:

\`\`\`typescript
${codebase}
\`\`\`

Create:
1. README.md with setup instructions
2. API documentation for all public functions
3. Code comments for complex logic
4. Usage examples
5. Troubleshooting guide

Format as Markdown with clear sections.`;

  return await generateCode(prompt);
}

2. Automated Test Generation

async function generateTestSuite(component: string) {
  const prompt = `
System: You are a senior QA engineer.

Generate a comprehensive test suite for this React component:

\`\`\`typescript
${component}
\`\`\`

Include:
- Unit tests for all functions
- Integration tests for user interactions
- Accessibility tests
- Performance tests
- Snapshot tests

Use Jest and React Testing Library. Provide complete, runnable test files.`;

  return await generateCode(prompt);
}

3. Code Migration Assistant

async function migrateCode(oldCode: string, fromFramework: string, toFramework: string) {
  const prompt = `
System: You are a senior software engineer specializing in framework migrations.

Migrate this ${fromFramework} code to ${toFramework}:

\`\`\`typescript
${oldCode}
\`\`\`

Requirements:
1. Maintain the same functionality
2. Use ${toFramework} best practices
3. Include proper TypeScript types
4. Add migration notes explaining changes
5. Provide before/after comparison

Generate the migrated code with detailed explanations.`;

  return await generateCode(prompt);
}

Conclusion

Mastering prompt engineering is essential for developers working with AI. The techniques covered in this guide—from basic patterns to advanced production strategies—will help you build more reliable and efficient AI-powered applications.

Key takeaways:

• Structure matters: Use role-context-instruction patterns
• Examples guide: Provide few-shot examples for consistent outputs
• Constraints help: Be specific about requirements and limitations
• Monitor and optimize: Track performance and iterate on prompts
• Version control: Manage prompt versions like code

Start with simple prompts and gradually add complexity. Test different approaches, measure results, and refine your techniques. With practice, you'll develop a toolkit of effective prompts that make your AI integrations more powerful and reliable.

FAQ

Q: How do I handle inconsistent outputs from ChatGPT? A: Use more specific prompts with clear output formats, lower temperature settings (0.1-0.3), and implement validation logic to check response quality.

Q: What's the best way to reduce token usage? A: Optimize prompts by removing unnecessary words, using concise instructions, and implementing caching for repeated requests.

Q: How can I ensure code quality in AI-generated responses? A: Use detailed system prompts, provide code examples, specify testing requirements, and implement post-generation validation.

Q: Should I use GPT-4 or GPT-3.5 for code generation? A: GPT-4 is better for complex code generation and reasoning tasks. Use GPT-3.5 for simpler tasks to reduce costs.

Q: How do I handle rate limits in production? A: Implement exponential backoff, request queuing, and consider using multiple API keys with load balancing.

Prompt Patterns Cookbook (25 production-ready templates)

Below is a collection of reusable prompt patterns, each with a clear goal, structure, and example. Copy and adapt for your stack.

1) Bug Reproducer

Goal: Generate a minimal reproducible example and failing test.

System: You are a senior engineer. Create a minimal reproducer for the reported bug, then write a failing test.
Context:
- Tech: ${tech}
- Error: ${error}
- Logs: ${logs}
Instruction:
1) Produce the smallest code sample that triggers the bug
2) Write a failing test case
3) Propose a fix with explanation
Output sections: Reproducer, Test, Fix, Notes

Example Input:

tech=Next.js + Prisma
error=Unique constraint violation on user email
logs=PrismaClientKnownRequestError P2002

2) Guarded JSON Generator

Goal: Force well‑formed JSON that matches a schema.

System: Return ONLY JSON, no prose. If unsure, return {}.
Instruction: Produce JSON matching this schema:
{
  "type": "object",
  "properties": {
    "title": {"type": "string"},
    "tags": {"type": "array", "items": {"type": "string"}},
    "summary": {"type": "string"}
  },
  "required": ["title", "summary"]
}
Content: ${article}

3) ADR (Architecture Decision Record)

System: You are a principal engineer writing an ADR.
Instruction: Write an ADR with sections: Context, Decision, Alternatives, Consequences, References.
Context: ${project_context}
Topic: ${topic}

4) Threat Modeling (STRIDE)

System: Security architect.
Instruction: Perform STRIDE analysis for the system below. Output table with columns: Threat, Component, Impact, Likelihood, Mitigations.
System: ${diagram_or_text}

5) Incident Triage

System: SRE on-call.
Instruction: Given logs and metrics, classify incident severity, blast radius, suspected root cause, immediate mitigations, and next steps.
Inputs: ${logs} ${metrics}

6) API Contract Generator

System: API designer.
Instruction: Produce OpenAPI 3.1 for the described endpoints with request/response schemas, examples, and error codes.
Spec: ${english_description}

7) SQL Optimizer

System: Database performance engineer.
Instruction: Analyze the SQL, identify bottlenecks, propose indexes, and return an optimized query with rationale.
SQL: ${sql}

8) Test Matrix Builder

System: QA lead.
Instruction: Build a test matrix for feature X with axes: Browsers, Devices, Locales, Network Conditions, Permissions. Output CSV.
Feature: ${feature}

9) Accessibility Review (WCAG)

System: Accessibility expert.
Instruction: Audit the provided component/page for WCAG 2.2 AA. Output issues with Severity, Guideline, Fix.
HTML/JSX: ${snippet}

10) Logging & Observability Plan

System: Observability architect.
Instruction: Propose structured logs, metrics, and traces for the service. Include sampling, PII redaction, and dashboards.
Service: ${service}

11) Data Contract Extractor

System: Data engineer.
Instruction: From payload examples, infer schema, nullable fields, enums, and constraints. Output JSON Schema draft 2020-12.
Samples: ${samples}

12) i18n Copy Linter

System: i18n specialist.
Instruction: Find hardcoded strings, concatenations, and pluralization issues; suggest ICU MessageFormat.
Code: ${code}

13) RAG Prompt Builder

System: Retrieval engineer.
Instruction: Generate retrieval queries (keywords + embeddings) and a grounded prompt template. Include anti-hallucination guardrails.
Docs summary: ${summary}

14) Persona Mapper

System: Product strategist.
Instruction: Translate support tickets into user personas with jobs-to-be-done, pains, gains, and top tasks.
Tickets: ${tickets}

15) Red Team Prompt

System: Red team.
Instruction: Attempt prompt injection, data exfiltration, and jailbreak on the spec below. Report vulnerabilities and fixes.
Spec: ${assistant_spec}

16) Migration Planner

System: Migration architect.
Instruction: Produce a phased migration plan with rollback, data backfill strategy, and observability KPIs.
From→To: ${from} → ${to}
Constraints: ${constraints}

17) Privacy Review (PII)

System: Privacy officer.
Instruction: Detect PII fields, propose minimization/retention policies, and redact strategies.
Data map: ${map}

18) Feature Spec Writer

System: Staff engineer.
Instruction: Write a feature spec with Goals, Non-goals, Flows, Data Model, API, Risks, Rollout.
Context: ${context}

19) Performance Budget Enforcer

System: Frontend perf specialist.
Instruction: Define performance budgets (JS, CSS, images), measurement plan, and CI gates.
App: ${app}

20) Content Safety Filter Designer

System: Safety engineer.
Instruction: Create a ruleset and escalation flow for moderating user-generated content with categories and examples.
Platform: ${platform}

21) Dependency Risk Report

System: Supply chain security.
Instruction: Assess top dependencies for license and known CVEs; propose mitigation or alternatives.
Dependencies: ${list}

22) Design Doc Reviewer

System: Principal reviewer.
Instruction: Review the design doc for correctness, risks, and testability. Output: Strengths, Risks, Questions, Missing Data.
Doc: ${doc}

23) Release Notes Generator

System: Release manager.
Instruction: Summarize merged PRs into user-friendly release notes with sections and breaking changes.
PRs: ${prs}

24) Onboarding Curriculum

System: Eng manager.
Instruction: Build a 30-60-90 onboarding plan with tasks, reading, and milestones for role X.
Role: ${role}

25) Prompt Linter

System: Prompt linter.
Instruction: Score the prompt on clarity, constraints, safety, and structure. Suggest improvements and a revised prompt.
Prompt: ${prompt}

Domain Prompt Packs (ready-to-use)

E‑commerce

• Product enrichment, duplicate detection, attribute normalization, SEO copy, support macros
• Example: classify return reason codes into standardized categories

Fintech

• Transaction categorization, fraud signals summary, KYC document extraction (ensure human review)

Healthcare

• Clinical note summarization (PHI handling), triage suggestions, insurance eligibility extraction

SaaS B2B

• Churn risk signals, account health scoring explanations, upsell recommendations

Education

• Quiz generation with answer keys, rubric‑based grading drafts, lesson plan outlines

Evaluation Suite (how to measure reliably)

Create a Golden Set of prompts and expected outputs. Use automatic judges where possible.

type Case = { id: string; prompt: string; expected: unknown };
type Judge = (out: unknown, exp: unknown) => number; // 0..1

async function run(cases: Case[], gen: (p: string) => Promise<unknown>, judge: Judge) {
  const scores: number[] = [];
  for (const c of cases) {
    const out = await gen(c.prompt);
    scores.push(judge(out, c.expected));
  }
  const avg = scores.reduce((a, b) => a + b, 0) / scores.length;
  return { scores, avg };
}

Metrics to track:

• Accuracy/F1 for extraction tasks
• Exact match for formatting tasks
• Latency P50/P95; cost per output; error rate

Safety & Red Teaming

Add refusal tests and jailbreak attempts to your evals. Maintain a blocklist and allowlist; route flagged content to human review. Log prompts/outputs with retention and PII scrubbing.

JSON Schemas (starter library)

Common structures you can reuse for strict outputs: TestPlan, ADR, ReleaseNotes, APIContract, RiskLog. Keep schemas small and composable.

Glossary

• Few‑shot: Providing examples in the prompt to guide outputs
• RAG: Retrieval‑augmented generation using your own data
• Tool calling: Structured outputs that your code treats as function calls
• Hallucination: Confidently wrong output; mitigate with context and validation

Appendix A1 — Prompt Anti‑patterns (300)

• Anti-pattern 001: Vague goals without success criteria
• Anti-pattern 002: Asking for multiple unrelated outputs in one step
• Anti-pattern 003: Mixing style and substance requirements in a single instruction
• Anti-pattern 004: No output schema when downstream code expects structure
• Anti-pattern 005: Omitting guardrails for safety‑sensitive topics
• Anti-pattern 006: Under‑specifying domain context and constraints
• Anti-pattern 007: Contradictory instructions in system vs user messages
• Anti-pattern 008: Overly high temperature for deterministic tasks
• Anti-pattern 009: No examples for niche formats (few‑shot missing)
• Anti-pattern 010: Excessively long context with irrelevant details
• Anti-pattern 011: Using ambiguous terms like “optimize” without metrics
• Anti-pattern 012: Missing audience and tone guidance for docs
• Anti-pattern 013: No error budget or latency target for tooling
• Anti-pattern 014: Requiring external browsing when offline
• Anti-pattern 015: Allowing free‑form text when only JSON is valid
• Anti-pattern 016: Not reserving tokens for the model’s response
• Anti-pattern 017: Ignoring model context length limitations
• Anti-pattern 018: Combining requirements and examples without labels
• Anti-pattern 019: Hidden constraints only implied, not explicit
• Anti-pattern 020: Requesting code without specifying language/runtime
• Anti-pattern 021: No dependency versions when generating code
• Anti-pattern 022: Asking for tests without test framework indicated
• Anti-pattern 023: No security guidance for auth/crypto prompts
• Anti-pattern 024: Asking for DB queries without schema overview
• Anti-pattern 025: Requesting UI without design system tokens
• Anti-pattern 026: Inconsistent capitalization causing misparsing
• Anti-pattern 027: Asking for creativity on legal/compliance outputs
• Anti-pattern 028: No handling of PII/sensitive info redaction
• Anti-pattern 029: Using absolute time without time zone
• Anti-pattern 030: Not specifying locale for formatting
• Anti-pattern 031: Failing to pin model for reproducibility
• Anti-pattern 032: Combining analysis and generation with no phases
• Anti-pattern 033: No fallback behavior on partial failures
• Anti-pattern 034: Encouraging hallucinations with “invent if missing”
• Anti-pattern 035: Missing refusal guidance for restricted topics
• Anti-pattern 036: No chain‑of‑thought surrogate like checklists
• Anti-pattern 037: Overusing chain‑of‑thought for trivial tasks
• Anti-pattern 038: Not instructing to think step‑by‑step on complex tasks
• Anti-pattern 039: No unit limits on generated lists/tables
• Anti-pattern 040: Requesting diagrams without supported formats
• Anti-pattern 041: Not specifying JSON field ordering when diffing
• Anti-pattern 042: No instruction to avoid trailing commas in JSON
• Anti-pattern 043: Missing escape rules for code blocks
• Anti-pattern 044: Mixing tabs/spaces in code generation requests
• Anti-pattern 045: Overly strict constraints that contradict each other
• Anti-pattern 046: Requesting long outputs without sectioning
• Anti-pattern 047: Asking for summaries without length targets
• Anti-pattern 048: Neglecting context memory resets across turns
• Anti-pattern 049: Providing inconsistent examples (format drift)
• Anti-pattern 050: No glossary for domain jargon
• Anti-pattern 051: Reusing old prompts after spec changed
• Anti-pattern 052: No deprecation notes for changed fields
• Anti-pattern 053: Unclear rights/licensing for generated content
• Anti-pattern 054: No citation requirements when needed
• Anti-pattern 055: Mixing public and confidential context
• Anti-pattern 056: Having the model invent unknown URLs/IDs
• Anti-pattern 057: Not instructing to say “don’t know” on gaps
• Anti-pattern 058: Asking for exact numeric accuracy without tools
• Anti-pattern 059: No retry/backoff guidance for flaky tools
• Anti-pattern 060: Not validating the model’s JSON with schema
• Anti-pattern 061: Free‑form validation messages without codes
• Anti-pattern 062: Missing locale in currency outputs
• Anti-pattern 063: Requesting time math with ambiguous DST handling
• Anti-pattern 064: Not limiting external references to allowed sources
• Anti-pattern 065: Forgetting to trim whitespace for signature matching
• Anti-pattern 066: Requesting secrets or private data from model
• Anti-pattern 067: No instruction to avoid sending secrets back
• Anti-pattern 068: Output too compressed to be readable by users
• Anti-pattern 069: Overly verbose output that exceeds UI limits
• Anti-pattern 070: Not instructing to keep code idempotent
• Anti-pattern 071: Not specifying API error handling conventions
• Anti-pattern 072: Requesting HTML without sanitization policies
• Anti-pattern 073: No alt text guidance for images
• Anti-pattern 074: Not asking for testable examples
• Anti-pattern 075: Missing license headers where required
• Anti-pattern 076: No logging redaction guidance
• Anti-pattern 077: No rate‑limit handling in client code
• Anti-pattern 078: No pagination handling in clients
• Anti-pattern 079: Neglecting graceful degradation instructions
• Anti-pattern 080: No storage limits for generated assets
• Anti-pattern 081: Overfitting prompts to one project’s style
• Anti-pattern 082: Not generalizing where appropriate
• Anti-pattern 083: Requesting opinionated style without justification
• Anti-pattern 084: Hardcoding secrets in examples
• Anti-pattern 085: Using production endpoints in examples
• Anti-pattern 086: No test data fixtures guidance
• Anti-pattern 087: No lint/format instructions for code
• Anti-pattern 088: Asking to ignore types in TypeScript
• Anti-pattern 089: Requesting admin‑level actions casually
• Anti-pattern 090: Not asking to verify preconditions
• Anti-pattern 091: No post‑conditions validation steps
• Anti-pattern 092: No rollback plan for migrations
• Anti-pattern 093: Asking to disable security features “for speed”
• Anti-pattern 094: No accessibility checklist for UI
• Anti-pattern 095: No mobile constraints for UI outputs
• Anti-pattern 096: Assuming unlimited compute in examples
• Anti-pattern 097: No resource cleanup in example code
• Anti-pattern 098: No timeouts or aborts in fetches
• Anti-pattern 099: Ignoring retries for transient errors
• Anti-pattern 100: No idempotency keys for mutating APIs
• Anti-pattern 101: Using GET for state‑changing requests
• Anti-pattern 102: Leaking tokens in logs
• Anti-pattern 103: Not hashing PII where possible
• Anti-pattern 104: Using weak randoms for security tokens
• Anti-pattern 105: No scoping for API tokens
• Anti-pattern 106: Not specifying TLS version requirements
• Anti-pattern 107: Missing CORS guidance for browser clients
• Anti-pattern 108: Exposing internal error details in outputs
• Anti-pattern 109: Mixing test and prod data in examples
• Anti-pattern 110: Non‑deterministic seeds in examples
• Anti-pattern 111: No reproducibility in sample results
• Anti-pattern 112: Not pinning dependency versions
• Anti-pattern 113: Ignoring ESM/CJS module differences
• Anti-pattern 114: Shell commands without flags for non‑interactive
• Anti-pattern 115: Not mentioning OS differences for commands
• Anti-pattern 116: Hardcoding absolute paths in examples
• Anti-pattern 117: Not documenting prerequisites
• Anti-pattern 118: Skipping license attribution for third‑party code
• Anti-pattern 119: No threat model for sensitive flows
• Anti-pattern 120: Asking the model to “assume success”
• Anti-pattern 121: No fallback UI for failures
• Anti-pattern 122: No responsiveness rules for large outputs
• Anti-pattern 123: No chunking guidance for long content
• Anti-pattern 124: Not instructing to avoid duplicate items
• Anti-pattern 125: No deduplication rule for lists
• Anti-pattern 126: Missing “do not invent fields” rule
• Anti-pattern 127: Not limiting to known enum values
• Anti-pattern 128: No unknown handling for enums
• Anti-pattern 129: Asking for proprietary content reproduction
• Anti-pattern 130: No citation anchors for references
• Anti-pattern 131: No encoding rules (UTF‑8/CSV escaping)
• Anti-pattern 132: Requesting CSV without delimiter/quote rules
• Anti-pattern 133: JSON with comments where parser rejects
• Anti-pattern 134: YAML unsafe anchors/aliases
• Anti-pattern 135: XML without namespace declarations
• Anti-pattern 136: Markdown tables that overflow width
• Anti-pattern 137: Not warning about truncation risks
• Anti-pattern 138: No validation step by deterministic code
• Anti-pattern 139: No unit conversion rules
• Anti-pattern 140: Requesting money without currency/rounding
• Anti-pattern 141: Dates without ISO8601 format
• Anti-pattern 142: Time math without leap year rules
• Anti-pattern 143: Timezone handling ignored
• Anti-pattern 144: Not clarifying decimal separators for locales
• Anti-pattern 145: Missing thousand separators policy
• Anti-pattern 146: Not declaring accessibility support goals
• Anti-pattern 147: Not stating privacy expectations
• Anti-pattern 148: No redaction of secrets in examples
• Anti-pattern 149: Asking to manipulate users unethically
• Anti-pattern 150: No consent guidance for data usage
• Anti-pattern 151: Requesting unsupported file formats
• Anti-pattern 152: Requesting screenshots in pure text channels
• Anti-pattern 153: Overusing humor in professional docs
• Anti-pattern 154: No inclusive language guidance
• Anti-pattern 155: No bias checks for model outputs
• Anti-pattern 156: Overly strict profanity filters for dev logs
• Anti-pattern 157: Disallowing any error output (unrealistic)
• Anti-pattern 158: Encouraging copy‑paste without context
• Anti-pattern 159: No license on generated OSS snippets
• Anti-pattern 160: Encouraging scraping beyond ToS
• Anti-pattern 161: Ignoring robots/noindex flags in examples
• Anti-pattern 162: Misusing “canonical” in SEO advice
• Anti-pattern 163: No sitemap rules for new routes
• Anti-pattern 164: Forgetting alt tags for critical images
• Anti-pattern 165: Not compressing images in examples
• Anti-pattern 166: No caching headers guidance
• Anti-pattern 167: Using any type pervasively in TS
• Anti-pattern 168: Disabling ESLint/TS rules globally
• Anti-pattern 169: No formatting config for teams
• Anti-pattern 170: Ignoring code review processes
• Anti-pattern 171: No security review for sensitive diffs
• Anti-pattern 172: No performance review for hot paths
• Anti-pattern 173: Not defining SLOs for generated APIs
• Anti-pattern 174: No dashboards for critical endpoints
• Anti-pattern 175: Skipping runbooks for on‑call
• Anti-pattern 176: No incident comms templates
• Anti-pattern 177: Not storing prompts for audit
• Anti-pattern 178: No prompt versioning policy
• Anti-pattern 179: Ignoring model updates impact
• Anti-pattern 180: Not testing prompts across models
• Anti-pattern 181: No cost budget caps
• Anti-pattern 182: No caching of prompt → output
• Anti-pattern 183: No idempotent tool calls
• Anti-pattern 184: Missing tool call timeouts
• Anti-pattern 185: No circuit breaker for tool errors
• Anti-pattern 186: Large context, tiny ask (token waste)
• Anti-pattern 187: Tiny context, huge ask (hallucination risk)
• Anti-pattern 188: Not checking for empty inputs
• Anti-pattern 189: Not validating URLs before fetch
• Anti-pattern 190: Not specifying retryable vs fatal errors
• Anti-pattern 191: Hard fail on partial success
• Anti-pattern 192: Looping the same prompt after failure
• Anti-pattern 193: No exponential backoff guidance
• Anti-pattern 194: Not persisting outputs for reuse
• Anti-pattern 195: No trace IDs for correlation
• Anti-pattern 196: Inconsistent casing in keys
• Anti-pattern 197: Using spaces where underscores are mandatory
• Anti-pattern 198: Unicode normalization not specified
• Anti-pattern 199: No newline normalization rule
• Anti-pattern 200: Forgetting to escape backticks in Markdown
• Anti-pattern 201: Not pinning npm registry for determinism
• Anti-pattern 202: Ignoring air‑gapped constraints
• Anti-pattern 203: Generating URLs with wrong host env
• Anti-pattern 204: Not separating dev/stage/prod configs
• Anti-pattern 205: Leaking internal IPs/domains in docs
• Anti-pattern 206: No “do not disclose confidential info” clause
• Anti-pattern 207: No legal disclaimer where necessary
• Anti-pattern 208: Failing to identify the end user persona
• Anti-pattern 209: Not stating device constraints (mobile/desktop)
• Anti-pattern 210: Skipping color contrast rules in UI docs
• Anti-pattern 211: No keyboard navigation in UI specs
• Anti-pattern 212: No focus management guidance
• Anti-pattern 213: Ignoring RTL languages in layouts
• Anti-pattern 214: Not specifying print styles for docs
• Anti-pattern 215: Using screenshots instead of code examples
• Anti-pattern 216: No copy‑paste ready examples
• Anti-pattern 217: Inconsistent units (px vs rem vs em)
• Anti-pattern 218: Suggesting inline styles in complex apps
• Anti-pattern 219: No SSR/CSR distinction in web prompts
• Anti-pattern 220: No hydration boundaries planning
• Anti-pattern 221: Not separating server and client logic
• Anti-pattern 222: No streaming strategy for large payloads
• Anti-pattern 223: Forgetting pagination in lists
• Anti-pattern 224: Ignoring accessibility in data tables
• Anti-pattern 225: No skeleton loading guidance
• Anti-pattern 226: Not preferring progressive enhancement
• Anti-pattern 227: Assuming JS always enabled
• Anti-pattern 228: No offline/poor network strategies
• Anti-pattern 229: Not using content negotiation rules
• Anti-pattern 230: No compression guidance (gzip/br)
• Anti-pattern 231: No ETag or conditional request usage
• Anti-pattern 232: Not listing safe retry conditions
• Anti-pattern 233: No retry jitter to avoid thundering herd
• Anti-pattern 234: Missing “don’t repeat yourself” guideline
• Anti-pattern 235: Template variables not delimited
• Anti-pattern 236: Forgetting to define placeholders format
• Anti-pattern 237: No schema migration guidance
• Anti-pattern 238: Monolithic prompts instead of modular
• Anti-pattern 239: No content index or table of contents
• Anti-pattern 240: Not giving examples for both good/bad
• Anti-pattern 241: Asking for generalities, no specifics
• Anti-pattern 242: Not bounding the solution space
• Anti-pattern 243: Over‑constraining beyond feasibility
• Anti-pattern 244: Using non‑portable shell features
• Anti-pattern 245: Mixing Windows and Unix commands
• Anti-pattern 246: Wrong path separators for OS
• Anti-pattern 247: Not highlighting destructive commands
• Anti-pattern 248: Not requiring “confirm” semantics
• Anti-pattern 249: No rollback shell for migrations
• Anti-pattern 250: No env var prefix conventions
• Anti-pattern 251: Using reserved words as keys
• Anti-pattern 252: No code owners in generated modules
• Anti-pattern 253: No comments on non‑obvious code
• Anti-pattern 254: Excess comments stating the obvious
• Anti-pattern 255: No license in generated files where needed
• Anti-pattern 256: Ignoring performance budgets
• Anti-pattern 257: Forgetting long‑task splitting guidance
• Anti-pattern 258: No web vitals targets in UI docs
• Anti-pattern 259: Not testing prompts under load
• Anti-pattern 260: Ignoring cost regressions in prompts
• Anti-pattern 261: Not pinning embeddings model for RAG
• Anti-pattern 262: Not documenting chunking rules for RAG
• Anti-pattern 263: No overlap spec for RAG chunks
• Anti-pattern 264: Retriever top‑k not specified
• Anti-pattern 265: No reranking guidance when needed
• Anti-pattern 266: Not limiting context duplication
• Anti-pattern 267: No citation boundaries for RAG
• Anti-pattern 268: No anti‑hallucination reminders
• Anti-pattern 269: Asking for proprietary formats w/o license
• Anti-pattern 270: No test data anonymization rules
• Anti-pattern 271: No prompt linting in CI
• Anti-pattern 272: No prompt library ownership
• Anti-pattern 273: No prompt catalog metadata
• Anti-pattern 274: No change log for prompts
• Anti-pattern 275: Not archiving deprecated prompts
• Anti-pattern 276: Mixing staging and prod prompt libraries
• Anti-pattern 277: No tenant isolation for prompts
• Anti-pattern 278: Asking for DB admin tasks in app code
• Anti-pattern 279: No index strategy when generating SQL
• Anti-pattern 280: No transaction boundaries in examples
• Anti-pattern 281: No idempotent retry in payment flows
• Anti-pattern 282: No clear ambiguity resolution steps
• Anti-pattern 283: Missing “ask clarifying questions” rule
• Anti-pattern 284: No “stop when insufficient context” rule
• Anti-pattern 285: Not specifying dependencies output format
• Anti-pattern 286: Asking for package installs without versions
• Anti-pattern 287: No OS/package manager differences
• Anti-pattern 288: Copying vendor configs without adaptation
• Anti-pattern 289: No operator guidance for daily ops
• Anti-pattern 290: No SRE readiness checklist
• Anti-pattern 291: Not specifying where secrets come from
• Anti-pattern 292: Using plaintext secrets in examples
• Anti-pattern 293: Not warning about rate limits/quotas
• Anti-pattern 294: No sandbox vs prod distinctions
• Anti-pattern 295: No test isolation guidance
• Anti-pattern 296: Missing seeding/fixtures info
• Anti-pattern 297: Flaky test acceptance in outputs
• Anti-pattern 298: Ignoring determinism in tests
• Anti-pattern 299: No per‑env configuration examples
• Anti-pattern 300: No instructions to validate against schema

Appendix A2 — Golden Evaluation Cases (150)

• Eval Case 001: Extract contact info from noisy email footer
• Eval Case 002: Normalize dates into ISO8601 across locales
• Eval Case 003: Classify support tickets into 6 categories
• Eval Case 004: Generate OpenAPI paths for CRUD resource
• Eval Case 005: Summarize PR diff into risks and tests
• Eval Case 006: Generate Jest tests for async error paths
• Eval Case 007: Convert legacy CSV to JSON with schema
• Eval Case 008: Find PII entities and mask them
• Eval Case 009: Map product attributes to canonical schema
• Eval Case 010: Write SQL query with cursor pagination
• Eval Case 011: Propose index for slow query plan
• Eval Case 012: Generate ADR from alternatives list
• Eval Case 013: Explain 500 error logs with root cause
• Eval Case 014: Optimize React component for INP
• Eval Case 015: Convert REST payloads to GraphQL types
• Eval Case 016: Detect SSRF risks in URL fetch code
• Eval Case 017: Suggest CSP for new marketing site
• Eval Case 018: Draft incident comms for outage
• Eval Case 019: Migrate moment.js usage to date‑fns
• Eval Case 020: Add idempotency to payment handler
• Eval Case 021: Transform Markdown to HTML safely
• Eval Case 022: Draft SLOs for checkout API
• Eval Case 023: Identify missing tests in PR diff
• Eval Case 024: Generate Helm values from env file
• Eval Case 025: Explain TypeScript error with fix
• Eval Case 026: Draft Terraform policy for SGs
• Eval Case 027: Create Semgrep rule for raw SQL
• Eval Case 028: Draft DLP patterns for PII in logs
• Eval Case 029: Create onboarding plan for new dev
• Eval Case 030: Generate docstrings per style guide
• Eval Case 031: Draft OAuth scopes matrix
• Eval Case 032: Convert CSV delimiter reliably
• Eval Case 033: Build release notes from PR titles
• Eval Case 034: Propose cache keys for list filters
• Eval Case 035: Generate SQL migration with rollback
• Eval Case 036: Draft codeowners for critical paths
• Eval Case 037: Create feature flag rollout plan
• Eval Case 038: Explain GraphQL resolver N+1 fix
• Eval Case 039: Map OWASP Top 10 to backlog tasks
• Eval Case 040: Create redaction middleware spec
• Eval Case 041: Suggest alt text for hero images
• Eval Case 042: Draft error codes catalog
• Eval Case 043: Convert YAML to JSON with schema
• Eval Case 044: Propose test data anonymization
• Eval Case 045: Draft risk register entries
• Eval Case 046: Generate SAST ignore with rationale
• Eval Case 047: Design retry policy matrix
• Eval Case 048: Create CI matrix for platforms
• Eval Case 049: Draft SLA and alert thresholds
• Eval Case 050: Summarize logs into incident timeline
• Eval Case 051: Generate CSV parsing edge cases list
• Eval Case 052: Convert units with rounding rules
• Eval Case 053: Build prompt schema for RAG
• Eval Case 054: Draft privacy policy clauses
• Eval Case 055: Suggest A11y improvements for form
• Eval Case 056: Create A/B test experiment plan
• Eval Case 057: Propose streaming strategy for SSR
• Eval Case 058: Draft API pagination examples
• Eval Case 059: Suggest bundling optimizations
• Eval Case 060: Propose cache headers for assets
• Eval Case 061: Convert docx to Markdown constraints
• Eval Case 062: Draft GraphQL persisted query policy
• Eval Case 063: Create guardrails for function tools
• Eval Case 064: Draft logging fields catalog
• Eval Case 065: Create SLO error budget policies
• Eval Case 066: Propose index per query workload
• Eval Case 067: Draft RBAC roles for SaaS app
• Eval Case 068: Create cost dashboards metrics list
• Eval Case 069: Draft code review checklist
• Eval Case 070: Generate test fixtures template
• Eval Case 071: Propose API versioning plan
• Eval Case 072: Create 2FA enrollment UX content
• Eval Case 073: Draft passwordless rollout steps
• Eval Case 074: Create backup/restore drill plan
• Eval Case 075: Draft vulnerability triage SOP
• Eval Case 076: Create secrets rotation calendar
• Eval Case 077: Draft environment promotion policy
• Eval Case 078: Propose CDN caching strategy
• Eval Case 079: Build data retention schedule
• Eval Case 080: Draft changelog format
• Eval Case 081: Propose rate limit tiers
• Eval Case 082: Create service dependency map
• Eval Case 083: Draft observability sampling plan
• Eval Case 084: Create runbook template
• Eval Case 085: Draft risk acceptance form
• Eval Case 086: Propose ETag strategy for lists
• Eval Case 087: Create input validation rules
• Eval Case 088: Draft CSP nonces/hashes policy
• Eval Case 089: Create SSRF allowlist rules
• Eval Case 090: Draft PII minimization checklist
• Eval Case 091: Propose schema for metrics events
• Eval Case 092: Create feature maturity rubric
• Eval Case 093: Draft cloud region selection guide
• Eval Case 094: Create dataset lineage policy
• Eval Case 095: Draft ATO checklist
• Eval Case 096: Create pen‑test readiness list
• Eval Case 097: Draft SLA for internal tools
• Eval Case 098: Propose static asset pipeline
• Eval Case 099: Create API error examples catalog
• Eval Case 100: Draft UI copy tone guide
• Eval Case 101: Propose compression thresholds
• Eval Case 102: Create error taxonomy
• Eval Case 103: Draft code style deviations policy
• Eval Case 104: Create performance budgets doc
• Eval Case 105: Draft fallback UX rules
• Eval Case 106: Propose build cache strategy
• Eval Case 107: Draft PR template with sections
• Eval Case 108: Create DAST target list
• Eval Case 109: Draft CSRF protection plan
• Eval Case 110: Create binary artifact signing plan
• Eval Case 111: Draft SBOM retention policy
• Eval Case 112: Create API quota enforcement plan
• Eval Case 113: Draft cookie policy
• Eval Case 114: Create device posture signals list
• Eval Case 115: Draft TLS cipher policy
• Eval Case 116: Create dependency pinning policy
• Eval Case 117: Draft model selection guide
• Eval Case 118: Create prompt library metadata
• Eval Case 119: Draft prompt change control
• Eval Case 120: Create prompt lint rules
• Eval Case 121: Draft red team prompt suite
• Eval Case 122: Create jailbreak defense plan
• Eval Case 123: Draft eval dataset curation SOP
• Eval Case 124: Create test coverage KPIs
• Eval Case 125: Draft cache invalidation rules
• Eval Case 126: Create log retention policy
• Eval Case 127: Draft incident roles matrix
• Eval Case 128: Create incident severity levels
• Eval Case 129: Draft customer comms templates
• Eval Case 130: Create SRE runbook checklist
• Eval Case 131: Draft mobile secure storage spec
• Eval Case 132: Create deep‑link security policy
• Eval Case 133: Draft clipboard security rules
• Eval Case 134: Create screenshot privacy rules
• Eval Case 135: Draft browser extension policy
• Eval Case 136: Create secrets scanning exemptions
• Eval Case 137: Draft GraphQL authZ patterns
• Eval Case 138: Create multi‑tenant isolation tests
• Eval Case 139: Draft synthetic monitoring plan
• Eval Case 140: Create RUM sampling policy
• Eval Case 141: Draft export data schema
• Eval Case 142: Create import validation rules
• Eval Case 143: Draft CSV escaping policy
• Eval Case 144: Create pagination UX patterns
• Eval Case 145: Draft table accessibility rules
• Eval Case 146: Create PDF export checklist
• Eval Case 147: Draft email deliverability plan
• Eval Case 148: Create SAST baseline update SOP
• Eval Case 149: Draft DLP policies for repos
• Eval Case 150: Create compliance mapping index

Appendix A3 — Quick Reference Notes (23)

• Note 01: Always state role, context, and instruction explicitly
• Note 02: Provide examples for non‑standard formats
• Note 03: Use JSON schemas and validate outputs
• Note 04: Keep safety guardrails visible and strict
• Note 05: Reserve tokens; keep prompts concise
• Note 06: Prefer stepwise reasoning on hard tasks
• Note 07: Separate analysis and generation phases
• Note 08: Pin models and parameters for reproducibility
• Note 09: Cache stable prompts and outputs
• Note 10: Add backoff and retries to tool calls
• Note 11: Use deterministic post‑processing
• Note 12: Track latency, cost, and error rates
• Note 13: Add evals to CI like unit tests
• Note 14: Version prompts and keep change logs
• Note 15: Include audience and tone guidance
• Note 16: Avoid hallucinations with citations or RAG
• Note 17: Prefer structured outputs over prose
• Note 18: Keep code compilable and runnable
• Note 19: Add tests to all generated code
• Note 20: Secure by default; least privilege
• Note 21: Localize and format with locales
• Note 22: Document limitations and failure modes