Code Room
Vibe codingHardvc-g219
Subject Ai code reviewLevel Senior–Staff~20 minCommon in Security interviewsIndustries Software development

Question

Asked to add a per-tenant rate limiter to a multi-tenant API, an AI agent produced this TypeScript middleware. It compiles, passes the happy-path test, and the agent explained it confidently. It's going into a regulated fintech gateway. What's wrong, and how would your process have caught it before it shipped?

typescript
const counts = new Map<string, number>(); export function rateLimit(req, res, next) {  const tenant = req.headers["x-tenant-id"] ?? "anon";  const n = (counts.get(tenant) ?? 0) + 1;  counts.set(tenant, n);  if (n > 100) {    return res.status(429).send("rate limited");  }  setTimeout(() => counts.set(tenant, 0), 60_000);  next();}
What a strong answer looks like

Treat the AI’s output as a draft to verify, not an answer to trust. Name the specific flaw and the input that triggers it, say how you’d catch it — tests, edge cases, reading critically — and how you’d re-prompt or decompose to get it right.

Describe your solution

Vibe coding: describe the solution in plain language (or narrate it) and the coach grades your approach. Generating runnable code from your description is coming next.

Run or narrate your approach, then ask the coach.