Skip to main content

Code Generation

AI is most effective for code generation when the task is well-defined and bounded. Use it to eliminate repetitive work — not to figure out what you're building.

What AI generates well

  • Boilerplate (API routes, CRUD handlers, form schemas)
  • Data transformations and mapping functions
  • Regex patterns and parser logic
  • Type definitions from JSON or database schemas
  • Configuration files (Dockerfile, CI pipelines, linting rules)
  • Repetitive UI components with variations

What to avoid generating blindly

  • Authentication and authorisation logic (verify every line)
  • Cryptography (never use AI-generated crypto without expert review)
  • SQL queries on untrusted input (always check for injection)
  • Business logic you don't fully understand yet

Generating from a schema

Give the model a source of truth and ask it to derive code from it:

Here is my Zod schema:

const UserSchema = z.object({
  id: z.string().uuid(),
  email: z.string().email(),
  role: z.enum(['admin', 'member', 'viewer']),
  createdAt: z.date(),
});

Generate:
1. The TypeScript type (inferred from the schema)
2. A mock factory function for tests
3. An Express POST /users route that validates the body and returns 201

Generating from examples

If you have existing code you want replicated in a different shape:

Here's how I handle a GET endpoint in this codebase:

[paste example]

Now generate a DELETE /users/:id endpoint that follows the same pattern.

Iterating on generated code

Generated code rarely fits perfectly on the first pass. Use follow-up messages to refine:

  1. Fix types: "The return type should be Promise<User | null>, not Promise<User>"
  2. Adjust style: "Use named exports, not default exports"
  3. Add error handling: "Handle the case where the database returns null"
  4. Optimise: "This runs N+1 queries — rewrite it using a JOIN"

Reviewing generated code

Before using any generated code, check:

  • Does it compile without errors?
  • Does it handle null, undefined, and empty inputs?
  • Are there any hardcoded values that should be configurable?
  • Does it import everything it uses?
  • Does it introduce any security risks?