
How We Stopped Claude Code from Writing eval() in Production
Claude Code wrote eval() in our production codebase. Nobody caught it for 3 days.

It was a Tuesday refactor. We asked Claude Code to consolidate three config parsers into one. The task was mundane -- merge duplicate logic, unify the interface, write tests. Claude did exactly what we asked. Clean code. Tests passed. PR approved by two engineers who both said "looks good."

Three days later, our security scanner flagged it in the nightly report. Buried on line 47 of the new unified parser:

const parsed = eval('(' + configString + ')');

Claude had decided that the fastest way to parse a flexible config format -- sometimes JSON, sometimes a JS object literal -- was to eval() the string. And it was right. It worked perfectly. Every test passed. The code was readable, well-commented, and syntactically clean.

It was also a textbook remote code execution vulnerability.

If you're using AI coding tools, here's the question you should be asking yourself right now: what's in your codebase th
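To make the failure concrete, here is an added example (not the article's code, and not the authors' actual parser): the eval()-based parser the post describes, a hardened replacement that accepts strict JSON only, and a small source check of the kind that would surface the call in the PR rather than in a nightly scan. The function names and sample config strings are constructed for this illustration.

```javascript
// Before: "JSON or JS object literal" is handled by evaluating the string.
// Whatever reaches configString runs as code in the parser's process.
function parseConfigUnsafe(configString) {
  // Kept deliberately, as the post describes the vulnerable line.
  return eval('(' + configString + ')');
}

// After: strict JSON only. A JS object literal is rejected with a clear
// error instead of being evaluated; the config gets fixed, not the parser
// widened.
function parseConfigSafe(configString) {
  let parsed;
  try {
    parsed = JSON.parse(configString);
  } catch (err) {
    throw new Error('config must be strict JSON (no JS object literals): ' + err.message);
  }
  if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
    throw new Error('config root must be a JSON object');
  }
  return parsed;
}

// Review-time check: flag dynamic code evaluation (eval, Function, new
// Function) per source line so the finding lands in the PR. The \b keeps
// identifiers such as myFunction( from matching.
const DYNAMIC_EVAL = /\b(eval|Function)\s*\(/;
function findDynamicEval(sourceText) {
  return sourceText.split('\n').flatMap((line, i) =>
    DYNAMIC_EVAL.test(line) ? [{ line: i + 1, text: line.trim() }] : []);
}

// Constructed inputs: a valid JSON config, the object-literal form the
// eval() was added to tolerate, and a string that is not data at all.
const BENIGN = '{"timeout": 30, "retries": 3}';
const OBJECT_LITERAL = '{timeout: 30, retries: 3}';
const NOT_DATA = '(() => { globalThis.evalRan = true; return {}; })()';

// Constructed source snippet for the review check; line 2 is the post's line.
const SAMPLE_SOURCE = [
  'const a = JSON.parse(s);',
  "const parsed = eval('(' + configString + ')');",
  "const f = new Function('return 1');",
].join('\n');
```

parseConfigUnsafe happily returns {} for NOT_DATA while also running the embedded function, which is the whole problem; parseConfigSafe throws on both NOT_DATA and the object literal, and findDynamicEval(SAMPLE_SOURCE) reports lines 2 and 3.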
Continue reading on Dev.to