Code Quality and Clean Code Principles

“Quality” is the word teams reach for when a codebase frustrates them and nobody wants to argue about specifics. The articles in this collection try to put specifics back: which metric actually predicts maintainability, which Clean Code rule survives contact with a real change request, which analyzer warning is signal and which is decoration. Quality without a measurement attached is taste, and taste does not survive a team rotation.

The metric-focused content treats cyclomatic complexity, maintainability index, and class coupling as imperfect proxies rather than thresholds. The same number means different things in a CQRS handler and in a parser. Articles cover how to configure code metrics in Visual Studio and dotnet tooling so the output reflects intent — and when to ignore the numbers because the context invalidates them.

Analyzer and nullable-reference-type content sits at the boundary between style and correctness. Turning on TreatWarningsAsErrors, adopting <Nullable>enable</Nullable> in a legacy project, and choosing which Roslyn rules to enforce in .editorconfig are not aesthetic choices — they decide what kind of bug your CI is allowed to ship. The articles walk through staged adoption strategies rather than the all-or-nothing flag flip that most teams attempt and abandon.
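One shape the staged adoption can take, written as a Directory.Build.props that applies to every project under it. This is an added example, not configuration taken from any article on this page; the `Legacy.` project-name prefix is a placeholder, and the CI gate relies on the `CI=true` environment variable that hosted runners such as GitHub Actions set.

```xml
<Project>
  <!-- Stage 1 (every project): turn on only the annotation context, so '?'
       can be added to signatures without producing warnings yet. -->
  <PropertyGroup>
    <Nullable>annotations</Nullable>
    <AnalysisLevel>latest-recommended</AnalysisLevel>
    <EnforceCodeStyleInBuild>true</EnforceCodeStyleInBuild>
  </PropertyGroup>

  <!-- Stage 2 (annotated projects only): full nullable context, and only the
       nullable warning family is promoted to errors. Unrelated analyzer
       warnings still pass, so one noisy CA rule cannot stall the rollout.
       'Legacy.' is a hypothetical prefix for projects not yet annotated. -->
  <PropertyGroup Condition="!$(MSBuildProjectName.StartsWith('Legacy.'))">
    <Nullable>enable</Nullable>
    <WarningsAsErrors>$(WarningsAsErrors);nullable</WarningsAsErrors>
  </PropertyGroup>

  <!-- Stage 3 (CI only): every warning fails the build on the build server.
       Local builds keep warnings as warnings so a developer mid-refactor
       is not blocked by a rule the team has already agreed to enforce. -->
  <PropertyGroup Condition="'$(CI)' == 'true'">
    <TreatWarningsAsErrors>true</TreatWarningsAsErrors>
  </PropertyGroup>
</Project>
```

Individual Roslyn rules are still chosen per rule in .editorconfig; a line such as `dotnet_diagnostic.CA2100.severity = error` (the SQL-query review rule) is what turns a security analyzer from decoration into a build failure, and it is the kind of setting that survives a team rotation because nobody has to remember it.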

Testing strategy gets the same treatment. Coverage percentages are easy to game; mutation testing exposes assertions that test nothing. Articles examine where mutation testing pays for its runtime cost, where it produces noise, and how to read the surviving mutants without rewriting the entire suite.
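What a surviving mutant looks like in practice, as an added example rather than code from any article on this page. The `PasswordPolicy` class and the xUnit tests are constructed for illustration; the mutation tool itself (Stryker.NET is the usual choice for .NET) is assumed and not shown.

```csharp
using System;
using Xunit;

// Constructed example: a policy whose boundaries are exactly what a mutation
// tool attacks (">=" to ">", "&&" to "||", the constant 12 to 11 or 13).
public static class PasswordPolicy
{
    public const int MinLength = 12;

    public static bool IsAcceptable(string password)
    {
        if (password is null) throw new ArgumentNullException(nameof(password));

        bool longEnough = password.Length >= MinLength;
        bool hasDigit = false, hasLetter = false;
        foreach (char c in password)
        {
            if (char.IsDigit(c)) hasDigit = true;
            else if (char.IsLetter(c)) hasLetter = true;
        }
        return longEnough && hasDigit && hasLetter;
    }
}

public class PasswordPolicyTests
{
    // 100% line coverage of IsAcceptable and zero mutants killed: nothing is
    // asserted about the result, so every mutation still passes this test.
    [Fact]
    public void Weak_OnlyChecksThatItDoesNotThrow()
    {
        var ex = Record.Exception(() => PasswordPolicy.IsAcceptable("correct-horse-1"));
        Assert.Null(ex);
    }

    // Boundary cases kill the typical mutants:
    //   ">=" -> ">"        : the exactly-12-char input is rejected
    //   "&&" -> "||"       : the all-letter and all-digit inputs are accepted
    //   MinLength -> 11/13 : one of the two length cases flips
    [Theory]
    [InlineData("abcdefghijk1", true)]   // exactly 12 chars, digit and letter
    [InlineData("abcdefghij1", false)]   // 11 chars, one short
    [InlineData("abcdefghijkl", false)]  // 12 chars, no digit
    [InlineData("123456789012", false)]  // 12 chars, no letter
    public void Strong_AssertsTheBoundary(string password, bool expected)
    {
        Assert.Equal(expected, PasswordPolicy.IsAcceptable(password));
    }

    [Fact]
    public void Null_IsRejectedLoudly()
    {
        Assert.Throws<ArgumentNullException>(() => PasswordPolicy.IsAcceptable(null!));
    }
}
```

The point of reading the survivor list rather than the score is that each surviving mutant names the line and the operator that no assertion constrains; the fix is usually one boundary case, as in the theory above, not a rewrite of the suite.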

The social dimension runs through everything. Quality practices that one engineer pushes through review get reverted by the next rotation unless they live in tooling. The recurring theme is moving quality out of opinion and into configuration that fails the build — so the standard outlives whoever set it.

AI Code Review Is a Sycophant: Why It Always Approves

AI code review tools are genuinely useful for catching syntax errors, obvious bugs, and common anti-patterns. They are also systematically unable to tell you that the feature you built was the wrong call, that the abstraction is off, that the naming reveals confused thinking, or that the correct review comment is “delete this.” Here is what AI reviews find, what they miss, and why human judgment still has no substitute.

Your Privacy Docs Are Fiction: Let's Fix That with .NET CLI Tools

Spreadsheet-based privacy audits examine yesterday’s system while today’s code deploys undocumented PII. Build .NET CLI tools that discover all personal data, catch expired consents, and verify deletions. Then fail builds when compliance breaks.

Certified, Filed, Forgotten: The Compliance Trainwreck

Organization gets certified. Consultants cash their checks. Documentation gets filed somewhere. Then compliance becomes a Word document ritual: screenshot the portal, sign the checklist, ship it. Three months later, an audit exposes configuration drift, hardcoded secrets, and vulnerable dependencies nobody noticed. The forensic evidence disagrees with the signatures. The fix isn’t stricter sign-offs or more checklists. It’s treating compliance as an engineering problem with automated CLI tools that run on every deployment.

Your Incident Response Plan Is a Lie. Here's How to Fix It.

That incident response plan in your Confluence? Nobody reads it. The on-call engineer can’t find it. And when your production API is bleeding at 3 AM, you’ll improvise—badly. ISO 27001 A.16 doesn’t care about your documentation theater. It demands procedures that work. GitHub Actions turns incident response from compliance fiction into executable reality.

Stop Hoarding Personal Data in Entity Framework

The classic monolithic User entity—stuffed with birth dates, phone numbers, employment history, and marital status “just in case”—turns into a compliance nightmare the moment someone requests data deletion. You can’t delete without breaking referential integrity. You can’t keep the data without violating GDPR. You can’t anonymize without retaining fields that should never have existed. The solution isn’t complex: separate operational data from personal data, make consent-based fields nullable and purpose-documented, implement soft deletes with query filters, and validate your API boundaries with integration tests that fail when unnecessary fields leak through. Data minimization isn’t regulatory overhead—it’s architectural hygiene that makes your deletion logic straightforward and your audit responses honest.
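The split the blurb describes, as an added EF Core example that is not code from the article itself. The entity names, the `billing` and `newsletter` purposes, and the `Erasure` helper are all constructed for illustration; the model uses EF Core's `HasQueryFilter`, `IgnoreQueryFilters` and `[Comment]` as they exist in the library.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.EntityFrameworkCore;

// Operational identity: what the system needs to keep running. Orders, audit
// rows and other foreign keys point here, so this row is never hard-deleted.
public class User
{
    public Guid Id { get; set; }
    public bool IsDeleted { get; set; }            // soft-delete flag
    public DateTime? DeletedAt { get; set; }
    public PersonalProfile? Profile { get; set; }  // absent once erased
}

// Personal data lives in its own table so erasure is a single row delete.
// Every field is nullable and carries the purpose that justifies collecting it
// (the [Comment] lands in the migration and the database schema).
public class PersonalProfile
{
    public Guid UserId { get; set; }

    [Comment("Purpose: billing. Needed to deliver invoices.")]
    public string? Email { get; set; }

    [Comment("Purpose: newsletter. Only set while MarketingConsentGivenAt is non-null.")]
    public string? Phone { get; set; }

    public DateTime? MarketingConsentGivenAt { get; set; }
}

public class AppDbContext : DbContext
{
    public AppDbContext(DbContextOptions<AppDbContext> options) : base(options) { }

    public DbSet<User> Users => Set<User>();
    public DbSet<PersonalProfile> Profiles => Set<PersonalProfile>();

    protected override void OnModelCreating(ModelBuilder modelBuilder)
    {
        modelBuilder.Entity<PersonalProfile>().HasKey(p => p.UserId);
        modelBuilder.Entity<User>()
            .HasOne(u => u.Profile)
            .WithOne()
            .HasForeignKey<PersonalProfile>(p => p.UserId);

        // Soft-deleted users vanish from every ordinary query. Code that must
        // see them (audit, the erasure test below) opts in with IgnoreQueryFilters.
        modelBuilder.Entity<User>().HasQueryFilter(u => !u.IsDeleted);
    }
}

public static class Erasure
{
    // Erasure request: delete the personal row outright, keep the operational
    // row so referential integrity holds, and mark it deleted.
    public static async Task<bool> EraseAsync(AppDbContext db, Guid userId)
    {
        var user = await db.Users
            .Include(u => u.Profile)
            .SingleOrDefaultAsync(u => u.Id == userId);
        if (user is null) return false;

        if (user.Profile is not null) db.Profiles.Remove(user.Profile);
        user.Profile = null;
        user.IsDeleted = true;
        user.DeletedAt = DateTime.UtcNow;
        await db.SaveChangesAsync();
        return true;
    }

    // What an integration test asserts after EraseAsync: the operational row is
    // still there behind the filter, and no personal row exists for it.
    public static async Task<bool> IsFullyErasedAsync(AppDbContext db, Guid userId)
    {
        bool userRowKept = await db.Users.IgnoreQueryFilters()
            .AnyAsync(u => u.Id == userId && u.IsDeleted);
        bool personalRowGone = !await db.Profiles.AnyAsync(p => p.UserId == userId);
        return userRowKept && personalRowGone;
    }
}
```

The API-boundary test the blurb mentions follows the same idea: project `User` into a response DTO that carries only the operational fields, and assert on the serialized shape so a new "just in case" property on the entity fails the test before it reaches a client.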