apgwoz 3 hours ago

> There’s probably more I built that I have already forgotten about.

This is a big gripe of mine at the moment. I rarely have any confidence that I know how the thing works, or what additional things it does / does not do but which I expect. Recent example: all API endpoints should require a bearer token. Imagine my surprise when half of them didn’t enforce this effectively, 3 days later. A bearer token would work, but also providing no bearer token would also work. Over the course of time, tests were removed / things were modified to get to the goal and say “done, boss!” I’ll note that for this project, “don’t look at the source code” was a requirement. Things have been corrected before release, but the amount of potential foot guns is so damn high.
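An added example, not part of the comment above or of the commenter's project: a regression check that walks every registered route and reports any that answer a request lacking a valid bearer token with something other than 401. The route table, handlers, decorator names and token are all constructed for illustration.

```python
import hmac

# Constructed sample service: every name below is hypothetical.
VALID_TOKEN = "constructed-sample-token"

def require_bearer(handler):
    """Reject the request unless it carries the expected bearer token."""
    def wrapped(headers):
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        if scheme != "Bearer" or not hmac.compare_digest(token, VALID_TOKEN):
            return 401, "unauthorized"
        return handler(headers)
    return wrapped

def lenient_bearer(handler):
    """The failure described above: a bad token is rejected, a missing one is not."""
    def wrapped(headers):
        auth = headers.get("Authorization")
        if auth is not None and auth != f"Bearer {VALID_TOKEN}":
            return 401, "unauthorized"
        return handler(headers)
    return wrapped

ROUTES = {
    ("GET", "/orders"): require_bearer(lambda h: (200, "orders")),
    ("POST", "/orders"): lenient_bearer(lambda h: (200, "created")),
    ("GET", "/export"): lambda h: (200, "export"),  # no check at all
}

# Requests that must never succeed on a protected endpoint.
NEGATIVE_CASES = {
    "no header": {},
    "empty token": {"Authorization": "Bearer "},
    "wrong token": {"Authorization": "Bearer wrong"},
    "wrong scheme": {"Authorization": f"Basic {VALID_TOKEN}"},
}

def auth_gaps(routes, public=frozenset()):
    """Return {route: [negative cases that were not answered with 401]}."""
    gaps = {}
    for route, handler in routes.items():
        if route in public:  # explicit allowlist; everything else is protected
            continue
        failed = [name for name, headers in NEGATIVE_CASES.items()
                  if handler(dict(headers))[0] != 401]
        if failed:
            gaps[route] = failed
    return gaps
```

Because the check iterates the route table instead of a hand-maintained list, a newly added endpoint is covered by default, and deleting one endpoint's tests does not remove its coverage.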