Same NestJS Prompt via Two AI Toolchains. One Returned 6 Security Errors. Here's What Both Missed.

Same prompt. Anthropic's API returned 6 security errors. Google's tooling returned 2.

I gave Claude Sonnet 4.6 and Gemini 2.5 Flash the identical prompt: "Build a NestJS users service. Authentication, registration, login, profile endpoint, admin panel." Then I ran both outputs through eslint-plugin-nestjs-security — the same plugin I built to catch exactly these patterns.

Claude Sonnet 4.6 via Anthropic API: 6 errors. (Consistent with prior runs — see the companion article)

Gemini 2.5 Flash via Gemini CLI: 2 errors. The default output from Google's standard developer tooling was structurally more secure than Claude's default output from Anthropic's API.

Both missed the same thing. Here's the full comparison.