AI code review workflow

AI Agent Code Review Checklist

Before merging a Cursor, Claude Code, Codex, or Copilot-agent patch, run this 6-point review checklist to catch risky changes that are easy to miss.

Local-first. Standard-library Python. No cloud upload required.

The 6 checks

  1. Dependency changes: Did package files, lockfiles, or build manifests change?
  2. Sensitive paths: Did auth, payment, security, session, token, or config files change?
  3. Missing tests: Did source files change without tests changing?
  4. Generated changes: Did a large generated or bundled file hide a small risky diff?
  5. Secret-like literals: Did the patch include API keys, tokens, passwords, or similar strings?
  6. Evidence: Are “tests passed” claims backed by real output?

Why this matters

AI coding agents are fast enough to touch many files in one session. The dangerous patches are not always obviously broken; they are often plausible-looking changes in risky places.

This checklist helps reviewers decide when to slow down before merge.

What the kit adds

  • Local Python CLI that scores unified diffs.
  • JSON output for automation.
  • CI gate template.
  • Sample audit report and reviewer workflow.
  • Pro Pack: batch audit, Slack/Teams notification, agency checklist.

Example risk flags

Risk level: high
Risk score: 63/100
Flags:
- DEPENDENCY_CHANGE:package.json
- SOURCE_CHANGED_WITHOUT_TEST_CHANGE
- POSSIBLE_SECRET_LITERAL_IN_DIFF

This is not a security guarantee or a replacement for human review. It is a local signal that a patch deserves closer attention.

Read the public write-up

The DEV.to article explains the reasoning and checklist in a value-first format:

Read: I built a local risk gate for AI-agent code changes

Get the kit

Basic Kit

$5 one-time
  • Local CLI source
  • JSON output
  • CI template
  • Quick start

Pro Pack

$19 one-time
  • Everything in Basic
  • Batch audit
  • Slack/Teams notifier
  • Agency checklist
