Free checklist
6-point checklist for reviewing AI-generated code changes
Before you merge an AI-agent diff, run through this checklist. It catches the patterns that cause the most production incidents.
The checklist
- Dependency changes — Did the agent add, remove, or update packages (package.json, requirements.txt, go.mod)? Check necessity, reputation, and lockfile consistency.
- Auth/payment/security paths — Did the diff touch auth middleware, payment processing, or security-critical code? These need extra human review.
- Config and infrastructure — Did .env, config.yaml, Dockerfile, docker-compose, or CI pipeline files change? Verify they match all environments.
- Source changed without tests — If a source file changed but no test file changed, the change is either untested or the agent wrote code it didn't verify.
- Secret-like literals — Look for api_key=, token=, password=, or long random strings. Sometimes they're test fixtures. Sometimes they're real credentials.
- Large or generated-looking diffs — 500+ line diffs or files that look auto-generated get a lower trust score. Review line-by-line or request a clear explanation.
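The six checks above, expressed as a stdlib-only Python audit over a unified diff. This is an added example, not the kit's own code; the file-name patterns, the secret-literal regex and the sample diff are assumptions constructed for illustration.

```python
import re
DEP_FILES = {"package.json", "package-lock.json", "requirements.txt", "go.mod", "go.sum"}
CONFIG_PREFIXES = (".env", "config.yaml", "Dockerfile", "docker-compose")
SENSITIVE_PATH = re.compile(r"auth|login|session|payment|billing|checkout", re.I)
TEST_PATH = re.compile(r"(^|/)(tests?|__tests__|spec)/|_test\.|\.test\.|\.spec\.|(^|/)test_", re.I)
SECRET = re.compile(r"(api_key|token|password|secret)\s*[=:]\s*\S{8,}|['\"][A-Za-z0-9+/=_-]{32,}['\"]", re.I)
SOURCE_EXT = (".py", ".js", ".ts", ".go", ".rb", ".java")

def parse_diff(diff):
    """Map each changed path (taken from 'diff --git a/x b/x' headers) to its added lines."""
    files, current = {}, None
    for line in diff.splitlines():
        if line.startswith("diff --git "):
            current = line.split(" b/", 1)[1]
            files[current] = []
        elif current is not None and line.startswith("+") and not line.startswith("+++"):
            files[current].append(line[1:])
    return files

def audit_diff(diff, large_threshold=500):
    """Return one finding per checklist hit; an empty list means nothing was flagged."""
    files, findings = parse_diff(diff), []
    for path, added in files.items():
        base = path.rsplit("/", 1)[-1]
        if base in DEP_FILES:                      # 1. dependency changes
            findings.append(f"dependency-change: {path}")
        if SENSITIVE_PATH.search(path):            # 2. auth/payment/security paths
            findings.append(f"sensitive-path: {path}")
        if base.startswith(CONFIG_PREFIXES) or ".github/workflows/" in path:  # 3. config/CI
            findings.append(f"config-change: {path}")
        for n, text in enumerate(added, 1):        # 5. secret-like literals in added lines
            if SECRET.search(text):
                findings.append(f"secret-like-literal: {path} (added line {n})")
    src = [p for p in files if p.endswith(SOURCE_EXT) and not TEST_PATH.search(p)]
    if src and not any(TEST_PATH.search(p) for p in files):  # 4. source changed, no test changed
        findings.append("source-without-tests: " + ", ".join(src))
    if (total := sum(len(v) for v in files.values())) >= large_threshold:  # 6. large diffs (added lines only)
        findings.append(f"large-diff: {total} added lines")
    return findings

# Constructed sample diff (not from any real repository) that trips several checks at once.
SAMPLE_DIFF = """\
diff --git a/requirements.txt b/requirements.txt
@@ -1,1 +1,2 @@
 flask==3.0.0
+totally-legit-helper==0.0.1
diff --git a/src/auth/middleware.py b/src/auth/middleware.py
@@ -1,2 +1,3 @@
+API_KEY = "sk_live_constructed_example_0123456789abcdef"
"""
```

Running `audit_diff(SAMPLE_DIFF)` yields four findings (dependency change, sensitive path, secret-like literal, source without tests); as the compliance note below says, these are pattern matches to review, not verdicts.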
Automate this checklist
The AI Agent Change Risk Audit Kit runs this checklist automatically on every diff — local, no cloud, under 1 second, with CI integration.
Basic Kit
$5 one-time
- CLI tool (Python, stdlib only)
- Local HTTP API server
- CI exit code gate
- JSON output mode
- GitHub Actions template
- Test suite (14 tests)
- Commercial license
Manual-delivery MVP. PayPal Standard checkout.
Pro Pack
$19 one-time
- Everything in Basic, plus:
- Multi-repo batch audit
- Agency review checklist
- Pre-commit hook template
- Slack/Teams integration
- Priority email support
Manual-delivery MVP. PayPal Standard checkout.
Compliance note
This checklist is a review aid, not a guarantee of security or correctness. Always run your own tests and security scans. False positives are possible with any pattern-matching approach.