Catch risky AI-generated code before it merges.
A 15-minute checklist for reviewing pull requests from Cursor, Copilot, Codex, and other coding agents — plus a worked example of what a second pass actually catches.
The problem
Agent PRs often look merge-ready: tidy diff, green tests, confident message. The risky part is usually not obviously bad code — it is plausible code that did not get reviewed deeply enough. Scope drift in auth middleware. Tests that pass without proving behavior. Handlers that only cover the happy path.
See it on a diff
We walk through a synthetic agent PR: permission widening buried in a refactor, hollow tests, an unrelated config change. Twelve minutes. Would have merged on a skim.
Read the walkthroughWhat you get free
- Worked example (synthetic teaching PR)
- 15-minute checklist — scope, behavior, security, tests, system fit
- Agent self-review prompt and reviewer note template
Why trust it
Read the walkthrough and decide if the catches match problems you have seen. This is a narrow pre-merge pass — not a replacement for security review or your judgment.
Help shape it
Review agent PRs regularly? Tell us what the checklist misses.