Catch risky AI-generated code before it merges.

A 15-minute checklist for reviewing pull requests from Cursor, Copilot, Codex, and other coding agents — plus a worked example of what a second pass actually catches.

See the worked example Get the checklist

The problem

Agent PRs often look merge-ready: tidy diff, green tests, confident message. The risky part is usually not obviously bad code — it is plausible code that did not get reviewed deeply enough. Scope drift in auth middleware. Tests that pass without proving behavior. Handlers that only cover the happy path.

See it on a diff

We walk through a synthetic agent PR: permission widening buried in a refactor, hollow tests, an unrelated config change. Twelve minutes. Would have merged on a skim.

Read the walkthrough

What you get free

Why trust it

Read the walkthrough and decide if the catches match problems you have seen. This is a narrow pre-merge pass — not a replacement for security review or your judgment.

Help shape it

Review agent PRs regularly? Tell us what the checklist misses.

Open checklist Send feedback