How to Review AI-Generated Code Before You Merge
A practical review workflow for code generated by Cursor, Claude Code, Codex, Copilot, Windsurf, ChatGPT, Lovable, Bolt, or Replit Agent.
AI-generated code should be reviewed by workflow, not by trust. Whether the change came from Cursor, Claude Code, Codex, Copilot, Windsurf, ChatGPT, Lovable, Bolt, or Replit Agent, the first job is to check scope, behavior, risky systems, and verification gates.
Use the AI Code Review Checklist when you need a local review note. For the full release path, start from the AI Coding Workflow Checklist.
Start with the changed files
Before reading the code line by line, answer three questions:
- What did you ask the AI to do?
- Which files changed?
- Which files are surprising?
AI agents often edit nearby files while solving a task. That can be useful, but it can also hide unrelated refactors, config changes, test rewrites, or generated assets. If the diff is broad, compare it with the original task before you accept it.
Review behavior before style
Do not start with naming or formatting. First check whether existing behavior still works:
- Does the old user flow still pass?
- Did redirects, filters, forms, or empty states change?
- Did a copied ChatGPT snippet skip error handling?
- Did a vibe coding builder create happy-path-only UI?
If the project has tests, run them. If it does not, write a manual gate: route, account type, browser, command, and expected result.
Check risky systems explicitly
Some changes need extra review even when the UI looks fine:
| Risk area | What to check |
|---|---|
| Auth | Anonymous, normal user, admin, expired session |
| Data | Migrations, default values, delete/update scripts |
| Payments | Test/live keys, webhook URL, duplicate events |
| API | Request shape, response fields, status codes, CORS |
| SEO | Title, description, canonical, sitemap, robots |
| Mobile | 360px layout, fixed buttons, keyboard and overflow |
These checks matter for technical developers and non-technical vibe coders alike. A generated app can appear complete while still leaking a key, hiding an error state, or failing on deploy.
Ask the AI better follow-up questions
Good review questions are specific:
- Which files changed outside the original task, and why?
- What existing flow could this patch break?
- Which env vars are required, and which are safe for the client?
- What command or manual step verifies the fix?
- What should the next AI agent avoid changing?
Copy the answers into a PR description, issue, or handoff note. If the review finds a bug, switch to the Bug Report Packet Builder so the next debugging pass starts with clean context.
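As an added example that is not part of the original checklist, the Python script below automates three of the checks above so their results can be pasted straight into the PR note: the changed-files scope comparison, the risk-area table, and the "which env vars are safe for the client" question. The path globs, the client-exposure prefixes (`NEXT_PUBLIC_`, `VITE_`, `REACT_APP_`) and the sample diff are assumptions constructed for the illustration.

```python
import re
from fnmatch import fnmatch

# Risk areas from the review table mapped to path globs (assumed web-app layout).
RISK_PATTERNS = {
    "auth": ["*auth*", "*session*", "*middleware*"],
    "data": ["*migrations/*", "*schema*", "*seed*"],
    "payments": ["*payment*", "*webhook*", "*billing*"],
    "api": ["*/api/*", "*routes*"],
    "config": ["*.env*", "*.toml", "*.yaml", "*.yml", "*.json", "dockerfile"],
    "tests": ["*test*", "*spec*"],
}
# Prefixes that bundlers ship to the browser (assumption: Next.js / Vite / CRA).
CLIENT_PREFIXES = ("NEXT_PUBLIC_", "VITE_", "REACT_APP_")
SECRET_HINT = re.compile(r"SECRET|PRIVATE|SERVICE_ROLE|TOKEN|PASSWORD")
ENV_REF = re.compile(r"(?:process\.env\.|import\.meta\.env\.)([A-Z][A-Z0-9_]+)")

def out_of_scope(changed, task_paths):
    """Changed files that no path glob from the original task accounts for."""
    return sorted(f for f in changed if not any(fnmatch(f, p) for p in task_paths))

def risk_areas(changed):
    """Map each checklist risk area to the changed files that touch it."""
    hits = {area: sorted(f for f in changed if any(fnmatch(f.lower(), g) for g in globs))
            for area, globs in RISK_PATTERNS.items()}
    return {area: files for area, files in hits.items() if files}

def exposed_secrets(added_lines):
    """Env vars read by added code that the bundler exposes yet are named like secrets."""
    found = set()
    for line in added_lines:
        for name in ENV_REF.findall(line):
            if name.startswith(CLIENT_PREFIXES) and SECRET_HINT.search(name):
                found.add(name)
    return sorted(found)

# Constructed sample: the task was "fix the checkout button on the pricing page".
TASK_PATHS = ["src/pages/pricing*", "src/components/CheckoutButton*"]
CHANGED = ["src/pages/pricing.tsx", "src/components/CheckoutButton.tsx",
           "src/pages/api/webhooks/payments.ts", "db/migrations/0007_drop_old_orders.sql",
           "src/lib/auth.ts", "package.json", "tests/checkout.spec.ts"]
ADDED_LINES = [  # constructed '+' lines from the same diff
    "+const pay = new PaymentClient(process.env.NEXT_PUBLIC_PAYMENT_SECRET_KEY);",
    "+const siteUrl = process.env.NEXT_PUBLIC_SITE_URL;",
    "+const db = connect(process.env.DB_SERVICE_ROLE_KEY);  // server-only: fine",
    "+fetch(siteUrl, { headers: { Authorization: import.meta.env.VITE_API_TOKEN } });",
]

if __name__ == "__main__":  # the three findings a reviewer pastes into the PR note
    print(out_of_scope(CHANGED, TASK_PATHS), risk_areas(CHANGED), exposed_secrets(ADDED_LINES))
```

Feed it the real changed-file list from `git diff --name-only` and the `+` lines of the diff; anything it reports still needs the manual gate from the checklist, it only tells you where to look first.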