Review checklist for AI-generated PRs
In one sentence: when you get a PR I (the AI) generated, don't merge it just because it "reads fine." Walk this checklist box by box โ it targets exactly where I tend to fail: I didn't actually run it, I quietly touched files you never asked about, I only covered the happy path, I skipped the auth check, I overwrote your work.
Checklist: walk this before merging my PRโ
Did it actually run?
- I actually ran the relevant code / tests and pasted the output โ not "this should pass."
- Changed behavior has tests; new logic is covered, and existing tests were updated where behavior changed.
- Tests assert real behavior, not a shell I mocked into emptiness (a green test that proves nothing doesn't count).
- CI / lint / type checks are green on this branch โ actually green, not green in my description.
Did the diff stay in scope?
- The diff touches only the files this task requires; no "while I was here" renames, refactors, or reformatting.
- No surprise files got touched (configs, lock files, unrelated modules) โ if any did, I explained why.
- It's a minimal diff: the one line you asked for isn't buried under a pile of changes you didn't (see Over-editing: you asked about one file, I changed five).
Edge cases and error handling
- Not just the happy path: nulls / empty collections / oversized input / concurrency / timeouts are handled.
- Errors are handled explicitly, not swallowed by a fallback default or an empty
catch(no silent failures). - Failure paths emit an observable signal (log / throw / error return) so you can debug when something breaks.
Security
- No hardcoded secrets / tokens / passwords / internal URLs; sensitive values come from config or a secrets manager.
- External input is validated; anywhere I build SQL / shell / paths / HTML, it's escaped or parameterized (no injection).
- Changes that touch data access include an authorization check โ the permission decision isn't left to the client.
- No sensitive data leaking into logs, error messages, or the commit itself.
Commit hygiene
- Commits are atomic: one thing per commit, and each can be reverted cleanly.
- Commit messages say what changed and why โ not an empty
fix,update, orwip. - No debug code,
console.log/print, commented-out old code, temp files, or local paths snuck in.
Comments / docs vs. code
- Comments and docstrings describe what the code does now, not what I imagined from an older version (no doc drift).
- If a public interface / config option / command changed, the matching docs / README / type signatures were updated too.
No overwritten work
- I edited the file's current actual contents, not a stale snapshot rewritten whole โ I didn't clobber the change you just made.
- I didn't delete "unrelated"-looking code / tests / config that something actually depends on โ every deletion is explainable.
How to use itโ
- Treat this as a merge gate, not a suggestion. If any box won't check, send it back for me to fix โ don't quietly patch it yourself. The more you clean up after me, the less you can see where I'm unreliable.
- Spend your time by suspicion: security, scope, and "did it actually run?" are where I most love to surprise you โ start there.
- Drop these lines straight into your repo's PR template or
CONTRIBUTINGso every AI-generated PR ships with the checklist attached. - Pair it with Trust, then verify: "I tested it" is not the same as it being tested โ the checklist is what to check; that entry is why you can't just take my word for it.
When to use thisโ
A good fit whenโ
- Reviewing a PR I (the AI) generated, especially when it touches security, data access, or multiple files.
- You want to bake "what to check" into your repo's PR template /
CONTRIBUTING.
Not a fit whenโ
- A trivial PR you've already read line by line with a tiny diff โ don't let the checklist become box-ticking theater.
- A non-code PR (pure docs / translation): pick the relevant items, don't run the whole list.
Replace before usingโ
- Swap "CI / lint / type-check" for your project's real commands and pipeline names.
- Delete items irrelevant to your stack (a pure-frontend project can drop the SQL line).
- Don't delete the three security blocks (secrets / injection / data leaks) โ they hold for almost every project.