Skip to main content
AIDive
EN
Sign in
How to review code after Cursor, Claude Code, and Codex

How to review code after Cursor, Claude Code, and Codex

A practical review process for agent-written code: diff boundaries, deterministic checks, migrations, security, browser tests, and release validation.

Jin Samuray
0

A coding agent reduces the time from task to diff, but it does not take responsibility for the release. AI-written code is not dangerous because it has a special machine category of bug. It produces ordinary bugs quickly, across several files, with convincing explanations. Review should therefore begin with change boundaries and reproducible signals, not another chatbot.

Explain why every changed file belongs in the diff

Ask the agent for a short summary, then compare it with the actual diff. Remove incidental formatting, unexplained lockfile updates, debug code, and neighboring-module changes that the task does not need. Split a large diff when possible: data schema, server, interface, and tests are easier to reason about as separate logical units.

Locate the new source of truth. Where does state live now, who calls the function, and which old paths remain? An agent often adds a new layer without removing or updating the earlier one. Searching for the name, route, and type can reveal two competing implementations.

Let the compiler and tests speak before an AI reviewer

Run formatting, linting, typechecking, unit tests, and integration tests with the same commands as CI. If the project lacks these checks, that is a separate risk rather than a reason to replace them with a model. A deterministic tool repeats a rule exactly; an AI reviewer estimates likely problems and may overlook something simple.

A new test should fail against the old code and pass after the fix. A test that is green in both versions may prove nothing. Reproduce the original failure for a bugfix; for a feature, cover the primary path, boundaries, and a dependency failure.

Playwright validates a user journey, not implementation elegance

Add or update a browser test for a critical web flow. Playwright projects run different browsers and environments, while trace viewer preserves steps, DOM state, network activity, and screenshots for CI diagnosis. Codegen is a useful draft, but locators and expectations should be rewritten around stable user-visible behavior.

Do not cover every setter with E2E. Lock down the journey whose failure is expensive: sign-in, payment, object creation, publishing, or role permissions. API and unit tests can cover the cheaper branches.

Migrations and background work need rollback rehearsal

When a diff changes the schema, inspect existing rows, null values, indexes, locks, and execution time. Run the migration against a copy with realistic volume. Decide whether new code works with the old schema during a rolling deploy and whether the application can roll back after the migration.

For queues and webhooks, test retries, ordering, timeouts, and partial completion. Agents readily write a happy path where an event arrives once. Production tends to test the opposite.

Permissions and data paths matter more than suspicious-looking lines

Trace untrusted input to the database, filesystem, shell, HTML, and outbound requests. Verify authorization on the server instead of relying on a hidden button. Secrets must not enter a client bundle, logs, an error response, or model context.

Inspect dependencies and generated code. A new library expands the supply-chain surface and bundle size; a look-alike package may be a typo. For personal data, check minimization, retention, and whether records are sent to a model without authorization.

A second AI works best as a narrowly briefed opponent

After conventional checks, give the diff to a separate reviewer agent. Set a precise job: find invariant violations, missing tests, API incompatibility, race conditions, or authorization bypasses. Require a file, line, and failure scenario. “Review this code” produces a great deal of stylistic noise.

Do not accept a finding without reproducing it. A model can invent a contract or miss a project rule. Relevant products are listed in AIDive's AI code review collection, with execution-focused products in the AI testing collection.

Release review ends with observation after deployment

Before merge, verify the PR description, linked issue, documentation, flags, metrics, and rollback plan. After release, watch more than server errors: step conversion, latency, queue depth, rejection rates, and business invariants. A fast rollback is more valuable than a long debate with an agent during an incident.

The short sequence is: understand the diff, shrink it, run deterministic checks, reproduce the critical journey, inspect data and access separately, use AI as a second reviewer, then release with observation. Generation speed only matters when the team keeps the ability to prove correctness.

0 comments

Newsletter

Get notified when new AI tools are added

Join the community.