This checklist is part of the Agentic SDLC — How to Deliver with Confidence guide. It is designed to be used independently. No prior reading is required.
Use this checklist when reviewing a pull request that contains AI-generated code. It assumes that the code was generated against a specification, under governance constraints, and that verification has already been performed. The reviewer’s job is to confirm conformance and apply human judgment where automation cannot reach.
Before You Start: Attach Artifacts
Before reviewing any code, attach the following artifacts to the PR or confirm they are linked:
- Specification: Attach the technical specification the code was generated against. This is the primary reference for what the code should do and how.
- PRD: Attach the product requirements document (if one exists). This provides the business context for the change.
- Plan: Attach the execution plan that defined the scope and sequencing of this work.
- Drift report: Attach the drift detection report that compared the generated output against the specification.
- Invariant compliance results: Attach the results of invariant scanning.
- Specialist review findings: Attach any findings from specialist domain reviews (database, security, API, infrastructure).
If any of these artifacts are missing, request them before proceeding with the review. Reviewing AI-generated code without the specification and drift report is reviewing without context — it reverts to the unreviewable single-surface model.
Drift Verification
- Read the drift report: does the generated code match the specification?
- For every deviation flagged in the drift report, determine: is this an intentional divergence (documented and justified) or an unintentional drift (needs correction)?
- Confirm that every acceptance criterion in the specification has a corresponding implementation
- If no drift report is available, flag this PR as unreviewable under the governed process — request that verification be run first
Invariant Compliance
- Read the invariant compliance results: were any hard constraints violated?
- For every violation found, determine: is the invariant incorrect (needs updating) or did the generator violate a valid constraint (needs correction)?
- If no invariant scan was run, check the most critical invariants manually and flag the gap
Specialist Review Findings
- Read any specialist review findings attached to the PR
- For database changes: confirm migration safety, rollback strategy, and query performance have been reviewed
- For security changes: confirm authentication, authorization, and data handling have been reviewed
- For API changes: confirm backward compatibility and contract completeness have been reviewed
- For infrastructure changes: confirm deployment safety and failure modes have been reviewed
- If specialist review was required but not performed, request it before approving
Human Judgment Areas
These items require human evaluation and cannot be fully automated:
- Edge cases: Are there scenarios the specification did not anticipate that the generated code handles incorrectly or does not handle at all?
- Naming and clarity: Are variable names, function names, and file names clear and consistent with team conventions?
- Business logic correctness: Does the code implement the business rules correctly, including subtle conditions the specification may have described in prose?
- Error handling: Are error paths reasonable? Do they provide useful information for debugging? Do they fail safely?
- Test quality: Do the generated tests actually verify the behavior they claim to test? Are assertions meaningful, or do they pass trivially?
- Performance concerns: Are there obvious performance issues in hot paths (unnecessary allocations, unbounded queries, missing pagination)?
Final Check
- All drift report deviations are resolved (corrected or documented as intentional)
- All invariant violations are resolved
- All specialist review findings are addressed
- Human judgment areas have been evaluated
- The PR is approved only when all of the above are confirmed — not before