Getting Started beginner 6 min read

How to Review AI-Generated Code Safely

Hướng dẫn chi tiết về How to Review AI-Generated Code Safely trong Vibe Coding dành cho None.

How to Review AI-Generated Code Safely

The era of “Vibe Coding” has arrived. It is a world where the distance between a raw idea and a functional application is bridged by a few lines of natural language and the massive compute power of Large Language Models (LLMs). For the modern developer, the primary bottleneck is no longer how fast you can type or how many library signatures you can memorize; it is how effectively you can direct the AI and, more importantly, how safely you can validate its output.

In this high-velocity environment, your role has shifted from a “writer” to an “editor-in-chief.” When you ask an AI to generate a complex React component or a backend authentication flow, it delivers code with terrifying speed and a deceptive air of confidence. But the “vibe” can be misleading. A perfectly indented code block can hide subtle logic errors, security vulnerabilities, or “hallucinated” library functions that don’t actually exist.

Reviewing AI-generated code is not a chore—it is the foundational skill of the Vibe Coding movement. This article provides a comprehensive framework for reviewing AI output safely, ensuring that your speed never comes at the cost of your system’s integrity.

The Core Concept: The “Reviewer’s Mindset”

To review AI code effectively, you must adopt the mindset of a Senior Mentor working with a Highly Motivated but Inexperienced Junior Developer.

The AI is incredible at syntax and pattern matching, but it lacks “situational awareness.” It doesn’t know that your company’s database is sensitive to specific query patterns, nor does it understand the long-term maintenance burden of a particular abstraction.

Why Exactly Does This Solve a Real Problem?

In traditional development, you know exactly why every line of code exists because you fought to write it. In Vibe Coding, you can inherit 200 lines of code in 10 seconds. The “Black Box” problem occurs when you ship code you don’t fully understand. If a bug occurs in production, you are left helpless because you didn’t “own” the logic.

Safe review solves this by re-establishing Cognitive Ownership. By following a systematic review protocol, you ensure that even though the AI typed the code, you authorized the logic.

How It Works: The Four Pillars of Review

When an AI drops a code snippet into your editor, your review should proceed through four distinct gates: Intent, Integrity, Security, and Scalability.

1. Intent Validation (The “What” vs. “How”)

The most common AI error isn’t a syntax mistake—it’s a misunderstanding of your prompt.

  • The Check: Does this code actually solve the problem I described?
  • The Trap: Sometimes the AI gets distracted by a secondary detail in your prompt and misses the primary goal.
  • Action: Read the code logic aloud in plain English. If you can’t explain what a function does in one sentence, the AI’s abstraction is likely too complex or incorrect.

2. Logic & Syntax Integrity

LLMs are probabilistic, not deterministic. They are guessing the next best token.

  • The Check: Are there off-by-one errors in loops? Are edge cases (null values, empty arrays, API timeouts) handled?
  • The Trap: “Hallucinated” APIs. The AI might use array.flattenDeep() in a language version that only supports array.flat(Infinity).
  • Action: Use a “Sanity Run.” Before integrating the code into your main project, run it in a isolated scratchpad or a REPL to see if it even executes.

3. Security Hardening

AI models are trained on vast amounts of public code, including code written before modern security standards were established.

  • The Check: Are secrets hardcoded? Is user input being sanitized before being passed to a database or a shell command?
  • The Trap: The AI often provides “happy path” code that lacks CSRF protection, proper CORS headers, or input validation.
  • Action: Specifically ask the AI: “Review this code for security vulnerabilities and rewrite it to be production-ready.”

4. Intentional Maintenance (The “Future You” Check)

Speed today can lead to technical debt tomorrow.

  • The Check: Is the variable naming clear? Is the logic so clever that it’s unreadable?
  • The Trap: The AI loves to nest functions deeply or use “magic numbers” without explanation.
  • Action: Refactor for clarity. Rename the AI’s generic variables (like data or res) to something descriptive (like userProfileResponse).

Practical Example: The “Vulnerable” API Route

Let’s look at a common scenario in Vibe Coding. You ask the AI: “Create a Node.js Express route to fetch a user from the database by their ID.”

The AI’s Initial Draft (The “Vibe” Version)

app.get('/user/:id', async (req, res) => {
  const user = await db.query(`SELECT * FROM users WHERE id = ${req.params.id}`);
  res.json(user);
});

At first glance, this looks great. It’s concise and it works. But as a safe reviewer, you should see three major red flags:

  1. SQL Injection: It’s concatenating raw user input directly into a query.
  2. Missing Error Handling: If the database is down, the server will crash.
  3. No “Not Found” Check: If the user doesn’t exist, it might return an empty object or an error depending on the DB driver.

The Reviewer’s Correction (The “Safe” Version)

After spotting these, you don’t necessarily have to write the fix yourself. You can direct the AI to improve: “Rewrite this route to use parameterized queries to prevent SQL injection, add a try-catch block for error handling, and return a 404 if the user isn’t found.”

The Improved Result:

app.get('/user/:id', async (req, res) => {
  try {
    const userId = req.params.id;
    // Parameterized query prevents SQL injection
    const result = await db.query('SELECT id, username, email FROM users WHERE id = $1', [userId]);
    
    if (result.rows.length === 0) {
      return res.status(404).json({ error: 'User not found' });
    }

    res.json(result.rows[0]);
  } catch (error) {
    console.error('Database error:', error);
    res.status(500).json({ error: 'Internal server error' });
  }
});

By performing this review, you’ve moved from a dangerous prototype to a production-grade feature in under 60 seconds.

Best Practices & Tips for AI Code Review

1. The “Explain Before Acting” Protocol

Never accept a large block of code without asking the AI to explain its architectural choices first.

  • Prompt: “Before you write the code, explain the logic you plan to use and any libraries you will depend on.”
  • Benefit: This forces you to understand the high-level strategy before you get bogged down in syntax details.

2. Leverage TDD (Test-Driven Development)

In Vibe Coding, tests are your safety harness.

  • Strategy: Ask the AI to write the test for the feature before it writes the feature.
  • Why? If the AI writes both the code and the test at the same time, it might bake the same logical error into both. If the code passes a pre-written test, your confidence in its correctness sky-rockets.

3. The “Spot-the-Error” Game

When the AI generates code, assume there is exactly one intentional bug hidden in it. Look for it. This psychological trick prevents “Reviewer Fatigue,” where you start skimming code because the first three lines looked fine.

4. Use “Reviewer Agents”

If you are using a multi-agent system like Cody Master, use one agent to generate the code and a second, specialized “Security & Quality” agent to audit it.

  • Human Role: You act as the final judge between the two AI perspectives.

5. Check the “Dependencies”

AI often suggests libraries that are deprecated or have security vulnerabilities (e.g., suggesting request instead of axios or fetch).

  • Tip: Always verify the package.json changes. If you don’t recognize a library, look it up on npm before installing it.

Common AI “Hallucinations” to Watch For

  1. Imaginary Methods: Using .map() on an object or .contains() on a string (instead of .includes()).
  2. CSS Variable Hallucinations: Using Tailwind classes that don’t exist (e.g., text-ultra-bold) or CSS variables that aren’t defined in your theme.
  3. API Version Mismatch: Using the v1 syntax for an API that is currently on v3.
  4. Invisible Imports: Forgetting to import a utility function it used deep inside a component.

The “10-Second Rule” for Simple Logic

If the AI produces a logic-heavy function (like a sorting algorithm or a data transformation), and it takes you more than 10 seconds to verify it visually, don’t trust it. Instead, ask the AI to “Refactor this logic into smaller, named utility functions.” Small functions are significantly easier to review than a giant “God Function.”

Conclusion: Mastering the Vibe

Reviewing AI-generated code isn’t about being a skeptic; it’s about being a professional. Vibe Coding allows us to build at the speed of thought, but our thoughts are occasionally messy, and the AI’s interpretation of those thoughts can be even messier.

By implementing a rigorous review process—validating intent, checking integrity, hardening security, and prioritizing maintainability—you transform the AI from a unpredictable generator into a precision instrument.

The goal of Vibe Coding is to spend less time fighting with the machine and more time solving problems for users. But the only way to stay in the “flow” is to know that the foundation you are building on is rock solid. Reviewing code safely is how you ensure that your “Vibe” today doesn’t become your “Crisis” tomorrow.

Remember: The AI provides the speed, but you provide the soul and the safety. Happy Vibe Coding!