Best Practices advanced 6 min read

The Correct Way to Review AI Pull Requests

Hướng dẫn chi tiết về The Correct Way to Review AI Pull Requests trong Vibe Coding dành cho None.

The Correct Way to Review AI Pull Requests

The promise of “Vibe Coding” is simple: you describe your intent, and the AI manifests the implementation. In this new paradigm, developer velocity has shifted from a linear progression to an exponential one. However, this explosion in output has created a critical bottleneck that many engineering teams are failing to address: the Pull Request (PR) review.

If your team is still reviewing AI-generated code the same way you review human-authored code—line-by-line, looking for syntax errors and minor stylistic preferences—you are already falling behind. Worse, you are likely accumulating “hidden technical debt” that will inevitably crash your system. AI is exceptionally good at producing code that looks correct but is structurally hollow or architecturally inconsistent with your “vibe.”

To survive and thrive in the era of AI-first development, we must shift our mental model from Code Reviewer to System Validator. This article outlines the advanced, multi-layered strategy for reviewing AI pull requests to ensure that your Vibe Coding remains sustainable, secure, and high-quality.

The Silent Crisis of AI Overproduction

In traditional development, a senior engineer might produce two or three meaningful pull requests a week. Each PR is the result of hours of conscious thought, architectural planning, and manual debugging. As a reviewer, you trust that the author has wrestled with the edge cases.

In a Vibe Coding environment, that same engineer (or even a junior one) can generate twenty pull requests a week. The AI doesn’t “wrestle” with anything; it predicts the most likely next tokens based on its training data and the context you provided. If that context is shallow, the resulting code will be shallow.

The problem isn’t just the volume; it’s the illusion of competence. AI-generated code rarely has syntax errors. It follows naming conventions perfectly. It looks like “senior-level” code at a glance. But under the hood, it might be missing critical error handling, introducing N+1 query problems, or silently breaking a global state management pattern that it wasn’t explicitly told to follow.

The “Correct Way” to review these PRs is to build an Infrastructure of Trust that automates the low-level verification, allowing humans to focus on high-level intent and architectural alignment.

Level 1: The Automated Gatekeeper (The Zero-Trust Layer)

Before a human even looks at an AI-generated PR, it must pass through a rigorous automated pipeline. In Vibe Coding, we assume the AI has hallucinated something until proven otherwise.

Beyond Standard Linting

Standard linters (ESLint, Ruff, Clippy) are the bare minimum. For AI PRs, you need Semantic Analysis. You should employ tools that check for:

  • Dependency Bloat: AI loves to suggest new npm packages or libraries to solve simple problems. Your CI should flag any change to package.json or requirements.txt that wasn’t explicitly requested in the task description.
  • Security Scanning: Automated SAST (Static Application Security Testing) is non-negotiable. AI often ignores CORS policies, hardcodes secrets (if the prompt is poor), or uses vulnerable regex patterns.
  • Breaking Changes: Use tools like treeshake or specialized API checkers to ensure that the AI hasn’t modified a public-facing interface that other parts of the system rely on.

The “Test-First” Enforcement

If a Vibe Coding agent submits a PR without accompanying tests, the PR should be automatically rejected by the system. However, simply having tests isn’t enough. The reviewer must verify that the tests are meaningful.

  • Mutation Testing: Run mutation tests to see if the AI-generated tests actually fail when the logic is subtly changed. AI is notorious for writing “happy path” tests that pass regardless of the implementation.
  • Coverage Parity: Ensure that the new feature has at least the same level of coverage as the rest of the codebase.

Level 2: Structural & Architectural Integrity (The “Vibe” Check)

This is where the human reviewer (or a specialized “Architect AI”) comes in. The goal is to ensure the code follows the Implicit Design Language of the project.

Architectural Drifting

AI models are trained on millions of repositories. Left to their own devices, they will suggest “Standard Industry Practices” which might conflict with your specific project’s “Local Best Practices.”

  • Example: If your project uses a “Functional Core, Imperative Shell” architecture, but the AI submits a PR using heavy Class-based OOP with deep inheritance, it has failed the vibe check. Even if the code works, it increases the cognitive load for everyone else.
  • The Fix: You must provide the AI with a DESIGN.md or .cursorrules file that strictly defines the “Vibe.” During review, your first question should be: “Does this look like it belongs in this codebase, or any codebase?”

State and Data Flow

AI often struggles with the long-term consequences of state management. In a React application, for instance, an AI might suggest adding a local useState for something that should clearly be in a global Zustand store or a React Query cache. As a reviewer, you must look for:

  • Prop Drilling: Did the AI take the easy way out instead of refactoring the context?
  • Side Effects: Are there useEffect hooks that will trigger infinite loops or redundant API calls?

Level 3: Adversarial AI Reviewing (The “Twin AI” Strategy)

The most advanced way to review AI code is to use another AI specifically configured to be an adversary. At Todyle, we call this the “Twin AI” strategy.

You don’t just ask an AI “Does this look good?” You give a second AI (preferably a different model, like switching from Claude to GPT-4o or vice versa) a specific persona and a “kill” mission.

The Adversarial Prompt Example

“You are a Senior Security Architect and Performance Engineer. Review this Pull Request generated by a coding assistant. Your goal is to find 3 ways this code could fail under high load, 2 potential security vulnerabilities, and 1 instance where it violates the project’s ‘DRY’ (Don’t Repeat Yourself) principle. Be hyper-critical. If you find nothing, you have failed your task.”

By forcing the AI to be adversarial, you bypass the “polite compliance” that LLMs often exhibit. The output of this adversarial review becomes a comment on the PR, which the human reviewer then uses as a guide.

Level 4: Test-Driven Review (TDR)

In Vibe Coding, the most practical way to verify a PR is to reverse the review flow. Instead of reading the code and trying to imagine if it works, you interact with the results.

The Interactive Verification Script

For any complex PR, require the author (or the AI) to provide a Reproduction/Validation Script. If the PR fixes a bug, the PR must include a script that:

  1. Sets up the environment.
  2. Triggers the bug (demonstrating it existed).
  3. Applies the fix.
  4. Verifies the bug is gone.

As a reviewer, you don’t read the logic; you run the script. If the script passes, you then perform a “Light Audit” of the code for readability. If the script fails, the review ends immediately.

Practical Example: The “Smart Refactor” Gone Wrong

Let’s look at a real-world scenario. An AI is asked to “Refactor the user dashboard to improve loading speed.”

The AI’s Implementation: It adds a complex caching layer using localStorage and a custom hook. The code is clean, documented, and the dashboard is faster.

The Human Reviewer’s “Correct” Path:

  1. Automation Check: CI passes. Linting is green.
  2. Adversarial AI Check: The Adversarial AI notes: “The localStorage implementation doesn’t have a TTL (Time-To-Live). If the user’s permissions change on the server, the dashboard will show stale, sensitive data until they manually clear their cache.”
  3. Vibe Check: The human reviewer notices that the project already uses TanStack Query (React Query) which handles caching and invalidation natively. The AI reinvented a “broken” wheel instead of using the existing infrastructure.
  4. The Result: The PR is rejected with the comment: “Great intent, but we use React Query for caching. Re-implement using queryClient.invalidateQueries to ensure data consistency. Refer to src/hooks/useUser.ts for the pattern.”

This review took 5 minutes because the human was looking for Architectural Alignment rather than checking if the localStorage.setItem syntax was correct.

Best Practices & Tips for AI-First Architects

To master the review process, follow these high-level principles:

1. The “Atomic intent” Rule

Never allow an AI to submit a PR that does “everything.” If a task is “Build the Auth system,” it should be broken down into:

  • PR #1: Database Schema & Migration.
  • PR #2: Logic/Service Layer (Internal).
  • PR #3: API Routes & Controllers.
  • PR #4: Frontend Components.
  • PR #5: Integration & E2E Tests.

Small, atomic PRs are easier for both humans and Adversarial AIs to audit. Large “Vibe” PRs are where bugs hide.

2. Trust the Tests, Not the Code

If you have to choose between reading 500 lines of code or reading 50 lines of robust E2E tests (Playwright/Cypress), read the tests. If the tests accurately describe the user’s “Jobs To Be Done” (JTBD) and they pass, the implementation details are secondary (provided they aren’t a security risk).

3. Maintain a “Mistake Log” (CONTINUITY.md)

When an AI makes a mistake during a PR review (like the localStorage example above), document it in a project-level file like CONTINUITY.md or a SKILL.md. This becomes part of the context for future AI prompts, preventing the same mistake from appearing in the next 100 PRs.

4. Zero-Tolerance for “Just-in-Case” Logic

AI often adds defensive checks or “helper functions” that aren’t actually needed for the current task. This is “code noise” that leads to long-term maintenance nightmares. As a reviewer, ruthlessly delete any code that doesn’t serve the immediate, verified intent of the PR.

Conclusion: From Coder to Conductor

Reviewing AI pull requests is no longer about finding “bugs” in the traditional sense. It is about Orchestration. Your job is to ensure that the “Vibe” produced by the AI aligns with the long-term vision of the system.

By implementing a multi-layered validation pipeline—automated gates, adversarial AI reviews, architectural vibe checks, and test-driven verification—you can scale your output without sacrificing your sanity or your system’s integrity.

In the world of Vibe Coding, the best engineers aren’t the ones who write the most code; they are the ones who build the best systems for validating it. Stop reading the lines. Start verifying the outcomes. That is the correct way.