The Seven-Point Review Framework
Apply systematic checks for correctness, coherence, currency, modernity, necessity, dependencies, and security in every AI-generated PR.
Introduction: Code Review in the Age of AI-Generated Code
Remember the first time you copied code from Stack Overflow, pasted it into your project, and it actually worked? That moment of relief quickly turned into anxiety as you realized you didn't fully understand what you'd just added to your codebase. Now multiply that feeling by a hundred. That's the reality of modern development with AI code generation, and if you're reading this, you've probably already felt it. The good news? This lesson includes free flashcards to help you master the systematic approach that transforms this anxiety into confidence. The shift we're experiencing isn't just about having a helpful assistantโit's fundamentally changing what it means to be a developer.
The Fundamental Shift: From Code Writer to Code Director
For decades, the primary skill of a software developer was writing code. You learned syntax, memorized APIs, and spent hours crafting functions character by character. The bottleneck was your typing speed and your ability to recall the exact method signature you needed. Today, that bottleneck has evaporated.
With AI code generation tools like GitHub Copilot, ChatGPT, and Claude, a developer can produce hundreds of lines of functional code in minutes. You describe what you want, and the AI generates it. But here's the critical question that most developers aren't asking: Who is responsible when that code fails in production? Not the AI. You are.
๐ฏ Key Principle: In the AI era, your primary skill shifts from code authorship to code stewardship. You become less of a writer and more of an editor, architect, and quality gatekeeper.
This shift is profound. Consider what you actually do in a typical day now versus five years ago:
Then (2019):
- 70% writing code manually
- 20% debugging your own code
- 10% reviewing others' code
Now (2024):
- 30% prompting and directing AI
- 50% reviewing and refining AI-generated code
- 20% reviewing others' code (which might also be AI-generated)
The numbers vary by role and organization, but the trend is unmistakable. Code review has evolved from a collaborative quality-check performed occasionally to a core competency you exercise constantly. Every time you accept an AI suggestion, you're performing a micro-review. Every time you ask AI to refactor a function, you're reviewing the output. The question isn't whether you'll review codeโit's whether you'll do it systematically or haphazardly.
๐ก Real-World Example: A senior developer at a fintech company recently told me they now generate 80% of their boilerplate code with AI assistance. But after a production incident where an AI-generated date handling function failed to account for timezone edge cases, they realized they'd been treating AI output as "probably correct" rather than "needs verification." The incident cost thousands in customer support time and damaged trust. The developer's manager didn't blame the AIโthey questioned why the code hadn't been properly reviewed before deployment.
Why Ad-Hoc Review Approaches Fail at Scale
When you review code occasionallyโmaybe a colleague's pull request once a weekโan ad-hoc approach works reasonably well. You read through the changes, trust your intuition, look for obvious issues, and maybe check for a few patterns you've been burned by before. This informal process relies on:
๐ง Your mental catalog of "things that have gone wrong before" ๐ง Your current cognitive state (are you tired? distracted?) ๐ง Your memory of similar code in the codebase ๐ง Whatever happens to catch your eye
This approach breaks down completely when you're reviewing dozens or hundreds of AI-generated code snippets daily. Here's why:
Volume Overwhelms Intuition
When reviewing 50+ code generations per day, you cannot rely on careful, thoughtful analysis of each one. You start pattern-matching at a surface level: "This looks like TypeScript... has a try-catch block... returns a Promise... probably fine." You accept the code without deep inspection, and subtle issues slip through.
// AI-generated function that looks fine at first glance
async function getUserData(userId: string): Promise<UserData> {
try {
const response = await fetch(`/api/users/${userId}`);
const data = await response.json();
return data;
} catch (error) {
console.error('Error fetching user:', error);
return null; // โ ๏ธ Type error! Promised UserData but returning null
}
}
An ad-hoc review might miss that the error handling violates the type contract. The function compiles (with loose TypeScript settings) and looks reasonable, but it will cause runtime errors downstream when code expects UserData and receives null.
Consistency Disappears
Without a systematic approach, your review quality varies wildly based on:
- Time of day (morning vs. late afternoon)
- Context switching (interruptions, meetings)
- Recency bias (you catch the same issue you saw yesterday but miss others)
- Confidence in the AI ("This AI is usually right, so...")
โ ๏ธ Common Mistake: Developers often create an informal mental checklist for reviews, but it remains inconsistent and incomplete. You might remember to check error handling on Tuesday but forget on Friday when you're rushing to finish before the weekend.
Specialized Knowledge Gaps
AI generates code across many domains: database queries, API endpoints, cryptographic operations, UI components, business logic, infrastructure configuration. No developer has deep expertise in every area, yet ad-hoc review assumes you'll spot issues across all domains equally well.
๐ก Mental Model: Imagine you're a restaurant health inspector who checks cleanliness by "looking around for anything that seems off." That might catch obviously moldy food, but you'd miss bacterial contamination, improper food storage temperatures, or cross-contamination risks. You need a structured checklist that ensures you examine critical areas regardless of what "catches your eye."
๐ค Did you know? Studies of code review effectiveness show that systematic, checklist-based reviews catch 60-90% more defects than unstructured reviews, yet most developers still review code without any formal framework.
Enter the Seven-Point Framework: A Systematic Approach
The Seven-Point Review Framework provides a structured methodology for evaluating any piece of codeโwhether generated by AI, written by a junior developer, or produced by your past self at 2 AM. It's designed specifically to address the challenges of high-volume code review in an AI-assisted development environment.
Think of the framework as a mental checklist that ensures comprehensive coverage without getting lost in minutiae. Each of the seven points represents a critical dimension of code quality:
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ THE SEVEN-POINT FRAMEWORK โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ
โโโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโ
โ โ โ
โโโโโผโโโโ โโโโโผโโโโ โโโโโโผโโโโโ
โ 1-3 โ โ 4-5 โ โ 6-7 โ
โBasic โ โLogic โ โContext โ
โQualityโ โ&Intentโ โ&Impact โ
โโโโโฌโโโโ โโโโโฌโโโโ โโโโโโฌโโโโโ
โ โ โ
โ โ โ
โโโโโโโผโโโโโโ โโโโโโโผโโโโโโ โโโโโโผโโโโโโโ
โ1.Correctnessโ โ4.Logic โ โ6.Domain โ
โ2.Safety โ โ5.Intent โ โ7.Maintainability
โ3.Standards โ โ Clarity โ โ โ
โโโโโโโโโโโโโโโ โโโโโโโโโโโโโ โโโโโโโโโโโโโโ
Here's a high-level overview of each point (we'll explore these in depth in the next section):
1. Correctness โ Does the code actually do what it's supposed to do? 2. Safety โ Can this code cause crashes, security vulnerabilities, or data corruption? 3. Standards โ Does it follow language idioms, style guides, and team conventions? 4. Logic โ Is the algorithmic approach sound and efficient? 5. Intent Clarity โ Can another developer (or you in six months) understand what this code does and why? 6. Domain Alignment โ Does the code correctly implement business rules and domain requirements? 7. Maintainability โ Will this code be easy to modify, debug, and extend?
๐ง Mnemonic: CSS-LID-M (Correctness, Safety, Standards, Logic, Intent, Domain, Maintainability) โ think of it as putting a "CSS lid" on your code to keep it from spilling over with problems.
The framework is intentionally ordered from quick-check fundamentals (1-3) to deeper analysis (4-7). This ordering allows you to:
๐ฏ Fail fast on obviously broken code (Point 1) ๐ฏ Catch dangerous patterns before deep analysis (Point 2) ๐ฏ Surface style issues that might obscure understanding (Point 3) ๐ฏ Then dive into logic, intent, domain correctness, and long-term maintainability
Let's see this in action with a simple example:
## AI-generated function to calculate discount
def calculate_discount(price, customer_type):
if customer_type == "VIP":
discount = price * 0.2
elif customer_type == "regular":
discount = price * 0.1
else:
discount = 0
final_price = price - discount
return final_price
An ad-hoc review might think: "Looks good, returns the discounted price, moving on." But applying the Seven-Point Framework systematically:
1. Correctness โ โ Performs the calculation, returns a result
2. Safety โ ๏ธ โ No input validation! What if price is negative? What if customer_type is None?
3. Standards โ ๏ธ โ Python conventions suggest snake_case is fine, but no type hints (Python 3.5+)
4. Logic โ ๏ธ โ Calculation is straightforward but doesn't handle edge cases (price = 0, very large numbers)
5. Intent Clarity โ ๏ธ โ Magic numbers (0.2, 0.1) aren't explained. Are these percentages permanent? Configurable?
6. Domain Alignment โ โ Need to verify: Are these the correct discount rates? Is "VIP" the right term? What about other customer types?
7. Maintainability โ ๏ธ โ Hardcoded discount rates will require code changes to adjust pricing strategy
Suddenly, a "looks good" function reveals six areas needing attention. This is the power of systematic review.
๐ก Pro Tip: You don't need to spend equal time on all seven points for every code snippet. A simple getter function might pass points 1-5 in seconds, while a complex authentication function demands deep scrutiny on points 2, 4, 6, and 7. The framework ensures you at least consider each dimension rather than skipping critical areas by accident.
How the Framework Connects to Specialized Review Areas
The Seven-Point Framework provides the structural scaffold for your review process, but some areas demand specialized expertise. That's where the three deep-dive topics connect:
๐ Quick Reference Card: Framework to Specialized Topics
| Framework Point | ๐ฏ Primary Focus | ๐ Specialized Topic Connection |
|---|---|---|
| 1. Correctness | Does it work? | ๐ง All topics โ foundational requirement |
| 2. Safety | Can it break? | ๐ Security Review โ vulnerability detection |
| 3. Standards | Does it fit conventions? | ๐จ Pattern Recognition โ idioms and anti-patterns |
| 4. Logic | Is the approach sound? | ๐จ Pattern Recognition โ algorithmic patterns |
| 5. Intent Clarity | Is it understandable? | ๐ All topics โ clarity enables review |
| 6. Domain Alignment | Does it meet requirements? | ๐ข Domain Logic Review โ business rule validation |
| 7. Maintainability | Can we change it safely? | ๐จ Pattern Recognition โ sustainable patterns |
Think of it this way:
- The Seven-Point Framework is your review process โ what to check and in what order
- Pattern Recognition teaches you to spot common structures, idioms, and anti-patterns quickly
- Security Review gives you the expertise to evaluate safety (Point 2) with a security-focused lens
- Domain Logic Review equips you to validate business rules and domain alignment (Point 6)
โ Wrong thinking: "I'll just focus on security since that's the most important thing." โ Correct thinking: "I'll use the framework to ensure comprehensive coverage, applying specialized knowledge at relevant checkpoints."
Consider this AI-generated authentication function:
// AI-generated login validation
function validateLogin(username, password) {
const users = loadUsersFromDatabase();
const user = users.find(u => u.username === username);
if (user && user.password === password) {
return { success: true, userId: user.id };
}
return { success: false };
}
The Seven-Point Framework guides you through:
Point 1 (Correctness): Does it validate login? Yes, basic logic is present.
Point 2 (Safety): This triggers deep security review because authentication is security-critical. Your specialized security knowledge immediately flags:
- Plaintext password comparison (should be hashed)
- Vulnerable to timing attacks
- No rate limiting consideration
- Loads entire user database into memory
Point 3 (Standards): Missing JSDoc, inconsistent return structure
Point 4 (Logic): Loading all users is inefficient; should query by username
Point 5 (Intent Clarity): Function name is clear, but implementation details are opaque
Point 6 (Domain Alignment): Triggers domain logic review โ need to verify:
- Are there account lockout rules after failed attempts?
- Should there be multi-factor authentication?
- What about "remember me" functionality?
Point 7 (Maintainability): Tightly couples authentication logic to database structure; difficult to add OAuth or SSO later
See how the framework provides structure while specialized knowledge deepens your analysis at specific points? You're not choosing between the framework and specialized topicsโyou're using them together.
Why This Matters More Than Ever
The stakes of code review have never been higher. AI can generate code faster than any team can carefully review it. Without a systematic approach, you face three dangerous outcomes:
1. Review Fatigue โ Rubber-Stamping
When overwhelmed by volume, developers start automatically approving AI suggestions without genuine review. This creates a false sense of productivity while accumulating technical debt and bugs.
2. Inconsistent Quality โ Production Incidents
Some code gets careful scrutiny while other code slips through unchecked. The resulting codebase is a minefield of hidden issues waiting to cause outages, security breaches, or data corruption.
3. Knowledge Atrophy โ Skill Degradation
When you stop understanding the code in your codebase, you lose the ability to debug, extend, or maintain it effectively. You become dependent on AI to fix AI-generated code, creating a vicious cycle of decreasing competence.
๐ฏ Key Principle: The Seven-Point Framework isn't about slowing down developmentโit's about maintaining quality and understanding while moving fast. A systematic 2-minute review beats a 30-minute debugging session hunting for an issue you could have caught immediately.
๐ก Real-World Example: A development team at a SaaS company adopted systematic code review for all AI-generated code. Initially, reviews took longer and felt like friction. Within three months, they measured:
- 73% reduction in bugs caught in QA
- 45% reduction in production incidents
- 28% decrease in time spent debugging
- Increased developer confidence and velocity
The framework didn't slow them downโit helped them move faster with higher quality.
What You'll Learn in This Lesson
This lesson equips you with a complete systematic approach to code review in the AI era:
๐ง The full Seven-Point Framework with detailed guidance on applying each checkpoint ๐ง Practical walkthrough examples showing the framework in action on real AI-generated code ๐ง Workflow integration strategies for making systematic review natural and fast ๐ง Common pitfalls and anti-patterns that trap even experienced reviewers ๐ง Connections to specialized topics so you know when to apply deeper expertise
By the end, you'll have a reliable mental model for evaluating any code that crosses your screenโwhether it came from AI, a team member, or your own keyboard. You'll review with confidence, knowing you're systematically checking the critical dimensions of code quality.
The shift from code writer to code director is already here. The developers who thrive won't be those who resist AI assistanceโthey'll be those who master the art of systematic code stewardship. The Seven-Point Framework is your foundation for that mastery.
Let's dive into the framework itself and explore each checkpoint in detail.
The Seven-Point Framework: Structure and Philosophy
When AI generates a hundred lines of code in seconds, the temptation is to skim it quickly, see that it "looks right," and move on. But this approach leads to technical debt accumulation at unprecedented speed. What we need is a systematic frameworkโa mental checklist that ensures we examine every critical dimension of code quality, regardless of whether it came from GPT-4, Copilot, or a human colleague.
The Seven-Point Review Framework provides exactly this structure. It's not a rigid bureaucratic process, but rather a flexible mental model that prevents review blind spotsโthose dangerous gaps where bugs, security vulnerabilities, and maintenance nightmares hide. Let's explore each checkpoint in depth.
The Seven Checkpoints: Your Complete Review Lens
Think of the framework as seven different lenses through which you examine the same code. Each lens reveals different aspects of quality:
Code Under Review
|
v
โโโโโโโโโโโโโโโโโโโโโ
โ 1. FUNCTIONALITY โ โโ> Does it work correctly?
โโโโโโโโโโโโโโโโโโโโโค
โ 2. READABILITY โ โโ> Can humans understand it?
โโโโโโโโโโโโโโโโโโโโโค
โ 3. MAINTAINABILITYโ โโ> Can it be modified safely?
โโโโโโโโโโโโโโโโโโโโโค
โ 4. PERFORMANCE โ โโ> Does it use resources wisely?
โโโโโโโโโโโโโโโโโโโโโค
โ 5. TESTING โ โโ> Is quality verifiable?
โโโโโโโโโโโโโโโโโโโโโค
โ 6. DOCUMENTATION โ โโ> Is intent captured?
โโโโโโโโโโโโโโโโโโโโโค
โ 7. INTEGRATION โ โโ> Does it fit the system?
โโโโโโโโโโโโโโโโโโโโโ
Let's examine each checkpoint in detail.
1. Functionality: The Foundation of Everything
Functionality asks the most fundamental question: Does this code actually do what it's supposed to do? This might seem obvious, but AI-generated code frequently produces solutions that work for the obvious cases while silently failing on edge cases.
When reviewing functionality, you're examining:
๐ฏ Correctness of logic: Does the algorithm implement the intended behavior? ๐ฏ Edge case handling: What happens with empty inputs, null values, boundary conditions? ๐ฏ Error scenarios: How does the code behave when things go wrong? ๐ฏ Requirements alignment: Does it actually solve the stated problem?
๐ก Real-World Example: An AI might generate a function to calculate discounts:
def calculate_discount(price, discount_percent):
"""Calculate discounted price"""
return price - (price * discount_percent / 100)
This looks correct at first glance. But functionality review asks: What if price is negative? What if discount_percent is over 100? What if they're strings instead of numbers? The AI solved the happy path but ignored real-world messiness.
โ ๏ธ Common Mistake 1: Assuming that if code runs without errors on one test case, its functionality is correct. Always probe edge cases and error conditions. โ ๏ธ
2. Readability: Code Is Written for Humans
Readability evaluates how easily other developers (including your future self) can understand the code's intent and operation. AI-generated code often has a distinctive "mechanical" qualityโtechnically correct but lacking the thoughtful structure humans need.
Readability encompasses:
๐ Variable and function naming: Are names self-explanatory and consistent? ๐ Code structure: Is the logical flow clear and linear? ๐ Complexity management: Are complex operations broken into understandable chunks? ๐ Consistency: Does it follow project conventions and style guides?
Consider this AI-generated code:
function p(a, b) {
let r = [];
for(let i = 0; i < a.length; i++) {
if(a[i].s === b) {
r.push(a[i]);
}
}
return r;
}
Versus a readable version:
function filterUsersByStatus(users, targetStatus) {
const matchingUsers = [];
for(let i = 0; i < users.length; i++) {
const user = users[i];
if(user.status === targetStatus) {
matchingUsers.push(user);
}
}
return matchingUsers;
}
Both do the same thing, but the second version reveals its purpose immediately. Readability review would flag the first version as a must-fix issue.
๐ฏ Key Principle: Code is read 10 times more often than it's written. Optimizing for readability pays dividends for years.
3. Maintainability: The Long-Term View
Maintainability looks beyond today to ask: How easy will it be to modify, extend, or debug this code in six months? AI often generates code that's tightly coupled, rigid, or built on assumptions that will break when requirements change.
Maintainability review examines:
๐ง Coupling and cohesion: Are components loosely coupled and highly cohesive? ๐ง Flexibility: Can the code adapt to likely future changes? ๐ง Debugging support: Are there clear error messages and logging? ๐ง Dependency management: Are external dependencies reasonable and stable?
AI might generate this database query:
def get_report_data():
# Hardcoded for current requirements
query = "SELECT u.name, o.total, o.date FROM users u JOIN orders o ON u.id = o.user_id WHERE o.date >= '2024-01-01' AND o.status = 'completed'"
return database.execute(query)
Maintainability review flags several issues: hardcoded dates, no parameterization, mixing data access with business logic. When requirements change (different date ranges, additional filters, different statuses), this code becomes a maintenance nightmare.
๐ก Pro Tip: Ask yourself: "If I had to add a feature or fix a bug here at 2 AM, how quickly could I understand what to change?" That's your maintainability test.
4. Performance: Resources Matter
Performance evaluates whether the code uses computational resources (CPU, memory, network, I/O) appropriately for its context. AI-generated code often produces algorithmically inefficient solutions because the model optimizes for "code that looks right" rather than "code that scales."
Performance review considers:
โก Algorithmic complexity: Is the Big-O complexity appropriate? โก Resource usage: Are memory allocations reasonable? โก Database efficiency: Are queries optimized? Is there an N+1 problem? โก Caching opportunities: Are expensive operations unnecessarily repeated?
Here's a classic AI-generated performance problem:
function findDuplicates(items) {
const duplicates = [];
for(let i = 0; i < items.length; i++) {
for(let j = i + 1; j < items.length; j++) {
if(items[i] === items[j] && !duplicates.includes(items[i])) {
duplicates.push(items[i]);
}
}
}
return duplicates;
}
This O(nยณ) solution works fine for 10 items but becomes unusable at scale. Performance review would flag this and suggest a Set-based O(n) approach.
โ ๏ธ Common Mistake 2: Ignoring performance review for "small" functions. Small functions called in loops or on large datasets become performance bottlenecks. โ ๏ธ
๐ค Did you know? Studies show that AI code generators are 2-3x more likely to produce inefficient algorithms than human developers, particularly for searching and sorting operations.
5. Testing: Verification and Confidence
Testing evaluates whether the code can be tested effectively and whether appropriate tests exist or are planned. AI rarely generates comprehensive tests alongside implementation code, leaving a critical gap in quality assurance.
Testing review examines:
๐งช Testability: Can this code be unit tested easily? ๐งช Test coverage: Are critical paths and edge cases covered? ๐งช Test quality: Do tests verify behavior, not just implementation? ๐งช Test maintainability: Will tests break with every small refactor?
When AI generates a function with multiple responsibilities and tight coupling:
def process_order(order_id):
order = database.get_order(order_id) # Database call
inventory = check_inventory(order.items) # External API call
payment = charge_card(order.payment_info) # Payment gateway call
send_confirmation_email(order.email) # Email service call
log_to_analytics(order) # Analytics call
return {"success": True, "order_id": order_id}
Testing review immediately flags this as problematic: it's nearly impossible to unit test because it directly calls multiple external services. Each test would require complex mocking or actual service availability.
๐ก Mental Model: Think of testing review as asking: "Could I write a fast, reliable unit test for this in under 10 minutes?" If not, there's likely a testability problem.
6. Documentation: Capturing Intent
Documentation evaluates whether the code's purpose, usage, and important behaviors are adequately explained. AI-generated documentation often ranges from absent to misleadingโthe model generates plausible-sounding comments that may not reflect what the code actually does.
Documentation review covers:
๐ Function/method documentation: Are parameters, return values, and side effects explained? ๐ Complex logic explanation: Are non-obvious algorithms or business rules clarified? ๐ API contracts: Are expectations and guarantees clear? ๐ Accuracy: Do comments match the actual code behavior?
/**
* Processes user data
* @param data User data object
* @returns Processed result
*/
async function processUserData(data: any): Promise<any> {
// Validate data
if (!data.email || !data.age) throw new Error("Invalid data");
// Apply business rules: users under 18 require parental consent
// Premium users get priority processing
// Blacklisted domains are rejected
const validated = await complexValidation(data);
const enriched = await enrichWithExternalData(validated);
const transformed = applyBusinessRules(enriched);
return transformed;
}
Documentation review flags multiple issues here: the docstring is generic and unhelpful, critical business rules are mentioned in comments but not explained, parameter types are any (no type documentation), and error conditions aren't documented.
๐ฏ Key Principle: Documentation should answer "why" more than "what." The code itself shows what it does; documentation should explain why it exists and why it works this way.
7. Integration: Fitting Into the Larger System
Integration examines how the code fits within the broader codebase, architecture, and team practices. This is where AI-generated code most often failsโthe model lacks context about your specific system architecture, naming conventions, error handling patterns, and team decisions.
Integration review considers:
๐ Architectural alignment: Does this follow established patterns? ๐ API consistency: Do interfaces match existing conventions? ๐ Error handling patterns: Does it use the project's error handling approach? ๐ Dependency policy: Are new dependencies appropriate and approved? ๐ Cross-cutting concerns: Does it integrate with logging, monitoring, security?
Imagine your project uses a Result type for error handling:
// Project convention: use Result<T, E> for fallible operations
fn existing_function() -> Result<User, DatabaseError> {
// ...
}
But AI generates:
// AI-generated code using exceptions instead
fn new_ai_function() -> User {
match database.query() {
Some(user) => user,
None => panic!("User not found!") // Doesn't follow project patterns
}
}
Integration review catches this inconsistency. The code might work in isolation but violates established patterns, creating maintenance confusion.
๐ก Pro Tip: Create a "project integration checklist" specific to your codebaseโlogging format, error handling style, naming conventions, required middleware, etc. Use it during integration review.
The Hierarchical Nature: Must-Fix, Should-Improve, Nice-to-Have
Not all review findings are equally important. The framework uses a three-tier hierarchy to prioritize issues:
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ ๐ด MUST-FIX (Blocking Issues) โ
โ - Functionality bugs โ
โ - Security vulnerabilities โ
โ - Data corruption risks โ
โ - Critical performance problems โ
โ - Untestable code in critical paths โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ ๐ก SHOULD-IMPROVE (Important but not blocking)โ
โ - Poor readability โ
โ - Maintainability concerns โ
โ - Missing documentation โ
โ - Moderate performance issues โ
โ - Integration inconsistencies โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ ๐ข NICE-TO-HAVE (Suggestions) โ
โ - Style preferences โ
โ - Minor optimizations โ
โ - Extra documentation โ
โ - Refactoring opportunities โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
Must-fix issues prevent code from being merged. These are correctness, security, or critical quality problems. If functionality review reveals a bug or performance review finds an O(nยฒ) query that will timeout in production, that's must-fix.
Should-improve issues are important quality concerns that should be addressed soon but don't necessarily block merging, depending on context. Poor readability or missing tests often fall here.
Nice-to-have suggestions are improvements that would make the code better but aren't essential. These are often logged as future refactoring opportunities rather than immediate work.
โ Wrong thinking: "Every review finding must be fixed before merging." โ Correct thinking: "Must-fix issues block merging. Should-improve and nice-to-have issues are weighted against delivery timeline and code criticality."
โ ๏ธ Common Mistake 3: Treating all review feedback equally, leading to either perfectionism paralysis or dismissing legitimate concerns as "just preferences." โ ๏ธ
Adapting Framework Intensity: Context Matters
The framework isn't applied uniformly to every line of code. Code criticality and context determine how deeply you review each checkpoint:
| ๐ฏ Context | ๐ Review Intensity | ๐ Focus Areas |
|---|---|---|
| ๐ Security-critical code (authentication, authorization, payment processing) | Maximum depth on ALL checkpoints | Functionality, Integration, Testing mandatory deep dives |
| โก Performance-critical code (hot paths, loops, database queries) | Deep on Performance, Functionality | Can be lighter on Documentation if well-tested |
| ๐ง Complex business logic | Deep on Functionality, Maintainability, Documentation | Critical that future developers understand intent |
| ๐ง Utility functions and helpers | Moderate depth | Emphasize Testing and Readability |
| ๐จ UI components (non-critical) | Lighter review | Focus on Readability and Integration |
| ๐งช Test code | Moderate depth | Functionality (do tests actually test?) and Maintainability |
| ๐ Prototype/spike code | Minimal | Primarily Functionality verification |
๐ก Real-World Example: When reviewing AI-generated authentication middleware, you'd spend 30 minutes applying deep scrutiny across all seven checkpoints. When reviewing AI-generated date formatting utilities, you might spend 5 minutes focusing on functionality, testability, and readability.
๐ง Mnemonic: Remember "FRM-PTD-I" (Functionality, Readability, MaintainabilityโPerformance, Testing, DocumentationโIntegration). The first three are about "what the code is," the next three are about "how we verify and explain it," and the last is about "how it fits."
Cross-Cutting Concerns: Patterns, Security, and Domain Logic
The seven checkpoints provide structure, but three specialized review areas cut across multiple checkpoints:
1. Design Patterns Review touches:
- Maintainability: Are appropriate patterns used?
- Readability: Do patterns clarify or obscure intent?
- Integration: Do patterns match architectural standards?
2. Security Review touches:
- Functionality: Are security controls correctly implemented?
- Testing: Are security scenarios tested?
- Integration: Does code follow security policies?
- Documentation: Are security assumptions documented?
3. Domain Logic Review touches:
- Functionality: Are business rules correctly implemented?
- Documentation: Is domain knowledge captured?
- Maintainability: Can domain experts understand and modify this?
- Testing: Are business scenarios comprehensively tested?
Think of these specialized areas as "themes" that you evaluate through multiple framework lenses:
Specialized Review Areas
|
โโโโโโโโโโโดโโโโโโโโโโโ
โ โ
v v
Patterns Security
โ โ
โโโโโโโโโโโฌโโโโโโโโโโโโ
โ
v
Domain Logic
โ
v
Applied through each
framework checkpoint
โ
โโโโโโโโโโโดโโโโโโโโโโ
โ โ
v v
Functionality Maintainability
Readability Performance
Testing Documentation
Integration
For example, when reviewing authentication code (a security-critical area):
- Functionality checkpoint + Security: Does password hashing actually work correctly? Are timing attacks prevented?
- Testing checkpoint + Security: Are authentication bypass scenarios tested?
- Integration checkpoint + Security: Does this integrate with the security logging system?
- Documentation checkpoint + Security: Are security assumptions and threat models documented?
Creating Your Mental Checklist
The framework's power lies in creating a mental checklist that prevents blind spots. With practice, reviewing code with all seven checkpoints becomes natural:
๐ Quick Reference Card:
| ๐ Checkpoint | โ Quick Question | โก Red Flags |
|---|---|---|
| ๐ฏ Functionality | Does it work right? | Unhandled edge cases, missing validation |
| ๐ Readability | Can I understand it? | Cryptic names, dense complexity |
| ๐ง Maintainability | Can I change it safely? | Tight coupling, hardcoded values |
| โก Performance | Does it scale? | Nested loops, N+1 queries |
| ๐งช Testing | Can I verify it? | Untestable design, missing tests |
| ๐ Documentation | Do I know why? | Missing or inaccurate comments |
| ๐ Integration | Does it fit? | Pattern violations, inconsistent APIs |
As you review code, mentally check each box. If you can't confidently answer the quick question, spend more time on that checkpoint.
๐ก Remember: The goal isn't perfectionโit's systematic completeness. The framework ensures you at least consider each quality dimension before accepting code into your codebase.
From Checklist to Intuition
When you first use the framework, you'll explicitly walk through each checkpoint. That's perfectโdeliberate practice builds skill. Over time, the seven checkpoints become intuitive. You'll glance at code and immediately notice "this has integration problems" or "the performance characteristics here are concerning."
This transition from conscious checklist to unconscious competence is the framework's ultimate goal: turning you into a developer who can instinctively evaluate code quality across all critical dimensions, whether that code came from an AI, a colleague, or your own keyboard six months ago.
In the next section, we'll take this framework from theory to practice, walking through a complete review of real AI-generated code and seeing how each checkpoint reveals different insights.
Applying the Framework: A Walkthrough Example
Theory becomes meaningful only when applied to real situations. In this section, we'll walk through a complete framework application using an AI-generated code sample that mirrors what you'll encounter in actual development. We'll examine each of the seven framework points systematically, documenting our findings as we go, and learning how different perspectives reveal different issues in the same code.
The Sample Scenario
Imagine you've asked an AI assistant to create a REST API endpoint for a user management system. The requirement: "Create an endpoint that allows admins to update user profiles, including email changes and role assignments." The AI has generated the following code:
const express = require('express');
const router = express.Router();
const db = require('../db');
router.put('/users/:id', async (req, res) => {
const userId = req.params.id;
const { email, role, firstName, lastName } = req.body;
// Update user in database
const query = `UPDATE users SET email='${email}', role='${role}',
first_name='${firstName}', last_name='${lastName}'
WHERE id=${userId}`;
try {
const result = await db.query(query);
if (result.affectedRows > 0) {
res.json({ success: true, message: 'User updated successfully' });
} else {
res.status(404).json({ success: false, message: 'User not found' });
}
} catch (error) {
res.status(500).json({ success: false, message: 'Database error' });
}
});
module.exports = router;
At first glance, this code appears functionalโit follows Express conventions, has error handling, and seems to accomplish the stated requirement. But systematic review will reveal critical issues. Let's walk through each framework point to see what emerges.
Point 1: Correctness and Logic Flow
Correctness asks: Does this code actually do what it claims to do correctly? We start by tracing the execution path from input to output.
The logic flow follows this pattern:
Request arrives โ Extract parameters โ Build SQL query โ Execute query โ
Check results โ Send response
At the logic level, we immediately notice several issues:
Issue 1A: Missing authentication check. The requirement specified "allows admins" but there's no verification that the requester is an admin. The code will allow any authenticated user (or potentially unauthenticated users) to modify any user profile.
Issue 1B: No data validation. The code accepts whatever values arrive in the request body without checking if they're valid. What happens if email isn't a valid email format? What if role is set to a non-existent role like "supervillain"?
Issue 1C: Incomplete update semantics. If a field isn't provided in the request, it gets set to undefined, which then gets stringified into the SQL as the literal text "undefined". This means optional updates aren't handled correctly.
๐ก Pro Tip: When reviewing logic flow, always trace what happens with edge cases: missing data, invalid data, boundary conditions, and unexpected data types.
Documentation format for Point 1:
### Correctness Issues
- CRITICAL: No admin authorization check (violates stated requirement)
- HIGH: Missing input validation for email format and role values
- MEDIUM: Optional field updates will insert string "undefined" into database
- LOW: No check if userId is a valid numeric ID
Point 2: Security Vulnerabilities
The security checkpoint specifically looks for vulnerabilities that could be exploited by malicious actors. This AI-generated code contains a textbook example of a critical vulnerability.
Issue 2A: SQL Injection vulnerability. The code uses string concatenation to build SQL queries, inserting user-provided values directly into the query string. An attacker could send:
{
"email": "attacker@evil.com' WHERE id=1 OR '1'='1",
"role": "admin"
}
This would transform the query into:
UPDATE users SET email='attacker@evil.com' WHERE id=1 OR '1'='1',
role='admin', ...
This would update every user in the database, not just the targeted user.
โ ๏ธ Common Mistake: Developers sometimes think basic input sanitization (like removing quotes) provides adequate SQL injection protection. It doesn't. Always use parameterized queries or an ORM.
Issue 2B: Authorization bypass. Even if authentication exists at a higher layer, there's no check preventing a regular user from modifying other users' profiles or elevating their own privileges.
Issue 2C: No rate limiting or abuse prevention. An attacker could repeatedly hit this endpoint to perform denial-of-service attacks or brute-force attempts.
๐ฏ Key Principle: Security issues in AI-generated code are particularly dangerous because the code often looks reasonable and may even work correctly for normal use cases. The vulnerability only becomes apparent when you actively think adversarially.
Documentation for Point 2:
### Security Vulnerabilities
- CRITICAL: SQL injection via string concatenation (CWE-89)
- CRITICAL: Missing authorization check allows privilege escalation
- HIGH: No protection against IDOR (Insecure Direct Object Reference)
- MEDIUM: Missing rate limiting enables DoS attacks
- MEDIUM: Error messages may leak database schema information
Point 3: Performance and Efficiency
Performance review examines resource usage, scalability, and efficiency. Even functionally correct code can create production problems if it doesn't scale.
For this endpoint, we analyze:
Issue 3A: No database indexing consideration. The query uses WHERE id=... which assumes an index exists on the id field. While this is usually present on primary keys, the code doesn't document this assumption or verify it.
Issue 3B: No caching strategy. User profile updates might trigger related data to become stale (permissions, session data, etc.), but there's no cache invalidation logic.
Issue 3C: Synchronous email verification missing. If the email changes, there's likely a need to send verification emails or invalidate sessions, but this isn't handled. Performing such operations synchronously in the request path would cause poor response times.
Issue 3D: Full row update regardless of what changed. The code updates all fields even if only one changed. While not critical for this small example, this pattern doesn't scale well to tables with many columns or large text fields.
๐ก Mental Model: Think of performance review like inspecting a car's engine. It might drive fine around the block, but will it survive a cross-country journey with a full load?
Documentation for Point 3:
### Performance Considerations
- MEDIUM: Updates all fields regardless of what changed (inefficient)
- LOW: No caching strategy for frequently-accessed user data
- INFO: Assumes database indexes exist (should document)
- INFO: Synchronous operations may cause latency at scale
Point 4: Error Handling and Edge Cases
The error handling checkpoint evaluates how the code behaves when things go wrong. AI-generated code often includes basic try-catch blocks but misses nuanced error scenarios.
Issue 4A: Generic error responses. The catch block returns a generic "Database error" message for all failures. This makes debugging difficult and provides poor user experience. Different errors need different handling:
- Unique constraint violation (duplicate email) โ 409 Conflict
- Database connection failure โ 503 Service Unavailable
- Invalid foreign key (bad role_id) โ 400 Bad Request
Issue 4B: No validation for missing required fields. If email is undefined, the code will try to execute a malformed query rather than returning a clear validation error.
Issue 4C: Race condition not handled. If two requests update the same user simultaneously, the last write wins without any conflict detection.
Issue 4D: No transaction management. If this update should be atomic with other operations (like logging changes to an audit table), there's no transaction wrapper.
Here's what improved error handling might look like:
try {
const result = await db.query(query, params);
if (result.affectedRows === 0) {
return res.status(404).json({
success: false,
error: 'USER_NOT_FOUND',
message: 'No user exists with the provided ID'
});
}
res.json({ success: true, data: { userId, updated: true } });
} catch (error) {
// Log full error server-side
logger.error('User update failed', { userId, error: error.message });
// Return appropriate error to client
if (error.code === 'ER_DUP_ENTRY') {
return res.status(409).json({
success: false,
error: 'EMAIL_TAKEN',
message: 'An account with this email already exists'
});
}
if (error.code === 'ER_NO_REFERENCED_ROW') {
return res.status(400).json({
success: false,
error: 'INVALID_ROLE',
message: 'The specified role does not exist'
});
}
// Generic fallback for unexpected errors
res.status(500).json({
success: false,
error: 'INTERNAL_ERROR',
message: 'Unable to update user profile'
});
}
Documentation for Point 4:
### Error Handling Issues
- HIGH: Generic error responses hide root causes
- MEDIUM: No validation for required fields before query
- MEDIUM: Race conditions not handled (concurrent updates)
- LOW: No transaction management for atomic operations
- INFO: Consider implementing optimistic locking
Point 5: Maintainability and Code Quality
Maintainability assesses how easy the code will be to understand, modify, and extend in the future. This is where we look at structure, naming, and clarity.
Issue 5A: Business logic in route handler. The endpoint mixes routing concerns, validation, authorization, and data access all in one function. This violates the separation of concerns principle.
Issue 5B: No input validation layer. Validation logic should be extracted into reusable schemas (using tools like Joi, Yup, or Zod).
Issue 5C: Direct database coupling. The route directly constructs SQL queries, making it difficult to change database implementations or add business logic.
Issue 5D: Magic strings. The role names, error messages, and status codes are hardcoded literals rather than constants.
A more maintainable structure would separate concerns:
// validators/userValidator.js
const Joi = require('joi');
const updateUserSchema = Joi.object({
email: Joi.string().email().optional(),
role: Joi.string().valid('user', 'admin', 'moderator').optional(),
firstName: Joi.string().min(1).max(50).optional(),
lastName: Joi.string().min(1).max(50).optional()
}).min(1); // At least one field required
// services/userService.js
class UserService {
async updateUser(userId, updates, requestingUserId) {
// Check authorization
await this.checkUpdatePermission(requestingUserId, userId);
// Validate email uniqueness if changing
if (updates.email) {
await this.validateEmailAvailable(updates.email, userId);
}
// Perform update with parameterized query
const result = await this.db.users.update(
userId,
updates,
{ transaction: true }
);
// Invalidate caches
await this.cacheService.invalidateUser(userId);
return result;
}
}
// routes/users.js
router.put('/users/:id',
authenticate, // Middleware
validate(updateUserSchema), // Middleware
async (req, res, next) => {
try {
const result = await userService.updateUser(
req.params.id,
req.body,
req.user.id
);
res.json({ success: true, data: result });
} catch (error) {
next(error); // Let error handling middleware deal with it
}
}
);
Documentation for Point 5:
### Maintainability Issues
- HIGH: Business logic mixed with routing logic (violates SoC)
- MEDIUM: No validation layer or schema definition
- MEDIUM: Direct SQL coupling makes changes difficult
- LOW: Magic strings should be constants
- INFO: Consider service layer pattern for better testing
Point 6: Testing and Testability
Testability evaluates how easily we can write tests for this code and whether the structure facilitates good test coverage.
Issue 6A: Difficult to unit test. Because everything is in one function with direct dependencies on Express, the database, and external modules, you can't test business logic in isolation.
Issue 6B: No dependency injection. The database connection is directly required, making it hard to substitute a mock database for testing.
Issue 6C: Side effects not isolated. If updating a user triggers other operations (sending emails, logging, cache invalidation), those are mixed with core logic.
Issue 6D: No test hooks or seams. The code provides no natural points to inject test doubles or observe internal behavior.
๐ก Real-World Example: In production, a developer needed to test that admin checks were working correctly. But because the authentication, authorization, and business logic were tangled together, they had to set up a full database, mock session store, and HTTP server just to verify a simple permission check. With better structure, this could have been a simple unit test.
Documentation for Point 6:
### Testing Concerns
- HIGH: Tightly coupled design prevents unit testing
- MEDIUM: No dependency injection for mocking
- MEDIUM: Side effects mixed with core logic
- INFO: Would require integration tests for basic coverage
- INFO: Consider using repositories pattern for data access
Point 7: Requirements Alignment and Documentation
Requirements alignment verifies that the code actually fulfills the original requirement and documents its behavior appropriately.
Recall the original requirement: "Create an endpoint that allows admins to update user profiles, including email changes and role assignments."
Issue 7A: Admin requirement not implemented. The most obvious gapโthere's no admin check.
Issue 7B: Email change implications not addressed. Email changes typically require verification, session invalidation, and notification to the old email address. None of this is mentioned or implemented.
Issue 7C: No API documentation. There's no documentation about expected request format, possible response codes, or error formats.
Issue 7D: Partial requirement implementation. The code handles firstName and lastName which weren't mentioned in the requirement. This might be scope creep or might be intentional, but it's not documented.
Issue 7E: No audit trail. For a security-sensitive operation like role changes, there should be audit logging. This is implied by "role assignments" but not implemented.
Proper documentation might look like:
/**
* Update User Profile (Admin Only)
*
* Allows administrators to modify user profile information including
* email addresses and role assignments. Email changes trigger verification
* workflows. Role changes are logged to the audit trail.
*
* @route PUT /users/:id
* @param {string} id - User ID to update
* @body {object} updates - Fields to update
* @body {string} [updates.email] - New email (triggers verification)
* @body {string} [updates.role] - New role (user|admin|moderator)
* @body {string} [updates.firstName] - Updated first name
* @body {string} [updates.lastName] - Updated last name
*
* @returns {200} Success - User updated
* @returns {400} Bad Request - Invalid input data
* @returns {401} Unauthorized - Not authenticated
* @returns {403} Forbidden - Not an admin
* @returns {404} Not Found - User doesn't exist
* @returns {409} Conflict - Email already in use
* @returns {500} Server Error - Database failure
*
* @security Requires admin role
* @sideeffects Email verification workflow, cache invalidation, audit logging
*/
Documentation for Point 7:
### Requirements Alignment
- CRITICAL: Admin authorization requirement not implemented
- HIGH: Email change implications not addressed (verification, notifications)
- MEDIUM: No audit logging for role changes
- MEDIUM: No API documentation (request/response formats)
- LOW: Scope unclear (firstName/lastName not in original spec)
Synthesizing the Review: Prioritization and Next Steps
After walking through all seven framework points, we now have a comprehensive picture of issues. The next step is prioritizationโdetermining what must be fixed immediately versus what can be improved over time.
๐ Quick Reference Card: Issue Prioritization Matrix
| Priority | Issue | Framework Point | Impact |
|---|---|---|---|
| ๐ด P0 | SQL injection vulnerability | Security | Data breach risk |
| ๐ด P0 | Missing admin authorization | Security, Requirements | Privilege escalation |
| ๐ P1 | No input validation | Correctness, Security | Data corruption |
| ๐ P1 | Poor error handling | Error Handling | Poor UX, debugging |
| ๐ก P2 | Tight coupling | Maintainability, Testing | Technical debt |
| ๐ก P2 | Missing documentation | Requirements | Team velocity |
| ๐ข P3 | Performance optimizations | Performance | Scaling concerns |
How Different Framework Points Surface Different Issues
One powerful aspect of the seven-point framework is how different perspectives reveal different problems in the same code:
โ Wrong thinking: "This code has a security problem. I'll fix the SQL injection and move on."
โ Correct thinking: "The SQL injection is critical, but security isn't the only lens. Let me check all seven points to see what else matters."
Consider how each framework point revealed unique insights:
๐ Security found the SQL injection and authorization gapsโissues that could lead to data breaches
๐ง Correctness identified logic gaps that security review might miss, like undefined field handling
โก Performance noticed efficiency issues that wouldn't break functionality but could cause production problems
๐ก๏ธ Error Handling revealed brittleness in edge cases that other reviews overlooked
๐ Maintainability highlighted structural problems that make future changes risky
๐งช Testing exposed design decisions that make verification difficult
๐ Requirements caught the fundamental gap between what was requested and what was delivered
Without a systematic framework, you might catch one or two issues but miss others entirely. The AI generated code that worked for the happy path but failed on almost every other dimension.
Creating Your Review Document
A complete review document should map findings to framework points, assign priorities, and suggest remediation:
## Code Review: User Update Endpoint
**Reviewer:** [Your Name]
**Date:** 2024-01-15
**Code Location:** routes/users.js lines 5-27
**AI Generated:** Yes (Claude/GPT-4/Copilot)
### Executive Summary
โ **Recommendation: DO NOT MERGE**
Critical security vulnerabilities (SQL injection, missing authorization) must be
addressed before this code can be deployed.
### Framework Assessment
#### 1. Correctness โ ๏ธ ISSUES FOUND
- Missing admin check violates stated requirements
- No validation for email format or role values
- Optional fields incorrectly handled
#### 2. Security ๐ด CRITICAL
- SQL injection via string concatenation (CWE-89)
- Authorization bypass allows privilege escalation
- IDOR vulnerability
[... continue for all seven points ...]
### Required Actions
1. โ
Implement parameterized queries or ORM
2. โ
Add admin authorization middleware
3. โ
Add input validation with schema
4. โญ๏ธ Refactor to service layer pattern
5. โญ๏ธ Add comprehensive error handling
6. โญ๏ธ Add API documentation
### Suggested Implementation
[Include improved code example or architectural guidance]
๐ฏ Key Principle: The goal of code review isn't to criticizeโit's to ensure quality and share knowledge. Your review document should educate as much as it evaluates.
Patterns You'll Notice in AI-Generated Code
After reviewing many AI-generated code samples, certain patterns emerge:
Common strengths:
- โ Follows basic language idioms and conventions
- โ Includes try-catch blocks and basic error handling
- โ Often has reasonable variable naming
- โ Structures code in familiar patterns
Common weaknesses:
- โ Security vulnerabilities (especially injection attacks)
- โ Missing authorization and authentication
- โ Poor separation of concerns
- โ Incomplete error handling
- โ Missing documentation of assumptions
- โ No consideration of production concerns
๐ก Remember: AI models are trained on code examples, including examples with security vulnerabilities and poor practices. They generate plausible code, not necessarily correct or secure code.
Applying This to Your Own Reviews
When you review your next piece of AI-generated code:
๐ง Step 1: Read through once for general understanding
๐ง Step 2: Apply each framework point systematically, taking notes
๐ง Step 3: Categorize findings by severity and framework point
๐ง Step 4: Determine if code can be improved or needs rewriting
๐ง Step 5: Document your findings clearly
๐ง Step 6: Provide constructive feedback with examples
The framework isn't bureaucracyโit's a thinking tool that helps you see what you might otherwise miss. Like a pilot's pre-flight checklist, it ensures you don't skip critical checks even when you're experienced.
With this walkthrough complete, you now have a concrete example of how the seven-point framework transforms abstract principles into actionable review insights. The same systematic approach applies whether you're reviewing a simple endpoint or a complex systemโthe framework scales to match the complexity of the code being reviewed.
Building Your Review Workflow
Knowing the Seven-Point Framework is one thingโmaking it a seamless part of your daily development practice is another. The difference between reviewers who occasionally remember to check security and those who catch critical issues consistently lies not in knowledge but in workflow integration. When AI generates code at conversational speed, your review process must be both thorough and efficient, structured yet adaptable.
The challenge is real: a framework with seven distinct checkpoints could easily balloon into hour-long reviews that frustrate teams and slow delivery. The solution lies in building a review workflow that makes the framework feel natural rather than bureaucratic, fast rather than exhaustive, and collaborative rather than adversarial.
Time-Boxing Your Reviews for Maximum Efficiency
The first principle of sustainable code review is time-boxing: allocating fixed time periods to specific review activities. Without time constraints, reviews expand to fill available time, often dwelling too long on style preferences while rushing past security concerns.
๐ฏ Key Principle: Each framework point doesn't deserve equal timeโallocate based on risk and context.
For a typical AI-generated feature (100-300 lines), consider this baseline time allocation:
Framework Point Time Budget % of Total
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
1. Requirements Alignment 3 min 15%
2. Code Patterns & Quality 4 min 20%
3. Edge Cases & Error Handling 5 min 25%
4. Security & Data Safety 4 min 20%
5. Performance Implications 2 min 10%
6. Domain Logic Correctness 4 min 20%
7. Test Coverage & Quality 3 min 10%
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
Total Review Time ~25 min 100%
This isn't a rigid prescriptionโit's a starting point that you'll adjust based on your domain. Notice that edge cases and security together consume 45% of review time. This reflects the reality that AI often generates happy-path code that looks correct but harbors subtle bugs in error handling and security.
๐ก Pro Tip: Use a physical or digital timer when reviewing. When the timer signals the end of a framework point, make a decision: flag for further investigation or move on. This prevents analysis paralysis on minor style issues.
Adjusting time allocation by context is crucial. A data processing function touching user PII might allocate 40% of time to security, while a UI component rendering public data might spend 35% on patterns and code quality. Let's see how this looks in practice:
// Reviewing this AI-generated password reset function
async function resetUserPassword(userId, newPassword) {
const user = await db.users.findById(userId);
user.password = hashPassword(newPassword);
await user.save();
await sendEmail(user.email, 'Password reset successful');
return { success: true };
}
// Time allocation adjustment for this security-critical function:
// Requirements: 2 min (15% โ 10%)
// Patterns: 2 min (20% โ 10%)
// Edge Cases: 4 min (25% โ 20%)
// Security: 10 min (20% โ 40%) โ INCREASED
// Performance: 2 min (10% โ 10%)
// Domain Logic: 3 min (20% โ 15%)
// Tests: 2 min (10% โ 10%)
// Total: ~25 min with security-focused allocation
โ ๏ธ Common Mistake 1: Spending equal time on every framework point regardless of code context leads to missed critical issues in high-risk areas. โ ๏ธ
The security review of this function would immediately flag several issues: no password strength validation, no rate limiting mention, no notification to the old email, and no verification that the requester should have reset privileges. A generic time allocation might have glossed over these concerns.
Creating Your Personal Review Toolkit
Checklists transform the abstract framework into concrete, actionable steps. But generic checklists become noiseโyou need personalized checklists that reflect your domain, your team's common issues, and your technology stack.
Here's how to build checklists that actually get used:
Start with framework points as top-level sections, then populate with questions specific to your context. For a web application team working with AI-generated code, a Security checkpoint might look like:
### ๐ Security & Data Safety (4-10 min depending on sensitivity)
#### Authentication & Authorization
- [ ] Does this code check user permissions before data access?
- [ ] Are authentication tokens validated and not just trusted?
- [ ] Is there protection against horizontal privilege escalation?
#### Input Validation
- [ ] Are all user inputs validated (type, format, range)?
- [ ] Is validation done server-side, not just client-side?
- [ ] Are SQL queries parameterized (no string concatenation)?
#### Data Exposure
- [ ] Does the response filter sensitive fields (passwords, tokens, PII)?
- [ ] Are error messages sanitized (no stack traces to users)?
- [ ] Is logging appropriate (no sensitive data in logs)?
#### Our Common AI Pitfalls
- [ ] AI often forgets rate limiting on auth endpoints - is it present?
- [ ] AI frequently returns too much data - checked response shape?
- [ ] AI sometimes uses weak randomness - crypto.randomBytes used?
Notice the "Our Common AI Pitfalls" sectionโthis is the adaptive layer where you document patterns you've observed in AI-generated code from your tools. This section grows over time as you notice recurring issues.
๐ก Real-World Example: A fintech team noticed their AI code generator consistently forgot to include idempotency keys in payment API calls. They added "Is there an idempotency key for this financial transaction?" to their domain logic checklist. This single item prevented three duplicate payment bugs in the following month.
Templates take this further by providing starting points for review comments. Instead of typing the same explanation about SQL injection for the tenth time, use a template:
### Review Comment Templates
#### Template: SQL Injection Risk
๐ **Security Issue: SQL Injection Vulnerability**
The query on line {LINE} concatenates user input directly into SQL:
```{CODE_SNIPPET}```
**Risk:** An attacker could manipulate the query to access/modify unauthorized data.
**Fix:** Use parameterized queries:
```sql
-- Instead of:
const query = `SELECT * FROM users WHERE email = '${userEmail}'`;
-- Use:
const query = 'SELECT * FROM users WHERE email = ?';
db.execute(query, [userEmail]);
Reference: OWASP SQL Injection Prevention Cheat Sheet
With this template saved in your IDE snippets or a browser extension, you maintain consistency and educational value in reviews while saving time.
<div class="lesson-flashcard-placeholder" data-flashcards="[{"q":"What is the practice of allocating fixed time to review activities?","a":"time-boxing"},{"q":"What should grow over time documenting AI patterns?","a":"adaptive layer"},{"q":"What transforms abstract frameworks into concrete steps?","a":"checklists"}]" id="flashcard-set-10"></div>
#### Leveraging Tool Support for Automated Checks
The most efficient review workflow **automates what can be automated** and reserves human judgment for what cannot. Several framework checkpoints have components that tools handle better than humans.
**Static analysis and linting** can automatically check portions of the Code Patterns & Quality point:
```javascript
// .eslintrc.json configuration targeting AI code quality
{
"rules": {
// AI often generates unused variables
"no-unused-vars": ["error", {
"argsIgnorePattern": "^_",
"varsIgnorePattern": "^_"
}],
// AI sometimes uses var instead of const/let
"no-var": "error",
"prefer-const": "error",
// AI may not handle async errors properly
"no-async-promise-executor": "error",
"require-await": "warn",
// AI generated code often has inconsistent returns
"consistent-return": "error",
// AI may create overly complex conditions
"complexity": ["warn", 10]
}
}
These automated checks don't replace human reviewโthey triage issues so you spend framework point 2 time on architectural patterns rather than variable naming.
Security-focused tools can automate parts of the Security & Data Safety checkpoint:
| Tool Category | Automated Framework Support | Human Still Needed For |
|---|---|---|
| ๐ SAST Tools (Semgrep, SonarQube) | SQL injection patterns, XSS vulnerabilities, hardcoded secrets, insecure dependencies | Authorization logic, business-specific security rules, context-dependent risks |
| ๐ Dependency Scanners (Snyk, Dependabot) | Known CVEs in dependencies, license issues, outdated packages | Whether the vulnerability applies to your usage, upgrade feasibility |
| โก Secret Scanners (git-secrets, TruffleHog) | API keys, tokens, passwords in code or history | False positives, environment-specific secrets management |
๐ค Did you know? Studies show that automated tools catch about 30-40% of security issues in typical codebases, but nearly 80% of the easy-to-detect issues. This frees reviewers to focus on the subtle logic flaws that tools miss.
IDE integration makes the framework feel natural rather than external. Modern IDEs can surface review checkpoints directly in the development environment:
## Using IDE task comments to integrate framework points
def process_payment(user_id, amount, card_token):
# TODO(framework-security): Validate amount range and currency
# TODO(framework-edge-cases): Handle card declined, network timeout
# TODO(framework-domain): Verify user has permission for this payment
user = get_user(user_id)
charge = stripe.Charge.create(
amount=amount,
currency='usd',
source=card_token,
description=f'Charge for user {user_id}'
)
return charge
By prefixing TODO comments with framework-{point}, you create searchable checkpoints that IDEs can highlight, collect in task lists, and even auto-generate review checklists from.
๐ก Pro Tip: Create custom IDE inspections or snippets for common framework patterns. In IntelliJ, you can create structural search patterns that flag AI-generated code missing error handling or input validation.
Adapting the Framework Across Review Contexts
The Seven-Point Framework isn't just for pull request reviewsโit adapts to three primary review contexts: pull requests, pair programming, and self-review. Each context demands different emphasis and workflow adjustments.
Pull Request Reviews: Asynchronous and Documented
In PR reviews, you have time for thoroughness and your comments become permanent documentation. The full framework applies, but with these workflow adaptations:
Use a two-pass strategy: First pass for requirements, domain logic, and security (the "rejection criteria" points). If these fail, request changes before reviewing patterns and performance.
PR Review Workflow (Two-Pass)
First Pass (10 min) Decision Point Second Pass (15 min)
โโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโ
โ 1. Requirements โโโโ โ 2. Code Patterns โ
โ 4. Security โ โ โ 3. Edge Cases โ
โ 6. Domain Logic โ โโโ> PASS? โโโYESโโ> โ 5. Performance โ
โโโโโโโโโโโโโโโโโโโ โ โ 7. Test Coverage โ
โ โโโโโโโโโโโโโโโโโโโโ
โ
NO
โ
v
Request Changes
(with specific framework
points that failed)
This prevents wasting time on code style when the fundamental approach is wrong.
Framework-tagged comments help authors understand review context:
๐ **[Framework: Security]** Line 45: User input `searchQuery` is directly
interpolated into the database query. This creates a SQL injection vulnerability.
๐ **[Framework: Edge Cases]** Lines 78-82: The error handling assumes the
API always returns JSON, but network failures could return HTML error pages,
causing JSON.parse() to throw.
๐ฏ **[Framework: Domain Logic]** Line 103: The discount calculation doesn't
account for our business rule that discounts can't reduce price below cost.
Needs a `Math.max(calculatedPrice, product.cost)` check.
This tagging helps authors see the review as systematic rather than nitpicky, and helps you ensure you've covered all framework points.
Pair Programming: Real-Time and Collaborative
When pair programming with AI-generated code, the framework becomes a conversation guide rather than a checklist. The driver and navigator naturally divide framework responsibilities:
Navigator focus: Security, edge cases, domain logic (the points requiring broader context) Driver focus: Code patterns, requirements alignment (the points visible in immediate code) Shared: Performance and test coverage (discussed as code emerges)
๐ก Real-World Example: A team practicing "AI-assisted pair programming" has one developer prompt the AI while the other navigates with framework points in mind. As the AI generates code, the navigator calls out: "Let's check framework point 4โdoes this handle the authorization for guest users?" This real-time framework application catches issues before they're even committed.
โ ๏ธ Common Mistake 2: Trying to apply all seven framework points in real-time during pairing creates cognitive overload. Focus on the three highest-risk points for the code being written, and catch the rest in later self-review. โ ๏ธ
Self-Review: Before the Code Leaves Your Machine
Self-review is your first line of defense, especially for AI-generated code. The framework here acts as a pre-commit gate:
#!/bin/bash
## pre-commit hook for framework-based self-review
echo "๐ Running Seven-Point Framework Pre-Commit Checks..."
echo ""
## Automated checks (framework points 2, 4, 7)
echo "[2/7] Code Patterns: Running linter..."
npm run lint || exit 1
echo "[4/7] Security: Scanning for secrets..."
git secrets --scan || exit 1
echo "[7/7] Test Coverage: Checking tests..."
npm run test:coverage -- --threshold 80 || exit 1
## Manual checklist reminder
echo ""
echo "โ
Automated checks passed. Manual review required:"
echo " [1/7] Requirements: Does this solve the stated problem?"
echo " [3/7] Edge Cases: Have you tested failure paths?"
echo " [5/7] Performance: Any O(nยฒ) or heavy operations?"
echo " [6/7] Domain Logic: Correct business rules?"
echo ""
read -p "Confirm manual framework review complete (y/N): " confirm
if [ "$confirm" != "y" ]; then
echo "โ Commit aborted - complete framework review first"
exit 1
fi
echo "โ
Framework review complete - proceeding with commit"
This script combines automation with human judgment, making the framework a habit rather than an afterthought.
Building Team Consensus Around the Framework
The framework only works if your team shares an understanding of what each point means and what standards apply. Without consensus, reviews become arguments about interpretation rather than collaborative quality improvement.
Calibration sessions are the foundation of team alignment. Schedule monthly 1-hour sessions where the team reviews the same AI-generated code sample together:
Calibration Session Structure (60 min)
1. Individual Review (15 min)
โ Everyone reviews the code sample independently
โ Tag findings with framework points
โ Note severity (blocker, major, minor)
2. Comparison & Discussion (30 min)
โ What did everyone find vs. miss?
โ Where did interpretations differ?
โ Which findings were false positives?
3. Standards Refinement (15 min)
โ Update team checklist based on gaps
โ Document consensus on contentious points
โ Add sample to team playbook
Over time, these sessions create shared mental models of what "good" looks like for each framework point.
Living documentation captures these shared understandings. Don't let them live only in team memory:
๐ Quick Reference Card: Team Framework Standards
| Point | โ We Always | โ ๏ธ We Never | ๐ค Context Dependent |
|---|---|---|---|
| ๐ฏ Requirements | Verify acceptance criteria met | Approve without testing user story | Performance trade-offs need product input |
| ๐๏ธ Patterns | Follow team style guide | Use deprecated patterns | New patterns need architecture review |
| ๐ Edge Cases | Test null, empty, boundary values | Ship without error handling | Defensive coding level varies by layer |
| ๐ Security | Validate all inputs, parameterize queries | Trust client-side validation | PII handling follows data classification |
| โก Performance | Consider O(n) complexity | Optimize without profiling | Caching decisions need load data |
| ๐ผ Domain Logic | Match documented business rules | Assume AI knows our domain | Complex rules need product validation |
| โ Tests | Test happy path and errors | Accept AI-generated tests as-is | Integration test depth varies by risk |
Framework champions accelerate adoption. Designate team members who become go-to resources for specific framework points:
๐ง Security Champion: Deep expertise in framework point 4, reviews all security-sensitive PRs
โก Performance Champion: Expertise in framework point 5, consulted on data-intensive features
๐ฏ Domain Logic Champion: Usually a senior developer or domain expert, validates framework point 6
This distributes expertise while maintaining consistency.
๐ก Pro Tip: During team retrospectives, discuss framework effectiveness explicitly. Ask: "Which framework points caught issues this sprint?" and "Which points are we still struggling with?" Use this data to adjust your workflow and focus areas.
Progressive Workflow Adoption
โ Wrong thinking: "We'll implement the full framework tomorrow for all code." โ Correct thinking: "We'll start with three framework points on high-risk code and expand gradually."
Adopting the framework is itself a workflow challenge. A phased approach prevents review fatigue:
Phase 1 (Weeks 1-2): The Critical Three
Start with the framework points that catch the most severe issues:
- Point 4: Security & Data Safety
- Point 6: Domain Logic Correctness
- Point 3: Edge Cases & Error Handling
Apply only to AI-generated code touching data or business logic.
Phase 2 (Weeks 3-4): Expand Coverage
Add the quality foundation points:
- Point 1: Requirements Alignment
- Point 2: Code Patterns & Quality
Apply to all AI-generated code in PRs.
Phase 3 (Weeks 5-6): Complete Framework
Add the optimization points:
- Point 5: Performance Implications
- Point 7: Test Coverage & Quality
Now applying all seven points to all code reviews.
Phase 4 (Week 7+): Refinement
Optimize your workflow:
- Calibrate time allocations based on actual review data
- Automate repetitive checks
- Build team-specific checklists and templates
This progressive approach builds review muscle memory without overwhelming the team.
๐ง Mnemonic for framework adoption: SEC-DRE-PT
- Security
- Edge Cases
- Correctness (Domain Logic)
- Demands (Requirements)
- Readability (Patterns)
- Performance
- Tests
The first three letters (SEC) remind you of the critical starting points.
Measuring Workflow Effectiveness
You can't improve what you don't measure. Track simple workflow metrics to understand if your framework integration is working:
Review Efficiency Metrics:
- Average time per framework point
- Framework points that find issues vs. those that don't
- Percentage of reviews completing within time-box
Quality Outcome Metrics:
- Issues found per framework point (which points are catching bugs?)
- Issues escaping to production by framework point (which points need more rigor?)
- Review cycle time (initial review to approval)
A simple tracking approach:
## PR #2847 Review Metrics
Time Allocation:
- [1] Requirements: 3 min โ Found 0 issues
- [2] Patterns: 5 min โ Found 2 issues (minor)
- [3] Edge Cases: 6 min โ Found 1 issue (major)
- [4] Security: 8 min โ Found 1 issue (blocker)
- [5] Performance: 2 min โ Found 0 issues
- [6] Domain Logic: 4 min โ Found 1 issue (major)
- [7] Tests: 3 min โ Found 1 issue (minor)
Total Time: 31 min (over budget by 6 min, due to complex security issue)
Issues Found: 6 (1 blocker, 2 major, 3 minor)
Framework Points Finding Issues: 4/7
After a few weeks, patterns emerge. You might notice that performance rarely finds issues in your backend services but frequently catches problems in frontend codeโadjust time allocation accordingly.
โ ๏ธ Common Mistake 3: Tracking so many metrics that the tracking overhead exceeds the value. Start with just "time spent" and "issues found per point" for your first month. โ ๏ธ
Your Personal Review Environment
Your physical and digital environment matters more than you might think. Effective reviewers engineer their review space:
Digital Environment Setup:
- Dual monitors: Code on one screen, requirements/docs on the other
- Framework checklist: Always visible (sticky note, second browser tab, IDE sidebar)
- Reference docs: Quick access to team standards, API docs, security guidelines
- Timer: Visible countdown for time-boxing
- Distraction blocking: Close Slack, email, notifications during review time-boxes
Mental Environment Setup:
- Review scheduling: Block calendar time for reviews; don't review between meetings
- Energy awareness: Review high-risk code (security, domain logic) when mentally fresh
- Batch reviewing: Group similar reviews (e.g., all UI PRs) to maintain context
๐ก Real-World Example: One senior developer schedules "Framework Review Hour" every morning from 9-10 AM. She reviews all pending PRs during this focused time, with her framework checklist open and notifications disabled. Her review quality improved and time-per-review decreased by 30% after adopting this practice.
Workflow Variations for Different Code Scales
Not all code is equal in scope. A 10-line bug fix needs different workflow than a 500-line feature. Scale-adjusted workflows maintain efficiency:
Small Changes (<50 lines):
- Quick scan: 5 minutes total
- Focus on points 3, 4, 6 (edge cases, security, domain logic)
- Skip or rapid-scan points 5, 7 (performance, tests) if low-risk
Medium Changes (50-200 lines):
- Standard workflow: 15-25 minutes
- Apply all seven framework points
- Use time-boxing strictly
Large Changes (200+ lines):
- Extended review: 30-60 minutes
- Consider splitting review across multiple sessions
- Focus each session on 2-3 framework points
- May need architectural review before detailed framework review
Massive Changes (500+ lines):
- Question whether this should be one PR
- If unavoidable: multi-day review
- Create review plan assigning framework points to different reviewers
- Schedule synchronous review session for complex points
๐ฏ Key Principle: The framework scales by adjusting depth per point, not by skipping points entirely. Even a 5-line change should consider security if it touches authentication.
Making the Framework Habitual
The ultimate goal is internalization: the framework becomes automatic rather than deliberate. This happens through repetition and reinforcement.
Deliberate practice with the framework:
- Review at least one piece of code daily using the explicit framework
- Time yourself on each framework point
- Reflect weekly: which points came naturally, which required conscious effort?
- After each review, note: "Which framework point caught the most important issue?"
Positive reinforcement when the framework works:
- When a framework point catches a bug in production, document it
- Share framework successes in team channels: "Point 3 (edge cases) caught this null pointer that would have crashed checkout"
- Celebrate framework adoption milestones
Within 4-6 weeks of consistent application, most developers report that the framework becomes second natureโthey think in terms of the seven points automatically rather than consulting checklists.
๐ก Mental Model: Think of the framework like learning to drive. Initially, you consciously think "check mirrors, signal, blind spot, turn." With practice, these checks become automatic and simultaneous. The Seven-Point Framework follows the same learning curve.
Your review workflow is now a systematic practice rather than an ad-hoc activity. You have time-boxes that keep reviews efficient, tools that automate mechanical checks, checklists that ensure consistency, and team consensus that makes reviews collaborative. The framework has moved from a theoretical concept to a practical daily habit.
But knowing how to review isn't enoughโyou also need to know what not to do. Even experienced reviewers fall into traps that undermine the framework's effectiveness, and AI-generated code introduces novel pitfalls that catch even seasoned developers off-guard. Let's turn our attention to these common mistakes and how to avoid them.
Common Review Pitfalls and Anti-Patterns
Even with a systematic framework in hand, code reviewers consistently fall into predictable traps when evaluating AI-generated code. These pitfalls are particularly insidious because they often feel like reasonable shortcuts or time-savers in the moment. Understanding these anti-patternsโrecurring mistakes that seem helpful but ultimately undermine code qualityโis essential for becoming an effective reviewer in the age of AI-assisted development.
The good news? The Seven-Point Framework naturally guards against most of these traps when applied consistently. Let's explore each pitfall in depth, see how it manifests in real reviews, and understand how systematic evaluation protects us.
Pitfall #1: Surface-Level Approval
Surface-level approval is perhaps the most dangerous anti-pattern when reviewing AI-generated code. It occurs when reviewers run the code, see it execute without errors, and immediately assume correctness. This trap is especially tempting with AI-generated code because the output often looks polished and professionalโproper indentation, reasonable variable names, even helpful comments.
โ ๏ธ Common Mistake: Equating "runs without errors" with "correct implementation" โ ๏ธ
๐ฏ Key Principle: Code that executes successfully has only cleared the lowest possible bar. It tells you nothing about correctness, efficiency, security, or maintainability.
Consider this AI-generated function that appears to work perfectly:
def calculate_user_discount(user_id, purchase_amount):
"""Calculate discount for a user based on their purchase history."""
# Fetch user's total purchases
total_purchases = get_user_total_purchases(user_id)
# Apply discount tiers
if total_purchases > 10000:
discount = purchase_amount * 0.20
elif total_purchases > 5000:
discount = purchase_amount * 0.15
elif total_purchases > 1000:
discount = purchase_amount * 0.10
else:
discount = 0
return discount
A surface-level review might test this with a few user IDs, see reasonable discount values returned, and approve it. But deeper analysis reveals critical issues:
๐ What's actually wrong:
- No validation that
purchase_amountis positive (could accept negative values) - No handling for when
get_user_total_purchases()fails or returnsNone - No maximum discount cap (20% of a $1,000,000 purchase is $200,000)
- No currency consideration (works differently for USD vs JPY)
- Possible race condition if user makes concurrent purchases
- Missing audit trail for discount calculations
The function runs, but it's fundamentally flawed for production use. This is where the Seven-Point Framework saves usโspecifically the edge case analysis and error handling checkpoints force us to ask questions that surface-level testing never touches.
๐ก Pro Tip: Before running any AI-generated code, read it completely and form hypotheses about what could go wrong. Then test those hypotheses deliberately, not just the happy path.
Pitfall #2: Analysis Paralysis
At the opposite extreme from surface-level approval sits analysis paralysisโspending enormous time debating minor style preferences while missing substantive flaws. This anti-pattern often emerges when reviewers lack a structured approach and don't know where to focus their attention.
// Reviewer spends 20 minutes debating whether to use
// single quotes vs double quotes...
const userName = "John Doe"; // or 'John Doe'?
// ...while completely missing this security vulnerability
function executeUserQuery(query) {
// Directly interpolating user input into SQL!
return database.execute(`SELECT * FROM users WHERE name = '${query}'`);
}
โ Wrong thinking: "This code needs 15 changes to meet our exact style guide before we discuss functionality."
โ Correct thinking: "Let me systematically evaluate correctness, security, and integration first. Style refinements come last."
The Seven-Point Framework creates natural prioritization by ordering checkpoints from critical to refinement:
Priority Flow:
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ 1. Correctness & Logic [CRITICAL] โ
โ 2. Error Handling [CRITICAL] โ
โ 3. Security & Validation [CRITICAL] โ
โ 4. Integration & Dependencies [HIGH] โ
โ 5. Performance & Edge Cases [MEDIUM] โ
โ 6. Maintainability [MEDIUM] โ
โ 7. Style & Conventions [LOW] โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
When you follow this structure, you naturally encounter critical flaws before getting bogged down in formatting debates. If you discover a fundamental logic error in step 1, there's no point perfecting the indentationโthe code needs to be rewritten.
๐ง Mnemonic: CESI-PMS (Correctness, Error handling, Security, Integration, Performance, Maintainability, Style) - Critical issues before cosmetic ones.
Pitfall #3: Inconsistent Review Depth
Inconsistent review depth occurs when reviewers thoroughly examine some aspects of code while barely glancing at others. This creates a dangerous illusion of thoroughnessโyou feel like you've done a comprehensive review because you deeply analyzed something, even though you skipped entire categories of potential issues.
๐ก Real-World Example: A developer reviews an AI-generated API endpoint. They meticulously verify the response format matches the API specification, check that all required fields are present, and ensure proper HTTP status codes. They approve the code. Three weeks later, production crashes because the endpoint has no authentication, accepts unlimited payload sizes, and contains a SQL injection vulnerability. The reviewer was thorough about data format but completely ignored security.
This anti-pattern often emerges from personal comfort zones. Developers naturally gravitate toward reviewing aspects they understand well:
- Backend specialists scrutinize database queries but gloss over frontend state management
- Security-minded developers catch vulnerabilities but ignore performance implications
- Architecture enthusiasts verify patterns but miss basic logic errors
The framework acts as a systematic checklist that prevents cherry-picking:
๐ Quick Reference Card: Coverage Tracking
| Checkpoint | โ Reviewed | โญ๏ธ Skipped | ๐ค Needs Expert |
|---|---|---|---|
| ๐ฏ Correctness | Required | Never | Rare |
| ๐ก๏ธ Error Handling | Required | Never | Sometimes |
| ๐ Security | Required | Never | Often |
| ๐ Integration | Required | Never | Sometimes |
| โก Performance | Required | Low-risk only | Sometimes |
| ๐งน Maintainability | Required | Never | Rare |
| ๐ Style | Required | Minor issues | Never |
โ ๏ธ Warning: If you find yourself consistently checking "Needs Expert" for security reviews, that's a signal to either build that skill or establish a formal security review process. Skipping security isn't acceptable.
Here's how inconsistent depth manifests in practice:
## AI-generated user registration function
def register_user(username, password, email):
# Reviewer carefully checked these validations
if len(username) < 3 or len(username) > 20:
raise ValueError("Username must be 3-20 characters")
if '@' not in email or '.' not in email:
raise ValueError("Invalid email format")
# Reviewer verified database schema compatibility
user = User(
username=username,
password=password, # โ ๏ธ MISSED: Storing plaintext password!
email=email,
created_at=datetime.now()
)
# Reviewer confirmed this matches ORM patterns
db.session.add(user)
db.session.commit()
# โ ๏ธ MISSED: No uniqueness check for username/email
# โ ๏ธ MISSED: No email verification flow
# โ ๏ธ MISSED: No rate limiting on registration
return user
The reviewer thoroughly checked input validation length requirements and database integration but completely missed critical security flaws. This happens when you review sequentially through code rather than systematically through checkpoints.
Pitfall #4: Context Blindness
Context blindness occurs when reviewers evaluate code in isolation without considering how it integrates with the broader system. AI-generated code is particularly susceptible to this pitfall because AI models lack full context about your application's architecture, existing patterns, and integration requirements.
๐ค Did you know? Studies of code review effectiveness show that context-aware reviews catch 3-4x more defects than isolated code reviews, yet most developers default to isolated review because it requires less cognitive load.
Consider this AI-generated caching function:
// AI generated this based on prompt: "Add caching to user lookup"
const userCache = new Map();
function getUserById(userId) {
// Check cache first
if (userCache.has(userId)) {
return userCache.get(userId);
}
// Fetch from database
const user = database.query('SELECT * FROM users WHERE id = ?', [userId]);
// Store in cache
userCache.set(userId, user);
return user;
}
Reviewed in isolation, this looks reasonableโit implements basic caching logic correctly. But context reveals fatal flaws:
๐ Context questions that reveal problems:
Deployment architecture: "We run 12 container instances. Each has its own
userCacheMap. User updates in one instance won't invalidate caches in other instances. We'll serve stale data."Existing patterns: "We already use Redis for distributed caching. This introduces a second caching layer with different semantics."
Memory management: "This cache grows unbounded. In production with 2M users, we'll leak memory until the process crashes."
Transaction context: "Our user updates happen in database transactions. This cache doesn't respect transaction boundaries, so we might cache uncommitted data."
Security context: "Our audit system logs all user data access. This cache bypasses auditing after the first lookup."
None of these issues are visible in the code itselfโthey only emerge when you consider the system context.
The framework's Integration & Dependencies checkpoint explicitly forces context consideration:
Integration Context Checklist:
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ โก How does this interact with existing systems? โ
โ โก What assumptions does it make? โ
โ โก Does it match our architectural patterns? โ
โ โก What happens in distributed deployments? โ
โ โก How does it behave across service boundaries? โ
โ โก What shared resources does it access? โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
๐ก Pro Tip: Keep a "context document" for each major system component that lists its deployment model, dependencies, data flow, and architectural constraints. Reference this during reviews.
Pitfall #5: Framework Fatigue
Framework fatigue is the gradual degradation of review quality that occurs when systematic processes become mechanical and mindless. You're technically following the Seven-Point Framework, checking each box, but you're no longer truly thinking about what you're reviewing. The framework becomes a ritual rather than a tool.
This anti-pattern is particularly insidious because it's hard to detectโthe reviewer feels like they're being thorough, their review comments look complete, but they're missing obvious issues because they've stopped engaging critically.
โ ๏ธ Common Mistake: Treating the framework as a bureaucratic checklist rather than a thinking tool. โ ๏ธ
Signs you're experiencing framework fatigue:
๐ง Fatigue indicators:
- You find yourself using identical review comments on different code
- You approve code without remembering specific details minutes later
- You're checking boxes faster and faster each review
- You feel relieved when you reach checkpoint 7, like you've "finished homework"
- You can't explain why a particular checkpoint matters for the code you just reviewed
Here's what framework fatigue looks like in practice:
Review #1 (fresh and engaged):
โ Correctness: Verified algorithm matches requirements.
Tested with sample inputs A, B, C. Edge case with
empty input would cause NPE on line 47.
Review #47 (fatigued, mechanical):
โ Correctness: Looks correct.
โ Error handling: Has try-catch.
โ Security: Seems fine.
...
The second review has lost all specificity and critical engagement. The reviewer is going through motions without genuine analysis.
๐ฏ Key Principle: A framework should enhance your thinking, not replace it. Each checkpoint should prompt specific questions about this particular code, not generate generic comments.
Strategies to prevent framework fatigue:
1. Vary Your Review Approach
Don't always review in the same order. Sometimes start with security if the code handles sensitive data. Other times begin with integration if that's the highest risk area. The framework provides seven essential checkpoints, but it doesn't mandate a rigid sequence for every review.
2. Take Analytical Breaks
Reviewing 10 AI-generated functions in a row leads to fatigue. Break up review sessions:
Sustainable Review Schedule:
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ 09:00-10:00 Review 2-3 functions โ
โ 10:00-11:00 Write your own code โ
โ 11:00-11:30 Review 1-2 functions โ
โ 11:30-12:30 Meetings/other work โ
โ 14:00-15:00 Review 2-3 functions โ
โ 15:00-17:00 Development work โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
Interspersing reviews with other cognitive work keeps your mind engaged.
3. Pair Review Complex Code
When reviewing particularly complex or critical AI-generated code, conduct pair reviews where two developers work through the framework together. The dialogue naturally prevents mechanical checkbox-ticking:
Developer A: "Okay, security checkpoint. What could go wrong here?"
Developer B: "Well, this accepts user input for the file path..."
Developer A: "Right, so path traversal attacks. Does it validate?"
Developer B: "I see a regex here, but... wait, this doesn't block '../' properly."
The conversation format forces active engagement.
4. Write Specific Review Comments
Force yourself to reference specific line numbers, variable names, and scenarios in every review comment. This prevents generic observations:
โ Weak (fatigued): "Error handling seems okay."
โ
Strong (engaged): "Line 23 catches DatabaseError but doesn't handle the case where the connection times out mid-query, which would raise TimeoutError and crash the service."
5. Periodically Review Your Reviews
Once a week, look back at 3-4 code reviews you approved. Re-examine the code with fresh eyes. Did you miss anything? Were your comments substantive? This meta-review helps you catch fatigue patterns:
๐ก Mental Model: Think of framework fatigue like muscle fatigue during exercise. The solution isn't to skip the workout (stop using the framework), it's to vary the routine, take rest periods, and maintain form awareness.
The Framework as a Living Tool
The Seven-Point Framework remains effective over time only if you treat it as a living thinking tool rather than a dead checklist. Here's the difference:
| Dead Checklist | Living Tool |
|---|---|
| ๐ค "Does it have error handling? Yes/No." | ๐ง "What errors could realistically occur here? How well does this handling address them?" |
| ๐ค "Security check complete." | ๐ง "Given this code's purpose and data flow, what are the specific attack vectors?" |
| ๐ค "Performance acceptable." | ๐ง "Under our expected load patterns, where would this bottleneck?" |
| ๐ค "Integration verified." | ๐ง "How does this interact with the payment service during failure scenarios?" |
Notice how the living tool approach generates specific questions for this particular code rather than generic observations that could apply to anything.
Cross-Cutting Anti-Pattern: Speed Over Substance
Underlying many of these pitfalls is a meta-anti-pattern: valuing review speed over review quality. In organizations transitioning to AI-assisted development, there's often pressure to review code as quickly as AI generates it. This creates a toxic dynamic where reviewers feel they must match AI's speed, leading to surface-level approvals, inconsistent depth, and framework fatigue.
๐ฏ Key Principle: The purpose of code review is not to keep pace with AI code generation. It's to ensure code quality, prevent defects, and maintain system integrity. If AI generates code faster than you can properly review it, that's a workflow problem, not a review problem.
Sustainable review expectations:
Realistic Review Timing:
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ Simple function (20-50 lines): 10-15 min โ
โ Complex function (50-150 lines): 20-30 min โ
โ Module/class (150-300 lines): 45-60 min โ
โ System integration (300+ lines): 90-120 min โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
These times include:
- Reading and understanding the code
- Applying all seven framework checkpoints
- Testing critical paths
- Writing detailed review comments
If management expects faster reviews, the solution is better AI prompting (generating higher-quality code that needs less review) or additional reviewers, not rushing through the framework.
Anti-Pattern Self-Assessment
Periodically assess whether you're falling into these traps:
๐ Quick Reference Card: Review Quality Self-Check
| โ ๏ธ Anti-Pattern | ๐ Self-Check Question | โ Healthy Practice |
|---|---|---|
| Surface-level approval | Did I only test the happy path? | I deliberately tested edge cases and failure scenarios |
| Analysis paralysis | Did I spend more time on style than logic? | I prioritized critical issues first |
| Inconsistent depth | Did I skip any framework checkpoints? | I systematically evaluated all seven points |
| Context blindness | Did I consider system integration? | I reviewed with architectural context in mind |
| Framework fatigue | Could I explain my review without notes? | I wrote specific, detailed observations |
How the Framework Protects You
When applied thoughtfully, the Seven-Point Framework naturally guards against these anti-patterns:
Surface-level approval โ The framework forces you beyond "does it run?" into correctness, security, and edge cases.
Analysis paralysis โ The ordered checkpoints prioritize critical issues (correctness, security) before refinements (style).
Inconsistent depth โ The seven mandatory checkpoints ensure comprehensive coverage rather than cherry-picking familiar areas.
Context blindness โ The integration checkpoint explicitly requires considering system context and dependencies.
Framework fatigue โ Awareness of this anti-pattern helps you treat the framework as a thinking tool, not a ritual.
The framework is most effective when you understand not just what to check, but why each checkpoint matters and how to avoid the mental shortcuts that undermine review quality. In the next section, we'll synthesize everything you've learned into actionable takeaways and prepare you for deeper dives into specialized review topics.
๐ก Remember: Every anti-pattern represents a moment where a reviewer chose speed or convenience over thoroughness. The framework helps, but ultimately, review quality depends on your commitment to asking hard questions about every piece of code, whether AI-generated or human-written.
Key Takeaways and Next Steps
Congratulations! You've completed the foundational lesson on the Seven-Point Review Frameworkโa systematic approach to evaluating code in an era where AI generates more lines than humans write. Before you started this lesson, code review might have felt like an ad-hoc process of "looking for bugs" or "making sure it works." Now, you possess a structured methodology that transforms code review from subjective gut-checking into a repeatable, teachable skill.
Let's consolidate what you've learned, establish how to continue building your expertise, and prepare you for the specialized deep-dive lessons that follow.
What You've Gained: From Reactive to Systematic Review
Before this lesson, you likely approached AI-generated code with a mixture of trust and skepticismโmaybe you ran it to see if it worked, skimmed for obvious errors, or felt overwhelmed by the volume of code requiring review. You now have a mental framework that breaks the overwhelming task into seven manageable checkpoints, each with a specific focus and purpose.
๐ฏ Key Principle: The Seven-Point Framework transforms code review from "I hope I didn't miss anything" to "I systematically evaluated seven distinct quality dimensions."
You've learned that effective code review isn't about being the smartest person in the room or having encyclopedic knowledge of every language feature. Instead, it's about asking the right questions in the right order, knowing what to look for at each checkpoint, and building pattern recognition over time.
The Seven-Point Framework: Your Foundation
Let's create a comprehensive quick-reference that you can return to whenever you review code. This summary consolidates the framework you've internalized throughout this lesson.
๐ Quick Reference Card: The Seven-Point Review Framework
| ๐ฏ Checkpoint | ๐ Primary Focus | โฑ๏ธ Time Investment | ๐จ Red Flags to Watch |
|---|---|---|---|
| 1๏ธโฃ Correctness | Does it produce the right output? | 20-25% | Wrong algorithm, logic errors, off-by-one |
| 2๏ธโฃ Patterns & Practices | Does it follow modern idioms? | 15-20% | Outdated APIs, deprecated patterns, reinventing wheels |
| 3๏ธโฃ Security & Edge Cases | What could break or be exploited? | 20-25% | Missing validation, injection risks, unhandled nulls |
| 4๏ธโฃ Domain Logic | Does it match business requirements? | 15-20% | Misunderstood specs, wrong assumptions, incomplete coverage |
| 5๏ธโฃ Maintainability | Can future developers work with this? | 10-15% | Cryptic names, no comments, tight coupling |
| 6๏ธโฃ Performance | Are there obvious inefficiencies? | 5-10% | N+1 queries, unnecessary loops, memory leaks |
| 7๏ธโฃ Testing | Is verification sufficient? | 5-10% | Missing tests, brittle tests, low coverage |
๐ก Pro Tip: The time percentages are guidelines for complex code reviews. For simple utility functions, you might spend 60% on correctness and security combined, and skip performance entirely. Adapt the framework to the code's complexity and criticality.
The Framework as Your Foundation for Expertise
Think of the Seven-Point Framework as the foundation of a house. Right now, you have a solid concrete slabโyou understand the structure, you know what each checkpoint means, and you've seen it applied to real code. But a foundation alone doesn't make you an expert reviewer. That expertise comes from building the walls, roof, and interior of the house: deep knowledge in each specialized area.
Here's how the framework serves as your foundation:
๐ง Pattern Recognition Development: Each time you apply the framework, you're training your brain to recognize specific categories of issues. After reviewing 20 functions using this structure, you'll start seeing security issues jump out at you automatically. After 50 reviews, you'll spot outdated patterns before you consciously think "I'm now on checkpoint 2."
๐ Knowledge Organization: The framework gives you a place to file every new thing you learn. When you discover that eval() is dangerous in JavaScript, you file that under "Security & Edge Cases." When you learn that Python 3.10 introduced structural pattern matching, you file that under "Patterns & Practices." Your knowledge becomes organized rather than scattered.
๐ง Systematic Improvement: Because the framework is structured, you can identify your weak points. Maybe you're excellent at correctness and domain logic but weak at spotting performance issues. Now you know exactly what to study.
๐ก Mental Model: Think of the framework as a filing cabinet with seven drawers. Every code review fills these drawers with examples, patterns, and lessons. The more you review, the richer each drawer becomes, and the faster you can find relevant precedents.
How the Specialized Lessons Deepen Your Framework
The three specialized sub-topic lessons that follow this foundation course are designed to fill specific knowledge gaps in your framework expertise. Let's preview how each lesson connects to and deepens specific checkpoints:
Specialized Lesson 1: Outdated Patterns and Modern Alternatives
Primary Framework Connection: Checkpoint 2 (Patterns & Practices)
What You'll Gain: The framework taught you to ask "Does this follow modern idioms?" This specialized lesson answers how to recognize outdated patterns across different languages and ecosystems. You'll learn:
- ๐ How to spot code that looks like it was written for Python 2.7, Java 7, or JavaScript ES5
- ๐ Modern alternatives that replace verbose, outdated approaches
- ๐ค Why AI models often suggest outdated patterns (their training data includes older code)
- ๐ A decision matrix for when to flag outdated patterns vs. when legacy approaches are acceptable
Secondary Framework Connections: This lesson also strengthens Checkpoint 5 (Maintainability) because modern patterns are typically more readable, and Checkpoint 6 (Performance) because newer language features often include optimizations.
## Example of what the specialized lesson covers:
## You'll learn to recognize this outdated pattern (AI loves suggesting it)
def process_items_outdated(items):
result = []
for item in items:
if item.is_valid():
result.append(item.process())
return result
## And immediately suggest this modern alternative
def process_items_modern(items):
return [
item.process()
for item in items
if item.is_valid()
] # List comprehension: more Pythonic, often faster
Specialized Lesson 2: Security Vulnerabilities and Edge Cases
Primary Framework Connection: Checkpoint 3 (Security & Edge Cases)
What You'll Gain: The framework taught you to ask "What could break or be exploited?" This specialized lesson gives you the specific attack vectors, vulnerability patterns, and edge case categories to check. You'll learn:
- ๐ The OWASP Top 10 vulnerabilities as they appear in AI-generated code
- ๐ฏ Edge case categories: boundary conditions, null/undefined, concurrent access, resource exhaustion
- ๐ก๏ธ Language-specific security pitfalls (SQL injection, XSS, CSRF, path traversal, etc.)
- โ How to construct mental checklists for different code types (API endpoints, database queries, file operations)
Secondary Framework Connections: This lesson reinforces Checkpoint 1 (Correctness) because edge cases are often correctness bugs waiting to happen, and Checkpoint 7 (Testing) because you'll learn what edge cases require test coverage.
// Example of what the specialized lesson covers:
// You'll learn to immediately recognize this injection vulnerability
function getUserData_VULNERABLE(userId) {
const query = `SELECT * FROM users WHERE id = ${userId}`;
return database.execute(query); // โ ๏ธ SQL injection risk!
}
// And know the secure alternatives
function getUserData_SECURE(userId) {
const query = 'SELECT * FROM users WHERE id = ?';
return database.execute(query, [userId]); // โ
Parameterized query
}
Specialized Lesson 3: Domain Logic Verification and Business Rules
Primary Framework Connection: Checkpoint 4 (Domain Logic)
What You'll Gain: The framework taught you to ask "Does this match business requirements?" This specialized lesson teaches you how to extract requirements from specifications, detect subtle misunderstandings, and verify complex business rules. You'll learn:
- ๐ Techniques for mapping requirements to code sections
- ๐ How to spot when AI has misunderstood ambiguous specifications
- ๐งฎ Verifying calculations, business logic, and workflow sequences
- ๐ฃ๏ธ Asking the right clarifying questions when requirements are unclear
Secondary Framework Connections: This lesson strengthens Checkpoint 1 (Correctness) because domain logic errors are correctness issues at the business level, and Checkpoint 7 (Testing) because business rules require specific test scenarios.
## Example of what the specialized lesson covers:
## Requirement: "Customers get 10% discount on orders over $100"
## AI might generate this (WRONG - discount calculated on wrong base)
def calculate_total_WRONG(subtotal):
if subtotal > 100:
discount = subtotal * 0.10
return subtotal - discount + (subtotal * 0.08) # tax on original
return subtotal + (subtotal * 0.08)
## You'll learn to verify: discount first, then tax on discounted amount
def calculate_total_CORRECT(subtotal):
if subtotal > 100:
discounted = subtotal * 0.90 # 10% off
else:
discounted = subtotal
return discounted * 1.08 # Tax on final discounted amount
๐ค Did you know? Studies of AI-generated code show that domain logic errors are among the hardest for automated testing to catch, because the code "works" perfectlyโit just doesn't solve the right problem. This makes human review of domain logic irreplaceable.
The Learning Path Ahead: Building Mastery
Here's how your framework expertise develops over time:
Framework Mastery Timeline
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
Week 1-2: Conscious Application
โโ You explicitly think through each checkpoint
โโ You reference the framework guide frequently
โโ Reviews take 2-3x longer than before (but catch 3-5x more issues)
Week 3-4: Pattern Recognition Emerges
โโ Common issues start to "jump out" automatically
โโ You develop personal shortcuts and checklists
โโ Review speed increases while maintaining quality
Month 2-3: Unconscious Competence
โโ Framework becomes second nature
โโ You can explain rationale for each concern you raise
โโ You start teaching others the framework
Month 4+: Expert Intuition
โโ You instantly recognize issue categories
โโ You develop specialized expertise in 2-3 checkpoints
โโ You contribute to team standards and best practices
๐ก Remember: Expert reviewers aren't people who know everythingโthey're people who have a systematic way of checking everything that matters and the humility to look up what they don't know.
Action Items: Practicing the Framework
Knowledge without practice is just theory. Here are concrete action items to transform this framework from conceptual knowledge into practical skill:
Action Item 1: The Daily Review Practice (15 minutes/day)
๐ฏ Goal: Build framework fluency through consistent, focused practice.
How to do it:
- Find a code sample (GitHub, Stack Overflow, or AI-generated)
- Set a timer for 15 minutes
- Apply all seven checkpoints, taking notes
- Score yourself: Did you find issues in at least 4 of the 7 areas?
- Look up any issues you weren't sure about
๐ก Pro Tip: Start with code in your primary language, then branch out. Reviewing Python when you know Java actually helps you see patterns more clearly because you're not on autopilot.
Sample Practice Sources:
- Code Review Exercise: Ask ChatGPT or Claude to "Write a function that [does X]" then review it
- GitHub Pull Requests: Find open PRs in projects you use and review them (even if you don't comment)
- Refactoring Practice: Take code from your own past projects and review it with the framework
Action Item 2: The Framework Journal
๐ฏ Goal: Build your personal knowledge base of patterns, antipatterns, and lessons learned.
How to do it:
- Create a document (Notion, markdown file, or notebook) with seven sectionsโone per checkpoint
- After each code review, add 1-2 entries to relevant sections
- Format: Issue Found โ Why It Matters โ How to Fix โ How to Prevent
- Review your journal weekly to identify patterns
Example Journal Entry:
### Checkpoint 3: Security & Edge Cases
#### Date: 2024-01-15
#### Issue: Unbounded List Growth in Cache
**Found:** AI-generated caching function that appends to list without
size limit. In production, this would cause memory exhaustion.
**Why It Matters:** Memory leaks can crash production servers,
especially under load.
**How to Fix:** Implement LRU eviction with max size parameter.
**How to Prevent:** Always ask "What happens if this runs for 30 days?"
when reviewing code that accumulates data.
Action Item 3: The Peer Review Partnership
๐ฏ Goal: Calibrate your review instincts and learn from others' perspectives.
How to do it:
- Find a peer also learning the framework
- Both independently review the same code sample
- Compare findings: What did each person catch?
- Discuss disagreements: Which checkpoint does this fall under?
- Rotate who picks the code samples
Benefits:
- ๐ง Discover blind spots in your review process
- ๐ Learn new patterns and issues you hadn't considered
- ๐ง Build confidence in your judgment
โ ๏ธ Common Mistake: Mistake 1: Skipping "easy" code samples. โ ๏ธ Even simple functions are valuable practice. The goal isn't finding bugsโit's building the habit of systematic review. A 5-line function with no issues is still 7 checkpoints practiced.
Measuring Your Review Effectiveness
You can't improve what you don't measure. Here's how to track your growing expertise:
Metric 1: Issue Detection Rate
What to track: For each code sample you review, count how many issues you find in each checkpoint category.
Why it matters: This reveals which checkpoints are your strengths and which need development.
Sample Tracking Sheet:
| Date | Code Sample | C1 | C2 | C3 | C4 | C5 | C6 | C7 | Total |
|-------|-------------------|----|----|----|----|----|----|----| ------|
| 01/15 | Auth function | 2 | 1 | 3 | 0 | 1 | 0 | 1 | 8 |
| 01/16 | Data parser | 1 | 2 | 2 | 1 | 0 | 1 | 0 | 7 |
| 01/17 | API endpoint | 0 | 1 | 4 | 2 | 1 | 0 | 2 | 10 |
|-------|-------------------|----|----|----|----|----|----|----| ------|
| Avg | | 1.0| 1.3| 3.0| 1.0| 0.7| 0.3| 1.0| 8.3 |
Analysis: In this example, the reviewer is strong at security (C3) but weak at performance (C6). Action: Study performance optimization patterns.
Metric 2: False Positive Rate
What to track: When you flag something as an issue, how often are you correct vs. how often is it actually fine?
Why it matters: Low false positives = good judgment. High false positives = you're being too strict or misunderstanding context.
How to measure: For code with known issues (tutorial examples, deliberately buggy code), compare your findings to the answer key.
Target: 80%+ accuracy. It's better to flag questionable code for discussion than to let real issues slip through.
Metric 3: Review Depth Score
What to track: Did you check all seven checkpoints, or did you skip some?
Why it matters: Incomplete reviews create blind spots. The framework only works if applied completely.
Simple scoring:
- โ Checkpoint thoroughly examined = 1 point
- โ ๏ธ Checkpoint briefly considered = 0.5 points
- โ Checkpoint skipped = 0 points
- Target score: 6.5-7.0 per review
๐ก Real-World Example: A developer tracking these metrics discovered they consistently scored 0 on performance reviews. They realized they were intimidated by performance topics. After completing a performance optimization course, their comprehensive review scores jumped from 5.5/7 to 6.8/7.
Improving Over Time: The Deliberate Practice Approach
Expertise doesn't come from just doing many reviewsโit comes from deliberate practice with feedback and reflection.
The Weekly Review Retrospective (30 minutes)
Each week, analyze your review activity:
Questions to ask yourself:
- ๐ฏ Which checkpoint did I use most this week? Least?
- ๐ What's one new issue type I learned to recognize?
- ๐ Which checkpoint needs more study?
- ๐ง Did I discover any framework modifications that work better for my context?
- โ What's one specific skill I'll practice next week?
The Monthly Deep Dive
Once a month, pick your weakest checkpoint and spend focused time strengthening it:
- ๐ Read 2-3 articles specifically about that area
- ๐ง Review 5-10 code samples focusing only on that checkpoint
- ๐ฏ Add 10 new patterns to your framework journal for that area
- ๐ฌ Discuss that checkpoint with experienced developers
Example Monthly Plan:
Month 1: Deep Dive into Security & Edge Cases
โโ Week 1: Study OWASP Top 10
โโ Week 2: Practice finding injection vulnerabilities
โโ Week 3: Learn edge case categories (null, boundary, concurrency)
โโ Week 4: Review 20 API functions focusing only on security
Month 2: Deep Dive into Patterns & Practices
โโ Week 1: Study modern JavaScript patterns (ES2023+)
โโ Week 2: Learn Python idioms and anti-patterns
โโ Week 3: Research framework-specific best practices
โโ Week 4: Review AI-generated code focusing on outdated patterns
๐ง Mnemonic for Improvement: "DRIFT" - Daily practice, Reflection weekly, Intensive monthly deep-dive, Feedback from peers, Tracking metrics.
Adapting the Framework to Your Context
While the Seven-Point Framework is comprehensive, you'll naturally adapt it to your specific needs:
If you work in high-security environments: Spend 35-40% of review time on Checkpoint 3, develop specialized security checklists.
If you work on performance-critical systems: Elevate Checkpoint 6 to 20-25% of your review time, learn profiling tools.
If you're reviewing simple utility functions: Merge checkpointsโyou might evaluate correctness, security, and edge cases together in one pass.
If you're reviewing complex business logic: Expand Checkpoint 4 to include workflow diagrams and requirement traceability matrices.
โ ๏ธ Critical Caveat: Adaptation doesn't mean skipping checkpoints entirely. Even performance-critical code needs security review. Even simple utilities need correctness verification. Adaptation means emphasis, not elimination.
Practical Applications: Where to Use the Framework
Now that you have the framework, here are specific contexts where it provides immediate value:
Application 1: Reviewing AI-Generated Code in Your IDE
Scenario: GitHub Copilot or Cursor suggests a function completion.
Framework Application:
- โก Quick scan (30 seconds): Correctness + Security (checkpoints 1 & 3)
- โ If it passes, accept and move on
- โ ๏ธ If anything looks off, do full 7-point review before using
Time saved: Instead of blindly accepting or spending 10 minutes unsure, you make a confident decision in under a minute.
Application 2: Code Review in Pull Requests
Scenario: Teammate (or AI pair programmer) submits a PR with 300 lines of new code.
Framework Application:
- ๐ Create a review checklist comment with seven sections
- ๐ Systematically examine each file against each checkpoint
- ๐ฌ Leave inline comments tagged with checkpoint number (e.g., "[C3] Missing null check here")
- โ Approve only when all checkpoints pass or concerns are addressed
Value: Your reviews are comprehensive, consistent, and educational for the code author.
Application 3: Legacy Code Evaluation
Scenario: You're deciding whether to refactor, rewrite, or keep old code.
Framework Application:
- ๐ Score the code on each checkpoint (1-5 scale)
- ๐ฏ Total score below 20/35? Consider rewrite.
- ๐ง Specific checkpoints failing? Targeted refactoring.
- โ Scoring well? Keep it and add tests.
Benefit: Data-driven decisions instead of "this code feels old."
Final Reflections: The Mindset Shift
The most important takeaway from this lesson isn't the seven checkpoints themselvesโit's the mindset shift from reactive to systematic thinking.
Before the framework:
- โ Wrong thinking: "I'll just run this and see if it works."
- โ Wrong thinking: "The AI wrote it, so it's probably fine."
- โ Wrong thinking: "I don't know what to look for."
After the framework:
- โ Correct thinking: "I have seven specific questions to answer about this code."
- โ Correct thinking: "AI is a tool; I'm responsible for verification."
- โ Correct thinking: "Even if I can't fix it, I can identify the concern category."
This shift from "code reviewer as critic" to "code reviewer as systematic quality engineer" is what makes you valuable in an AI-assisted development world. Anyone can complain that code is bad. Few can articulate precisely why, categorize the issue, and suggest specific improvements.
Your Immediate Next Steps
You've completed the foundation. Here's exactly what to do in the next 48 hours:
๐ฏ Step 1: Bookmark or print the Quick Reference Card from earlier in this section. Keep it visible while you work.
๐ฏ Step 2: Choose one code review to do today using the full framework. Set aside 30 minutes. Go slowly. Check all seven points explicitly.
๐ฏ Step 3: Start your Framework Journal. Create the seven sections. Add your first entry from today's review.
๐ฏ Step 4: Decide which specialized lesson you'll tackle first:
- Weak on modern patterns? โ Start with Outdated Patterns lesson
- Concerned about security? โ Start with Security & Edge Cases lesson
- Struggling with requirements? โ Start with Domain Logic lesson
๐ฏ Step 5: Schedule your first Weekly Review Retrospective. Put it in your calendar as a recurring event.
โ ๏ธ Critical Final Point: The framework is a tool, not a bureaucracy. If a code review requires only 3 checkpoints for your confidence, that's fine. But make it a conscious choice, not an oversight. The value is in systematic thinking, not box-checking.
Closing Thoughts
You started this lesson wondering how to review AI-generated code effectively. You now have a proven framework, a measurement system, a learning path, and concrete next steps. The Seven-Point Framework transforms the overwhelming task of code review into seven focused questions. Each question is answerable, teachable, and improvable.
As AI generates more of the world's code, developers who can systematically evaluate, improve, and validate that code become increasingly valuable. You're building that capability right now. The specialized lessons ahead will deepen your expertise in specific areas, but this foundationโthis systematic approach to breaking down and evaluating codeโis what separates good developers from great ones.
Welcome to your new code review practice. Your future self (and your teammates) will thank you for investing in this skill.
๐ฏ Remember: Every expert was once a beginner who refused to stay one. Your journey from conscious application to unconscious mastery starts with the next code review you do using this framework.