Your AI agent wrote React. That does not mean it should ship.
Most AI coding workflows fail because the model writes the code, explains the code, and then quietly convinces you the code is fine.
AgentProof React treats AI-generated React and Next.js code as untrusted until deterministic gates pass.
```bash
npx agentproof-react check
```

Bad React in. Review report out. No model self-grading.
It follows the same production-agent safety pattern as agent-approval-gate: models can draft, but deterministic gates decide what moves forward.
Run the bad fixture first:
```bash
npm run demo:bad
```

It exits with code 1 because the fixture contains common generated-code failures that should block shipping.
Example output:
```text
AgentProof React
Deterministic review gates for AI-generated React.
Checked 1 React/Next.js source file.
❌ Errors: 6
⚠️ Warnings: 4
❌ Client component imports server-only APIs
examples/bad/UserList.tsx:3:1
Rule: next/no-server-import-in-client-component
Why: AI agents frequently cross Next.js server/client boundaries.
Fix: Move server logic to a server component, route handler, server action, or API boundary.
❌ Unstable index key in mapped list
examples/bad/UserList.tsx:26:17
Rule: react/no-index-key
Ship verdict: BLOCKED
Reason: AI-generated code is untrusted until deterministic gates pass.
```

Run the good fixture:
```bash
npm run demo:good
```

Use directly with npx:

```bash
npx agentproof-react check
```

Or install it in a repo:

```bash
npm install -D agentproof-react
```

```json
{
  "scripts": {
    "agentproof": "agentproof-react check --strict"
  }
}
```

Scan changed, staged, or untracked git files when there are any; otherwise scan the current directory:

```bash
agentproof-react check
```

Scan a path:

```bash
agentproof-react check src app components
```

Scan everything under the target path:

```bash
agentproof-react check --all
```

Fail on warnings too:

```bash
agentproof-react check --strict
```

Emit JSON for CI, bots, or PR comments:

```bash
agentproof-react check --json
```

Exit codes:

- `0`: no errors, or warnings only without `--strict`
- `1`: shipping is blocked by errors, or by warnings in `--strict` mode
- `2`: CLI usage error, such as an unknown option or missing target path
AgentProof React currently checks for:
- unstable index keys in mapped lists
- `useEffect` derived-state patterns
- server-only imports inside Next.js client components
- buttons missing explicit `type`
- images missing `alt`
- unsanitized `dangerouslySetInnerHTML`
- browser globals during render
- placeholder or fake implementation text
- suspicious empty `catch` blocks
- leftover console statements
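
To make the idea of a deterministic gate concrete, here is an added example (not AgentProof React's own code) that checks a source string line by line for two of the rules above and applies the exit-code policy for errors and warnings. The server-only module list, the warning severity for console calls, the `example/no-console` rule name, and the fixtures are assumptions made for illustration.

```javascript
// Added example; not AgentProof React's own implementation.
// Assumption: a small, illustrative list of server-only module specifiers.
const SERVER_ONLY = ["fs", "node:fs", "child_process", "server-only", "next/headers"];

// Scan one source string line by line (multi-line imports are not handled)
// and return findings as { rule, severity, line, column }.
function checkSource(source) {
  const lines = source.split(/\r?\n/);
  const findings = [];
  const add = (rule, severity, i, col) =>
    findings.push({ rule, severity, line: i + 1, column: col + 1 });
  // Next.js marks a client component with a "use client" directive at the top.
  const first = lines.find((l) => l.trim() !== "" && !l.trim().startsWith("//")) || "";
  const isClient = /^\s*["']use client["'];?\s*$/.test(first);
  lines.forEach((text, i) => {
    const imp = text.match(/^\s*import\s[^'"]*["']([^'"]+)["']/);
    if (isClient && imp && SERVER_ONLY.includes(imp[1])) {
      add("next/no-server-import-in-client-component", "error", i, text.search(/\S/));
    }
    const key = text.match(/key=\{\s*(index|idx|i)\s*\}/);
    if (key) add("react/no-index-key", "error", i, key.index);
    // Assumption: console calls are warnings here; the rule name is hypothetical.
    const log = text.match(/\bconsole\.(log|debug|info|warn|error)\(/);
    if (log) add("example/no-console", "warning", i, log.index);
  });
  return findings;
}

// Exit-code policy from the page: 1 on errors, or on warnings when strict; else 0.
function exitCode(findings, strict) {
  const blocked = findings.some(
    (f) => f.severity === "error" || (strict && f.severity === "warning"));
  return blocked ? 1 : 0;
}

// Constructed fixtures (not the project's examples/bad/UserList.tsx).
const BAD = [
  '"use client";',
  'import fs from "fs";',
  "export function UserList({ users }) {",
  "  console.log(users);",
  "  return <ul>{users.map((u, index) => <li key={index}>{u.name}</li>)}</ul>;",
  "}",
].join("\n");
const GOOD = BAD.replace('"use client";\n', "").replace("  console.log(users);\n", "")
  .replace("(u, index)", "(u)").replace("key={index}", "key={u.id}");

console.log(checkSource(BAD), "exit", exitCode(checkSource(BAD), false));
console.log(checkSource(GOOD), "exit", exitCode(checkSource(GOOD), true));
```
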
This is intentionally not a replacement for ESLint, TypeScript, or tests.
It is a small AI-output review gate for the problems agents commonly produce when the code looks plausible but is not safe to ship.
Normal linting asks:
Does this code violate general project rules?
AgentProof React asks:
What would an AI agent plausibly fake, forget, or cross without noticing?
Unlike generic React quality tools, AgentProof React assumes the code was generated by an agent and treats it as untrusted until deterministic checks pass.
```yaml
name: AgentProof React
on:
  pull_request:
jobs:
  agentproof:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - run: npx agentproof-react check --strict
```

- PR comment output
- configurable rule severity
- Next.js App Router specific gates
- Cursor / Claude Code / Codex changed-file detection
- SARIF output for GitHub code scanning
- rule packs for forms, auth, payments, and data fetching