What gets reviewed automatically
Every Archiet generation runs through five AI code review dimensions before delivery:
1. Auth security review
- Are JWTs stored in httpOnly, Secure, SameSite=Lax cookies? (Not localStorage, not a plain cookie)
- Are all protected routes guarded with authentication middleware?
- Are passwords hashed with bcrypt — never stored in plaintext?
- Are secrets loaded from environment variables — not hardcoded?
Failures block delivery at the auth dimension. Auth defects are the most costly class of security vulnerability; finding them in a post-commit review after the app is live is already too expensive.
2. API contract coverage review
- Does every route defined in the OpenAPI 3.1 spec exist in the backend code?
- Do the route parameter names match between spec and implementation?
- Are all required response schemas present?
If the spec and the implementation diverge before the first deploy, every API client is already broken. The contract review catches this at generation time.
3. Migration completeness review
- Does every model field have a corresponding Alembic migration?
- Are all foreign key columns indexed?
- Are migration files in the correct sequence?
Missing migrations are the most common cause of production deploy failures on new applications. The review catches missing migrations before the code leaves Archiet.
4. File structure review
- Are all required pages present? (auth flows, settings, onboarding, forgot password, verify email)
- Are all required mobile screens present? (onboarding walkthrough, auth screens, settings tab)
- Are required config files present? (OpenAPI spec, Dockerfile, docker-compose, CI/CD workflow)
- Are App Store compliance files present? (EAS config, privacy policy screen, review prompt)
A production-ready application has a complete file structure. Partial output with missing pages is flagged, not silently shipped.
5. Mobile App Store compliance review
- Is the Expo EAS config correct for App Store and Google Play submission?
- Is the privacy policy screen present (required for App Store approval)?
- Is the review prompt implemented correctly (triggers App Store review prompt per guidelines)?
- Is the OTA update check implemented?
App Store rejection for missing compliance files costs a minimum of 24–72 hours. The review catches compliance issues before you download the code.
The quality score
Each dimension contributes to the 0–100 quality score. The score is computed automatically after every generation. A score below 80 means:
- The low-scoring dimensions are highlighted with specific failure reasons
- The generation is flagged before delivery — you can see what failed and why
- The auto-repair pass runs on flagged output (attempts to fix identified issues and re-scores)
The quality score is not marketing copy. It's a machine-computed, dimension-specific assessment that blocks delivery on known defects.
Beyond the automated review: the architecture scanner
Archiet also runs a secondary AI code review layer — the Archiverify scanner — on the generated output:
- Import coherence check: every module import is resolvable within the generated file tree
- Reachability check: every capability module is reachable from a production code path (no orphan modules that were generated but never wired in)
- Security scanner: checks for SQL injection patterns, code injection (eval/exec), hardcoded secrets, placeholder values, and cross-tenant data leaks
- SBT (Software Boot Test): for Python stacks, boots the generated application in a sandboxed environment and runs migration smoke tests
The SBT result determines the certification tier:
- Certified: application booted successfully, migrations ran
- Verified: static analysis passed, boot not attempted for this stack
- Flagged: defects found that require attention
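As an illustration of what the auth dimension (JWT cookie flags, hardcoded secrets) and the scanner's code-injection check look like as a static rule, here is an added example that is not Archiet's or Archiverify's own code. It parses a constructed, deliberately defective backend snippet with Python's ast module and returns one finding per defect; the `set_cookie` keyword names follow the Starlette/FastAPI convention and the secret-name pattern is an assumption.

```python
import ast
import re

# Constructed sample of "generated" backend code with three defects (not Archiet output).
SAMPLE_SOURCE = '''\
import os
SECRET_KEY = "hunter2-change-me"
DB_URL = os.environ.get("DATABASE_URL")

def login(response, token):
    response.set_cookie("access_token", token, httponly=False, secure=True)

def run(expr):
    return eval(expr)
'''

# Assumed heuristic: names that usually hold credentials.
SECRET_NAME = re.compile(r"secret|password|api_key|token", re.I)
# Flags a JWT cookie must carry; samesite is compared case-insensitively.
REQUIRED_COOKIE_FLAGS = {"httponly": True, "secure": True, "samesite": "lax"}

def _cookie_findings(call: ast.Call) -> list[str]:
    """Report each required flag that is absent or not set to the required literal."""
    given = {kw.arg: kw.value for kw in call.keywords if kw.arg}
    out = []
    for flag, want in REQUIRED_COOKIE_FLAGS.items():
        node = given.get(flag)
        value = node.value if isinstance(node, ast.Constant) else None
        if isinstance(value, str):
            value = value.lower()
        if value != want:
            out.append(f"line {call.lineno}: set_cookie missing {flag}={want!r}")
    return out

def review_source(source: str) -> list[str]:
    """Return one finding per defect; an empty list means the checks pass."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        # Hardcoded secret: a string literal assigned to a secret-looking name.
        if isinstance(node, ast.Assign) and isinstance(node.value, ast.Constant) \
                and isinstance(node.value.value, str):
            for target in node.targets:
                if isinstance(target, ast.Name) and SECRET_NAME.search(target.id):
                    findings.append(f"line {node.lineno}: hardcoded secret in {target.id}")
        elif isinstance(node, ast.Call):
            func = node.func
            if isinstance(func, ast.Attribute) and func.attr == "set_cookie":
                findings.extend(_cookie_findings(node))
            elif isinstance(func, ast.Name) and func.id in {"eval", "exec"}:
                findings.append(f"line {node.lineno}: code injection sink {func.id}()")
    return findings

def blocks_delivery(source: str) -> bool:
    """Any finding in these checks is a blocking failure, mirroring the auth dimension."""
    return bool(review_source(source))
```

Secrets read from `os.environ` are not flagged, so the `DB_URL` line passes while the literal `SECRET_KEY` does not.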
What this means in practice
The alternative to integrated AI code review is manual review of each generated file, or a post-commit review after the code is live. With Archiet:
- Auth defects are caught before download, not after a security audit
- Missing migrations are caught before deploy, not after a production outage
- App Store non-compliance is caught before submission, not after rejection
- Orphan modules are caught before merge, not after a confused new engineer asks where capability_x.py is called
The code review is not a separate step. It's the last step before delivery.
CTA
Generate a production-grade codebase with AI code review built in — free plan, no credit card.
Every generation comes with a quality report. You see exactly what passed, what failed, and why — before you download a single file.
Start free at archiet.com.