Checklist for Reviewing AI-Generated Next.js Code

[ ] File is placed in the correct router — app/ or pages/, not both
[ ] Server Components do not import client-only modules (useState, useEffect, browser APIs)
[ ] Client Components are marked with "use client" at the top of the file
[ ] "use server" is only on async functions, not entire files that also export components
[ ] Dynamic route params are destructured from props.params, not a global
[ ] generateMetadata is async and awaits any data fetches it depends on
[ ] notFound() and redirect() are called from server context, not inside useEffect
[ ] loading.tsx and error.tsx are placed at the correct segment level
[ ] Route Groups (parentheses folders) are not expected to affect the URL
[ ] Parallel routes (@slot) are matched with a default.tsx fallback
[ ] Image component uses width and height or fill with a sized parent
[ ] next/link href is a string or object — no template literals with unencoded params
[ ] cookies() and headers() are only called inside Server Components or Route Handlers
[ ] searchParams in page.tsx is accessed as a prop, not via window.location

[ ] Environment variables exposed to the client are prefixed NEXT_PUBLIC_ intentionally
[ ] Server-only secrets are never referenced in "use client" files
[ ] Dynamic route segments are validated before use in DB queries or file paths
[ ] fetch() calls to internal APIs re-validate the session — no implicit trust of same-origin
[ ] Server Actions validate and sanitize all inputs before writing to the database
[ ] Server Actions are not exported from files that also export UI to avoid accidental exposure
[ ] CORS headers on Route Handlers are explicit and not set to * for credentialed requests
[ ] next.config.js headers() does not disable X-Frame-Options or CSP for non-embed pages
[ ] Redirects in middleware do not open-redirect on unvalidated query params
[ ] File uploads write to /tmp or object storage — never to the project directory

[ ] fetch() calls in Server Components use the correct cache option (force-cache, no-store, or revalidate)
[ ] generateStaticParams is present for dynamic routes that should be statically generated
[ ] Images use priority on above-the-fold hero images
[ ] Heavy client components are loaded with next/dynamic and ssr: false where appropriate
[ ] Database calls in Server Components are not duplicated per request — use React cache()
[ ] Large JSON passed from Server to Client Components is minimal (no full DB rows)
[ ] Fonts are loaded via next/font, not a remote stylesheet link
[ ] No synchronous fs or CPU-blocking calls in the render path
[ ] revalidatePath or revalidateTag is called after mutations, not on every request
[ ] Layouts that re-render on every navigation do not contain expensive data fetches

[ ] next.config.js output mode matches deployment target (standalone for Docker, default for Vercel)
[ ] Environment variable names in .env.example match what the code reads
[ ] Custom headers and rewrites in next.config.js are tested against the production host
[ ] Middleware matcher is scoped to the right paths — not running on _next/static assets
[ ] ISR revalidation period is intentional, not left at the default 0
[ ] opengraph-image.tsx and twitter-image.tsx are present for pages that need social previews
[ ] next build completes without TypeScript or ESLint errors
[ ] Edge Runtime is explicitly declared when using the edge runtime — fallback is Node.js

[ ] No fabricated Next.js APIs (e.g. getServerSideProps inside the app/ directory)
[ ] No Pages Router patterns (getStaticProps, getInitialProps) pasted into App Router files
[ ] No outdated fetch cache options — Next.js 15 changed defaults to no-store
[ ] AI has not mixed next-auth v4 and v5 (Auth.js) patterns in the same file
[ ] Third-party package imported is real and published — check npmjs.com
[ ] No phantom config options in next.config.js that Next.js silently ignores
[ ] Turbopack-specific config is not used when the project still runs webpack