{
  "id": "review-ai-generated-nextjs-code",
  "type": "checklists",
  "category": "checklists",
  "locale": "fr",
  "url": "/fr/checklists/review-ai-generated-nextjs-code",
  "title": "Checklist for Reviewing AI-Generated Next.js Code",
  "description": "A human review checklist for Next.js code written by AI coding agents: App Router, Server Components, data fetching, and deployment correctness.",
  "tools": [
    "Cursor",
    "Claude Code",
    "Codex",
    "Windsurf"
  ],
  "stack": [
    "Next.js",
    "TypeScript"
  ],
  "tags": [
    "nextjs",
    "review",
    "security",
    "typescript"
  ],
  "difficulty": null,
  "updated": "2026-06-08",
  "markdown": "AI agents often mix App Router and Pages Router conventions, overuse Server Components, or ignore cache invalidation entirely. Catch these issues before they ship to production.\n\n## Correctness\n\n```txt\n[ ] File is placed in the correct router — app/ or pages/, not both\n[ ] Server Components do not import client-only modules (useState, useEffect, browser APIs)\n[ ] Client Components are marked with \"use client\" at the top of the file\n[ ] \"use server\" is only on async functions, not entire files that also export components\n[ ] Dynamic route params are destructured from props.params, not a global\n[ ] generateMetadata is async and awaits any data fetches it depends on\n[ ] notFound() and redirect() are called from server context, not inside useEffect\n[ ] loading.tsx and error.tsx are placed at the correct segment level\n[ ] Route Groups (parentheses folders) are not expected to affect the URL\n[ ] Parallel routes (@slot) are matched with a default.tsx fallback\n[ ] Image component uses width and height or fill with a sized parent\n[ ] next/link href is a string or object — no template literals with unencoded params\n[ ] cookies() and headers() are only called inside Server Components or Route Handlers\n[ ] searchParams in page.tsx is accessed as a prop, not via window.location\n```\n\n## Security\n\n```txt\n[ ] Environment variables exposed to the client are prefixed NEXT_PUBLIC_ intentionally\n[ ] Server-only secrets are never referenced in \"use client\" files\n[ ] Dynamic route segments are validated before use in DB queries or file paths\n[ ] fetch() calls to internal APIs re-validate the session — no implicit trust of same-origin\n[ ] Server Actions validate and sanitize all inputs before writing to the database\n[ ] Server Actions are not exported from files that also export UI to avoid accidental exposure\n[ ] CORS headers on Route Handlers are explicit and not set to * for credentialed requests\n[ ] next.config.js headers() does not disable X-Frame-Options or CSP for non-embed pages\n[ ] Redirects in middleware do not open-redirect on unvalidated query params\n[ ] File uploads write to /tmp or object storage — never to the project directory\n```\n\n## Performance\n\n```txt\n[ ] fetch() calls in Server Components use the correct cache option (force-cache, no-store, or revalidate)\n[ ] generateStaticParams is present for dynamic routes that should be statically generated\n[ ] Images use priority on above-the-fold hero images\n[ ] Heavy client components are loaded with next/dynamic and ssr: false where appropriate\n[ ] Database calls in Server Components are not duplicated per request — use React cache()\n[ ] Large JSON passed from Server to Client Components is minimal (no full DB rows)\n[ ] Fonts are loaded via next/font, not a remote stylesheet link\n[ ] No synchronous fs or CPU-blocking calls in the render path\n[ ] revalidatePath or revalidateTag is called after mutations, not on every request\n[ ] Layouts that re-render on every navigation do not contain expensive data fetches\n```\n\n## Deployment\n\n```txt\n[ ] next.config.js output mode matches deployment target (standalone for Docker, default for Vercel)\n[ ] Environment variable names in .env.example match what the code reads\n[ ] Custom headers and rewrites in next.config.js are tested against the production host\n[ ] Middleware matcher is scoped to the right paths — not running on _next/static assets\n[ ] ISR revalidation period is intentional, not left at the default 0\n[ ] opengraph-image.tsx and twitter-image.tsx are present for pages that need social previews\n[ ] next build completes without TypeScript or ESLint errors\n[ ] Edge Runtime is explicitly declared when using the edge runtime — fallback is Node.js\n```\n\n## AI-Specific Risks\n\n```txt\n[ ] No fabricated Next.js APIs (e.g. getServerSideProps inside the app/ directory)\n[ ] No Pages Router patterns (getStaticProps, getInitialProps) pasted into App Router files\n[ ] No outdated fetch cache options — Next.js 15 changed defaults to no-store\n[ ] AI has not mixed next-auth v4 and v5 (Auth.js) patterns in the same file\n[ ] Third-party package imported is real and published — check npmjs.com\n[ ] No phantom config options in next.config.js that Next.js silently ignores\n[ ] Turbopack-specific config is not used when the project still runs webpack\n```\n\n## Fix Prompt\n\n```txt title=\"Fix Prompt\"\nReview this Next.js file against the checklist above. Identify any Server/Client\nComponent boundary violations, insecure environment variable exposure, missing\ncache directives, or fabricated APIs. Rewrite the file to be correct for the\nApp Router (Next.js 15) and return only the fixed code with a brief explanation\nof each change.\n```"
}