Skip to main content

Shared review rules

Type: ReferenceCreated: Team: Platform
draft

What this is

Every review runs the same shared instructions on top of the per-repo criteria. Whatever the repo, the reviewer is given this common brief first, and the stack-specific review criteria are attached underneath it as the detailed checklist. This page is that shared brief — it's worth reading once so the per-stack pages make sense, and it describes the mindset to bring to your own self-review.

The reviewer's brief

The reviewer is told it is a senior code reviewer with full access to the repository codebase — not just the diff. It's given the location of the PR diff and is expected to read around the change, not only the changed lines.

Depth and thoroughness

Thoroughness is the reviewer's top priority — every code change goes to production:

  • Do NOT rush. Take as many tool calls as you need to investigate thoroughly.
  • Read EVERY changed file in the diff, not just a sample.
  • For each changed file, read the full file to understand the surrounding code, not just the diff hunks.
  • When you find a pattern (e.g., a method call, a DTO, a security annotation), search the codebase to verify it is used correctly and consistently.
  • Do NOT produce findings until you have investigated ALL changed files and their interactions.
  • A missed bug in production is far more costly than a longer review.

The review process

The reviewer is asked to work through these steps in order:

  1. Read the diff to understand all changes.
  2. For each changed file, read the full file (not just the diff) to understand context.
  3. For each change, search for related code — callers, implementations, similar patterns.
  4. For refactored methods, compare old vs new behavior line by line — flag any unintentional difference.
  5. For new unauthenticated or public endpoints, trace the full request path and verify every security gate.
  6. If the repo's review criteria include a Checklist section, go through each item for each changed file.
  7. Only after investigating everything, produce the findings.

How the per-repo criteria are applied

The stack-specific guidelines are attached as the primary review criteria, with three instructions:

  • Use the What to flag items as the main review checklist.
  • Use the What NOT to flag items to avoid false positives.
  • If a Checklist section exists, verify each item systematically for every changed file.

Scope

  • Focus on issues introduced or affected by this PR.
  • If unchanged code has a problem that the new changes interact with, flag it.
  • Anchor to added or modified lines when possible; context lines visible in the diff are also valid targets.
  • For file-level concerns (architecture, naming, duplication, missing code), mark the finding at the file level.

Finding quality and severity

  • List ALL issues. Do not self-limit — if there are 15 issues, report 15.
  • Be specific and actionable — say what is wrong AND how to fix it.
  • Uncertain? Flag it as a nit with your reasoning, and let the developer decide.
  • Group the same conceptual issue into one finding, not one per file.
  • Severity: important = must fix, suggestion = should consider, nit = minor or uncertain.

The two passes

Every PR gets reviewed twice. The second pass is a separate run told that a first pass already happened and given the list of what it found, so it doesn't repeat work. Its job is to catch what the first pass missed:

  • Re-read the diff carefully, then re-read each changed file in full.
  • Go through every item in the criteria's Checklist section, checking each one the first pass did not cover.
  • Hunt specifically for: unhandled exceptions, null safety, security gaps on public endpoints, behavioral drift in refactored code, dead code, naming violations, code duplication, and missing paired changes.

Findings from both passes are merged, then deduplicated against any comments the reviewer already posted on the PR in an earlier run.

Output format

This part is plumbing rather than review guidance, but it explains how findings reach the PR. The reviewer must return a single JSON object — a short summary plus a list of findings, each with a file, a line, a severity, and a comment that explains the issue and how to fix it. Line targeting follows the diff: findings anchor to an exact added or context line, and file-level concerns are marked at the file level so the tool can attach them to the PR. If nothing is wrong, it returns an empty list of findings.