Skip to content

docs: configure AI review security and performance guidance#12405

Merged
zkochan merged 2 commits into
mainfrom
improve-cr
Jun 14, 2026
Merged

docs: configure AI review security and performance guidance#12405
zkochan merged 2 commits into
mainfrom
improve-cr

Conversation

@zkochan

@zkochan zkochan commented Jun 14, 2026

Copy link
Copy Markdown
Member

Summary

  • add shared AI review guidance to AGENTS.md, with security first and pnpm/pacquet/pnpr performance second
  • configure Qodo to apply that shared guidance through .pr_agent.toml
  • configure CodeRabbit to apply the same guidance through .coderabbit.yaml
  • include pnpm published advisory patterns as regression themes for both review tools

Validation

  • taplo lint --no-auto-config --no-schema .pr_agent.toml
  • Ruby YAML parse check for .coderabbit.yaml
  • git diff --check
  • pre-push hook: TypeScript build, pnpm compile/bundle, spellcheck, metadata lint, TypeScript lint

No changeset is needed because this only changes repository review-tool configuration and agent review guidance.


Written by an agent (Codex, GPT-5).

Summary by CodeRabbit

  • Chores
    • Updated code review tool configuration with security-first guidance and prioritization for performance regressions
    • Enhanced review agent settings, including comment placement policy and an inline severity threshold

@qodo-free-for-open-source-projects

qodo-free-for-open-source-projects Bot commented Jun 14, 2026

Copy link
Copy Markdown

Code Review by Qodo

🐞 Bugs (0) 📘 Rule violations (0) 📎 Requirement gaps (0) 🎨 UX issues (0) 🔗 Cross-repo conflicts (0)

Grey Divider


Informational

1. Duplicated guidance string ✓ Resolved 🐞 Bug ⚙ Maintainability
Description
The same long guidance sentence is duplicated in both .pr_agent.toml and .coderabbit.yaml, which
increases the chance the two tools’ instructions drift apart over time and become inconsistent with
each other and/or AGENTS.md. This is avoidable by making both configs only reference `AGENTS.md#AI
Review Guidance` (without re-stating the policy text inline).
Code

.pr_agent.toml[R32-34]

+issues_user_guidelines = """
+Apply the "AI Review Guidance" section in AGENTS.md. Security vulnerabilities are the first review priority; performance regressions in pnpm, pacquet, and pnpr are the second priority. Surface only issues tied to changed code, and explain the exploit path, impact, or hot path affected.
+"""
Evidence
Both bot configuration files embed the same long guidance sentence, making future updates
error-prone because changes must be kept in sync manually.

.pr_agent.toml[29-37]
.coderabbit.yaml[1-6]
AGENTS.md[127-153]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
A long, policy-defining instruction string is duplicated across `.pr_agent.toml` and `.coderabbit.yaml`. Duplicated policy text tends to drift over time, creating conflicting guidance between tools.
## Issue Context
Both configs already point reviewers to `AGENTS.md` but also restate the policy sentence verbatim.
## Fix Focus Areas
- .pr_agent.toml[30-37]
- .coderabbit.yaml[2-6]
## Suggested fix
- Replace the duplicated multi-clause sentence in both files with a short reference only, e.g.:
- "Follow `AGENTS.md` → \"AI Review Guidance\"."
- Keep the full policy text solely in `AGENTS.md` so there is a single source of truth.

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools


Grey Divider

Qodo Logo

@coderabbitai

coderabbitai Bot commented Jun 14, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

Two automated review tool configuration files are updated alongside documentation. AGENTS.md gains a "## AI Review Guidance" section with detailed security-first and performance-second review criteria. .coderabbit.yaml adds reviews.path_instructions referencing this guidance for all paths. .pr_agent.toml activates a [review_agent] section with comment placement and severity settings, replacing previously commented-out placeholders.

Changes

Automated Review Tool Configuration

Layer / File(s) Summary
Review guidance documentation
AGENTS.md
Adds "## AI Review Guidance" section with explicit security-first priorities covering supply-chain threats (manifests, lockfiles, tarballs, path traversal, symlinks, command injection, registry/network/auth) and performance-second priorities for pnpm/pacquet/pnpr regressions.
CodeRabbit and PR Agent configuration
.coderabbit.yaml, .pr_agent.toml
.coderabbit.yaml adds reviews.path_instructions for all paths referencing AGENTS.md guidance with security-first and performance-second criteria. .pr_agent.toml activates a [review_agent] section with comments_location_policy, inline_comments_severity_threshold set to 2, and multi-line issues_user_guidelines and compliance_user_guidelines blocks replacing previously commented-out placeholders.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~4 minutes

Possibly related PRs

  • pnpm/pnpm#12264: Introduced the .pr_agent.toml file with placeholder and commented [review_agent] section that this PR now fully activates with guideline content.
  • pnpm/pnpm#11475: Both PRs add new agent-oriented guidance sections to AGENTS.md to direct automated review behavior.

Poem

🐇 Hop hop, the config grows,
Security checks in tidy rows,
Supply chains watched, paths kept clean,
No injection left unseen.
Performance follows, second-best—
This rabbit's configs pass the test! 🌿

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Title check ✅ Passed The title accurately summarizes the main change: configuring AI review tools with security and performance guidance priorities.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch improve-cr

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@qodo-free-for-open-source-projects

Copy link
Copy Markdown

PR Summary by Qodo

Configure AI review tools for security-first and performance-second guidance
⚙️ Configuration changes ✨ Enhancement 🕐 10-20 Minutes

Grey Divider

Walkthroughs

Description
• Configure CodeRabbit and Qodo PR Agent to prioritize vulnerability detection first.
• Add performance review guidance as a secondary priority for hot paths.
• Encode pnpm advisory regression themes to focus review on known risk classes.
Diagram
graph TD
  R["Repository"] --> CR[".coderabbit.yaml"] --> TCR(["CodeRabbit"]) --> O[/"PR review feedback"/]
  R --> PA[".pr_agent.toml"] --> TPA(["Qodo PR Agent"]) --> O

  subgraph Legend
    direction LR
    _f["Config file"] ~~~ _s(["Review tool"]) ~~~ _o[/"Review output"/]
  end
Loading
High-Level Assessment

The following are alternative approaches to this PR:

1. Single-source guidance (generate both configs)
  • ➕ Eliminates drift between CodeRabbit and PR Agent instructions
  • ➕ Makes future updates to security/performance themes faster and safer
  • ➖ Adds a generation step (script/CI) and onboarding complexity
  • ➖ May be overkill for infrequently changing guidance
2. Link to a shared SECURITY_REVIEW_GUIDE.md
  • ➕ Keeps both configs short while centralizing the canonical guidance
  • ➕ Easier to edit and review as normal documentation
  • ➖ Review tools may not reliably follow external links/content
  • ➖ Less explicit in-tool prompting may reduce adherence

Recommendation: Current approach (duplicating the same guidance into both tools) is reasonable for reliability—each tool gets explicit, self-contained instructions. To reduce long-term drift, consider either generating both configs from a shared source or adding a short “keep in sync” note and a lightweight checklist when updating the guidance.

Grey Divider

File Changes

Other (2)
.coderabbit.yaml Add CodeRabbit security-first path instructions and pnpm advisory regression themes +27/-0

Add CodeRabbit security-first path instructions and pnpm advisory regression themes

• Introduces a CodeRabbit configuration with global path instructions emphasizing vulnerability detection first and performance review second. Encodes pnpm advisory-derived regression themes (auth/token handling, lockfile integrity, path traversal, cache poisoning, script gating, and tarball semantics) to bias reviews toward known risky areas.

.coderabbit.yaml


.pr_agent.toml Tune Qodo PR Agent review/compliance guidance for security and performance +28/-4

Tune Qodo PR Agent review/compliance guidance for security and performance

• Updates PR Agent settings to allow both inline and summary comments and sets an inline severity threshold. Replaces prior placeholder guidance with detailed security-first review guidance (including pnpm advisory themes) and adds compliance guidelines to prevent weakening integrity, script gates, or hot-path performance.

.pr_agent.toml


Grey Divider

Qodo Logo

@qodo-free-for-open-source-projects

qodo-free-for-open-source-projects Bot commented Jun 14, 2026

Copy link
Copy Markdown

Code review by qodo was updated up to the latest commit a070de4

@zkochan zkochan changed the title Configure AI review security and performance guidance docs: configure AI review security and performance guidance Jun 14, 2026
@zkochan zkochan merged commit 9874556 into main Jun 14, 2026
11 checks passed
@zkochan zkochan deleted the improve-cr branch June 14, 2026 15:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant