docs/user-guide/limitations-and-best-practices.md

# Limitations & Best Practices

## Limitations

### Context & Understanding
- **No business logic awareness** — AI only sees code, not product requirements
- **Limited context window** — the model has its own context window, which can hold a limited amount of information.
- **No decision history** — does not store the history of previous executions, only reads existing information in Pull Request.
- **Hallucinations** — may confidently suggest incorrect solutions or non-existent APIs
- **Large PR degradation** — review quality drops significantly for PRs with 1000+ lines changed

### Process Constraints
- **Does not replace humans** — final decision always belongs to the author and human reviewer
- **Slower on large PRs** — response time grows with the size of changes
- **No memory between PRs** — each review starts from scratch with no prior context
- **Trigger dependency** — only runs on configured events (`[no ai]` in title disables it)

## Best Practices

### Writing PRs for Better AI Review

- **Keep PRs small and focused** — one logical change per PR, ideally under 400 lines
- **Write a clear PR description** — explain *what* and *why*, not just *what changed*
- **Add `[no ai]` to title** when the PR is trivial (version bumps, typo fixes, formatting)
- **Split refactoring from feature changes** — mixed PRs confuse both AI and humans

### Working with AI Comments

- **Treat AI comments as suggestions, not mandates** — use your judgment
- **Verify all suggested code** before applying — AI can introduce bugs
- **Use `@kodobot` in comments** to ask follow-up questions about specific lines
- **Don't blindly resolve AI comments** — acknowledge or explain why you disagree
- **Re-trigger review after major changes** by pushing a new commit

### Security

- **Never put secrets in PR descriptions or comments** — AI logs may capture them
- **Store `anthropic_api_key` and `gitea_token` in repository secrets**, not in workflow files
- **Audit AI comments on security-sensitive PRs** (auth, crypto, infra) with extra care

### Team Workflow

- **Establish a policy** on when to override or ignore AI suggestions
Added docs folder 2026-03-12 12:03:22 +07:00			`# Limitations & Best Practices`

			`## Limitations`

			`### Context & Understanding`
			`- No business logic awareness — AI only sees code, not product requirements`
			`- Limited context window — the model has its own context window, which can hold a limited amount of information.`
			`- No decision history — does not store the history of previous executions, only reads existing information in Pull Request.`
			`- Hallucinations — may confidently suggest incorrect solutions or non-existent APIs`
			`- Large PR degradation — review quality drops significantly for PRs with 1000+ lines changed`

			`### Process Constraints`
			`- Does not replace humans — final decision always belongs to the author and human reviewer`
			`- Slower on large PRs — response time grows with the size of changes`
			`- No memory between PRs — each review starts from scratch with no prior context`
			- Trigger dependency — only runs on configured events (`[no ai]` in title disables it)

			`## Best Practices`

			`### Writing PRs for Better AI Review`

			`- Keep PRs small and focused — one logical change per PR, ideally under 400 lines`
			`- Write a clear PR description — explain what and why, not just what changed`
			- Add `[no ai]` to title when the PR is trivial (version bumps, typo fixes, formatting)
			`- Split refactoring from feature changes — mixed PRs confuse both AI and humans`

			`### Working with AI Comments`

			`- Treat AI comments as suggestions, not mandates — use your judgment`
			`- Verify all suggested code before applying — AI can introduce bugs`
			- Use `@kodobot` in comments to ask follow-up questions about specific lines
			`- Don't blindly resolve AI comments — acknowledge or explain why you disagree`
			`- Re-trigger review after major changes by pushing a new commit`

			`### Security`

			`- Never put secrets in PR descriptions or comments — AI logs may capture them`
			- Store `anthropic_api_key` and `gitea_token` in repository secrets, not in workflow files
			`- Audit AI comments on security-sensitive PRs (auth, crypto, infra) with extra care`

			`### Team Workflow`

			`- Establish a policy on when to override or ignore AI suggestions`