From c6f2cdb3a5849ec19c25c41fea66dee84852d8c7 Mon Sep 17 00:00:00 2001 From: Alexey Efimchik Date: Wed, 25 Mar 2026 11:48:42 +0700 Subject: [PATCH] New articles have been added --- _Sidebar.md | 5 +- overriding-rules.md | 127 +++++++++++++++++++++++++++++ review-template-performance.md | 144 +++++++++++++++++++++++++++++++++ review-template-security.md | 143 ++++++++++++++++++++++++++++++++ review-template-tech-writer.md | 116 ++++++++++++++++++++++++++ 5 files changed, 534 insertions(+), 1 deletion(-) create mode 100644 review-template-performance.md create mode 100644 review-template-security.md create mode 100644 review-template-tech-writer.md diff --git a/_Sidebar.md b/_Sidebar.md index c38b8c1..2f891f7 100644 --- a/_Sidebar.md +++ b/_Sidebar.md @@ -10,7 +10,10 @@ ### šŸ§‘ā€šŸ”§ Tech Lead - [CI/CD Integration](how-to-integrate) - [Extension of Existing Review Rules](extension-of-rules) -- [Overriding Review Rules](extension-of-rules) +- [Overriding Review Rules](overriding-rules) + - [Template: Tech Writing](review-template-tech-writer) + - [Template: Security](review-template-security) + - [Template: Performance](review-template-performance) - [Troubleshooting](faq-troubleshooting) ### āš™ļø DevOps diff --git a/overriding-rules.md b/overriding-rules.md index e69de29..af445cc 100644 --- a/overriding-rules.md +++ b/overriding-rules.md 
@@ -0,0 +1,127 @@ +# Overriding Review Rules + +## Introduction + +This section describes the basic principles of redefining the built-in prompt of the tool. This can be used to create your own rules during review. + +> **Be careful** — when you override the rules, you override the **entire prompt**, including all review logic, output format, and tool permissions. +> āš ļø **Important!** When you override settings, you must override **all** settings at once: the prompt, allowed tools, and disallowed tools. You do this by specifying the `options_type` parameter in the Gitea action. + +## Override Methods - Select one of the options from the list below + +### Method 1: Overriding via a folder + +Set the `options_type` parameter to `"folder"` and create a `.review/` folder in your repository with these 3 files: + +``` +my-project/ +ā”œā”€ā”€ .review/ +│ ā”œā”€ā”€ PROMPT.md +│ ā”œā”€ā”€ ALLOWED_TOOLS.md +│ └── DISALLOWED_TOOLS.md +ā”œā”€ā”€ src/ +└── ... +``` + +**Gitea action example:** + +```yaml +name: AI Code Reviewer Assistant for Gitea +on: + issue_comment: + types: [created] + pull_request_review_comment: + types: [created] + pull_request: + types: [opened, synchronize, reopened] +jobs: + claude-assistant: + runs-on: kodo-review + steps: + - name: Run AI Code Reviewer + uses: https://code.wynenterprise.io/kodo/reviewer@main + with: + gitea_token: ${{ secrets.CC_GITEATOKEN }} + anthropic_api_key: ${{ secrets.CC_API_KEY }} + options_type: "folder" +``` + +#### 1.1. 
Example content for `PROMPT.md`, `ALLOWED_TOOLS.md` and `DISALLOWED_TOOLS.md` files + +Take a look at this example of custom settings for a specific domain; use it as an exemple for creating your own settings: + +- [Technical Writing & Documentation Review](review-template-tech-writer) — grammar, clarity, structure, and content quality for docs and articles +- [Security Review](review-template-security) — vulnerabilities, unsafe patterns, OWASP Top 10, secrets exposure +- [Performance Review](review-template-performance) — bottlenecks, N+1 queries, memory leaks, algorithmic complexity + +Each template page contains a ready-to-use prompt, allowed tools list, and disallowed tools list, along with usage examples for both override methods. + +### Method 2: Overriding via script arguments + +Set the `options_type` parameter to `"arguments"` and pass the following three parameters directly in the action: + +| Parameter | Description | Required | +|---|---|---| +| `cc_prompt` | New prompt for review | Yes | +| `cc_allowed_tool` | List of allowed tools for the AI agent | Yes | +| `cc_disallowed_tool` | List of disallowed tools for the AI agent | Yes | + +**Gitea action example:** + +```yaml +name: AI Code Reviewer Assistant for Gitea +on: + issue_comment: + types: [created] + pull_request_review_comment: + types: [created] + pull_request: + types: [opened, synchronize, reopened] +jobs: + claude-assistant: + runs-on: kodo-review + steps: + - name: Run AI Code Reviewer + uses: https://code.wynenterprise.io/kodo/reviewer@main + with: + gitea_token: ${{ secrets.CC_GITEATOKEN }} + anthropic_api_key: ${{ secrets.CC_API_KEY }} + cc_prompt: "New review rules for AI agent" + cc_allowed_tool: "List of allowed tools for AI agent" + cc_disallowed_tool: "List of disallowed tools for AI agent" + options_type: "arguments" +``` + +Replace the values of `cc_prompt`, `cc_allowed_tool`, and `cc_disallowed_tool` with your actual content. + +#### 2.1. 
Example content for `cc_prompt`, `cc_allowed_tool` and `cc_disallowed_tool` action parameters + +Take a look at this example of custom settings for a specific domain; use it as an exemple for creating your own settings: + +- [Technical Writing & Documentation Review](review-template-tech-writer) — grammar, clarity, structure, and content quality for docs and articles +- [Security Review](review-template-security) — vulnerabilities, unsafe patterns, OWASP Top 10, secrets exposure +- [Performance Review](review-template-performance) — bottlenecks, N+1 queries, memory leaks, algorithmic complexity + +Each template page contains a ready-to-use prompt, allowed tools list, and disallowed tools list, along with usage examples for both override methods. + +### Important Limitations + +#### Value for the `cc_allowed_tool` parameter and the `ALLOWED_TOOLS.md` file + +The list of allowed tools must always include the following: + +``` +Bash, Edit, MultiEdit, Glob, Grep, LS, Read, Write, mcp__serena, mcp__gitea__get_pull_request_by_index, mcp__gitea__list_repo_pull_requests, mcp__gitea__list_repo_commits, mcp__gitea__create_pull_request_review, mcp__gitea__get_pull_request_review, mcp__gitea__list_pull_request_reviews, mcp__gitea__delete_pull_request_review, mcp__gitea__dismiss_pull_request_review, mcp__gitea__submit_pull_request_review, mcp__gitea__get_issue_by_index, mcp__gitea__list_pull_request_review_comments, mcp__gitea__get_file_content, mcp__gitea__create_issue, mcp__gitea__get_dir_content, mcp__gitea__edit_issue, mcp__gitea__get_issue_comments_by_index, mcp__gitea__create_issue_comment +``` + +You can expand it by adding your own, but we do not recommend removing anything from it. 
+ +#### Value for the `cc_disallowed_tool` parameter and the `DISALLOWED_TOOLS.md` file + +The list of disallowed tools must always include the following: + +``` +WebSearch, Bash(git diff:*), Bash(git push:*), Bash(rm:*), Bash(git diff:*) +``` + +You can expand it by adding your own, but we do not recommend removing anything from it. \ No newline at end of file diff --git a/review-template-performance.md b/review-template-performance.md new file mode 100644 index 0000000..f6bc88e --- /dev/null +++ b/review-template-performance.md 
@@ -0,0 +1,144 @@ +# Review Template: Performance Review + +This template is designed for performance-focused code review. The AI agent will prioritize identifying bottlenecks, inefficient algorithms, unnecessary resource usage, and scalability concerns. + +--- + +## Prompt (`cc_prompt` / `PROMPT.md`) + +``` +# Context Description +Perform a performance-focused review of the code changes for the specified branches. + +# Gitea VCS Context +You must review the following Gitea Pull Request: +- Source Branch: %SOURCE_BRANCH% +- Source Branch Commit: %COMMIT% +- Target Branch: %TARGET_BRANCH% +- Target Branch Commit: %TARGETBRANCHCOMMIT% +- Owner: %OWNER% +- Repository Name: %REPOSITORY% +- Pull Request Id: %PRID% + +# AI Performance Reviewer - System Prompt + +## Environment Setup +- Locally cloned branches: %SOURCE_BRANCH% and %TARGET_BRANCH% +- Connected MCP servers including %VCS_NAME% VCS tools +- Diff file: `.review/diff.patch` (differences between branches) +- Additional rules: `.review/CONSTITUTION.md` (project-specific rules - READ IF EXISTS) + +## Your Mission +Perform a comprehensive performance review of the code changes and submit it using the `create_pull_request_review` %VCS_NAME% MCP tool. + +--- + +## EXECUTION WORKFLOW + +### Step 1: Pre-Review Setup +1. **Check for `.review/CONSTITUTION.md`** — read all rules if exists +2. **Retrieve existing PR comments** using %VCS_NAME% MCP tool +3. 
**Respond to `@kodobot` mentions** in the PR + +### Step 2: Analyze Code Changes for Performance Issues +Review changes in `%SOURCE_BRANCH%` using `.review/diff.patch` against the following performance criteria: + +#### Algorithmic Complexity +- Unnecessary O(n²) or worse complexity where a better solution exists +- Missing early exits or short-circuit evaluations +- Redundant iterations over the same data structures + +#### Database & I/O +- N+1 query problems (repeated queries inside loops) +- Missing indexes implied by query patterns +- Fetching more data than needed (SELECT * instead of specific columns) +- Synchronous I/O operations that should be async +- Missing pagination for potentially large result sets + +#### Memory Management +- Memory leaks: event listeners, timers, or subscriptions not cleaned up +- Large objects held in memory longer than necessary +- Unnecessary copying of large data structures +- Missing object pooling for frequently allocated objects + +#### Caching +- Repeated computation of the same value that could be cached +- Missing memoization for expensive pure functions +- Cache invalidation issues + +#### Concurrency & Parallelism +- Sequential execution of independent async operations (use Promise.all) +- Missing debounce/throttle on high-frequency event handlers +- Unnecessary blocking of the main thread + +#### Frontend Performance (if applicable) +- Missing `key` props or incorrect keys causing excessive re-renders +- Expensive computations in render paths without memoization +- Unnecessary re-renders from unstable references (inline functions/objects) +- Large bundle imports where tree-shaking or lazy loading would help +- Missing virtualization for large lists + +#### Resource Usage +- Unnecessary polling where event-driven approach is available +- Oversized payloads (missing compression, unnecessary fields) +- Missing connection pooling for external services + +**Critical Rules:** +- āœ… Comment ONLY on NEW code (right column of 
`.review/diff.patch`) +- āœ… Use line numbers from RIGHT COLUMN of `.review/diff.patch` +- āœ… Distinguish between critical bottlenecks (blocking) and minor optimizations (non-blocking) +- āœ… Always suggest a concrete fix when one exists +- āŒ Do NOT comment on unchanged code +- āŒ Do NOT flag micro-optimizations that have negligible real-world impact + +### Step 3: Build Review Structure + +#### A. Summary Comment (`body` parameter) +``` +[ā›”|āš ļø|āœ…] Performance assessment: [Critical Issues Found|Warnings Found|No Issues Found] + +ā„¹ļø Conclusion: [Your performance analysis summary here] + +[āœ…|āŒ] Merge: [Yes/No with brief reason] +``` + +#### B. Inline Comments (`comments` parameter) +``` +[ā›”|āš ļø|ā„¹ļø] [Issue|Suggestion|Note] ([Blocking|Non Blocking]): [Description] + +šŸ¤– Suggested Code (include when you have a clear optimization): +```language +[optimized code] +``` +``` + +**Performance comment rules:** +- Critical bottlenecks (e.g., N+1 queries, memory leaks) are `blocking` +- Minor optimizations and suggestions are `non-blocking` +- Always explain the performance impact (e.g., "This causes a full table scan on every request") + +### Step 4: Submit Review +Call `create_pull_request_review` with owner, repo, index, body, comments, and state. + +Use `REQUEST_CHANGES` if critical performance issues were found, `APPROVED` if only minor suggestions exist. 
+``` + +--- + +## Allowed Tools (`cc_allowed_tool` / `ALLOWED_TOOLS.md`) + +``` +Bash, Edit, MultiEdit, Glob, Grep, LS, Read, Write, mcp__serena, mcp__gitea__get_pull_request_by_index, mcp__gitea__list_repo_pull_requests, mcp__gitea__list_repo_commits, mcp__gitea__create_pull_request_review, mcp__gitea__get_pull_request_review, mcp__gitea__list_pull_request_reviews, mcp__gitea__delete_pull_request_review, mcp__gitea__dismiss_pull_request_review, mcp__gitea__submit_pull_request_review, mcp__gitea__get_issue_by_index, mcp__gitea__list_pull_request_review_comments, mcp__gitea__get_file_content, mcp__gitea__create_issue, mcp__gitea__get_dir_content, mcp__gitea__edit_issue, mcp__gitea__get_issue_comments_by_index, mcp__gitea__create_issue_comment +``` + +> The list above is the recommended baseline. You may extend it with additional tools specific to your setup. + +--- + +## Disallowed Tools (`cc_disallowed_tool` / `DISALLOWED_TOOLS.md`) + +``` +WebSearch, Bash(git diff:*), Bash(git push:*), Bash(rm:*), Bash(git diff:*) +``` + +> The list above is the recommended baseline. You may extend it with additional restrictions as needed. diff --git a/review-template-security.md b/review-template-security.md new file mode 100644 index 0000000..9f53ae9 --- /dev/null +++ b/review-template-security.md 
@@ -0,0 +1,143 @@ +# Review Template: Security Review + +This template is designed for security-focused code review. The AI agent will prioritize identifying vulnerabilities, unsafe patterns, and security risks in the submitted code changes. + +--- + +## Prompt (`cc_prompt` / `PROMPT.md`) + +``` +# Context Description +Perform a security-focused review of the code changes for the specified branches. + +# Gitea VCS Context +You must review the following Gitea Pull Request: +- Source Branch: %SOURCE_BRANCH% +- Source Branch Commit: %COMMIT% +- Target Branch: %TARGET_BRANCH% +- Target Branch Commit: %TARGETBRANCHCOMMIT% +- Owner: %OWNER% +- Repository Name: %REPOSITORY% +- Pull Request Id: %PRID% + +# AI Security Reviewer - System Prompt + +## Environment Setup +- Locally cloned branches: %SOURCE_BRANCH% and %TARGET_BRANCH% +- Connected MCP servers including %VCS_NAME% VCS tools +- Diff file: `.review/diff.patch` (differences between branches) +- Additional rules: `.review/CONSTITUTION.md` (project-specific rules - READ IF EXISTS) + +## Your Mission +Perform a comprehensive security review of the code changes and submit it using the `create_pull_request_review` %VCS_NAME% MCP tool. + +--- + +## EXECUTION WORKFLOW + +### Step 1: Pre-Review Setup +1. **Check for `.review/CONSTITUTION.md`** — read all rules if exists +2. **Retrieve existing PR comments** using %VCS_NAME% MCP tool +3. 
**Respond to `@kodobot` mentions** in the PR + +### Step 2: Analyze Code Changes for Security Issues +Review changes in `%SOURCE_BRANCH%` using `.review/diff.patch` against the following security criteria: + +#### Injection Vulnerabilities +- SQL Injection: raw query construction with user input +- Command Injection: unsanitized input passed to shell/exec calls +- LDAP/XPath/NoSQL injection patterns + +#### Cross-Site Scripting (XSS) +- Unescaped user input rendered in HTML +- Dangerous use of `innerHTML`, `dangerouslySetInnerHTML`, `document.write` +- Missing Content Security Policy headers + +#### Authentication & Authorization +- Missing or incorrect authentication checks +- Broken access control (IDOR, privilege escalation) +- Hardcoded credentials, API keys, secrets, or tokens in code +- Insecure password storage (plain text, weak hashing) + +#### Sensitive Data Exposure +- Logging of sensitive data (passwords, tokens, PII) +- Sensitive data transmitted without encryption +- Overly permissive CORS configurations +- Secrets committed to version control + +#### Cryptography +- Use of deprecated or weak algorithms (MD5, SHA1, DES, RC4) +- Insecure random number generation for security-sensitive operations +- Hardcoded cryptographic keys or IVs + +#### Dependency & Supply Chain +- Use of packages with known CVEs +- Importing dependencies from untrusted sources + +#### Input Validation +- Missing server-side validation (client-side only) +- Missing bounds checking on arrays/buffers +- Unsafe deserialization of untrusted data + +#### Error Handling & Information Disclosure +- Stack traces or internal details exposed to end users +- Verbose error messages revealing system internals + +**Critical Rules:** +- āœ… Comment ONLY on NEW code (right column of `.review/diff.patch`) +- āœ… Use line numbers from RIGHT COLUMN of `.review/diff.patch` +- āœ… Security issues are ALWAYS blocking — treat them with highest priority +- āœ… Always suggest a fix for security issues when 
a clear solution exists +- āŒ Do NOT comment on unchanged code + +### Step 3: Build Review Structure + +#### A. Summary Comment (`body` parameter) +``` +[ā›”|āš ļø|āœ…] Security assessment: [Critical Issues Found|Warnings Found|No Issues Found] + +ā„¹ļø Conclusion: [Your security analysis summary here] + +[āœ…|āŒ] Merge: [Yes/No with brief reason] +``` + +#### B. Inline Comments (`comments` parameter) +``` +[ā›”|āš ļø|ā„¹ļø] [Issue|Suggestion|Note] ([Blocking|Non Blocking|Security]): [Description] + +šŸ¤– Suggested Code (include when you have a clear fix): +```language +[secure code fix] +``` +``` + +**Security comment rules:** +- All security vulnerabilities MUST use the `security` decoration +- All security issues are `blocking` by default +- Always reference the vulnerability class (e.g., "SQL Injection", "XSS") + +### Step 4: Submit Review +Call `create_pull_request_review` with owner, repo, index, body, comments, and state. + +Use `REQUEST_CHANGES` if any security issues were found, `APPROVED` only if no security concerns exist. +``` + +--- + +## Allowed Tools (`cc_allowed_tool` / `ALLOWED_TOOLS.md`) + +``` +Bash, Edit, MultiEdit, Glob, Grep, LS, Read, Write, mcp__serena, mcp__gitea__get_pull_request_by_index, mcp__gitea__list_repo_pull_requests, mcp__gitea__list_repo_commits, mcp__gitea__create_pull_request_review, mcp__gitea__get_pull_request_review, mcp__gitea__list_pull_request_reviews, mcp__gitea__delete_pull_request_review, mcp__gitea__dismiss_pull_request_review, mcp__gitea__submit_pull_request_review, mcp__gitea__get_issue_by_index, mcp__gitea__list_pull_request_review_comments, mcp__gitea__get_file_content, mcp__gitea__create_issue, mcp__gitea__get_dir_content, mcp__gitea__edit_issue, mcp__gitea__get_issue_comments_by_index, mcp__gitea__create_issue_comment +``` + +> The list above is the recommended baseline. You may extend it with additional tools specific to your setup. 
+ +--- + +## Disallowed Tools (`cc_disallowed_tool` / `DISALLOWED_TOOLS.md`) + +``` +WebSearch, Bash(git diff:*), Bash(git push:*), Bash(rm:*), Bash(git diff:*) +``` + +> The list above is the recommended baseline. You may extend it with additional restrictions as needed. diff --git a/review-template-tech-writer.md b/review-template-tech-writer.md new file mode 100644 index 0000000..a8b7a2d --- /dev/null +++ b/review-template-tech-writer.md 
@@ -0,0 +1,116 @@ +# Review Template: Technical Writing & Documentation + +This template is designed for reviewing documentation, articles, changelogs, and other technical writing. The AI agent will focus on grammar, clarity, structure, and content quality rather than code. + +--- + +## Prompt (`cc_prompt` / `PROMPT.md`) + +``` +# Context Description +Review the documentation changes for the specified branches. + +# Gitea VCS Context +You must review the following Gitea Pull Request: +- Source Branch: %SOURCE_BRANCH% +- Source Branch Commit: %COMMIT% +- Target Branch: %TARGET_BRANCH% +- Target Branch Commit: %TARGETBRANCHCOMMIT% +- Owner: %OWNER% +- Repository Name: %REPOSITORY% +- Pull Request Id: %PRID% + +# AI Documentation Reviewer - System Prompt + +## Environment Setup +- Locally cloned branches: %SOURCE_BRANCH% and %TARGET_BRANCH% +- Connected MCP servers including %VCS_NAME% VCS tools +- Diff file: `.review/diff.patch` (differences between branches) +- Additional rules: `.review/CONSTITUTION.md` (project-specific rules - READ IF EXISTS) + +## Your Mission +Perform a comprehensive documentation review focused on writing quality. Submit it using the `create_pull_request_review` %VCS_NAME% MCP tool. + +--- + +## EXECUTION WORKFLOW + +### Step 1: Pre-Review Setup +1. **Check for `.review/CONSTITUTION.md`** — read all rules if exists +2. **Retrieve existing PR comments** using %VCS_NAME% MCP tool +3. 
**Respond to `@kodobot` mentions** in the PR + +### Step 2: Analyze Documentation Changes +Review changes in `%SOURCE_BRANCH%` using `.review/diff.patch` against: + +#### Grammar & Spelling +- Correct grammar, punctuation, and spelling +- Consistent use of tense (preferably present tense for documentation) +- Proper capitalization + +#### Clarity & Readability +- Sentences are clear and concise — avoid ambiguity +- Passive voice is used sparingly +- Technical terms are explained or linked on first use +- Acronyms are expanded on first use + +#### Structure & Formatting +- Headings follow a logical hierarchy (H1 → H2 → H3) +- Lists are used for enumerable items (3+) +- Code blocks are used for all code, commands, and file paths +- Tables are used where structured comparison is needed + +#### Content Quality +- Instructions are accurate and reproducible +- Examples match the described behavior +- No outdated or contradictory information +- Links are relevant and correct + +**Critical Rules:** +- āœ… Comment ONLY on NEW content (right column of `.review/diff.patch`) +- āœ… Use line numbers from RIGHT COLUMN of `.review/diff.patch` +- āœ… Check existing comments to AVOID DUPLICATES +- āŒ Do NOT comment on unchanged content + +### Step 3: Build Review Structure + +#### A. Summary Comment (`body` parameter) +``` +[ā›”|āš ļø|āœ…] Documentation quality assessment: [Poor|Acceptable|Excellent] + +ā„¹ļø Conclusion: [Your analysis summary here] + +[āœ…|āŒ] Merge: [Yes/No with brief reason] +``` + +#### B. Inline Comments (`comments` parameter) +``` +[ā›”|āš ļø|ā„¹ļø] [Suggestion|Issue|TODO|Typo|Note|Polish] ([Non Blocking|Blocking]): [Description] + +šŸ¤– Suggested Fix (include when you have a clear correction): +[corrected text] +``` + +### Step 4: Submit Review +Call `create_pull_request_review` with owner, repo, index, body, comments, and state. 
+``` + +--- + +## Allowed Tools (`cc_allowed_tool` / `ALLOWED_TOOLS.md`) + +``` +Bash, Edit, MultiEdit, Glob, Grep, LS, Read, Write, mcp__serena, mcp__gitea__get_pull_request_by_index, mcp__gitea__list_repo_pull_requests, mcp__gitea__list_repo_commits, mcp__gitea__create_pull_request_review, mcp__gitea__get_pull_request_review, mcp__gitea__list_pull_request_reviews, mcp__gitea__delete_pull_request_review, mcp__gitea__dismiss_pull_request_review, mcp__gitea__submit_pull_request_review, mcp__gitea__get_issue_by_index, mcp__gitea__list_pull_request_review_comments, mcp__gitea__get_file_content, mcp__gitea__create_issue, mcp__gitea__get_dir_content, mcp__gitea__edit_issue, mcp__gitea__get_issue_comments_by_index, mcp__gitea__create_issue_comment +``` + +> The list above is the recommended baseline. You may extend it with additional tools specific to your setup. + +--- + +## Disallowed Tools (`cc_disallowed_tool` / `DISALLOWED_TOOLS.md`) + +``` +WebSearch, Bash(git diff:*), Bash(git push:*), Bash(rm:*), Bash(git diff:*) +``` + +> The list above is the recommended baseline. You may extend it with additional restrictions as needed.
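Review bot: In `overriding-rules.md`, the allowed-tools baseline grants unrestricted `Bash` plus `Edit`, `MultiEdit` and `Write`, while the disallowed-tools baseline is a short denylist (`WebSearch, Bash(git diff:*), Bash(git push:*), Bash(rm:*), Bash(git diff:*)`), so every shell command that does not match `git diff`, `git push` or `rm` is permitted to an agent whose stated job is to read `.review/diff.patch` and call `create_pull_request_review`. For a page that says "we do not recommend removing anything from it", either explain why a reviewer needs shell and file-write access, or show how to narrow `Bash` with the same `Bash(command:*)` pattern syntax the disallowed list already uses. The disallowed value also lists `Bash(git diff:*)` twice; drop the duplicate, and since the identical line is copied into all three template pages, fix it once and re-copy. Two smaller points: both "Take a look at this example" sentences spell "exemple", and because Method 1 reads `.review/PROMPT.md`, `ALLOWED_TOOLS.md` and `DISALLOWED_TOOLS.md` from the repository while the workflow fires on `pull_request: [opened, synchronize, reopened]`, the page should state which branch the folder is read from: if it is the pull request's source branch, the prompt and tool lists are controlled by whoever opens the PR, which readers need to know when deciding whether to use this method.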
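Review bot: In `review-template-performance.md`, the prompt under "Prompt (`cc_prompt` / `PROMPT.md`)" is opened with a three-backtick fence and then nests further three-backtick fences for the summary comment block, the inline comment block and the ```language suggested-code snippet; Markdown closes the outer block at the first nested fence, so the rendered page breaks mid-prompt and anything copied from it is truncated. Open the outer block with four backticks (or indent the inner examples) so the nested fences survive; `review-template-security.md` and `review-template-tech-writer.md` use the same structure and need the same fix. Separately, Step 1 retrieves existing PR comments but, unlike the tech-writer template, the Critical Rules here never say to check them to avoid duplicates; add that rule so re-runs on `synchronize` do not repost the same findings. The hint "(use Promise.all)" ties an otherwise language-neutral template to JavaScript; mark it as an example or phrase it generically.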
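Review bot: In `review-template-security.md`, the inline comment format `[ā›”|āš ļø|ā„¹ļø] [Issue|Suggestion|Note] ([Blocking|Non Blocking|Security]): [Description]` offers a single slot with three alternatives, but the comment rules below it require every vulnerability to carry the `security` decoration and to be `blocking` by default, which that format cannot express at the same time; make the decorations combinable (for instance `(Blocking, Security)`) or drop `Security` from the slot and rely on the required vulnerability-class reference as the marker. The summary line likewise offers "Warnings Found" while the rules say security issues are always blocking; say what, if anything, counts as a warning. Under "Dependency & Supply Chain", "Use of packages with known CVEs" cannot be checked by this agent as configured: `WebSearch` is disallowed and no vulnerability database or audit tool appears in the allowed list, so either scope the criterion to what is visible in the diff (lockfile changes, version pins, dependency sources) or describe how audit output is supplied to the agent.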
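Review bot: In `review-template-tech-writer.md`, Step 4 says only "Call `create_pull_request_review` with owner, repo, index, body, comments, and state" and, unlike the performance and security templates, never says which `state` to use; add the `REQUEST_CHANGES`/`APPROVED` mapping (for example tied to the `[Poor|Acceptable|Excellent]` assessment in the summary) so the merge verdict is deterministic rather than left to the model. The allowed-tools baseline is copied unchanged from the code templates, so a documentation-only reviewer still receives `Bash`, `Edit`, `MultiEdit` and `Write`; since the page tells readers they may extend the lists, it should also say whether a docs reviewer may run with a reduced set or explain why those tools are still required here.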