Skip to content

Commit 71ee667

Browse files
ZvonimirZvonimir
authored andcommitted
better codex prompt
1 parent b38223c commit 71ee667

1 file changed

Lines changed: 16 additions & 0 deletions

File tree

.codex/review-prompt.md

Lines changed: 16 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -48,40 +48,50 @@ If any check fails, skip the comment.
4848
### Pass 1: Blockers
4949

5050
#### Correctness
51+
5152
- Logic errors, off-by-one, null/undefined handling, incorrect assumptions, race conditions.
5253
- Boundary conditions — empty arrays, null inputs, zero values, maximum values.
5354
- Error handling — swallowed errors, missing error propagation, unhelpful error messages. Do not flag missing error handling for internal code that cannot reasonably fail.
55+
- Streaming/multipart handlers — verify a request cannot send multiple responses (e.g., multi-file parts triggering repeated `res.json()` calls). If a route expects one file, ensure parser limits and single-response guards exist.
5456

5557
#### Security
58+
5659
- Injection risks (SQL, command, XSS) when handling user input.
5760
- Hardcoded secrets — API keys, passwords, tokens in code.
5861
- Missing input validation at system boundaries (user input, external APIs). Not for internal function calls.
5962
- Auth bypass, privilege escalation, or missing authorization checks.
63+
- Filesystem path confinement — when IDs/paths come from requests, verify storage layers enforce root containment via resolved-path checks; do not rely only on caller-side sanitization.
6064

6165
#### API Compatibility
66+
6267
- Breaking changes to API response schemas or status codes without migration path.
6368
- Removed or renamed API endpoints, query parameters, or response fields that existing consumers depend on.
6469
- Database schema changes that require migration or backfill.
6570
- MCP tool signature changes (renamed tools, changed input schemas) that break existing clients.
71+
- HTTP status semantics — ensure client/input errors are 4xx and unexpected internal failures are 5xx; blanket 400 handling in catch-all paths is a correctness/API contract issue.
6672

6773
#### Tests for Changed Behavior
74+
6875
- New behavior must have corresponding tests covering core functionality and error handling.
6976
- Bug fixes must include a regression test that would have caught the original bug.
7077
- Changed behavior must have updated tests reflecting the new expectations.
7178
- If tests are present but brittle (testing implementation details rather than behavior), flag it.
79+
- For single-file upload endpoints, look for regression coverage of multi-file/malformed multipart inputs and confirm no double-response behavior.
7280

7381
Missing tests for changed behavior are blockers (`🔴 Bug`) only when the change affects user-facing behavior, API contracts, or data integrity. Missing tests for internal refactors or trivial changes are `🟡 Issue`.
7482

7583
### Pass 2: Maintainability
7684

7785
#### Code Bloat and Unnecessary Complexity
86+
7887
- **Excessive code** — More lines than necessary. Could this be done in fewer lines without sacrificing clarity?
7988
- **Over-engineering** — Abstractions, helpers, or utilities for one-time operations. Premature generalization. Feature flags or config for things that could just be code.
8089
- **Speculative generality** — Code handling hypothetical future requirements nobody asked for.
8190
- **Dead code** — Unused variables, unreachable branches, commented-out code.
8291
- **Duplicate code** — Same logic repeated instead of extracted. But do not suggest extraction for only 2-3 similar lines — that is premature abstraction.
8392

8493
#### Readability and Naming
94+
8595
- **Confusing variable/function names** — Names that don't describe what the thing is or does. Generic names like `data`, `result`, `item`, `temp`, `val` when a specific name would be clearer.
8696
- **Misleading names** — Names that suggest different behavior than what the code does.
8797
- **Inconsistent naming** — Not following conventions in the rest of the codebase.
@@ -91,20 +101,25 @@ Missing tests for changed behavior are blockers (`🔴 Bug`) only when the chang
91101
- **Unclear control flow** — Complex conditionals that could be simplified or decomposed.
92102

93103
#### Architecture and Pattern Violations
104+
94105
- **Inline validation instead of Zod schemas** — Validation logic written in code (if/else checks, manual type coercion) instead of using Zod schemas in `openAPIRoute()`. All request validation belongs in the schema, not handler code. This applies to both API routes and MCP tool `inputSchema`.
95106
- **Missing `openAPIRoute()` wrapper** — API endpoints defined without the OpenAPI wrapper.
96107
- **Wrong import paths in tests** — Tests importing from `src/` instead of `dist/`.
97108
- **Missing test categories** — Tests without "Core Functionality" and "Error Handling" describe blocks.
98109
- **Mixing concerns** — Route handlers doing business logic, database queries in API handlers, etc.
110+
- **Cross-provider behavior drift** — When multiple providers/implementations exist, verify shared options and output semantics behave consistently unless explicitly documented otherwise.
99111

100112
#### Hardcoded Values and Magic Constants
113+
101114
Flag only when the value is:
115+
102116
- **Reused 3+ times** in touched files or the diff — should be a named constant.
103117
- **Domain-significant** — timeout values, retry counts, port numbers, API URLs, status messages. Even if used once, these belong in constants or environment variables.
104118

105119
Do not flag one-off numeric literals that are self-explanatory in context (e.g., `array.slice(0, 2)`, `Math.round(x * 100) / 100`).
106120

107121
#### Performance (Only Obvious Issues)
122+
108123
- N+1 queries — database queries inside loops.
109124
- Blocking operations in async contexts — synchronous I/O in async code.
110125
- Unnecessary work in hot paths — redundant allocations, repeated computations.
@@ -120,6 +135,7 @@ Do not flag one-off numeric literals that are self-explanatory in context (e.g.,
120135
## Comment Format
121136

122137
Use severity prefixes:
138+
123139
- `🔴 Bug:` — Correctness error, security issue, API break, data integrity risk. Will cause incorrect behavior.
124140
- `🟡 Issue:` — Code quality problem that should be fixed. Bloated code, bad naming, pattern violation, missing tests.
125141
- `🔵 Nit:` — Minor improvement, optional.

0 commit comments

Comments
 (0)