|
| 1 | +# yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json |
| 2 | +# |
| 3 | +# Review rules live in `.github/copilot-instructions.md` and `AGENTS.md` — |
| 4 | +# CodeRabbit picks both up automatically. This file only carries settings that |
| 5 | +# differ from CodeRabbit's defaults. |
| 6 | + |
| 7 | +reviews: |
| 8 | + profile: chill |
| 9 | + request_changes_workflow: false |
| 10 | + high_level_summary: true |
| 11 | + poem: false |
| 12 | + review_status: true |
| 13 | + collapse_walkthrough: true |
| 14 | + |
| 15 | + auto_review: |
| 16 | + enabled: true |
| 17 | + drafts: false |
| 18 | + base_branches: |
| 19 | + - main |
| 20 | + ignore_usernames: |
| 21 | + - 'dependabot[bot]' |
| 22 | + - 'dependabot-preview[bot]' |
| 23 | + labels: |
| 24 | + - '!dependabot' |
| 25 | + path_filters: |
| 26 | + - '!**/generated.ts' |
| 27 | + - '!**/node_modules/**' |
| 28 | + - '!**/dist/**' |
| 29 | + - '!**/build/**' |
| 30 | + - '!**/*.snap' |
| 31 | + |
| 32 | + # Cross-cutting rules live in .github/copilot-instructions.md. |
| 33 | + path_instructions: |
| 34 | + - path: 'server/graphql/modules/**' |
| 35 | + instructions: | |
| 36 | + - N+1: flag `await` inside loops over user-supplied IDs. DataLoader or |
| 37 | + a single batched query is the fix. |
| 38 | + - IDOR / authorization: verify each resolver checks that the caller |
| 39 | + owns or can access the specific resource ID, not just that they are |
| 40 | + authenticated. |
| 41 | + - Input validation: GraphQL schema shape is not enough — look for |
| 42 | + length, range, allowlist, and canonicalization checks on resolver |
| 43 | + arguments. |
| 44 | + - Schema stability: removing or renaming a GraphQL type or field |
| 45 | + breaks Apollo cache and downstream consumers. Additive changes are |
| 46 | + usually safe; removals deserve a migration plan. |
| 47 | +
|
| 48 | + - path: 'server/api.ts' |
| 49 | + instructions: | |
| 50 | + Auth, session, CSRF, CORS, and rate-limit middleware live here. |
| 51 | + AGENTS.md requires a maintainer for changes to this file — surface |
| 52 | + them even when the diff is small. Flag any change that disables a |
| 53 | + security control. |
| 54 | +
|
| 55 | + - path: 'server/**/Clickhouse*.ts' |
| 56 | + instructions: | |
| 57 | + Raw SQL is expected in the ClickHouse adapter files. Flag any string |
| 58 | + interpolation of user input — bound parameters are required. |
| 59 | +
|
| 60 | + - path: 'server/scylla/**' |
| 61 | + instructions: | |
| 62 | + Cassandra driver queries must use bound parameters. Flag string-built |
| 63 | + CQL with user input. |
| 64 | +
|
| 65 | + - path: 'server/iocContainer/**' |
| 66 | + instructions: | |
| 67 | + Services are registered here for BottleJS DI. Direct imports of |
| 68 | + service singletons elsewhere bypass test mocking and should be flagged. |
| 69 | +
|
| 70 | + - path: 'db/src/scripts/**' |
| 71 | + instructions: | |
| 72 | + Migrations are forward-only. Editing a migration that has already |
| 73 | + shipped is a red flag — add a new forward migration instead. Postgres |
| 74 | + role grants must use `CURRENT_USER`. New filenames use the |
| 75 | + `date -u +"%Y.%m.%dT%H.%M.%S"` prefix. |
| 76 | +
|
| 77 | + - path: 'client/**/*.{ts,tsx}' |
| 78 | + instructions: | |
| 79 | + - XSS: flag `dangerouslySetInnerHTML`, `innerHTML`, `document.write`, |
| 80 | + `javascript:` URLs, and unsanitized `href`/`src` from user input. |
| 81 | + Prefer `textContent`; sanitize with DOMPurify when raw HTML is |
| 82 | + unavoidable. |
| 83 | + - Token storage: auth tokens belong in HttpOnly, Secure, SameSite |
| 84 | + cookies — flag `localStorage` or `sessionStorage` use for tokens. |
| 85 | + - Open redirects: redirecting to a user-supplied URL without an |
| 86 | + allowlist is risky. |
| 87 | +
|
| 88 | + - path: '**/{package.json,package-lock.json}' |
| 89 | + instructions: | |
| 90 | + Dependency additions, removals, or upgrades (including transitive |
| 91 | + bumps) require human approval for license (Apache 2.0) and CVE review |
| 92 | + per AGENTS.md > "Human-approval-required actions". Surface every |
| 93 | + change so reviewers don't miss it. |
| 94 | +
|
| 95 | + # ESLint runs in CI; the others overlap with it or surface style noise. |
| 96 | + tools: |
| 97 | + eslint: |
| 98 | + enabled: false |
| 99 | + biome: |
| 100 | + enabled: false |
| 101 | + markdownlint: |
| 102 | + enabled: false |
| 103 | + oxc: |
| 104 | + enabled: false |
| 105 | + languagetool: |
| 106 | + enabled: false |
0 commit comments