| 1 | +<!-- |
| 2 | + - SPDX-FileCopyrightText: 2026 Nextcloud GmbH and Nextcloud contributors |
| 3 | + - SPDX-License-Identifier: AGPL-3.0-or-later |
| 4 | +--> |
| 5 | +# Copilot Code Review Instructions |
| 6 | + |
| 7 | +## Scope |
| 8 | +Only review for the following: |
| 9 | +- **Bugs** |
| 10 | +- **Security**: Injection vulnerabilities (SQL, command, XSS), hardcoded |
| 11 | + secrets or credentials, insecure deserialization, broken auth, |
| 12 | + path traversal, unsafe use of eval or dynamic code execution. |
| 13 | + |
| 14 | +## Strict exclusions — do not comment on these |
| 15 | +- Code style, formatting, or whitespace |
| 16 | +- Naming conventions (variables, functions, classes, files) |
| 17 | +- Suggestions to refactor or restructure working code |
| 18 | +- Performance micro-optimizations unless they cause a measurable performance regression or issue |
| 19 | +- Alternative ways to write functionally equivalent code |
| 20 | + |
| 21 | +## If no bugs or security issues are found |
| 22 | +Leave a short positive review. Example: |
| 23 | +> "No bugs or security issues found. Looks good to me." |
| 24 | +
|
| 25 | +## Review format |
| 26 | +Do not include a summary or overview of the changes at the start of the review. |
| 27 | +Go directly to findings, or if there are none, leave only the approval line. |
| 28 | + |
| 29 | +## Comment format (when issues are found) |
| 30 | +For each issue, state: |
| 31 | +1. **Type**: Bug or Security |
| 32 | +2. **Severity**: Critical / High / Medium |
| 33 | +3. **Problem**: What is wrong and why it matters |
| 34 | +4. **Suggestion**: A concrete fix, not a vague recommendation |
| 35 | + |
| 36 | +Do not leave comments that don't fit this format. |
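Review bot: The severity scale in item 2 of "Comment format" (`Critical / High / Medium`) has no Low level, yet the closing line "Do not leave comments that don't fit this format" means a genuine low-severity bug has no valid classification and will either be dropped silently or inflated to Medium; either add `Low` to the scale or state explicitly that findings below Medium are to be omitted. Relatedly, the Security bullet under "Scope" is framed as exhaustive ("Only review for the following"), so vulnerability classes not named there (for example CSRF or SSRF) would fall outside the reviewer's remit; consider either extending the list or marking it as illustrative rather than complete.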