Add GitHub Copilot code review custom instructions

Author: Qadra42

.github/copilot-instructions.md

@@ -0,0 +1,27 @@
+# Code Review Guidelines
+
+## Review Priorities
+
+- **CRITICAL**: Security vulnerabilities, logic errors, breaking changes, data loss
+- **IMPORTANT**: Missing validation, poor error handling, performance issues
+- **SUGGESTION**: Readability, minor optimizations
+
+## Review Principles
+
+- Be specific: reference exact lines and variables
+- Provide context: explain why something is problematic
+- Suggest solutions: show the fix, not just the problem
+- Be constructive: focus on code, not the author
+
+## Always Check
+
+- No hardcoded secrets or credentials
+- User input validated before use
+- Errors handled appropriately
+- Async operations properly awaited
+
+## Ignore
+
+- Formatting issues (handled by Prettier/ESLint)
+- Minor naming preferences
+- Style choices already consistent in codebase

.github/instructions/database.instructions.md

@@ -0,0 +1,38 @@
+---
+applyTo: "src/**/*.entity.ts,src/**/*.service.ts,src/**/*.repository.ts"
+---
+
+# Database Review
+
+## Queries
+
+- No raw SQL with string interpolation
+- Avoid queries inside loops (N+1 problem)
+- Paginate large result sets
+- Use transactions for multi-step operations
+
+## Relations
+
+- Define cascade options explicitly
+- Avoid eager loading of large relations
+- Consider lazy loading for optional relations
+
+## Performance
+
+- Add indexes on frequently queried columns
+- Use `select` to fetch only needed fields
+- Consider query builder for complex queries
+
+## Patterns
+
+```typescript
+// Bad: N+1
+for (const user of users) {
+  user.targets = await this.targetRepo.find({ user });
+}
+
+// Good: single query with relation
+const users = await this.userRepo.find({
+  relations: ['targets']
+});
+```

.github/instructions/nestjs.instructions.md

@@ -0,0 +1,43 @@
+---
+applyTo: "src/**/*.ts"
+---
+
+# NestJS Review
+
+## Architecture
+
+- Controllers should be thin: delegate logic to services
+- Services handle business logic, one responsibility per service
+- Use dependency injection via constructor, never instantiate manually
+
+## Validation
+
+- All DTOs must use `class-validator` decorators
+- Apply `ValidationPipe` on endpoints receiving user input
+- Transform and whitelist incoming data
+
+## Common Issues
+
+- Missing `@Injectable()` on providers
+- Business logic in controllers
+- Circular dependencies between modules
+- Missing guards on protected endpoints
+- Not awaiting async operations
+
+## Patterns
+
+```typescript
+// Good: thin controller
+@Post()
+create(@Body() dto: CreateDto) {
+  return this.service.create(dto);
+}
+
+// Bad: logic in controller
+@Post()
+create(@Body() dto: CreateDto) {
+  const validated = this.validate(dto);
+  const result = this.transform(validated);
+  return this.repository.save(result);
+}
+```

.github/instructions/security.instructions.md

@@ -0,0 +1,40 @@
+---
+applyTo: "src/auth/**/*,src/**/*.guard.ts,src/**/*.strategy.ts"
+---
+
+# Security Review (OWASP)
+
+## Authentication
+
+- JWT secrets must come from environment variables
+- Passwords must be hashed with bcrypt (min 10 rounds)
+- Never log or return passwords in responses
+- All protected endpoints must use AuthGuard
+
+## Injection Prevention
+
+- Use parameterized queries, never string concatenation
+- Validate and sanitize all user input
+- Escape data before rendering in responses
+
+## Access Control
+
+- Apply principle of least privilege
+- Verify user owns the resource before operations
+- Use guards for authorization, not just authentication
+
+## Session & Tokens
+
+- Set appropriate token expiration
+- Implement rate limiting on auth endpoints
+- Use secure cookie attributes (HttpOnly, Secure, SameSite)
+
+## Secrets
+
+```typescript
+// Good
+const secret = process.env.JWT_SECRET;
+
+// Bad
+const secret = 'my-secret-key';
+```

.github/instructions/testing.instructions.md

@@ -0,0 +1,34 @@
+---
+applyTo: "src/test/**/*,**/*.spec.ts,**/*.e2e-spec.ts"
+---
+
+# Testing Review
+
+## Test Quality
+
+- Tests must clean up in afterEach (close connections, clear data)
+- No hardcoded credentials or real secrets
+- Test edge cases: empty, null, boundaries
+- Test error paths, not just happy path
+
+## Isolation
+
+- No shared mutable state between tests
+- Tests must not depend on execution order
+- Each test should set up its own data
+
+## Assertions
+
+- Assert behavior, not implementation details
+- Use descriptive assertion messages
+- One logical assertion per test
+
+## Async
+
+```typescript
+// Good: proper async handling
+await expect(service.create(dto)).rejects.toThrow();
+
+// Bad: missing await
+expect(service.create(dto)).rejects.toThrow();
+```

PR_DESCRIPTION.md

@@ -0,0 +1,78 @@
+# Add GitHub Copilot Code Review Custom Instructions
+
+## Summary
+
+This PR adds layered custom instructions for GitHub Copilot Code Review, enabling automated, context-aware code reviews based on file paths and domains.
+
+## How It Works
+
+```
+                    ┌─────────────────────────────────────┐
+                    │   copilot-instructions.md (global)  │
+                    │   • Review priorities               │
+                    │   • General principles              │
+                    │   • Always applies to all files     │
+                    └──────────────────┬──────────────────┘
+                                       │
+          ┌────────────────────────────┼────────────────────────────┐
+          │                            │                            │
+          ▼                            ▼                            ▼
+┌─────────────────────┐  ┌─────────────────────┐  ┌─────────────────────┐
+│  nestjs.instructions │  │ security.instructions│  │  testing.instructions│
+│  ─────────────────── │  │  ─────────────────── │  │  ─────────────────── │
+│  applyTo: src/**/*.ts│  │  applyTo: src/auth/**│  │  applyTo: **/*.spec.ts│
+│                      │  │           *.guard.ts │  │           **/*.e2e-*  │
+│  • DI patterns       │  │           *.strategy │  │                      │
+│  • Thin controllers  │  │                      │  │  • Test isolation    │
+│  • DTO validation    │  │  • OWASP principles  │  │  • Cleanup in after  │
+└─────────────────────┘  │  • JWT security      │  │  • Edge cases        │
+                         │  • Input sanitization │  └─────────────────────┘
+                         └─────────────────────┘
+                                       │
+                                       ▼
+                         ┌─────────────────────┐
+                         │ database.instructions│
+                         │  ─────────────────── │
+                         │  applyTo: *.entity.ts│
+                         │           *.service  │
+                         │                      │
+                         │  • N+1 prevention    │
+                         │  • Query safety      │
+                         │  • Transactions      │
+                         └─────────────────────┘
+```
+
+## Layer Combination Examples
+
+| File Changed | Instructions Applied |
+|--------------|---------------------|
+| `src/auth/auth.service.ts` | global + nestjs + security + database |
+| `src/targets/target.entity.ts` | global + nestjs + database |
+| `src/test/users/login.e2e-spec.ts` | global + testing |
+| `src/users/users.controller.ts` | global + nestjs |
+
+## File Structure
+
+```
+.github/
+├── copilot-instructions.md          # Global rules (all PRs)
+└── instructions/
+    ├── nestjs.instructions.md       # NestJS patterns
+    ├── security.instructions.md     # Auth & OWASP
+    ├── database.instructions.md     # TypeORM & queries
+    └── testing.instructions.md      # Test quality
+```
+
+## Key Design Decisions
+
+- **Short files (<1000 chars each)**: Copilot only reads first 4,000 characters per file
+- **Imperative bullet points**: More effective than narrative paragraphs
+- **Priority system**: CRITICAL / IMPORTANT / SUGGESTION
+- **Code examples**: Show correct vs incorrect patterns
+- **No external links**: Copilot doesn't follow them
+
+## References
+
+- [GitHub Blog: Mastering Instruction Files](https://github.blog/ai-and-ml/unlocking-the-full-power-of-copilot-code-review-master-your-instructions-files/)
+- [Official Tutorial](https://docs.github.com/en/copilot/tutorials/use-custom-instructions)
+- [Community Examples](https://github.com/github/awesome-copilot)