From fac59302c44a46964c65223373a39e3982a214d2 Mon Sep 17 00:00:00 2001 From: Francisco Cuadra Date: Tue, 17 Mar 2026 23:53:35 -0300 Subject: [PATCH] Add GitHub Copilot code review custom instructions --- .github/copilot-instructions.md | 27 ++++++++++++ .github/instructions/database.instructions.md | 38 ++++++++++++++++ .github/instructions/nestjs.instructions.md | 43 +++++++++++++++++++ .github/instructions/security.instructions.md | 40 +++++++++++++++++ .github/instructions/testing.instructions.md | 34 +++++++++++++++ 5 files changed, 182 insertions(+) create mode 100644 .github/copilot-instructions.md create mode 100644 .github/instructions/database.instructions.md create mode 100644 .github/instructions/nestjs.instructions.md create mode 100644 .github/instructions/security.instructions.md create mode 100644 .github/instructions/testing.instructions.md diff --git a/.github/copilot-instructions.md b/.github/copilot-instructions.md new file mode 100644 index 0000000..6711407 --- /dev/null +++ b/.github/copilot-instructions.md @@ -0,0 +1,27 @@ +# Code Review Guidelines + +## Review Priorities + +- **CRITICAL**: Security vulnerabilities, logic errors, breaking changes, data loss +- **IMPORTANT**: Missing validation, poor error handling, performance issues +- **SUGGESTION**: Readability, minor optimizations + +## Review Principles + +- Be specific: reference exact lines and variables +- Provide context: explain why something is problematic +- Suggest solutions: show the fix, not just the problem +- Be constructive: focus on code, not the author + +## Always Check + +- No hardcoded secrets or credentials +- User input validated before use +- Errors handled appropriately +- Async operations properly awaited + +## Ignore + +- Formatting issues (handled by Prettier/ESLint) +- Minor naming preferences +- Style choices already consistent in codebase diff --git a/.github/instructions/database.instructions.md b/.github/instructions/database.instructions.md new file mode 100644 index 0000000..fead910 --- /dev/null +++ b/.github/instructions/database.instructions.md @@ -0,0 +1,38 @@ +--- +applyTo: "src/**/*.entity.ts,src/**/*.service.ts,src/**/*.repository.ts" +--- + +# Database Review + +## Queries + +- No raw SQL with string interpolation +- Avoid queries inside loops (N+1 problem) +- Paginate large result sets +- Use transactions for multi-step operations + +## Relations + +- Define cascade options explicitly +- Avoid eager loading of large relations +- Consider lazy loading for optional relations + +## Performance + +- Add indexes on frequently queried columns +- Use `select` to fetch only needed fields +- Consider query builder for complex queries + +## Patterns + +```typescript +// Bad: N+1 +for (const user of users) { + user.targets = await this.targetRepo.find({ user }); +} + +// Good: single query with relation +const users = await this.userRepo.find({ + relations: ['targets'] +}); +``` diff --git a/.github/instructions/nestjs.instructions.md b/.github/instructions/nestjs.instructions.md new file mode 100644 index 0000000..4aa8e39 --- /dev/null +++ b/.github/instructions/nestjs.instructions.md @@ -0,0 +1,43 @@ +--- +applyTo: "src/**/*.ts" +--- + +# NestJS Review + +## Architecture + +- Controllers should be thin: delegate logic to services +- Services handle business logic, one responsibility per service +- Use dependency injection via constructor, never instantiate manually + +## Validation + +- All DTOs must use `class-validator` decorators +- Apply `ValidationPipe` on endpoints receiving user input +- Transform and whitelist incoming data + +## Common Issues + +- Missing `@Injectable()` on providers +- Business logic in controllers +- Circular dependencies between modules +- Missing guards on protected endpoints +- Not awaiting async operations + +## Patterns + +```typescript +// Good: thin controller +@Post() +create(@Body() dto: CreateDto) { + return this.service.create(dto); +} + +// Bad: logic in controller +@Post() +create(@Body() dto: CreateDto) { + const validated = this.validate(dto); + const result = this.transform(validated); + return this.repository.save(result); +} +``` diff --git a/.github/instructions/security.instructions.md b/.github/instructions/security.instructions.md new file mode 100644 index 0000000..f1ff487 --- /dev/null +++ b/.github/instructions/security.instructions.md @@ -0,0 +1,40 @@ +--- +applyTo: "src/auth/**/*,src/**/*.guard.ts,src/**/*.strategy.ts" +--- + +# Security Review (OWASP) + +## Authentication + +- JWT secrets must come from environment variables +- Passwords must be hashed with bcrypt (min 10 rounds) +- Never log or return passwords in responses +- All protected endpoints must use AuthGuard + +## Injection Prevention + +- Use parameterized queries, never string concatenation +- Validate and sanitize all user input +- Escape data before rendering in responses + +## Access Control + +- Apply principle of least privilege +- Verify user owns the resource before operations +- Use guards for authorization, not just authentication + +## Session & Tokens + +- Set appropriate token expiration +- Implement rate limiting on auth endpoints +- Use secure cookie attributes (HttpOnly, Secure, SameSite) + +## Secrets + +```typescript +// Good +const secret = process.env.JWT_SECRET; + +// Bad +const secret = 'my-secret-key'; +``` diff --git a/.github/instructions/testing.instructions.md b/.github/instructions/testing.instructions.md new file mode 100644 index 0000000..0ec822b --- /dev/null +++ b/.github/instructions/testing.instructions.md @@ -0,0 +1,34 @@ +--- +applyTo: "src/test/**/*,**/*.spec.ts,**/*.e2e-spec.ts" +--- + +# Testing Review + +## Test Quality + +- Tests must clean up in afterEach (close connections, clear data) +- No hardcoded credentials or real secrets +- Test edge cases: empty, null, boundaries +- Test error paths, not just happy path + +## Isolation + +- No shared mutable state between tests +- Tests must not depend on execution order +- Each test should set up its own data + +## Assertions + +- Assert behavior, not implementation details +- Use descriptive assertion messages +- One logical assertion per test + +## Async + +```typescript +// Good: proper async handling +await expect(service.create(dto)).rejects.toThrow(); + +// Bad: missing await +expect(service.create(dto)).rejects.toThrow(); +```