Add GitHub Copilot code review custom instructions

.github/copilot-instructions.md

@@ -0,0 +1,27 @@
+# Code Review Guidelines
+
+## Review Priorities
+
+- **CRITICAL**: Security vulnerabilities, logic errors, breaking changes, data loss
+- **IMPORTANT**: Missing validation, poor error handling, performance issues
+- **SUGGESTION**: Readability, minor optimizations
+
+## Review Principles
+
+- Be specific: reference exact lines and variables
+- Provide context: explain why something is problematic
+- Suggest solutions: show the fix, not just the problem
+- Be constructive: focus on code, not the author
+
+## Always Check
+
+- No hardcoded secrets or credentials
+- User input validated before use
+- Errors handled appropriately
+- Async operations properly awaited
+
+## Ignore
+
+- Formatting issues (handled by Prettier/ESLint)
+- Minor naming preferences
+- Style choices already consistent in codebase

.github/instructions/database.instructions.md

@@ -0,0 +1,38 @@
+---
+applyTo: "src/**/*.entity.ts,src/**/*.service.ts,src/**/*.repository.ts"
+---
+
+# Database Review
+
+## Queries
+
+- No raw SQL with string interpolation
+- Avoid queries inside loops (N+1 problem)
+- Paginate large result sets
+- Use transactions for multi-step operations
+
+## Relations
+
+- Define cascade options explicitly
+- Avoid eager loading of large relations
+- Consider lazy loading for optional relations
+
+## Performance
+
+- Add indexes on frequently queried columns
+- Use `select` to fetch only needed fields
+- Consider query builder for complex queries
+
+## Patterns
+
+```typescript
+// Bad: N+1
+for (const user of users) {
+  user.targets = await this.targetRepo.find({ user });
+}
+
+// Good: single query with relation
+const users = await this.userRepo.find({
+  relations: ['targets']
+});
+```

.github/instructions/nestjs.instructions.md

@@ -0,0 +1,43 @@
+---
+applyTo: "src/**/*.ts"
+---
+
+# NestJS Review
+
+## Architecture
+
+- Controllers should be thin: delegate logic to services
+- Services handle business logic, one responsibility per service
+- Use dependency injection via constructor, never instantiate manually
+
+## Validation
+
+- All DTOs must use `class-validator` decorators
+- Apply `ValidationPipe` on endpoints receiving user input
+- Transform and whitelist incoming data
+
+## Common Issues
+
+- Missing `@Injectable()` on providers
+- Business logic in controllers
+- Circular dependencies between modules
+- Missing guards on protected endpoints
+- Not awaiting async operations
+
+## Patterns
+
+```typescript
+// Good: thin controller
+@Post()
+create(@Body() dto: CreateDto) {
+  return this.service.create(dto);
+}
+
+// Bad: logic in controller
+@Post()
+create(@Body() dto: CreateDto) {
+  const validated = this.validate(dto);
+  const result = this.transform(validated);
+  return this.repository.save(result);
+}
+```

.github/instructions/security.instructions.md

@@ -0,0 +1,40 @@
+---
+applyTo: "src/auth/**/*,src/**/*.guard.ts,src/**/*.strategy.ts"
+---
+
+# Security Review (OWASP)
+
+## Authentication
+
+- JWT secrets must come from environment variables
+- Passwords must be hashed with bcrypt (min 10 rounds)
+- Never log or return passwords in responses
+- All protected endpoints must use AuthGuard
+
+## Injection Prevention
+
+- Use parameterized queries, never string concatenation
+- Validate and sanitize all user input
+- Escape data before rendering in responses
+
+## Access Control
+
+- Apply principle of least privilege
+- Verify user owns the resource before operations
+- Use guards for authorization, not just authentication
+
+## Session & Tokens
+
+- Set appropriate token expiration
+- Implement rate limiting on auth endpoints
+- Use secure cookie attributes (HttpOnly, Secure, SameSite)
+
+## Secrets
+
+```typescript
+// Good
+const secret = process.env.JWT_SECRET;
+
+// Bad
+const secret = 'my-secret-key';
+```

.github/instructions/testing.instructions.md

@@ -0,0 +1,34 @@
+---
+applyTo: "src/test/**/*,**/*.spec.ts,**/*.e2e-spec.ts"
+---
+
+# Testing Review
+
+## Test Quality
+
+- Tests must clean up in afterEach (close connections, clear data)
+- No hardcoded credentials or real secrets
+- Test edge cases: empty, null, boundaries
+- Test error paths, not just happy path
+
+## Isolation
+
+- No shared mutable state between tests
+- Tests must not depend on execution order
+- Each test should set up its own data
+
+## Assertions
+
+- Assert behavior, not implementation details
+- Use descriptive assertion messages
+- One logical assertion per test
+
+## Async
+
+```typescript
+// Good: proper async handling
+await expect(service.create(dto)).rejects.toThrow();
+
+// Bad: missing await
+expect(service.create(dto)).rejects.toThrow();
+```