feat(rules): add code-review.md rule to common rules

[xingzihai]

Summary

This PR adds a new code-review.md rule to the rules/common/ directory.

What's Added

A comprehensive code review standards rule that:

• Defines when to review - After code changes, before commits, before merging PRs
• Security review triggers - Authentication, user input, database queries, file operations, etc.
• Review checklist - Readability, function/file size, nesting depth, error handling, tests
• Severity levels - CRITICAL (block), HIGH (warn), MEDIUM (info), LOW (note)
• Agent references - Links to code-reviewer, security-reviewer, and language-specific reviewers
• Approval criteria - Clear guidelines for Approve/Warning/Block decisions
• Common issues to catch - Security, code quality, and performance issues

Why This Rule?

While the project has a detailed code-reviewer agent, there was no corresponding rule file in rules/common/ that defines:

1. When code reviews should be triggered
2. What the review checklist should include
3. How to categorize severity of issues
4. What approval criteria to use

This rule fills that gap and works alongside the existing agent.

Integration

This rule references and integrates with:

• testing.md - Test coverage requirements
• security.md - Security checklist
• git-workflow.md - Commit standards
• agents.md - Agent delegation

Testing

• Rule follows existing format (Markdown with sections)
• Rule references existing agents
• Rule is placed in correct directory (rules/common/)
• Commit follows conventional commit format

---

Added by contributor as part of open source contribution efforts.

Summary by CodeRabbit

• Documentation
  • Added comprehensive code review standards with mandatory review triggers and pre-merge checklists
  • Established security review criteria with severity levels and corresponding actions
  • Defined approval workflows, quality benchmarks, and minimum test coverage requirements (80%)
  • Provided guidelines for delegating review tasks across different domains

[coderabbitai]

📝 Walkthrough

Walkthrough

A new documentation file establishing code review standards has been added, defining mandatory review triggers, pre-merge checklists covering readability and quality checks, security review conditions, severity levels with corresponding actions, an agent delegation table, review workflow steps, and common issues to address during reviews.

Changes

Cohort / File(s)

Summary

Code Review Standards Documentation rules/common/code-review.md

New comprehensive code review guidelines including mandatory review triggers, pre-merge checklist items (readability, size/nesting limits, error handling, security checks, test coverage ≥80%), security review stop conditions, severity levels (CRITICAL/HIGH/MEDIUM/LOW), agent usage matrix for delegating tasks, step-by-step review workflow, common issues across security/quality/performance domains, approval criteria, and cross-references to related rules.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Suggested reviewers

• affaan-m

Poem

🐰 A document of wisdom, now in place,
Guidelines and checklists to embrace,
Security checks and quality care,
Code review standards beyond compare,
Standards so clear, so thoughtfully made,
With rules for review, we'll never fade! ✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: adding a new code-review.md rule to the common rules directory. It is concise, clear, and directly summarizes the primary purpose of the changeset.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[greptile-apps]

Greptile Summary

This PR adds rules/common/code-review.md, a new rule document that defines when code reviews are triggered, a review checklist, severity levels, agent references, and approval criteria. The rule fills a genuine gap in the project — a corresponding rule document for the existing code-reviewer agent — and follows the project's Markdown-with-sections format.

Key findings:

• Logical inconsistency (lines 48 & 100–103): The severity table classifies HIGH as "Should fix before merge," but the Approval Criteria section allows merging with a "Warning" when only HIGH issues are present. These two definitions directly contradict each other and should be reconciled before the rule is shipped.
• Agent table out of sync with agents.md (lines 57–63): typescript-reviewer, python-reviewer, and go-reviewer are listed here but are absent from the master rules/common/agents.md canonical table. Several other existing language-specific agents (kotlin-reviewer, cpp-reviewer, java-reviewer, flutter-reviewer) are omitted without acknowledgement.
• Missing trailing newline (line 116): The file does not end with a newline, inconsistent with every other file in rules/common/.

Confidence Score: 4/5

• Safe to merge after resolving the HIGH-vs-Warning logical inconsistency; remaining issues are cosmetic.
• The PR is a documentation-only addition with no executable code, so risk is low. The logical contradiction between the severity table and the Approval Criteria section is a real content bug that would give conflicting guidance to users of this rule, warranting a fix before merge. The other two issues (partial agent list and missing newline) are minor and do not block correctness.
• rules/common/code-review.md — Approval Criteria section contradicts the severity table for HIGH-level issues.

Important Files Changed

Filename	Overview
rules/common/code-review.md	New rule file defining code review standards; contains a logical inconsistency between the severity-level table (HIGH = "Should fix before merge") and the Approval Criteria section (HIGH → "Warning: merge with caution"), references agents not listed in the master agents.md, and is missing a trailing newline.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[Code Written / Modified] --> B{Security-sensitive\nchange?}
    B -- Yes --> C[Use security-reviewer agent]
    B -- No --> D[Run git diff]
    C --> D
    D --> E[Security Checklist]
    E --> F[Code Quality Checklist]
    F --> G[Run Tests\nVerify ≥80% coverage]
    G --> H[Use appropriate agent\ncode-reviewer / language-reviewer]
    H --> I{Issues Found?}
    I -- CRITICAL --> J[🚫 BLOCK - Must fix before merge]
    I -- HIGH --> K[⚠️ WARN - Should fix before merge]
    I -- MEDIUM --> L[ℹ️ INFO - Consider fixing]
    I -- LOW --> M[📝 NOTE - Optional]
    I -- None --> N[✅ APPROVE]
    K --> O{Proceed?}
    O -- Fixed --> N
    O -- Merge with caution --> P[⚠️ WARNING decision]

Loading

_{Reviews (1): Last reviewed commit: "feat(rules): add code-review.md rule to ..." | Re-trigger Greptile}

[greptile-apps]

Approval criteria contradicts severity table

The severity table on line 48 defines HIGH as "Should fix before merge" with action WARN, yet the Approval Criteria here says HIGH issues only result in a "Warning (merge with caution)". These two definitions directly contradict each other: one says a HIGH issue must be resolved before merging, while the other allows merging with a warning.

Pick one consistent stance. If HIGH issues truly block merging, change the Approval Criteria to:

Suggested change

	- Unbounded queries - add constraints
	- Missing caching - cache expensive operations
	## Approval Criteria
	- **Approve**: No CRITICAL or HIGH issues
	- **Warning**: Only MEDIUM issues (merge with caution)
	- **Block**: CRITICAL or HIGH issues found

Alternatively, if merging with caution on HIGH issues is acceptable, update the severity table's action column for HIGH from "Should fix before merge" to "May merge with caution".

[greptile-apps]

Agent table out of sync with agents.md

The master rules/common/agents.md rule defines the canonical list of available agents. The agents typescript-reviewer, python-reviewer, and go-reviewer are listed here but are absent from that master list (which only includes rust-reviewer among language-specific reviewers).

Additionally, several language-specific agents that exist in the agents/ directory — kotlin-reviewer, cpp-reviewer, java-reviewer, flutter-reviewer — are silently omitted. Readers may not know they are available.

Consider either:

1. Aligning this table with the full list in agents.md, or
2. Adding a note such as "See agents.md for the complete list of available agents" instead of duplicating a partial subset.

Context Used: rules/common/agents.md (source)

[greptile-apps]

Missing trailing newline

The file does not end with a newline character. Most editors and POSIX tools expect a trailing newline, and it is consistent with every other file in rules/common/.

Suggested change

	- [agents.md](agents.md) - Agent delegation
	- [agents.md](agents.md) - Agent delegation

(Add a blank line after this line to ensure the file ends with a newline.)

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

rules/common/code-review.md (1)

12-13: Tighten reviewer-trigger wording to match repo practice.

Current wording scopes commit-time checks to shared branches/security triggers. Consider explicitly requiring code-reviewer after code changes and security-reviewer before commits involving sensitive areas, so this rule stays aligned with existing team workflow guidance.

Based on learnings: “Use code-reviewer agent immediately after writing or modifying code…” and “Use security-reviewer agent before committing any code, especially for security-sensitive code…”.

Also applies to: 33-41

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@rules/common/code-review.md` around lines 12 - 13, Update the rule wording to
explicitly require running the code-reviewer agent immediately after writing or
modifying code and to require running the security-reviewer agent before
committing any changes that touch security-sensitive areas (auth, payments, user
data); replace the current vague phrases ("Before any commit to shared branches"
/ "When security-sensitive code is changed") with explicit instructions
referencing the code-reviewer and security-reviewer agents, and apply the same
wording change to the related section covering lines 33-41.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@rules/common/code-review.md`:
- Around line 106-107: The document has conflicting guidance: the rule that
"HIGH issues should be fixed before merge" and the approval criteria bullet
"**Warning**: Only HIGH issues (merge with caution)" disagree; update the
approval criteria so HIGH severity is treated as blocking (or else change the
severity rule) to be consistent. Specifically, replace the approval-criteria
bullet "**Warning**: Only HIGH issues (merge with caution)" with wording that
HIGH issues must be resolved before merge (or change the severity policy to
match the existing warning text), ensuring the "**Block**: CRITICAL issues
found" line remains accurate and the two statements are consistent.

---

Nitpick comments:
In `@rules/common/code-review.md`:
- Around line 12-13: Update the rule wording to explicitly require running the
code-reviewer agent immediately after writing or modifying code and to require
running the security-reviewer agent before committing any changes that touch
security-sensitive areas (auth, payments, user data); replace the current vague
phrases ("Before any commit to shared branches" / "When security-sensitive code
is changed") with explicit instructions referencing the code-reviewer and
security-reviewer agents, and apply the same wording change to the related
section covering lines 33-41.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: f48a7124-af87-4a0d-a027-7c7cecbdc0fa

📥 Commits

Reviewing files that changed from the base of the PR and between 678fb6f and b5148f1.

📒 Files selected for processing (1)

• rules/common/code-review.md

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Approval criteria conflicts with your HIGH-severity rule.

Line 48 says HIGH issues should be fixed before merge, but Line 106 allows merge with only HIGH issues present. This creates contradictory enforcement and weakens the standard.

Suggested doc fix

-- **Warning**: Only HIGH issues (merge with caution)
+- **Warning**: Only MEDIUM/LOW issues (merge with caution)

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	- **Warning**: Only HIGH issues (merge with caution)
	- **Block**: CRITICAL issues found
	- **Warning**: Only MEDIUM/LOW issues (merge with caution)
	- **Block**: CRITICAL issues found

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@rules/common/code-review.md` around lines 106 - 107, The document has
conflicting guidance: the rule that "HIGH issues should be fixed before merge"
and the approval criteria bullet "**Warning**: Only HIGH issues (merge with
caution)" disagree; update the approval criteria so HIGH severity is treated as
blocking (or else change the severity rule) to be consistent. Specifically,
replace the approval-criteria bullet "**Warning**: Only HIGH issues (merge with
caution)" with wording that HIGH issues must be resolved before merge (or change
the severity policy to match the existing warning text), ensuring the
"**Block**: CRITICAL issues found" line remains accurate and the two statements
are consistent.

[cubic-dev-ai]

1 issue found across 1 file

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="rules/common/code-review.md">

<violation number="1" location="rules/common/code-review.md:106">
P2: HIGH severity handling is inconsistent: one section says fix before merge, another allows merge with caution for HIGH-only findings.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

[cubic-dev-ai]

P2: HIGH severity handling is inconsistent: one section says fix before merge, another allows merge with caution for HIGH-only findings.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At rules/common/code-review.md, line 106:

<comment>HIGH severity handling is inconsistent: one section says fix before merge, another allows merge with caution for HIGH-only findings.</comment>

<file context>
@@ -0,0 +1,116 @@
+## Approval Criteria
+
+- **Approve**: No CRITICAL or HIGH issues
+- **Warning**: Only HIGH issues (merge with caution)
+- **Block**: CRITICAL issues found
+
</file context>

[affaan-m]

thanks, queued for review.