Define AI Code review configurations and instructions #445

Open. juanmrad wants to merge 5 commits into main from define-ai-code-review-instructions

@juanmrad juanmrad commented May 13, 2026

Context & Requests for Reviewers

Initial Scaffolding for AI code review instructions. Defines expectations on what to look for and ignore linting errors.

Summary by CodeRabbit

  • Chores
    • Configured repository AI review automation and adjusted auto-review behavior, review status, and walkthrough presentation to streamline PR reviews.
    • Added detailed, path-scoped review checklists and exclusion filters for generated/output paths and security-sensitive areas.
    • Added repository guidance for AI assistants with security and quality checklists and review tone guidance.
    • Updated dependency-update tooling to apply consistent labels and scopes for automated dependency PRs.

Comment thread .github/copilot-instructions.md Outdated
Co-authored-by: Cassidy James <cassidyjames@roost.tools>

coderabbitai Bot commented May 13, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: a87230b0-380f-48aa-97ed-f18f5150c0d0

📥 Commits

Reviewing files that changed from the base of the PR and between 790be98 and 1a9aae9.

📒 Files selected for processing (1)
  • .coderabbit.yaml
🚧 Files skipped from review as they are similar to previous changes (1)
  • .coderabbit.yaml

📝 Walkthrough

Adds CodeRabbit review configuration, a Copilot instructions file with AI review checklists and tone guidance, and Dependabot label additions across multiple update blocks.

Changes

AI Review Configuration and Guidance

| Layer / File(s) | Summary |
|---|---|
| CodeRabbit configuration (.coderabbit.yaml) | Configures CodeRabbit: sets review profile and walkthrough behavior, enables auto_review for main (drafts false) while excluding Dependabot, adds path_filters to skip generated/build artifacts and lockfiles, introduces path-scoped review checklists, and disables bundled lint/formatter tools. |
| Copilot review instructions (.github/copilot-instructions.md) | Repository-specific AI reviewer guidance: repo layout and generated code notes, scope to prioritize security/quality, concrete security checklist (secrets, injection, auth, logging, crypto, dep review), code-quality checklist (generated drift, error/async handling, type-safety), a “what not to flag” list, and terse review tone guidance. |

Dependabot Configuration

| Layer / File(s) | Summary |
|---|---|
| Dependabot labels update (.github/dependabot.yml) | Adds dependencies and dependabot labels to Docker and multiple npm update entries (root, /db, /migrator, /server, /client, /nodejs-instrumentation) while keeping existing schedule and semver-major ignore settings. |

🎯 2 (Simple) | ⏱️ ~12 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Description check | ❓ Inconclusive | The description provides context about the changes but is incomplete. It covers the 'Context & Requests for Reviewers' section, but the required 'Tests' and optional 'Rollout Plan' sections are missing. | Add a 'Tests' section describing how these configuration changes were validated, and consider including a 'Rollout Plan' if there are deployment considerations. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title clearly and concisely describes the main change: defining AI code review configurations and instructions across three files. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.coderabbit.yaml:
- Around line 51-52: Remove the invalid tool key "prettier" from the
reviews.tools section and delete the unsupported "ast-grep.enabled" property
under the ast-grep tool; instead, replace them with the correct configuration
fields per the CodeRabbit schema (consult the CodeRabbit schema docs for the
proper ast-grep keys such as "rules", "config", or "version" as applicable) so
that reviews.tools only contains valid tool identifiers and each tool uses
supported properties.

In @.github/copilot-instructions.md:
- Line 8: Update the package count in the sentence that begins "Four independent
packages, not an npm workspace:" to match the listed entries by changing "Four"
to "Five" (or remove one of the listed paths if the intent is four); ensure the
heading and the enumerated paths (/ (root), /server, /client, /db, /migrator)
remain consistent with the corrected numeric count.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 10f7796b-4283-40f1-b411-49438be7c63a

📥 Commits

Reviewing files that changed from the base of the PR and between 34e9c0d and 11b1187.

📒 Files selected for processing (2)
  • .coderabbit.yaml
  • .github/copilot-instructions.md

Comment thread .coderabbit.yaml Outdated
Comment thread .github/copilot-instructions.md Outdated
@julietshen julietshen left a comment

Looks mostly fine; I don't feel strongly about the path-scoped review but I think we should definitely add a what-not-to-flag section in instructions

Comment thread .coderabbit.yaml
Comment thread .coderabbit.yaml Outdated
Comment thread .github/copilot-instructions.md Outdated
Comment thread .github/copilot-instructions.md
- Switch Dependabot filter to ignore_usernames (race-proof — the
  pull_request.opened webhook fires before pull_request.labeled). Keep
  labels: ['!dependabot'] as a manual opt-out path.
- Re-enable hadolint and shellcheck — they aren't covered by CI workflows.
- Move path-specific guidance from copilot-instructions.md into
  .coderabbit.yaml path_instructions (resolvers, server/api.ts, ClickHouse
  adapters, Scylla, iocContainer, migrations, client, dependency manifests).
  Shorter per-diff prompts for CodeRabbit; cross-cutting concerns stay in
  the markdown for Copilot and other readers.
- Add "What not to flag" section to copilot-instructions.md with examples
  of low-signal comments to suppress.

Co-Authored-By: Cursor Agent <noreply@cursor.com>

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.coderabbit.yaml:
- Around line 25-31: The path_filters block currently excludes package-lock
files via the pattern '!**/package-lock.json', which conflicts with the
dependency-review rules that must surface lockfile-only transitive bumps; update
the path_filters to stop excluding lockfiles (remove the '!**/package-lock.json'
entry or narrow it to a more specific path that doesn't hide repo-level
lockfiles), ensuring package-lock.json (and other lockfiles you need surfaced)
are no longer filtered out so the rules referenced around lines 91-94 can detect
transitive dependency updates.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 9dfeae30-0af3-4595-9f0d-ad3f2e673694

📥 Commits

Reviewing files that changed from the base of the PR and between a70e09a and 790be98.

📒 Files selected for processing (2)
  • .coderabbit.yaml
  • .github/copilot-instructions.md
✅ Files skipped from review due to trivial changes (1)
  • .github/copilot-instructions.md

Comment thread .coderabbit.yaml
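
The conflict flagged in the last review (a path_filters exclusion hiding lockfiles that the dependency-review rules need to see) can be checked mechanically. The following is an added example, not code from this PR or from CodeRabbit; the function names and the sample filter list are hypothetical (only '!**/package-lock.json' is quoted in the thread), and it assumes a leading '!' marks an exclusion and '**/' matches zero or more directories.

```python
import re

# Constructed sample filters; only '!**/package-lock.json' appears in the thread.
SAMPLE_FILTERS = ["!**/dist/**", "!**/__generated__/**", "!**/package-lock.json"]

# Lockfiles for the package directories named in the thread.
LOCKFILES = [
    "package-lock.json",
    "server/package-lock.json",
    "client/package-lock.json",
    "db/package-lock.json",
    "migrator/package-lock.json",
]


def glob_to_regex(pattern):
    """Translate a glob using '**', '*' and '?' into an anchored regex."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**/", i):
            out.append("(?:[^/]+/)*")  # zero or more directory levels
            i += 3
        elif pattern.startswith("**", i):
            out.append(".*")           # anything, including '/'
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")        # anything within one path segment
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def hidden_from_review(filters, must_review):
    """Map each must-review path to the first exclusion pattern that hides it."""
    exclusions = [f for f in filters if f.startswith("!")]
    hidden = {}
    for path in must_review:
        for pat in exclusions:
            if glob_to_regex(pat[1:]).match(path):
                hidden[path] = pat
                break
    return hidden


if __name__ == "__main__":
    for path, pat in hidden_from_review(SAMPLE_FILTERS, LOCKFILES).items():
        print(f"{path} is excluded from review by {pat}")
```

Run against the real filter list in CI, a non-empty result means a lockfile-only transitive bump would never reach the reviewer.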