GC-301i · Module 2

Code Review Workflows

3 min read

AI-augmented code review works as a three-tier system. Tier 1: an automated Gemini review in CI catches bugs, security issues, and convention violations before a human looks at the PR. Tier 2: the human reviewer uses Gemini interactively to understand complex changes ("explain what this diff does," "what are the risks of this approach," "suggest a simpler alternative"). Tier 3: the reviewer applies human judgment to architecture decisions, business-logic correctness, and team dynamics that no AI can evaluate. The tiers reduce the human reviewer's cognitive load while preserving their oversight on the decisions that matter most. Tier 1 output is a signal, not a verdict: the model can miss a real issue, or report one against a line the change never touched, so the CI job should gate on explicit severity thresholds and route anything it cannot verify to the human tiers rather than silently passing or failing on it.

Custom review commands standardize the review process. A /review-security command runs a security-focused analysis, a /review-perf command checks for performance regressions, and a /review-api command validates API contract changes. Each command encodes one review lens: a tailored prompt, a fixed output format, and severity thresholds that CI can act on. In Gemini CLI a custom command is a TOML file named after the command, stored under .gemini/commands/ in the repository (shared with the team) or under ~/.gemini/commands/ (per user). Reviewers run the commands that fit the PR type and focus their manual review on the areas the AI does not cover.

# .gemini/commands/review-security.toml (project scope; use ~/.gemini/commands/ for user scope).
# Invoked as /review-security. Gemini CLI reads description and prompt as top-level keys;
# !{...} runs a shell command and splices its output into the prompt, so the model reviews
# exactly the diff it is shown instead of whatever files it decides to open.
description = "Security-focused code review"
prompt = """
Perform a security review of the git diff below (staged and unstaged changes against HEAD).
Review only code that appears in the diff.

!{git diff HEAD}

Focus areas:
1. Authentication and authorization bypass
2. Input validation gaps
3. SQL/NoSQL injection vectors
4. XSS vulnerabilities in UI code
5. Sensitive data exposure (credentials, PII, tokens in logs)
6. Insecure dependencies
7. CSRF protection
8. Rate limiting gaps

Report each finding in exactly this format, with one blank line between findings:
- Severity: CRITICAL / HIGH / MEDIUM / LOW
- File and line: <path>:<line>, pointing at a line present in the diff
- Description of the vulnerability
- Suggested fix

If no security issues are found, state exactly: "No security issues detected."
Do not flag style issues or minor code quality concerns; this is a security review only.
"""