Last Updated: 2026-06-28
Config:
.coderabbit.yaml v2.8.0 (right-sized + advisory 2026-06-28; prior v2.7.2 / 2026-06-03)Status: ✅ Fully Configured — ADVISORY posture (does not block merges) Complete guide to CodeRabbit setup, configuration, and usage for the Encore OS Platform (repository: encoreos-platform). See also: CODERABBIT_IMPROVEMENTS.md (archived; recommendations implemented in v2.5.0).
What’s new since config v2.5.0 (2026-02-05)
Platform.coderabbit.yaml refresh (2026-05-15) aligns with CodeRabbit product updates through mid-2026:
- Security tools: Explicit enable for OpenGrep, TruffleHog, Trivy (IaC/containers), and Stylelint (CSS/SCSS), alongside existing ESLint/Biome/Semgrep/OSV/etc.
- Secrets:
gitleakscontinues to run; CodeRabbit now uses the Betterleaks backend (comment in config). - Slop detection:
slop_detection.label: "ai-slop"for PR triage when suspicious patterns are flagged. - Chat:
allow_non_org_members: falseso PR chat stays with org members (healthcare-appropriate default). - Labels:
core:cl,core:pm, andcore:itadded tolabeling_instructionsalongside existing core/platform labels. - Auto-pause:
auto_pause_after_reviewed_commits: 12— reviews pause after twelve reviewed commits; resume with@coderabbitai review(tune to0if you need every push reviewed without pause). - Knowledge base: Additional
filePatternsforUI_CONSISTENCY_REVIEW.mdandSPEC_COMMAND_CHEATSHEET.md. - Product surface (reference): CodeRabbit continues to ship Skills/CLI integration, finishing touches (autofix/simplify flows where enabled), issue planner, and multi-repo analysis — see CodeRabbit changelog for the latest.
Config v2.8.0 (2026-06-28) — right-sizing + advisory posture
A deep review found CodeRabbit was gate theater: an elaborate 1089-line hard-blocking config that (a) was chronically “prepaid credits exhausted” so it rarely ran, and (b) was not a branch-protection required check and is--admin-bypassed by babysit-automerge.yml — so blocking only produced
CHANGES_REQUESTED dismissal toil with zero real enforcement. It is nonetheless net-positive when it runs
(it caught the Plaid #1771 publicly-invocable edge fn + 4 criticals, and the WENO #1909 cross-org join / Part-2
gap). So we kept it and right-sized it to run reliably on the high-value lanes:
- Advisory posture:
request_changes_workflow: false,fail_commit_status: false. CodeRabbit comments but does not block. Process rule: on high-value lanes (edge fns, migrations, regulated cores), read its comments before merging. - Credit minimization:
path_filtersnow excludedocs/**,specs/**,*.md, generated files, and the bulk ofscripts/**(keepingscripts/database/**+scripts/security/**— the CI-gate logic).drafts: false;auto_pause_after_reviewed_commits: 12 → 3;base_branches: .* → [development, main]; issueauto_planningnarrowed to opt-in labels (plan-me,ready-for-engine). - Right-sizing: disabled dead-weight scanners with no surface in this repo (
checkov,htmlhint,stylelint,trivy,languagetool); removed the Core Boundary and Code Quality (Deterministic) custom checks becausenpm run check-architectureand thenorthsight/require-usequery-freshnessESLint rule already enforce them as REQUIRED CI — leaving the 3 semantic checks (Multi-Tenant & RLS, PHI/PII, Jurisdiction & EKRA). Trimmed CI-redundantpath_instructionbullets. - Promoted a recurring bug class to credit-free CI: new
scripts/database/check-view-security-invoker.tsin themigration-guardgate flags any newly-added migration that creates a view withoutsecurity_invoker = on(the CL-69 #1892 PHI-leak class) — caught even when CodeRabbit is out of credits. - Guide corrections: removed the non-existent
balanced/strictprofile values (onlychill/assertiveexist); fixed theearly_accessdescription; correctedreview_instructions→path_instructionsandpaths.ignored_paths→path_filtersin Troubleshooting.
learnings.approval_delay: 7 added (schema-verified);
skillspector + zizmor enabled with their target paths brought into path_filters scope
(automation/{skills,agents,commands}/**, .github/workflows/**); Rule B shipped as a credit-free
CI ratchet (scripts/security/check-edge-fn-org-scope.ts — flags edge-fn service-role writes trusting a
body-supplied org/user id, baseline-grandfathered); cost/sourcing analysis written
(CODERABBIT_COST_ANALYSIS_2026-06.md).
Still owner/dashboard (cannot be set from YAML): the actual funding decision — enable the
Usage-Based Add-On (capped auto-refill) vs. an Enterprise self-host quote (see the cost analysis); and
a recurring Scheduled Report as HIPAA evidence. Both are dashboard actions — see §Org-level settings below.
Config v2.7.2 (2026-06-03)
- Bug fix — config parsing/schema-validation errors resolved: Two issues flagged by CodeRabbit’s schema validation were fixed in
.coderabbit.yaml:reviews.suggested_reviewers_instructionswas authored as a free-text block scalar (string), but the v2 schema requires an array of{ reviewers: [{ handle, type }], instructions }objects. It is now structured correctly, with bare GitHub handles (no leading@) andtype: user. Addtype: groupentries for teams as the team grows (GitHub only).reviews.instructionsis not a field in the v2 schema and was being silently ignored. It was removed, and its guidance relocated totone_instructions(security / multi-tenancy / PHI-PII priority — already present) pluspath_instructionsfordocs/**/*.md(accuracy over markdown nits) and**/*.sh(correctness/idempotency over style; large-normalization transformation-logic focus).
- Stale comment corrected: the
pre_merge_checks.custom_checkscomment claimedmaxItems 5; the current schema allows up to 50 custom checks (we use 5). - How to verify: validate
.coderabbit.yamlagainstschema.v2.json(the# yaml-language-server: $schema=...directive enables this in editors), or run@coderabbitai configurationon a PR to confirm CodeRabbit accepts the parsed config.
Config v2.7.1 (2026-06-02)
- Bug fix — custom ast-grep rules now run:
tools.ast-grep.rule_dirspointed at a non-existentrules/directory, so the project’s custom rules were silently skipped. Corrected toeslint-rules/(no-core-to-core-import.yml,no-console-log.yml,no-return-null-loading.yml). - Presidio is now opt-in: As of 2026-05-08 the Microsoft Presidio analyzer no longer runs by default. The explicit
presidio.enabled: truein.coderabbit.yamlis required — removing it silently disables PHI/PII scanning. - New merge-blocking check — “Jurisdiction & EKRA Risk”: 5th
pre_merge_checks.custom_checksentry (mode: error) promotes PF-96 hardcoding and EKRA referral risk from advisory path instructions to a blocking gate. - Suggested reviewers aligned to CODEOWNERS:
suggested_reviewers_instructionsnow routes high-risk and regulated-core paths to the CODEOWNERS owner (single maintainer today; swap in SME handles as the team grows). - CLI minimum bumped to v0.5.0+: the
coderabbit-reviewskill documentscoderabbit doctor(diagnostics) andcoderabbit review findings(replay cached findings without spending a new review). - Bootstrap installs the CLI:
scripts/setup/web-env-setup.shnow installs the CodeRabbit CLI (skip with--skip-coderabbit).
Org-level settings (CodeRabbit dashboard — not in .coderabbit.yaml)
Some 2026 features are configured in the CodeRabbit web dashboard, not this repo’s YAML. They cannot be set from the repository and are tracked here so they aren’t forgotten:
- Global Overrides (shipped 2026-04-16): organization-wide enforcement settings that supersede per-repository
.coderabbit.yaml. Use to guarantee a baseline (e.g. assertive profile, request-changes workflow, secret scanning) across all Encore-OS repos. Configure under Organization Settings → Global Overrides. Relevant here becauseknowledge_base.learnings.scope/issues.scope/pull_requests.scopeare alreadyglobal. - Custom roles & permissions (2026-02-24) and the Custom Roles API (2026-05-31): per-resource access levels for who may override pre-merge checks. Pairs with our
pre_merge_checks.override_requested_reviewers_only: true. - Audit Logs (2026-03-25): tamper-resistant log of administrative actions, exportable via REST API — useful HIPAA evidence.
Owner runbook — make reviews actually run (dashboard)
The config right-sizing (v2.8.0) cut per-PR spend, but reviews still won’t run during agent-fleet bursts until the Usage-Based Add-On is enabled (see CODERABBIT_COST_ANALYSIS_2026-06.md for the cost model and the self-host comparison).- Confirm the plan is Pro Plus. Several enabled features (custom pre-merge checks, finishing touches) silently no-op below Pro+. Organization Settings → Billing/Plan.
- Enable the Usage-Based Add-On with auto-refill. Organization Settings → Usage / Add-On → turn on the add-on → set Auto-refill (refill threshold + top-off amount) and a monthly cap (~0.25/reviewed file). This is what ends “prepaid credits exhausted” — over-limit reviews then continue instead of silently skipping.
- Set up a Scheduled Report (HIPAA evidence). Organization Settings → Reports → Scheduled Reports → create a weekly or monthly report (review volume, findings, overrides) delivered to the owner / a shared inbox. Exportable, dated — cheap recurring compliance evidence. Record that it exists here once configured.
- Decide funding vs. self-host. Work the recommendation + checklist in the cost analysis (confirm seat count; confirm a BAA with CodeRabbit; get an Enterprise/self-host quote). For a behavioral-health ERP the deciding factor is likely the BAA / in-perimeter / audit-log posture, not raw cost.
Table of Contents
- Quick Start
- Setup
- Configuration
- CLI Commands
- Output Modes
- Workflow Patterns
- Reporting
- Best Practices
- Troubleshooting
Quick Start
Current Setup Status ✅
- ✅ CodeRabbit CLI: Installed (see
coderabbit --version) - ✅ Configuration:
.coderabbit.yamlv2.7.0+ with custom checks, path instructions, ast-grep rules, and knowledge base - ✅ Tools: ESLint, Biome, OXC, Gitleaks (Betterleaks), OpenGrep, TruffleHog, Trivy, Stylelint, Semgrep, OSV Scanner, SQLFluff, markdownlint, yamllint, shellcheck, and others (see
.coderabbit.yaml) - ✅ Profile: Assertive (comprehensive reviews)
- ✅ Knowledge Base: Root governance files (constitution.md, AGENTS.md, .cursor/BUGBOT.md, etc.) and auto-detected .cursorrules, AGENTS.md, .cursor/rules
Quick Commands
Common Workflows
Before Committing:bash scripts/utils/setup-coderabbit-aliases.sh once to install aliases.)
Plain reports (single file):
Setup
Installation (WSL recommended on Windows)
CodeRabbit CLI does not support native Windows; use WSL and optionally a Windows PATH wrapper. 1. Install in WSL (one-time) From a WSL terminal (in or outside the repo):~/.coderabbit/bin (or ~/.local/bin) and adds it to your shell PATH in ~/.bashrc / ~/.zshrc.
2. Add CodeRabbit to Windows PATH (optional)
To run coderabbit from PowerShell or CMD (and have it run inside WSL with the current directory), use the repo wrapper:
-
Add this repo’s
scripts/binfolder to your Windows user PATH:- Environment Variables → User (or System) → Path → Edit → New.
- Add the full path to
scripts\bin, e.g.C:\Users\YourName\encoreos-platform\scripts\bin. - OK and restart any open terminals.
-
From PowerShell/CMD, in your repo directory:
scripts/bin/coderabbit.cmd) runs wsl coderabbit ... with the current Windows directory converted to a WSL path. See scripts/bin/README.md for details.
Verify (from WSL):
coderabbit auth login fails with libsecret not available: See CODERABBIT_CLI_WSL_AUTH.md for the fix (install libsecret/gnome-keyring, use dbus-run-session).
Git Configuration (CRITICAL)
Configure git for Windows/WSL compatibility to prevent line-ending issues:Performance Optimization
Option A: Keep Repository in Windows (Current Setup)
- ✅ Pros: Works with Windows IDEs, easy file access
- ⚠️ Cons: Slower file I/O performance in WSL
- Best for: When you primarily use Windows-based tools
Option B: Clone to WSL Filesystem (Recommended for Performance)
- ✅ Pros: Much faster file operations, better WSL performance
- ⚠️ Cons: Need to use VS Code Remote - WSL for editing
- Best for: When you want optimal CodeRabbit performance
\\wsl$\Ubuntu\home\<user>\projects\encoreos-platform
VS Code Remote - WSL Integration (HIGHLY RECOMMENDED)
Benefits:- Edit files in Windows VS Code UI
- Terminal runs in WSL (native performance)
- Seamless integration with CodeRabbit CLI
- Best of both worlds
-
Install Extension:
- Open VS Code
- Install “Remote - WSL” extension (ms-vscode-remote.remote-wsl)
-
Open Project in WSL:
This opens VS Code in WSL mode automatically.
-
Use Integrated Terminal:
- VS Code terminal will be WSL by default
- Run
coderabbitdirectly (PATH already configured)
Convenience Aliases
Quick Setup (Recommended)
Run the setup script to automatically add aliases to your shell config:Manual Setup
Add to~/.bashrc or ~/.zshrc:
Recommended Setup for This Project
Based on your current setup, here’s the recommended configuration:Option 1: Hybrid Approach (Recommended)
- Keep repository in Windows (current location)
- Use VS Code Remote - WSL for editing
- Run CodeRabbit from WSL terminal (via VS Code integrated terminal)
- Best of both worlds: Windows file access + WSL performance
Option 2: Full WSL Migration (Best Performance)
- Clone repository to
~/projects/in WSL (e.g.encoreos-platform) - Use VS Code Remote - WSL exclusively
- Maximum performance for CodeRabbit and git operations
- Access files from Windows:
\\wsl$\Ubuntu\home\<user>\projects\
Setup Verification
Run the verification script:Configuration
Configuration File
Location:.coderabbit.yaml (repository root)
The configuration is optimized for:
- ✅ Multi-tenant healthcare platform security
- ✅ TypeScript/React/Supabase codebase
- ✅ Architecture boundary enforcement
- ✅ Security vulnerability detection
Key Settings
Source of truth:.coderabbit.yaml (repository root). Summary of current config:
Review Profile
Current:assertive (comprehensive)
Why:
- Enterprise healthcare platform needs thorough reviews
- Catches critical security issues
- Enforces architecture boundaries
- Multi-tenant isolation validation
chill: lenient — fewer, higher-confidence comments. Too lenient for healthcare/enterprise.assertive: ⭐ comprehensive — chosen for this platform.
⚠️ There is NObalancedorstrictprofile. The CodeRabbit v2 schema accepts onlychillandassertive; any other value is rejected/ignored. (Corrected 2026-06-28 — the prior guide listed non-existentbalanced/strictvalues, which would have silently broken the profile.)
Configuration Breakdown
Language & Access
- Language: English (US) for consistent terminology
- Early Access: Enabled for stable features only (per config comment)
Review Settings
- High-level summary provides PR overview
- Auto-review ensures all PRs get reviewed
- Drafts are reviewed to catch issues early
Paths Configuration
Included Paths:- ✅ Source code (
src/**) - ✅ Database migrations (
supabase/**) - ✅ Tests (
tests/**) - ✅ Specifications (
specs/**) - ✅ Documentation (
docs/**) - ✅ Configuration files (
*.yaml,*.json,*.ts)
- ❌ Dependencies (
node_modules/**) - ❌ Build artifacts (
dist/**,build/**) - ❌ Lock files (
*.lock,bun.lockb) - ❌ IDE configs (
.vscode/**,.idea/**) - ❌ Generated reports (
reports/**)
- Dependencies are external code (not our responsibility)
- Build artifacts are generated (review source instead)
- Lock files are auto-generated
- Reports are CodeRabbit output (circular)
Knowledge Base
The configuration points CodeRabbit to key documentation:- CodeRabbit understands our architecture rules
- Enforces core boundaries and import patterns
- Validates against our coding standards
- References integration patterns
Review Instructions
Custom instructions guide CodeRabbit to:- ✅ Enforce core boundaries (no cross-core imports)
- ✅ Validate import paths (
@/shared/,@/platform/) - ✅ Check multi-tenancy (organization_id, RLS)
- ✅ Flag security issues (PHI handling, RLS patterns)
- ✅ Verify performance patterns (React.lazy, QueryClient)
- ✅ Reference key documents
Configuration Priority
- Branch-specific
.coderabbit.yaml(if exists in feature branch) - Main branch
.coderabbit.yaml(fallback) - Organization defaults (if configured)
- CodeRabbit defaults (last resort)
Customization
Adjust Review Strictness
More lenient:Add More Documentation
Add toknowledge_base.code_guidelines.filePatterns:
Customize Paths
Include additional paths:Tools Configuration
ESLint:- Auto-detects
eslint.config.js - Catches linting violations
- Enforces code style
- Detects hardcoded secrets
- Critical for healthcare platform
- Aligns with secrets management policy
Path-Specific Instructions
CodeRabbit applies different review criteria based on file type: SQL Files (supabase/**/*.sql):
- RLS policies on ALL business tables
- SECURITY DEFINER functions (prevent recursion)
- Multi-tenant isolation (organization_id, site_id)
- No hardcoded secrets
- Proper indexes for performance
src/**/*.{ts,tsx}):
- React.lazy() for route components
- Skeleton loaders (not null)
- useCurrentUser hook usage
- Static Supabase imports
- useEffect for side effects
- No direct core-to-core imports
- No PHI/PII logging
- Zod validation for forms
supabase/functions/**/*.ts):
- JWT validation when using service role key
- Organization context extraction
- Organization_id filtering in ALL queries
- URL validation (prevent SSRF)
- CORS headers configured
- Error messages don’t leak PHI/PII
- Input validation on all parameters
tests/**/*.ts):
- RLS policy coverage
- Multi-tenant test scenarios
- No hardcoded secrets
- Proper cleanup and isolation
What CodeRabbit Flags
Security Issues:- ❌ Missing JWT validation in edge functions
- ❌ Missing organization_id in queries
- ❌ SSRF vulnerabilities (no URL validation)
- ❌ Hardcoded secrets or API keys
- ❌ PHI/PII in logs or error messages
- ❌ Direct imports between cores
- ❌ Missing organization_id in business tables
- ❌ RLS policies without SECURITY DEFINER functions
- ❌ Direct route imports (should use React.lazy)
- ❌
return nullfor loading states - ❌ Using
useStatefor side effects - ❌ Dynamic Supabase imports
- ❌ Missing error handling
- ❌ Non-null assertion operators (
!)
CLI Commands
Command Options
Review Types
--type uncommitted: Quick feedback on work-in-progress--type committed: Review staged/committed changes--type all: Comprehensive review (slower, more thorough)
Workflow Integration
Pre-Commit Reviews
Post-Commit Reviews
Output Modes
--prompt-only (Minimal, Token-Efficient)
Command: cr-quick or coderabbit --prompt-only
Output:
- ✅ Minimal prompts for AI assistants
- ✅ Token-efficient (saves API costs)
- ✅ Quick summaries
- ❌ No detailed explanations
- ❌ No code snippets
- ❌ No context/background
- AI coding assistants (Cursor, GitHub Copilot)
- Quick checks during development
- When you need minimal output
--plain (Detailed Feedback)
Command: coderabbit --plain or cr-plain
Output:
- ✅ Detailed explanations
- ✅ Code snippets and examples
- ✅ Context and background
- ✅ Actionable suggestions
- ✅ More comprehensive
- ❌ Larger output (more tokens)
- Manual code reviews
- Understanding issues deeply
- Learning from feedback
- Comprehensive analysis
- Unhandled promise rejections can crash the application
- Users won’t see error feedback
- Debugging becomes difficult
- CodeRabbit automatically reviews PRs in UI
- Most comprehensive feedback
- Team collaboration
Workflow Patterns
CodeRabbit + Lovable Workflow
This workflow uses CodeRabbit reports with Lovable for automated code improvements.Local Report Generation (cr-lovable)
Reports are generated locally via thecr-lovable aliases. No GitHub workflow is used.
Setup: Run once from the repo root to add aliases to your shell config:
reports/active/markdown/coderabbit-<timestamp>/):
Output directory:
reports/active/markdown/coderabbit-<timestamp>/
00-SUMMARY.md— Overview, severity counts, top impacted files, priority actions01-CRITICAL.md— Critical issues (security, architecture, data integrity)02-MAJOR.md— Major issues03-MINOR.md— Minor issues04-TRIVIAL.md— Trivial suggestions05-OUTSIDE-DIFF.md— Findings outside the diff (if any)00-PROMPT-ONLY.md— Present only when run with--prompt-only; token-efficient prompts for AI agents
Manual Workflow (Alternative)
Workflow Overview:Step-by-Step Process
1. Generate Detailed Report
Recommended (markdown by severity):- Runs CodeRabbit and parses output by severity
- Writes
00-SUMMARY.md,01-CRITICAL.mdthrough05-OUTSIDE-DIFF.mdinreports/active/markdown/coderabbit-<timestamp>/ - Optionally adds
00-PROMPT-ONLY.mdwhen using--prompt-only - Includes code snippets, explanations, and AI prompts in each severity file
2. Review the Report
3. Feed to Lovable
Option A: Copy Report Content
- Open the report file
- Copy the entire content
- Paste into Lovable chat with prompt:
Option B: Reference the File
- Upload the report file to Lovable
- Use prompt:
4. Lovable Applies Fixes
Lovable will:- ✅ Read the CodeRabbit report
- ✅ Understand the issues
- ✅ Apply suggested fixes
- ✅ Update code accordingly
- ✅ Maintain code quality
5. Iterate
After Lovable applies fixes:- Regenerate report to verify fixes:
- Check for remaining issues
- Repeat if needed
Example Lovable Prompts
Basic Prompt
Detailed Prompt
Integration with Development Workflow
Daily Development:When to Run Reviews
✅ Good times:- Before committing significant changes
- After implementing a feature
- Before creating a pull request
- When refactoring code
- Documentation-only changes
- Simple formatting fixes
- Generated files
Reporting
Quick Methods
Method 1: Simple Output Redirection
Save review output to a file:Method 2: Save Both Output and Errors
Capture both standard output and errors:Method 3: View and Save Simultaneously
Usetee to see output while saving:
Parse AI prompts from an existing PR
To extract CodeRabbit comments and AI prompts from a pull request on GitHub (e.g. to work through review feedback in Cursor/Copilot), use one of the PR-based parsers. Both fetch comments from the GitHub API and write markdown by severity; each also produces a consolidated AI prompt file you can copy-paste into another AI to fix all listed issues. Which script to use:
Requirements:
- Node parser:
GITHUB_TOKENwithrepo(orpublic_repofor public repos). For local runs, addGITHUB_TOKEN=ghp_...to.env.local(gitignored); the npm script loads it automatically. - Bash script: GitHub CLI (
gh) authenticated (gh auth login).
node --env-file=.env.local scripts/utils/parse-pr-coderabbit-comments.js <PR> [output-dir] or set GITHUB_TOKEN in your shell.
Output (Node): 00-SUMMARY.md, 01-CRITICAL.md through 05-UNCLASSIFIED.md, and 06-AI-PROMPT-CONSOLIDATED.md. The consolidated file contains one copy-paste block; paste it into Cursor, Copilot, or another AI to fix all listed issues. Individual findings also include Problem, Proposed Fix, and AI Agent Prompt in the severity files.
Output (Bash): 00-SUMMARY.md, 01-CRITICAL.md through 04-TRIVIAL.md, and 05-AI-PROMPT-CONSOLIDATED.md. Same use: copy the consolidated prompt into your AI assistant to address all comments.
Report Types
Quick Report (--prompt-only)
Command: cr-quick or coderabbit --prompt-only
Characteristics:
- ✅ Minimal output (token-efficient)
- ✅ Quick to generate
- ✅ Designed for AI assistants
- ❌ No detailed explanations
- ❌ No code snippets
- ❌ Limited context
- Quick checks during development
- AI assistant integration
- When you need minimal output
Detailed Report (--plain)
Command: cr-report or coderabbit --plain
Characteristics:
- ✅ Detailed explanations
- ✅ Code snippets included
- ✅ Context provided
- ✅ Actionable suggestions
- ✅ Issue categorization
- ❌ Larger file size
- ❌ Takes longer to generate
- Manual code reviews
- Feeding to Lovable
- Understanding issues deeply
- Comprehensive analysis
Report Comparison
For Lovable Workflow
✅ Use Detailed Report
Why:- Lovable needs context to understand issues
- Code snippets help Lovable see the problem
- Detailed explanations guide fixes
- Better results with more information
❌ Don’t Use Quick Report
Why:- Too minimal for Lovable
- Lacks context
- No code snippets
- Harder for Lovable to understand
Report Organization
Recommended Directory Structure
Using Aliases for Reports
The aliases configured in setup automatically:- Create
reports/directory if needed - Generate timestamped filenames
- Save both output and errors
- Provide confirmation message
cr-lovable aliases generate markdown files organized by severity in reports/active/markdown/coderabbit-<timestamp>/:
00-SUMMARY.md- Overview with counts and top impacted files01-CRITICAL.md- Critical issues (security, data integrity)02-MAJOR.md- Major issues (architecture, multi-tenancy)03-MINOR.md- Minor issues (code quality, best practices)04-TRIVIAL.md- Trivial issues (refactoring suggestions)05-OUTSIDE-DIFF.md- Issues outside the diff (if any)
Best Practices
1. Use Timestamps
Always include timestamps in filenames:2. Organize Reports
Create a dedicated directory:3. Include Context
Add metadata to reports:4. Review Type Selection
--type uncommitted: For work-in-progress reviews--type committed: For reviewing staged changes--type all: For comprehensive reviews
5. Output Format
--plain: Always use for reports (removes interactive formatting)--prompt-only: For minimal output (AI assistant integration)
Example Workflows
Daily Development Report:Best Practices
1. Review Before Committing
2. Use Appropriate Output Mode
- Development:
cr-plain(detailed feedback) - AI Assistants:
cr-quick(token-efficient) - CI/CD:
cr-report(save to file)
3. Address Security Issues First
CodeRabbit prioritizes:- Security vulnerabilities (SSRF, JWT validation, etc.)
- Multi-tenant isolation violations
- Architecture boundary violations
- Code quality issues
4. Review Reports Regularly
Checkreports/ directory for saved reviews:
- Full reports for comprehensive analysis
- Quick reports for AI assistant context
- Uncommitted reports for pre-commit checks
5. Keep Configuration Updated
When architecture changes:- Update
.coderabbit.yaml - Add new docs to knowledge base
- Update review instructions
6. Integrate with Workflow
- Run reviews before committing
- Use reports for documentation
- Share findings with team
7. Learnings and Quarterly Review
CodeRabbit stores learnings from PR feedback (scope set in.coderabbit.yaml under knowledge_base.learnings.scope). To keep reviews consistent:
- Quarterly: In the CodeRabbit app, go to Learnings and review/remove outdated or conflicting learnings. Filter by date or topic; delete learnings that reference deprecated patterns or old file layouts.
- Scope: Use
globalif all org repos share the same standards; uselocalif you have repos with different tech stacks to avoid cross-contamination. - Reinforcement: If learnings seem ignored, add a path instruction that says: “Before responding, review all Learnings to ensure none are ignored.”
Troubleshooting
Issue: CodeRabbit Not Found
Solution:Issue: Authentication Required
Solution:Issue: Authentication Failed (libsecret not available)
Symptoms: OAuth completes but CLI reportsError [ERR_SECRETS_PLATFORM_ERROR]: libsecret not available
Solution: See CODERABBIT_CLI_WSL_AUTH.md. In short: install libsecret-1-0, gnome-keyring, dbus-x11; run coderabbit auth login inside dbus-run-session.
Issue: Slow Performance (Windows Filesystem)
Symptoms: CodeRabbit runs slowly when repository is on Windows filesystem (/mnt/c/...)
Solutions:
-
Use VS Code Remote - WSL:
- Install “Remote - WSL” extension
- Open project in WSL mode:
code .(from WSL terminal)
-
Move Repository to WSL Filesystem (Optional):
Issue: Line Ending Conflicts
Solution:Issue: Reports Directory Not Found
Solution:Issue: Report File is Empty
Problem: Report file created but empty Solutions:-
Check if CodeRabbit found any changes:
-
Try with explicit type:
-
Check for errors:
Issue: Report Too Large
Problem: Report file is very large Solutions:- Review specific files only (if CodeRabbit supports it)
- Use
--prompt-onlyfor summary - Filter output:
Issue: CodeRabbit Not Using Configuration
Problem: CodeRabbit ignores.coderabbit.yaml
Solutions:
- Verify file is in repository root
- Check YAML syntax (use validator)
- Ensure file is committed to branch
- Check CodeRabbit app is installed
Issue: Knowledge Base Not Working
Problem: CodeRabbit doesn’t reference documentation Solutions:- Verify file paths are correct (relative to repo root)
- Ensure files exist and are committed
- Check file sizes (very large files may be skipped)
- Use absolute paths if needed
Issue: Too Many/Few Reviews
Problem: Reviews are too strict or lenient Solutions:- Adjust
reviews.profile: "assertive"→"chill"(those are the only two valid values) - Modify
reviews.path_instructions(NOTreview_instructions— that key does not exist) to be more/less specific - Update
reviews.path_filters(NOTpaths.ignored_paths) to exclude more files
Recent Improvements (2025-12-10)
Added Tools
- ✅ ESLint integration
- ✅ Gitleaks secret detection
Enhanced Path Instructions
- ✅ Edge function security patterns
- ✅ PHI/PII logging detection
- ✅ Config file review instructions
- ✅ Enhanced React/TypeScript patterns
Expanded Security Patterns
- ✅ SSRF prevention
- ✅ JWT validation requirements
- ✅ Error message security
- ✅ Input validation checks
Additional Resources
- CodeRabbit Docs: https://docs.coderabbit.ai
- Configuration Schema: https://coderabbit.ai/integrations/schema.v2.json
- Project Constitution:
constitution.md - AI Guide:
AI_GUIDE.md - Quick Reference: CODE_REVIEW_PROCESS.md - Daily commands section
Quick Reference Card
Maintained By: Development Team
Questions? See troubleshooting section, CODE_REVIEW_PROCESS.md for daily commands, or check CodeRabbit documentation.