Skip to main content
Version: 3.3.0
Last Updated: 2026-06-28
Config: .coderabbit.yaml v2.8.0 (right-sized + advisory 2026-06-28; prior v2.7.2 / 2026-06-03)
Status: ✅ Fully Configured — ADVISORY posture (does not block merges)
Complete guide to CodeRabbit setup, configuration, and usage for the Encore OS Platform (repository: encoreos-platform). See also: CODERABBIT_IMPROVEMENTS.md (archived; recommendations implemented in v2.5.0).

What’s new since config v2.5.0 (2026-02-05)

Platform .coderabbit.yaml refresh (2026-05-15) aligns with CodeRabbit product updates through mid-2026:
  • Security tools: Explicit enable for OpenGrep, TruffleHog, Trivy (IaC/containers), and Stylelint (CSS/SCSS), alongside existing ESLint/Biome/Semgrep/OSV/etc.
  • Secrets: gitleaks continues to run; CodeRabbit now uses the Betterleaks backend (comment in config).
  • Slop detection: slop_detection.label: "ai-slop" for PR triage when suspicious patterns are flagged.
  • Chat: allow_non_org_members: false so PR chat stays with org members (healthcare-appropriate default).
  • Labels: core:cl, core:pm, and core:it added to labeling_instructions alongside existing core/platform labels.
  • Auto-pause: auto_pause_after_reviewed_commits: 12 — reviews pause after twelve reviewed commits; resume with @coderabbitai review (tune to 0 if you need every push reviewed without pause).
  • Knowledge base: Additional filePatterns for UI_CONSISTENCY_REVIEW.md and SPEC_COMMAND_CHEATSHEET.md.
  • Product surface (reference): CodeRabbit continues to ship Skills/CLI integration, finishing touches (autofix/simplify flows where enabled), issue planner, and multi-repo analysis — see CodeRabbit changelog for the latest.

Config v2.8.0 (2026-06-28) — right-sizing + advisory posture

A deep review found CodeRabbit was gate theater: an elaborate 1089-line hard-blocking config that (a) was chronically “prepaid credits exhausted” so it rarely ran, and (b) was not a branch-protection required check and is --admin-bypassed by babysit-automerge.yml — so blocking only produced CHANGES_REQUESTED dismissal toil with zero real enforcement. It is nonetheless net-positive when it runs (it caught the Plaid #1771 publicly-invocable edge fn + 4 criticals, and the WENO #1909 cross-org join / Part-2 gap). So we kept it and right-sized it to run reliably on the high-value lanes:
  • Advisory posture: request_changes_workflow: false, fail_commit_status: false. CodeRabbit comments but does not block. Process rule: on high-value lanes (edge fns, migrations, regulated cores), read its comments before merging.
  • Credit minimization: path_filters now exclude docs/**, specs/**, *.md, generated files, and the bulk of scripts/** (keeping scripts/database/** + scripts/security/** — the CI-gate logic). drafts: false; auto_pause_after_reviewed_commits: 12 → 3; base_branches: .* → [development, main]; issue auto_planning narrowed to opt-in labels (plan-me, ready-for-engine).
  • Right-sizing: disabled dead-weight scanners with no surface in this repo (checkov, htmlhint, stylelint, trivy, languagetool); removed the Core Boundary and Code Quality (Deterministic) custom checks because npm run check-architecture and the northsight/require-usequery-freshness ESLint rule already enforce them as REQUIRED CI — leaving the 3 semantic checks (Multi-Tenant & RLS, PHI/PII, Jurisdiction & EKRA). Trimmed CI-redundant path_instruction bullets.
  • Promoted a recurring bug class to credit-free CI: new scripts/database/check-view-security-invoker.ts in the migration-guard gate flags any newly-added migration that creates a view without security_invoker = on (the CL-69 #1892 PHI-leak class) — caught even when CodeRabbit is out of credits.
  • Guide corrections: removed the non-existent balanced/strict profile values (only chill / assertive exist); fixed the early_access description; corrected review_instructionspath_instructions and paths.ignored_pathspath_filters in Troubleshooting.
Follow-up completed 2026-06-29 (same PR): learnings.approval_delay: 7 added (schema-verified); skillspector + zizmor enabled with their target paths brought into path_filters scope (automation/{skills,agents,commands}/**, .github/workflows/**); Rule B shipped as a credit-free CI ratchet (scripts/security/check-edge-fn-org-scope.ts — flags edge-fn service-role writes trusting a body-supplied org/user id, baseline-grandfathered); cost/sourcing analysis written (CODERABBIT_COST_ANALYSIS_2026-06.md). Still owner/dashboard (cannot be set from YAML): the actual funding decision — enable the Usage-Based Add-On (capped auto-refill) vs. an Enterprise self-host quote (see the cost analysis); and a recurring Scheduled Report as HIPAA evidence. Both are dashboard actions — see §Org-level settings below.

Config v2.7.2 (2026-06-03)

  • Bug fix — config parsing/schema-validation errors resolved: Two issues flagged by CodeRabbit’s schema validation were fixed in .coderabbit.yaml:
    • reviews.suggested_reviewers_instructions was authored as a free-text block scalar (string), but the v2 schema requires an array of { reviewers: [{ handle, type }], instructions } objects. It is now structured correctly, with bare GitHub handles (no leading @) and type: user. Add type: group entries for teams as the team grows (GitHub only).
    • reviews.instructions is not a field in the v2 schema and was being silently ignored. It was removed, and its guidance relocated to tone_instructions (security / multi-tenancy / PHI-PII priority — already present) plus path_instructions for docs/**/*.md (accuracy over markdown nits) and **/*.sh (correctness/idempotency over style; large-normalization transformation-logic focus).
  • Stale comment corrected: the pre_merge_checks.custom_checks comment claimed maxItems 5; the current schema allows up to 50 custom checks (we use 5).
  • How to verify: validate .coderabbit.yaml against schema.v2.json (the # yaml-language-server: $schema=... directive enables this in editors), or run @coderabbitai configuration on a PR to confirm CodeRabbit accepts the parsed config.

Config v2.7.1 (2026-06-02)

  • Bug fix — custom ast-grep rules now run: tools.ast-grep.rule_dirs pointed at a non-existent rules/ directory, so the project’s custom rules were silently skipped. Corrected to eslint-rules/ (no-core-to-core-import.yml, no-console-log.yml, no-return-null-loading.yml).
  • Presidio is now opt-in: As of 2026-05-08 the Microsoft Presidio analyzer no longer runs by default. The explicit presidio.enabled: true in .coderabbit.yaml is required — removing it silently disables PHI/PII scanning.
  • New merge-blocking check — “Jurisdiction & EKRA Risk”: 5th pre_merge_checks.custom_checks entry (mode: error) promotes PF-96 hardcoding and EKRA referral risk from advisory path instructions to a blocking gate.
  • Suggested reviewers aligned to CODEOWNERS: suggested_reviewers_instructions now routes high-risk and regulated-core paths to the CODEOWNERS owner (single maintainer today; swap in SME handles as the team grows).
  • CLI minimum bumped to v0.5.0+: the coderabbit-review skill documents coderabbit doctor (diagnostics) and coderabbit review findings (replay cached findings without spending a new review).
  • Bootstrap installs the CLI: scripts/setup/web-env-setup.sh now installs the CodeRabbit CLI (skip with --skip-coderabbit).

Org-level settings (CodeRabbit dashboard — not in .coderabbit.yaml)

Some 2026 features are configured in the CodeRabbit web dashboard, not this repo’s YAML. They cannot be set from the repository and are tracked here so they aren’t forgotten:
  • Global Overrides (shipped 2026-04-16): organization-wide enforcement settings that supersede per-repository .coderabbit.yaml. Use to guarantee a baseline (e.g. assertive profile, request-changes workflow, secret scanning) across all Encore-OS repos. Configure under Organization Settings → Global Overrides. Relevant here because knowledge_base.learnings.scope / issues.scope / pull_requests.scope are already global.
  • Custom roles & permissions (2026-02-24) and the Custom Roles API (2026-05-31): per-resource access levels for who may override pre-merge checks. Pairs with our pre_merge_checks.override_requested_reviewers_only: true.
  • Audit Logs (2026-03-25): tamper-resistant log of administrative actions, exportable via REST API — useful HIPAA evidence.
Action item: if/when sibling repos exist, set Global Overrides to enforce the security baseline org-wide rather than relying on each repo’s YAML.

Owner runbook — make reviews actually run (dashboard)

The config right-sizing (v2.8.0) cut per-PR spend, but reviews still won’t run during agent-fleet bursts until the Usage-Based Add-On is enabled (see CODERABBIT_COST_ANALYSIS_2026-06.md for the cost model and the self-host comparison).
  1. Confirm the plan is Pro Plus. Several enabled features (custom pre-merge checks, finishing touches) silently no-op below Pro+. Organization Settings → Billing/Plan.
  2. Enable the Usage-Based Add-On with auto-refill. Organization Settings → Usage / Add-On → turn on the add-on → set Auto-refill (refill threshold + top-off amount) and a monthly cap (~500tostart;500 to start; 0.25/reviewed file). This is what ends “prepaid credits exhausted” — over-limit reviews then continue instead of silently skipping.
  3. Set up a Scheduled Report (HIPAA evidence). Organization Settings → Reports → Scheduled Reports → create a weekly or monthly report (review volume, findings, overrides) delivered to the owner / a shared inbox. Exportable, dated — cheap recurring compliance evidence. Record that it exists here once configured.
  4. Decide funding vs. self-host. Work the recommendation + checklist in the cost analysis (confirm seat count; confirm a BAA with CodeRabbit; get an Enterprise/self-host quote). For a behavioral-health ERP the deciding factor is likely the BAA / in-perimeter / audit-log posture, not raw cost.

Table of Contents

  1. Quick Start
  2. Setup
  3. Configuration
  4. CLI Commands
  5. Output Modes
  6. Workflow Patterns
  7. Reporting
  8. Best Practices
  9. Troubleshooting

Quick Start

Current Setup Status ✅

  • CodeRabbit CLI: Installed (see coderabbit --version)
  • Configuration: .coderabbit.yaml v2.7.0+ with custom checks, path instructions, ast-grep rules, and knowledge base
  • Tools: ESLint, Biome, OXC, Gitleaks (Betterleaks), OpenGrep, TruffleHog, Trivy, Stylelint, Semgrep, OSV Scanner, SQLFluff, markdownlint, yamllint, shellcheck, and others (see .coderabbit.yaml)
  • Profile: Assertive (comprehensive reviews)
  • Knowledge Base: Root governance files (constitution.md, AGENTS.md, .cursor/BUGBOT.md, etc.) and auto-detected .cursorrules, AGENTS.md, .cursor/rules

Quick Commands

Common Workflows

Before Committing:
After Feature Complete:
Generate Reports (markdown by severity):
(Run bash scripts/utils/setup-coderabbit-aliases.sh once to install aliases.) Plain reports (single file):
See also: CODE_REVIEW_PROCESS.md for daily commands and quick start workflow

Setup

CodeRabbit CLI does not support native Windows; use WSL and optionally a Windows PATH wrapper. 1. Install in WSL (one-time) From a WSL terminal (in or outside the repo):
Or install globally via official installer:
The install script puts the binary in ~/.coderabbit/bin (or ~/.local/bin) and adds it to your shell PATH in ~/.bashrc / ~/.zshrc. 2. Add CodeRabbit to Windows PATH (optional) To run coderabbit from PowerShell or CMD (and have it run inside WSL with the current directory), use the repo wrapper:
  1. Add this repo’s scripts/bin folder to your Windows user PATH:
    • Environment Variables → User (or System) → Path → Edit → New.
    • Add the full path to scripts\bin, e.g. C:\Users\YourName\encoreos-platform\scripts\bin.
    • OK and restart any open terminals.
  2. From PowerShell/CMD, in your repo directory:
The wrapper (scripts/bin/coderabbit.cmd) runs wsl coderabbit ... with the current Windows directory converted to a WSL path. See scripts/bin/README.md for details. Verify (from WSL):
If coderabbit auth login fails with libsecret not available: See CODERABBIT_CLI_WSL_AUTH.md for the fix (install libsecret/gnome-keyring, use dbus-run-session).

Git Configuration (CRITICAL)

Configure git for Windows/WSL compatibility to prevent line-ending issues:
Why: Prevents line-ending conflicts between Windows (CRLF) and Linux (LF) when using git in both environments.

Performance Optimization

Option A: Keep Repository in Windows (Current Setup)

  • Pros: Works with Windows IDEs, easy file access
  • ⚠️ Cons: Slower file I/O performance in WSL
  • Best for: When you primarily use Windows-based tools
  • Pros: Much faster file operations, better WSL performance
  • ⚠️ Cons: Need to use VS Code Remote - WSL for editing
  • Best for: When you want optimal CodeRabbit performance
To migrate (optional):
Access from Windows: \\wsl$\Ubuntu\home\<user>\projects\encoreos-platform Benefits:
  • Edit files in Windows VS Code UI
  • Terminal runs in WSL (native performance)
  • Seamless integration with CodeRabbit CLI
  • Best of both worlds
Setup Steps:
  1. Install Extension:
    • Open VS Code
    • Install “Remote - WSL” extension (ms-vscode-remote.remote-wsl)
  2. Open Project in WSL:
    This opens VS Code in WSL mode automatically.
  3. Use Integrated Terminal:
    • VS Code terminal will be WSL by default
    • Run coderabbit directly (PATH already configured)

Convenience Aliases

Run the setup script to automatically add aliases to your shell config:

Manual Setup

Add to ~/.bashrc or ~/.zshrc:
Activate:
Based on your current setup, here’s the recommended configuration:
  • Keep repository in Windows (current location)
  • Use VS Code Remote - WSL for editing
  • Run CodeRabbit from WSL terminal (via VS Code integrated terminal)
  • Best of both worlds: Windows file access + WSL performance

Option 2: Full WSL Migration (Best Performance)

  • Clone repository to ~/projects/ in WSL (e.g. encoreos-platform)
  • Use VS Code Remote - WSL exclusively
  • Maximum performance for CodeRabbit and git operations
  • Access files from Windows: \\wsl$\Ubuntu\home\<user>\projects\

Setup Verification

Run the verification script:
Or manually verify:

Configuration

Configuration File

Location: .coderabbit.yaml (repository root) The configuration is optimized for:
  • ✅ Multi-tenant healthcare platform security
  • ✅ TypeScript/React/Supabase codebase
  • ✅ Architecture boundary enforcement
  • ✅ Security vulnerability detection

Key Settings

Source of truth: .coderabbit.yaml (repository root). Summary of current config:

Review Profile

Current: assertive (comprehensive) Why:
  • Enterprise healthcare platform needs thorough reviews
  • Catches critical security issues
  • Enforces architecture boundaries
  • Multi-tenant isolation validation
Valid values (only two):
  • chill: lenient — fewer, higher-confidence comments. Too lenient for healthcare/enterprise.
  • assertive: ⭐ comprehensive — chosen for this platform.
⚠️ There is NO balanced or strict profile. The CodeRabbit v2 schema accepts only chill and assertive; any other value is rejected/ignored. (Corrected 2026-06-28 — the prior guide listed non-existent balanced/strict values, which would have silently broken the profile.)

Configuration Breakdown

Language & Access

  • Language: English (US) for consistent terminology
  • Early Access: Enabled for stable features only (per config comment)

Review Settings

Benefits:
  • High-level summary provides PR overview
  • Auto-review ensures all PRs get reviewed
  • Drafts are reviewed to catch issues early

Paths Configuration

Included Paths:
  • ✅ Source code (src/**)
  • ✅ Database migrations (supabase/**)
  • ✅ Tests (tests/**)
  • ✅ Specifications (specs/**)
  • ✅ Documentation (docs/**)
  • ✅ Configuration files (*.yaml, *.json, *.ts)
Ignored Paths:
  • ❌ Dependencies (node_modules/**)
  • ❌ Build artifacts (dist/**, build/**)
  • ❌ Lock files (*.lock, bun.lockb)
  • ❌ IDE configs (.vscode/**, .idea/**)
  • ❌ Generated reports (reports/**)
Why exclude these?
  • Dependencies are external code (not our responsibility)
  • Build artifacts are generated (review source instead)
  • Lock files are auto-generated
  • Reports are CodeRabbit output (circular)

Knowledge Base

The configuration points CodeRabbit to key documentation:
Why this matters:
  • CodeRabbit understands our architecture rules
  • Enforces core boundaries and import patterns
  • Validates against our coding standards
  • References integration patterns

Review Instructions

Custom instructions guide CodeRabbit to:
  • ✅ Enforce core boundaries (no cross-core imports)
  • ✅ Validate import paths (@/shared/, @/platform/)
  • ✅ Check multi-tenancy (organization_id, RLS)
  • ✅ Flag security issues (PHI handling, RLS patterns)
  • ✅ Verify performance patterns (React.lazy, QueryClient)
  • ✅ Reference key documents

Configuration Priority

  1. Branch-specific .coderabbit.yaml (if exists in feature branch)
  2. Main branch .coderabbit.yaml (fallback)
  3. Organization defaults (if configured)
  4. CodeRabbit defaults (last resort)

Customization

Adjust Review Strictness

More lenient:
More comprehensive:

Add More Documentation

Add to knowledge_base.code_guidelines.filePatterns:
Note: File patterns are glob patterns. Root-level files apply to the whole repo; files in subdirectories apply only to their directory tree. Custom patterns supplement the auto-detected defaults (AGENTS.md, CLAUDE.md, .cursor/rules/, etc.) rather than replacing them.

Customize Paths

Include additional paths:
Exclude more patterns:

Tools Configuration

ESLint:
  • Auto-detects eslint.config.js
  • Catches linting violations
  • Enforces code style
Gitleaks:
  • Detects hardcoded secrets
  • Critical for healthcare platform
  • Aligns with secrets management policy

Path-Specific Instructions

CodeRabbit applies different review criteria based on file type: SQL Files (supabase/**/*.sql):
  • RLS policies on ALL business tables
  • SECURITY DEFINER functions (prevent recursion)
  • Multi-tenant isolation (organization_id, site_id)
  • No hardcoded secrets
  • Proper indexes for performance
React/TypeScript (src/**/*.{ts,tsx}):
  • React.lazy() for route components
  • Skeleton loaders (not null)
  • useCurrentUser hook usage
  • Static Supabase imports
  • useEffect for side effects
  • No direct core-to-core imports
  • No PHI/PII logging
  • Zod validation for forms
Edge Functions (supabase/functions/**/*.ts):
  • JWT validation when using service role key
  • Organization context extraction
  • Organization_id filtering in ALL queries
  • URL validation (prevent SSRF)
  • CORS headers configured
  • Error messages don’t leak PHI/PII
  • Input validation on all parameters
Test Files (tests/**/*.ts):
  • RLS policy coverage
  • Multi-tenant test scenarios
  • No hardcoded secrets
  • Proper cleanup and isolation

What CodeRabbit Flags

Security Issues:
  • ❌ Missing JWT validation in edge functions
  • ❌ Missing organization_id in queries
  • ❌ SSRF vulnerabilities (no URL validation)
  • ❌ Hardcoded secrets or API keys
  • ❌ PHI/PII in logs or error messages
Architecture Violations:
  • ❌ Direct imports between cores
  • ❌ Missing organization_id in business tables
  • ❌ RLS policies without SECURITY DEFINER functions
  • ❌ Direct route imports (should use React.lazy)
Code Quality:
  • return null for loading states
  • ❌ Using useState for side effects
  • ❌ Dynamic Supabase imports
  • ❌ Missing error handling
  • ❌ Non-null assertion operators (!)

CLI Commands

Command Options

Review Types

  • --type uncommitted: Quick feedback on work-in-progress
  • --type committed: Review staged/committed changes
  • --type all: Comprehensive review (slower, more thorough)

Workflow Integration

Pre-Commit Reviews

Post-Commit Reviews


Output Modes

--prompt-only (Minimal, Token-Efficient)

Command: cr-quick or coderabbit --prompt-only Output:
  • ✅ Minimal prompts for AI assistants
  • ✅ Token-efficient (saves API costs)
  • ✅ Quick summaries
  • ❌ No detailed explanations
  • ❌ No code snippets
  • ❌ No context/background
Best for:
  • AI coding assistants (Cursor, GitHub Copilot)
  • Quick checks during development
  • When you need minimal output
Example output:

--plain (Detailed Feedback)

Command: coderabbit --plain or cr-plain Output:
  • ✅ Detailed explanations
  • ✅ Code snippets and examples
  • ✅ Context and background
  • ✅ Actionable suggestions
  • ✅ More comprehensive
  • ❌ Larger output (more tokens)
Best for:
  • Manual code reviews
  • Understanding issues deeply
  • Learning from feedback
  • Comprehensive analysis
Example output:
Suggested fix:
Why this matters:
  • Unhandled promise rejections can crash the application
  • Users won’t see error feedback
  • Debugging becomes difficult
Before Committing:
For PRs:
  • CodeRabbit automatically reviews PRs in UI
  • Most comprehensive feedback
  • Team collaboration

Workflow Patterns

CodeRabbit + Lovable Workflow

This workflow uses CodeRabbit reports with Lovable for automated code improvements.

Local Report Generation (cr-lovable)

Reports are generated locally via the cr-lovable aliases. No GitHub workflow is used. Setup: Run once from the repo root to add aliases to your shell config:
Aliases (all produce markdown by severity in reports/active/markdown/coderabbit-<timestamp>/): Output directory: reports/active/markdown/coderabbit-<timestamp>/
  • 00-SUMMARY.md — Overview, severity counts, top impacted files, priority actions
  • 01-CRITICAL.md — Critical issues (security, architecture, data integrity)
  • 02-MAJOR.md — Major issues
  • 03-MINOR.md — Minor issues
  • 04-TRIVIAL.md — Trivial suggestions
  • 05-OUTSIDE-DIFF.md — Findings outside the diff (if any)
  • 00-PROMPT-ONLY.md — Present only when run with --prompt-only; token-efficient prompts for AI agents
Use with Lovable: Copy the summary or severity files and paste into Lovable for fixes.

Manual Workflow (Alternative)

Workflow Overview:

Step-by-Step Process

1. Generate Detailed Report
Recommended (markdown by severity):
Or plain report only:
What cr-lovable does:
  • Runs CodeRabbit and parses output by severity
  • Writes 00-SUMMARY.md, 01-CRITICAL.md through 05-OUTSIDE-DIFF.md in reports/active/markdown/coderabbit-<timestamp>/
  • Optionally adds 00-PROMPT-ONLY.md when using --prompt-only
  • Includes code snippets, explanations, and AI prompts in each severity file
2. Review the Report
3. Feed to Lovable
Option A: Copy Report Content
  1. Open the report file
  2. Copy the entire content
  3. Paste into Lovable chat with prompt:
Option B: Reference the File
  1. Upload the report file to Lovable
  2. Use prompt:
4. Lovable Applies Fixes
Lovable will:
  • ✅ Read the CodeRabbit report
  • ✅ Understand the issues
  • ✅ Apply suggested fixes
  • ✅ Update code accordingly
  • ✅ Maintain code quality
5. Iterate
After Lovable applies fixes:
  1. Regenerate report to verify fixes:
  2. Check for remaining issues
  3. Repeat if needed

Example Lovable Prompts

Basic Prompt

Detailed Prompt

Integration with Development Workflow

Daily Development:
Feature Completion:

When to Run Reviews

Good times:
  • Before committing significant changes
  • After implementing a feature
  • Before creating a pull request
  • When refactoring code
Skip reviews for:
  • Documentation-only changes
  • Simple formatting fixes
  • Generated files

Reporting

Quick Methods

Method 1: Simple Output Redirection

Save review output to a file:

Method 2: Save Both Output and Errors

Capture both standard output and errors:

Method 3: View and Save Simultaneously

Use tee to see output while saving:

Parse AI prompts from an existing PR

To extract CodeRabbit comments and AI prompts from a pull request on GitHub (e.g. to work through review feedback in Cursor/Copilot), use one of the PR-based parsers. Both fetch comments from the GitHub API and write markdown by severity; each also produces a consolidated AI prompt file you can copy-paste into another AI to fix all listed issues. Which script to use: Requirements:
  • Node parser: GITHUB_TOKEN with repo (or public_repo for public repos). For local runs, add GITHUB_TOKEN=ghp_... to .env.local (gitignored); the npm script loads it automatically.
  • Bash script: GitHub CLI (gh) authenticated (gh auth login).
Commands (example: PR 346):
Other examples:
Direct script (without npm): use node --env-file=.env.local scripts/utils/parse-pr-coderabbit-comments.js <PR> [output-dir] or set GITHUB_TOKEN in your shell. Output (Node): 00-SUMMARY.md, 01-CRITICAL.md through 05-UNCLASSIFIED.md, and 06-AI-PROMPT-CONSOLIDATED.md. The consolidated file contains one copy-paste block; paste it into Cursor, Copilot, or another AI to fix all listed issues. Individual findings also include Problem, Proposed Fix, and AI Agent Prompt in the severity files. Output (Bash): 00-SUMMARY.md, 01-CRITICAL.md through 04-TRIVIAL.md, and 05-AI-PROMPT-CONSOLIDATED.md. Same use: copy the consolidated prompt into your AI assistant to address all comments.

Report Types

Quick Report (--prompt-only)

Command: cr-quick or coderabbit --prompt-only Characteristics:
  • ✅ Minimal output (token-efficient)
  • ✅ Quick to generate
  • ✅ Designed for AI assistants
  • ❌ No detailed explanations
  • ❌ No code snippets
  • ❌ Limited context
File Size: ~5-10 KB (small) Best For:
  • Quick checks during development
  • AI assistant integration
  • When you need minimal output

Detailed Report (--plain)

Command: cr-report or coderabbit --plain Characteristics:
  • ✅ Detailed explanations
  • ✅ Code snippets included
  • ✅ Context provided
  • ✅ Actionable suggestions
  • ✅ Issue categorization
  • ❌ Larger file size
  • ❌ Takes longer to generate
File Size: ~50-200 KB (larger) Best For:
  • Manual code reviews
  • Feeding to Lovable
  • Understanding issues deeply
  • Comprehensive analysis

Report Comparison

For Lovable Workflow

✅ Use Detailed Report

Why:
  • Lovable needs context to understand issues
  • Code snippets help Lovable see the problem
  • Detailed explanations guide fixes
  • Better results with more information
Command:

❌ Don’t Use Quick Report

Why:
  • Too minimal for Lovable
  • Lacks context
  • No code snippets
  • Harder for Lovable to understand

Report Organization

Using Aliases for Reports

The aliases configured in setup automatically:
  • Create reports/ directory if needed
  • Generate timestamped filenames
  • Save both output and errors
  • Provide confirmation message
Usage:
Markdown Report Output: The cr-lovable aliases generate markdown files organized by severity in reports/active/markdown/coderabbit-<timestamp>/:
  • 00-SUMMARY.md - Overview with counts and top impacted files
  • 01-CRITICAL.md - Critical issues (security, data integrity)
  • 02-MAJOR.md - Major issues (architecture, multi-tenancy)
  • 03-MINOR.md - Minor issues (code quality, best practices)
  • 04-TRIVIAL.md - Trivial issues (refactoring suggestions)
  • 05-OUTSIDE-DIFF.md - Issues outside the diff (if any)

Best Practices

1. Use Timestamps

Always include timestamps in filenames:

2. Organize Reports

Create a dedicated directory:

3. Include Context

Add metadata to reports:

4. Review Type Selection

  • --type uncommitted: For work-in-progress reviews
  • --type committed: For reviewing staged changes
  • --type all: For comprehensive reviews

5. Output Format

  • --plain: Always use for reports (removes interactive formatting)
  • --prompt-only: For minimal output (AI assistant integration)

Example Workflows

Daily Development Report:
Feature Completion Report:

Best Practices

1. Review Before Committing

2. Use Appropriate Output Mode

  • Development: cr-plain (detailed feedback)
  • AI Assistants: cr-quick (token-efficient)
  • CI/CD: cr-report (save to file)

3. Address Security Issues First

CodeRabbit prioritizes:
  1. Security vulnerabilities (SSRF, JWT validation, etc.)
  2. Multi-tenant isolation violations
  3. Architecture boundary violations
  4. Code quality issues

4. Review Reports Regularly

Check reports/ directory for saved reviews:
  • Full reports for comprehensive analysis
  • Quick reports for AI assistant context
  • Uncommitted reports for pre-commit checks

5. Keep Configuration Updated

When architecture changes:
  • Update .coderabbit.yaml
  • Add new docs to knowledge base
  • Update review instructions

6. Integrate with Workflow

  • Run reviews before committing
  • Use reports for documentation
  • Share findings with team

7. Learnings and Quarterly Review

CodeRabbit stores learnings from PR feedback (scope set in .coderabbit.yaml under knowledge_base.learnings.scope). To keep reviews consistent:
  • Quarterly: In the CodeRabbit app, go to Learnings and review/remove outdated or conflicting learnings. Filter by date or topic; delete learnings that reference deprecated patterns or old file layouts.
  • Scope: Use global if all org repos share the same standards; use local if you have repos with different tech stacks to avoid cross-contamination.
  • Reinforcement: If learnings seem ignored, add a path instruction that says: “Before responding, review all Learnings to ensure none are ignored.”
Related: CodeRabbit Learnings

Troubleshooting

Issue: CodeRabbit Not Found

Solution:

Issue: Authentication Required

Solution:

Issue: Authentication Failed (libsecret not available)

Symptoms: OAuth completes but CLI reports Error [ERR_SECRETS_PLATFORM_ERROR]: libsecret not available Solution: See CODERABBIT_CLI_WSL_AUTH.md. In short: install libsecret-1-0, gnome-keyring, dbus-x11; run coderabbit auth login inside dbus-run-session.

Issue: Slow Performance (Windows Filesystem)

Symptoms: CodeRabbit runs slowly when repository is on Windows filesystem (/mnt/c/...) Solutions:
  1. Use VS Code Remote - WSL:
    • Install “Remote - WSL” extension
    • Open project in WSL mode: code . (from WSL terminal)
  2. Move Repository to WSL Filesystem (Optional):

Issue: Line Ending Conflicts

Solution:

Issue: Reports Directory Not Found

Solution:

Issue: Report File is Empty

Problem: Report file created but empty Solutions:
  1. Check if CodeRabbit found any changes:
  2. Try with explicit type:
  3. Check for errors:

Issue: Report Too Large

Problem: Report file is very large Solutions:
  1. Review specific files only (if CodeRabbit supports it)
  2. Use --prompt-only for summary
  3. Filter output:

Issue: CodeRabbit Not Using Configuration

Problem: CodeRabbit ignores .coderabbit.yaml Solutions:
  1. Verify file is in repository root
  2. Check YAML syntax (use validator)
  3. Ensure file is committed to branch
  4. Check CodeRabbit app is installed

Issue: Knowledge Base Not Working

Problem: CodeRabbit doesn’t reference documentation Solutions:
  1. Verify file paths are correct (relative to repo root)
  2. Ensure files exist and are committed
  3. Check file sizes (very large files may be skipped)
  4. Use absolute paths if needed

Issue: Too Many/Few Reviews

Problem: Reviews are too strict or lenient Solutions:
  1. Adjust reviews.profile: "assertive""chill" (those are the only two valid values)
  2. Modify reviews.path_instructions (NOT review_instructions — that key does not exist) to be more/less specific
  3. Update reviews.path_filters (NOT paths.ignored_paths) to exclude more files

Recent Improvements (2025-12-10)

Added Tools

  • ✅ ESLint integration
  • ✅ Gitleaks secret detection

Enhanced Path Instructions

  • ✅ Edge function security patterns
  • ✅ PHI/PII logging detection
  • ✅ Config file review instructions
  • ✅ Enhanced React/TypeScript patterns

Expanded Security Patterns

  • ✅ SSRF prevention
  • ✅ JWT validation requirements
  • ✅ Error message security
  • ✅ Input validation checks

Additional Resources


Quick Reference Card


Maintained By: Development Team
Questions? See troubleshooting section, CODE_REVIEW_PROCESS.md for daily commands, or check CodeRabbit documentation.