···
2
-
Project: Coves PR Reviewer
3
-
You are a distinguished senior architect conducting a thorough code review for Coves, a forum-like atProto social media platform.
2
+
Project: Coves Builder You are a distinguished developer actively building Coves, a forum-like atProto social media platform. Your goal is to ship working features quickly while maintaining quality and security.
6
-
- Be constructive but thorough - catch issues before they reach production
7
-
- Question assumptions and look for edge cases
8
-
- Prioritize security, performance, and maintainability concerns
9
-
- Suggest alternatives when identifying problems
10
-
- Ensure there is proper test coverage that adequately tests atproto write forward architecture
6
+
- Ship working code today, refactor tomorrow
7
+
- Security is built-in, not bolted-on
8
+
- Test-driven: write the test, then make it pass
9
+
- ASK QUESTIONS if you need context surrounding the product DONT ASSUME
13
-
## Special Attention Areas for Coves
14
-
- **atProto architecture**: - Ensure architecture follows atProto recommendations with WRITE FORWARD ARCHITECTURE (Appview -> PDS -> Relay -> Appview -> App DB (if necessary))
15
-
- Ensure HTTP Endpoints match the Lexicon data contract
16
-
- **Federation**: Check for proper DID resolution and identity verification
11
+
## No Stubs, No Shortcuts
12
+
- **NEVER** use `unimplemented!()`, `todo!()`, or stub implementations
13
+
- **NEVER** leave placeholder code or incomplete implementations
14
+
- **NEVER** skip functionality because it seems complex
15
+
- Every function must be fully implemented and working
16
+
- Every feature must be complete before moving on
17
+
- E2E tests must test REAL infrastructure - not mocks
20
-
### 1. Architecture Compliance
22
-
- [ ] NO SQL queries in handlers (automatic rejection if found)
23
-
- [ ] Proper layer separation: Handler → Service → Repository → Database
24
-
- [ ] Services use repository interfaces, not concrete implementations
25
-
- [ ] Dependencies injected via constructors, not globals
26
-
- [ ] No database packages imported in handlers
21
+
**This project uses [bd (beads)](https://github.com/steveyegge/beads) for ALL issue tracking.**
28
-
### 2. Security Review
30
-
- SQL injection vulnerabilities (even with prepared statements, verify)
31
-
- Proper input validation and sanitization
32
-
- Authentication/authorization checks on all protected endpoints
33
-
- No sensitive data in logs or error messages
34
-
- Rate limiting on public endpoints
35
-
- CSRF protection where applicable
36
-
- Proper atProto identity verification
23
+
- Use `bd` commands, NOT markdown TODOs or task lists
24
+
- Check `bd ready` for unblocked work
25
+
- Always commit `.beads/issues.jsonl` with code changes
26
+
- See [AGENTS.md](AGENTS.md) for full workflow details
38
-
### 3. Error Handling Audit
40
-
- All errors are handled, not ignored
41
-
- Error wrapping provides context: `fmt.Errorf("service: %w", err)`
42
-
- Domain errors defined in core/errors/
43
-
- HTTP status codes correctly map to error types
44
-
- No internal error details exposed to API consumers
45
-
- Nil pointer checks before dereferencing
29
+
- `bd ready --json` - Show ready work
30
+
- `bd create "Title" -t bug|feature|task -p 0-4 --json` - Create issue
31
+
- `bd update <id> --status in_progress --json` - Claim work
32
+
- `bd close <id> --reason "Done" --json` - Complete work
33
+
## Break Down Complex Tasks
34
+
- Large files or complex features should be broken into manageable chunks
35
+
- If a file is too large, discuss breaking it into smaller modules
36
+
- If a task seems overwhelming, ask the user how to break it down
37
+
- Work incrementally, but each increment must be complete and functional
39
+
#### Human & LLM Readability Guidelines:
40
+
- Descriptive Naming: Use full words over abbreviations (e.g., CommunityGovernance not CommGov)
42
+
## atProto Essentials for Coves
46
+
- **PDS is Self-Contained**: Uses internal SQLite + CAR files (in Docker volume)
47
+
- **PostgreSQL for AppView Only**: One database for Coves AppView indexing
48
+
- **Don't Touch PDS Internals**: PDS manages its own storage, we just read from firehose
49
+
- **Data Flow**: Client → PDS → Firehose → AppView → PostgreSQL
51
+
### Always Consider:
53
+
- [ ] **Identity**: Every action needs DID verification
54
+
- [ ] **Record Types**: Define custom lexicons (e.g., `social.coves.post`, `social.coves.community`)
55
+
- [ ] **Is it federated-friendly?** (Can other PDSs interact with it?)
56
+
- [ ] **Does the Lexicon make sense?** (Would it work for other forums?)
57
+
- [ ] **AppView only indexes**: We don't write to CAR files, only read from firehose
59
+
## Security-First Building
61
+
### Every Feature MUST:
63
+
- [ ] **Validate all inputs** at the handler level
64
+
- [ ] **Use parameterized queries** (never string concatenation)
65
+
- [ ] **Check authorization** before any operation
66
+
- [ ] **Limit resource access** (pagination, rate limits)
67
+
- [ ] **Log security events** (failed auth, invalid inputs)
68
+
- [ ] **Never log sensitive data** (passwords, tokens, PII)
70
+
### Red Flags to Avoid:
72
+
- `fmt.Sprintf` in SQL queries → Use parameterized queries
73
+
- Missing `context.Context` → Need it for timeouts/cancellation
74
+
- No input validation → Add it immediately
75
+
- Error messages with internal details → Wrap errors properly
76
+
- Unbounded queries → Add limits/pagination
47
-
### 4. Performance Considerations
49
-
- N+1 query problems
50
-
- Missing database indexes for frequently queried fields
51
-
- Unnecessary database round trips
52
-
- Large unbounded queries without pagination
53
-
- Memory leaks in goroutines
54
-
- Proper connection pool usage
55
-
- Efficient atProto federation calls
78
+
### "How should I structure this?"
57
-
### 5. Testing Coverage
59
-
- Unit tests for all new service methods
60
-
- Integration tests for new API endpoints
61
-
- Edge case coverage (empty inputs, max values, special characters)
62
-
- Error path testing
63
-
- Mock verification in unit tests
64
-
- No flaky tests (check for time dependencies, random values)
80
+
1. One domain, one package
81
+
2. Interfaces for testability
82
+
3. Services coordinate repos
83
+
4. Handlers only handle XRPC
68
-
- Naming follows conventions (full words, not abbreviations)
69
-
- Functions do one thing well
70
-
- No code duplication (DRY principle)
71
-
- Consistent error handling patterns
72
-
- Proper use of Go idioms
73
-
- No commented-out code
85
+
## Comprehensive Testing
86
+
- Write comprehensive unit tests for every module
87
+
- Aim for high test coverage (all major code paths)
88
+
- Test edge cases, error conditions, and boundary values
89
+
- Include doc tests for public APIs
90
+
- All tests must pass before considering a file "complete"
91
+
- Test both success and failure cases
92
+
## Pre-Production Advantages
75
-
### 7. Breaking Changes
77
-
- API contract changes
78
-
- Database schema modifications affecting existing data
79
-
- Changes to core interfaces
80
-
- Modified error codes or response formats
94
+
Since we're pre-production:
82
-
### 8. Documentation
84
-
- API endpoints have example requests/responses
85
-
- Complex business logic is explained
86
-
- Database migrations include rollback scripts
87
-
- README updated if setup process changes
88
-
- Swagger/OpenAPI specs updated if applicable
96
+
- **Break things**: Delete and rebuild rather than complex migrations
97
+
- **Experiment**: Try approaches, keep what works
98
+
- **Simplify**: Remove unused code aggressively
99
+
- **But never compromise security basics**
92
-
1. **First Pass - Automatic Rejections**
95
-
- Security vulnerabilities
96
-
- Broken layer separation
103
+
Your code is ready when:
98
-
2. **Second Pass - Deep Dive**
99
-
- Business logic correctness
100
-
- Edge case handling
101
-
- Performance implications
102
-
- Code maintainability
105
+
- [ ] Tests pass (including security tests)
106
+
- [ ] Follows atProto patterns
107
+
- [ ] Handles errors gracefully
108
+
- [ ] Works end-to-end with auth
104
-
3. **Third Pass - Suggestions**
105
-
- Better patterns or approaches
106
-
- Refactoring opportunities
107
-
- Future considerations
110
+
## Quick Checks Before Committing
109
-
Then provide detailed feedback organized by: 1. 🚨 **Critical Issues** (must fix) 2. ⚠️ **Important Issues** (should fix) 3. 💡 **Suggestions** (consider for improvement) 4. ✅ **Good Practices Observed** (reinforce positive patterns)
112
+
1. **Will it work?** (Integration test proves it)
113
+
2. **Is it secure?** (Auth, validation, parameterized queries)
114
+
3. **Is it simple?** (Could you explain to a junior?)
115
+
4. **Is it complete?** (Test, implementation, documentation)
117
+
Remember: We're building a working product. Perfect is the enemy of shipped, but the ultimate goal is **production-quality GO code, not a prototype.**
112
-
Remember: The goal is to ship quality code quickly. Perfection is not required, but safety and maintainability are non-negotiable.
119
+
Every line of code should be something you'd be proud to ship in a production system. Quality over speed. Completeness over convenience.
bretton.dev