Initialize repo-scoped code review policy files under .opencode/review. Use when setting up project-specific review rules for /code-review.
```
npx skill4agent add ajoslin/dot init-review-policy
```

Files: /code-review/review, .opencode/review/policy.md, .opencode/review/checklist.md, .opencode/review/severity.yml, vcs-detect, .opencode/review/

`.opencode/review/policy.md`:

# Review Policy
## Scope
- Applies to all code reviews in this repository.
- Overrides generic review defaults where explicitly stated.
## Critical Domains
- Authentication and authorization
- Data integrity and migrations
- Secrets, credentials, and PII handling
- Billing, quota, and financial calculations
## Must-Flag Findings
- Security vulnerabilities with practical exploit paths
- Silent data loss or corruption risks
- Backward-incompatible API or schema changes without migration plan
- Missing rollback/guardrails for risky deploy paths
## Usually Ignore
- Pure style nits unless they hide correctness issues
- Hypothetical edge cases without realistic trigger paths
## Repo-Specific Rules
- Add project rules here (framework constraints, architecture boundaries, test expectations)
## Required Review Output
- Severity: critical | high | medium | low
- File and line reference for every issue
- Why this is a bug/risk in this repository
- Concrete fix suggestion

`.opencode/review/checklist.md`:

# Review Checklist
## Correctness
- Logic matches intended behavior and existing contracts
- Error handling is explicit and testable
## Security
- No new injection/authz/secrets/PII exposure paths
## Data and Migrations
- Schema changes include compatibility and rollback notes
## Performance
- No obvious unbounded hot-path regressions
## Operations
- Logging/metrics/alerts are sufficient for new risk areas
## Testing
- Critical paths have adequate coverage for changed behavior

`.opencode/review/severity.yml`:

```yaml
severity:
  critical:
    - remote code execution
    - auth bypass
    - irreversible data loss
  high:
    - privilege escalation
    - data corruption risk
    - breaking migration without rollback
  medium:
    - reliability regression on common paths
    - significant performance regression
  low:
    - minor maintainability risk
    - non-blocking robustness gaps
rules:
  require_file_line_reference: true
  require_concrete_fix: true
  deduplicate_findings: true
```
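The `rules` block in severity.yml and the "Required Review Output" list in policy.md describe the same contract: every finding carries a severity from the ranked list, a file and line reference and a concrete fix, and the same issue is reported once. The following is an added example, not code from the ajoslin/dot skill: it parses the small YAML subset the file uses without a third-party library and applies the three rules to a set of constructed findings. The `Finding` dataclass, the sample findings and the parser itself are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed copy of the severity.yml shown on the page (added example, not the skill's file).
SEVERITY_YML = """\
severity:
  critical:
    - remote code execution
    - auth bypass
    - irreversible data loss
  high:
    - privilege escalation
    - data corruption risk
    - breaking migration without rollback
  medium:
    - reliability regression on common paths
    - significant performance regression
  low:
    - minor maintainability risk
    - non-blocking robustness gaps
rules:
  require_file_line_reference: true
  require_concrete_fix: true
  deduplicate_findings: true
"""

def parse_simple_yaml(text: str) -> dict:
    """Parse the subset severity.yml uses: nested mappings, indented lists of scalars, true/false."""
    root: dict = {}
    # Frame = (indent of the key line, mapping holding the key, key); mapping[key] starts
    # as {} and is swapped for a list at the first "- " line nested beneath it.
    frames = [(-1, {"root": root}, "root")]
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indent, line = len(raw) - len(raw.lstrip(" ")), raw.strip()
        while indent <= frames[-1][0]:
            frames.pop()  # back out to the frame this line nests under
        _, holder, key = frames[-1]
        container = holder[key]
        if line.startswith("- "):
            if isinstance(container, dict) and not container:
                container = holder[key] = []
            if not isinstance(container, list):
                raise ValueError(f"list item under a mapping: {raw!r}")
            container.append(line[2:].strip())
            continue
        k, sep, v = line.partition(":")
        if not sep or not isinstance(container, dict):
            raise ValueError(f"expected a 'key:' line: {raw!r}")
        k, v = k.strip(), v.strip()
        if not v:
            container[k] = {}
            frames.append((indent, container, k))
        else:
            container[k] = v.lower() == "true" if v.lower() in ("true", "false") else v
    return root

@dataclass(frozen=True)
class Finding:  # hypothetical shape of one review finding
    severity: str
    file: str
    line: Optional[int]
    summary: str
    fix: str = ""

def validate_findings(findings: List[Finding], config: dict) -> Tuple[List[Finding], List[str]]:
    """Apply the rules block; return accepted findings (most severe first) and rejection reasons."""
    levels = list(config["severity"])  # key order in the file is the rank order
    rules = config["rules"]
    accepted, problems, seen = [], [], set()
    for f in findings:
        if f.severity not in levels:
            problems.append(f"{f.summary}: unknown severity {f.severity!r}")
        elif rules.get("require_file_line_reference") and (not f.file or f.line is None):
            problems.append(f"{f.summary}: missing file:line reference")
        elif rules.get("require_concrete_fix") and not f.fix.strip():
            problems.append(f"{f.summary}: no concrete fix suggested")
        else:
            key = (f.file, f.line, f.summary.strip().lower())
            if rules.get("deduplicate_findings") and key in seen:
                continue  # same issue reported twice
            seen.add(key)
            accepted.append(f)
    accepted.sort(key=lambda f: levels.index(f.severity))
    return accepted, problems

# Constructed findings: two valid, one without a line, one without a fix, one duplicate.
SAMPLE_FINDINGS = [
    Finding("low", "src/util.py", 12, "Unused local variable", fix="Remove the assignment."),
    Finding("critical", "src/auth.py", 88, "Token compared with ==", fix="Use hmac.compare_digest."),
    Finding("high", "src/db.py", None, "Migration drops a column", fix="Add a reversible down migration."),
    Finding("medium", "src/api.py", 40, "N+1 query in list endpoint", fix=""),
    Finding("critical", "src/auth.py", 88, "token compared with ==", fix="Use hmac.compare_digest."),
]

if __name__ == "__main__":
    ok, rejected = validate_findings(SAMPLE_FINDINGS, parse_simple_yaml(SEVERITY_YML))
    print([f"{f.severity} {f.file}:{f.line} {f.summary}" for f in ok], rejected)
```

Running the module prints the accepted findings and the rejections: the low finding is accepted but ordered after the critical one, the finding without a line number and the one without a fix are rejected, and the repeated token finding is dropped by deduplication. The parser only handles the shapes present in severity.yml (lists must be indented deeper than their key), so a real setup would load the file with a full YAML library instead.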