Add CodeRabbit configuration

[Muneerali199]

Adds the standardized CodeRabbit configuration file
as discussed here :https://discord.com/channels/1022871757289422898/1235508903450775622/1474646668183081010

[coderabbitai]

Warning

Ignoring CodeRabbit configuration file changes. For security, only the configuration from the base branch is applied for open source repositories.

📝 Walkthrough

Walkthrough

A new CodeRabbit YAML configuration file is introduced, establishing IDE autocompletion, automated issue enrichment with labeling and planning, and a comprehensive review workflow. The configuration integrates 12+ analysis tools, defines review profiles with per-PR controls, establishes labeling and review instructions for various programming languages, and sets path-based filters.

Changes

Cohort / File(s)

Summary

CodeRabbit Configuration .coderabbit.yaml

Adds comprehensive CodeRabbit configuration enabling IDE autocompletion, automated review workflows with high-level summaries and sequence diagrams, issue enrichment (labeling and planning), per-path instructions for multiple programming languages, and integrations with tools including shellcheck, ruff, markdownlint, biome, hadolint, swiftlint, phpstan, golangci-lint, yamllint, gitleaks, checkov, detekt, and eslint.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 A config so grand, with tools aligned,
Automating checks of every kind,
Languages supported, filters refined,
Review workflows structured and designed—
CodeRabbit hops forth with purpose in mind! ✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'Add CodeRabbit configuration' directly and clearly describes the main change—the introduction of a new CodeRabbit YAML configuration file with comprehensive IDE and review automation settings.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

🧹 Nitpick comments (3)

.coderabbit.yaml (3)

7-8: Early access enabled without clear justification.

The comment says "currently not using any specific early_access features," yet it's set to true. Enabling early access opts into potentially unstable, breaking features as they roll out. Consider setting this to false until a specific early-access feature is actually needed, or update the comment to reflect which feature you intend to use.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.coderabbit.yaml around lines 7 - 8, The early access flag "early_access" is
enabled without justification; either disable it or document the specific
feature in use: change the "early_access" value to false to avoid opting into
unstable features, or update the surrounding comment to name the exact
early-access feature(s) you intend to use so the rationale is clear (refer to
the "early_access" entry in the .coderabbit.yaml file).

---

88-123: LGTM — tools section is valid per schema.

All tools are properly structured. Consider whether all of these are relevant to the project's actual tech stack (e.g., swiftlint, phpstan, golangci-lint, detekt for a project that may not use Swift/PHP/Go/Kotlin). Leaving them enabled is harmless (they simply won't trigger on unmatched files), but it does add noise to the configuration.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.coderabbit.yaml around lines 88 - 123, The tools list in the
.coderabbit.yaml includes many linters (tools, swiftlint, phpstan,
golangci-lint, detekt) that may be irrelevant to the repository's tech stack and
can cause noise; update the tools mapping to disable or remove linters not used
by the project (e.g., remove or set enabled: false for swiftlint, phpstan,
golangci-lint, detekt) so only applicable tools remain enabled, keeping the
configuration minimal and easier to maintain.

---

273-280: Asset review instructions reference mobile-specific concerns (@2x/@3x variants).

The instructions mention @2x and @3x image variants, which are iOS/React Native conventions. If this is a web-only project, these aren't applicable. This is consistent with the mixed Expo/NextJS guidance seen earlier — worth clarifying the project's target platform(s) to keep instructions relevant.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.coderabbit.yaml around lines 273 - 280, The asset review text references
mobile-specific image variants (`@2x/`@3x) which aren't applicable for web-only
projects; update the asset review block so it’s platform-aware: either remove
the `@2x/`@3x bullet and replace it with web-focused guidance (responsive sizes,
srcset/1x/2x, modern formats, and responsive breakpoints) when the project is
web-only, or make the checklist conditional/explicit about mobile targets if the
repo supports Expo/React Native; look for the bullets mentioning "@2x" and "@3x"
and adjust them to mention web alternatives (srcset, density descriptors) or
gate them behind a mobile-platform flag.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.coderabbit.yaml:
- Around line 170-197: The NextJS guidance block currently enforces "Ensure that
\"use client\" is being used" and "only features that allow pure client-side
rendering are used" which conflicts with Next.js App Router defaults; update the
NextJS instructions (the NextJS bullet under the path "**/*.{ts,tsx,js,jsx}") to
recommend preferring server components by default and only using "use client"
when component requires client-only features (state, effects, browser APIs);
also split or remove Expo/React Native specific security items (the Security
bullets referencing "expo-secure-store" and "Validate deep linking
configurations") from this path and instead create separate path-instruction
entries for React Native/Expo files (e.g., matching mobile-specific file
patterns) or clearly mark platform-specific guidance so web Next.js reviews do
not get mobile-specific checks.
- Around line 67-68: The inline comment is misleading relative to the setting
request_changes_workflow: update the configuration or the comment so they match:
either set request_changes_workflow to false if you want only non-blocking
comments, or keep it true and change the parenthetical note to explain that it
will submit blocking "Request Changes" reviews and will auto-approve when
comments are resolved; modify the line containing request_changes_workflow to
reflect the chosen behavior and update the adjacent comment text accordingly.
- Around line 152-165: The reviews.instructions key is invalid and must be moved
into reviews.path_instructions using a catch-all glob; remove or rename
reviews.instructions and create reviews.path_instructions with the glob "**"
mapping to the same instruction block so the rules apply across all files (refer
to the reviews.instructions entry in the current .coderabbit.yaml and replace it
with reviews.path_instructions: { "**": <your instruction list> } while
preserving the original instruction text).

---

Nitpick comments:
In @.coderabbit.yaml:
- Around line 7-8: The early access flag "early_access" is enabled without
justification; either disable it or document the specific feature in use: change
the "early_access" value to false to avoid opting into unstable features, or
update the surrounding comment to name the exact early-access feature(s) you
intend to use so the rationale is clear (refer to the "early_access" entry in
the .coderabbit.yaml file).
- Around line 88-123: The tools list in the .coderabbit.yaml includes many
linters (tools, swiftlint, phpstan, golangci-lint, detekt) that may be
irrelevant to the repository's tech stack and can cause noise; update the tools
mapping to disable or remove linters not used by the project (e.g., remove or
set enabled: false for swiftlint, phpstan, golangci-lint, detekt) so only
applicable tools remain enabled, keeping the configuration minimal and easier to
maintain.
- Around line 273-280: The asset review text references mobile-specific image
variants (`@2x/`@3x) which aren't applicable for web-only projects; update the
asset review block so it’s platform-aware: either remove the `@2x/`@3x bullet and
replace it with web-focused guidance (responsive sizes, srcset/1x/2x, modern
formats, and responsive breakpoints) when the project is web-only, or make the
checklist conditional/explicit about mobile targets if the repo supports
Expo/React Native; look for the bullets mentioning "@2x" and "@3x" and adjust
them to mention web alternatives (srcset, density descriptors) or gate them
behind a mobile-platform flag.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Misleading comment contradicts the actual behavior.

The inline comment says "(just leave comments)", but request_changes_workflow: true does the opposite — it submits Request Changes reviews that block the PR, then auto-approves once all comments are resolved. Either flip the value to false if you only want non-blocking comments, or fix the comment.

Proposed fix (if intent is to document correctly)

-  # Automatically request changes on the PR (just leave comments)
-  request_changes_workflow: true
+  # Submit "Request Changes" reviews; auto-approve once all comments are resolved
+  request_changes_workflow: true

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	# Automatically request changes on the PR (just leave comments)
	request_changes_workflow: true
	# Submit "Request Changes" reviews; auto-approve once all comments are resolved
	request_changes_workflow: true

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.coderabbit.yaml around lines 67 - 68, The inline comment is misleading
relative to the setting request_changes_workflow: update the configuration or
the comment so they match: either set request_changes_workflow to false if you
want only non-blocking comments, or keep it true and change the parenthetical
note to explain that it will submit blocking "Request Changes" reviews and will
auto-approve when comments are resolved; modify the line containing
request_changes_workflow to reflect the chosen behavior and update the adjacent
comment text accordingly.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# First, let's look at the file structure to understand the repo
echo "=== Repository structure ==="
git ls-files | head -20

echo -e "\n=== Looking for schema definitions or documentation ==="
fd -t f '\.(schema|md|yaml|yml|json)$' | grep -iE '(schema|config|coderabbit|doc)' | head -20

echo -e "\n=== Checking the actual .coderabbit.yaml file ==="
if [ -f ".coderabbit.yaml" ]; then
  wc -l .coderabbit.yaml
  echo "--- File exists, checking around lines 152-165 ---"
  sed -n '145,170p' .coderabbit.yaml
fi

Repository: AOSSIE-Org/OrgExplorer

Length of output: 2036

---

🏁 Script executed:

#!/bin/bash
# Search for any schema definition or documentation about reviews properties
echo "=== Searching for schema definitions ==="
find . -type f \( -name "*.json" -o -name "*.md" \) | xargs grep -l "additionalProperties" 2>/dev/null | head -10

echo -e "\n=== Searching for examples of reviews configuration ==="
rg -A 5 'reviews\s*:' --type yaml --type md 2>/dev/null | head -40

echo -e "\n=== Searching for path_instructions usage ==="
rg 'path_instructions' --type yaml --type md 2>/dev/null | head -20

Repository: AOSSIE-Org/OrgExplorer

Length of output: 631

---

🌐 Web query:

CodeRabbit .coderabbit.yaml schema reviews instructions property

💡 Result:

In CodeRabbit’s .coderabbit.yaml (schema: https://coderabbit.ai/integrations/schema.v2.json), there is no top-level reviews.instructions field; instead, “instructions” appears in these reviews properties: [1][2]

• reviews.high_level_summary_instructions: string (defaults to "") — customizes the high-level summary content/format. [1]
• reviews.auto_title_instructions: string (defaults to "") — customizes PR title generation. [1]
• reviews.labeling_instructions: array of objects (defaults to []) where each item has:
  • label: string
  • instructions: string (max length 3000) [1]
• reviews.path_instructions: array of objects (defaults to []) where each item has:
  • path: string (glob)
  • instructions: string (max length 20000) [1]

Sources: CodeRabbit YAML config (schema URL) [2], CodeRabbit configuration reference (updated 2026-02-11) [1].

---

reviews.instructions is not a valid configuration key — these review instructions will be silently ignored.

CodeRabbit's schema does not recognize instructions as a direct property under reviews. The valid properties are high_level_summary_instructions, auto_title_instructions, labeling_instructions, and path_instructions. To apply general review instructions across all files, move this configuration to path_instructions with a catch-all glob pattern **:

Proposed fix

-  # Review instructions that apply to all files
-  instructions: >-
-    - Verify that documentation and comments are free of spelling mistakes
-    - Ensure that test code is automated, comprehensive, and follows testing best practices
-    - Verify that all critical functionality is covered by tests
-    - Confirm that the code meets the project's requirements and objectives
-    - Confirm that copyright years are up-to date whenever a file is changed
-    - Point out redundant obvious comments that do not add clarity to the code
-    - Ensure that comments are concise and suggest more concise comment statements if possible
-    - Discourage usage of verbose comment styles such as NatSpec
-    - Look for code duplication
-    - Suggest code completions when:
-        - seeing a TODO comment
-        - seeing a FIXME comment
-
   # Custom review instructions for specific file patterns
   path_instructions:
+    # General instructions for all files
+    - path: "**"
+      instructions: |
+        - Verify that documentation and comments are free of spelling mistakes
+        - Ensure that test code is automated, comprehensive, and follows testing best practices
+        - Verify that all critical functionality is covered by tests
+        - Confirm that the code meets the project's requirements and objectives
+        - Confirm that copyright years are up-to date whenever a file is changed
+        - Point out redundant obvious comments that do not add clarity to the code
+        - Ensure that comments are concise and suggest more concise comment statements if possible
+        - Discourage usage of verbose comment styles such as NatSpec
+        - Look for code duplication
+        - Suggest code completions when:
+            - seeing a TODO comment
+            - seeing a FIXME comment
+
     # TypeScript/JavaScript files
     - path: "**/*.{ts,tsx,js,jsx}"

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.coderabbit.yaml around lines 152 - 165, The reviews.instructions key is
invalid and must be moved into reviews.path_instructions using a catch-all glob;
remove or rename reviews.instructions and create reviews.path_instructions with
the glob "**" mapping to the same instruction block so the rules apply across
all files (refer to the reviews.instructions entry in the current
.coderabbit.yaml and replace it with reviews.path_instructions: { "**": <your
instruction list> } while preserving the original instruction text).

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Contradictory NextJS guidance — enforcing "use client" everywhere undermines server components.

Lines 173–174 instruct the reviewer to ensure "use client" is always used and that only pure client-side rendering features are used. This contradicts Next.js App Router best practices, where server components are the default and preferred for performance. Blanket "use client" guidance will produce false-positive review comments on every server component.

Additionally, this block mixes Expo/React Native concerns (Line 190: expo-secure-store, Line 191: deep linking) with Next.js web concerns, which are distinct platforms. Consider splitting these into separate path-instruction entries or clarifying the project's actual stack.

Suggested revision for the NextJS section

         NextJS:
-        - Ensure that "use client" is being used
-        - Ensure that only features that allow pure client-side rendering are used
-        - NextJS best practices (including file structure, API routes, and static generation methods) are used.
+        - Ensure "use client" is only added to components that require client-side interactivity (e.g., hooks, event handlers, browser APIs).
+        - Prefer server components where possible for better performance.
+        - Follow NextJS best practices (file structure, API routes, static generation methods).

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	- path: "**/*.{ts,tsx,js,jsx}"
	instructions: |
	NextJS:
	- Ensure that "use client" is being used
	- Ensure that only features that allow pure client-side rendering are used
	- NextJS best practices (including file structure, API routes, and static generation methods) are used.
	TypeScript:
	- Avoid 'any', use explicit types
	- Prefer 'import type' for type imports
	- Review for significant deviations from Google JavaScript style guide. Minor style issues are not a priority
	- The code adheres to best practices associated with React
	- The code adheres to best practices associated with React PWA
	- The code adheres to best practices associated with SPA
	- The code adheres to best practices recommended by lighthouse or similar tools for performance
	- The code adheres to best practices associated with Node.js
	- The code adheres to best practices recommended for performance
	Security:
	- No exposed API keys or sensitive data
	- Use expo-secure-store for sensitive storage
	- Validate deep linking configurations
	- Check for common security vulnerabilities such as:
	- SQL Injection
	- XSS (Cross-Site Scripting)
	- CSRF (Cross-Site Request Forgery)
	- Insecure dependencies
	- Sensitive data exposure
	- path: "**/*.{ts,tsx,js,jsx}"
	instructions: |
	NextJS:
	- Ensure "use client" is only added to components that require client-side interactivity (e.g., hooks, event handlers, browser APIs).
	- Prefer server components where possible for better performance.
	- Follow NextJS best practices (file structure, API routes, static generation methods).
	TypeScript:
	- Avoid 'any', use explicit types
	- Prefer 'import type' for type imports
	- Review for significant deviations from Google JavaScript style guide. Minor style issues are not a priority
	- The code adheres to best practices associated with React
	- The code adheres to best practices associated with React PWA
	- The code adheres to best practices associated with SPA
	- The code adheres to best practices recommended by lighthouse or similar tools for performance
	- The code adheres to best practices associated with Node.js
	- The code adheres to best practices recommended for performance
	Security:
	- No exposed API keys or sensitive data
	- Use expo-secure-store for sensitive storage
	- Validate deep linking configurations
	- Check for common security vulnerabilities such as:
	- SQL Injection
	- XSS (Cross-Site Scripting)
	- CSRF (Cross-Site Request Forgery)
	- Insecure dependencies
	- Sensitive data exposure

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.coderabbit.yaml around lines 170 - 197, The NextJS guidance block currently
enforces "Ensure that \"use client\" is being used" and "only features that
allow pure client-side rendering are used" which conflicts with Next.js App
Router defaults; update the NextJS instructions (the NextJS bullet under the
path "**/*.{ts,tsx,js,jsx}") to recommend preferring server components by
default and only using "use client" when component requires client-only features
(state, effects, browser APIs); also split or remove Expo/React Native specific
security items (the Security bullets referencing "expo-secure-store" and
"Validate deep linking configurations") from this path and instead create
separate path-instruction entries for React Native/Expo files (e.g., matching
mobile-specific file patterns) or clearly mark platform-specific guidance so web
Next.js reviews do not get mobile-specific checks.

[Muneerali199]

Sir @Zahnentferner , I would appreciate your review whenever you’re free. Please let me know if any further improvements are needed.