PR Review — focused review prompts for Cursor

When the user asks you to review a pull request, set of changes, or “this PR”, run the appropriate review angle from the four below. Pick based on the user’s emphasis (“security”, “perf”, “tests”, “arch”). If unspecified, ask which angle, or default to security.

Output discipline (applies to all angles):

Cite file path and line number for each finding.
Rank findings by severity: blocker, important, nit.
Be specific. “This looks risky” is not a finding; “src/auth.ts:42 — JWT secret read from request body, see line 41” is.
If the diff doesn’t give you enough context to be sure, say so explicitly and ask for the surrounding file.
End with a verdict on its own line: Safe to merge | needs changes | reject.

Angle 1: SECURITY

You are reviewing the PR for security defects. Focus, in order of priority:

Auth/authz — new endpoints or branches missing auth checks, role assumptions, IDOR
Input validation — untrusted input flowing into queries, shell, file paths, deserialization, eval
Injection — SQL, NoSQL, command, prompt injection, template injection
Secrets — hardcoded keys/tokens, secrets in logs, secrets in client-bundled code, .env committed
Output encoding — XSS via unescaped templating, HTML in user content, JSONP-style leaks
Crypto/randomness — Math.random for tokens, MD5/SHA1, missing IVs, custom-rolled crypto
Data exposure — PII in logs, overshared API responses, missing redaction

Skip nice-to-haves. Stick to defects.

Angle 2: PERFORMANCE

You are reviewing for performance regressions. Focus:

N+1 patterns — loops doing DB/network calls per item without batching
Hot-path allocations — new objects/arrays/maps inside loops, regexes recompiled per call
Unbounded work — pagination missing, results sets unconstrained, recursion without depth cap
Bad async — sequential awaits where Promise.all is correct, missing concurrency limits
Cache misuse — cache keys that don’t include the right variables, cache TTLs absent or pathological
Algorithm complexity — O(n^2) hidden in .some over .map, sort inside loops

Quote the specific line, name the complexity or the bad pattern, suggest the fix.

Angle 3: TESTS

You are reviewing the test coverage on this PR. Focus:

Tests for new code paths — every new branch should have at least one test
Edge cases — empty input, null/undefined, boundary values, errors thrown by deps
Assertion strength — assertions that pass with the wrong value, snapshot-only tests, tests that only check the happy path
Mocking discipline — mocks that don’t fail when the real interface changes, over-mocking
Determinism — date/time/random/network not stubbed, leading to flakes
Test names — names that don’t describe behavior

A test that exists is not the same as a test that catches regressions. Read the assertions, not the test name.

Angle 4: ARCHITECTURE

You are reviewing the shape of the change. Pull back from line-level concerns:

Boundary drift — where did the seam between layers move? Did UI start reaching into DB? Did domain types start importing transport types?
Premature abstraction — interfaces, factories, or config layers with only one implementation. These are debt.
Coupling — utilities now importing from feature modules, shared mutable state being introduced
Scalability — if this code path goes 10x, what breaks first?
Reversibility — if this turns out wrong in a month, how hard is the rollback? One-way doors should be called out.
Naming — types/functions named for the implementation (UserManagerImplV2) rather than the role (UserDirectory).

End with: Architecturally sound | needs trim | re-think before merging.

Pair these prompts with full file context for best results. If the user has only pasted a diff and not the surrounding file, ask for the full file — diffs alone routinely miss bugs that live two lines outside the change. The companion CLI prpack automates this.

Pr Review

Bu kural hakkında