The AI Pull Request Reviewer: Get a Senior Engineer's Eyes on Your Code Before Every Merge
Why this prompt matters
Most code bugs that reach production are not found in reviews because reviews are inconsistent — the reviewer is tired, distracted, or focuses on style while missing logic errors. A structured prompt with defined categories and required severity levels forces coverage of the issues that actually matter: correctness, security, and error handling. It also produces reviews that explain the why behind every finding, which builds understanding rather than just producing a checklist of changes to make.
What we use it for
You have a PR open, it's been waiting for review for two days, and the person who normally reviews your security-sensitive code is OOO. Or you are a solo developer shipping a feature and want a second pair of eyes before deploying. Or you are a senior engineer who wants to pre-check your own work before asking colleagues to spend time on it. This prompt gives you a structured review that covers the categories most likely to become production incidents.
Prompt
Role: Act as a senior software engineer with 10+ years of experience doing code reviews. You have a strong bias toward correctness, maintainability, and security. You write reviews that teach — not just list problems — because you want the author to understand the why, not just fix the what. Context: I am submitting a pull request for review. The code is written in [LANGUAGE: e.g., Python / TypeScript / Go / Rust / Java]. The codebase is [TYPE: e.g., a REST API / a frontend React app / a CLI tool / a data pipeline]. The PR is doing the following: [DESCRIBE WHAT THE PR DOES IN 1-3 SENTENCES]. The most important things for this codebase are [PRIORITIES: e.g., performance / security / readability / test coverage / backward compatibility]. Task: Review this code as a senior engineer doing a thorough pre-merge review. Go beyond surface-level issues. Look for: 1. Correctness bugs — logic errors, edge cases, off-by-one errors, null/undefined handling, incorrect assumptions about input 2. Security vulnerabilities — injection risks, authentication flaws, insecure data handling, exposed secrets, unsafe deserialization 3. Performance issues — unnecessary allocations, N+1 query patterns, blocking operations, missing indexes, inefficient algorithms 4. Maintainability problems — functions doing too much, poor naming, missing abstractions, code duplication, hard-coded values that should be configurable 5. Error handling gaps — unhandled exceptions, swallowed errors, missing logging for failure cases, no retry logic where needed 6. Test coverage — are the happy path, error cases, and edge cases all tested? Are the tests testing the right things? 7. API and interface design — is this the right abstraction? Will this be easy to change later? Are there breaking changes? 8. Concurrency and race conditions — if applicable to the language and context Constraints: - Every finding must include: the specific location or pattern (line, function, or concept), the severity (Critical / High / Medium / Low / Nitpick), and the explanation of why it is a problem — not just that it is. - Do not invent problems. Only flag what you can see in the code. - If something is genuinely well done, say so briefly — a good review acknowledges what works. - Do not rewrite the entire function in your review unless the existing implementation is fundamentally broken. - Separate blocking issues (must fix before merge) from non-blocking suggestions (good to fix, but optional for this PR). - If you lack enough context to assess something, say so explicitly rather than guessing. Output Format: 1. Summary (2-3 sentences: overall assessment, biggest concerns, merge readiness) 2. Blocking Issues — must fix before merge (severity, location, explanation, suggested fix) 3. Non-Blocking Issues — recommended improvements (severity, location, explanation) 4. Security Check — pass / flag / needs-closer-look, with brief reasoning 5. Test Coverage Assessment — adequate / thin / missing, with specific gaps 6. What is well done (1-3 specific positives) 7. Suggested questions for the author (things you need clarification on before approving) Code to review: [PASTE YOUR DIFF OR CODE HERE]
Result
SUMMARY
This PR adds a user authentication endpoint with JWT token issuance. The core logic is sound and the structure is clean, but there are two blocking security issues — a timing attack vulnerability in password comparison and missing token expiry validation — plus one high-severity missing error case that could expose internal stack traces to API consumers. Test coverage is thin on the error paths. Not merge-ready as-is, but close.
BLOCKING ISSUES
1. Timing attack in password comparison
Severity: Critical
Location: comparePasswords() function, line 34
Problem: Using a simple string equality check (userPassword === hashedPassword) for password comparison is vulnerable to timing attacks. An attacker who sends many requests can measure response time differences to enumerate valid usernames or reconstruct password hashes character by character.
Fix: Replace with a constant-time comparison function. In Node.js use crypto.timingSafeEqual(). In Python use hmac.compare_digest(). Never use == for secret comparisons.
2. JWT token expiry not validated on refresh
Severity: Critical
Location: refreshToken() handler, line 89
Problem: The refresh endpoint checks token signature validity but does not verify the exp claim against the current timestamp. An expired access token can be used to generate a fresh token indefinitely, effectively making tokens immortal and defeating the purpose of expiry.
Fix: Add explicit exp check: if (decoded.exp < Math.floor(Date.now() / 1000)) throw new TokenExpiredError(). Most JWT libraries have a built-in option for this — set ignoreExpiration: false explicitly rather than relying on default behavior.
3. Unhandled database error exposes stack trace
Severity: High
Location: loginHandler() catch block, line 67
Problem: The catch block re-throws the raw database error object directly to the Express error handler, which in the current middleware configuration will serialize the full stack trace into the 500 response body. This leaks internal file paths, dependency versions, and query structure to API consumers.
Fix: Log the raw error internally with a correlation ID, then return a generic error response: res.status(500).json({ error: 'Authentication service error', correlationId: uuid }).
NON-BLOCKING ISSUES
4. Magic numbers for token expiry
Severity: Medium
Location: Lines 45 and 102
Problem: Token expiry durations are hard-coded as 900 and 86400 (seconds). These should be named constants or environment-configurable values so they can be changed without a code deployment, and so the next developer understands what these numbers represent.
Suggestion: const ACCESS_TOKEN_TTL_SECONDS = parseInt(process.env.ACCESS_TOKEN_TTL ?? '900', 10)
5. Missing rate limiting on login endpoint
Severity: Medium
Location: loginHandler route registration
Problem: There is no rate limiting on POST /auth/login. This allows unlimited password brute-force attempts. This might be handled at the infrastructure level (API gateway, load balancer), but if not, it should be at the application level.
Suggestion: Add express-rate-limit or equivalent middleware, or at minimum document that infrastructure-level rate limiting covers this endpoint.
6. Function does two things
Severity: Low (Nitpick)
Location: validateAndDecodeToken(), line 78
Problem: This function both validates the token signature AND extracts the user ID from the payload, returning both as a tuple. These are two distinct concerns and should probably be separate functions, or the return value should be a typed object with clearly named fields rather than a positional tuple.
SECURITY CHECK: FLAG
Blocking issues (1 and 2) make this endpoint insecure in its current state. After fixes, recommend a second security-focused pass.
TEST COVERAGE ASSESSMENT: THIN
Happy path (valid credentials → token returned) is covered. Missing:
- Expired token refresh attempt (the blocking issue above)
- Invalid password attempt — verify 401, not 500
- Malformed JWT in Authorization header
- Database connection failure during login
- Rate limiting behavior (if applicable)
WHAT IS WELL DONE
1. Token rotation on refresh is implemented correctly — the old refresh token is invalidated when a new one is issued. This is easy to get wrong and it is done right here.
2. Password hashing uses bcrypt with a cost factor of 12, which is appropriate.
3. The middleware composition is clean and easy to follow.
QUESTIONS FOR THE AUTHOR
1. Is there infrastructure-level rate limiting on this endpoint? If yes, please document it in the code or README so it is not duplicated.
2. Is token revocation (logout/blocklist) in scope for this PR or a follow-up? The current architecture does not support it, which should be a conscious decision, not an oversight.
<p>Most developers have experienced both ends of the code review spectrum. On one end: the approver who clicks through in thirty seconds and leaves a single emoji. On the other: the senior engineer who comes back with two pages of line-by-line notes covering correctness, security, maintainability, and testing — and explains why each issue matters rather than just marking it wrong. The second kind of review makes you a better developer. It is also the kind that takes time to get, especially from people who are already overloaded.</p>
<p>This prompt is an attempt to bring some of that second experience to every pull request. It structures the review into the categories that matter — correctness bugs, security vulnerabilities, performance, error handling, test coverage — and requires the model to explain every finding with location, severity, and reasoning before suggesting a fix.</p>
<h2>The problem with generic "review my code" prompts</h2>
<p>Ask a language model to "review this code" without structure and you will usually get a flat list of observations with no prioritisation and no explanation of severity. The model may flag a variable naming inconsistency at the same level of urgency as a timing attack vulnerability. It may congratulate you on your clean structure and then fail to notice the unhandled null pointer that crashes in production on the first empty input.</p>
<p>The structure in this prompt forces prioritisation. Blocking issues — things that must be fixed before merge — are separated from non-blocking suggestions. Every finding requires a severity level (Critical, High, Medium, Low, Nitpick), a specific location, and an explanation of why the issue exists rather than just what to do about it. The security check and test coverage assessment are explicit sections rather than afterthoughts.</p>
<h2>How to use it</h2>
<p>Fill in four context fields at the top: the programming language, the type of codebase, a one-to-three sentence description of what the PR does, and the priorities that matter most for this codebase. Then paste the diff or the relevant code at the bottom.</p>
<p>The context fields make a meaningful difference to output quality. A model that knows this is a Python REST API with a security-first priority will catch different things than one reviewing Go CLI code where performance is the priority. The description of what the PR is trying to accomplish helps the model evaluate whether the implementation actually achieves the goal, rather than just checking style.</p>
<p>For very large PRs, paste the most critical files first — authentication, data handling, public API interfaces — and ask for a separate pass on utility or configuration changes. Most models with 100k+ context windows can handle medium-sized PRs in a single pass.</p>
<h2>What you get back</h2>
<p>The output format produces seven sections: a plain-language summary with merge readiness assessment, blocking issues with fixes, non-blocking suggestions, a security verdict, a test coverage assessment with specific gaps, acknowledgement of what is well done, and clarifying questions for the author. The example output in this post shows a review of a JWT authentication endpoint — note how the timing attack finding explains both the mechanism of the attack and the specific library function to use for the fix.</p>
<p>The "what is well done" section is not optional nicety. Reviews that only enumerate problems miss the signal that good code sends — that the author understands the design intent and should keep doing what works. It also models what thoughtful code review actually looks like for developers who have not yet had a senior engineer as a mentor.</p>
<h2>Limitations worth knowing</h2>
<p>This prompt produces better results on code the model has training exposure to. It will catch more issues in Python, TypeScript, Java, and Go than in niche domain-specific languages. It cannot analyse runtime behaviour, profiling traces, or production logs — only what is visible in the diff. For security-critical systems, AI code review should supplement rather than replace a human security review, particularly for cryptographic implementations and authentication flows.</p>
<p>The model will occasionally flag false positives — issues that are not actually bugs given context it does not have. The constraint asking it to explicitly flag when it lacks context helps reduce this, but treating every finding as a starting point for investigation rather than a verdict produces better outcomes.</p>