Code Review Prompts: Beyond "Looks Good to Me"
13 copy-ready AI code review prompts that surface real bugs, security holes, perf issues, and test gaps — plus which 2026 review bots to pair them with.
Code review, bug audit, SEO audit, Claude Code, Codex, refactor, tests, README, security audit.
36 articles
Coding prompts are not "write me this app" — good ones execute one concrete action in a known context: review a diff, write a test set, generate a README. This hub covers 12 dev scenarios: code review, bug audit, SEO audit, Claude Code execution, Codex review, refactor, test generation, READMEs, migration planning, architecture review, security audit, and deployment checks. Built for developers using Claude Code, Codex, Cursor, or similar AI coding tools.
New to this hub? Read these three first:
13 copy-ready AI code review prompts that surface real bugs, security holes, perf issues, and test gaps — plus which 2026 review bots to pair them with.
Whole-repo audit prompts for Claude Code, Codex, and Cursor — architecture smells, dead code, security risks, dependency drift, and test gaps in one structured pass.
12 copy-ready prompts to brief Claude Code (or Codex) on real engineering work — scoped features, surgical bug fixes, migrations, refactors, TDD, perf, CI debugging — mapped to Plan Mode and /rewind.
axe-core catches ~57% of WCAG issues. 12 copy-ready prompts for keyboard order, focus management, screen-reader copy, WCAG 2.2 target size, and motion preferences.
Go from "it broke" to a minimal, deterministic repro in one prompt. 12 copy-ready templates for shrinking inputs, isolating env, and writing a failing test that lasts.
Stop guessing at red CI. 12 prompt templates that narrow build and test failures by environment, cache, dependency, flake, and order of operations.
Stop dumping git log into release notes. 12 prompt templates to turn commits / PRs into a user-facing changelog that's honest, brief, and useful. Updated June 2026.
When CI is slow, flaky, or lies green, audit it. 12 copy-ready prompts for GitHub Actions / GitLab CI / CircleCI on caching, parallelism, secrets, and gates — with 2026 runner costs.
Inherited a 200-file codebase? 12 prompt templates to infer naming, layering, error-handling, and dependency conventions before you write a single new line.
axe-core catches ~57% of WCAG issues. 12 copy-ready prompts for keyboard order, focus management, screen-reader copy, WCAG 2.2 target size, and motion preferences.
Go from "it broke" to a minimal, deterministic repro in one prompt. 12 copy-ready templates for shrinking inputs, isolating env, and writing a failing test that lasts.
Stop guessing at red CI. 12 prompt templates that narrow build and test failures by environment, cache, dependency, flake, and order of operations.
Stop dumping git log into release notes. 12 prompt templates to turn commits / PRs into a user-facing changelog that's honest, brief, and useful. Updated June 2026.
When CI is slow, flaky, or lies green, audit it. 12 copy-ready prompts for GitHub Actions / GitLab CI / CircleCI on caching, parallelism, secrets, and gates — with 2026 runner costs.
Inherited a 200-file codebase? 12 prompt templates to infer naming, layering, error-handling, and dependency conventions before you write a single new line.
axe-core catches ~57% of WCAG issues. 12 copy-ready prompts for keyboard order, focus management, screen-reader copy, WCAG 2.2 target size, and motion preferences.
Go from "it broke" to a minimal, deterministic repro in one prompt. 12 copy-ready templates for shrinking inputs, isolating env, and writing a failing test that lasts.
Stop guessing at red CI. 12 prompt templates that narrow build and test failures by environment, cache, dependency, flake, and order of operations.
Stop dumping git log into release notes. 12 prompt templates to turn commits / PRs into a user-facing changelog that's honest, brief, and useful. Updated June 2026.
When CI is slow, flaky, or lies green, audit it. 12 copy-ready prompts for GitHub Actions / GitLab CI / CircleCI on caching, parallelism, secrets, and gates — with 2026 runner costs.
Inherited a 200-file codebase? 12 prompt templates to infer naming, layering, error-handling, and dependency conventions before you write a single new line.
12 migration review prompts that catch table-locking ALTERs, backfill races, and silent column drops across Postgres, MySQL, and SQLite. Tested against Opus 4.7 and GPT-5.5.
Turn a flaky, screenshot-heavy e2e suite into a small, fast, deterministic plan. 13 copy-ready prompts for journeys, selectors, auth fixtures, flake triage, and PR coverage, tuned for Playwright 1.59 (2026).
Before you flip the flag, run a rollout risk review. 12 prompts for phased rollout plans, guardrail metrics, abort criteria, and customer comms — tuned for 2026 tooling.
12 migration prompts that produce a real phased plan with rollback at every step, not "rewrite everything". Covers Next.js App Router, Postgres, auth swaps, monolith→service, monorepo.
12 prompt templates to hand work between Claude Code subagents — research, plan, implement, review, ship — without losing context. Updated for June 2026.
When p99 spikes, you need triage not vibes. 12 prompt templates for diffing perf signals, hunting N+1s, JS bundle bloat, render storms, and DB plan changes — current for June 2026.
14 copy-ready AI PR review prompts that find real issues — diff-scoped, blast-radius aware, severity-ranked. Plus the 2026 tool landscape (Copilot, Claude Code, CodeRabbit, Bugbot).
Release-day prompts that build a real go/no-go checklist, not a generic 'check the build'. 13 templates for staging, canary, rollback, and observability.
12 prompt templates to rank tech debt by impact × effort × decay risk — mapped to WSJF, with model picks for June 2026.
Stop asking AI to 'write tests for this.' 14 copy-ready unit-test prompts for boundaries, error paths, mocks vs fakes, parameterized suites, and regression locks — tuned for Vitest 4, Jest 30, pytest 9.
15 architecture review prompts that surface real layering bugs, dependency cycles, and boundary leaks — with file:line evidence, not generic "consider DDD" advice.
15 copy-ready prompts to audit Firebase Security Rules, indexes, Cloud Functions, Auth, and App Check — updated for 2nd-gen functions (June 2026).
Whole-repo audit prompts for Claude Code, Codex, and Cursor — architecture smells, dead code, security risks, dependency drift, and test gaps in one structured pass.
15 copy-ready Next.js App Router code review prompts for Next.js 16 — server/client boundaries, server actions, use cache, cacheTag, proxy.ts, streaming. Updated June 2026.
15 Supabase Row-Level Security review prompts: auth.uid() checks, WITH CHECK coverage, service_role bypass, storage bucket RLS, SECURITY DEFINER, and the (select auth.uid()) perf fix.
12 copy-ready prompts that walk a page as a keyboard-only and screen-reader user — semantics, focus, ARIA widgets, contrast, modal stacks, live regions — each finding mapped to a WCAG 2.2 criterion.
15 prompts that pressure-test REST and GraphQL contracts before they ship: naming, status codes, RFC 9457 errors, breaking changes, pagination, N+1, field-level auth.
13 copy-ready prompts that hunt specific bug families — race, null, off-by-one, leaks — before they ship. Tuned for Claude Opus 4.7, Cursor, and Codex (June 2026).
12 copy-ready prompts to brief Claude Code (or Codex) on real engineering work — scoped features, surgical bug fixes, migrations, refactors, TDD, perf, CI debugging — mapped to Plan Mode and /rewind.
13 copy-ready AI code review prompts that surface real bugs, security holes, perf issues, and test gaps — plus which 2026 review bots to pair them with.
12 copy-ready prompts that walk a schema like a future migrator: normalization, indexes, FK cascades, nullability, soft-delete, JSON columns, lock-safe migrations, ORM diff. Updated June 2026.
12 copy-ready prompts to pre-flight a deploy: env-var diff, DNS cutover, cache invalidation, smoke test, rollback drill, 24h watch, security headers, incident comms.
14 measure-first performance prompts for AI coding tools: LCP / INP / CLS / N+1 / TTFB / bundle / cache fixes, before-after Web Vitals diffs, and a premature-optimization detector. Current Core Web Vitals thresholds (June 2026) included.
13 copy-ready prompts to refactor React components in 2026: extract hooks, lift state, split server/client, audit memo in the React Compiler era, and kill prop-drilling.
12 copy-paste prompts for READMEs that move a new reader from git clone to a working install fast: skeleton, quickstart, install troubleshooting, examples, API table, and audit.
18 copy-ready prompts to plan, execute, and verify AI refactors without breaking behavior — for Claude Code, Cursor, and Codex. Module extraction, renames, async migrations, god-function splits.
12 AI prompts to audit your code against the OWASP Top 10:2025 — access control, auth, secrets, supply chain, file uploads, CORS, PII logging — and ship a finding-plus-fix list without hiring a pentester.
12 copy-ready prompts to AI-audit a content site — metadata, internal links, hreflang, thin pages, canonical, schema, cannibalization, Core Web Vitals — with exact thresholds and a fix per finding.
13 prompts for integration, E2E, snapshot, and contract tests with Vitest 3, pytest 9, and Playwright. Tests that catch real bugs, not coverage noise (June 2026).
14 copy-paste prompts to diagnose TypeScript errors fast: generics, conditional types, narrowing, module resolution, and .d.ts files. Updated for TS 6.0/7.0, June 2026.