Code review exists in balance. If we are too strict then PRs take forever, developers get frustrated, the business can't ship. If we are too relaxed then bugs reach production, technical debt accumulates, knowledge doesn't transfer.

The goal isn't maximum rigour. It's appropriate rigour — catching what matters without creating bottlenecks.

After years building healthcare software, I stopped asking "did we catch everything?" and started asking: what would make this process work for everyone?

How to Read This

If you...	Read...
Want the 2-minute version	Quick Reference below
Are new to code review	Quick Reference + The Two Rules — that's your foundation
Submit PRs for review	Part 1: For Authors
Review other people's code	Part 2: For Reviewers
Lead a team or care about velocity vs quality	Part 3: The Balance

Quick Reference

For Authors

Keep PRs small (less than 1 full day of work)
Self-review + Copilot review, and add your own PR comments to explain decisions
Use Copilot to generate the PR description, then review and refine it
If a PR can't be split, add comments guiding the reviewer to what needs attention vs what can be skimmed
Only respond to feedback when you disagree — the reviewer trusts you'll address agreed feedback (use "resolve conversation" to track progress)
Push back when appropriate, take it offline when stuck
If the reviewer you want is busy with high-priority tasks, ask someone else — check with team leader if unsure
If you haven't heard back within 24 hours, follow up ("friendly reminder about this PR" + link) — they may have missed it or be swamped

For Reviewers

Start with the PR description; read the ticket only if you need more context
Approve when it improves code health, even if not perfect
Focus on complexity, naming, and comments — not functionality or design
Trust that the developer followed requirements and the tester verified it
If feedback will take >5 mins to address, include the importance and priority
Be actionable, explain the why
Limit comments (≤12 per PR), talk directly if there's too much
Ask questions that assume the author is right — request a comment instead of challenging the decision
Look for what has caught you out in the past from your own code — share that experience
Sometimes it's good to add: "Here's a simpler approach for next time, but not worth refactoring now" — teaching without blocking
If you're busy with high-priority tasks, ask the author to find someone else or check with team leader

For Team Leaders

Too strict = slow delivery, frustrated developers
Too lax = bugs in production, technical debt, no knowledge transfer
If code review feels like bureaucracy, discuss with the team and improve the process
Design problems should be caught before coding, not in PR review
Automate the obvious (linting, formatting, style), focus humans on readability
If feedback relies on memory (conventions, rules, patterns), give it to the AI code reviewer — free up humans to focus on readability and "could I work on this later?"
If a guideline keeps getting missed, simplify it or automate it
Consistency beats cleverness — one way is better than five "correct" ways
Set explicit time expectations for reviews, e.g., no longer than 30 mins and within 24 hours

The Three Questions

Can I follow this? — Logic shallow? Names clear? Unusual parts explained?
Can I find this later? — Names searchable? Related code together?
Is this where I'd expect it? — Follows patterns? Boundaries clear?

What Reviewers Should (and Shouldn't) Check

Reviewer's Job	Not Reviewer's Job
Complexity — Can a future dev understand this?	Design — Should be agreed before coding
Naming — Are names clear to someone reading cold?	Functionality — That's Author + QA/testing's job
Comments — Do they explain the why, not the what?	Tests pass — That's CI's job
Unusual patterns explained — Is the weird stuff justified?	Style/formatting — That's linters' job
Security — Access control, PII exposure, input validation	Requirements met — Trust the developer and tester

The Two Rules (The "Operating System" of Healthy Reviews)

The Standard: Approve once it definitely improves overall code health, even if not perfect.
Speed: One business day max to respond to a review request.

Quality bar + velocity bar. Everything else flows from these.

Key Principles

Reading > Writing — Code is read far more than it's written. Optimise for the reader.
Self-documenting names — If you need a comment to explain what something does, rename it.
Comments explain why — Not what the code does, but why it exists and why it's written this way.
Consistency beats cleverness — Follow existing patterns, even if you know a "better" way.
Trust your colleagues — Review for maintainability, not to re-verify their work.

Part 1: For Authors

Your Job: Make the Reviewer's Life Easy

A good PR isn't just correct code. It's code that's easy to review. Every minute you invest in clarity saves your reviewer five minutes of confusion — and saves you a round-trip of "what does this do?" comments.

Before You Submit

Keep It Small

Large PRs are hard to review well. When a reviewer sees 800 lines, they either skim it and miss things, or put it off because it's daunting.

Aim for:

Less than one full day of work for each PR
One PR = one concern (bug fix, feature, refactor — not all three)
GitHub issues that are small enough to complete in one day of coding
At least weekly merging into live for large projects behind internal testing groups

If your PR is huge, ask: how can I avoid this next time?

And guide your reviewer. Add a few PR comments upfront explaining which sections need close attention and which can be skimmed (e.g., "This file is just generated migrations" or "The logic change is in lines 45-60, the rest is renaming"). Don't make them guess where the important bits are.

Use Copilot for Your PR Description

Don't stare at a blank description box. Use GitHub Copilot to generate a first draft — it can summarise your changes, identify what files were touched, and flag potential concerns.

Then review and refine it:

Does it explain what problem this solves?
Does it explain why this approach?
Does it call out what to focus on during review?
Does it mention what not to focus on (if something looks odd but is intentional)?

Copilot gets you 80% there in seconds. Your refinements add the context only you know.

Review Copilot's Code Review Feedback

Copilot will also review your code and leave comments. Treat these like any other reviewer's feedback — but with one addition:

If Copilot's feedback is wrong or nitpicky, let your tech lead know. They can update the Copilot code review instructions so it doesn't keep flagging the same unhelpful things. This improves the tool for everyone.

Make the Code Tell a Story

Your reviewer is reading cold. Help them follow it:

Shallow logic paths — If they have to jump through 10 methods to understand what happens, it's too deep
Clear names — calculateInvoiceTotal() not process(). GitChangeDetector not Helper.
Comments for the unusual — Explain why something exists, not what it does

The test: Could a new team member understand this in 5 minutes? If not, simplify or add context.

Self-Review First

Before requesting review, read your own diff as if you were the reviewer:

Any debug code left in?
Any TODOs without context (who, when, why)?
Any commented-out code that should be deleted?

Add your own PR comments to explain decisions, flag uncertainties, or pre-answer obvious questions. This saves round-trips and shows you've thought it through.

During Review

Only Respond When You Disagree

You don't need to reply "Done" to every comment. The reviewer trusts you'll address feedback you agree with — that's the default assumption.

Use "resolve conversation" to mark comments as addressed. This lets you track what's done and what's still pending, without cluttering the thread with acknowledgements.

Respond when:

You don't think the feedback is required and want to explain why
You need more context to understand the feedback
You've taken a different approach than suggested

This keeps conversation focused on areas where you and the reviewer genuinely see things differently.

Know When to Push Back

Not all feedback belongs in this PR:

Out of scope? "Good idea — I'll create a follow-up ticket."
Takes too long? "This is a bigger change — should we track it separately?"
Disagree? "I see the concern, but I went this way because X. What if we Y instead?"

Pushing back isn't conflict. It's collaboration.

Know When to Take It Offline

If you're three comments deep on the same issue and still not aligned, stop typing. A five-minute call beats an hour of async back-and-forth.

Choose the Right Reviewer

If the reviewer you want is busy with high-priority tasks, ask someone else. Check with your team leader if you're unsure who's available.

Follow Up

If you haven't heard back within 24 hours, follow up. The reviewer may have missed your request or be swamped with other work. A simple "friendly reminder about this PR" with a link makes it easy for them to jump back in.

Part 2: For Reviewers

Your Job: Verify Maintainability, Not Correctness

A common misconception: reviewers should verify the code works correctly.

No. That's the developer's job (they wrote it) and the tester's job (they verified it). If you're re-checking requirements and re-testing functionality, you're duplicating work and slowing everyone down.

Your job is to answer one question: Can a future developer understand and maintain this code?

What You Should Check

The Three Questions

When reviewing any code, ask:

Can I follow this? — Are logic paths shallow? Are names clear? Are unusual parts explained?
Can I find this later? — Are names searchable? Is related code together? Is logic buried in loops?
Is this where I'd expect it? — Does it follow existing patterns? Are boundaries clear?

If the answer to any is "no", that's your feedback.

Specifically Look For

Check	Why
Complexity	Can someone unfamiliar with this code understand it quickly?
Naming	Are names self-documenting? Would you find this in a search?
Comments	Do comments explain why, not what? Are unusual patterns justified?
Security	Access control checked before data access? PII protected? Input validated? Secrets exposed?

What You Should NOT Check

Don't Check	Why Not
Design/Architecture	Should be agreed before coding. Catching it in review means massive rework — that's a planning failure, not a review finding. (Exception: If you spot something genuinely dangerous — security hole, data loss risk, architectural landmine — escalate immediately. Don't let process trump safety. If you're unsure whether something is dangerous, escalate anyway — false positives are cheaper than missed incidents.)
Functionality	Trust the developer followed requirements. Trust the tester verified it. You're not QA. (Flag obvious mismatches if you spot them, but don't go hunting.)
Whether tests pass	That's CI's job.
Whether tests are correct	Requires domain knowledge you may not have. Trust the author. (Flag obvious gaps if you spot them, but don't audit every assertion.)
Style/formatting	That's linters' job. Automate it.

Exception: If you spot an obvious bug while reviewing, of course flag it. But looking for bugs shouldn't be your primary focus — except for security and PII issues, which are always worth actively checking.

The Two Rules

Every healthy code review culture runs on two rules:

The Standard: Approve once it definitely improves overall code health, even if not perfect.
Speed: One business day max to respond to a review request.

Quality bar + velocity bar. That's the operating system.

There's no such thing as perfect code — only better code. If the PR makes things better and doesn't introduce new problems, approve it. Don't hold it hostage for polish.

And don't let PRs sit. A PR waiting for review is a developer blocked. Respond within one business day, even if it's just "I'll get to this tomorrow morning."

The 30-Second Review Check

Before approving, ask:

✅ Can I understand what this does in under 5 minutes?
✅ Would I know where to find and change this later?
⚠️ Does anything here look dangerous? (security, data loss, access control, silent failure)

If yes to 1 & 2, and no to 3 → approve. If no to 1 or 2 → comment. If yes to 3 → escalate.

How to Give Feedback

Tag Severity (When It Matters)

If feedback will take longer than 5 minutes to address, tag it so authors know what's blocking vs advisory:

Tag	Meaning
[Important/Now]	Must change before merge
[Important/Later]	Should change, but can be a follow-up ticket
[Quick Fix]	Not critical, but easy to address before merge
[FYI]	Good to know for next time, no action needed now

Quick fixes don't need tags. But for anything substantial, tagging prevents authors spending hours on something you considered optional.

Be Actionable

Bad: "This is confusing."

Good: "I couldn't follow the logic here. Could you extract the validation into a separate method, or add a comment explaining why we check X before Y?"

Explain the Why

Don't just say what to change — say why it matters:

"This could cause issues if the user hasn't completed onboarding"
"This pattern makes it hard to find related logic later"
"We've had bugs in this area before when X wasn't checked"

When authors understand the reasoning, they learn.

Ask Questions That Assume the Author Is Right

If something looks wrong but you're not sure, ask for a comment rather than challenging the decision:

"Can you add a comment explaining why this doesn't use the existing validateInput() helper?"
"Can you add a comment explaining what happens if this is null?"
"Can you add a comment explaining why we need this check?"

The author knows more context than you. And if you're asking the question, future developers will too.

This approach works both ways: if there's a problem, the author will spot it while writing the comment. If it's fine, the codebase gets a useful comment. Either way, maintainability improves.

How Much Is Too Much?

Comment Limits

If you're leaving 20+ comments, something's wrong — either the PR is too big, or you're nitpicking.

Guidelines:

If your comment count feels high relative to the change size, talk instead
Roughly 20+ comments on a PR or 5+ on a single file is a signal something's off — either the PR is too big or we need to change approach
Batch related minor issues into one comment

When to Stop Typing and Start Talking

If a PR has fundamental issues — wrong approach, missing requirements, major concerns — don't leave 30 comments. Reach out directly:

"Hey, I started reviewing and have some bigger questions about the approach. Can we chat for 5 minutes?"

This is faster, kinder, and more effective.

When You're Too Busy

If someone asks for a code review and you're swamped with high-priority tasks, don't let their PR sit in limbo. Ask them to find someone else, or check with your team leader to reassign. A quick redirect is better than a week of silence.

Part 3: The Balance

Why This Matters for the Business

Code review exists in tension:

Too strict: PRs take forever, developers get frustrated, velocity drops
Too lax: Bugs reach production, technical debt accumulates, knowledge doesn't transfer

The goal isn't maximum rigour. It's appropriate rigour.

The Cost of Getting It Wrong

Too Strict

PRs regularly take 3+ days to merge
Authors dread submitting code for review
Feedback often gets marked "won't fix" because it's out of scope
Review comments outnumber lines changed

The worst pattern: Thorough, technically-correct feedback on a prototype that's going to change anyway. All that review work? Wasted.

Too Lax

The same bugs keep appearing
New team members struggle to understand the codebase
Only one person can work on certain areas

Catch Problems at the Right Stage

Different problems should be caught at different stages:

Problem	When to Catch	Not In Code Review
Wrong approach / design	Architecture discussion, ticket refinement, spike	❌ Too late — massive rework (but escalate if genuinely dangerous)
Missing requirements	Ticket refinement, dev-tester pairing	❌ That's planning failure
Doesn't work correctly	Developer testing, QA	❌ Reviewer isn't QA
Tests don't pass	CI pipeline	❌ Automated
Style violations	Linters, formatters	❌ Automated
Hard to understand	✅ Code review	This is reviewer's job
Hard to find later	✅ Code review	This is reviewer's job
Doesn't follow patterns	✅ Code review	This is reviewer's job
Security issues	✅ Code review	Access control, PII exposure, input validation

If design problems are regularly caught in code review, fix your planning process — don't make reviewers the gatekeepers for architectural decisions.

Practical Guidelines

Automate What You Can

If a rule matters enough to follow, it matters enough to automate:

Linting and formatting → CI
Complexity thresholds → static analysis
Security scanning → automated tools
Test coverage → CI

Machines check the metrics. Humans check the readability.

Set Time Expectations

Ambiguity creates friction. Be explicit:

First review: Within one business day
Feedback taking >30 mins: Flag it, discuss whether it belongs in this PR
Feedback creating hours of work: That's a new ticket, not a PR comment
Disagreement lasting >3 comments: Take it offline

Simplify Guidelines That Keep Getting Missed

If the same feedback keeps appearing and it's not quick to fix:

The guideline is too complicated — simplify it
The guideline isn't understood — discuss it in a team meeting
The guideline can be automated — add a linter rule

Don't keep leaving the same feedback. Fix the system.

Match Rigour to Context

Context	Review Depth
Prototype / spike	Does it work? Obvious security holes? Ship it.
Standard feature	Readability, patterns, basic security
Core infrastructure	Full rigour — this code will be here for years
Hotfix at 5pm Friday	Verify correctness and security, skip the nits

The Goal

Code review should make your codebase better and your team smarter — without making everyone miserable or grinding delivery to a halt.

For authors: Make the reviewer's job easier. For reviewers: Focus on readability, security, and patterns — trust the author on functionality. For the business: Ship quality code at a sustainable pace.

When it's working, code review feels like collaboration. When it's not, it feels like bureaucracy.

If it feels like bureaucracy, discuss with the team and improve the process.

This Guide Is a Living Document

These practices aren't carved in stone. They're a starting point — shaped by experience, but meant to evolve with your team.

If something isn't working, say so. If a guideline creates more friction than value, we should change it. If you spot a gap, fill it. If you disagree with something here, that's a conversation worth having.

The best processes emerge from teams who continuously refine how they work together. This document should reflect that.

Suggest improvements. Challenge assumptions. Make it better.