games: - type: scenario title: "PR Review Crisis" startHealth: 5 steps: - id: start situation: "A teammate opens a 2,000-line PR that touches auth, DB migrations, and 12 files. It's Friday afternoon. You're asked to review. How do you prioritize?" choices: - text: "Triage: skim for high-risk areas (auth, migrations, security), then focus feedback there first." consequence: "Smart. You use risk to prioritize. Auth and migrations deserve careful review; trivial changes can wait." health: 1 next: tone - text: "Review every line from top to bottom." consequence: "Thorough but inefficient. A 2000-line PR in one sitting leads to fatigue and missed issues." health: -1 next: tone - text: "Approve quickly and say you'll do a deeper pass later." consequence: "Approving without proper review risks merging bugs. Later rarely happens." health: -2 next: bad_choice - id: tone situation: "You find a security issue: the new auth path doesn't validate the redirect URL, enabling open redirect. How do you phrase the feedback?" choices: - text: "I noticed the redirect URL isn't validated — could lead to open redirect. Suggest we add a allowlist check." consequence: "Constructive and specific. You state the problem and a concrete fix. Professional tone." health: 1 next: disagreement - text: "This is a security hole. Why wasn't this caught before?" consequence: "Accusatory. The author may get defensive. Security matters, but tone affects collaboration." health: -1 next: disagreement - text: "LGTM with minor comments." consequence: "Open redirect is not minor. Undermining serious feedback can let bugs slip through." health: -2 next: bad_choice - id: disagreement situation: "The author disagrees with your feedback. They say the redirect is 'internal only' and low risk. You believe it's still exploitable. What do you do?" choices: - text: "Share a minimal exploit or reference (e.g. OWASP) and suggest discussing in a call if needed." consequence: "Evidence-based. You back your point with data. Opens constructive discussion." health: 1 next: approve_decision - text: "Insist they fix it or you won't approve." consequence: "Standing firm can be right, but escalating without evidence may create friction." health: 0 next: approve_decision - text: "Drop it and approve — they own the code." consequence: "Security issues shouldn't be dropped for ownership. You're responsible too as reviewer." health: -2 next: bad_choice - id: approve_decision situation: "The author fixed the redirect issue. You've reviewed the high-risk areas. The PR also has some style nitpicks and a few unclear variable names. Do you approve or request changes?" choices: - text: "Approve with a short list of non-blocking suggestions (style, naming) for follow-up." consequence: "Pragmatic. You unblock the author while capturing improvement ideas. Ship and iterate." health: 1 next: success - text: "Request changes — insist on fixing every nit before merge." consequence: "Perfectionism can block progress. Critical fixes yes; style nits can be follow-up." health: -1 next: success - text: "Approve without any other feedback." consequence: "You could have added value with non-blocking suggestions. Missed a teaching moment." health: 0 next: success - id: bad_choice situation: "That choice didn't serve the team. PR review should be constructive, risk-aware, and collaborative. Try to recover." choices: - text: "Restart with a better approach." consequence: "Every review is a chance to improve." health: 0 next: start - text: "Accept the consequences." consequence: "Sometimes we learn the hard way." health: 0 next: end - id: success situation: "The PR is merged. You provided focused, constructive feedback. The author appreciated the security catch. Well done!" choices: - text: "Continue." consequence: "You navigated the PR review crisis successfully." health: 0 next: end