Mental Model
Gemini's 2-million token window is like a conference room with every relevant document in your organization laid out on the table. Without a structured agenda (your prompt), the meeting produces chaos. With one, it produces the best decision in the room.
Most engineers using Gemini CLI for the first time make the same mistake: they throw a massive codebase into the context and ask a vague question. The model has access to everything but produces generic answers. The issue is not the model — it is the prompt.
This lesson teaches the structured prompting patterns that unlock the real power of long-context reasoning.
Why Prompting Matters More with Long Context
With a short-context model (4K–16K tokens), the model is forced to focus on exactly what you give it. With a 2-million-token window, the model has to decide what to pay attention to. Without explicit guidance, it tends to weight the beginning and end of the context most heavily — a phenomenon called positional attention bias.
The solution is structured prompts that explicitly direct attention:
# WEAK (relies on model to decide what matters):
"Review this codebase and tell me what's wrong."
# STRONG (tells model exactly where to look and what to evaluate):
"You are a Staff Security Engineer. Analyze ONLY the authentication
and authorization flows in this codebase. Specifically:
1. Find all places where user input touches a database query
2. Check for missing rate limiting on login endpoints
3. Verify JWT validation is happening before business logic
Ignore all non-auth code. Report findings in the format specified below."
The Four-Part Prompt Template
Every high-quality Gemini CLI prompt for technical tasks uses four components:
[ROLE]: Who is the model playing?
[TASK]: What specific action should it take?
[CONSTRAINTS]: What should it ignore? What standards apply?
[OUTPUT FORMAT]: Exactly how should it structure the response?
Example: Security Audit Prompt
gemini --all_files --yolo "
ROLE: You are a Principal Security Engineer at a fintech company with
10+ years of experience in OWASP Top 10 vulnerabilities, secure coding
in Java/Node.js, and PCI DSS compliance requirements.
TASK: Perform a security audit of the authentication and payment
processing code in this repository. Focus on:
1. SQL injection vulnerabilities in any query that touches user input
2. Hardcoded credentials or API keys in source code or config files
3. Missing or insufficient input validation before database operations
4. Insecure JWT implementation (algorithm confusion, weak secrets,
missing expiry validation)
5. Payment card data (PAN, CVV) appearing in logs or error messages
CONSTRAINTS:
- Ignore test files, documentation, and frontend code
- Do not suggest architectural rewrites — only flag specific,
actionable security issues
- Rate each finding: CRITICAL / HIGH / MEDIUM / LOW
- Only report findings you are confident about — do not speculate
OUTPUT FORMAT:
## Security Audit Report
### CRITICAL Findings
| File | Line | Vulnerability | Evidence | Remediation |
|------|------|---------------|----------|-------------|
...
### HIGH Findings
...
### Summary
Total findings: X (Y critical, Z high, N medium, M low)
Estimated remediation time: X hours
"
Chain-of-Thought Prompting for Complex Analysis
For complex reasoning tasks — like understanding a distributed system's failure modes or analyzing a race condition — standard prompts produce shallow analysis. Chain-of-thought (CoT) prompting forces the model to reason step-by-step before producing an answer.
Standard Prompt:
"What could cause the payment service to timeout under load?"
Result: Generic list of "database slow, network latency, connection pool exhausted."
Chain-of-Thought Prompt:
"Analyze the payment service timeout issue. Before giving your answer:
Step 1: Map the complete request path from API gateway → payment service
→ Stripe API → database, identifying all network hops.
Step 2: For each hop, identify the timeout configuration and what happens
when it fires.
Step 3: Identify any synchronous dependencies that could create cascading
timeouts (e.g., if Stripe times out, does it block the database connection
while waiting?).
Step 4: Check the connection pool configuration and calculate the maximum
concurrent requests the service can handle before pool exhaustion.
Only after completing Steps 1-4, provide your root cause analysis and
specific configuration changes that would prevent the timeout cascade."
Result: Specific, traceable analysis identifying the actual bottleneck.
The "Structured Walkthrough" Pattern
When asking Gemini to analyze a complex codebase feature, use the walkthrough pattern to prevent surface-level analysis:
gemini --all_files "
Walk me through the complete lifecycle of an order in this codebase.
For each step, tell me:
1. ENTRY POINT: Which class/function initiates this step?
2. DATA TRANSFORMATION: What data changes in this step?
3. EXTERNAL CALLS: Which external services or databases are called?
4. ERROR HANDLING: What happens if this step fails?
5. TESTS: Does this step have test coverage? (yes/no/partial)
Steps to trace:
- Order creation (checkout → database)
- Payment processing (database → Stripe API)
- Inventory reservation (payment success → inventory service)
- Order confirmation (inventory success → notification service)
After the walkthrough, identify the weakest link in the chain — the
step most likely to fail under production load of 1,000 orders/minute."
Constraint Injection: Telling Gemini What NOT to Do
One of the most important skills in long-context prompting is telling the model what to ignore. Without constraints, the model will try to incorporate every file in context — including irrelevant ones that dilute the analysis.
# WEAK: Model tries to analyze everything
gemini --all_files "Review the database access patterns."
# STRONG: Model knows exactly what to include and exclude
gemini --all_files "
Analyze the database access patterns in this service.
INCLUDE ONLY:
- Files in src/repository/ and src/service/
- Database configuration in src/config/DatabaseConfig.java
- Any SQL queries or JPQL expressions anywhere in the codebase
EXPLICITLY IGNORE:
- src/test/ (test code)
- src/api/ (HTTP layer — not relevant to DB access patterns)
- Any JavaScript or TypeScript files (this is a Java backend analysis)
- Documentation files
Focus your analysis on:
1. N+1 query problems (loops that trigger individual DB queries)
2. Missing indexes (queries that filter on non-indexed columns)
3. Transaction scope errors (business logic outside transactions that should be inside)
"
The "Staff Engineer Review" Pattern
This pattern produces the highest-quality code reviews from Gemini. It explicitly assigns a seniority level and forces the model to apply that lens:
gemini --all_files "
You are conducting a code review as a Staff Engineer at Netflix scale.
Your bar is high: you are looking for issues that would cause problems
at 10× our current traffic, not just issues in today's load.
Review the PaymentService class with this lens:
CORRECTNESS TIER (block merge if any found):
- Race conditions that cause data inconsistency
- Missing transaction boundaries around multi-step operations
- API contracts that don't match the implementation
RELIABILITY TIER (require fix before next release):
- Missing timeout on any external service call
- Missing circuit breaker on Stripe/payment processor calls
- Exception handling that swallows errors without logging
SCALE TIER (log as tech debt with ticket):
- Synchronous operations that should be async at 10× load
- Database queries that will degrade with table growth
- In-memory state that prevents horizontal scaling
STYLE TIER (suggest, not require):
- Naming that reduces readability
- Missing documentation on complex business rules
For each finding, provide: File, Line range, Category, Specific
issue, and Suggested fix with code example."
Iterative Refinement: The Multi-Turn Workflow
Gemini CLI's long context enables a powerful iterative workflow where each turn builds on the previous one without re-establishing context:
# Turn 1: Broad survey
gemini --all_files "Map all the places in this codebase where we
make HTTP calls to external services. List: service name, timeout
config, retry logic (yes/no), circuit breaker (yes/no)."
# Turn 2: Focus on the gaps (context preserved from turn 1)
gemini "Of the external service calls you just identified, focus on
the ones with NO circuit breaker. For each, estimate the blast
radius if that service goes down — how many user-facing features
break?"
# Turn 3: Generate the fix (context preserved from turns 1 & 2)
gemini "Generate the Resilience4j circuit breaker configuration for
the top 3 highest-blast-radius services you identified. Include
the Spring Bean configuration and the @CircuitBreaker annotation
changes for each service."
This is fundamentally different from starting a new conversation each time — the model already has the full context of the previous analysis, enabling deeper, more specific follow-up questions.
Output Format Templates
Always specify the output format explicitly. Ambiguous format instructions produce inconsistent results across sessions.
For Architecture Analysis
OUTPUT FORMAT:
## Component: [Name]
**Purpose**: [One sentence]
**Dependencies**: [List of services/databases it calls]
**Failure modes**: [What happens when it fails]
**Scale concerns**: [Bottlenecks at 10× current load]
**Recommendation**: [Critical change | Minor improvement | OK as-is]
For Code Review
OUTPUT FORMAT:
| Severity | File | Lines | Issue | Suggested Fix |
|----------|------|-------|-------|---------------|
| BLOCK | ... | ... | ... | ... |
| HIGH | ... | ... | ... | ... |
| MEDIUM | ... | ... | ... | ... |
For Incident Analysis
OUTPUT FORMAT:
## Root Cause
[2-3 sentences, specific to this codebase]
## Timeline of Failure
1. [Trigger event]
2. [First symptom]
3. [Cascade effect]
## Immediate Fix
[Specific code change or configuration change]
## Permanent Fix
[Architectural change to prevent recurrence]
## Detection Gap
[What monitoring/alerting would have caught this earlier]
Common Mistakes and How to Avoid Them
| Mistake | Symptom | Fix |
|---|---|---|
| Vague task | Generic, surface-level output | Add specific sub-questions (1, 2, 3...) |
| No output format | Inconsistent structure across sessions | Always specify exact table/section format |
| Missing constraints | Model analyzes irrelevant files | Add "IGNORE: test/, docs/, frontend/" |
| No role assignment | Generic "helpful assistant" tone | Assign specific role with domain expertise |
| Single-turn for complex task | Shallow analysis | Use iterative multi-turn refinement |
Key Takeaways
- A large context window is only valuable if your prompt structure forces the model to reason across all of it — not just the nearest text.
- Role + Task + Constraints + Output Format is the four-part prompt template that produces reliable outputs at scale.
- Chain-of-thought prompting reduces hallucinations on complex technical tasks by forcing step-by-step reasoning before a conclusion.