contextual-review
// Review pull requests for code quality, security vulnerabilities, best practices, and potential issues. Use when reviewing PRs, examining diffs, or providing code review feedback.
| Field | Value |
|---|---|
| name | contextual-review |
| description | Review pull requests for code quality, security vulnerabilities, best practices, and potential issues. Use when reviewing PRs, examining diffs, or providing code review feedback. |
Perform comprehensive reviews of code changes, implementation plans, and architecture decisions. Analyzes for quality, correctness, security, and adherence to project standards.
Before reviewing any code, read base-review.md. It establishes:
The base guidelines apply to ALL reviews. Area-specific guides add targeted checklists.
Based on what files changed, consult the appropriate reference:
| Changed Files | Reference |
|---|---|
| platform/docs/ | docs-review.md - Documentation review guidelines |
| platform/flowglad-next/src/db/schema/, openapi.json, api-contract/ | api-review.md - Data model and API review |
| packages/ | packages-review.md - SDK package review |
| playground/ | playground-review.md - Example project review |
| platform/flowglad-next/ | platform-review.md - Main platform review |
For reviewing implementation plans before code is written:
| Review Type | Reference |
|---|---|
| Gameplans / Implementation Plans | gameplan-review.md - Pre-implementation plan review |
Read the relevant reference file(s) based on the diff to get area-specific checklists and guidelines.
Run `gh pr checkout <PR>` to get the PR code locally. If it fails, continue with the review anyway.
First, understand the scope of changes:
```
# Get the diff statistics to understand what files changed
GetWorkspaceDiff with stat: true

# Then examine individual file changes
GetWorkspaceDiff with file: 'path/to/file'
```
Analyze changes across these dimensions:
| Category | Focus Areas |
|---|---|
| Correctness | Logic errors, edge cases, null handling, off-by-one errors |
| Security | Input validation, injection risks, auth/authz, secrets exposure |
| Performance | N+1 queries, unnecessary loops, missing indexes, memory leaks |
| Maintainability | Code clarity, naming, DRY violations, complexity |
| Testing | Test coverage, edge cases tested, test quality |
| Types | Type safety, proper typing, avoiding any |
For this codebase, also verify:
- `bun` instead of `npm` or `yarn`
- `migrations:generate`, never manual migrations
- `spyOn` or dynamic imports
- `any` types in tests
- Each `it` block should have specific assertions, not `toBeDefined`
- `it` with exhaustive assertions

Use the DiffComment tool to leave targeted feedback:

```typescript
DiffComment({
  comments: [
    {
      file: "path/to/file.ts",
      lineNumber: 42,
      body: "Potential SQL injection vulnerability. Consider using parameterized queries."
    }
  ]
})
```
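As an added example, not part of this skill or of Flowglad's own tooling: a small pre-pass over a unified diff that mechanically applies some of the codebase checks above (bun over npm/yarn, no `any` in tests, no bare `toBeDefined`) and emits findings in the shape the DiffComment tool takes. The rule regexes, the file filters and the sample diff are constructed for illustration and are assumptions, not project conventions.

```typescript
type Comment = { file: string; lineNumber: number; body: string };

// Rules run against added lines only; filesOnly restricts a rule to test files.
const RULES: Array<{ pattern: RegExp; filesOnly?: RegExp; body: string }> = [
  { pattern: /\b(npm|yarn)\s+(install|i|add|run)\b/,
    body: "Use bun instead of npm or yarn." },
  { pattern: /:\s*any\b|<any>|\bas any\b/, filesOnly: /\.test\.tsx?$/,
    body: "Avoid `any` types in tests; give the value its real type." },
  { pattern: /\.toBeDefined\(\)/, filesOnly: /\.test\.tsx?$/,
    body: "Assert on specific values rather than toBeDefined()." },
];

// Walk a unified diff, tracking the new-side line number, and test each added
// line against the rules. Output matches the DiffComment `comments` shape.
function scanDiff(diff: string): Comment[] {
  const comments: Comment[] = [];
  let file = "";
  let lineNo = 0;
  for (const raw of diff.split("\n")) {
    if (raw.startsWith("+++ ")) { file = raw.slice(4).replace(/^b\//, ""); continue; }
    if (/^(diff |index |--- |\\)/.test(raw)) continue; // headers, "\ No newline"
    const hunk = /^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@/.exec(raw);
    if (hunk) { lineNo = Number(hunk[1]); continue; }
    if (raw.startsWith("-")) continue; // removed line: old side only
    if (raw.startsWith("+")) {
      const text = raw.slice(1);
      for (const rule of RULES) {
        if ((!rule.filesOnly || rule.filesOnly.test(file)) && rule.pattern.test(text)) {
          comments.push({ file, lineNumber: lineNo, body: rule.body });
        }
      }
    }
    lineNo++; // context and added lines both occupy a new-side line
  }
  return comments;
}

// Constructed sample diff: a test file gaining `any` and a bare toBeDefined(),
// plus a README switching the install command to npm.
const SAMPLE_DIFF = [
  "--- a/src/auth/token.test.ts", "+++ b/src/auth/token.test.ts",
  "@@ -10,2 +10,4 @@",
  " it('issues a token', () => {",
  "+  const token: any = issueToken(user)",
  "+  expect(token).toBeDefined()",
  " })",
  "--- a/README.md", "+++ b/README.md",
  "@@ -1,2 +1,2 @@", "-Run bun install", "+Run npm install", " then start",
].join("\n");
// Feed straight to the tool: DiffComment({ comments: scanDiff(SAMPLE_DIFF) })
```

The pass is a starting point for the human review, not a replacement for it: it flags exact patterns on added lines and knows nothing about the surrounding logic.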
- `any` without justification

Provide a structured review with:
## Summary
This PR adds user authentication using JWT tokens with refresh token support.
## Findings
### Critical
- **src/auth/token.ts:45**: JWT secret is hardcoded. Move to environment variable.
### High
- **src/auth/login.ts:23**: Missing rate limiting on login endpoint.
### Medium
- **src/auth/validate.ts:12**: Token expiration check should use `<=` not `<` to handle exact expiration time.
### Suggestions
- Consider adding request ID to auth logs for debugging.
## Positive Notes
- Good separation of concerns between token generation and validation
- Comprehensive error types for different auth failures
## Recommendation
**Request Changes** - Address the critical security issue before merging.
- `gh pr checkout <PR>` (continue if it fails)
- `GetWorkspaceDiff(stat: true)`
- `DiffComment` for inline feedback