om-code-review
| Field | Value |
|---|---|
| name | om-code-review |
| description | Review code changes for architecture, security, conventions, and quality compliance. Use when reviewing pull requests, code changes, or auditing code quality. |
Review code changes against Open Mercato architecture rules, security requirements, and quality standards.
Read AGENTS.md for module conventions. Check .ai/specs/ for active specs. Read .ai/lessons.md for known pitfalls. Work through references/review-checklist.md. Flag each violation with its severity, the file (and line where possible), and a concrete fix suggestion.

NEVER claim code is "ready to merge" without running these checks, in the order listed. If any step fails, it MUST be fixed before the review can pass.
| # | Command | What it checks | If it fails |
|---|---|---|---|
| 1 | yarn generate | Module registries are up to date | Run it — it generates missing files |
| 2 | yarn typecheck | TypeScript types are correct | Fix type errors |
| 3 | yarn test | All unit tests pass | Fix failing tests |
| 4 | yarn build | The app builds successfully | Fix build errors |
Rules: the review output MUST follow this template.

```markdown
# Code Review: {change description}

## Summary
{1-3 sentences: what the change does, overall assessment}

## CI/CD Verification
| Gate | Status | Notes |
|------|--------|-------|
| `yarn generate` | PASS/FAIL | |
| `yarn typecheck` | PASS/FAIL | |
| `yarn test` | PASS/FAIL | |
| `yarn build` | PASS/FAIL | |

## Findings
### Critical
{Security, data integrity, tenant isolation violations}
### High
{Architecture violations, missing required exports}
### Medium
{Convention violations, suboptimal patterns}
### Low
{Suggestions, minor improvements}

## Checklist
{From references/review-checklist.md — mark [x] passing, [ ] failing with explanation}
```

Omit empty severity sections.
| Severity | Criteria | Action |
|---|---|---|
| Critical | Security vulnerability, cross-tenant leak, data corruption, missing auth | MUST fix before merge |
| High | Architecture violation, missing required export, broken module contract | MUST fix before merge |
| Medium | Convention violation, suboptimal pattern, missing best practice | Should fix |
| Low | Style suggestion, minor improvement | Nice to have |
Checklist items (see references/review-checklist.md for the full list):

Tenant isolation and data access:
- organization_id for tenant-scoped entities
- data/extensions.ts
- data/validators.ts
- findWithDecryption instead of raw em.find/em.findOne

Auth and API routes:
- Route guards (requireAuth, requireRoles, requireFeatures)
- openApi export, auth guards, zod validation, tenant filtering
- pageSize MUST be <= 100

Migrations:
- yarn db:generate; scoped manual SQL is allowed only to avoid unrelated generated churn and must include .snapshot-open-mercato.json
- .snapshot-open-mercato.json: reject unrelated schema churn

Entities and events:
- Entity fields: id, created_at, updated_at, deleted_at, is_active, organization_id
- events.ts with as const

UI:
- CrudForm — never custom
- DataTable — never manual markup
- flash() — never alert() or custom toast
- apiCall/apiCallOrThrow — never raw fetch
- Keyboard shortcuts: Cmd/Ctrl+Enter (submit), Escape (cancel)
- CrudForm/DataTable, flash(), keyboard shortcuts, loading/error states

Types and parsing:
- No any types — use zod + z.infer
- catch blocks
- parseBooleanToken/parseBooleanWithDefault

Module wiring:
- `new` directly
- yarn generate is needed. Verify auto-discovery paths.
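The mechanical items on the checklist can be pre-screened before the human or agent review pass. What follows is an added example, not code from the om-code-review skill or the Open Mercato repository: it scans a set of changed files for a subset of the conventions (raw em.find/em.findOne, raw fetch, alert(), any types, pageSize above 100, and API routes missing an auth guard, an organization_id filter, or an openApi export), reports each hit with severity, file, line and fix suggestion, and applies the severity table to produce a merge verdict. The assumed route location (files under an api/ directory), the regexes, and the two sample files are assumptions and constructed input, not the project's own layout or tooling.

```typescript
// Added example, not part of the om-code-review skill or the Open Mercato code base:
// a pattern-based pre-check that scans changed files for mechanical checklist items
// and reports findings with severity, file, line and fix, then applies the severity
// table (Critical/High block the merge). The api/ path layout and the regexes are
// assumptions about how the conventions show up in code; the sample files are constructed.

type Severity = "Critical" | "High" | "Medium" | "Low";
const SEVERITY_ORDER: Severity[] = ["Critical", "High", "Medium", "Low"];

interface Finding { severity: Severity; file: string; line: number; rule: string; fix: string; }

// A line matching `pattern` (and passing `accept`, when given) is a finding.
interface LineRule {
  id: string; severity: Severity; pattern: RegExp; fix: string;
  appliesTo?: RegExp;                        // restrict to file paths (UI rules only for .tsx)
  accept?: (m: RegExpMatchArray) => boolean; // extra check on the match, e.g. a numeric limit
}

// A file matching `appliesTo` that never mentions `required` is a finding (reported as line 0).
interface FileRule { id: string; severity: Severity; appliesTo: RegExp; required: RegExp; fix: string; }

const LINE_RULES: LineRule[] = [
  { id: "raw-em-find", severity: "Critical", pattern: /\bem\.find(?:One)?\s*\(/,
    fix: "Use findWithDecryption instead of raw em.find/em.findOne." },
  { id: "page-size", severity: "High", pattern: /\bpageSize\s*[:=]\s*(\d+)/,
    accept: (m) => Number(m[1]) > 100, fix: "pageSize MUST be <= 100." },
  { id: "any-type", severity: "Medium", pattern: /:\s*any\b|\bas any\b|<any>/,
    fix: "Drop the any type; declare a zod schema and use z.infer." },
  { id: "raw-fetch", severity: "Medium", pattern: /(?:^|[^.\w])fetch\s*\(/, appliesTo: /\.tsx?$/,
    fix: "Use apiCall/apiCallOrThrow, never raw fetch." },
  { id: "alert", severity: "Medium", pattern: /\balert\s*\(/, appliesTo: /\.tsx$/,
    fix: "Use flash(), never alert() or a custom toast." },
];

const API_ROUTE = /\/api\/.*\.ts$/; // assumed location of API route handlers
const FILE_RULES: FileRule[] = [
  { id: "missing-auth-guard", severity: "Critical", appliesTo: API_ROUTE,
    required: /\brequire(?:Auth|Roles|Features)\b/,
    fix: "Guard the route with requireAuth/requireRoles/requireFeatures." },
  { id: "missing-tenant-filter", severity: "Critical", appliesTo: API_ROUTE,
    required: /\borganization_?id\b/i, fix: "Scope tenant-scoped queries by organization_id." },
  { id: "missing-openapi", severity: "High", appliesTo: API_ROUTE,
    required: /\bopenApi\b/, fix: "Add the openApi export for the route." },
];

function reviewFiles(files: { [path: string]: string }): Finding[] {
  const findings: Finding[] = [];
  for (const file in files) {
    const content = files[file];
    content.split("\n").forEach((text, i) => {
      for (const r of LINE_RULES) {
        if (r.appliesTo && !r.appliesTo.test(file)) continue;
        const m = text.match(r.pattern);
        if (m && (!r.accept || r.accept(m))) {
          findings.push({ severity: r.severity, file, line: i + 1, rule: r.id, fix: r.fix });
        }
      }
    });
    for (const r of FILE_RULES) {
      if (r.appliesTo.test(file) && !r.required.test(content)) {
        findings.push({ severity: r.severity, file, line: 0, rule: r.id, fix: r.fix });
      }
    }
  }
  // Most severe first, then by file and line, so the report reads top-down.
  return findings.sort((a, b) =>
    SEVERITY_ORDER.indexOf(a.severity) - SEVERITY_ORDER.indexOf(b.severity) ||
    a.file.localeCompare(b.file) || a.line - b.line);
}

// Severity table: Critical and High MUST be fixed before merge.
function verdict(findings: Finding[]): "BLOCK" | "PASS" {
  return findings.some((f) => f.severity === "Critical" || f.severity === "High") ? "BLOCK" : "PASS";
}

// Render the Findings section of the report, omitting empty severity sections.
function renderFindings(findings: Finding[]): string {
  const out: string[] = ["## Findings"];
  for (const sev of SEVERITY_ORDER) {
    const group = findings.filter((f) => f.severity === sev);
    if (group.length === 0) continue;
    out.push(`### ${sev}`);
    for (const f of group) {
      out.push(`- [${f.rule}] ${f.line > 0 ? `${f.file}:${f.line}` : f.file}: ${f.fix}`);
    }
  }
  return out.join("\n");
}

// Constructed sample change: one API route and one backend page, each breaking several rules.
const SAMPLE_CHANGE: { [path: string]: string } = {
  "packages/modules/orders/api/orders/route.ts": [
    "export async function GET(req: Request) {",
    "  const em = getEm()",
    "  const rows = await em.find(Order, { status: 'open' })",
    "  return Response.json({ items: rows, pageSize: 500 })",
    "}",
  ].join("\n"),
  "packages/modules/orders/backend/OrdersPage.tsx": [
    "export function OrdersPage() {",
    "  const data: any = fetch('/api/orders')",
    "  alert('loaded')",
    "}",
  ].join("\n"),
};

console.log(renderFindings(reviewFiles(SAMPLE_CHANGE)), "\nVerdict:", verdict(reviewFiles(SAMPLE_CHANGE)));
```

Run it with tsx or ts-node; the printed Findings section drops empty severity groups, as the output template requires. Pattern checks only catch the obvious cases: a query that filters by organization_id in one branch but not another, or a guard that is imported but never called, still needs a human read of the diff, so treat a clean run as a precondition for the review, not as the review passing.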