name	solidity-pr-review
description	Review Solidity contracts, tests, and deployment scripts for security, code structure, and maintainability. Use when asked to review PRs, audit changes, enforce Solidity best practices, or validate contract-level correctness and test quality in this repository.

Solidity PR Review

Use this workflow to review contract changes with a security-first lens.

Review scope

Inspect these areas first:

policy-engine/contracts/src
vault/contracts/src
chainlink-cre-car-value-insurance/contracts/src
chainlink-cre-car-price-oracle/contracts/src
matching tests in each contracts/test folder
matching deploy scripts in each contracts/script folder

Process

Read changed files and identify behavior changes, not only style changes.
Check invariants and state-machine transitions (purchase, claim, payout, expiry, ownership transfer).
Check external calls, authorization, and value movement.
Check event emission and argument correctness.
Check test quality (happy path + revert paths + edge cases).
Return findings ordered by severity with file and line references.

Minimum security checks

Always verify:

Access control on admin and payout functions.
Reentrancy/call-order risks around value transfers.
Timestamp usage (block.timestamp) and expiry boundaries.
Integer math and decimal domain mismatches (e8 vs e6 vs wei).
Proper handling of zero-address and zero-value cases.
Correct custom errors and revert reasons for integration-facing failures.

Repository-specific rules

Treat these as hard requirements unless the user explicitly approves a protocol change:

Keep policy identity as tokenId == policyId.
Preserve locked events:
PolicyPurchased(uint256,address,bytes32,uint128,uint256,uint64)
PolicyClaimed(uint256,address,uint256,uint128,uint64)
Optional PremiumPaid(uint256,uint256)
Preserve feed hashing rule: keccak256(bytes(feedKeyString)).
Preserve oracle report decimal format: priceUsdE8.
Preserve settlement token assumptions: USDC-style 6 decimals in interfaces.

Security checklist

Restrict admin methods with role checks (onlyOwner, onlyManager, etc.).
Ensure claimed and similar flags update before external value transfer calls.
Prevent claims on non-existent, expired, or already-claimed policies.
Validate transfer return values for ERC-20 interactions.
Keep unit domains explicit (priceUsdE8, coverageUSDC, wei).
Reject stale or invalid oracle data where logic depends on freshness.
Emit integration-critical events consistently and in locked field order.

Output contract

Return:

Findings with severity and precise file references.
Missing tests and exact test cases to add.
Safe to merge? as yes, no, or yes-with-followups.

Solidity PR Review

Use this workflow to review contract changes with a security-first lens.

Review scope

Inspect these areas first:

policy-engine/contracts/src

vault/contracts/src

chainlink-cre-car-value-insurance/contracts/src

chainlink-cre-car-price-oracle/contracts/src

matching tests in each contracts/test folder

matching deploy scripts in each contracts/script folder

Process

Read changed files and identify behavior changes, not only style changes.

Check invariants and state-machine transitions (purchase, claim, payout, expiry, ownership transfer).

Check external calls, authorization, and value movement.

Check event emission and argument correctness.

Check test quality (happy path + revert paths + edge cases).

Return findings ordered by severity with file and line references.

Minimum security checks

Always verify:

Access control on admin and payout functions.

Reentrancy/call-order risks around value transfers.

Timestamp usage (block.timestamp) and expiry boundaries.

Integer math and decimal domain mismatches (e8 vs e6 vs wei).

Proper handling of zero-address and zero-value cases.

Correct custom errors and revert reasons for integration-facing failures.

Repository-specific rules

Treat these as hard requirements unless the user explicitly approves a protocol change:

Keep policy identity as tokenId == policyId.

Preserve locked events:

PolicyPurchased(uint256,address,bytes32,uint128,uint256,uint64)

PolicyClaimed(uint256,address,uint256,uint128,uint64)

Optional PremiumPaid(uint256,uint256)

Preserve feed hashing rule: keccak256(bytes(feedKeyString)).

Preserve oracle report decimal format: priceUsdE8.

Preserve settlement token assumptions: USDC-style 6 decimals in interfaces.

Security checklist

Restrict admin methods with role checks (onlyOwner, onlyManager, etc.).

Ensure claimed and similar flags update before external value transfer calls.

Prevent claims on non-existent, expired, or already-claimed policies.

Validate transfer return values for ERC-20 interactions.

Keep unit domains explicit (priceUsdE8, coverageUSDC, wei).

Reject stale or invalid oracle data where logic depends on freshness.

Emit integration-critical events consistently and in locked field order.

Output contract

Return:

Findings with severity and precise file references.

Missing tests and exact test cases to add.

Safe to merge? as yes, no, or yes-with-followups.

solidity-pr-review