Code Review Checklist

Use this as a PR review gate. Every PR should pass all applicable checks before merge.

Security

  • Auth check → role check → ownership check (IDOR prevention) on every custom endpoint
  • Zod validation on all request bodies before business logic
  • No raw SQL strings — use MikroORM/DML parameterised queries
  • File uploads: extension, MIME, size, filename sanitisation all present
  • Stripe webhook: Stripe-Signature header verified before processing
  • No secrets in code, logs, or error messages
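
The check order from the first Security item, as an added TypeScript example (not code from this project). `Session`, `Order`, `authorizeOrderAccess` and the in-memory `ORDERS` map are hypothetical, and answering 404 for another user's record is an assumed policy.

```typescript
// Added example; all names and data here are hypothetical.
type Role = "customer" | "admin";
interface Session { userId: string; role: Role }
interface Order { id: string; ownerId: string }
type Decision =
  | { status: 200; order: Order }
  | { status: 401 | 403 | 404 };

// Constructed sample records standing in for the data layer.
const ORDERS = new Map<string, Order>([
  ["order_1", { id: "order_1", ownerId: "user_a" }],
  ["order_2", { id: "order_2", ownerId: "user_b" }],
]);

function authorizeOrderAccess(
  session: Session | null,
  orderId: string,
  allowedRoles: Role[],
): Decision {
  // 1. Auth check: no session means the caller is unauthenticated.
  if (session === null) return { status: 401 };

  // 2. Role check: the role must be permitted on this endpoint at all.
  if (allowedRoles.indexOf(session.role) === -1) return { status: 403 };

  // 3. Ownership check: the record must belong to the caller.
  //    The owner comes from the stored record, never from the request.
  const order = ORDERS.get(orderId);
  if (order === undefined) return { status: 404 };
  const ownsRecord = order.ownerId === session.userId;
  if (!ownsRecord && session.role !== "admin") {
    // Assumed policy: same answer as "not found", so IDs cannot be probed.
    return { status: 404 };
  }
  return { status: 200, order };
}
```

A reviewer can look for the same three early returns, in this order, at the top of each custom endpoint handler.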

Architecture

  • No cross-module service calls inside service methods — use Workflows
  • No "use client" on components that don't need it
  • No localStorage for auth tokens or cart ID — cookies only
  • No floats for prices — integers in cents
  • Feature flag guard at entry point (route/middleware), not scattered in service

Testing

  • New custom endpoint has integration test coverage
  • New UI component has Storybook story
  • New critical journey has Playwright test
  • Test data cleaned up in afterAll

Observability

  • Errors logged via logger_, not console.log
  • New health-affecting dependencies included in /health check
  • New Sentry alert configured for any new critical failure mode