Catch payment, auth, database, and migration bugs before you merge.
A focused PR risk review for founders and agencies shipping with Cursor, Claude Code, Codex, Lovable, or v0. Get only the issues worth fixing before launch or client delivery.
checkout-session-webhook
Generated report, ready for a founder or agency delivery thread.
Stripe webhook trusts request JSON without signature verification
app/api/stripe/webhook/route.ts:3
Webhook reads request JSON directly, then updates subscription state for completed checkout.
Impact: A forged request can activate subscriptions without payment.
Minimum fix: Verify the raw body with the provider signature and process events idempotently.
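What the minimum fix looks like in practice, as an added example that is not the reviewed project's code or the report's own output. It reimplements the documented Stripe signature scheme (header `t=<unix seconds>,v1=<hex HMAC-SHA256 over "<t>.<raw body>">`, 300-second replay tolerance) so it runs offline; in a real route you would call `stripe.webhooks.constructEvent(rawBody, header, secret)` from the Stripe SDK and read the body with `await req.text()` rather than `req.json()`, because the signature covers the exact bytes received. The event payload, secret and in-memory store are constructed for illustration; a production handler would replace the store with a table that has a unique index on the event id and inserts it in the same transaction as the subscription update.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Constructed sample inputs (not real Stripe data or a real secret).
export const SECRET = "whsec_example_secret";
export const SAMPLE_EVENT = JSON.stringify({
  id: "evt_example_1",
  type: "checkout.session.completed",
  data: { object: { id: "cs_example_1", payment_status: "paid", client_reference_id: "user_42" } },
});

interface CheckoutEvent {
  id: string;
  type: string;
  data: { object: { id: string; payment_status: string; client_reference_id: string } };
}

// In-memory stand-in for the database: processed event ids plus activated users.
export class SubscriptionStore {
  processedEvents = new Set<string>();
  activeUsers = new Set<string>();
}

export type HandlerResult = { status: number; body: string };

// Build a header the way the provider would; used for tests and local replay.
export function signPayload(rawBody: string, secret: string, ts: number): string {
  const mac = createHmac("sha256", secret).update(`${ts}.${rawBody}`).digest("hex");
  return `t=${ts},v1=${mac}`;
}

// Verify "t=...,v1=..." against the raw body. Rejects stale timestamps (replay)
// and compares MACs in constant time. Multiple v1 entries are allowed during
// secret rotation, so any matching one is accepted.
export function verifySignature(
  rawBody: string,
  sigHeader: string,
  secret: string,
  nowSec: number,
  toleranceSec = 300,
): boolean {
  const parts = new Map<string, string[]>();
  for (const kv of sigHeader.split(",")) {
    const idx = kv.indexOf("=");
    if (idx < 0) continue;
    const k = kv.slice(0, idx).trim();
    const v = kv.slice(idx + 1).trim();
    parts.set(k, [...(parts.get(k) ?? []), v]);
  }
  const ts = Number(parts.get("t")?.[0]);
  const sigs = parts.get("v1") ?? [];
  if (!Number.isFinite(ts) || sigs.length === 0) return false;
  if (Math.abs(nowSec - ts) > toleranceSec) return false;
  const expected = createHmac("sha256", secret).update(`${ts}.${rawBody}`).digest();
  return sigs.some((s) => {
    const candidate = Buffer.from(s, "hex");
    return candidate.length === expected.length && timingSafeEqual(candidate, expected);
  });
}

// The shape the finding describes: parse the JSON and trust whatever it says.
export function vulnerableHandler(rawBody: string, store: SubscriptionStore): HandlerResult {
  const event = JSON.parse(rawBody) as CheckoutEvent;
  if (event.type === "checkout.session.completed") {
    store.activeUsers.add(event.data.object.client_reference_id);
  }
  return { status: 200, body: "ok" };
}

// The hardened shape: signature over the raw body first, then idempotent apply,
// and only for sessions the provider reports as paid.
export function hardenedHandler(
  rawBody: string,
  sigHeader: string | null,
  store: SubscriptionStore,
  secret: string,
  nowSec: number,
): HandlerResult {
  if (!sigHeader || !verifySignature(rawBody, sigHeader, secret, nowSec)) {
    return { status: 400, body: "invalid signature" };
  }
  const event = JSON.parse(rawBody) as CheckoutEvent;
  if (store.processedEvents.has(event.id)) return { status: 200, body: "duplicate" };
  store.processedEvents.add(event.id);
  if (event.type === "checkout.session.completed" && event.data.object.payment_status === "paid") {
    store.activeUsers.add(event.data.object.client_reference_id);
  }
  return { status: 200, body: "ok" };
}
```

Returning 200 for a duplicate is deliberate: providers retry until they see a 2xx, so a duplicate that errors would be redelivered forever. Returning 400 on a bad signature is also deliberate, since the provider logs failed deliveries and that log is the first place you look when a forged request shows up.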
Project creation route has no owner check
No regression test for paid access path
Risk paths that break launches
Payment, auth, tenant scope, database writes, migrations, deploy config, and critical test gaps.
A report people can act on
Each finding includes location, impact, minimum fix, and why it matters before merge or client delivery.
Paid review first, automation later
Start with one-off paid reviews, then move repeat teams to the GitHub App workflow.
Designed for the moment someone is about to merge.
The early product sells one-off reports. The planned product path reviews pull request diffs delivered by GitHub App webhooks and turns high-risk findings into merge-blocking evidence posted inside the PR.
GitHub App or pasted diff
AI + deterministic rules
Only high-impact findings
Markdown, PR comment, or link
Start with paid reviews before subscriptions.
Payment-link first, then GitHub App subscriptions once repeat teams ask for every PR to be guarded.