
code-review (listed)

Review the current diff against path-scoped rules (secrets, RLS/tenant scoping, Stripe webhook verification, input validation, scope), flag changed code lacking tests, and run a quick security pass. Reports findings; nothing auto-fixed without approval.
evgenii-studitskikh/Claude-Code-SaaS-Studio · ★ 1 · Code & Development · score 80
Install: claude install-skill evgenii-studitskikh/Claude-Code-SaaS-Studio
Perform a structured, rule-driven review of the current working-tree diff, checking for the most critical SaaS security and correctness properties. Non-autonomous: all findings are reported as a prioritized list; nothing is changed without the user's explicit sign-off on each fix.

## Phases

1. **Get the diff** — read the current unstaged and staged changes. If no diff exists, ask the user which files or commits to review. Summarize the scope of the review (N files, N lines changed) before proceeding.
2. **Check for secrets** — scan all changed files for patterns that look like hardcoded secrets: API keys, JWTs, connection strings, private keys, and Stripe secret keys. Any match is a BLOCKING finding. Cross-check that `.env.example` uses placeholders and that `.gitignore` covers `.env*`.
3. **Verify RLS and tenant scoping** — for any server action or route handler, confirm that: (a) the Supabase client is initialized with the session cookie (not the service role key unless justified), (b) all queries that touch tenant data include a tenant-scoping filter, and (c) tenant ID is never sourced from unvalidated client input.
4. **Validate Stripe handling** — for any webhook handler, verify: (a) `stripe.webhooks.constructEvent` is called with the raw request body and `STRIPE_WEBHOOK_SECRET`, (b) event types are handled with idempotency (check for a processed-event record or Supabase upsert pattern), and (c) the handler returns 200 quickly and does heavy work asynchronously if neede