fxa-review-quick

Fast single-pass FXA-specific commit review covering security, conventions, logic/bugs, tests, and migrations. No subagents — runs directly in the main context.

Code & Development | 675 stars | 230 forks | Updated today | MPL-2.0

Quality Score: 93/100

Stars (20%): 94
Recency (20%): 100
Frontmatter (20%): 70
Documentation (15%): 100
Issue Health (10%): 50
License (10%): 100
Description (5%): 100

Skill Content

# FXA Quick Review

Review the most recent commit (or the commit specified in `$ARGUMENTS`) in a single pass, using FXA-specific knowledge.

## Step 1: Get Commit Info

```bash
COMMIT_REF="${ARGUMENTS:-HEAD}"
git show "$COMMIT_REF" --format="%H%n%an%n%ae%n%s%n%b"
```

```bash
COMMIT_REF="${ARGUMENTS:-HEAD}"
git show --stat "$COMMIT_REF"
```

## Step 2: Read Changed Files

Use Read and Grep to examine the changed files and their surrounding context. Look at imports, callers, and related types to understand the full picture before judging.

## Step 3: Review

Evaluate the diff through these lenses, in order of priority:

**1. Security**

- Hardcoded secrets, injection (SQL/XSS/command), missing input validation, auth bypasses
- Sensitive data in logs or error messages (PII: emails, UIDs, tokens) — note: UIDs and emails in API response bodies are expected, focus on logs and error messages
- Missing rate limiting on new public endpoints
- Session token handling that bypasses established Hapi auth schemes
- New endpoints missing `Content-Type` validation
- User-controlled input passed to Redis keys without prefix/namespace

**2. FXA Conventions**

- Raw `Error` thrown in route handlers instead of `AppError` from `@fxa/accounts/errors`
- `console.log` instead of the `log` object (mozlog format)
- Cross-package imports using relative paths instead of `@fxa/<domain>/<package>` aliases
- Circular or bi-directional dependencies between packages/libs — breaks build ordering
- Auth-server ...

Details

Author: mozilla
Repository: mozilla/fxa
Created: 10 years ago
Last Updated: today
Language: TypeScript
License: MPL-2.0
