Matrix OS

Review Pipeline

Pre-PR checks and review passes for Matrix OS changes.

Matrix OS uses a strict review pipeline because the project mixes kernel, gateway, platform, shell, docs, and customer VPS runtime changes.

Pre-PR checklist

bun run typecheck
bun run check:patterns
bun run test
npx react-doctor@latest <project-dir>

Run React Doctor whenever a .tsx or .jsx file changes in shell/, home/apps/**, packages/ui/, or www/.

Review passes

  1. Mechanical sweep: run the pattern scanner and fix bare catches, fetches without timeout signals, sync file I/O in request paths, and unbounded in-memory collections.
  2. Trust-boundary sweep: classify changed files as route handler, filesystem, database, WebSocket/IPC, or UI state, then trace external input from entry to use.
  3. Atomicity and failure-mode review: identify source of truth, lock/transaction scope, partial failure states, shutdown behavior, and explicitly deferred scope.

Common hard rules

  • Every related multi-write database mutation needs a transaction or one targeted SQL statement.
  • Every external fetch() needs signal: AbortSignal.timeout(ms).
  • Mutating endpoints need body limits and route-boundary validation.
  • Never expose provider names, raw database errors, filesystem paths, or raw Zod issues to clients.
  • Every long-lived Map or Set needs a cap and eviction policy.
  • Browser WebSocket auth needs explicit query-token support because browsers cannot set Authorization headers on upgrades.
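
The fetch-timeout, error-exposure and bounded-collection rules above, applied to one upstream helper. This is an added TypeScript example, not Matrix OS code: BoundedMap, toClientError, fetchUpstreamJson, the 500-entry cap, the 5-second timeout and caching by URL are all assumptions chosen for illustration.

```typescript
// Added example, not Matrix OS code. All names here are hypothetical.

/** Long-lived Map with a hard cap; evicts the least recently used key. */
class BoundedMap<K, V> {
  private readonly entries = new Map<K, V>();
  private readonly maxEntries: number;
  constructor(maxEntries: number) { this.maxEntries = maxEntries; }
  get size(): number { return this.entries.size; }
  get(key: K): V | undefined {
    if (!this.entries.has(key)) return undefined;
    const value = this.entries.get(key) as V;
    this.entries.delete(key); // re-insert so this key becomes the newest
    this.entries.set(key, value);
    return value;
  }
  set(key: K, value: V): void {
    this.entries.delete(key);
    this.entries.set(key, value);
    if (this.entries.size > this.maxEntries) {
      // Map iterates in insertion order, so the first key is the oldest.
      this.entries.delete(this.entries.keys().next().value as K);
    }
  }
}

type ClientError = { status: number; code: string; message: string };

/** Maps any failure to fixed text; nothing from `err` reaches the client. */
function toClientError(err: unknown): ClientError {
  const errName = err instanceof Error ? err.name : "";
  return errName === "TimeoutError" || errName === "AbortError"
    ? { status: 504, code: "upstream_timeout", message: "The request timed out." }
    : { status: 502, code: "upstream_error", message: "The request could not be completed." };
}

const responseCache = new BoundedMap<string, unknown>(500); // assumed cap
type UpstreamResult = { ok: true; data: unknown } | { ok: false; error: ClientError };

async function fetchUpstreamJson(url: string, timeoutMs = 5000): Promise<UpstreamResult> {
  const cached = responseCache.get(url);
  if (cached !== undefined) return { ok: true, data: cached };
  try {
    const res = await fetch(url, { signal: AbortSignal.timeout(timeoutMs) });
    if (!res.ok) throw new Error(`upstream responded ${res.status}`);
    const data: unknown = await res.json();
    responseCache.set(url, data);
    return { ok: true, data };
  } catch (err) {
    console.error("upstream fetch failed", err); // full detail stays in server logs
    return { ok: false, error: toClientError(err) };
  }
}
```

The catch block is not bare: it logs the original error server-side and returns only the fixed ClientError fields.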

PR discipline

All changes ship from a manual git worktree through a PR. Conventional Commit titles are required. Backend PRs should include source of truth, lock/transaction scope, acceptable orphan states, auth source of truth, and deferred scope.

See the internal reference: docs/dev/review-pipeline.md.
