89 lines (84 loc) · 3.98 KB
.coderabbit.yml
# yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json
language: "en-US"
early_access: false
reviews:
  assess_linked_issues: false
  collapse_walkthrough: true
  high_level_summary: false
  review_status: false
  suggested_labels: false
  suggested_reviewers: false
  poem: false
  profile: "assertive"
  auto_review:
    enabled: true
    drafts: false
    base_branches:
      - "develop"
  path_filters:
    - "includes/**"
    - "client/**"
    - "tests/**"
    - ".github/actions/**"
    - ".github/workflows/**"
    - "composer.json"
    - "composer.lock"
    - "package.json"
    - "package-lock.json"
    - "!assets/**"
    - "!build/**"
    - "!**/*.min.js"
    - "!**/*.map"
  path_instructions:
    - path: "includes/payment-methods/**/*.php"
      instructions: |
        This is high-churn, payment-critical code.
        Require null/empty guards before calling methods on orders, products, and tokens.
        Require explicit state-transition checks for payment lifecycle updates.
        Flag coupling risks between UPE gateway behavior and frontend checkout flows.
    - path: "includes/class-wc-stripe-webhook-handler.php"
      instructions: |
        Require strict webhook signature validation and idempotent event handling.
        Require safe handling for duplicate, delayed, or out-of-order events.
        Require defensive payload/type checks to prevent fatal errors on unexpected data.
    - path: "includes/class-wc-stripe-order-helper.php"
      instructions: |
        Treat order/refund metadata mapping as regression-prone.
        Require consistency checks between Stripe IDs and Woo order/refund metadata.
        Flag changes that can desynchronize refund or intent identifiers.
    - path: "includes/admin/**/*.php"
      instructions: |
        For settings/admin changes, require capability and nonce checks.
        Verify backward compatibility for existing options, defaults, and upgrade paths.
    - path: "client/blocks/**/*.{js,jsx,ts,tsx}"
      instructions: |
        This area has repeated optimized/express checkout regressions.
        Require robust async failure/retry handling and null-safe data access.
        Flag frontend/backend contract mismatches with gateway/payment-method behavior.
    - path: "client/classic/**/*.{js,jsx,ts,tsx}"
      instructions: |
        This area has repeated optimized/express checkout regressions.
        Require robust async failure/retry handling and null-safe data access.
        Flag frontend/backend contract mismatches with gateway/payment-method behavior.
    - path: "client/settings/**/*.{js,jsx,ts,tsx}"
      instructions: |
        Ensure admin UI settings behavior remains in sync with backend settings semantics.
        Flag changes that can desynchronize toggles/feature flags between UI and PHP.
    - path: "includes/**/*.php"
      instructions: |
        This is payment-critical backend code.
        Require capability/nonce checks on admin or REST entry points.
        Require input validation/sanitization and proper output escaping.
        For any order/subscription/customer mutation, require explicit state checks, ownership checks, and race-condition safety.
        For webhooks, require signature verification and idempotent processing before mutating state.
        Never expose secrets or sensitive payment/customer data in logs, notes, metadata, or errors.
        Preserve backward compatibility for existing hooks/options and supported WordPress/WooCommerce versions.
        Request PHPUnit coverage when behavior changes.
    - path: "client/**/*.{js,jsx,ts,tsx}"
      instructions: |
        Ensure async checkout/admin payment flows handle failures and retries safely.
        Ensure no secret keys or sensitive data are exposed client-side.
        Request Jest/Playwright coverage for behavior changes.
    - path: "tests/**/*.{php,js,ts,tsx}"
      instructions: |
        Prefer coverage of failure and edge cases: declines, duplicate webhooks, retry handling, partial refunds, stale order state.