Each PR is a realistic diff with planted bugs — the same kind a senior reviewer would catch in your interview loop.
Platform team asked every service to expose a /health endpoint so the load balancer can drop unhealthy instances and oncall has a single URL to hit at 2am. This PR adds it for the payments service. Reviewing before it gets wired into the LB config.
Finance flagged that monthly reconciliation between our internal ledger and the PSP's settlement reports has been drifting since refunds went live. This PR has the refund handler write a reversing entry to the ledger after a successful PSP call so books match. Reviewing whether this actually closes the drift.
Last week support flagged three customers double-charged when the mobile app retried after a flaky network. We're adding an Idempotency-Key header + middleware so retries return the original response instead of re-charging. Reviewing for production-readiness before we route real traffic through it.
Mobile team needs to let users edit name / email / avatar without re-sending the entire profile object every time. This PR adds PATCH /users/{id} for partial updates. Reviewing the PATCH semantics carefully — partial-update endpoints are where every team eventually ships a regression.
Product wants a per-user daily activity view in the customer dashboard. This PR adds GET /metrics/users/{id}/daily that aggregates 24-hour activity from a few database queries. Reviewing — customer-data endpoints have a different bar than internal analytics ones.
Customer service has been processing partial refunds manually through the PSP dashboard — slow, error-prone, no audit trail. This PR exposes POST /charges/{id}/refunds so the support tool can hit it directly. Reviewing for correctness and the audit story.
Adding `/healthz` so the LB and uptime checks have a stable target. Returns build SHA + version + uptime — readiness probe goes on `/readyz` in a separate PR. Tagging you for the API design + header choices.
We're cutting over from session cookies to JWT so mobile clients can authenticate without the cookie-jar dance. This PR adds the middleware that validates the bearer token, extracts the user, and attaches them to the request context. Reviewing carefully — auth bugs ship to every endpoint at once.
Black Friday traffic broke our polling-based order processor — we fell behind by 40 minutes and customers got delayed confirmation emails. This PR replaces the poller with a Kafka consumer so we scale horizontally and get backpressure for free. Reviewing before we cut traffic over.
Order processor needs basic instrumentation — adding logs around each stage and a Prometheus counter for throughput. Used the team's logging conventions doc. Open to feedback on log levels / label choices.
Profile page wants a "recent orders" section showing the user's last 10 orders with line items and product info. Hooked it up to the existing repos.
Auth team's new identity-service client is finally stable — moving login lookup over to it. Auth team owns user lifecycle now (active / banned / soft-deleted), so this should let us delete a chunk of our own bookkeeping. Last review I want before we route real traffic through this.
Customers want a v2 of the orders listing API — v1's response shape was painful to evolve and we're locking in v2 before adding new features. Mirrors v1's behavior with cleaner field names. Tagging you for the once-over before partner docs go out.
Customers want webhooks for our v2 API — they POST a URL and we fire HTTP callbacks on order events. This is the subscription endpoint plus the test-ping that fires immediately after creation so the customer can verify their endpoint received it. Auth team said the request middleware already injects the authenticated account into context.
Pricing service got hammered during last month's flash sale — adding a 60-second TTL cache in front so we don't blow it up again. Touches three files; pricing client now sits behind the cache wrapper. Need a once-over before we ship for the campaign next Friday.