Install Extension

VS Code / Cursor extension

Vibe code freely. MergeCore catches what seniors would flag.

Review a snippet, file, or git diff inside VS Code and Cursor. MergeCore spots risky pack-specific mistakes, weak AI-generated code, and messy logic — then helps you fix it before review begins.

Install ExtensionSee It Catch Real Issues

The workflow

Review code where it actually matters: before commit.

Run MergeCore on a snippet, file, staged diff, or working tree. Get actionable findings, severity scores, pack-aware feedback, and rewrites you can apply immediately.

MergeCore: Review Selection · Review Active File · Review Git Diff · Review Staged Diff

It is built for the moment confidence drops: after the code works, before someone else has to review the mess.

Why it helps

Fewer pointless PR comments. Better code shipped faster.

MergeCore reads project signals and applies versioned rules packs, so feedback feels closer to a sharp engineer than a generic AI lint pass.

Use it at the exact level you need

Review one risky method or an entire file. No need to wait for a full PR cycle to get useful feedback.

See issues where you're already working

Findings appear inside the editor, so you can fix problems while context is still fresh.

Review before team overhead

Catch weak assumptions, rough edges, and AI sludge before someone else has to point it out.

Get feedback that leads somewhere

Not vague complaints. Real findings, code examples, and practical rewrites.

Apply improvements instantly

Accept patches directly in-editor or export a markdown review for your team.

Built for modern stacks

Pack first. Add language, framework, testing, frontend, backend, mobile, and domain-specific rules without changing the review workflow.

// Rule Packs

Current rule packs, plus the next wave on the roadmap.

Shipping today from the repo: language, framework, testing, frontend, backend, mobile, and systems packs. Planned next: more community packs, domain packs, and stronger pack resolution.

Current rule packs
TypeScript
Type & app rules
React
Component review
Python
Service rules
Go
API & concurrency
Swift
App rules
Future rule packs
More Frameworks
Web & app packs
More Test Runners
Coverage & quality
Node
Backend JS services
Domain Packs
Team-specific rules

How Packs Work

Rule packs are structured, not hand-wavy.

MergeCore packs are made of a few clear files with different jobs: one says what the pack is, one defines the rules and scoring, one gives human shorthand for common problems, and one explains how an AI reviewer should apply the pack in practice.

Manifest & wiring

pack.json

The pack manifest tells MergeCore what the pack is called, which version it is, which files it publishes, and how hosts should resolve the rest of the pack.

  • Defines metadata like pack ID, title, version, tags, and compatibility details.
  • Points at the files the pack exposes, such as rubric, smells, and agent instructions.
  • Acts as the single lookup point when a host wants to load the pack correctly.

Rules & scoring

rubric.json

This is the scoring source of truth. It defines the rules, severities, penalties, and detection hints that shape how MergeCore judges a change.

  • Holds stable rule IDs, categories, titles, descriptions, and severity levels.
  • Controls how findings affect score so review output stays consistent and traceable.
  • Lets packs gate or tune rules for stack-specific contexts like Filament or Pest.

Human-facing shorthand

smells.json

The smell index translates deeper rules into named patterns people recognise quickly, which helps with triage, wording, and fix guidance.

  • Maps named smells back to rubric rules through rule references.
  • Adds quick summaries, layers, and typical-fix guidance for common problems.
  • Keeps reviewer wording practical without losing the rule-level source underneath.

How reviewers should think

agents.md

Agent instructions explain tone, priorities, evidence rules, and how the reviewer should apply the pack instead of just dumping raw rule text.

  • Defines stance like security before style and evidence before invention.
  • Keeps AI-assisted review aligned with the same language and standards across teams.
  • Bridges the gap between structured rules and useful, readable feedback.

Review modes · Personas

Pick the reviewer looking over your shoulder.

The same pack, the same rules, reviewed through a different lens. Personas tune emphasis, tone, and triage without ever inventing evidence or dropping the ground rules.

Default

MergeCore Default

Balanced senior-style review across the active pack.

  • correctness
  • security
  • maintainability
  • operability
Principal

Principal Engineer

Architecture obsessed. Boundaries, invariants, long-term cost.

  • architecture
  • boundaries
  • invariants
  • api-design
Startup CTO

Startup CTO

Ship fast, stay alive. Pragmatic over pristine.

  • shipability
  • risk-vs-speed
  • blast-radius
  • revert-cost
Security

Security Lead

Paranoid by trade. Treat every input as hostile.

  • auth
  • input-validation
  • secrets
  • data-exposure
Refactor

Refactor Veteran

Simplify aggressively. Delete more than you add.

  • simplicity
  • dead-code
  • duplication
  • control-flow
Mentor

Staff Mentor

Teaches juniors. Explains the why, not just the what.

  • teachability
  • rationale
  • idioms
  • pitfalls

Multi-level review buttons

One click picks the depth, not just the target.

Scope is how the code gets sent to the engine. A review level is what you want the engine to do with it — a quick sanity pass, a whole-file sweep, a flow across files, a proper PR review, or a broad disaster hunt.

QuickSelection

Quick Review

Current function only. Fast, focused sanity check.

FileActive file

File Review

Current file end-to-end, as a cohesive unit.

FlowFile + related context

Flow Review

Linked files plus the business process that runs through them.

PRGit diff

PR Review

Changed files with impact analysis across the diff.

DisasterActive file

Disaster Review

Find everything wrong. Broad, unsparing sweep.

Strong inline comments

Review comments that actually say something.

MergeCore rewrites its own output. Hedged openings, empty verdicts, and vague "refactor this" one-liners get caught by a defence-in-depth pass so every finding lands as a decision, not a suggestion.

Hedged opening

Weak

Consider maybe adding a null check here when the user is missing.

Strong

Guard against `user` being null before dereferencing `user.id`; otherwise this throws in the logged-out branch.

"Consider", "maybe", "might want to" — softeners that turn a call into a shrug — get stripped.

Empty verdict

Weak

This is a bit messy and could be cleaner.

Strong

Extract the three nested `try/catch` branches into `parsePayload()` so the happy path reads top-to-bottom.

"Needs work", "a bit messy", "could be better" describe a feeling, not a fix. They get replaced or dropped.

Targetless refactor

Weak

Refactor this.

Strong

Split `processOrder()` — the validation, pricing, and persistence steps each deserve their own function.

Bare "refactor this" names no target. Strong comments must say what to extract, split, rename, or remove.

Contextual memory

Review that remembers how your project is wired.

Before a review runs, MergeCore fingerprints the workspace: dependencies, test setup, TypeScript strictness, domain layout, and any conventions your team has declared. That profile is cached, auto-invalidated when it should be, and fed back into every review so feedback stays stack-aware.

Dependencies & runtime

package.json, composer.json, lockfiles, tsconfig — used to decide which packs apply and which ecosystem idioms to expect.

Domain layout

Detects patterns like Actions, Commands, Repositories, DTOs, typed requests, and service-over-helper style so findings match how your codebase is actually structured.

Testing style

Spots the test runner, assertion style, and fixtures in use so reviews point at tests the same way your repo already writes them.

Declared conventions

Team rules in .mergecore/conventions.json win on conflicts. Write them down once; every review respects them.

Profiles are cached per workspace with a short TTL and auto-invalidate the instant a lockfile, tsconfig, or conventions file changes — so the review that runs after composer require or npm install already knows about the new dependency.

What Breaks In Prod?

A scanner for the nine things that wake on-call up.

A pack-agnostic scanner dedicated to production-risk categories, not style. Built-in rules ship with the engine; packs contribute stack-specific rules as pure data, so adding coverage for a new framework never means shipping new scanner code.

race-conditions

Race conditions

Check-then-act, unsynchronised shared state, and concurrent writes that only fail under real traffic.

retry-duplication

Retry duplication

Non-idempotent work on retry paths — double charges, duplicate rows, and repeated side effects.

no-transactions

Missing transactions

Multi-step writes with no atomic boundary, leaving the system in half-committed states when one step fails.

bad-queue-retries

Bad queue retries

Infinite retries, no backoff, no dead-letter path — the reason a single bad job can drown the whole worker fleet.

memory-leaks

Memory leaks

Growing caches without bounds, listeners never torn down, closures that pin large objects for the life of the process.

n-plus-one

N+1 queries

Loops that fire one query per item. Fast in dev, fatal under real traffic. Number one cause of slow endpoints.

missing-indexes

Missing indexes

Queries on unindexed columns, sequential scans on tables that will grow, and joins without covering indexes.

no-rate-limits

No rate limits

Public endpoints with no throttle, outbound calls with no budget, cron paths that fan out unbounded.

weak-logging

Weak logging

Errors swallowed, logs with no correlation id, failures reported as info — the things that make incidents unsolvable at 3am.

Rules are data only: regex sources, language gates, and workspace-signal requirements. Malformed pack rules are dropped silently so one bad entry cannot break the scanner — built-ins remain authoritative.

Explain Why

Every criticism has to teach something.

A finding that says what is wrong but not why leaves the reader with nothing to internalise. MergeCore enforces a teaching bar: critical, error, and warning findings must carry a substantive why_it_matters, and hidden side effects get a dedicated callout so readers cannot miss them during review.

Shallow why

Weak

This is not best practice.

Teaches

The handler returns before the write completes; under load the client will see stale reads from the replica until the next commit catches up, which is how we got yesterday's incident.

Restates the rule

Unspecified risk

Weak

This might cause issues.

Teaches

Retrying the charge call on timeout without an idempotency key double-bills on the second attempt; Stripe keeps both charges and we have to refund manually.

No concrete cost named

Hidden side effect

Weak

This function silently swallows errors.

Teaches

The bare catch block discards the DB error, so the caller sees success while the row was never written; the read-back a few lines down returns empty and the endpoint responds 200 with no data.

Hidden side effect

The enforcement runs on both the engine and the host, so even a weakly-worded response from the model gets surfaced in the sidebar as a "Hidden side effect" tag or a neutral reviewer note — never silently accepted.

Entry points

Run review exactly where confidence drops.

Use MergeCore on the part of the change that feels risky, messy, or just too AI-written to trust on the first pass.

Selection review

Perfect for a risky block, fresh refactor, or the method that feels fine until you look twice.

mergecore.reviewSelection

Active file review

Run a full pass when the whole file needs a proper sanity check, not just one highlighted section.

mergecore.reviewFile

Working tree diff review

Check your in-progress branch before it turns into a pile of fixes, follow-ups, and reviewer comments.

mergecore.reviewGitDiff

Staged diff review

Give the exact staged patch one last senior-style pass before you commit it or send it up for review.

mergecore.reviewStagedDiff

Fits your setup

Easy to try. Serious when you need it.

The extension is designed so you can get a feel for the workflow immediately, then connect it to your configured MergeCore API environment when you are ready for the full backend-driven path.

  • Start without ceremony. You can install the extension and get through the review workflow without first wrestling with account setup, tokens, or external plumbing.
  • Connect your review backend when ready. When you want MergeCore running against your configured API, add your base URL and token in settings and switch the extension over to that path.
  • Stay in flow. The Review panel can open automatically after a run, and it can fall back to a beside tab when the activity-bar view is not available in your editor host.

Write fast. Review smart. Merge confidently.

Give the branch one last senior pass before review starts, and catch the stuff that makes people lose confidence fast.

See It Catch Real Issues