
Better Auth
How the fastest growing auth framework keeps shipping fast
“cubic feels like adding a senior security engineer who works 24/7, only it was live two minutes after I clicked Install.”
— Bereket Engida, creator & lead maintainer of BetterAuth
BetterAuth powers authentication for more than 130,000 new TypeScript deployments every week—making it one of the most‑installed OSS packages on npm and a de‑facto layer of internet plumbing.
Maintained by YC‑backed founder Bereket Engida, the framework gives companies—from seed‑stage fintechs to Fortune 500 prototypes—the freedom to run auth on their own infra without SaaS lock‑in.
When Bereket became the single bottleneck on a project that had grown into “core infrastructure” for thousands of production apps, he needed a reviewer that was as rigorous as his own eyes but never slept.
After exhaustive tests of existing AI review bots, he chose cubic.
Challenge
Bereket personally reviewed every pull request—often a hundred or more every month. Because BetterAuth sits on the security boundary, a mistake isn’t a 500 error; it’s a vulnerability.
He had experimented with GitHub Copilot PR suggestions, CodeRabbit, and a handful of CLI‑driven LLM helpers, but found each one noisy and shallow: the tools blanketed diffs with cosmetic nits while overlooking deep TypeScript‑specific risks.
“I was skeptical after testing a couple of AI tools, but cubic proved itself on the very first pull request.”
Before cubic, the result was predictable: midnight review sessions, mounting fatigue, and the creeping fear that something critical would slip through.
Solution
Two-minute deploy, zero learning curve
Bereket connected cubic to GitHub and was done. The integration syncs bidirectionally, so contributors stay in the GitHub UI they already know.
Automatic first pass on every PR
Within minutes of a pull request opening, cubic runs a full review:
Bugs & logic errors – null leaks, missing awaits, unreachable branches
Security red flags – header tampering, token-scope regressions
Tech-debt & duplication – copy-pasted helpers, dead code, TODO land-mines
“If a contributor hasn’t cleared cubic’s comments, I won’t even open the diff,” Bereket says. “Once they do, I get to focus on architecture instead of trivia.”
Because cubic catches the mechanical risks, Bereket’s review shifts to design decisions, API ergonomics, and long-term roadmap fit—work only a maintainer can do.
Real‑World Save: The CORS Header Catastrophe That Never Shipped
Two weeks after turning on cubic, a contributor proposed a bearer-token plugin. Hidden in forty lines of code was a single statement that overwrote Access-Control-Allow-Headers for every response.
If merged, thousands of downstream apps would have failed cross-origin requests and opened themselves to header-injection attacks.
cubic flagged the line as a Security issue three minutes after the PR opened. The contributor replaced the overwrite with an append, added a regression test, and the safe version shipped the same day—before any production tenant updated.
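The overwrite-versus-append distinction behind that save, as an added TypeScript illustration (not code from the BetterAuth plugin or from cubic; the HeaderBag type, the helper names and the sample allow-lists are assumptions):

```typescript
// Added example: a plugin that sets Access-Control-Allow-Headers must merge with
// what the host app already allows, not replace it. Header names are case-insensitive,
// so both existing and new entries are normalised to lower case before merging.
type HeaderBag = Map<string, string>; // assumed: keys stored lower-case

const CORS_ALLOW_HEADERS = 'access-control-allow-headers';
// RFC 9110 token characters (lower-cased); anything else is not a valid header name
const HEADER_NAME = /^[!#$%&'*+\-.^_`|~0-9a-z]+$/;

/** Risky pattern: discards whatever the host app had already allowed. */
function overwriteAllowHeaders(headers: HeaderBag, value: string): HeaderBag {
  headers.set(CORS_ALLOW_HEADERS, value);
  return headers;
}

/** Parse a comma-separated allow-list into normalised, de-duplicated names. */
function parseHeaderList(value: string | undefined): string[] {
  const names = new Set<string>();
  for (const raw of (value ?? '').split(',')) {
    const name = raw.trim().toLowerCase();
    if (name === '') continue;
    // Reject whitespace, colons, CR/LF and other non-token bytes so a plugin
    // cannot smuggle extra fields into the response header line.
    if (!HEADER_NAME.test(name)) throw new Error(`invalid header name: ${raw.trim()}`);
    names.add(name);
  }
  return [...names];
}

/** Safe pattern: union the plugin's needs with the existing allow-list. */
function appendAllowHeaders(headers: HeaderBag, value: string): HeaderBag {
  const merged = new Set<string>([
    ...parseHeaderList(headers.get(CORS_ALLOW_HEADERS)),
    ...parseHeaderList(value),
  ]);
  headers.set(CORS_ALLOW_HEADERS, [...merged].join(', '));
  return headers;
}

/** Regression-test helper: is a given header still permitted after the plugin ran? */
function allowListContains(headers: HeaderBag, name: string): boolean {
  return parseHeaderList(headers.get(CORS_ALLOW_HEADERS)).includes(name.toLowerCase());
}
```

A regression test for the safe path checks that an entry the host set (such as Content-Type) survives the plugin's call; the overwrite version fails that check and every JSON preflight with it.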
Outcomes
First feedback in minutes, not days – Contributors stay engaged and iterate instead of abandoning PRs.
Zero broken releases since cubic joined the repo—six consecutive versions without emergency patching.
Human review spent on architecture – Bereket now comments on design choices, not bracket placement.
Looking Ahead
BetterAuth is expanding into managed dashboards, fraud protection, and global session storage. cubic’s upcoming performance and dependency‑health rules will guard that new surface area so the team can keep shipping infrastructure‑grade releases at startup speed.
“cubic feels like adding a senior security engineer who works 24/7.”
Try cubic on your own repo
If your project sits on the critical path—or if you simply value sleeping through the night—install cubic or book a live demo to watch it safeguard your very next PR.
© 2025 cubic. All rights reserved.