beforemerge-supabase-review
BeforeMerge: Supabase Review
Comprehensive code review knowledge base for Supabase applications. Contains rules across 4 categories — security, performance, architecture, and quality — prioritized by impact.
When to Apply
Reference these rules when:
- Reviewing pull requests that touch Supabase queries, RLS policies, or migrations
- Writing new database tables, policies, or server-side Supabase calls
- Auditing existing code for RLS gaps, auth misuse, or query anti-patterns
- Refactoring Supabase integration for performance or maintainability
- Running pre-merge quality checks on Supabase-related changes
Rule Categories by Priority
| Priority | Category | Impact | Prefix | Focus |
|---|---|---|---|---|
| 1 | Security | CRITICAL | sec- | RLS, auth, service role, migration safety |
| 2 | Performance | HIGH | perf- | Query optimization, connection pooling, pagination |
| 3 | Architecture | MEDIUM | arch- | Client selection, type generation, migration structure |
| 4 | Quality | LOW-MEDIUM | qual- | Error handling, input validation, unchecked errors |
How to Use
Read individual rule files in rules/ for detailed explanations and code examples.
Each rule contains:
- Brief explanation of why it matters
- Incorrect code example with explanation
- Correct code example with explanation
- CWE/OWASP mapping where applicable
- References to official documentation
For the complete compiled guide: AGENTS.md