Review Prisma Patterns

This skill performs systematic code review of Prisma usage, catching critical violations, security vulnerabilities, and performance anti-patterns identified through comprehensive stress testing of AI coding agents.

---

1. Multiple PrismaClient Instances (80% of agents failed)
2. SQL Injection Vulnerabilities (40% of agents failed)
3. Missing Serverless Configuration (60% of agents failed)
4. Deprecated Buffer API (Prisma 6 breaking change)
5. Generic Error Handling (Missing P-code checks)
6. Missing Input Validation (No Zod/schema validation)
7. Inefficient Queries (Offset pagination, missing select optimization)

Each violation includes severity rating, remediation steps, and reference to detailed Prisma 6 skills.

Phase 1: Discovery

1. Find all Prisma usage:

   • Search for @prisma/client imports
   • Identify PrismaClient instantiation
   • Locate raw SQL operations

2. Identify project context:

   • Check for serverless deployment (vercel.json, lambda/, app/ directory)
   • Detect TypeScript vs JavaScript
   • Find schema.prisma location

Phase 2: Critical Issue Detection

Run validation checks in order of severity:

1. CRITICAL: SQL Injection (P0 - Security vulnerability)
2. CRITICAL: Multiple PrismaClient (P0 - Connection exhaustion)
3. HIGH: Serverless Misconfiguration (P1 - Production failures)
4. HIGH: Deprecated Buffer API (P1 - Runtime errors)
5. MEDIUM: Generic Error Handling (P2 - Poor UX)

Phase 3: Report Generation

1. Group findings by severity
2. Provide file path + line number
3. Include code snippet
4. Reference remediation skill
5. Estimate impact (Low/Medium/High/Critical)

P0 - CRITICAL (Must fix before deployment)

1. SQL Injection Detection

grep -rn "\$queryRawUnsafe\|Prisma\.raw" --include="*.ts" --include="*.js" .

Red flag: String concatenation with user input Fix: Use $queryRaw tagged template

2. Multiple PrismaClient Instances

grep -rn "new PrismaClient()" --include="*.ts" --include="*.js" . | wc -l

Red flag: Count > 1 Fix: Global singleton pattern

P1 - HIGH (Fix before production)

3. Missing Serverless Configuration

grep -rn "connection_limit=1" --include="*.env*" .

Red flag: No connection_limit in serverless app Fix: Add ?connection_limit=1 to DATABASE_URL

4. Deprecated Buffer API

grep -rn "Buffer\.from" --include="*.ts" --include="*.js" . | grep -i "bytes"

Red flag: Buffer usage with Prisma Bytes fields Fix: Use Uint8Array instead

See references/validation-checks.md for complete validation patterns with examples.

Step 1: Find Prisma Files

find . -type f \( -name "*.ts" -o -name "*.js" \) -exec grep -l "@prisma/client" {} \;

Step 2: Run All Checks

Execute checks in severity order (P0 → P3):

1. SQL Injection check
2. Multiple PrismaClient check
3. Serverless configuration check
4. Deprecated Buffer API check
5. Error handling check
6. Input validation check
7. Query efficiency check

Step 3: Generate Report

Format:

Prisma Code Review - [Project Name]
Generated: [timestamp]

CRITICAL Issues (P0): [count]
HIGH Issues (P1): [count]
MEDIUM Issues (P2): [count]
LOW Issues (P3): [count]

---

[P0] SQL Injection Vulnerability
File: src/api/users.ts:45
Impact: CRITICAL - Enables SQL injection attacks
Fix: Use $queryRaw tagged template
Reference: @prisma-6/SECURITY-sql-injection

[P0] Multiple PrismaClient Instances
Files: src/db.ts:3, src/api/posts.ts:12
Count: 3 instances found
Impact: CRITICAL - Connection pool exhaustion
Fix: Use global singleton pattern
Reference: @prisma-6/CLIENT-singleton-pattern

Provide structured review with:

Summary:

• Total files reviewed
• Issues by severity (P0/P1/P2/P3)
• Overall assessment (Pass/Needs Fixes/Critical Issues)

Detailed Findings: For each issue:

1. Severity badge ([P0] CRITICAL, [P1] HIGH, etc.)
2. Issue title
3. File path and line number
4. Code snippet (5 lines context)
5. Impact explanation
6. Specific remediation steps
7. Reference to detailed skill

Remediation Priority:

1. P0 issues must be fixed before deployment
2. P1 issues should be fixed before production
3. P2 issues improve code quality
4. P3 issues optimize performance

MUST:

• Check all 7 critical issue categories
• Report findings with file path + line number
• Include code snippets for context
• Reference specific Prisma 6 skills for remediation
• Group by severity (P0 → P3)

SHOULD:

• Prioritize P0 (CRITICAL) issues first
• Provide specific fix recommendations
• Estimate impact of each violation
• Consider project context (serverless vs traditional)

NEVER:

• Skip P0 security checks
• Report false positives without verification
• Recommend fixes without testing patterns
• Ignore serverless-specific issues in serverless projects

For detailed information on specific topics:

• Validation Checks: See references/validation-checks.md for all 7 validation patterns with detailed examples
• Example Reviews: See references/example-reviews.md for complete review examples (e-commerce, dashboard)

Load references when performing deep review or encountering specific violation patterns.

After generating review:

1. Verify Findings:

   • Re-run grep commands to confirm matches
   • Check context around flagged lines
   • Eliminate false positives

2. Test Remediation:

   • Verify recommended fixes are valid
   • Ensure skill references are accurate
   • Confirm impact assessments

3. Completeness Check:

   • All 7 categories checked
   • All Prisma files reviewed
   • Severity correctly assigned

---

Integration: This skill is discoverable by the review plugin via review: true frontmatter. Invoke with /review prisma-patterns or automatically when reviewing Prisma-based projects.

Performance: Review of typical project (50 files) completes in < 10 seconds using grep-based pattern matching.

Updates: As new Prisma violations emerge, add patterns to validation checks with corresponding skill references.