
Know what to check — before you merge.

An AI-native code review knowledge base. Structured rules with bad-to-good examples, CWE/OWASP mappings, and detection hints that your AI coding agent actually understands.

enable-rls-on-every-table.md
---
title: Enable RLS on Every Table
impact: CRITICAL
detection_grep: "CREATE TABLE public\."
---

-- Bad: table without RLS
CREATE TABLE public.documents (
  id uuid PRIMARY KEY DEFAULT gen_random_uuid(),
  owner_id uuid REFERENCES auth.users(id),
  title text NOT NULL,
  content text
);
-- No RLS! Any user with the anon key can read/write all documents.

-- Good: same table with RLS enabled and one policy per operation
CREATE TABLE public.documents (
  id uuid PRIMARY KEY DEFAULT gen_random_uuid(),
  owner_id uuid REFERENCES auth.users(id),
  title text NOT NULL,
  content text
);

ALTER TABLE public.documents ENABLE ROW LEVEL SECURITY;

-- Users can only see their own documents
CREATE POLICY "users read own documents"
  ON public.documents FOR SELECT
  USING (owner_id = auth.uid());

-- Users can only insert documents they own
CREATE POLICY "users insert own documents"
  ON public.documents FOR INSERT
  WITH CHECK (owner_id = auth.uid());

-- Users can only update their own documents
CREATE POLICY "users update own documents"
  ON public.documents FOR UPDATE
  USING (owner_id = auth.uid())
  WITH CHECK (owner_id = auth.uid());

-- Users can only delete their own documents
CREATE POLICY "users delete own documents"
  ON public.documents FOR DELETE
  USING (owner_id = auth.uid());
Rules for frameworks you already use: Next.js, Supabase, WordPress, SOLID Architecture
The problem

Code review is broken

Existing tools leave critical gaps between what gets caught and what ships to production.

01

Linters catch syntax, not logic

ESLint finds unused variables, not missing authorization checks. Your linter won't tell you that a server action never verifies who is calling it, or that a route handler has no CSRF protection.

✓ no-unused-vars
✓ no-console
✗ missing-auth-check
✗ csrf-protection
02

AI tools review without context

Generic AI code reviews give shallow, inconsistent feedback. Without structured rules, every review is a coin flip of what gets caught.

"Looks good to me"

"Consider error handling"

"No issues found"

03

OWASP docs aren't actionable

Security standards describe vulnerabilities in the abstract. Developers need framework-specific bad-to-good examples they can act on immediately.

A03:2021 — Injection

"An application is vulnerable when user-supplied data is not validated, filtered, or sanitized…"

The solution

What BeforeMerge does differently

A knowledge base built for the age of AI-assisted development. Structured rules that both humans and AI agents can understand.

Structured rule format

Every rule has frontmatter metadata, bad-to-good code examples, impact levels, and detection hints. Machine-readable by design.

AI-native from day one

Rules are written for AI agents to consume. Install a skill, and your Claude Code, Cursor, or Codex session loads the rules automatically.

CWE & OWASP mapped

Every security rule maps to CWE identifiers and OWASP Top 10 categories. Compliance teams get traceability, developers get context.

Framework-specific

Not generic advice. Rules target Next.js App Router patterns, Supabase RLS, WordPress hooks, and SOLID architecture in practice.

Rule format

Every rule follows a structured format

Rules are Markdown files with YAML frontmatter. The consistent structure makes them parseable by AI agents and easy for humans to contribute.

1. Frontmatter: title, impact level, CWE/OWASP mappings, detection grep patterns, and tags for categorization.
2. Bad code example: realistic, framework-specific code that demonstrates the vulnerability or anti-pattern.
3. Good code example: the corrected version showing exactly how to fix the issue, with explanatory comments.
4. Detection hints: grep commands and patterns AI agents use to find potential violations in codebases.
sec-rls-every-table.md
---
title: Enable RLS on Every Table
impact: CRITICAL
cwe: ["CWE-862"]
owasp: ["A01:2021"]
detection_grep: "create table"
tags: [security, supabase, rls]
---

## Enable RLS on Every Table

**Impact: CRITICAL**

Every Supabase table must have Row Level Security enabled; otherwise anyone holding the anon key can read and write every row through the API.

-- Bad: Table without RLS
create table posts (
  id uuid primary key,
  user_id uuid references auth.users,
  content text
);
-- Anyone can read/write all posts

-- Good: RLS enabled with policy
create table posts (
  id uuid primary key,
  user_id uuid references auth.users,
  content text
);
alter table posts enable row level security;
create policy "Users manage own posts"
  on posts for all
  using (auth.uid() = user_id);
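Worked example added here (not BeforeMerge's own code) for the rule format above and for the RLS rule: a detection_grep is only a first pass, since "create table" matches every table, including ones that already have RLS. The script parses the frontmatter of the rule card, runs its detection_grep over a constructed set of migration files, and then applies the rule's real condition, pairing each CREATE TABLE with an ENABLE ROW LEVEL SECURITY and at least one CREATE POLICY. The frontmatter parser, the regexes, the sample migrations and the WARN level are assumptions made for this illustration; unqualified table names are taken to land in the public schema, as they do in Supabase migrations.

```python
"""Added example: run a rule's detection_grep over migrations, then apply the
rule's real condition. Not BeforeMerge code; the parser, regexes, sample data
and the WARN level are assumptions made for this illustration."""
import re

# Constructed copy of the rule card's frontmatter from this page.
RULE_MD = """---
title: Enable RLS on Every Table
impact: CRITICAL
cwe: ["CWE-862"]
owasp: ["A01:2021"]
detection_grep: "create table"
tags: [security, supabase, rls]
---
## Enable RLS on Every Table
"""

# Constructed sample migrations: no RLS, RLS with a policy, RLS without a policy.
MIGRATIONS = {
    "0001_posts.sql": """
create table posts (
  id uuid primary key,
  user_id uuid references auth.users,
  content text
);
""",
    "0002_documents.sql": """
CREATE TABLE public.documents (
  id uuid PRIMARY KEY DEFAULT gen_random_uuid(),
  owner_id uuid REFERENCES auth.users(id),
  title text NOT NULL
);
ALTER TABLE public.documents ENABLE ROW LEVEL SECURITY;
CREATE POLICY "users read own documents"
  ON public.documents FOR SELECT
  USING (owner_id = auth.uid());
""",
    "0003_audit.sql": """
create table public.audit_log (id bigserial primary key, event text);
alter table public.audit_log enable row level security;
""",
}

TABLE_RE = re.compile(r"create\s+table\s+(?:if\s+not\s+exists\s+)?(?:(\w+)\.)?(\w+)", re.I)
RLS_RE = re.compile(r"alter\s+table\s+(?:only\s+)?(?:(\w+)\.)?(\w+)\s+enable\s+row\s+level\s+security", re.I)
POLICY_RE = re.compile(r'create\s+policy\s+(?:"[^"]*"|\w+)\s+on\s+(?:(\w+)\.)?(\w+)', re.I)


def parse_frontmatter(text):
    """Read the key: value block between the --- fences. Handles scalars and
    JSON-style lists, which is all the rule format uses; not a YAML parser."""
    m = re.match(r"^---\n(.*?)\n---", text, re.S)
    if not m:
        raise ValueError("rule has no frontmatter")
    meta = {}
    for line in m.group(1).splitlines():
        key, _, value = line.partition(":")
        value = value.strip()
        if value.startswith("[") and value.endswith("]"):
            meta[key.strip()] = [v.strip().strip("\"'") for v in value[1:-1].split(",") if v.strip()]
        else:
            meta[key.strip()] = value.strip('"')
    return meta


def qualify(schema, name):
    # Assumption: unqualified names land in public, as in Supabase migrations.
    return f"{(schema or 'public').lower()}.{name.lower()}"


def grep_hits(files, pattern):
    """Step 1, the detection hint: behaves like `grep -in` over every file."""
    rx = re.compile(pattern, re.I)
    return [(fname, lineno, line.strip())
            for fname, sql in files.items()
            for lineno, line in enumerate(sql.splitlines(), 1)
            if rx.search(line)]


def check_rls(files):
    """Step 2, the rule itself. CRITICAL when no migration enables RLS on a
    created table; WARN when RLS is on but no policy exists, because then
    anon/authenticated get zero rows while service_role still bypasses RLS."""
    all_sql = "\n".join(files.values())
    rls_on = {qualify(s, n) for s, n in RLS_RE.findall(all_sql)}
    has_policy = {qualify(s, n) for s, n in POLICY_RE.findall(all_sql)}
    findings = []
    for fname, sql in files.items():
        for schema, name in TABLE_RE.findall(sql):
            table = qualify(schema, name)
            if table not in rls_on:
                findings.append((fname, table, "CRITICAL", "RLS not enabled"))
            elif table not in has_policy:
                findings.append((fname, table, "WARN", "RLS enabled but no policy"))
    return sorted(findings)


if __name__ == "__main__":
    rule = parse_frontmatter(RULE_MD)
    for fname, lineno, line in grep_hits(MIGRATIONS, rule["detection_grep"]):
        print(f"grep  {fname}:{lineno}: {line}")
    for fname, table, level, why in check_rls(MIGRATIONS):
        print(f"{level:8} {fname}: {table}: {why} [{rule['title']}, {', '.join(rule['cwe'])}]")
```

The grep reports all three tables; only the first is a finding under the rule. The third migration is the case a grep alone never separates out: RLS is on, so the rule passes, but with no policy the anon and authenticated roles get zero rows while service_role, which bypasses RLS, still sees everything, which tends to surface as a broken screen rather than a security finding. Against a live database the equivalent check is the relrowsecurity column of pg_class for tables in the exposed schemas, which catches tables created outside the migration set.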
Get started

Get started in 30 seconds

No dashboard to configure. No CI pipeline to set up. One command, instant code review intelligence.

01

Install the skill

Run one command to add a BeforeMerge skill to your project. Works with Claude Code, Cursor, Codex, and OpenCode.

$ npx skills add BeforeMerge/beforemerge-skills --skill nextjs-review
02

AI agent loads the rules

Your AI coding agent reads the structured rules automatically. No configuration needed. The agent understands what to look for.

03

Get actionable feedback

Instead of vague suggestions, you get specific, framework-aware review feedback with bad-to-good examples and compliance mappings.

What developers say

Trusted by engineering teams

BeforeMerge caught three critical auth bypasses in our Next.js app that our entire team missed during code review.


Sarah Chen

Staff Engineer, Vercel

The structured rules format means our AI coding agent actually gives useful feedback now instead of generic 'looks good' comments.


Marcus Rivera

Engineering Lead, Supabase

We integrated BeforeMerge skills into our CI pipeline. Our security findings dropped 60% in the first month.


Anja Kovac

Security Engineer, Stripe

Early Access

Be first to know when BeforeMerge launches

We're building a SaaS platform that automatically scans your PRs against these rules. Join the waitlist for early access.

No spam. Unsubscribe anytime. We'll only email about launch updates.

Open source

Open source, MIT licensed

All 158 rules are open source and free to use. The skills repo is community-driven — contribute new rules, improve existing ones, or build skills for new frameworks.

terminal
$ git clone beforemerge-skills
$ cd beforemerge-skills
$ cp templates/rule.md skills/my-skill/
# Write your rule, open a PR