Every merge should be a confident merge
BeforeMerge exists because code review shouldn't depend on who happens to be reviewing. Whether it's a senior engineer, a junior developer, or an AI agent — every review should check the same things, with the same rigor, every time.
We're building the knowledge base that makes that possible. Structured rules that both humans and AI understand, covering the security vulnerabilities, performance pitfalls, and architecture anti-patterns that linters miss and generic AI reviews skip.
What we believe
The principles that guide how we build BeforeMerge.
Actionable over abstract
Every rule has concrete bad-to-good code examples. Not theory — framework-specific patterns you can immediately apply to your codebase.
AI-first, human-readable
Rules are written so AI agents can parse and apply them automatically, but they're also clear and useful for human developers reading them directly.
Open by default
The core knowledge base is MIT licensed and open source. Security knowledge shouldn't be locked behind a paywall. Better code benefits everyone.
Standards-mapped
Rules map to CWE and OWASP categories, not just for compliance but because connecting patterns to established vulnerabilities helps developers understand impact.
Framework-specific depth
Generic security advice is easy to ignore. Rules that show exactly how a vulnerability manifests in your specific framework are impossible to dismiss.
Community-driven
The best code review knowledge comes from the collective experience of developers. Every contribution makes the entire community's reviews better.
Built by Peter Krzyzek
I've spent years reviewing code across Next.js, Supabase, WordPress, and full-stack TypeScript applications. The same patterns kept coming up: missing auth checks on server actions, RLS policies forgotten on new tables, N+1 queries hidden behind elegant abstractions.
Linters catch syntax issues. AI code assistants give surface-level feedback. But the real bugs — the security vulnerabilities, the performance killers, the architecture decisions that become tech debt — those require structured knowledge and systematic checking.
BeforeMerge is that structured knowledge. It started as my personal collection of code review rules, grew into a set of skills for AI coding agents, and is becoming a platform that brings this level of review to every team.
Why “BeforeMerge”?
The name captures the moment that matters most in software development: the decision to merge code into your main branch. Everything before that moment is an opportunity to catch issues. Everything after is damage control.
Most tools focus on what happens after code ships — error monitoring, incident response, post-mortem analysis. BeforeMerge focuses on what happens before. The code review. The moment where a structured check against known vulnerability patterns can prevent the incident entirely.
With AI coding agents becoming the primary way developers write code, the review step is more important than ever. AI can generate code faster than any human, but it can also generate vulnerable code faster than ever. BeforeMerge gives AI agents the knowledge to catch what they would otherwise miss.
Join us in building better reviews
Whether you contribute rules, use the skills in your workflow, or help spread the word — every contribution makes code review better for everyone.