Use BeforeMerge with AI coding tools
Add structured code review rules to Claude Code, Cursor, Windsurf, and any AI assistant that reads markdown instructions. Pull rules from the BeforeMerge API to keep your team's reviews consistent and thorough — whether the reviewer is human or AI.
Quick start: Claude Code
Claude Code reads instructions from CLAUDE.md files in your project root and ~/.claude/CLAUDE.md globally. Add BeforeMerge rules directly, or reference the API for dynamic rule loading.
Add rules inline to CLAUDE.md
Copy rules from BeforeMerge directly into your project's CLAUDE.md file. Claude Code will follow them on every interaction.
# Code Review Rules (from BeforeMerge)
## Security: Avoid raw SQL in Server Actions
Raw SQL queries in Server Actions bypass Row Level Security.
Always use the Supabase query builder or parameterized queries.
### Bad
```ts
const { data } = await supabase.rpc('raw_query', {
  sql: `SELECT * FROM users WHERE id = '${userId}'`
});
```
### Good
```ts
const { data } = await supabase
  .from('users')
  .select('*')
  .eq('id', userId);
```
## Performance: Avoid N+1 queries in React Server Components
Do not fetch related data inside .map() or loops in RSCs.
Fetch all related data in a single query with joins or .in() filters.
Reference rules by URL
Point Claude Code at BeforeMerge rule URLs. You can reference individual rules or entire collections.
# Code Review Rules
Follow these BeforeMerge rules when reviewing or writing code:
## Security rules
- https://www.beforemerge.com/rules/abc12345-avoid-raw-sql-in-server-actions
- https://www.beforemerge.com/rules/def67890-validate-server-action-inputs
## Full collection
- https://www.beforemerge.com/collections/ghi11223-owasp-top-10
Pull rules via the API
Use a script to fetch the latest rules from the BeforeMerge API and write them to CLAUDE.md automatically. This keeps your rules up-to-date as the knowledge base evolves.
#!/bin/bash
# Fetch BeforeMerge rules and append to CLAUDE.md
set -euo pipefail
# Read the key from the environment instead of committing it with the script
API_KEY="${BM_API_KEY:?set BM_API_KEY to your BeforeMerge API key}"
BASE_URL="https://www.beforemerge.com/api/v1/public"
# Fetch a specific rule's full body (-f makes curl fail on HTTP errors)
curl -fsS "$BASE_URL/rules/abc12345-avoid-raw-sql" \
  -H "Authorization: Bearer $API_KEY" \
  | jq -r '.data.body' >> CLAUDE.md
# Fetch all rules from a collection
curl -fsS "$BASE_URL/collections/ghi11223-owasp-top-10" \
  -H "Authorization: Bearer $API_KEY" \
  | jq -r '.data.items[].content.slug' \
  | while read -r slug; do
      curl -fsS "$BASE_URL/rules/$slug" \
        -H "Authorization: Bearer $API_KEY" \
        | jq -r '"## " + .data.title + "\n" + .data.body + "\n"'
    done >> CLAUDE.md
Using the public API
The BeforeMerge API lets you programmatically fetch rules, skills, and collections. All endpoints require an API key with the appropriate scope. See the full API reference for complete details.
/api/v1/public/rules
List all published rules. Filter by category, impact, skill, or tags.
curl https://www.beforemerge.com/api/v1/public/rules \
  -H "Authorization: Bearer bm_your_key_here" \
  -G --data-urlencode "category=security" --data-urlencode "limit=10"
/api/v1/public/rules/{slug}
Get a specific rule with its full markdown body, detection patterns, and tags.
curl https://www.beforemerge.com/api/v1/public/rules/abc12345-avoid-raw-sql \
  -H "Authorization: Bearer bm_your_key_here"
{
  "data": {
    "slug": "abc12345-avoid-raw-sql-in-server-actions",
    "title": "Avoid raw SQL in Server Actions",
    "description": "Raw SQL queries in Server Actions bypass Row Level Security.",
    "impact": "HIGH",
    "category": "security",
    "body": "## What to look for\n\nServer Actions that build SQL strings...",
    "tags": [{ "name": "sql", "slug": "sql" }]
  }
}
/api/v1/public/skills
List all published skills. Skills are bundles of related rules scoped to a framework or domain.
curl https://www.beforemerge.com/api/v1/public/skills \
  -H "Authorization: Bearer bm_your_key_here"
/api/v1/public/skills/{slug}
Get a specific skill with its full description, rule count, and tags.
curl https://www.beforemerge.com/api/v1/public/skills/def67890-next-js-security \
  -H "Authorization: Bearer bm_your_key_here"
/api/v1/public/collections/{slug}
Get a collection with all its items (rules, skills, knowledge). Use this to pull an entire curated rule set at once.
curl https://www.beforemerge.com/api/v1/public/collections/ghi11223-owasp-top-10 \
  -H "Authorization: Bearer bm_your_key_here"
Full CLAUDE.md example
Here is a complete example of a project-level CLAUDE.md that integrates BeforeMerge rules. Place this file in your project root.
# Project Instructions
## Code Review Rules (BeforeMerge)
When reviewing code or writing new code, follow these rules:
### Security
- Never use raw SQL in Server Actions — use the Supabase query builder
- Validate all Server Action inputs with Zod before processing
- Never expose service_role keys in client components
- Always check RLS policies when creating new tables
### Performance
- Avoid N+1 queries — use .select() with joins or .in() filters
- Do not fetch data inside .map() in React Server Components
- Use React.cache() for deduplicating data fetches within a render
### Architecture
- Server Actions go in dedicated files with "use server" at the top
- Keep client components at the leaf level of the component tree
- Use createClient() for authenticated reads, createAdminClient() for writes
## BeforeMerge Collections
For the full rule details, see:
- https://www.beforemerge.com/collections/ghi11223-owasp-top-10
- https://www.beforemerge.com/collections/jkl44556-nextjs-best-practices
## BeforeMerge API
Fetch updated rules: GET https://www.beforemerge.com/api/v1/public/rules
API docs: https://www.beforemerge.com/docs/api
For other AI coding tools
BeforeMerge rules work with any AI tool that reads markdown instructions. The format is the same — only the config file name changes.
Cursor
Config file: .cursorrules
Cursor reads project-level instructions from .cursorrules in your project root. Paste BeforeMerge rules directly into this file.
# Code Review Rules (BeforeMerge)
## Security: Validate Server Action inputs
Always validate inputs to Server Actions using Zod schemas.
Never trust data from the client without validation.
## Performance: Avoid N+1 queries
Do not fetch related data in loops. Use batch queries with
.in() filters or joins to fetch all data in a single query.
## Architecture: Keep client components at the leaf level
Only add "use client" to the smallest component that needs
interactivity. Parent components should remain server components.
Windsurf
Config file: .windsurfrules
Windsurf reads from .windsurfrules in your project root. The format is identical to Cursor — use the same markdown content.
# Code Review Rules (BeforeMerge)
## Security: Never expose service_role keys
The Supabase service_role key bypasses RLS. Never import
createAdminClient() in client components or expose the key
in environment variables prefixed with NEXT_PUBLIC_.
## Security: Check RLS on new tables
Every new Supabase table must have RLS enabled and at least
one policy before merging. Tables without RLS are publicly
readable by default.
Any AI tool
Config file: .ai-rules.md (or equivalent)
For tools like Aider, Cline, Continue, or GitHub Copilot Workspace, use the same markdown format in whatever config file the tool reads. The key patterns work everywhere:
Automate rule updates
Keep your AI coding assistant's rules in sync with BeforeMerge by automating the fetch. Here are two common approaches.
npm / package.json script
Add a script to your package.json that fetches rules on npm install or as a standalone command.
{
  "scripts": {
    "fetch-rules": "bash scripts/fetch-beforemerge-rules.sh",
    "postinstall": "bash scripts/fetch-beforemerge-rules.sh"
  }
}
GitHub Actions (weekly sync)
Run a scheduled action that fetches the latest rules and opens a PR if anything changed.
name: Sync BeforeMerge Rules
on:
  schedule:
    - cron: '0 9 * * 1' # Every Monday at 9am UTC
  workflow_dispatch:
# create-pull-request pushes a branch and opens a PR, so grant only those scopes
permissions:
  contents: write
  pull-requests: write
jobs:
  sync:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Fetch rules
        env:
          BM_API_KEY: ${{ secrets.BEFOREMERGE_API_KEY }}
        run: |
          set -o pipefail # fail the step if curl fails, not only jq
          curl -fsS "https://www.beforemerge.com/api/v1/public/rules?limit=100" \
            -H "Authorization: Bearer $BM_API_KEY" \
            | jq -r '.data[] | "## " + .title + "\n" + .description + "\n"' \
            > .ai-rules-generated.md
      - name: Open PR if changed
        uses: peter-evans/create-pull-request@v6
        with:
          title: "chore: update BeforeMerge rules"
          branch: chore/sync-beforemerge-rules
Start reviewing smarter
Browse the knowledge base, grab the rules you need, and add them to your AI coding assistant in minutes.
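The fetch script on this page appends to CLAUDE.md with `>>`, so running it from `postinstall` or a scheduled job adds the same rules again on every run, and the response is written without checking its shape. The following is an added example, not BeforeMerge's own code: it validates the rule response shown in the API section and rewrites one delimited block in place, so a second run changes nothing and any change to the agent's instructions shows up as a small diff. The marker comments and function names are assumptions.

```javascript
// Added example; marker strings and function names are assumptions.
const BEGIN = "<!-- beforemerge:begin -->";
const END = "<!-- beforemerge:end -->";

// Validate one /rules/{slug} response (shape as shown on this page), then render it.
function renderRule(response) {
  const rule = response && response.data;
  if (!rule || typeof rule.title !== "string" || typeof rule.body !== "string") {
    throw new Error("unexpected rule response; refusing to write it");
  }
  // Text carrying our markers would corrupt the next update, so reject it.
  if ([rule.title, rule.body].some((s) => s.includes(BEGIN) || s.includes(END))) {
    throw new Error("rule text contains a block marker");
  }
  return `## ${rule.title.trim()}\n${rule.body.trim()}\n`;
}

// Replace the managed block in place, or append one if the file has none.
function updateManagedBlock(fileText, responses) {
  const block = [BEGIN, ...responses.map(renderRule), END].join("\n");
  const start = fileText.indexOf(BEGIN);
  const end = fileText.indexOf(END);
  if (start === -1 && end === -1) {
    const sep = fileText === "" || fileText.endsWith("\n") ? "" : "\n";
    return fileText + sep + block + "\n";
  }
  if (start === -1 || end < start) throw new Error("block markers are damaged");
  return fileText.slice(0, start) + block + fileText.slice(end + END.length);
}

// Fetch one rule; a non-2xx status throws rather than producing text to write.
async function fetchRule(baseUrl, slug, apiKey, fetchImpl = fetch) {
  const res = await fetchImpl(`${baseUrl}/rules/${encodeURIComponent(slug)}`, {
    headers: { Authorization: `Bearer ${apiKey}` },
  });
  if (!res.ok) throw new Error(`rule ${slug}: HTTP ${res.status}`);
  return res.json();
}

// Constructed sample, modelled on the JSON response shown on this page.
const sample = { data: { title: "Avoid raw SQL in Server Actions",
  body: "## What to look for\n\nServer Actions that build SQL strings..." } };
const once = updateManagedBlock("# Project Instructions\n", [sample]);
const twice = updateManagedBlock(once, [sample]);
console.log(once === twice ? "second run changed nothing" : "file changed");
```

Hand-written instructions outside the two markers are left untouched, so the generated block can be reviewed separately from the rest of the file.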