Browse 225 rules, 42 knowledge articles, and 28 prompt templates across security, performance, architecture, and quality.
Every table must have Row Level Security enabled. Tables without RLS are fully accessible via the anon key.
Public pages (explore, content detail) should use createReadOnlyClient() with the anon key, not the service_role.
Files with "use client" must never import server-only modules like database clients, API keys, or service role credentials.
Only the Supabase URL and anon key should have NEXT_PUBLIC_ prefix. All other Supabase credentials are server-only.
Use the Image component from next/image instead of raw HTML img tags. It auto-optimizes format, size, and loading.
Serverless and edge environments exhaust database connections without a pooler. Use PgBouncer, Supavisor, or platform-native pooling.
Functions without a fixed search_path are vulnerable to search path injection attacks.
MySQL's utf8 charset only supports 3-byte characters. Use utf8mb4 for full Unicode support.
Every hosted database should have point-in-time recovery (PITR) enabled and tested.
Foreign key columns without indexes cause slow JOINs and cascade operations.
ALTER TABLE in MySQL can lock the entire table. Use ALGORITHM=INPLACE or tools like gh-ost for safe migrations.
Tables without primary keys cannot use logical replication and have degraded query performance.
Non-concurrent index creation locks the table for writes during the entire build.
Exposing the auth.users table through the API schema leaks user data. Keep it out of the exposed schemas.
Tables in the public schema without Row Level Security allow unrestricted access through the API.
Unlike PostgreSQL, MySQL/InnoDB requires indexes on foreign key columns. Missing indexes cause slow JOINs.
SELECT * fetches all columns, wasting bandwidth and preventing covering index optimization.
Adding NOT NULL to an existing column requires a full table scan and exclusive lock.
Test migrations on a branch or copy of the database before applying them to production. Neon and PlanetScale have native branching.
WordPress provides context-specific escaping functions. Using the wrong one — or none — enables XSS. Match esc_html, esc_attr, esc_url, wp_kses to the output context. [CWE-79 · A07:2021]
Passing user input directly into SQL queries via $wpdb enables SQL injection. Always use $wpdb->prepare() with typed placeholders (%d, %s, %f, %i). [CWE-89 · A03:2021]
WordPress capabilities (current_user_can) are the authorization layer. Missing checks in REST endpoints, admin handlers, and AJAX allow subscribers to perform admin actions. [CWE-862 · A01:2021]
User input in include/require or file read/write paths allows attackers to read wp-config.php, delete files, or execute arbitrary PHP via ../ sequences. [CWE-22 · A01:2021]
PHP's unserialize() instantiates arbitrary classes and triggers magic methods. Deserialization of user input enables remote code execution via gadget chains. [CWE-502 · A08:2021]
BeforeMerge scans your pull requests against these rules automatically. Get actionable feedback before code ships to production.