Browse 354 rules, 42 knowledge articles, and 28 prompt templates across security, performance, architecture, and quality.
BeforeMerge scans your pull requests against these rules automatically. Get actionable feedback before code ships to production.
Don't add "use client" to page or layout files. Extract the interactive part into a small client component.
Add loading.tsx to route segments with slow data fetching. It provides instant visual feedback during navigation.
Every route group should have an error.tsx to prevent crashes from propagating to the entire app.
Props to client components are serialized as JSON and sent to the browser. Don't pass full database records with sensitive fields.
Set "strict": true in tsconfig.json to catch null errors, implicit any, and type coercion bugs at compile time.
The any type disables all type checking. Use unknown and narrow the type, or use a specific type.
Use the Image component from next/image instead of raw HTML img tags. It auto-optimizes format, size, and loading.
Use next/dynamic to code-split large client-only components like editors, charts, and maps.
Each route group ((auth), (dashboard), (content)) should have its own error boundary to contain failures.
Use a structured logger like pino instead of console.log. Structured logs carry timestamps and levels and can be filtered.
Always use environment variables for API keys, database credentials, and other secrets.
Use Zod or similar validation on all API routes and server actions. Never pass raw user input to database queries.
Maintain a .env.example file with all required variables (no values). New developers can't set up the project without it.
Write tests that verify that User A cannot read User B's data and that anonymous users cannot read private data. RLS bugs are data breaches.
Every server action that modifies data must call requireAuth() first to validate the user session and get orgId.
Tables in the public schema without Row Level Security allow unrestricted access through the API.
Every hosted database should have point-in-time recovery (PITR) enabled and tested.
Serverless and edge environments exhaust database connections without a pooler. Use PgBouncer, Supavisor, or platform-native pooling.
Test migrations on a branch/copy before applying to production. Neon and PlanetScale have native branching.
Functions without a fixed search_path are vulnerable to search path injection attacks.
Adding NOT NULL to an existing column requires a full table scan and exclusive lock.
Non-concurrent index creation locks the table for writes during the entire build.
The auth.users table is accessible through the API schema, leaking user data.
Foreign key columns without indexes cause slow JOINs and cascade operations.