review-database

Use when reviewing SQL migrations, queries, RLS/policy changes, schema modifications, or ORM access patterns for safety, performance, or correctness.

5 stars

Best use case

review-database is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Use when reviewing SQL migrations, queries, RLS/policy changes, schema modifications, or ORM access patterns for safety, performance, or correctness.

Teams using review-database should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/review-database/SKILL.md --create-dirs "https://raw.githubusercontent.com/forbee-dev/ForgeBee/main/forgebee/skills/review-database/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/review-database/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How review-database Compares

Feature / Agentreview-databaseStandard Approach
Platform SupportNot specifiedLimited / Varies
Context Awareness High Baseline
Installation ComplexityUnknownN/A

Frequently Asked Questions

What does this skill do?

Use when reviewing SQL migrations, queries, RLS/policy changes, schema modifications, or ORM access patterns for safety, performance, or correctness.

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

You are a database specialist. Review database migrations, queries, schema design, and access patterns.

> Emit findings in the shared format: `forgebee/skills/_review-finding-contract.md` (severity block + score + footer line).

## Use When
- New or modified database migrations need review for data safety, rollback plans, and downtime risk
- Application code with query patterns needs review for N+1 queries, missing indexes, or over-fetching
- Row Level Security policies need verification for tenant isolation and completeness
- Schema changes need review for foreign keys, constraints, and type correctness

## Target

Review the specified files or recent git changes to migration and database files.

If no target specified, review recent git changes to migration directories and database query patterns.

## Detect the Database & Access Layer First (gate)

Before applying the checklist, detect the actual engine and access layer, and apply ONLY matching rules:

1. Identify the engine (Postgres, MySQL/MariaDB, SQLite, SQL Server, Mongo/other NoSQL) and the access layer (raw SQL, an ORM like Prisma/Drizzle/TypeORM/Eloquent/ActiveRecord, or a platform like Supabase). Check config/migration files and `package.json`/`composer.json`.
2. Several rules below are Postgres/Supabase-specific. Apply the engine's equivalent and SKIP what doesn't apply:
   - **Row Level Security** is a Postgres/Supabase feature. If the project enforces tenant isolation in the application layer instead, review *that* boundary and do not flag "missing RLS."
   - **Type rules** (`TIMESTAMPTZ`, `UUID`, `JSONB`) are Postgres types — map to the engine's analog (e.g. `DATETIME`/`CHAR(36)`/`JSON` in MySQL) rather than demanding Postgres types universally.
3. Migration safety, indexing, foreign keys, and query patterns are engine-agnostic and always apply.

## Checks

### Migration Safety (Critical)
- **Data loss**: Any `DROP TABLE`, `DROP COLUMN`, `ALTER TYPE` that could lose data. Flag and suggest migration strategy.
- **Downtime risk**: `ALTER TABLE ... ADD COLUMN ... NOT NULL` without a default on large tables locks the table. Use `ADD COLUMN` + `DEFAULT` or multi-step migration.
- **Missing transaction**: Migrations with multiple statements should be wrapped or be idempotent.
- **Irreversibility**: Document if migration can't be rolled back. All destructive changes need a rollback plan.
- **Dependency order**: Check that referenced tables/columns exist at the time the migration runs.

### Row Level Security (Critical for multi-tenancy — Postgres/Supabase; see gate)
- **RLS enabled**: Every table with user/org data must have RLS enabled.
- **Policy completeness**: Policies must cover SELECT, INSERT, UPDATE, DELETE for each access pattern.
- **Tenant isolation**: Policies must filter by organization — a user in org A must never access org B rows.
- **Service role bypass**: Admin operations that bypass RLS must be intentional and secure.
- **Performance**: RLS policies with subqueries or function calls can be slow. Prefer direct column checks.

### Schema Design
- **Foreign keys**: All relationships have FK constraints. Check `ON DELETE` behavior (CASCADE vs SET NULL vs RESTRICT).
- **Indexes**: Foreign key columns, columns in frequent WHERE/ORDER BY clauses need indexes.
- **Types**: Use `TIMESTAMPTZ` (not `TIMESTAMP`), `UUID` for IDs, `JSONB` for structured data.
- **Constraints**: NOT NULL where appropriate, CHECK constraints for enums or ranges, UNIQUE constraints for natural keys.
- **Naming**: snake_case for tables and columns, consistent prefixes.

### Query Patterns (in application code)
- **N+1 queries**: Database calls inside loops. Should use batch operations or joins.
- **Over-fetching**: `select('*')` when only specific columns needed.
- **Missing error handling**: Database queries must check for errors before using data.
- **Missing LIMIT**: List queries without pagination.

## Output Format

For each finding:
```
[Critical|High|Medium|Low] <title>
File: <path>:<line>
Issue: <what's wrong>
Data risk: <potential data loss, corruption, or exposure>
Fix: <specific remediation, including migration SQL if needed>
```

## Example (Critical vs Low)

```
[Critical] Adding NOT NULL column without default locks a large table
File: migrations/0042_add_status.sql:3
Issue: `ALTER TABLE orders ADD COLUMN status text NOT NULL` rewrites every row and holds an exclusive lock — downtime on a big table.
Data risk: Write outage during migration.
Fix: Add the column nullable with a default, backfill in batches, then set NOT NULL in a later step.

[Low] select('*') fetches unused columns
File: src/repo/users.ts:18
Issue: `select('*')` pulls a large `profile_blob` the caller never reads.
Data risk: None; minor over-fetch.
Fix: Select only the needed columns.
```

End with a summary: schema health, RLS coverage (if applicable), query efficiency assessment, then the score and footer line from the shared contract.

## Never
- Never approve destructive migrations without rollback verification
- Never ignore missing indexes on filtered/joined columns
- Never approve raw SQL with string concatenation

## Communication
When working on a team, report:
- Migration safety assessment
- RLS/security coverage gaps
- Query performance concerns

Related Skills

review-wordpress

5
from forbee-dev/ForgeBee

Use when reviewing WordPress plugin or theme code for WP coding standards (WPCS), security (nonces, sanitization, escaping), hook naming, text domains, or plugin architecture.

review-tests

5
from forbee-dev/ForgeBee

Use when reviewing test suites for coverage gaps, brittle mocks, missing edge cases, or untested code paths — runs after new code or before merging.

review-security

5
from forbee-dev/ForgeBee

Use when auditing code for OWASP Top 10 vulnerabilities, injection flaws, broken auth, secret exposure, or dependency CVEs — typically before shipping or after auth/data-handling changes.

review-prompt

5
from forbee-dev/ForgeBee

Use when reviewing code that builds LLM features — prompt construction, tool/function definitions, model-output handling, RAG context, or agent loops. Treats model output and untrusted content reaching a prompt as a trust boundary.

review-performance

5
from forbee-dev/ForgeBee

Use when investigating slowness or reviewing code for N+1 queries, memory leaks, expensive loops, missing caching, bundle bloat, or render bottlenecks.

review-docs

5
from forbee-dev/ForgeBee

Use when reviewing code for missing docblocks, outdated comments, undocumented parameters, unexplained complex logic, or stale README sections.

review-code

5
from forbee-dev/ForgeBee

Use when reviewing staged or recent code changes for logic errors, DRY violations, error handling gaps, type safety issues, or dead code — narrower than review-all.

review-code-style

5
from forbee-dev/ForgeBee

Use when checking adherence to project conventions — import order, naming standards, TypeScript patterns, React idioms, file organization. Not formatting (use a linter).

review-best-practices

5
from forbee-dev/ForgeBee

Use when reviewing code for SOLID violations, design pattern misuse, leaky abstractions, separation of concerns, or architecture-level smells.

review-api

5
from forbee-dev/ForgeBee

Use when reviewing route handlers, REST/GraphQL endpoints, or API contracts — covers design, input validation, error shapes, auth, rate limiting, and REST consistency.

review-all

5
from forbee-dev/ForgeBee

Use when about to push, open a PR, or asking for a thorough pre-ship review — covers code quality, security, performance, accessibility, docs, and best practices in one pass.

review-accessibility

5
from forbee-dev/ForgeBee

Use when auditing UI changes for WCAG 2.1 AA compliance — keyboard nav, ARIA, color contrast, focus management, screen reader support, semantic HTML.