reviewing-prisma-patterns

djankies/reviewing-prisma-patterns

Coding

About

SKILL.md

Review Prisma Patterns

This skill performs systematic code review of Prisma usage, catching critical violations, security vulnerabilities, and performance anti-patterns identified through comprehensive stress testing of AI coding agents.

This skill systematically reviews Prisma codebases for 7 critical violation categories that cause production failures, security vulnerabilities, and performance degradation. Based on real-world failures found in 5 AI agents producing 30 violations during stress testing.

This skill activates when: - User requests code review of Prisma-based projects - Performing security audit on database operations - Investigating production issues (connection exhaustion, SQL injection, performance) - Pre-deployment validation of Prisma code - Working with files containing @prisma/client imports

The review checks for critical issues across 7 categories:

Multiple PrismaClient Instances (80% of agents failed)
SQL Injection Vulnerabilities (40% of agents failed)
Missing Serverless Configuration (60% of agents failed)
Deprecated Buffer API (Prisma 6 breaking change)
Generic Error Handling (Missing P-code checks)
Missing Input Validation (No Zod/schema validation)
Inefficient Queries (Offset pagination, missing select optimization)

Each violation includes severity rating, remediation steps, and reference to detailed Prisma 6 skills.

## Standard Review Workflow

Phase 1: Discovery

Find all Prisma usage:
- Search for @prisma/client imports
- Identify PrismaClient instantiation
- Locate raw SQL operations
Identify project context:
- Check for serverless deployment (vercel.json, lambda/, app/ directory)
- Detect TypeScript vs JavaScript
- Find schema.prisma location

Phase 2: Critical Issue Detection

Run validation checks in order of severity:

CRITICAL: SQL Injection (P0 - Security vulnerability)
CRITICAL: Multiple PrismaClient (P0 - Connection exhaustion)
HIGH: Serverless Misconfiguration (P1 - Production failures)
HIGH: Deprecated Buffer API (P1 - Runtime errors)
MEDIUM: Generic Error Handling (P2 - Poor UX)

Phase 3: Report Generation

Group findings by severity
Provide file path + line number
Include code snippet
Reference remediation skill
Estimate impact (Low/Medium/High/Critical)

## Quick Check Summary

P0 - CRITICAL (Must fix before deployment)

1. SQL Injection Detection

grep -rn "\$queryRawUnsafe\|Prisma\.raw" --include="*.ts" --include="*.js" .

Red flag: String concatenation with user input Fix: Use $queryRaw tagged template

2. Multiple PrismaClient Instances

grep -rn "new PrismaClient()" --include="*.ts" --include="*.js" . | wc -l

Red flag: Count > 1 Fix: Global singleton pattern

P1 - HIGH (Fix before production)

3. Missing Serverless Configuration

grep -rn "connection_limit=1" --include="*.env*" .

Red flag: No connection_limit in serverless app Fix: Add ?connection_limit=1 to DATABASE_URL

4. Deprecated Buffer API

grep -rn "Buffer\.from" --include="*.ts" --include="*.js" . | grep -i "bytes"

Red flag: Buffer usage with Prisma Bytes fields Fix: Use Uint8Array instead

See references/validation-checks.md for complete validation patterns with examples.

## Automated Review Process

Step 1: Find Prisma Files

find . -type f \( -name "*.ts" -o -name "*.js" \) -exec grep -l "@prisma/client" {} \;

Step 2: Run All Checks

Execute checks in severity order (P0 → P3):

SQL Injection check
Multiple PrismaClient check
Serverless configuration check
Deprecated Buffer API check
Error handling check
Input validation check
Query efficiency check

Step 3: Generate Report

Format:

Prisma Code Review - [Project Name]
Generated: [timestamp]

CRITICAL Issues (P0): [count]
HIGH Issues (P1): [count]
MEDIUM Issues (P2): [count]
LOW Issues (P3): [count]

---

[P0] SQL Injection Vulnerability
File: src/api/users.ts:45
Impact: CRITICAL - Enables SQL injection attacks
Fix: Use $queryRaw tagged template
Reference: @prisma-6/SECURITY-sql-injection

[P0] Multiple PrismaClient Instances
Files: src/db.ts:3, src/api/posts.ts:12
Count: 3 instances found
Impact: CRITICAL - Connection pool exhaustion
Fix: Use global singleton pattern
Reference: @prisma-6/CLIENT-singleton-pattern

## Report Format

Provide structured review with:

Summary:

Total files reviewed
Issues by severity (P0/P1/P2/P3)
Overall assessment (Pass/Needs Fixes/Critical Issues)

Detailed Findings: For each issue:

Severity badge ([P0] CRITICAL, [P1] HIGH, etc.)
Issue title
File path and line number
Code snippet (5 lines context)
Impact explanation
Specific remediation steps
Reference to detailed skill

Remediation Priority:

P0 issues must be fixed before deployment
P1 issues should be fixed before production
P2 issues improve code quality
P3 issues optimize performance

## Review Guidelines

MUST:

Check all 7 critical issue categories
Report findings with file path + line number
Include code snippets for context
Reference specific Prisma 6 skills for remediation
Group by severity (P0 → P3)

SHOULD:

Prioritize P0 (CRITICAL) issues first
Provide specific fix recommendations
Estimate impact of each violation
Consider project context (serverless vs traditional)

NEVER:

Skip P0 security checks
Report false positives without verification
Recommend fixes without testing patterns
Ignore serverless-specific issues in serverless projects

## Reference Files

For detailed information on specific topics:

Validation Checks: See references/validation-checks.md for all 7 validation patterns with detailed examples
Example Reviews: See references/example-reviews.md for complete review examples (e-commerce, dashboard)

Load references when performing deep review or encountering specific violation patterns.

## Review Validation

After generating review:

Verify Findings:
- Re-run grep commands to confirm matches
- Check context around flagged lines
- Eliminate false positives
Test Remediation:
- Verify recommended fixes are valid
- Ensure skill references are accurate
- Confirm impact assessments
Completeness Check:
- All 7 categories checked
- All Prisma files reviewed
- Severity correctly assigned

Integration: This skill is discoverable by the review plugin via review: true frontmatter. Invoke with /review prisma-patterns or automatically when reviewing Prisma-based projects.

Performance: Review of typical project (50 files) completes in < 10 seconds using grep-based pattern matching.

Updates: As new Prisma violations emerge, add patterns to validation checks with corresponding skill references.