# Checklist for Reviewing AI-Generated SQL Queries

> A human review checklist for SQL written by AI coding agents — correctness, injection, performance, and migrations.

**Type:** Checklist  
**Tools:** Cursor, Claude Code, Codex  
**Stack:** PostgreSQL, TypeScript  
**Updated:** 2026-06-08

---

AI writes SQL fast, but not always safely. Run every AI-generated query through
this before merging.

## Correctness

```txt
[ ] Joins use the right keys (no accidental cross joins)
[ ] NULL handling is intentional (COALESCE / IS NULL, not = NULL)
[ ] Aggregates have correct GROUP BY columns
[ ] Pagination is stable (ORDER BY a unique column)
```

## Security

```txt
[ ] No string-concatenated SQL — parameterised queries only
[ ] User input never reaches identifiers (table/column names)
[ ] Row-level access is enforced (tenant_id / user_id filter present)
```

## Performance

```txt
[ ] Queries hit an index (check EXPLAIN for Seq Scan on large tables)
[ ] No SELECT * in hot paths
[ ] N+1 patterns batched or joined
```

## Migrations

```txt
[ ] Migration is reversible (or explicitly one-way and documented)
[ ] No blocking locks on large tables during deploy
[ ] Defaults/backfills won't rewrite the whole table synchronously
```

## Fix Prompt

```txt title="Fix Prompt"
Review this SQL against the checklist above. Parameterise any concatenated
input, add the missing tenant filter, and confirm the query uses an index
with EXPLAIN. Return the corrected query only.
```