{
  "id": "ai-rules-for-postgresql-apps",
  "type": "rules",
  "category": "rules",
  "locale": "en",
  "url": "/rules/ai-rules-for-postgresql-apps",
  "title": "AI Coding Rules for PostgreSQL Apps",
  "description": "AGENTS.md rules for PostgreSQL-backed apps covering query safety, migration discipline, indexing conventions, and preventing agents from writing N+1 queries.",
  "tools": [
    "Cursor",
    "Claude Code",
    "Codex",
    "Windsurf"
  ],
  "stack": [
    "PostgreSQL",
    "TypeScript",
    "Next.js"
  ],
  "tags": [
    "agents-md",
    "postgres",
    "typescript",
    "security",
    "conventions"
  ],
  "difficulty": null,
  "updated": "2026-06-08",
  "markdown": "Drop this in your repo root as `AGENTS.md`. It applies to any project where PostgreSQL is the primary data store, whether accessed via Prisma, Drizzle, `postgres.js`, or raw SQL.\n\n## AGENTS.md\n\n```md title=\"AGENTS.md\"\n# Project Rules — PostgreSQL Apps\n\n## Hard rules — data safety\n- NEVER generate SQL that concatenates user input into a query string. Always use\n  parameterised queries (`$1`, `$2` placeholders) or the ORM's parameter binding.\n  SQL injection via agent-generated queries is a real attack vector.\n- NEVER run `DROP TABLE`, `TRUNCATE`, or `DELETE FROM <table>` without a `WHERE`\n  clause in application code. These must be wrapped in a transaction that can be\n  rolled back, and must require explicit developer confirmation before execution.\n- NEVER write a migration that removes a column without first deploying a version of\n  the application that stops reading that column. Column removal is a two-deploy\n  operation: (1) stop reading; (2) drop.\n- All schema changes must be applied via migration files (Drizzle Kit, Flyway,\n  `migrate`, or Prisma Migrate). Never apply schema changes by running `ALTER TABLE`\n  directly against production.\n\n## Query conventions\n- Every query that returns a list MUST have a `LIMIT`. There is no acceptable reason\n  for a user-facing endpoint to return an unbounded result set.\n- Use `EXPLAIN ANALYZE` to check query plans for new queries on tables with more than\n  10,000 rows before merging. Agents should output the plan in a comment block when\n  writing a non-trivial query.\n- Avoid `SELECT *`. Name every column you need. This makes queries self-documenting\n  and prevents accidental exposure of sensitive columns (hashed passwords, tokens).\n- N+1 patterns are forbidden. If you load a list of records and then query related\n  data per row in a loop, refactor to a single JOIN query or a batched `IN` query.\n- Use `JOIN` instead of correlated subqueries for relation lookups — correlated\n  subqueries run once per row and are almost always slower.\n\n## Indexing rules\n- Every foreign key column MUST have an index. PostgreSQL does not create these\n  automatically (unlike MySQL). Missing FK indexes cause sequential scans on join.\n- Columns used in `WHERE` clauses on high-read tables should have indexes. When\n  adding a query that filters by a new column, check whether an index exists and\n  add one in the same migration if it does not.\n- Use partial indexes (`WHERE deleted_at IS NULL`) for soft-delete patterns — they\n  are far smaller and faster than full-table indexes when most rows are soft-deleted.\n- Never create an index on a column with very low cardinality (e.g. a boolean\n  `is_active` with 90% `true`). PostgreSQL will ignore the index and scan anyway.\n\n## Connection and pooling\n- Import the database client from `src/lib/db.ts` (the singleton or pool). Never\n  instantiate a new client per request — this exhausts connections instantly under load.\n- In serverless environments (Next.js API routes, Edge Functions), use a connection\n  pooler (PgBouncer, Neon connection pooling, Supabase pgbouncer mode) between the\n  application and PostgreSQL. Direct connections from serverless are not sustainable.\n- Set `statement_timeout` and `lock_timeout` on the connection or session for\n  long-running operations to prevent them from blocking the entire application.\n\n## Transactions\n- Any operation that writes to more than one table must be wrapped in a transaction.\n  Partial writes leave the database in an inconsistent state.\n- Keep transactions as short as possible. Do not make network requests (HTTP calls,\n  external APIs) inside a transaction — this holds locks for the duration of the\n  network call.\n\n## Definition of done\n- No string-interpolated SQL in the codebase (`grep -r \"query\\`\" src/` should return\n  only parameterised template tag usage, not concatenation).\n- All new tables have primary key and foreign key indexes.\n- All `findMany` / `SELECT` queries have `LIMIT`.\n- Migration files are committed and named descriptively.\n- `tsc --noEmit` passes (typed query results match schema types).\n```\n\n## Why these rules\n\n- **No string-concatenated SQL, ever** is the foundational rule. Parameterised queries are not just a best practice — they are the only defence against SQL injection, and agents under time pressure will concatenate when they do not know how to express a query with a specific ORM's parameter syntax.\n- **Column removal is a two-deploy operation** prevents the most common zero-downtime migration mistake. If the application still reads a column when the migration drops it, every inflight request at the moment of migration fails. Agents do not naturally reason about deployment windows when generating schema changes.\n\n## Good fit\n\n- Any production application using PostgreSQL where data integrity and query performance matter: SaaS apps, content platforms, e-commerce backends, analytics pipelines.\n\n## Not a fit\n\n- SQLite-based apps or projects where the database is truly ephemeral (test fixtures, local dev seeds) — the migration discipline and indexing rules are unnecessary overhead."
}