CtrlK
BlogDocsLog inGet started
Tessl Logo

igmarin/rails-agent-skills

Curated library of AI agent skills for Ruby on Rails development. Covers code review, architecture, security, testing (RSpec), engines, service objects, DDD patterns, and workflow automation.

98

1.38x
Quality

99%

Does it follow best practices?

Impact

98%

1.38x

Average score across 26 eval scenarios

SecuritybySnyk

Passed

No known issues

Overview
Quality
Evals
Security
Files

SKILL.mdrails-code-review/

name:
rails-code-review
description:
Reviews Rails pull requests, focusing on controller/model conventions, migration safety, query performance, and Rails Way compliance. Covers routing, ActiveRecord, security, caching, and background jobs. Use when reviewing existing Rails code for quality, conducting a PR review, or doing a code review on Ruby on Rails (RoR) code.

Rails Code Review (The Rails Way)

When reviewing Rails code, analyze it against the following areas. When writing new code, follow rails-code-conventions (principles, logging, path rules) and rails-stack-conventions (stack-specific UI and Rails patterns).

Core principle: Review early, review often. Self-review before PR. Re-review after significant changes.

HARD-GATE: After implementation (before PR)

After green tests + linters pass + YARD + doc updates:
1. Self-review the full branch diff using the Review Order below.
2. Fix Critical items; resolve or ticket Suggestion items.
3. Only then open the PR.
generate-tasks must include a "Code review before merge" task.

Quick Reference

AreaKey Checks
RoutingRESTful, shallow nesting, named routes, constraints
ControllersSkinny, strong params, before_action scoping
ModelsStructure order, inverse_of, enum values, scopes over callbacks
QueriesN+1 prevention, exists? over present?, find_each for batches
MigrationsReversible, indexed, foreign keys, concurrent indexes
SecurityStrong params, parameterized queries, no html_safe abuse
CachingFragment caching, nested caching, ETags
JobsIdempotent, retriable, appropriate backend

Review Order

Work through the diff in this sequence. See REVIEW_CHECKLIST.md for the full per-area check criteria.

Configuration → Routing → Controllers → Views → Models → Associations → Queries → Migrations → Validations → I18n → Sessions → Security → Caching → Jobs → Tests

Critical checks to spot immediately:

# N+1 — one query per record in a collection
posts.each { |post| post.author.name }       # Bad
posts.includes(:author).each { |post| post.author.name }  # Good

# Privilege escalation via permit!
params.require(:user).permit!                # Bad — never in production
params.require(:user).permit(:name, :email)  # Good

Additional Critical patterns:

  • Business logic in controller action (multi-step domain workflow) — flag as Critical; extract to a service object. A controller action doing more than coordinate (call one service, handle response) is a Critical finding.
  • Missing authorization check on sensitive action — flag as Critical.

Severity Levels

Use these levels when reporting findings:

LevelMeaningAction
CriticalSecurity risk, data loss, or crashBlock merge — must fix before approval; mandatory re-review after fix
SuggestionConvention violation or performance concernFix in this PR; create a tracked follow-up ticket only if the fix requires significant redesign
Nice to haveStyle improvement, minor optimizationOptional — author's discretion; no follow-up required

Re-Review Loop

When critical or significant findings were addressed, re-review before merging:

Review → Categorize findings (Critical / Suggestion / Nice to have)
       → Developer addresses findings
       → Critical findings fixed? → Re-review the diff
       → Suggestion items resolved or ticketed?
       → All green → Approve PR

Re-review triggers:

  • Any Critical finding was present → mandatory re-review after fixes
  • More than 3 Suggestion items addressed → re-review recommended
  • Logic or architecture changed during feedback → re-review required

Skip re-review only when: All findings were Nice to have or single-line fixes with zero logic change.

Pitfalls

PitfallWhat to do
"Skinny controller" means move to modelMove to services — avoid fat models
Skipping N+1 check because "it's just one query"One query per record in a collection is N+1
permit! for conveniencePrivilege escalation risk — always whitelist attributes
Index added in same migration as columnOn large tables, separate migration with algorithm: :concurrent
Callbacks for business logicCallbacks are for persistence-level concerns, not orchestration
Approving after Critical fix without re-reviewingA fix can introduce new issues — re-review is mandatory
Controller action > ~15 linesExtract to service — controllers orchestrate, not implement
Model with > 3 callbacksExtract to service or observer
html_safe/raw on user-provided contentXSS risk — escape or sanitize first
Migration combining schema change and data backfillSplit: schema migration first, then data migration

Integration

SkillWhen to chain
rails-review-responseWhen the developer receives feedback and must decide what to implement
rails-architecture-reviewWhen review reveals structural problems
rails-security-reviewWhen review reveals security concerns
rails-migration-safetyWhen reviewing migrations on large tables
refactor-safelyWhen review suggests refactoring

rails-code-review

REVIEW_CHECKLIST.md

SKILL.md

README.md

tile.json