Entry points identified first

Domain logic layer checked

Models and callbacks inspected

High: business logic in callbacks

High: controller multi-step workflow

Boundary problems prioritised

Medium finding identified

Affected files per finding

Risk described per finding

Improvement per finding

Concerns and helpers checked

Pass ID not object

Load record in perform

Idempotency check present

Side effect after guard

retry_on with attempts

discard_on permanent error

Thin perform — service delegation

Recurring in recurring.yml

Solid Queue adapter

Spec covers idempotency

Spec written for job

Self.call delegation

Instance call method

Success response key

Success response nesting

Error response key

Error response nesting

File location

Frozen string literal

Module namespace

No raw exceptions returned

Stable behavior statement

Characterization tests before refactoring

Characterization tests target current code

Smallest safe sequence proposed

Test run evidence per step

No behavior mixed with structure

Temporary compatibility noted

No forbidden confidence claims

One boundary extracted per step

Auth includes HTTParty

Auth credential validation

No hardcoded credentials

Auth token caching

Client::Error class

HTTP error wrapping

JSON error wrapping

Timeout configured

Missing config raises Client::Error

Retry constant

Spec covers error path

Error message constants

YARD on self.call

YARD on other public methods

Class-only service used

No instance state in class-only service

README present

Frozen string literal

Response format

Module namespace matches directory

Constants not duplicated inline

Transaction present

Transaction scope correct

SQL sanitization used

No SQL string interpolation

Module namespace

File path correct

README present

Frozen string literal

Response format

Error constants

Builder initializer attributes

Builder attribute filtering

Builder response parsing

Entity ATTRIBUTES constant

Entity DEFAULT_QUERY constant

Entity SEARCH_QUERY constant

Entity self.fetcher wiring

sanitize_sql usage

FactoryBot hash factory

Factory in correct directory

ShelterApi module namespace

No raw interpolation in queries

Version constant updated

CHANGELOG updated

Upgrade notes produced

Semantic version bump correct

Version bump reasoning provided

Gemspec verified

Test suite mentioned

Blockers called out

CHANGELOG entries are specific

No release without CHANGELOG

Early input validation

Specific rescue clauses

StandardError rescue

Error logged

Error hash returned

No exception leakage

Partial success response

Frozen string literal

Response format consistency

Backtrace logged for unexpected errors

Factory attributes minimal

SendgridClient mocked

No real HTTP/email calls

ActiveRecord finders NOT mocked

Factory file exists

SendgridClient failure case tested

RecordNotFound case tested

let used for factory setup

External mock at class method level

Factory attributes match service usage

Dataloader for association

Field-level guard on sensitive field

No type-only auth for sensitive field

Mutation returns errors array

Mutation no unhandled raise

Introspection disabled in production

max_depth set

max_complexity set

Dedicated resolver class

Connection type for paginated list

schema.execute in specs

descriptions on fields

Auth file exists

Client file exists

Fetcher file exists

Builder file exists

Domain entity file exists

Auth self.default

Auth token caching

Client::Error class

Client constants

Fetcher DI constructor

Fetcher constants

Builder attribute filtering

Entity ATTRIBUTES constant

Entity DEFAULT_QUERY constant

README present

File saved to /tasks/

Introduction section

Goals section

User Stories section

Functional Requirements section

Non-Goals section

Design and Technical Considerations

Implementation Surface section

Success Metrics section

Open Questions section

No implementation code

What/why focus

Next steps suggestion

isolate_namespace used

configure block pattern

Configuration class

Configurable user class

No hard-coded host constant

Migrations not auto-applied

Host contract documented

lib/audit_trail.rb minimal

Dummy app routes mount engine

Model namespaced

Engine type justified

Postman v2.1 schema

Correct file location

base_url variable used

All endpoints present

HTTP methods correct

Headers included

Body examples for POST/PUT

Syntactically valid JSON

URL path parameters

Correct severity levels used

permit! flagged Critical

N+1 query identified

Missing index flagged

Business logic in controller flagged

Review covers multiple areas

Each finding includes mitigation

Re-review explicitly required

html_safe / raw usage flagged

Severity action prescribed per level

Spec file at mirrored path

RSpec.describe uses module::class

describe for method

context for scenario variations

let used for test data

No let! for non-setup data

No 'and' in example descriptions

Frozen string literal

Subject defined

let_it_be NOT used

Auth/authz reviewed first

Parameter handling reviewed

Query safety reviewed

High severity: SQL injection identified

High severity: missing authz identified

Medium severity finding identified

Attack path per finding

Affected file per finding

Mitigation per finding

Exploitability focus

Secrets and output reviewed

Orchestrator call length

Sub-services extracted

Orchestrator delegates, not implements

No HTTP response returned

Data-only return

Single responsibility

Frozen string literal

File structure

Response format

Error handling

SERVICE_MAP constant

Factory NullService fallback

NullService never raises

Correct file structure

Single entry point API

Concrete overrides should_calculate?

Concrete overrides compute_result

NullService spec context

Variant spec coverage

Frozen string literal

SERVICE_MAP key type consistency

shared_examples defined

shared_examples consumed twice or more

travel_to used

Expiry true at >30 days

Expiry false at <30 days

let_it_be NOT used

Shared examples in spec/support/

403 response asserted in shared behavior

Model spec path correct

type: :request used

type: :controller NOT used

Model spec file exists

type: :model used

No system or feature spec

Request spec in spec/requests/

Endpoint URL in describe

Endpoint success case covered

Endpoint failure case covered

Model uniqueness validation tested

Feature branch task 0.0

TDD write-spec sub-task

TDD run-spec-fail sub-task

TDD implement sub-task

TDD run-spec-pass sub-task

Exact file paths in sub-tasks

Saved in /tasks/ with correct name

YARD post-implementation gate

Documentation update task

Code review gate

Relevant Files section

process_log.md exists

Spec content before implementation

Expected failure documented

Test design phase present

Implementation plan before code

No implementation code before spec phase

At least three distinct phases

Spec file exists

Implementation file exists

Spec uses describe/context structure

Class-level summary

self.call @param

@option for hash keys

self.call @return

@raise for InvalidPlanError

@raise for PaymentGatewayError

supported_plans @return

English only

No logic changes

initialize documented

@example present

No what-comments

Why-comments on business rules

Why-comment on design tradeoff

Tagged note present

Tagged note has actionable context

Comment on MAX_DISCOUNT rationale

Comment on promo branching logic

Domain concept referenced

Comment on inactive subscription guard

No code duplicated in comments

No sort column interpolation

Sort column allowlist

Sort direction allowlist

Bound params or sanitize_sql_array for WHERE

No user input in order() string

Allowlist as constant or frozen structure

No send or eval with user column

Comment on raw SQL rationale

Safe fallback on invalid input

Frozen string literal

Static first argument

Hash second argument

Dynamic data in hash only

event: key present

Domain-specific hash fields

Multiple log levels

No interpolation in any logger call

At least four log statements

Failure path logged at error level

No puts or p for logging

URL path versioning used

Both V1 and V2 namespaces present

V2 controller inherits from V1

V2 overrides only changed actions

Deprecation concern exists

Deprecation header emitted

Sunset header emitted

V1 controller includes Deprecatable

Backward compatibility spec present

Sunset timeline documented

V1 endpoints not removed

Baseline documented

N+1 bottleneck named

Regression spec written

Regression spec asserts fixed count

Owner eager loaded

Tasks association optimized

EXPLAIN ANALYZE output present

Seq Scan / Index Scan interpreted

Fix precedes regression spec claim

Profiling tool mentioned

Query count improvement quantified

All 8 classification attributes present

area values from allowed set

execution_order values from allowed set

BE | prefix on backend tickets

FE | prefix on frontend tickets

No prefix on non-area tickets

Five sections present in each ticket

Summary states outcome only

Technical Notes scope correct

Foundation/API before client sequencing

Draft-only output

target_bucket values from allowed set

type values from allowed set

Policy class replaces inline logic

No presence-only checks remain

authorize called in controller

Index uses policy_scope

Policy class inherits ApplicationPolicy

Admin role permitted in policy

Owner role permitted in policy

Non-owner role denied in policy

Guest role tested in specs

permit_action matchers in policy spec

Request spec covers multiple roles