igmarin/rails-agent-skills
Curated library of 41 public AI agent skills for Ruby on Rails development. Organized by category: planning, testing, code-quality, ddd, engines, infrastructure, api, patterns, context, and orchestration. Covers code review, architecture, security, testing (RSpec), engines, service objects, DDD patterns, and TDD automation. Repository workflows remain documented in GitHub but are intentionally excluded from the Tessl tile.
95
93%
Does it follow best practices?
Impact
96%
1.77xAverage score across 41 eval scenarios
Passed
No known issues
SKILL.mdworkflows/review/
- name:
- review
- license:
- MIT
- description:
- Multi-pass Rails code review workflow that identifies bugs, security vulnerabilities, and architectural issues; assigns severity levels (Critical, Suggestion, Nice-to-have); and generates actionable review comments with a mandatory re-review loop for Critical findings. Use for full PR review workflows, multi-pass security or architecture audits, or implementing and verifying responses to review feedback. Trigger: review this PR, full code review, multi-pass review, audit security vulnerabilities, review architecture, respond to review feedback, implement review fixes.
- metadata:
- {"version":"1.0.0","user-invocable":"true","entry_point":"Invoke when conducting full PR review, multi-pass security/architecture audit, or implementing review feedback","phases":"Phase 1: Systematic Review, Phase 2: Deep Dive, Phase 3: Respond","hard_gates":"Security Check, Architecture Check, Findings Assessment, Re-review for Critical","dependencies":"code-review, security-check, review-architecture, respond-to-review","keywords":"rails, review, audit, security, architecture, workflow, pr, feedback"}
Review Workflow
Orchestrates systematic code review with optional deep dives for security/architecture and response handling.
Workflow Phases
Phase 1: Systematic Review
Load primary review skill:
- code-review — Systematic Rails PR review
Concrete checklist per changed file:
- Verify
before_actioncallbacks match route constraints and cover all sensitive actions - Check every
.save,.update,.destroycall has error handling or a!bang with rescue - Confirm strong parameters whitelist only the required attributes — no
permit! - Identify any
where/findcalls inside loops (N+1 risk) and flag for extraction - Confirm
authorize(or equivalent policy check) is called before rendering any resource - Validate model associations use appropriate
dependent:options to prevent orphaned records - Check callbacks (
before_save,after_create, etc.) for side-effects that cross domain boundaries - Confirm test coverage exists for the changed logic path
Output format per file: [CRITICAL|SUGGESTION|NICE-TO-HAVE] <file>:<line> — <finding>
Example Critical finding comment:
[CRITICAL] app/controllers/orders_controller.rb:42 — Missing authorisation check;
any authenticated user can access another user's order. Add `authorize @order`
before rendering.Example Suggestion comment:
[SUGGESTION] app/models/order.rb:17 — `Order.where(user: current_user)` called
inside a loop; extract to a scoped query to avoid N+1.Decision Gate — Security Check:
- Security concerns found? → Proceed to Phase 2 (Security)
- No security concerns → Skip to Phase 2 (Architecture check)
Phase 2: Deep Dive (Optional)
Branch A — Security Review (if triggered):
- skills/code-quality/security-check — Deep security audit
- Auth & session management
- Authorization & IDOR
- Input validation & SQL injection
- Output encoding & XSS
- Secrets handling
Decision Gate — Architecture Check:
- Architecture issues found? → Proceed to Architecture Review
- No architecture issues → Skip to Phase 3
Branch B — Architecture Review (if triggered):
- skills/code-quality/review-architecture — Structural review
- Boundary recommendations
- Extraction suggestions
- Coupling assessment
Phase 3: Respond
Decision Gate — Findings Assessment:
| Finding Level | Action |
|---|---|
| None/minor | Proceed to merge |
| Critical | Must fix before merge |
| Suggestion | Fix in this PR or ticket separately |
If Critical findings:
- skills/code-quality/respond-to-review — Evaluate and implement fixes
TDD Enforcement for Critical Fixes
Before implementing any code fix:
- testing/plan-tests — Choose the best test to reproduce the Critical issue
- testing/write-tests — Write failing test that reproduces the Critical finding
- Test Verification — Confirm test FAILS for the right reason (reproduces the issue)
- Fix Proposal — Propose minimal fix to address the root cause
- User Approval — Wait for explicit confirmation
- Implement Fix — Apply minimal code change
- Verify PASS — Confirm test now PASSES (issue is resolved)
- Regression Check — Run full test suite to ensure no new issues
HARD GATE — Fix Verification:
- Reproduction test EXISTS and FAILS before fix (confirms issue)
- Reproduction test PASSES after fix (confirms resolution)
- Full test suite PASSES (no regressions)
- If test fails: Fix is incomplete or incorrect, revise and re-test
- Validation checkpoint — For each Critical item, confirm a corresponding code change exists before marking resolved:
- List each Critical finding by ID
- For each: identify the changed file and line, verify the fix addresses the root cause
- Confirm reproduction test exists and passes
- Only mark resolved when the change is present and correct
- Re-review mandatory — Return to Phase 1 (code-review)
- Repeat until all Critical items are resolved
Proceed-to-merge summary format:
## Review Complete — Approved for Merge
- Critical findings: 0 remaining
- Suggestions addressed: <n> fixed, <n> ticketed as <TICKET-IDs>
- Files reviewed: <list>
- Re-review cycles: <n>If Suggestions only:
- Fix accepted items (one at a time)
- Document deferred items as tickets
- Proceed to merge
Severity Levels
| Level | Definition | Action Required |
|---|---|---|
| Critical | Security vulnerability, data loss, production risk | Fix before merge |
| Suggestion | Improvement opportunity, tech debt | Fix now or ticket |
| Nice to have | Optional enhancement | Does not block |
Anti-Patterns to Avoid
- Performative agreement: "LGTM! Will address in follow-up" without actually fixing
- Skipping re-review: Critical fixes must be re-reviewed
- Scope creep: Don't turn review into feature work — ticket separately
docs
evals
scenario-1
scenario-2
scenario-3
scenario-4
scenario-5
scenario-6
scenario-7
scenario-8
scenario-9
scenario-10
scenario-11
scenario-12
scenario-13
scenario-14
scenario-15
scenario-16
scenario-17
scenario-18
scenario-19
scenario-20
scenario-21
scenario-22
scenario-23
scenario-24
scenario-25
scenario-26
scenario-27
scenario-28
scenario-29
scenario-30
scenario-31
scenario-32
scenario-33
scenario-34
scenario-35
scenario-36
scenario-37
scenario-38
scenario-39
scenario-40
scenario-41
mcp_server
skills
api
generate-api-collection
implement-graphql
code-quality
apply-code-conventions
apply-stack-conventions
assets
snippets
code-review
refactor-code
respond-to-review
review-architecture
security-check
context
load-context
setup-environment
ddd
define-domain-language
model-domain
review-domain-boundaries
engines
create-engine
create-engine-installer
document-engine
extract-engine
release-engine
review-engine
test-engine
upgrade-engine
infrastructure
implement-background-job
implement-hotwire
optimize-performance
review-migration
seed-database
version-api
orchestration
skill-router
patterns
create-service-object
implement-calculator-pattern
write-yard-docs
planning
create-prd
generate-tasks
plan-tickets
testing
plan-tests
test-service
triage-bug
write-tests
workflows