From superpowers-rails
Enforces Rails controller conventions: thin controllers, Pundit authorization, message passing, RESTful CRUD for state changes, and Turbo responses.
How this skill is triggered — by the user, by Claude, or both
Slash command
/superpowers-rails:rails-controller-conventionsThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Controllers are thin request handlers. They authorize, delegate to models, and respond — nothing more.
Controllers are thin request handlers. They authorize, delegate to models, and respond — nothing more.
authorize. No exceptionsrails-model-conventions)resource :closure not post :close. Create enables, destroy disablesEvery controller action MUST call authorize to enforce Pundit policies.
def create
@article = Article.new(article_params)
authorize @article # BEFORE performing the action
@article.save!
redirect_to @article
end
def index
authorize Article # Class, not instance
@articles = policy_scope(Article)
end
[:companies, resource] for namespaced policiesindex/new: authorize the class (no instance yet)# WRONG - reaching into associations
@bookmark = current_user.academy_bookmarks.find_by(academy: @academy)
# RIGHT - ask the object
@bookmark = current_user.bookmark_for(@academy)
See rails-model-conventions for the full pattern and model-side implementation.
State changes are CRUD on a nested resource, not custom actions. See rails-model-conventions for the concern side.
resources :cards do
resource :closure, only: %i[create destroy]
end
class ClosuresController < ApplicationController
def create
authorize @card, :close?
@card.close
# respond with turbo_stream
end
def destroy
authorize @card, :reopen?
@card.reopen
# respond with turbo_stream
end
end
Authorize against the parent record using intent-named policy methods. No state logic in the controller.
| Do | Don't |
|---|---|
resource :closure | post :close, :reopen |
authorize @resource in every action | Skip authorization |
user.bookmarked?(academy) | user.bookmarks.exists?(...) |
| Model methods for state | Inline association queries |
| Turbo Streams | JSON responses |
| 7 RESTful actions | Custom action proliferation |
authorizeRemember: Controllers authorize and delegate. Everything else belongs in models.
2plugins reuse this skill
First indexed Jul 13, 2026
npx claudepluginhub fryga-io/superpowers-railsBuilds RESTful Rails controllers with 7 standard actions, nested resources, skinny architecture, reusable concerns, and strong parameters. Enforces thin controllers and security rules.
Guides Rails code with rubocop-rails-omakase conventions on Turbo Streams, controllers, concerns, services, modern Ruby style, enums, scopes, error handling, and Minitest testing.
Applies 37signals/DHH conventions to Ruby and Rails code: rich domain models, CRUD controllers, concerns, database-backed state, and minimal gems. Covers controllers, models, views (Turbo/Stimulus), architecture, testing (Minitest/fixtures), and code review.