From rails-agent-skills
Orchestrates GraphQL API development through four phases: domain modeling, schema design, TDD, and security review. Includes field-level authorization, cursor pagination, and N+1 elimination.
How this skill is triggered — by the user, by Claude, or both
Slash command
/rails-agent-skills:graphqlThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
**Steps:**
Steps:
Example Domain → Schema Mapping:
| Domain Concept | GraphQL Construct | Owning Context |
|---|---|---|
| Order (entity) | Types::OrderType | Orders |
| Customer (entity) | Types::CustomerType | Accounts |
| PlaceOrder (command) | Mutations::PlaceOrder | Orders |
| Order.lineItems | Types::LineItemType (connection) | Orders |
HARD GATE — Domain Language:
If gate fails: Return to domain discovery.
Steps:
authorized? on sensitive types and fields (see Phase 4 for the full security checklist)errors fieldHARD GATE — Schema Validation:
Verify schema validity using graphql-ruby's built-in tools:
namespace :graphql do
task validate: :environment do
puts MySchema.to_definition
puts "Schema valid."
end
end
bundle exec rake graphql:validate
Example Type:
module Types
class OrderType < Types::BaseObject
field :id, ID, null: false
field :customer, Types::CustomerType, null: false
field :total, Float, null: false
field :status, String, null: false
def self.authorized?(object, context)
context[:current_user].can_read?(object)
end
end
end
For every resolver or mutation:
HARD GATE — Test Verification:
Example Resolver Test:
RSpec.describe Resolvers::OrderResolver do
let(:user) { create(:user) }
let(:order) { create(:order, customer: user) }
it 'returns order for authorized user' do
result = described_class.new(object: nil, context: { current_user: user }).resolve(id: order.id)
expect(result).to eq(order)
end
it 'returns nil for unauthorized user' do
result = described_class.new(object: nil, context: { current_user: create(:user) }).resolve(id: order.id)
expect(result).to be_nil
end
end
This is the authoritative phase for all authorization and security requirements.
Steps:
authorized? guardGraphQL::Batch or dataloaderrescue_from on the schema class catches StandardError and returns a generic messageHARD GATE — Security Check:
Example Security Configuration:
class MySchema < GraphQL::Schema
use GraphQL::Batch
query Types::QueryType
mutation Types::MutationType
max_depth 10
max_complexity 100
rescue_from(StandardError) do |err|
raise GraphQL::ExecutionError, "An error occurred"
end
end
| Problem | Remediation |
|---|---|
| Schema validation fails | Check circular references with MySchema.to_definition; verify all referenced types are defined |
| Authorization bypass detected | Add authorized? to the affected type, write a failing spec, re-run Phase 4 |
| N+1 queries | Identify with bullet gem; add GraphQL::Batch loader or dataloader for the association |
app/graphql/types/, app/graphql/mutations/, app/graphql/resolvers/ — not one filenpx claudepluginhub igmarin/rails-agent-skillsDesigns, implements, and reviews GraphQL APIs in Rails with graphql-ruby, enforcing TDD, dataloader-based N+1 prevention, auth guards, and mutation error shapes.
Designs GraphQL schemas, resolvers, and subscriptions for Rails using graphql-ruby. Prevents N+1 queries with batch loaders, adds pagination, and authorization with Pundit.
Designs and reviews GraphQL schemas, resolvers, mutations, pagination, and data-loading patterns. Use when building or refactoring GraphQL APIs.