Production-ready safety checklists for Rails implementation. Covers nil safety, ActiveRecord patterns, security vulnerabilities, error handling, and performance. Use before marking any file complete during implementation phases.
Rails safety checklists for nil safety, N+1 queries, security vulnerabilities, error handling, and performance. Use before marking any file complete during implementation.
/plugin marketplace add Kaakati/rails-enterprise-dev/plugin install reactree-rails-dev@manifest-marketplaceThis skill inherits all available tools. When active, it can use any tool Claude has access to.
Comprehensive safety checklists to prevent common Rails bugs and vulnerabilities during implementation.
Use these checklists before marking any file complete during Phase 4 (Implementation).
Prevent NoMethodError: undefined method for nil errors.
# BAD - Crashes if user is nil
user.email.downcase
# GOOD - Safe navigation
user&.email&.downcase
# BAD - Crashes if find_by returns nil
User.find_by(email: email).name
# GOOD - Handle nil explicitly
User.find_by(email: email)&.name || "Unknown"
Checklist:
&.) for potentially nil objectsfind_by! or handle find_by returning nilhash.compact.eachPrevent N+1 queries, validation failures, and data integrity issues.
# BAD - N+1 queries
Post.all.each { |p| puts p.author.name }
# GOOD - Eager loading
Post.includes(:author).each { |p| puts p.author.name }
# BAD - Silent validation failure
user.save
# GOOD - Handle validation explicitly
if user.save
redirect_to user
else
render :edit, status: :unprocessable_entity
end
Checklist:
includes/joins to prevent N+1 queriesPrevent SQL injection, XSS, mass assignment, and other vulnerabilities.
# BAD - SQL injection
User.where("email = '#{params[:email]}'")
# GOOD - Parameterized query
User.where(email: params[:email])
User.where("email = ?", params[:email])
# BAD - Mass assignment vulnerability
User.create(params[:user])
# GOOD - Strong parameters
User.create(user_params)
private
def user_params
params.require(:user).permit(:name, :email)
end
Checklist:
sanitize or strip_tags)has_secure_password for authenticationPrevent crashes, ensure proper logging, and return meaningful errors.
# BAD - Catches everything, hides bugs
rescue => e
render json: { error: e.message }
# GOOD - Specific exception handling
rescue ActiveRecord::RecordNotFound => e
render json: { error: "Resource not found" }, status: :not_found
rescue ActiveRecord::RecordInvalid => e
render json: { errors: e.record.errors.full_messages }, status: :unprocessable_entity
Checklist:
StandardErrorRails.logger.error("Context: #{e.message}")Prevent slow queries, memory bloat, and inefficient operations.
# BAD - Loads all records into memory
User.all.map(&:email)
# GOOD - Only fetches emails
User.pluck(:email)
# BAD - Counts by loading records
User.all.any?
# GOOD - Uses SQL EXISTS
User.exists?
# BAD - Loads all records at once
User.all.each { |u| process(u) }
# GOOD - Batches of 1000
User.find_each { |u| process(u) }
Checklist:
pluck/select for specific columnsexists? instead of any? or count > 0find_each for large collectionsPrevent data loss and ensure reversible migrations.
# GOOD - Complete migration with all safety measures
class CreateOrders < ActiveRecord::Migration[7.1]
def change
create_table :orders do |t|
t.references :user, null: false, foreign_key: true, index: true
t.string :status, null: false, default: 'pending'
t.decimal :total, precision: 10, scale: 2, null: false
t.timestamps
end
add_index :orders, :status
add_index :orders, [:user_id, :status]
end
end
Checklist:
null: false for required columnsdown method if needed)# Pattern: Safe navigation chain
result = object&.method1&.method2&.method3
# Pattern: Filter nil from collections
hash.compact.each do |key, value|
# key and value are guaranteed non-nil
end
# Pattern: Explicit nil checks
if value.nil?
handle_missing_value
else
process(value)
end
# Pattern: Preload in controller
def index
@posts = Post.includes(:author, :comments, :tags)
end
# Pattern: Counter cache in model
class Post < ApplicationRecord
belongs_to :author, counter_cache: true
end
# Pattern: Test with Bullet gem
# config/environments/development.rb
Bullet.enable = true
Bullet.rails_logger = true
# Pattern: Define strong parameters for every action
class PostsController < ApplicationController
private
def post_params
params.require(:post).permit(:title, :body, :published_at)
end
def filter_params
params.permit(:status, :author_id, :created_after)
end
end
# Pattern: Parameterized queries only
User.where("email LIKE ?", "%#{sanitized_input}%")
User.where(status: params[:status])
This skill provides quick checklists. For detailed patterns, examples, and edge cases, reference the rails-error-prevention skill:
# Discover full error prevention patterns
cat .claude/skills/rails-error-prevention/SKILL.md
Cross-reference:
rails-error-prevention Section 2rails-error-prevention Section 3rails-error-prevention Section 4rails-error-prevention Section 5During Phase 4 (Implementation), before marking each file complete:
# Implementation workflow
# 1. Generate code for file
# 2. Run implementation-safety checklist
# 3. Fix any issues found
# 4. Run tests
# 5. Mark file complete
This skill should be used when the user asks to "create an agent", "add an agent", "write a subagent", "agent frontmatter", "when to use description", "agent examples", "agent tools", "agent colors", "autonomous agent", or needs guidance on agent structure, system prompts, triggering conditions, or agent development best practices for Claude Code plugins.
This skill should be used when the user asks to "create a slash command", "add a command", "write a custom command", "define command arguments", "use command frontmatter", "organize commands", "create command with file references", "interactive command", "use AskUserQuestion in command", or needs guidance on slash command structure, YAML frontmatter fields, dynamic arguments, bash execution in commands, user interaction patterns, or command development best practices for Claude Code.
This skill should be used when the user asks to "create a hook", "add a PreToolUse/PostToolUse/Stop hook", "validate tool use", "implement prompt-based hooks", "use ${CLAUDE_PLUGIN_ROOT}", "set up event-driven automation", "block dangerous commands", or mentions hook events (PreToolUse, PostToolUse, Stop, SubagentStop, SessionStart, SessionEnd, UserPromptSubmit, PreCompact, Notification). Provides comprehensive guidance for creating and implementing Claude Code plugin hooks with focus on advanced prompt-based hooks API.