skills/rails-controller-patterns/SKILL.md
Analyzes and recommends Rails controller patterns including RESTful design, strong parameters, before_actions, response handling, and routing. Use when building controllers, defining routes, handling params, or managing request/response flow. NOT for model validations, service object internals, view templates, or background job logic.
Generate controllers following standard Rails RESTful conventions (7 actions, resourceful routing, before_actions, strong params).
- Logic placement follows the project's axis (see rails-stack-profiles): native delegates to models and concerns, extracted delegates to service objects
- params.expect (Rails 8+)
- redirect_to after success, render :action, status: on failure
- Cards::ClosuresController over post :close on CardsController

params.expect replaces params.require().permit() with a cleaner, more secure API. Check Gemfile.lock for the Rails version before using it.
```ruby
# Basic
params.expect(post: [:title, :content])

# Arrays
params.expect(post: [:title, tags: []])

# Nested attributes
params.expect(user: [:name, :email, profile_attributes: [:bio, :avatar]])

# Dynamic hash attributes
params.expect(product: [:name, :price, metadata: {}])

# Legacy syntax (Rails < 8)
params.require(:post).permit(:title, :content)
```
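As an added example (not code from the skill or from Rails itself), the plain Ruby below models the allow-list filtering that params.expect performs next to what params.permit! lets through from a tampered request. The helper names (`filter_shape`, `expect_params`, `permit_all`), the `ParameterMissing` class and the request body are constructed for illustration; the shape syntax follows the snippets above.

```ruby
# Added example (not the skill's own code and not the Rails API): a plain-Ruby
# model of the allow-list filtering params.expect performs, next to a model of
# params.permit!, to show what each lets through from a tampered request.
# Shape syntax follows the examples above: :sym = scalar, key: [] = array of
# scalars, key: [...] = nested hash, key: {} = any hash of scalars.
# Request params use string keys, as Rack delivers them.

class ParameterMissing < StandardError; end

SCALARS = [String, Integer, Float, TrueClass, FalseClass, NilClass].freeze

def scalar?(value)
  SCALARS.any? { |klass| value.is_a?(klass) }
end

# Keep only the keys named in `shape`; anything else (e.g. "admin") is dropped.
def filter_shape(value, shape)
  return nil unless value.is_a?(Hash)
  out = {}
  shape.each do |entry|
    if entry.is_a?(Symbol)
      key = entry.to_s
      out[key] = value[key] if value.key?(key) && scalar?(value[key])
    else
      entry.each do |sym, sub|
        key = sym.to_s
        next unless value.key?(key)
        inner = value[key]
        if sub == []                       # array of scalars: non-scalar elements dropped
          out[key] = inner.select { |x| scalar?(x) } if inner.is_a?(Array)
        elsif sub == {}                    # open hash: any keys, scalar values only
          out[key] = inner.select { |_, x| scalar?(x) } if inner.is_a?(Hash)
        elsif sub.is_a?(Array)             # nested hash with its own allow-list
          nested = filter_shape(inner, sub)
          out[key] = nested if nested
        end
      end
    end
  end
  out
end

# Model of params.expect(root => shape): the root key must be present and a
# hash, otherwise Rails raises ActionController::ParameterMissing (HTTP 400).
def expect_params(params, root, shape)
  value = params[root.to_s]
  raise ParameterMissing, "param is missing or the value is empty: #{root}" unless value.is_a?(Hash)
  filter_shape(value, shape)
end

# Model of params.require(root).permit!: every key passes through unchanged,
# including attributes the form never exposed. This is the mass-assignment hole.
def permit_all(params, root)
  value = params[root.to_s]
  raise ParameterMissing, "param is missing or the value is empty: #{root}" unless value.is_a?(Hash)
  value
end

# Constructed request body: a client adds "admin" and a nested "role" that the
# sign-up form never rendered, and puts a hash into the tags array.
TAMPERED = {
  "user" => {
    "name" => "Ada",
    "email" => "ada@example.test",
    "admin" => true,
    "tags" => ["ruby", { "evil" => 1 }, "rails"],
    "profile_attributes" => { "bio" => "hi", "avatar" => "a.png", "role" => "owner" }
  }
}.freeze

USER_SHAPE = [:name, :email, tags: [], profile_attributes: [:bio, :avatar]].freeze

if __FILE__ == $PROGRAM_NAME
  p expect_params(TAMPERED, :user, USER_SHAPE)  # no "admin", no "role", tags are strings only
  p permit_all(TAMPERED, :user)["admin"]         # true: permit! hands the client-controlled flag to the model
end
```

The point the model makes is the one the anti-pattern table states: with permit!, whether `admin` reaches the model depends on what the client sent; with an explicit shape it depends only on the controller.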
Treat state changes as resources instead of adding custom member actions. This keeps controllers focused and RESTful.
```ruby
# Bad - custom actions bloat the controller
resources :cards do
  post :close
  post :reopen
end

# Good - resource controllers
resources :cards do
  scope module: :cards do
    resource :closure # create = close, destroy = reopen
    resource :pin     # create = pin, destroy = unpin
  end
end
```
```ruby
class ApplicationController < ActionController::Base
  rescue_from ActiveRecord::RecordNotFound, with: :not_found
  rescue_from ActionPolicy::Unauthorized, with: :forbidden

  private

  def not_found
    respond_to do |format|
      format.html { render "errors/not_found", status: :not_found }
      format.json { render json: { error: "Not found" }, status: :not_found }
    end
  end

  def forbidden
    respond_to do |format|
      format.html { redirect_back fallback_location: root_path, alert: "Not authorized." }
      format.json { render json: { error: "Forbidden" }, status: :forbidden }
    end
  end
end
```
| Anti-Pattern | Problem | Fix |
|-------------|---------|-----|
| Fat controllers (50+ line actions) | Hard to test and maintain | Move logic to its axis-appropriate home (see Principle 1) |
| Business logic in controllers | Violates SRP | Move logic to its axis-appropriate home (see Principle 1) |
| Custom member actions (:close, :archive) | Controller grows unbounded | Create dedicated resource controllers (Cards::ClosuresController) |
| params.permit! | Allows all params (mass assignment) | Use params.expect with explicit fields |
| Deeply nested routes (>1 level) | Confusing URLs and helpers | Use shallow: true or flat routes |
| Skipping authentication filters | Security vulnerability | Apply before_action broadly, skip selectively |
| Multiple respond_to blocks | Code duplication | Use respond_to once or separate API controllers |
- status: :unprocessable_entity (422) for validation failures
- status: :not_found (404) for missing records
- status: :forbidden (403) for authorization failures
- status: :see_other (303) for redirect_to after DELETE
- rescue_from in ApplicationController for consistent error responses

When analyzing or creating controllers, provide:
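As an added example serving both the ApplicationController rescue_from block above and the status list (not the skill's own code and not Rails), this plain-Ruby model turns an exception into a status and a format-specific body the way a rescue_from table does. The `ErrorResponder` class, the stand-in exception classes and the constructed `SoftDeleted` subclass are assumptions for illustration; the HTML body is reduced to a template name.

```ruby
# Added example (not the skill's own code and not Rails): a plain-Ruby model of
# a rescue_from table that turns an exception into [status, body] for the
# requested format. It shows two rules that decide whether error responses are
# actually consistent: a handler also catches subclasses of the class it was
# registered for, and Rails searches handlers from the last registered to the
# first, so a broad handler registered last shadows every specific one.
# Exception classes are constructed; the html body is the template name only.

STATUS_CODES = {
  not_found: 404, forbidden: 403, unprocessable_entity: 422, see_other: 303
}.freeze

class RecordNotFound < StandardError; end      # stands in for ActiveRecord::RecordNotFound
class Unauthorized < StandardError; end        # stands in for ActionPolicy::Unauthorized
class SoftDeleted < RecordNotFound; end        # constructed subclass, never registered

class ErrorResponder
  def initialize
    @handlers = [] # [exception_class, status_symbol, message], in registration order
  end

  def rescue_from(klass, status:, message:)
    @handlers << [klass, status, message]
    self
  end

  # Returns [numeric_status, body] or nil when no handler matches (the
  # exception would propagate and become a 500).
  def respond(exception, format)
    match = @handlers.reverse.find { |klass, _, _| exception.is_a?(klass) }
    return nil unless match
    _, status, message = match
    body = format == :json ? { error: message } : "errors/#{status}"
    [STATUS_CODES.fetch(status), body]
  end
end

# The table from ApplicationController above, specific classes only.
RESPONDER = ErrorResponder.new
  .rescue_from(RecordNotFound, status: :not_found, message: "Not found")
  .rescue_from(Unauthorized, status: :forbidden, message: "Forbidden")

# Ordering mistake: the catch-all registered last is searched first, so a
# missing record is reported as 422 instead of 404.
BROAD_LAST = ErrorResponder.new
  .rescue_from(RecordNotFound, status: :not_found, message: "Not found")
  .rescue_from(StandardError, status: :unprocessable_entity, message: "Request failed")

# Corrected: register the broad handler first so specific ones take precedence.
BROAD_FIRST = ErrorResponder.new
  .rescue_from(StandardError, status: :unprocessable_entity, message: "Request failed")
  .rescue_from(RecordNotFound, status: :not_found, message: "Not found")

if __FILE__ == $PROGRAM_NAME
  p RESPONDER.respond(SoftDeleted.new, :json)      # [404, {:error=>"Not found"}] via the parent's handler
  p BROAD_LAST.respond(RecordNotFound.new, :json)  # [422, ...]: shadowed by the catch-all
  p BROAD_FIRST.respond(RecordNotFound.new, :html) # [404, "errors/not_found"]
end
```

The ordering rule is the practical check: if a catch-all rescue_from is added below the specific ones in ApplicationController, every 404 and 403 silently turns into the catch-all's status, and JSON clients lose the distinction the status list above relies on.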