Implementation Safety Skill
Comprehensive safety checklists to prevent common Rails bugs and vulnerabilities during implementation.
Quick Reference
Use these checklists before marking any file complete during Phase 4 (Implementation).
1. Nil Safety Checklist
Prevent NoMethodError: undefined method for nil errors.
# BAD - Crashes if user is nil user.email.downcase # GOOD - Safe navigation user&.email&.downcase # BAD - Crashes if find_by returns nil User.find_by(email: email).name # GOOD - Handle nil explicitly User.find_by(email: email)&.name || "Unknown"
Checklist:
- • Use safe navigation (
&.) for potentially nil objects - • Add presence validations for required attributes
- • Handle nil cases explicitly in conditionals
- • Use
find_by!or handlefind_byreturning nil - • Check for nil before calling methods
- • Filter nil values from collections:
hash.compact.each
2. ActiveRecord Safety Checklist
Prevent N+1 queries, validation failures, and data integrity issues.
# BAD - N+1 queries
Post.all.each { |p| puts p.author.name }
# GOOD - Eager loading
Post.includes(:author).each { |p| puts p.author.name }
# BAD - Silent validation failure
user.save
# GOOD - Handle validation explicitly
if user.save
redirect_to user
else
render :edit, status: :unprocessable_entity
end
Checklist:
- • Use
includes/joinsto prevent N+1 queries - • Add validations for all user inputs
- • Handle validation failures explicitly
- • Add indexes on foreign keys
- • Use scopes instead of class methods for queries
- • Add counter caches for frequently accessed counts
3. Security Checklist
Prevent SQL injection, XSS, mass assignment, and other vulnerabilities.
# BAD - SQL injection
User.where("email = '#{params[:email]}'")
# GOOD - Parameterized query
User.where(email: params[:email])
User.where("email = ?", params[:email])
# BAD - Mass assignment vulnerability
User.create(params[:user])
# GOOD - Strong parameters
User.create(user_params)
private
def user_params
params.require(:user).permit(:name, :email)
end
Checklist:
- • Strong parameters for all user inputs
- • No string interpolation in SQL queries
- • Sanitize HTML output (
sanitizeorstrip_tags) - • No mass assignment without whitelisting
- • Use
has_secure_passwordfor authentication - • No sensitive data in logs or error messages
4. Error Handling Checklist
Prevent crashes, ensure proper logging, and return meaningful errors.
# BAD - Catches everything, hides bugs
rescue => e
render json: { error: e.message }
# GOOD - Specific exception handling
rescue ActiveRecord::RecordNotFound => e
render json: { error: "Resource not found" }, status: :not_found
rescue ActiveRecord::RecordInvalid => e
render json: { errors: e.record.errors.full_messages }, status: :unprocessable_entity
Checklist:
- • Rescue specific exceptions, not
StandardError - • Log errors with context:
Rails.logger.error("Context: #{e.message}") - • Return meaningful error messages (not raw exceptions)
- • Handle edge cases (empty arrays, nil values, zero amounts)
- • Use Result pattern for service objects
5. Performance Checklist
Prevent slow queries, memory bloat, and inefficient operations.
# BAD - Loads all records into memory
User.all.map(&:email)
# GOOD - Only fetches emails
User.pluck(:email)
# BAD - Counts by loading records
User.all.any?
# GOOD - Uses SQL EXISTS
User.exists?
# BAD - Loads all records at once
User.all.each { |u| process(u) }
# GOOD - Batches of 1000
User.find_each { |u| process(u) }
Checklist:
- • Use
pluck/selectfor specific columns - • Use
exists?instead ofany?orcount > 0 - • Use
find_eachfor large collections - • Add database indexes for frequently queried columns
- • Use counter caches instead of repeated count queries
6. Migration Safety Checklist
Prevent data loss and ensure reversible migrations.
# GOOD - Complete migration with all safety measures
class CreateOrders < ActiveRecord::Migration[7.1]
def change
create_table :orders do |t|
t.references :user, null: false, foreign_key: true, index: true
t.string :status, null: false, default: 'pending'
t.decimal :total, precision: 10, scale: 2, null: false
t.timestamps
end
add_index :orders, :status
add_index :orders, [:user_id, :status]
end
end
Checklist:
- • Add indexes on all foreign keys
- • Include
null: falsefor required columns - • Add unique indexes for uniqueness constraints
- • Make migrations reversible (provide
downmethod if needed) - • Add default values where appropriate
- • Use precision/scale for decimal columns
7. Specific Error Prevention
NoMethodError Prevention
# Pattern: Safe navigation chain result = object&.method1&.method2&.method3 # Pattern: Filter nil from collections hash.compact.each do |key, value| # key and value are guaranteed non-nil end # Pattern: Explicit nil checks if value.nil? handle_missing_value else process(value) end
N+1 Query Prevention
# Pattern: Preload in controller def index @posts = Post.includes(:author, :comments, :tags) end # Pattern: Counter cache in model class Post < ApplicationRecord belongs_to :author, counter_cache: true end # Pattern: Test with Bullet gem # config/environments/development.rb Bullet.enable = true Bullet.rails_logger = true
Security Vulnerability Prevention
# Pattern: Define strong parameters for every action
class PostsController < ApplicationController
private
def post_params
params.require(:post).permit(:title, :body, :published_at)
end
def filter_params
params.permit(:status, :author_id, :created_after)
end
end
# Pattern: Parameterized queries only
User.where("email LIKE ?", "%#{sanitized_input}%")
User.where(status: params[:status])
8. Integration with Rails Error Prevention Skill
This skill provides quick checklists. For detailed patterns, examples, and edge cases, reference the rails-error-prevention skill:
# Discover full error prevention patterns cat .claude/skills/rails-error-prevention/SKILL.md
Cross-reference:
- •Nil Safety →
rails-error-preventionSection 2 - •ActiveRecord Safety →
rails-error-preventionSection 3 - •Security →
rails-error-preventionSection 4 - •Error Handling →
rails-error-preventionSection 5
Usage in Implementation Phase
During Phase 4 (Implementation), before marking each file complete:
- •Read this skill for quick checklist reference
- •Review the file against each applicable checklist
- •Fix any violations before proceeding
- •Mark file complete only after all checks pass
# Implementation workflow # 1. Generate code for file # 2. Run implementation-safety checklist # 3. Fix any issues found # 4. Run tests # 5. Mark file complete