Marketplace
Browse and adopt engineering standards, rules, and configurations. Fork to customize for your organization.
Use Rails built-in authentication, never Devise
rails
Use `has_secure_password`, `authenticate_by`, `generates_token_for`. Never use Devise/Sorcery/Clearance.
Use Rails credentials for secrets
rails
`Rails.application.credentials` for secrets. `rails credentials:edit`. Environment-specific credentials. Never commit `master.key`.
Use Strong Parameters correctly
rails
Whitelist attributes explicitly. Never `.permit!`. Use `require(:model).permit(:field)`.
Use RuboCop for Ruby linting
linting
RuboCop with `.rubocop.yml` config. Inherit from `rubocop-rails`, `rubocop-minitest`. Auto-correct safe cops.
Avoid N+1 queries
rails
Use `includes`/`preload`/`eager_load` for associations. Use Bullet gem in development.
Fat models, skinny controllers
rails
Controllers: auth, params, call service, render. Logic in models/services/form objects/query objects.
Use background jobs for slow operations
rails
Email, file processing, API calls, reports → background jobs (SolidQueue/Sidekiq). Keep requests <200ms.
Use database constraints
rails
Add NOT NULL, UNIQUE indexes, foreign keys, check constraints. Don't rely only on ActiveRecord validations.
Use Hotwire for interactivity
rails
Use Turbo (Drive/Frames/Streams) + Stimulus before React/Vue. JS frameworks only for complex client state.
Use Hotwire for Rails interactivity
rails
Turbo Drive for SPA-like nav. Turbo Frames for partials. Turbo Streams for real-time. Stimulus for JS sprinkles.
Use Minitest for Rails testing
rails
Minitest only—no RSpec. Rails default, fast, simple, fixtures-integrated.
Use Pundit for authorization
rails
Pundit policies for authorization. `authorize @record` in controllers. Policy classes match models.
Use service objects for complex operations
rails
Service objects for multi-model operations. Single public method (`call`). Return Result/Response objects. Keep models focused on persistence.
Use Sidekiq for background jobs
rails
Sidekiq for heavy background work. Redis required. Use `perform_later`. Retries with exponential backoff.
Use SolidQueue for Rails 8 jobs
rails
SolidQueue: Rails 8 default job backend. Database-backed. No Redis needed. Mission Control for monitoring.
Use Action Cable for WebSockets
rails
Action Cable for WebSockets. Channels for subscriptions. Redis adapter for multi-server. Use Turbo Streams when possible.
Use Active Storage for file uploads
rails
Active Storage for uploads. Direct uploads for large files. Variants for images. S3/GCS for production.
Use has_many :through over HABTM
rails
Always `has_many :through` with explicit join model. Never `has_and_belongs_to_many`.
Use Importmap for Rails JavaScript
rails
Importmap for JS without bundling. Pin packages from CDN or vendor. Works with Hotwire. No node_modules.
Use Propshaft for Rails assets
rails
Propshaft for asset pipeline. Simpler than Sprockets. No compilation, just fingerprinting. Rails 8 default.
Use scopes for common queries
rails
Define scopes for reusable queries. Enables chaining: `Order.recent.completed.for_user(user)`.
Use SolidCable for Action Cable
rails
SolidCable: database-backed pub/sub for Action Cable. No Redis needed. Rails 8 default.
Use SolidCache for Rails caching
rails
SolidCache: database-backed cache. No Redis needed. Good for most apps. Rails 8 default.
Use Capybara for Rails integration
testing
Capybara for system tests. Use semantic selectors. Wait for async. Headless Chrome in CI.