This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
This is a Rails 8.1 API application that serves as the backend for NativeAppTemplate iOS/Android mobile applications. It's a multi-tenant SaaS application with token-based authentication, role-based authorization, and RESTful API endpoints. Ruby 4.0.2, PostgreSQL, Solid Queue/Cable/Cache.
bin/setup # Installs all dependencies, prepares database, builds assetsbin/dev # Starts Rails server, CSS watcher, JS bundlerbin/rails test # Run all tests
bin/rails test test/path/to/test.rb # Run specific test file
bin/rails test test/path/to/test.rb:42 # Run specific test linebin/rubocop # Ruby code linting
bundle exec erb_lint --lint-all # ERB template linting
bin/brakeman # Security vulnerability scanning
bin/bundler-audit # Audit gems for known security defectsbin/ci # Runs setup, rubocop, bundler-audit, brakeman, tests, and seedsbin/rails db:create db:migrate # Create and migrate database
bin/rails db:seed_fu # Load seed data (uses seed-fu gem)
bin/rails db:reset # Drop, create, migrate, and seedbin/rails console # Rails console
bin/rails dbconsole # Database console- All API endpoints are under
/api/v1/namespace - Token-based authentication using
devise_token_auth - Separate namespaces for different user types (e.g.,
/api/v1/shopkeeper/) - JSON API specification for responses using
jsonapi-serializer - CORS enabled for cross-origin requests
- Authentication: Devise Token Auth with headers-based token management
- Authorization: Pundit policies for resource-level permissions
- Multi-tenancy: acts_as_tenant for complete data isolation between accounts
- RBAC: Role and Permission models for fine-grained access control
Account- Top-level tenant/organizationShopkeeper- Main user type (belongs to Account)Shop- Core business entity (belongs to Account)ItemTag- Belongs to Shop with unique name constraintRole&Permission- Authorization system- State machines implemented with AASM gem
- Solid Queue for background jobs (database-backed, no Redis needed)
- Solid Cable for Action Cable (database-backed)
- Solid Cache for caching in production/staging
- Monitor jobs at
/madmin/jobs(Mission Control)
- Minitest for all tests (models, controllers, integration, policies)
- WebMock for stubbing external HTTP requests
- Parallel test execution supported (10 workers by default)
- Comprehensive test coverage across all layers:
- Model tests: test/models/ - Validations, associations, callbacks, state machines
- Policy tests: test/policies/ - Authorization rules for all user roles
- Controller tests: test/controllers/ - API endpoints, authentication, authorization
- Integration tests: test/integration/ - End-to-end user flows
- Test helpers:
json_responsefor parsing JSON API responsescreate_new_auth_tokenfor generating auth headers (Devise Token Auth)- Fixtures in test/fixtures/ and seed data in db/fixtures/test/
- Run tests:
bin/rails test(205 tests, 402 assertions)
HOST(Wi-Fi IP) andPORTare required in.env;Procfile.devuses${HOST:?...}so Rails fails loudly if unset, anddevelopment.rbusesENV.fetch("HOST")foraction_mailer.default_url_options. Must matchNATEMPLATE_API_DOMAINin the iOS scheme and Androidgradle.properties. Never127.0.0.1,localhost, or0.0.0.0.- Mailbin for email testing at
/mailbin - Admin interface at
/madmin - Tailwind CSS compiled by tailwindcss-rails gem
- Use
seed-fufor database seeding (not standard Rails seeds) - API responses follow JSON API specification
- All API controllers inherit from
Api::V1::BaseController - Tenant isolation handled automatically via
AccountMiddleware - Image processing with Active Storage and
image_processinggem
- Configured for Render.com deployment
- Build script:
bin/render-build.sh - Web server:
bin/render-start.sh - Solid Queue runs in Puma via
SOLID_QUEUE_IN_PUMA=true
IMPORTANT: Always run these checks and fix all errors before committing code:
bin/rubocop- Fix all RuboCop offenses before committing
- Run
bin/rubocop -ato auto-correct safe offenses - Review and manually fix remaining issues
bin/brakeman- Fix all security vulnerabilities before committing
- Review warnings and address potential security issues
- Never commit code with security vulnerabilities
bin/rails test- Ensure all tests pass before committing
- Add tests for new features or bug fixes
-
bin/rubocop- No lint errors -
bin/brakeman- No security issues -
bin/rails test- All tests passing - Code reviewed for quality and security
- Add route in
config/routes.rbunder appropriate namespace - Create controller inheriting from
Api::V1::BaseController - Add Pundit policy in
app/policies/with authorization rules - Create serializer in
app/serializers/ - Write controller tests in
test/controllers/testing all actions and edge cases
- Model tests: Test validations, associations, callbacks, scopes, and business logic
- Policy tests: Test authorization for all roles (admin, managers, members, guest)
- Controller tests: Test CRUD operations, authentication requirements, authorization checks
- Use
ActsAsTenant.with_tenant(@account)when testing multi-tenant models - Fixtures are loaded automatically from test/fixtures/*.yml
- Test data seeds loaded from db/fixtures/test/*.rb in setup hook
- All models should include
acts_as_tenant :account - Current account accessible via
current_accountin controllers - Tenant switching handled by
AccountMiddleware
- Create job class in
app/jobs/ - Specify queue with
queue_as :default(or :critical, :low, etc.) - Call with
MyJob.perform_later(args)
Create test passing all of path including unhappy path. Creating and updating that test is must.