rails-security
Install: claude install-skill roodlicht/accans-sec-skills
# Rails Security
## When to use
This skill is the Rails-specific layer on top of `secure-coding`. Convention over configuration covers a lot, but anyone who works against the grain (string interpolation in `.where`, `.html_safe` on user input, CSRF protection turned off because "it was hard") gets the vulnerabilities back that the conventions were preventing.
Triggers on:
- A question like "review this Rails app", "Brakeman triage", "Devise hardening", "mass-assignment check", "is our CSP OK", "force SSL".
- Presence of `Gemfile`, `config/application.rb`, `config/environments/production.rb`, `config/routes.rb`, Devise setup under `config/initializers/devise.rb`, Pundit/CanCanCan policies.
- A PR that touches `html_safe`, `raw`, `.where("... #{x} ...")`, `skip_before_action :verify_authenticity_token`, or `skip_forgery_protection`.
- A Brakeman report that needs triaging.
- A handoff from `security-review` where Rails is in the stack.
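The PR triggers in the list above are the patterns a reviewer greps for first. As an added example (not code from the skill or its repository), the plain-Ruby pre-screen below scans source text for those patterns and reports line-level findings; the controller and view inputs are constructed here for illustration, and the rule names and the `scan_rails_source` function are my own naming, not part of the skill. It is a heuristic to point a human at the right lines, not a substitute for Brakeman: it deliberately does not flag `.where("... ?", value)`, where the interpolation sits in the bind argument rather than the SQL string.

```ruby
# Added example: a pattern-based pre-screen for the Rails PR triggers
# (SQL interpolation in .where, html_safe/raw on data, CSRF skips).
# Heuristic only; findings still need a human to triage.

RAILS_RISK_PATTERNS = {
  # A double-quoted SQL fragment that interpolates before the query method sees it.
  # Single-quoted Ruby strings do not interpolate, so only "..." is matched.
  "sql-interpolation"  => /\.(where|order|pluck|select|group|having|joins|find_by_sql)\(\s*"[^"]*#\{/,
  # Marking a string as HTML-safe bypasses the view layer's escaping.
  "html-safe-on-input" => /\.html_safe\b/,
  # The raw helper is the ERB-side equivalent of html_safe.
  "raw-helper"         => /\braw\s*\(|<%=\s*raw\b/,
  # Either form switches CSRF protection off for the controller or action.
  "csrf-skip"          => /skip_before_action\s+:verify_authenticity_token|skip_forgery_protection/
}.freeze

# Scan one file's text; returns an array of {path:, line:, rule:, snippet:}.
def scan_rails_source(source, path: "(constructed)")
  findings = []
  source.each_line.with_index(1) do |line, lineno|
    RAILS_RISK_PATTERNS.each do |rule, pattern|
      next unless line.match?(pattern)
      findings << { path: path, line: lineno, rule: rule, snippet: line.strip }
    end
  end
  findings
end

# Constructed sample controller (hypothetical; single-quoted heredoc so the
# "#{...}" stays literal and is not evaluated here).
SAMPLE_CONTROLLER = <<~'RUBY'
  class SearchController < ApplicationController
    skip_before_action :verify_authenticity_token, only: [:callback]

    def index
      @users = User.where("name LIKE '%#{params[:q]}%'")
      @safe  = User.where("name LIKE ?", "%#{params[:q]}%")
    end

    def show
      @bio = params[:bio].html_safe
    end
  end
RUBY

# Constructed sample view (hypothetical).
SAMPLE_VIEW = <<~'ERB'
  <h1><%= @title %></h1>
  <div><%= raw @bio %></div>
  <div><%= sanitize(@bio) %></div>
ERB

# Run both constructed samples and return all findings in file order.
def scan_samples
  scan_rails_source(SAMPLE_CONTROLLER, path: "app/controllers/search_controller.rb") +
    scan_rails_source(SAMPLE_VIEW, path: "app/views/search/show.html.erb")
end

if __FILE__ == $PROGRAM_NAME
  scan_samples.each do |f|
    puts format("%-40s:%-3d %-20s %s", f[:path], f[:line], f[:rule], f[:snippet])
  end
end
```

On the constructed samples this reports four lines: the CSRF skip, the interpolated `.where`, the `.html_safe` on a param, and the `raw` call; the placeholder `.where("name LIKE ?", ...)` and the `sanitize` call are left alone, which is the distinction the triage should preserve.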
### When NOT (handoff)
- General Ruby secure-coding → `secure-coding`.
- API design: Rails API-only mode overlaps with `api-security`. That skill covers the OWASP API Top 10; this one covers the Rails-specific implementation.
- SAST tool orchestration → `sast-orchestrator`. Brakeman is Rails-specific and belongs here.
- Dependency vulnerabilities in gems → `cve-triage` (via `bundle audit` or OSV-Scanner).
- Container/K8s deploy → `container-hardening` / `k8s-security`.
- Secrets in `config/master.key` or `credentials.yml.enc` on disk → `secrets-scanner`. This skill only covers the Rails credentials model.
## Approach
Six phases. Bra