Config Templates
rails-cto init drops a set of config files into your project that every skill in the plugin expects. This page describes what each file is, which skill uses it, and what's safe to customize.
All of these files are templates, not locks. You can edit them for your project's needs. The doctor command will flag drift from the bundled template but won't prevent you from diverging. See rails-cto doctor for details.
.rubocop.yml
Used by: rails-cto-qa
Based on rubocop-rails-omakase with project-specific overrides:
- Max line length: 100 characters
- Frozen string literal comment required: every
.rbfile must start with# frozen_string_literal: true - Ordered Gemfile entries: gems must be alphabetically sorted within each group
The file inherits from the Omakase cops and adds custom rules via the gem's built-in RuboCop extension.
Safe to customize: project-specific exclusions (Exclude: under a cop), relaxed line lengths for specific file globs, and any cop you genuinely disagree with. Avoid disabling core style cops like Style/FrozenStringLiteralComment — the /rails-cto-engineer skill expects them to be enforced.
.reek.yml
Used by: rails-cto-static-analysis
Reek detects common code smells — long methods, too many instance variables, feature envy, and so on. The bundled config tunes the thresholds to match the One Person Framework philosophy: small methods, small classes, low coupling.
Safe to customize: per-file exclusions, relaxed thresholds for generated code, and exemptions for established patterns in your codebase.
.bundler-audit.yml
Used by: rails-cto-security
bundler-audit scans your Gemfile.lock against the RubySec advisory database. The config file lets you ignore specific CVEs (for example, if you've backported a fix yourself or are waiting on an upstream release).
Safe to customize: the ignore: list for CVEs you've already addressed. Don't disable the whole scan.
config/brakeman.yml
Used by: rails-cto-security
Brakeman scans Rails code for common vulnerability patterns — SQL injection, mass assignment, XSS, CSRF, and more. The config file controls scan options, severity thresholds, and ignore rules.
Safe to customize: adding paths to --skip-files for vendored or generated code. Ignoring specific warnings should be done via brakeman.ignore (generated by bundle exec brakeman -I), not by loosening the config.
.herb/rewriters/align-attributes.mjs
Used by: rails-cto-erb
A Herb rewriter that aligns HTML attributes in ERB templates. When the ERB skill runs, it invokes this rewriter to auto-format attribute indentation so that templates stay scannable regardless of how the agent typed them.
Not safe to customize. This file implements a specific formatting rule the ERB skill depends on. If you disagree with the rule, file an issue at the plugin repo rather than editing the rewriter locally.
.herb/rules/no-inline-styles.mjs
Used by: rails-cto-erb and rails-cto-tailwind
A Herb lint rule that flags any style="..." attribute in an ERB template. The Tailwind skill treats inline styles as an anti-pattern — anything you'd write as a style attribute should be a Tailwind utility class instead.
Not safe to customize — this rule is what makes the "no inline styles" gate work.
SimpleCov patch in test/test_helper.rb
Used by: rails-cto-qa and rails-cto-minitest
Not a file the gem installs, but a patch it inserts. init adds:
require "simplecov"
require "simplecov_json_formatter"
SimpleCov.start "rails" do
formatter SimpleCov::Formatter::JSONFormatter
endThe QA skill reads coverage/coverage.json after running tests to evaluate per-file coverage. Without the JSON formatter, that file won't exist and the coverage check will silently skip.
Safe to customize: you can extend the SimpleCov.start block with filters and groups, but keep the JSON formatter in place.