Skip to content

[CI] (e2f7ab0) rails/fizzy#2431

Closed
wizard-ci-bot[bot] wants to merge 1 commit into
mainfrom
wizard-ci-e2f7ab0-rails-fizzy
Closed

[CI] (e2f7ab0) rails/fizzy#2431
wizard-ci-bot[bot] wants to merge 1 commit into
mainfrom
wizard-ci-e2f7ab0-rails-fizzy

Conversation

@wizard-ci-bot

@wizard-ci-bot wizard-ci-bot Bot commented Jul 6, 2026

Copy link
Copy Markdown

Automated wizard CI run

Source: wizard-pr
Trigger ID: e2f7ab0
App: rails/fizzy
App directory: apps/rails/fizzy
Workbench branch: wizard-ci-e2f7ab0-rails-fizzy
Wizard branch: release-please--branches--main--components--wizard
Context Mill branch: main
PostHog (MCP) branch: master
Timestamp: 2026-07-06T22:12:04.485Z
Duration: 472.2s

YARA Scanner

✓ 193 tool calls scanned, 2 violations detected

  [BLOCKED] pii_in_capture_call (HIGH) — PostToolUse:Edit
  [BLOCKED] hardcoded_posthog_host (HIGH) — PostToolUse:Write

No violations: ✓ 191 clean scans

⚠️ YARA violations detected — see report above

@wizard-ci-bot

wizard-ci-bot Bot commented Jul 6, 2026

Copy link
Copy Markdown
Author

Now I have all the information needed to write the review.


PR Evaluation Report

Summary

This PR integrates PostHog into a Ruby on Rails app ("fizzy") by adding the posthog-ruby and posthog-rails gems, creating a Rails initializer with auto exception capture and ActiveJob instrumentation, instrumenting 13 controllers with capture and identify calls, adding a posthog_distinct_id method to the User model, and embedding the posthog-js snippet in the layout for frontend tracking. A critical syntax error in the imports controller will prevent the app from loading.

Files changed Lines added Lines removed
19 +298 -3

Confidence score: 3/5 🤔

  • Syntax error in imports_controller.rb: The file has an extra end on line 59, confirmed by ruby -c. This will crash the app with a SyntaxError when this controller is loaded. Remove the extra end on line 59. [CRITICAL]
  • Hardcoded "anonymous" fallback distinct ID: PosthogTrackable.distinct_id_for_identity returns the string "anonymous" when identity is nil. All unauthenticated users would be merged into a single person profile, corrupting analytics data. Should generate a unique ID or skip capture entirely. [CRITICAL]
  • Frontend api_host may be empty: If POSTHOG_HOST env var is unset, the meta tag renders with empty content, and posthog.init() receives api_host: "", which will break the frontend SDK. Add a fallback default (e.g., https://us.i.posthog.com). [MEDIUM]
  • No reverse proxy configured: The frontend posthog-js snippet sends data directly to PostHog, which ad blockers will intercept. [MEDIUM]

File changes

Filename Score Description
Gemfile 5/5 Correctly adds posthog-ruby and posthog-rails gems
config/initializers/posthog.rb 4/5 Good initializer with proper Rails config; PosthogTrackable module is fine but the "anonymous" fallback is problematic
app/models/user.rb 5/5 Adds posthog_distinct_id using identity.id with fallback to id; posthog_properties helper is a nice touch
app/views/layouts/shared/_head.html.erb 3/5 PostHog JS snippet with identify from meta tags; fragile when POSTHOG_HOST is nil
app/controllers/application_controller.rb 5/5 Adds current_user helper correctly mapped to Current.user
app/controllers/account/imports_controller.rb 1/5 Syntax error: extra end on line 59 breaks the file
app/controllers/signups_controller.rb 4/5 Good capture/exception handling; potential nil reference on identity in rescue
app/controllers/sessions/magic_links_controller.rb 4/5 Good identify + capture pattern; distinct_id may be nil in rescue if error occurs before assignment
app/controllers/signups/completions_controller.rb 4/5 Good signup completion tracking with identify
app/controllers/join_codes_controller.rb 4/5 Good join code tracking with identify
app/controllers/cards_controller.rb 5/5 Clean dual-path card creation tracking
app/controllers/cards/comments_controller.rb 5/5 Clean comment creation tracking
app/controllers/webhooks_controller.rb 5/5 Clean webhook creation tracking
app/controllers/webhooks/activations_controller.rb 5/5 Clean webhook activation tracking
app/controllers/account/cancellations_controller.rb 5/5 Clean account cancellation tracking
app/controllers/account/exports_controller.rb 5/5 Clean export tracking
app/controllers/users/data_exports_controller.rb 5/5 Clean data export tracking
app/controllers/users/verifications_controller.rb 5/5 Clean verification tracking
posthog-setup-report.md 2/5 Unnecessary file; should not be committed

App sanity check ❌

Criteria Result Description
App builds and runs No Syntax error in imports_controller.rb prevents loading
Preserves existing env vars & configs Yes Existing code untouched except for PostHog additions
No syntax or type errors No Extra end in imports controller confirmed by ruby -c
Correct imports/exports Yes require 'posthog' and gem declarations are correct
Minimal, focused changes Yes Changes are focused on PostHog integration
Pre-existing issues None

Issues

  • Syntax error in imports controller: apps/basic-integration/rails/fizzy/app/controllers/account/imports_controller.rb:60 has an extra end that causes SyntaxError. Remove line 59 ( end). [CRITICAL]
  • Unnecessary report file: posthog-setup-report.md is a wizard artifact that should not be committed. [LOW]

Other completed criteria

  • Environment variables loaded from ENV in initializer and layout template
  • Gemfile additions are valid with correct gem names
  • current_user helper method correctly delegates to Current.user
  • posthog_distinct_id on User model follows Rails conventions

PostHog implementation ⚠️

Criteria Result Description
PostHog SDKs installed Yes posthog-ruby and posthog-rails gems in Gemfile + posthog-js script snippet in layout
PostHog client initialized Yes PostHog.init in initializer with api_key/host from ENV; PostHog::Rails.configure with auto_capture_exceptions, ActiveJob instrumentation; posthog-js init in _head.html.erb
capture() Yes 13 meaningful capture calls across controllers using PostHog.capture class method
identify() Yes PostHog.identify in join_codes, magic_links, signups/completions; frontend posthog.identify from meta tag. However, distinct_id_for_identity uses "anonymous" fallback which merges all unknown users
Error tracking Yes auto_capture_exceptions: true, report_rescued_exceptions: true, auto_instrument_active_job: true, plus manual capture_exception calls with positional args (correct)
Reverse proxy No Frontend snippet sends directly to PostHog host; no reverse proxy configured

Issues

  • Hardcoded "anonymous" distinct ID fallback: PosthogTrackable.distinct_id_for_identity returns "anonymous" when identity is nil. Every unauthenticated user who triggers a capture/identify would be merged into one person profile, severely corrupting data. Use a per-request unique ID (e.g., SecureRandom.uuid) or skip the capture entirely when identity is unavailable. [CRITICAL]
  • No reverse proxy: The posthog-js snippet loads from PostHog's CDN and sends data directly to us.i.posthog.com. Ad blockers will block these requests. Configure a reverse proxy through the Rails app or a CDN. [MEDIUM]
  • Frontend api_host fragile when POSTHOG_HOST unset: The meta tag for host renders as empty content when the env var is nil. The JS posthog.init gets api_host: "" which will break. Add a default like ENV.fetch("POSTHOG_HOST", "https://us.i.posthog.com"). [MEDIUM]
  • Potential nil distinct_id in rescue blocks: In magic_links_controller.rb and signups_controller.rb, if an exception occurs before distinct_id is assigned, capture_exception receives nil. In signups, identity may also be undefined in the rescue scope. [LOW]

Other completed criteria

  • API key correctly loaded from ENV["POSTHOG_PROJECT_TOKEN"] — not hardcoded in source
  • Host correctly loaded from ENV["POSTHOG_HOST"]
  • Uses PostHog.capture() class-level methods as required by posthog-rails (not instance methods)
  • capture_exception uses positional args correctly (not keyword args)
  • PostHog::Rails.configure correctly sets user_id_method: :posthog_distinct_id
  • Frontend snippet uses person_profiles: 'identified_only' — good practice
  • posthog_distinct_id defined on User model for automatic user association in error reports

PostHog insights and events ✅

Filename PostHog events Description
signups_controller.rb signup_started Tracks initial signup form submission with signup method
signups/completions_controller.rb signup_completed, identify Tracks signup completion and identifies user with account context
sessions/magic_links_controller.rb magic_link_authenticated, identify Tracks magic link login with method info and identifies user
join_codes_controller.rb join_code_redeemed, identify Tracks join code redemption and identifies joining user
cards_controller.rb card_created Tracks card creation with board context and creation type (draft vs published)
cards/comments_controller.rb comment_created Tracks comment creation with card/board context
webhooks_controller.rb webhook_created Tracks webhook creation with subscribed actions count
webhooks/activations_controller.rb webhook_activated Tracks webhook activation
account/exports_controller.rb account_export_requested Tracks account export requests
account/imports_controller.rb account_import_started, capturedException Tracks imports with exception handling
account/cancellations_controller.rb account_cancelled Tracks account deletion with actor role
users/data_exports_controller.rb data_export_requested Tracks personal data export requests
users/verifications_controller.rb user_verified Tracks user verification completion
Multiple controllers capturedException (auto) Automatic exception capture via auto_capture_exceptions: true

Issues

No issues with event quality.

Other completed criteria

  • Events represent real user actions across the full product lifecycle (signup → login → use → export → cancel)
  • Events enable product insights: signup funnel (started → completed), card creation trends, webhook adoption, account churn
  • Events include relevant contextual properties (account_id, board_id, card_id, creation_type, signup_method, etc.)
  • No PII in capture event properties — names and emails only appear in identify person properties (correct placement)
  • Event names use consistent snake_case naming with descriptive [object]_[verb] convention

Reviewed by wizard workbench PR evaluator

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants