[CI] (97c6d9f) rails/fizzy#2035

Closed
wizard-ci-bot[bot] wants to merge 1 commit into main from wizard-ci-97c6d9f-rails-fizzy

wizard-ci-bot Bot commented Jun 23, 2026

Automated wizard CI run

Source: wizard-pr
Trigger ID: 97c6d9f
App: rails/fizzy
App directory: apps/rails/fizzy
Workbench branch: wizard-ci-97c6d9f-rails-fizzy
Wizard branch: release-please--branches--main--components--wizard
Context Mill branch: main
PostHog (MCP) branch: master
Timestamp: 2026-06-23T16:16:16.413Z
Duration: 886.4s

wizard-ci-bot Bot commented Jun 23, 2026

Author

PR Evaluation Report

Summary

This PR integrates PostHog into a Ruby on Rails app ("Fizzy") by adding posthog-ruby and posthog-rails gems with a well-structured initializer, injecting the posthog-js snippet in the frontend layout, adding PostHog.capture calls across 13 controllers covering key product flows, and defining posthog_distinct_id/posthog_properties helpers on the User model.

| Files changed | Lines added | Lines removed |
| --- | --- | --- |
| 20 | +128 | -0 |

Confidence score: 4/5 👍

  • Email used as distinct_id: posthog_distinct_id returns identity&.email_address || id, and auth controllers use identity.email_address directly. Raw email addresses as distinct IDs cause fragmented data when emails change and mix PII into the identity layer. Should use a stable identifier like the user's database id. [CRITICAL]
  • No .env.example: POSTHOG_PROJECT_TOKEN and POSTHOG_HOST are required but no .env.example or equivalent committed file documents them for collaborators. [MEDIUM]
  • No reverse proxy: The posthog-js frontend snippet sends requests directly to PostHog's servers, making it vulnerable to ad blockers. A reverse proxy should be configured in the Rails app. [MEDIUM]

File changes

| Filename | Score | Description |
| --- | --- | --- |
| Gemfile | 5/5 | Correctly adds posthog-ruby (with require: 'posthog') and posthog-rails gems |
| config/initializers/posthog.rb | 5/5 | Well-structured initializer with PostHog.init block and PostHog::Rails.configure, enables auto exception capture, ActiveJob instrumentation, and user context |
| app/models/user.rb | 3/5 | Adds posthog_distinct_id and posthog_properties but distinct_id falls back to email address |
| app/controllers/application_controller.rb | 5/5 | Adds current_user helper needed by posthog-rails for user context association |
| app/views/layouts/shared/_head.html.erb | 3/5 | Adds posthog-js snippet with proper initialization but uses .to_json.html_safe which is an XSS risk if user properties contain </script> |
| app/controllers/sessions/magic_links_controller.rb | 3/5 | Captures sign-in and identifies user but uses raw identity.email_address as distinct_id |
| app/controllers/sessions_controller.rb | 3/5 | Captures sign-out but uses raw identity.email_address as distinct_id |
| app/controllers/signups/completions_controller.rb | 3/5 | Captures signup completion and identifies user but uses raw email as distinct_id |
| app/controllers/boards_controller.rb | 5/5 | Captures board_created and board_deleted with relevant properties |
| app/controllers/boards/publications_controller.rb | 5/5 | Captures board_published and board_unpublished |
| app/controllers/boards/columns_controller.rb | 5/5 | Captures column_created with relevant properties |
| app/controllers/cards_controller.rb | 5/5 | Captures card_created via JSON format path |
| app/controllers/cards/publishes_controller.rb | 5/5 | Captures card_created via publish flow |
| app/controllers/cards/closures_controller.rb | 5/5 | Captures card_closed and card_reopened |
| app/controllers/cards/comments_controller.rb | 5/5 | Captures comment_created |
| app/controllers/cards/goldnesses_controller.rb | 5/5 | Captures card_gilded |
| app/controllers/cards/not_nows_controller.rb | 5/5 | Captures card_postponed |
| app/controllers/account/cancellations_controller.rb | 5/5 | Captures account_cancelled |
| .gitignore | 5/5 | Adds .env to gitignore |
| posthog-setup-report.md | 5/5 | Comprehensive setup report with event table and next steps |

App sanity check ⚠️

| Criteria | Result | Description |
| --- | --- | --- |
| App builds and runs | Yes | Valid Ruby syntax throughout, gems are correctly specified |
| Preserves existing env vars & configs | Yes | Only additions, no existing code modified destructively |
| No syntax or type errors | Yes | All Ruby and ERB syntax is valid |
| Correct imports/exports | Yes | gem 'posthog-ruby', require: 'posthog' and gem 'posthog-rails' are correct per docs |
| Minimal, focused changes | Yes | All changes relate to PostHog integration |
| Pre-existing issues | None | No pre-existing issues noted |

Issues

  • No .env.example file: POSTHOG_PROJECT_TOKEN and POSTHOG_HOST are required env vars but no .env.example or similar committed file documents them. The .env file itself is gitignored. The setup report mentions this as a TODO but it should have been created. [MEDIUM]
  • XSS risk with html_safe: Current.user.posthog_properties.to_json.html_safe in the layout template could allow XSS if any user property contains </script>. Should use json_escape or the j helper instead. [LOW]

Other completed criteria

  • All changes are relevant to PostHog integration
  • Correct files modified for Rails framework (Gemfile, initializer, controllers, model, layout)
  • Code follows existing codebase patterns (indentation, naming, structure)
  • No unnecessary modifications or reformatting

PostHog implementation ⚠️

| Criteria | Result | Description |
| --- | --- | --- |
| PostHog SDKs installed | Yes | posthog-ruby and posthog-rails gems in Gemfile, plus posthog-js snippet in layout |
| PostHog client initialized | Yes | PostHog.init block in initializer with PostHog::Rails.configure for Rails-specific options; posthog-js initialized in _head.html.erb with posthog.init() |
| capture() | Yes | 15 meaningful PostHog.capture calls across controllers using class-level methods as documented |
| identify() | No | Uses raw email address (identity.email_address) as distinct_id in auth controllers, and posthog_distinct_id model method also returns email as primary value. Per rubric, raw email addresses as distinct IDs cause fragmented data |
| Error tracking | Yes | auto_capture_exceptions: true, report_rescued_exceptions: true, auto_instrument_active_job: true correctly configured |
| Reverse proxy | No | posthog-js frontend snippet sends requests directly to PostHog host with no reverse proxy configured |

Issues

  • Raw email as distinct_id: The posthog_distinct_id method returns identity&.email_address || id. In auth controllers (magic_links_controller, sessions_controller, signups/completions_controller), identity.email_address is used directly as distinct_id. Email addresses are mutable PII — if a user changes their email, they become a different person in PostHog. Should use a stable identifier like id (database primary key) consistently. [CRITICAL]
  • Inconsistent distinct_id resolution: Auth controllers use identity.email_address directly while other controllers use Current.user.posthog_distinct_id. While these resolve to the same value currently, this inconsistency is fragile and would break if the posthog_distinct_id method were updated to use id instead. [MEDIUM]
  • No reverse proxy for posthog-js: The frontend snippet loads from PostHog's CDN and sends events directly to the PostHog host. Ad blockers will block these requests. Should configure a reverse proxy in the Rails app (e.g., via config/routes.rb proxy or nginx). [MEDIUM]

Other completed criteria

  • API key loaded from environment variable via ENV.fetch("POSTHOG_PROJECT_TOKEN", nil)
  • Host correctly loaded from environment variable via ENV.fetch("POSTHOG_HOST", nil)
  • Uses PostHog.capture() and PostHog.identify() class-level methods as documented for Rails
  • PostHog.init block pattern used correctly (not manual PostHog::Client.new)
  • capture_user_context: true with current_user_method: :current_user properly configured
  • user_id_method: :posthog_distinct_id configured on the Rails config
  • Test mode enabled for test environment
  • Error callback configured with Rails.logger.error
  • Frontend posthog-js correctly identifies current user on page load

PostHog insights and events ✅

| Filename | PostHog events | Description |
| --- | --- | --- |
| sessions/magic_links_controller.rb | user_signed_in | Tracks magic link authentication with sign_in_method property |
| sessions_controller.rb | user_signed_out | Tracks explicit logout |
| signups/completions_controller.rb | signup_completed | Tracks signup completion with account_id |
| boards_controller.rb | board_created, board_deleted | Tracks board lifecycle with board metadata |
| boards/publications_controller.rb | board_published, board_unpublished | Tracks board visibility changes |
| boards/columns_controller.rb | column_created | Tracks workflow stage creation |
| cards_controller.rb, cards/publishes_controller.rb | card_created | Tracks card creation from two paths |
| cards/closures_controller.rb | card_closed, card_reopened | Tracks card resolution lifecycle |
| cards/not_nows_controller.rb | card_postponed | Tracks card postponement |
| cards/comments_controller.rb | comment_created | Tracks collaboration activity |
| cards/goldnesses_controller.rb | card_gilded | Tracks card prioritization |
| account/cancellations_controller.rb | account_cancelled | Tracks account churn |
| config/initializers/posthog.rb | capturedException (automatic) | Auto-captures unhandled and rescued exceptions, plus ActiveJob failures |

Issues

No issues — event quality is strong.

Other completed criteria

  • Events represent real user actions (authentication, content creation, board management, account lifecycle)
  • Events enable product insights: signup funnel (user_signed_in → signup_completed), card completion funnel (card_created → card_closed), engagement trends, churn monitoring
  • Events include contextual properties (board_id, card_id, board_name, sign_in_method, etc.)
  • No PII in event properties — email and name are only set via PostHog.identify person properties and frontend posthog.identify()
  • Event names are descriptive, consistent snake_case, and follow [object]_[verb] convention

Reviewed by wizard workbench PR evaluator
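
The `html_safe` issue flagged in the report above, shown as an added example that is not part of the PR or of the evaluator's output: JSON interpolated into an inline `<script>` block, first unescaped and then with the kind of replacement the `json_escape` helper named in the report performs. It assumes plain standard-library JSON output with no HTML-entity escaping applied; the sample properties, the `posthog.identify("user-1", ...)` line and all helper names are constructed for illustration.

```ruby
require "json"

# Constructed sample: a user-controlled property containing a closing script tag.
SAMPLE_PROPERTIES = {
  "name"  => "Eve</script><script>window.__injected = true</script>",
  "email" => "eve@example.test"
}.freeze

# Stdlib-only stand-in (assumption) for the json_escape replacements:
# characters that matter to the HTML parser become \uXXXX JSON escapes.
JSON_ESCAPES = {
  "&" => '\u0026', "<" => '\u003c', ">" => '\u003e',
  "\u2028" => '\u2028', "\u2029" => '\u2029'
}.freeze

def script_safe_json(value)
  JSON.generate(value).gsub(/[&<>\u2028\u2029]/) { |ch| JSON_ESCAPES.fetch(ch) }
end

# Constructed stand-in for the layout: JSON dropped into an inline <script>.
def inline_identify(json)
  %(<script>posthog.identify("user-1", #{json});</script>)
end

# What the "before" form emits: raw JSON marked as safe for the page.
def unsafe_render(props)
  inline_identify(JSON.generate(props))
end

# The hardened form: same data, escaped for a script context.
def safe_render(props)
  inline_identify(script_safe_json(props))
end

# Minimal model of the HTML rule that matters here: a <script> element ends
# at the first "</script", whatever JavaScript string it appears inside.
def script_bodies(html)
  html.scan(/<script>(.*?)<\/script/mi).flatten
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe script elements: #{script_bodies(unsafe_render(SAMPLE_PROPERTIES)).length}"
  puts "safe script elements:   #{script_bodies(safe_render(SAMPLE_PROPERTIES)).length}"
end
```

The escaped output still parses back to the original values, so the fix changes how the HTML parser sees the data, not what the JavaScript receives.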
