Query params arrive as strings, and ad-hoc parsing logic tends to drift across endpoints. I use Zod preprocessors to coerce values like page size and booleans, then validate the result. This keeps the handler readable and makes parsing rules shareable

When updates can happen from multiple places, model-level broadcasts keep the UI consistent across tabs without sprinkling stream logic in controllers. Use after-commit hooks so broadcasts only occur once the write is durable.

I use clean_<fieldname>() to validate individual fields and clean() to validate field combinations. Raising ValidationError shows the message to the user near the appropriate field. For cross-field validation (like 'end date must be after start

If you fan out work (HTTP calls, DB reads, image processing), the failure mode isn’t just “slow,” it’s “everything gets slow” because you saturate CPU or downstream connections. A semaphore is a simple way to cap concurrency. The important part is mak

Counters (likes, votes, bookmarks) are classic UI glue. I keep the counter itself in a small partial with a stable id and update it via turbo streams on create/destroy. The controller can render a turbo_stream.replace of the counter plus (optionally)

When a form submits inside a Turbo Frame, a normal redirect can sometimes feel odd (especially if the redirect response doesn’t include the matching frame). A clean approach is to set the Turbo-Location header for Turbo requests. Turbo interprets it a

A small UX win: disable the like button immediately and re-enable on failure. Turbo gives you events; Stimulus coordinates button state and the server still returns the canonical count.

I generally prefer running migrations in a separate release step, but for smaller deployments it’s sometimes pragmatic to run them at startup. The failure mode to avoid is “every instance runs migrations at once.” The pattern here uses Postgres adviso

When a dependency is failing, you don’t want to keep hammering it. A simple circuit breaker trips after N failures and short-circuits for a cooldown window. It protects your app and your vendor.

Webhook endpoints should assume the internet is hostile. I verify the request with an HMAC signature derived from the raw body and a shared secret, and I use hmac.Equal to avoid timing leaks. The key detail is reading the body exactly once: the server