ariadna 1.2.3 → 1.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3937059c39a236024b08eb67fea88f5ec4ac193e13c9a99a5a34b365a7f9d53e
-  data.tar.gz: 7b4b5a4dbc80527bfbe6202336dbe85bee931ac323a976a0207f0e3ccb3cd3e8
+  metadata.gz: a3292cf913eaab6a58897e041b3d334f63b8d7ed95591a291595cb43e1c108e4
+  data.tar.gz: 78026d0448227242095141f4dbf8f9583ceecd0c334912912b5d229638f34617
 SHA512:
-  metadata.gz: bf468ce4109266ccc1e8c42191a45977e3f5ef15aaeaca7d98e60490fc46fb7022511563bfd5a24cebb5ec20ab480142cdff6b9f8b5776e6b1a99b8bbad805b2
-  data.tar.gz: d1bc65ed4561f7f842d60276fa1362447fcbf1fe5e152a96c038d38c7e4fa8bf1324285a9032c2be9cb3519205e20136e0de757a7e869adbe691e2c01e29c3ab
+  metadata.gz: f6a9a7e4b55b6fe338a4c7135e8ddbc9b15c918a2152f20bfda7efeb4f195a2e8d09412f1a3c66acbd895609938be5b197a571bd14dff7de34b47f45ac96d553
+  data.tar.gz: 2c725bd9aa6a133b5421c2f5a84ebe3c8d3122ac02b41591f78489b626d5f1e1a9d6181b1765728bf01b9a1bd77719a59c038817e6b5f7e8fd6faee4b6d5fe8e

data/data/agents/ariadna-phase-researcher.md

@@ -460,7 +460,7 @@ Research is complete when:
 
 Quality indicators:
 
-- **Specific, not vague:** "Devise 4.9 with OmniAuth 2.1" not "use Devise"
+- **Specific, not vague:** "Rails 8 auth generator with has_secure_password" not "add authentication"
 - **Verified, not assumed:** Findings cite Context7 or official docs
 - **Honest about gaps:** LOW confidence items flagged, unknowns admitted
 - **Actionable:** Planner could create tasks based on this research

data/data/ariadna/references/checkpoints.md

@@ -124,30 +124,32 @@ Plans execute autonomously. Checkpoints formalize interaction points where human
 ```
 
 **Example: Auth Provider Selection**
+Note: Only present this checkpoint if the user explicitly asks to evaluate auth gems. For new projects, default to `has_secure_password` (Rails 8 auth generator) without asking.
 ```xml
 <task type="checkpoint:decision" gate="blocking">
   <decision>Select authentication approach</decision>
   <context>
-    Need user authentication for the app. Three solid options with different tradeoffs.
+    Need user authentication for the app. Rails built-in auth is the recommended default.
+    Only consider external gems if the user explicitly requests them.
   </context>
   <options>
+    <option id="has_secure_password">
+      <name>has_secure_password (built-in) — Recommended</name>
+      <pros>No dependencies, full control, simple and lightweight, easy to understand, Rails 8 auth generator scaffolds everything</pros>
+      <cons>More manual setup for advanced features (OAuth, 2FA)</cons>
+    </option>
     <option id="devise">
-      <name>Devise</name>
-      <pros>Most popular Rails auth gem, full-featured (registration, password reset, OAuth), well-maintained</pros>
+      <name>Devise (only if explicitly requested)</name>
+      <pros>Full-featured (registration, password reset, OAuth), well-maintained</pros>
       <cons>Heavy dependency, opinionated, can be hard to customize deeply</cons>
     </option>
-    <option id="has_secure_password">
-      <name>has_secure_password (built-in)</name>
-      <pros>No dependencies, full control, simple and lightweight, easy to understand</pros>
-      <cons>More manual setup, you build everything yourself (password reset, OAuth)</cons>
-    </option>
     <option id="rodauth">
-      <name>Rodauth</name>
+      <name>Rodauth (only if explicitly requested)</name>
       <pros>Security-focused, modular features, database-backed configuration, excellent 2FA</pros>
-      <cons>Smaller community than Devise, different conventions, steeper learning curve</cons>
+      <cons>Smaller community, different conventions, steeper learning curve</cons>
     </option>
   </options>
-  <resume-signal>Select: devise, has_secure_password, or rodauth</resume-signal>
+  <resume-signal>Select: has_secure_password (default), devise, or rodauth</resume-signal>
 </task>
 ```
 
@@ -314,20 +316,20 @@ Decision: Which auth approach should we use?
 Context: Need user authentication. Three options with different tradeoffs.
 
 Options:
-  1. devise - Full-featured auth gem, batteries included
+  1. has_secure_password - Built-in Rails (Recommended)
+     Pros: No dependencies, full control, simple, Rails 8 auth generator scaffolds everything
+     Cons: More manual setup for advanced features (OAuth, 2FA)
+
+  2. devise - Full-featured auth gem (only if explicitly requested)
      Pros: Registration, password reset, OAuth support, well-maintained
      Cons: Heavy dependency, opinionated, hard to customize deeply
 
-  2. has_secure_password - Built-in Rails, lightweight
-     Pros: No dependencies, full control, simple and easy to understand
-     Cons: More manual setup, build password reset and OAuth yourself
-
-  3. rodauth - Security-focused, modular
+  3. rodauth - Security-focused, modular (only if explicitly requested)
      Pros: Excellent 2FA, database-backed config, modular features
      Cons: Smaller community, different conventions, steeper learning curve
 
 ────────────────────────────────────────────────────────
-→ YOUR ACTION: Select devise, has_secure_password, or rodauth
+→ YOUR ACTION: Select has_secure_password (default), devise, or rodauth
 ────────────────────────────────────────────────────────
 ```
 
@@ -581,7 +583,7 @@ timeout 30 bash -c 'until curl -s localhost:3000 > /dev/null 2>&1; do sleep 1; d
 <task type="auto">
   <name>Create user model and migration</name>
   <files>app/models/user.rb, db/migrate/xxx_create_users.rb</files>
-  <action>Generate User model with Devise or has_secure_password, run migration</action>
+  <action>Generate User model with has_secure_password (Rails 8 auth generator), run migration</action>
   <verify>bin/rails db:migrate succeeds, User.count returns 0</verify>
 </task>
 

data/data/ariadna/references/rails-conventions.md

@@ -16,7 +16,7 @@ Pre-baked Rails knowledge for Ariadna planning and execution agents. This docume
 | Real-time UI | Turbo (Hotwire) | Turbo Drive, Frames, Streams |
 | JS Sprinkles | Stimulus (Hotwire) | Controllers for interactive behavior |
 | CSS | Tailwind CSS or Propshaft | Rails 8 defaults to Propshaft asset pipeline |
-| Auth | Rails built-in `has_secure_password` or Devise | Rails 8 includes auth generator |
+| Auth | Rails 8 built-in authentication (`has_secure_password` + auth generator) | No external gems needed |
 | Email | Action Mailer | Built-in |
 | File Upload | Active Storage | Built-in |
 | API | Rails API mode or Jbuilder | Built-in |
@@ -24,6 +24,9 @@ Pre-baked Rails knowledge for Ariadna planning and execution agents. This docume
 | Linting | RuboCop + rubocop-rails | Standard community linting |
 
 **What NOT to use (and why):**
+- Devise unless explicitly requested by the user — Rails 8 auth generator + `has_secure_password` covers signup, login, password reset, session management out of the box
+- Pundit/CanCanCan unless explicitly requested — `before_action` checks + `Current` context handle authorization for most apps without adding a gem
+- acts_as_tenant — use `Current.account` scoping with explicit scopes (see backend guide); no gem needed for path-based multi-tenancy
 - Factories (FactoryBot) when fixtures suffice — fixtures are faster, declarative, and Rails-native
 - RSpec unless the project already uses it — Minitest is simpler and Rails-native
 - Webpacker/Shakapacker — replaced by importmap-rails or jsbundling-rails
@@ -32,6 +35,28 @@ Pre-baked Rails knowledge for Ariadna planning and execution agents. This docume
 
 </standard_stack>
 
+<rails_defaults_first>
+
+## Rails Defaults First (Opinionated)
+
+For new projects, ALWAYS start with Rails built-in solutions. Only introduce external gems when the user explicitly requests them or requirements demonstrably exceed what Rails provides.
+
+| Need | Rails Default | External Gem (only if explicitly requested) |
+|------|--------------|---------------------------------------------|
+| Authentication | `has_secure_password` + Rails 8 auth generator | Devise |
+| Authorization | `before_action` + `Current` context | Pundit, CanCanCan |
+| Multi-tenancy | `Current.account` + explicit scoping | acts_as_tenant |
+| Background Jobs | Solid Queue | Sidekiq |
+| Caching | Solid Cache | Redis |
+| WebSockets | Solid Cable | Redis + AnyCable |
+| Testing | Minitest + fixtures | RSpec + FactoryBot |
+
+**Why:** External gems add dependencies, upgrade burden, and conceptual overhead. Rails 8 ships with excellent defaults that cover 90% of use cases. Starting with built-ins keeps the app simple and maintainable.
+
+**The rule:** Never recommend Devise, Pundit, acts_as_tenant, or similar gems as the default choice for new projects. If the user hasn't asked for them, use Rails built-ins. If the user asks for "authentication", build it with `has_secure_password`. If they ask for "authorization", use `before_action` checks. If they ask for "multi-tenancy", use `Current.account` scoping.
+
+</rails_defaults_first>
+
 <architecture_patterns>
 
 ## Rails Architecture Patterns
@@ -369,8 +394,8 @@ These domains are well-understood in Rails and don't need web research:
 | Models & Migrations | ActiveRecord, validations, associations, concerns | No |
 | Controllers & Routes | RESTful resources, before_action, strong params | No |
 | Views & Templates | ERB, partials, layouts, content_for | No |
-| Authentication | has_secure_password, Devise, Rails 8 auth generator | No |
-| Authorization | Pundit, CanCanCan, or hand-rolled | No |
+| Authentication | Rails 8 auth generator, has_secure_password | No |
+| Authorization | before_action + Current context, hand-rolled | No |
 | Background Jobs | Solid Queue, ActiveJob | No |
 | Email | Action Mailer, letter_opener | No |
 | File Uploads | Active Storage | No |

data/data/ariadna/templates/codebase/architecture.md

@@ -214,7 +214,7 @@ Template for `.ariadna_planning/codebase/ARCHITECTURE.md` - captures conceptual
 - [Approach: e.g., "Rails authentication generator with `Authentication` concern", "has_secure_password with custom auth", "OmniAuth for OAuth"]
 
 **Authorization:**
-- [Approach: e.g., "Pundit policies", "CanCanCan abilities", "Custom `before_action` checks"]
+- [Approach: e.g., "Custom `before_action` checks with `Current` context", "Pundit policies (if explicitly chosen)", "CanCanCan abilities (if explicitly chosen)"]
 
 **Caching:**
 - [Approach: e.g., "Fragment caching in views", "Russian doll caching", "Rails.cache with Solid Cache/Redis"]

data/data/ariadna/templates/codebase/stack.md

@@ -123,7 +123,7 @@ Template for `.ariadna_planning/codebase/STACK.md` - captures the technology fou
 
 **Critical:**
 - authentication (built-in) — Session-based auth
-- authorization - custom implementation (no gem) — Role-based access control, pundit
+- authorization - custom implementation (before_action + Current) — Role-based access control
 - solid_queue — Background jobs (Rails 8 default)
 
 **Infrastructure:**

data/data/ariadna/templates/research-project/ARCHITECTURE.md

@@ -164,7 +164,7 @@ test/                      # [test framework: Minitest (default) or spec/ if RSp
 ### Authentication and Authorization
 
 **Authentication:** [Rails authentication generator / has_secure_password / custom / other]
-**Authorization:** [Custom / Pundit / CanCanCan / Action Policy / other]
+**Authorization:** [Custom (before_action + Current context) / Pundit (if explicitly requested) / other]
 
 ### Internationalization (I18n)
 

data/data/ariadna/templates/research-project/STACK.md

@@ -59,7 +59,7 @@ Template for `.ariadna_planning/research/STACK.md` — discovered technology sta
 | Category | Discovered Value | Evidence |
 |----------|-----------------|----------|
 | Authentication | [Rails authentication generator/Rodauth/Clearance/custom/none] | [Gemfile, user model] |
-| Authorization | [Custom/Pundit/CanCanCan/Action Policy/none] | [Gemfile, policy files] |
+| Authorization | [Custom (before_action + Current) / Pundit (if explicitly requested) / none] | [Gemfile, policy files] |
 | OAuth/social login | [OmniAuth/Doorkeeper/none] | [Gemfile, initializers] |
 | API authentication | [API tokens/JWT/OAuth2/none] | [Gemfile, controller concerns] |
 
@@ -223,7 +223,7 @@ bin/rails server
 
 **Authentication & Authorization:**
 - Look for `Authentication` concern generated by `rails generate authentication`.
-- Look for `app/policies/` (Pundit) or `app/models/ability.rb` (CanCanCan) or custom authorization logic.
+- Look for custom authorization in `before_action` filters and `Current` context (preferred), or `app/policies/` (Pundit) or `app/models/ability.rb` (CanCanCan) if gems were chosen.
 - Check `app/models/user.rb` for authentication modules.
 
 **Testing:**

data/data/ariadna/templates/research-project/SUMMARY.md

@@ -53,7 +53,7 @@ Template for `.ariadna_planning/research/SUMMARY.md` — executive summary of pr
 
 **Authentication & authorization:**
 - [Auth solution]: [purpose] — [why recommended — e.g., Rails authentication generator for session-based auth]
-- [Authorization]: [purpose] — [why recommended — e.g., before_action, Pundit for policies, Action Policy for scalable rules]
+- [Authorization]: [purpose] — [why recommended — e.g., before_action + Current context (default), Pundit only if explicitly requested]
 
 **Additional gems:**
 - [Gem]: [purpose] — [why recommended]

data/lib/ariadna/version.rb

@@ -1,3 +1,3 @@
 module Ariadna
-  VERSION = "1.2.3"
+  VERSION = "1.3.0"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: ariadna
 version: !ruby/object:Gem::Version
-  version: 1.2.3
+  version: 1.3.0
 platform: ruby
 authors:
 - Jorge Alvarez