panda-core 0.11.0 → 0.12.5

data/app/components/panda/core/admin/statistics_component.rb

@@ -8,9 +8,9 @@ module Panda
         prop :value, _Nilable(_Union(String, Integer, Float))
 
         def view_template
-          div(class: "overflow-hidden p-4 bg-gradient-to-br rounded-lg border-2 from-light/20 to-light border-mid") do
-            dt(class: "text-base font-medium truncate text-dark") { @metric }
-            dd(class: "mt-1 text-3xl font-medium tracking-tight text-dark") { @value }
+          div(class: "overflow-hidden p-4 bg-gradient-to-br rounded-lg border-2 from-primary-50/20 to-primary-50 border-primary-400") do
+            dt(class: "text-base font-medium truncate text-primary-900") { @metric }
+            dd(class: "mt-1 text-3xl font-medium tracking-tight text-primary-900") { @value }
           end
         end
       end

data/app/components/panda/core/admin/tab_bar_component.rb

@@ -21,7 +21,7 @@ module Panda
             select(
               id: "tabs",
               name: "tabs",
-              class: "block py-1.5 pr-10 pl-3 w-full text-gray-900 rounded-md border-0 ring-1 ring-inset focus:ring-2 focus:ring-inset ring-mid focus:border-panda-dark focus:ring-panda-dark"
+              class: "block py-1.5 pr-10 pl-3 w-full text-gray-900 rounded-md border-0 ring-1 ring-inset focus:ring-2 focus:ring-inset ring-primary-400 focus:border-primary-600 focus:ring-primary-600"
             ) do
               @tabs.each do |tab|
                 option { tab[:name] }
@@ -46,7 +46,7 @@ module Panda
         def render_tab(tab, is_current = false)
           classes = "py-4 px-1 text-sm font-medium whitespace-nowrap border-b-2 "
           classes += if is_current || tab[:current]
-            "border-panda-dark text-panda-dark"
+            "border-primary-600 text-primary-600"
           else
             "border-transparent text-gray-500 hover:text-gray-700 hover:border-gray-300"
           end
@@ -66,7 +66,7 @@ module Panda
         end
 
         def render_view_button(type, selected: false)
-          button_class = "p-1.5 text-gray-400 rounded-md focus:ring-2 focus:ring-inset focus:outline-none focus:ring-panda-dark"
+          button_class = "p-1.5 text-gray-400 rounded-md focus:ring-2 focus:ring-inset focus:outline-none focus:ring-primary-600"
           button_class += if selected
             " ml-0.5 bg-white shadow-sm"
           else

data/app/components/panda/core/admin/table_component.rb

@@ -33,7 +33,7 @@ module Panda
         private
 
         def render_table_with_rows
-          div(class: "table overflow-x-auto mb-12 w-full rounded-lg border border-dark", style: "table-layout: fixed;") do
+          div(class: "table overflow-x-auto mb-12 w-full rounded-lg border border-gray-700", style: "table-layout: fixed;") do
             render_header
             render_rows
           end
@@ -49,7 +49,7 @@ module Panda
 
         def render_header
           div(class: "table-header-group") do
-            div(class: "table-row text-base font-medium text-white bg-dark") do
+            div(class: "table-row text-base font-medium text-white bg-gray-800") do
               @columns.each_with_index do |column, i|
                 header_classes = "table-cell sticky top-0 z-10 p-4"
                 header_classes += " rounded-tl-md" if i.zero?
@@ -70,7 +70,7 @@ module Panda
                 data: {post_id: row.id}
               ) do
                 @columns.each do |column|
-                  div(class: "table-cell py-5 px-3 h-20 text-sm align-middle whitespace-nowrap border-b border-dark/20") do
+                  div(class: "table-cell py-5 px-3 h-20 text-sm align-middle whitespace-nowrap border-b border-gray-700/20") do
                     # Capture the cell content by calling the block with the row
                     render_cell_content(row, column.cell)
                   end

data/app/controllers/panda/core/admin/sessions_controller.rb

@@ -10,7 +10,10 @@ module Panda
         skip_before_action :authenticate_admin_user!, only: [:new, :create, :destroy, :failure]
 
         def new
-          @providers = Core.config.authentication_providers.keys
+          # Only show providers that have valid credentials configured
+          @providers = Core.config.authentication_providers.select do |_key, config|
+            config[:client_id].present? && config[:client_secret].present?
+          end.keys
         end
 
         def create

data/app/javascript/panda/core/controllers/navigation_toggle_controller.js

@@ -21,7 +21,7 @@ export default class extends Controller {
   connect() {
     // Ensure menu starts in correct state
     // Check if this menu should be expanded by default (if a child is active)
-    const hasActiveChild = this.menuTarget.querySelector(".bg-mid")
+    const hasActiveChild = this.menuTarget.querySelector(".bg-primary-500")
     if (hasActiveChild) {
       this.expand()
     } else {

data/app/models/panda/core/user.rb

@@ -19,16 +19,15 @@ module Panda
 
       before_save :downcase_email
 
+      # Determine which column stores admin flag (supports legacy `admin` and new `is_admin`)
+      def self.admin_column
+        # Prefer canonical `admin` if available, otherwise fall back to legacy `is_admin`
+        @admin_column ||= column_names.include?("admin") ? "admin" : "is_admin"
+      end
+
       # Scopes
-      # Support both 'admin' (newer) and 'is_admin' (older) column names
       scope :admins, -> {
-        if column_names.include?("admin")
-          where(admin: true)
-        elsif column_names.include?("is_admin")
-          where(is_admin: true)
-        else
-          none
-        end
+        where(admin_column => true)
       }
 
       def self.find_or_create_from_auth_hash(auth_hash)
@@ -45,10 +44,10 @@ module Panda
         end
 
         attributes = {
-          email: auth_hash.info.email.downcase,
-          name: auth_hash.info.name || "Unknown User",
-          image_url: auth_hash.info.image,
-          is_admin: User.count.zero? # First user is admin
+          :email => auth_hash.info.email.downcase,
+          :name => auth_hash.info.name || "Unknown User",
+          :image_url => auth_hash.info.image,
+          admin_column => User.count.zero? # First user is admin
         }
 
         user = create!(attributes)
@@ -62,10 +61,20 @@ module Panda
       end
 
       # Admin status check
-      # Note: Column is named 'admin' in newer schemas, 'is_admin' in older ones
       def admin?
-        self[:admin] || self[:is_admin] || false
+        ActiveRecord::Type::Boolean.new.cast(admin)
+      end
+
+      # Support both legacy `admin` and new `is_admin` columns
+      def admin
+        self[self.class.admin_column]
+      end
+
+      def admin=(value)
+        self[self.class.admin_column] = ActiveRecord::Type::Boolean.new.cast(value)
       end
+      alias_method :is_admin, :admin
+      alias_method :is_admin=, :admin=
 
       def active_for_authentication?
         true

data/app/views/layouts/panda/core/admin.html.erb

@@ -5,7 +5,7 @@
       <%= render "panda/core/admin/shared/sidebar" %>
     </div>
   </div>
-  <div class="flex flex-col flex-1 mt-16 ml-0 lg:mt-0 lg:ml-72" id="panda-inner-container" <% if content_for :sidebar %> data-controller="toggle" data-action="keydown.esc->modal#close" tabindex="-1"<% end %>>
+  <div class="flex flex-col flex-1 mt-16 ml-0 lg:mt-0 lg:ml-72" id="panda-inner-container" <% if content_for :sidebar %> data-controller="toggle" data-action="keydown.esc@window->toggle#hide keydown.escape@window->toggle#hide" tabindex="-1"<% end %>>
   <section id="panda-main" class="flex flex-row h-full">
     <div class="flex-1 h-full" id="panda-primary-content">
       <%= render "panda/core/admin/shared/breadcrumbs" %>
@@ -60,6 +60,15 @@
           <% end %>
         </div>
       </div>
+      <script>
+        window.addEventListener('keydown', function(e) {
+          if (e.key === 'Escape') {
+            document.querySelectorAll('[data-toggle-target="toggleable"]').forEach(function(el) {
+              el.classList.add('hidden');
+            });
+          }
+        });
+      </script>
     <% end %>
   </section>
 </div>

data/app/views/panda/core/admin/dashboard/_default_content.html.erb

@@ -15,7 +15,7 @@
             <div class="ml-5 w-0 flex-1">
               <dt class="text-sm font-medium text-gray-500 truncate">Content Management</dt>
               <dd class="mt-1 text-lg font-semibold text-gray-900">
-                <%= link_to "Manage CMS", panda_cms.admin_cms_dashboard_path, class: "text-indigo-600 hover:text-indigo-900" %>
+                <%= link_to "Manage CMS", panda_cms.admin_cms_dashboard_path, class: "text-primary-600 hover:text-primary-800" %>
               </dd>
             </div>
           </div>
@@ -35,7 +35,7 @@
           <div class="ml-5 w-0 flex-1">
             <dt class="text-sm font-medium text-gray-500 truncate">My Profile</dt>
             <dd class="mt-1 text-lg font-semibold text-gray-900">
-              <%= link_to "Edit Profile", edit_admin_my_profile_path, class: "text-indigo-600 hover:text-indigo-900" %>
+              <%= link_to "Edit Profile", edit_admin_my_profile_path, class: "text-primary-600 hover:text-primary-800" %>
             </dd>
           </div>
         </div>
@@ -58,7 +58,7 @@
               <div class="ml-5 w-0 flex-1">
                 <dt class="text-sm font-medium text-gray-500 truncate"><%= card[:title] %></dt>
                 <dd class="mt-1 text-lg font-semibold text-gray-900">
-                  <%= link_to card[:link_text], card[:path], class: "text-indigo-600 hover:text-indigo-900" %>
+                  <%= link_to card[:link_text], card[:path], class: "text-primary-600 hover:text-primary-800" %>
                 </dd>
               </div>
             </div>

data/app/views/panda/core/admin/sessions/new.html.erb

@@ -7,9 +7,8 @@
       <%= Panda::Core.config.login_page_title || "Sign in to your account" %>
     </h2>
   </div>
-  <% if @providers&.any? || Panda::Core.config.authentication_providers.any? %>
-    <% providers = @providers || Panda::Core.config.authentication_providers.keys %>
-    <% providers.each do |provider| %>
+  <% if @providers&.any? %>
+    <% @providers.each do |provider| %>
       <% provider_config = Panda::Core.config.authentication_providers[provider] %>
       <% provider_path = provider_config&.dig(:path_name) || provider %>
       <div class="mt-4 text-center sm:mx-auto sm:w-full sm:max-w-sm">

data/app/views/panda/core/admin/shared/_sidebar.html.erb

@@ -42,7 +42,7 @@
                     data-action="click->navigation-toggle#toggle"
                     aria-controls="sub-menu-<%= index %>"
                     aria-expanded="false"
-                    class="<%= is_active ? 'bg-mid text-white' : 'text-white hover:bg-mid/60' %> transition-all group flex items-center w-full gap-x-3 py-3 px-2 mb-2 rounded-md text-base leading-6 font-normal">
+                    class="<%= is_active ? 'bg-primary-500 text-white' : 'text-white hover:bg-primary-500/60' %> transition-all group flex items-center w-full gap-x-3 py-3 px-2 mb-2 rounded-md text-base leading-6 font-normal">
               <span class="text-center w-6"><i class="<%= item[:icon] %> text-xl fa-fw"></i></span>
               <span class="flex-1 text-left"><%= item[:label] %></span>
               <i class="fa-solid fa-chevron-right text-xs transition-transform duration-150 ease-in-out"
@@ -56,14 +56,14 @@
                 <%
                   child_is_active = child[:path] && (request.path == child[:path] || request.path.starts_with?(child[:path] + "/"))
                 %>
-                <%= link_to child[:path], class: "#{child_is_active ? 'bg-mid text-white' : 'text-white hover:bg-mid/60'} group flex items-center w-full py-2 pr-2 pl-11 rounded-md text-sm font-normal transition-all" do %>
+                <%= link_to child[:path], class: "#{child_is_active ? 'bg-primary-500 text-white' : 'text-white hover:bg-primary-500/60'} group flex items-center w-full py-2 pr-2 pl-11 rounded-md text-sm font-normal transition-all" do %>
                   <%= child[:label] %>
                 <% end %>
               <% end %>
             </div>
           </div>
         <% else %>
-          <%= link_to item[:path], class: "#{is_active ? "bg-mid text-white relative flex items-center transition-all py-3 px-2 mb-2 rounded-md group gap-x-3 text-base leading-6 font-normal" : "text-white hover:bg-mid/60 transition-all group flex items-center gap-x-3 py-3 px-2 mb-2 rounded-md text-base leading-6 font-normal"}" do %>
+          <%= link_to item[:path], class: "#{is_active ? "bg-primary-500 text-white relative flex items-center transition-all py-3 px-2 mb-2 rounded-md group gap-x-3 text-base leading-6 font-normal" : "text-white hover:bg-primary-500/60 transition-all group flex items-center gap-x-3 py-3 px-2 mb-2 rounded-md text-base leading-6 font-normal"}" do %>
             <span class="text-center w-6"><i class="<%= item[:icon] %> text-xl fa-fw"></i></span>
             <span><%= item[:label] %></span>
           <% end %>
@@ -71,7 +71,7 @@
       </li>
     <% end %>
     <li>
-      <%= button_to panda_core.admin_logout_path, method: :delete, id: "logout-link", data: { turbo: false }, class: "text-white hover:bg-mid/60 transition-all group flex items-center gap-x-3 py-3 px-2 mb-2 rounded-md text-base leading-6 font-normal w-full" do %>
+      <%= button_to panda_core.admin_logout_path, method: :delete, id: "logout-link", data: { turbo: false }, class: "text-white hover:bg-primary-500/60 transition-all group flex items-center gap-x-3 py-3 px-2 mb-2 rounded-md text-base leading-6 font-normal w-full" do %>
         <span class="text-center w-6"><i class="text-xl fa-solid fa-door-open fa-fw"></i></span>
         <span>Logout</span>
       <% end %>
@@ -81,7 +81,7 @@
         # Check if we're in the my_profile section
         is_my_profile_active = request.path.starts_with?("#{Panda::Core.config.admin_path}/my_profile")
       %>
-      <%= link_to panda_core.admin_my_profile_path, class: "#{is_my_profile_active ? 'bg-mid text-white' : 'text-white hover:bg-mid/60'} transition-all group flex items-center gap-x-3 py-3 px-2 mb-2 rounded-md text-base leading-6 font-normal w-full", title: "My Profile" do %>
+      <%= link_to panda_core.admin_my_profile_path, class: "#{is_my_profile_active ? 'bg-primary-500 text-white' : 'text-white hover:bg-primary-500/60'} transition-all group flex items-center gap-x-3 py-3 px-2 mb-2 rounded-md text-base leading-6 font-normal w-full", title: "My Profile" do %>
         <% if current_user.avatar.attached? %>
           <span class="text-center w-6"><%= image_tag main_app.url_for(current_user.avatar), alt: current_user.name, class: "w-auto h-7 rounded-full object-cover" %></span>
         <% elsif !current_user.image_url.to_s.empty? %>

data/config/brakeman.ignore

@@ -0,0 +1,51 @@
+{
+  "ignored_warnings": [
+    {
+      "warning_type": "Command Injection",
+      "warning_code": 14,
+      "fingerprint": "29d5b60b583fc98e293f6ac47f153bbf5db48a03963f8c9a7711bd251ecf2d81",
+      "check_name": "Execute",
+      "message": "Possible command injection",
+      "file": "lib/panda/core/testing/support/system/cuprite_helpers.rb",
+      "line": 78,
+      "link": "https://brakemanscanner.org/docs/warning_types/command_injection/",
+      "code": "system(\"ffmpeg -y -framerate 8 -pattern_type glob -i '#{File.join(dir, \"frames\")}/*.png' -c:v libx264 -pix_fmt yuv420p '#{capybara_artifacts_dir.join(\"#{example.metadata[:full_description].parameterize}.mp4\")}'\\n\")",
+      "render_path": null,
+      "location": {
+        "type": "method",
+        "class": "Panda::Core::Testing::CupriteHelpers",
+        "method": "record_video!"
+      },
+      "user_input": "File.join(dir, \"frames\")",
+      "confidence": "Medium",
+      "cwe_id": [
+        77
+      ],
+      "note": "This does not use user input and is based on environment variables and the current folder"
+    },
+    {
+      "warning_type": "Command Injection",
+      "warning_code": 14,
+      "fingerprint": "d3c339f054cbd511956e04eaf8763bc722bd2e4559a1c1fec58749abef9792cd",
+      "check_name": "Execute",
+      "message": "Possible command injection",
+      "file": "lib/panda/core/testing/support/system/chrome_verification.rb",
+      "line": 43,
+      "link": "https://brakemanscanner.org/docs/warning_types/command_injection/",
+      "code": "Process.spawn(*[BrowserPath.resolve, v.nil? ? (\"--#{k}\") : (\"--#{k}=#{v}\"), \"about:blank\"], :out => (File::NULL), :err => (File::NULL))",
+      "render_path": null,
+      "location": {
+        "type": "method",
+        "class": "Panda::Core::Testing::Support::System::ChromeVerification",
+        "method": "s(:self).verify!"
+      },
+      "user_input": "k",
+      "confidence": "Medium",
+      "cwe_id": [
+        77
+      ],
+      "note": "Chrome verification uses a fixed set of browser flags from CHROME_FLAGS constant; no user input is accepted"
+    }
+  ],
+  "brakeman_version": "7.1.1"
+}

data/db/migrate/20250809000001_create_panda_core_users.rb

@@ -11,7 +11,7 @@ class CreatePandaCoreUsers < ActiveRecord::Migration[7.1]
       t.string :name
       t.string :email, null: false
       t.string :image_url
-      t.boolean :is_admin, default: false, null: false
+      t.boolean :admin, default: false, null: false
       t.string :current_theme
       t.string :oauth_avatar_url
       t.timestamps

data/db/migrate/20251203100000_rename_is_admin_to_admin_in_panda_core_users.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+class RenameIsAdminToAdminInPandaCoreUsers < ActiveRecord::Migration[7.1]
+  def up
+    # If apps created an `is_admin` column during the brief rename, move it back
+    return unless column_exists?(:panda_core_users, :is_admin)
+    return if column_exists?(:panda_core_users, :admin)
+
+    rename_column :panda_core_users, :is_admin, :admin
+  end
+
+  def down
+    return unless column_exists?(:panda_core_users, :admin)
+    return if column_exists?(:panda_core_users, :is_admin)
+
+    rename_column :panda_core_users, :admin, :is_admin
+  end
+end

data/lib/panda/core/asset_loader.rb

@@ -45,7 +45,7 @@ module Panda
 
           # In production, prefer local compiled assets over GitHub
           # Only use GitHub assets when explicitly enabled or when local assets aren't available
-          if Rails.env.production?
+          if Rails.env.production? || Rails.env.staging?
             # Check if compiled assets exist locally
             return false if compiled_assets_available?
 

data/lib/panda/core/configuration.rb

@@ -1,3 +1,5 @@
+require "active_support/core_ext/numeric/bytes"
+
 module Panda
   module Core
     class Configuration
@@ -7,6 +9,7 @@ module Panda
         :cache_store,
         :parent_controller,
         :parent_mailer,
+        :auto_mount_engine,
         :mailer_sender,
         :mailer_default_url_options,
         :session_token_cookie,
@@ -38,6 +41,7 @@ module Panda
         @cache_store = :memory_store
         @parent_controller = "ActionController::API"
         @parent_mailer = "ActionMailer::Base"
+        @auto_mount_engine = true
         @mailer_sender = "support@example.com"
         @mailer_default_url_options = {host: "localhost:3000"}
         @session_token_cookie = :panda_session

data/lib/panda/core/engine/admin_controller_config.rb

@@ -10,9 +10,13 @@ module Panda
         included do
           # Create AdminController alias after controllers are loaded
           # This allows other gems to inherit from Panda::Core::AdminController
-          initializer "panda_core.admin_controller_alias", after: :load_config_initializers do
+          config.to_prepare do
+            # Use on_load to ensure ActionController is available
             ActiveSupport.on_load(:action_controller_base) do
-              Panda::Core.const_set(:AdminController, Panda::Core::Admin::BaseController) unless Panda::Core.const_defined?(:AdminController)
+              # Create the alias if it doesn't exist
+              unless Panda::Core.const_defined?(:AdminController)
+                Panda::Core.const_set(:AdminController, Panda::Core::Admin::BaseController)
+              end
             end
           end
         end

data/lib/panda/core/engine/autoload_config.rb

@@ -3,21 +3,20 @@
 module Panda
   module Core
     class Engine < ::Rails::Engine
-      # Autoload paths configuration
       module AutoloadConfig
         extend ActiveSupport::Concern
 
         included do
-          config.eager_load_namespaces << Panda::Core::Engine
+          # These must run BEFORE initialization, so this is allowed
+          config.autoload_paths << root.join("app/builders")
+          config.autoload_paths << root.join("app/components")
+          config.autoload_paths << root.join("app/services")
+          config.autoload_paths << root.join("app/models")
+          config.autoload_paths << root.join("app/helpers")
+          config.autoload_paths << root.join("app/constraints")
 
-          # Add engine's app directories to autoload paths
-          # Note: Only add the root directories, not nested subdirectories
-          # Zeitwerk will automatically discover nested modules from these roots
-          config.autoload_paths += Dir[root.join("app", "models")]
-          config.autoload_paths += Dir[root.join("app", "controllers")]
-          config.autoload_paths += Dir[root.join("app", "builders")]
-          config.autoload_paths += Dir[root.join("app", "components")]
-          config.autoload_paths += Dir[root.join("app", "services")]
+          # Mirror eager-load as needed
+          config.eager_load_paths.concat(config.autoload_paths)
         end
       end
     end

data/lib/panda/core/engine/omniauth_config.rb

@@ -1,51 +1,109 @@
 # frozen_string_literal: true
 
+require "active_support/concern"
+
 module Panda
   module Core
     class Engine < ::Rails::Engine
-      # OmniAuth configuration
       module OmniauthConfig
         extend ActiveSupport::Concern
 
+        PROVIDER_REGISTRY = {
+          # Microsoft
+          "microsoft" => :microsoft_graph,
+          "microsoft_graph" => :microsoft_graph,
+
+          # Google
+          "google" => :google_oauth2,
+          "google_oauth2" => :google_oauth2,
+          "gmail" => :google_oauth2,
+
+          # GitHub
+          "github" => :github,
+          "gh" => :github,
+
+          # Developer
+          "developer" => :developer
+        }.freeze
+
         included do
-          initializer "panda_core.omniauth" do |app|
-            # Load OAuth provider gems
-            require_relative "../oauth_providers"
-            Panda::Core::OAuthProviders.setup
-
-            # Mount OmniAuth at configurable admin path
-            app.middleware.use OmniAuth::Builder do
-              # Configure OmniAuth to use the configured admin path
-              configure do |config|
-                config.path_prefix = "#{Panda::Core.config.admin_path}/auth"
-                # POST-only for CSRF protection (CVE-2015-9284)
-                # All login forms use POST via form_tag method: "post"
-                config.allowed_request_methods = [:post]
-              end
+          if respond_to?(:initializer)
+            initializer "panda_core.omniauth" do |app|
+              require_relative "../oauth_providers"
+              Panda::Core::OAuthProviders.setup
 
-              Panda::Core.config.authentication_providers.each do |provider_name, settings|
-                # Build provider options, allowing custom path name override
-                provider_options = settings[:options] || {}
-
-                # If path_name is specified, use it to override the default strategy name in URLs
-                if settings[:path_name].present?
-                  provider_options = provider_options.merge(name: settings[:path_name])
-                end
-
-                case provider_name.to_s
-                when "microsoft_graph"
-                  provider :microsoft_graph, settings[:client_id], settings[:client_secret], provider_options
-                when "google_oauth2"
-                  provider :google_oauth2, settings[:client_id], settings[:client_secret], provider_options
-                when "github"
-                  provider :github, settings[:client_id], settings[:client_secret], provider_options
-                when "developer"
-                  provider :developer if Rails.env.development?
-                end
+              load_yaml_provider_overrides!
+              mount_omniauth_middleware(app)
+
+              # Configure OmniAuth globals AFTER all initializers have run
+              # This ensures Panda::Core.config.admin_path has been set by the app
+              app.config.after_initialize do
+                configure_omniauth_globals
               end
             end
           end
         end
+
+        private
+
+        # 1. YAML overrides
+        def load_yaml_provider_overrides!
+          path = Panda::Core::Engine.root.join("config/providers.yml")
+          return unless File.exist?(path)
+
+          yaml = YAML.load_file(path) || {}
+          (yaml["providers"] || {}).each do |name, settings|
+            Panda::Core.config.authentication_providers[name.to_s] ||= {}
+            Panda::Core.config.authentication_providers[name.to_s].deep_merge!(settings)
+          end
+        end
+
+        # 2. Global settings
+        def configure_omniauth_globals
+          OmniAuth.configure do |c|
+            c.allowed_request_methods = [:post]
+            c.path_prefix = "#{Panda::Core.config.admin_path}/auth"
+          end
+        end
+
+        # 3. Middleware insertion
+        def mount_omniauth_middleware(app)
+          ctx = self  # Capture the Engine/Concern context
+
+          Panda::Core::Middleware.use(app, OmniAuth::Builder) do
+            Panda::Core.config.authentication_providers.each do |name, settings|
+              ctx.send(:configure_provider, self, name, settings)
+            end
+          end
+        end
+
+        # 4. Provider builder
+        def configure_provider(builder, name, settings)
+          symbol = PROVIDER_REGISTRY[name.to_s]
+
+          unless symbol
+            Rails.logger.warn("[panda-core] Unknown OmniAuth provider: #{name.inspect}")
+            return
+          end
+
+          return if symbol == :developer && !Rails.env.development?
+
+          # Skip providers without credentials (except developer which doesn't need them)
+          has_credentials = settings[:client_id].present? && settings[:client_secret].present?
+          if symbol != :developer && !has_credentials
+            Rails.logger.info("[panda-core] Skipping OmniAuth provider #{name.inspect}: missing client_id or client_secret")
+            return
+          end
+
+          options = (settings[:options] || {}).dup
+          options[:name] = settings[:path_name] if settings[:path_name].present?
+
+          if settings[:client_id] && settings[:client_secret]
+            builder.provider symbol, settings[:client_id], settings[:client_secret], options
+          else
+            builder.provider symbol, options
+          end
+        end
       end
     end
   end

data/lib/panda/core/engine/route_config.rb

@@ -0,0 +1,37 @@
+# frozen_string_literal: true
+
+module Panda
+  module Core
+    class Engine < ::Rails::Engine
+      # Automatically mount the engine into host applications
+      module RouteConfig
+        extend ActiveSupport::Concern
+
+        included do
+          # Append Core routes to the host app after initialization so
+          # engine routes are available without manual mounting.
+          config.after_initialize do |app|
+            next unless Panda::Core.config.auto_mount_engine
+
+            route_set = app.routes
+            already_mounted =
+              route_set.routes.any? do |route|
+                route.app == Panda::Core::Engine ||
+                  (route.app.respond_to?(:app) && route.app.app == Panda::Core::Engine)
+              end
+            already_mounted ||= route_set.named_routes.key?(:panda_core)
+
+            next if already_mounted
+
+            route_set.append do
+              # Re-check inside the mapper to avoid duplicate mounts during reloads
+              next if route_set.named_routes.key?(:panda_core)
+
+              mount Panda::Core::Engine => "/", :as => "panda_core"
+            end
+          end
+        end
+      end
+    end
+  end
+end