panda-core 0.7.1 → 0.7.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 80a35426761da785e847321996703aad6eeecb6262b2a781a3d1379bb0d438fd
-  data.tar.gz: 6eac8f3b86fb4054c6c54083a22bea5d3c6471f4aca43f06e1ab78726c6aa870
+  metadata.gz: 2d1c4f83377c0b031d5a68ef550668e6ce9d0e09f9d0865da9ab7a5b7349d981
+  data.tar.gz: c82ab418857a1b1961270f417f69ae9e236e1bb36fb3612b7c6e7001ac440cc9
 SHA512:
-  metadata.gz: ee2a264cbd6d014680f7773fd56749331de84f30b12c34a6eb87132a3f7c99e8f2fd97c32c6126bea35ecedb3301d9763d4826bbfe44f5f34fa5d2e92cb1ee86
-  data.tar.gz: 9df32b3390d72b00a4588bf1d0a88666fabdf9a519ed48712736316d66a6581467c1fb48fbacbd59244f7d319533110b9cec37807edc37984ce395f7b31cd5ba
+  metadata.gz: 3ab5424862f54e04222d4a8909487e0179e5a73ba1852cce491bd0767cfd26d177d02e720317c610d610275bd895f757cec61d337708a211fd12240db6d3fe47
+  data.tar.gz: d24d95c56a5ceac68c0713e51cb029a63b27f88476bf1d93007ae6822a472ea456d919e833c0f26817489dee98af8407a3d6f958b8f2d73846a8b5a064e51dd1

data/lib/panda/core/engine/admin_controller_config.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+module Panda
+  module Core
+    class Engine < ::Rails::Engine
+      # AdminController alias configuration
+      module AdminControllerConfig
+        extend ActiveSupport::Concern
+
+        included do
+          # Create AdminController alias after controllers are loaded
+          # This allows other gems to inherit from Panda::Core::AdminController
+          initializer "panda_core.admin_controller_alias", after: :load_config_initializers do
+            ActiveSupport.on_load(:action_controller_base) do
+              Panda::Core.const_set(:AdminController, Panda::Core::Admin::BaseController) unless Panda::Core.const_defined?(:AdminController)
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/panda/core/engine/autoload_config.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+module Panda
+  module Core
+    class Engine < ::Rails::Engine
+      # Autoload paths configuration
+      module AutoloadConfig
+        extend ActiveSupport::Concern
+
+        included do
+          config.eager_load_namespaces << Panda::Core::Engine
+
+          # Add engine's app directories to autoload paths
+          # Note: Only add the root directories, not nested subdirectories
+          # Zeitwerk will automatically discover nested modules from these roots
+          config.autoload_paths += Dir[root.join("app", "models")]
+          config.autoload_paths += Dir[root.join("app", "controllers")]
+          config.autoload_paths += Dir[root.join("app", "builders")]
+          config.autoload_paths += Dir[root.join("app", "components")]
+          config.autoload_paths += Dir[root.join("app", "services")]
+        end
+      end
+    end
+  end
+end

data/lib/panda/core/engine/generator_config.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+module Panda
+  module Core
+    class Engine < ::Rails::Engine
+      # Generator configuration
+      module GeneratorConfig
+        extend ActiveSupport::Concern
+
+        included do
+          config.generators do |g|
+            g.test_framework :rspec
+            g.fixture_replacement :factory_bot
+            g.factory_bot dir: "spec/factories"
+          end
+        end
+      end
+    end
+  end
+end

data/lib/panda/core/engine/importmap_config.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+module Panda
+  module Core
+    class Engine < ::Rails::Engine
+      # Importmap configuration
+      module ImportmapConfig
+        extend ActiveSupport::Concern
+
+        included do
+          # Add importmap paths from the engine
+          initializer "panda_core.importmap", before: "importmap" do |app|
+            if app.config.respond_to?(:importmap)
+              # Create a new array if frozen
+              app.config.importmap.paths = app.config.importmap.paths.dup if app.config.importmap.paths.frozen?
+
+              # Add our paths
+              app.config.importmap.paths << root.join("config/importmap.rb")
+
+              # Handle cache sweepers similarly
+              if app.config.importmap.cache_sweepers.frozen?
+                app.config.importmap.cache_sweepers = app.config.importmap.cache_sweepers.dup
+              end
+              app.config.importmap.cache_sweepers << root.join("app/javascript")
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/panda/core/engine/inflections_config.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+module Panda
+  module Core
+    class Engine < ::Rails::Engine
+      # Inflections configuration
+      module InflectionsConfig
+        extend ActiveSupport::Concern
+
+        included do
+          # Load inflections early to ensure proper constant resolution
+          initializer "panda_core.inflections", before: :load_config_initializers do
+            ActiveSupport::Inflector.inflections(:en) do |inflect|
+              inflect.acronym "CMS"
+              inflect.acronym "SEO"
+              inflect.acronym "AI"
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/panda/core/engine/middleware_config.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+module Panda
+  module Core
+    class Engine < ::Rails::Engine
+      # Middleware configuration for static assets
+      module MiddlewareConfig
+        extend ActiveSupport::Concern
+
+        included do
+          # Make files in public available to the main app (e.g. /panda-core-assets/panda-logo.png)
+          config.middleware.use Rack::Static,
+            urls: ["/panda-core-assets"],
+            root: Panda::Core::Engine.root.join("public"),
+            header_rules: [
+              # Disable caching in development for instant CSS updates
+              [:all, {"Cache-Control" => Rails.env.development? ? "no-cache, no-store, must-revalidate" : "public, max-age=31536000"}]
+            ]
+
+          # Make JavaScript files available for importmap
+          # Serve from app/javascript with proper MIME types
+          config.middleware.use Rack::Static,
+            urls: ["/panda", "/panda/core"],
+            root: Panda::Core::Engine.root.join("app/javascript"),
+            header_rules: [
+              [:all, {"Cache-Control" => Rails.env.development? ? "no-cache, no-store, must-revalidate" : "public, max-age=31536000",
+                      "Content-Type" => "text/javascript; charset=utf-8"}]
+            ]
+        end
+      end
+    end
+  end
+end

data/lib/panda/core/engine/omniauth_config.rb

@@ -0,0 +1,52 @@
+# frozen_string_literal: true
+
+module Panda
+  module Core
+    class Engine < ::Rails::Engine
+      # OmniAuth configuration
+      module OmniauthConfig
+        extend ActiveSupport::Concern
+
+        included do
+          initializer "panda_core.omniauth" do |app|
+            # Load OAuth provider gems
+            require_relative "../oauth_providers"
+            Panda::Core::OAuthProviders.setup
+
+            # Mount OmniAuth at configurable admin path
+            app.middleware.use OmniAuth::Builder do
+              # Configure OmniAuth to use the configured admin path
+              configure do |config|
+                config.path_prefix = "#{Panda::Core.config.admin_path}/auth"
+                # POST-only for CSRF protection (CVE-2015-9284)
+                # All login forms use POST via form_tag method: "post"
+                config.allowed_request_methods = [:post]
+              end
+
+              Panda::Core.config.authentication_providers.each do |provider_name, settings|
+                # Build provider options, allowing custom path name override
+                provider_options = settings[:options] || {}
+
+                # If path_name is specified, use it to override the default strategy name in URLs
+                if settings[:path_name].present?
+                  provider_options = provider_options.merge(name: settings[:path_name])
+                end
+
+                case provider_name.to_s
+                when "microsoft_graph"
+                  provider :microsoft_graph, settings[:client_id], settings[:client_secret], provider_options
+                when "google_oauth2"
+                  provider :google_oauth2, settings[:client_id], settings[:client_secret], provider_options
+                when "github"
+                  provider :github, settings[:client_id], settings[:client_secret], provider_options
+                when "developer"
+                  provider :developer if Rails.env.development?
+                end
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/panda/core/engine/phlex_config.rb

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+module Panda
+  module Core
+    class Engine < ::Rails::Engine
+      # Phlex configuration
+      module PhlexConfig
+        extend ActiveSupport::Concern
+
+        included do
+          # Load Phlex base component after Rails application is initialized
+          # This ensures Rails.application.routes is available
+          initializer "panda_core.phlex_base", after: :load_config_initializers do
+            require "phlex"
+            require "phlex-rails"
+            require "literal"
+            require "tailwind_merge"
+
+            # Load the base component
+            require root.join("app/components/panda/core/base")
+          end
+        end
+      end
+    end
+  end
+end

data/lib/panda/core/engine/test_config.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+module Panda
+  module Core
+    class Engine < ::Rails::Engine
+      # Test environment configuration
+      module TestConfig
+        extend ActiveSupport::Concern
+
+        included do
+          # For testing: Don't expose engine migrations since we use "copy to host app" strategy
+          # In test environment, migrations should be copied to the host app
+          if Rails.env.test?
+            config.paths["db/migrate"] = []
+          end
+        end
+      end
+    end
+  end
+end

data/lib/panda/core/engine.rb

@@ -19,131 +19,36 @@ ensure
   $stderr = original_stderr
 end
 
+# Load engine configuration modules
+require_relative "engine/test_config"
+require_relative "engine/autoload_config"
+require_relative "engine/middleware_config"
+require_relative "engine/importmap_config"
+require_relative "engine/omniauth_config"
+require_relative "engine/phlex_config"
+require_relative "engine/admin_controller_config"
+
 module Panda
   module Core
     class Engine < ::Rails::Engine
       isolate_namespace Panda::Core
 
-      # For testing: Don't expose engine migrations since we use "copy to host app" strategy
-      # In test environment, migrations should be copied to the host app
-      if Rails.env.test?
-        config.paths["db/migrate"] = []
-      end
-
-      config.eager_load_namespaces << Panda::Core::Engine
+      # Include shared configuration modules
+      include Shared::InflectionsConfig
+      include Shared::GeneratorConfig
 
-      # Add engine's app directories to autoload paths
-      # Note: Only add the root directories, not nested subdirectories
-      # Zeitwerk will automatically discover nested modules from these roots
-      config.autoload_paths += Dir[root.join("app", "models")]
-      config.autoload_paths += Dir[root.join("app", "controllers")]
-      config.autoload_paths += Dir[root.join("app", "builders")]
-      config.autoload_paths += Dir[root.join("app", "components")]
-      config.autoload_paths += Dir[root.join("app", "services")]
-
-      # Make files in public available to the main app (e.g. /panda-core-assets/panda-logo.png)
-      config.middleware.use Rack::Static,
-        urls: ["/panda-core-assets"],
-        root: Panda::Core::Engine.root.join("public"),
-        header_rules: [
-          # Disable caching in development for instant CSS updates
-          [:all, {"Cache-Control" => Rails.env.development? ? "no-cache, no-store, must-revalidate" : "public, max-age=31536000"}]
-        ]
-
-      # Make JavaScript files available for importmap
-      # Serve from app/javascript with proper MIME types
-      config.middleware.use Rack::Static,
-        urls: ["/panda", "/panda/core"],
-        root: Panda::Core::Engine.root.join("app/javascript"),
-        header_rules: [
-          [:all, {"Cache-Control" => Rails.env.development? ? "no-cache, no-store, must-revalidate" : "public, max-age=31536000",
-                  "Content-Type" => "text/javascript; charset=utf-8"}]
-        ]
-
-      config.generators do |g|
-        g.test_framework :rspec
-        g.fixture_replacement :factory_bot
-        g.factory_bot dir: "spec/factories"
-      end
+      # Include engine-specific configuration modules
+      include TestConfig
+      include AutoloadConfig
+      include MiddlewareConfig
+      include ImportmapConfig
+      include OmniauthConfig
+      include PhlexConfig
+      include AdminControllerConfig
 
       initializer "panda_core.config" do |app|
         # Configuration is already initialized with defaults in Configuration class
       end
-
-      # Add importmap paths from the engine
-      initializer "panda_core.importmap", before: "importmap" do |app|
-        if app.config.respond_to?(:importmap)
-          # Create a new array if frozen
-          app.config.importmap.paths = app.config.importmap.paths.dup if app.config.importmap.paths.frozen?
-
-          # Add our paths
-          app.config.importmap.paths << root.join("config/importmap.rb")
-
-          # Handle cache sweepers similarly
-          if app.config.importmap.cache_sweepers.frozen?
-            app.config.importmap.cache_sweepers = app.config.importmap.cache_sweepers.dup
-          end
-          app.config.importmap.cache_sweepers << root.join("app/javascript")
-        end
-      end
-
-      initializer "panda_core.omniauth" do |app|
-        # Load OAuth provider gems
-        require_relative "oauth_providers"
-        Panda::Core::OAuthProviders.setup
-
-        # Mount OmniAuth at configurable admin path
-        app.middleware.use OmniAuth::Builder do
-          # Configure OmniAuth to use the configured admin path
-          configure do |config|
-            config.path_prefix = "#{Panda::Core.config.admin_path}/auth"
-            # POST-only for CSRF protection (CVE-2015-9284)
-            # All login forms use POST via form_tag method: "post"
-            config.allowed_request_methods = [:post]
-          end
-
-          Panda::Core.config.authentication_providers.each do |provider_name, settings|
-            # Build provider options, allowing custom path name override
-            provider_options = settings[:options] || {}
-
-            # If path_name is specified, use it to override the default strategy name in URLs
-            if settings[:path_name].present?
-              provider_options = provider_options.merge(name: settings[:path_name])
-            end
-
-            case provider_name.to_s
-            when "microsoft_graph"
-              provider :microsoft_graph, settings[:client_id], settings[:client_secret], provider_options
-            when "google_oauth2"
-              provider :google_oauth2, settings[:client_id], settings[:client_secret], provider_options
-            when "github"
-              provider :github, settings[:client_id], settings[:client_secret], provider_options
-            when "developer"
-              provider :developer if Rails.env.development?
-            end
-          end
-        end
-      end
-
-      # Load Phlex base component after Rails application is initialized
-      # This ensures Rails.application.routes is available
-      initializer "panda_core.phlex_base", after: :load_config_initializers do
-        require "phlex"
-        require "phlex-rails"
-        require "literal"
-        require "tailwind_merge"
-
-        # Load the base component
-        require root.join("app/components/panda/core/base")
-      end
-
-      # Create AdminController alias after controllers are loaded
-      # This allows other gems to inherit from Panda::Core::AdminController
-      initializer "panda_core.admin_controller_alias", after: :load_config_initializers do
-        ActiveSupport.on_load(:action_controller_base) do
-          Panda::Core.const_set(:AdminController, Panda::Core::Admin::BaseController) unless Panda::Core.const_defined?(:AdminController)
-        end
-      end
     end
   end
 end

data/lib/panda/core/shared/generator_config.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+module Panda
+  module Core
+    module Shared
+      # Shared generator configuration for all panda gems
+      # This ensures consistent generator behavior across the ecosystem
+      module GeneratorConfig
+        extend ActiveSupport::Concern
+
+        included do
+          config.generators do |g|
+            g.orm :active_record, primary_key_type: :uuid
+            g.test_framework :rspec, fixture: true
+            g.fixture_replacement nil
+            g.view_specs false
+          end
+        end
+      end
+    end
+  end
+end

data/lib/panda/core/shared/inflections_config.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+module Panda
+  module Core
+    module Shared
+      # Shared inflections configuration for all panda gems
+      # Ensures consistent constant naming across the ecosystem
+      module InflectionsConfig
+        extend ActiveSupport::Concern
+
+        included do
+          # Load inflections early to ensure proper constant resolution
+          initializer "panda.inflections", before: :load_config_initializers do
+            ActiveSupport::Inflector.inflections(:en) do |inflect|
+              inflect.acronym "CMS"
+              inflect.acronym "SEO"
+              inflect.acronym "AI"
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/panda/core/testing/rails_helper.rb

@@ -29,10 +29,9 @@ Shoulda::Matchers.configure do |config|
 end
 
 # Load all support files from panda-core
-panda_core_support_path = Gem.loaded_specs["panda-core"]&.full_gem_path
-if panda_core_support_path
-  Dir[File.join(panda_core_support_path, "spec/support/**/*.rb")].sort.each { |f| require f }
-end
+# Files are now in lib/panda/core/testing/support/ to be included in the published gem
+support_path = File.expand_path("../support", __FILE__)
+Dir[File.join(support_path, "**/*.rb")].sort.each { |f| require f }
 
 RSpec.configure do |config|
   # Include panda-core route helpers by default

data/lib/panda/core/testing/support/authentication_helpers.rb

@@ -0,0 +1,58 @@
+# frozen_string_literal: true
+
+module Panda
+  module Core
+    module AuthenticationHelpers
+      # Create test users with fixed IDs for consistent fixture references
+      def create_admin_user
+        Panda::Core::User.find_or_create_by!(id: "8f481fcb-d9c8-55d7-ba17-5ea5d9ed8b7a") do |user|
+          user.email = "admin@test.example.com"
+          user.firstname = "Admin"
+          user.lastname = "User"
+          user.admin = true
+        end
+      end
+
+      def create_regular_user
+        Panda::Core::User.find_or_create_by!(id: "9a8b7c6d-5e4f-3a2b-1c0d-9e8f7a6b5c4d") do |user|
+          user.email = "user@test.example.com"
+          user.firstname = "Regular"
+          user.lastname = "User"
+          user.admin = false
+        end
+      end
+
+      # For request specs - set session directly
+      def sign_in_as(user)
+        session[:user_id] = user.id
+        Panda::Core::Current.user = user
+      end
+
+      # For system specs - use test session endpoint if available
+      def login_as_admin
+        admin_user = create_admin_user
+        if defined?(Panda::CMS)
+          # CMS provides test session endpoint
+          post "/admin/test_sessions", params: {user_id: admin_user.id}
+        else
+          # Fall back to direct session setting
+          sign_in_as(admin_user)
+        end
+      end
+
+      def login_as_regular_user
+        regular_user = create_regular_user
+        if defined?(Panda::CMS)
+          post "/admin/test_sessions", params: {user_id: regular_user.id}
+        else
+          sign_in_as(regular_user)
+        end
+      end
+    end
+  end
+end
+
+RSpec.configure do |config|
+  # Include authentication helpers for all spec types (model, request, system, component, etc.)
+  config.include Panda::Core::AuthenticationHelpers
+end

data/lib/panda/core/testing/support/authentication_test_helpers.rb

@@ -0,0 +1,260 @@
+# frozen_string_literal: true
+
+# Comprehensive authentication test helpers for Panda Core and consuming gems
+# This module provides helpers for:
+# - Creating test users with fixed IDs
+# - OAuth mocking and configuration
+# - Test session management
+# - Request and system test authentication
+
+module Panda
+  module Core
+    module AuthenticationTestHelpers
+      # ============================================================================
+      # USER CREATION HELPERS
+      # ============================================================================
+
+      # Create an admin user with fixed ID for consistent fixture references
+      def create_admin_user(attributes = {})
+        ensure_columns_loaded
+        admin_id = "8f481fcb-d9c8-55d7-ba17-5ea5d9ed8b7a"
+        Panda::Core::User.find_or_create_by!(id: admin_id) do |user|
+          user.email = attributes[:email] || "admin@example.com"
+          user.firstname = attributes[:firstname] || "Admin" if user.respond_to?(:firstname=)
+          user.lastname = attributes[:lastname] || "User" if user.respond_to?(:lastname=)
+          user.name = attributes[:name] || "Admin User" if user.respond_to?(:name=) && !user.respond_to?(:firstname=)
+          user.image_url = attributes[:image_url] || default_image_url if user.respond_to?(:image_url=)
+          # Use is_admin for the actual column, but support both for compatibility
+          if user.respond_to?(:is_admin=)
+            user.is_admin = attributes.fetch(:admin, true)
+          elsif user.respond_to?(:admin=)
+            user.admin = attributes.fetch(:admin, true)
+          end
+          # Only set OAuth fields if they exist on the model
+          user.uid = attributes[:uid] || "admin_oauth_uid_123" if user.respond_to?(:uid=)
+          user.provider = attributes[:provider] || "google_oauth2" if user.respond_to?(:provider=)
+        end
+      end
+
+      # Create a regular user with fixed ID for consistent fixture references
+      def create_regular_user(attributes = {})
+        ensure_columns_loaded
+        regular_id = "9a8b7c6d-5e4f-3a2b-1c0d-9e8f7a6b5c4d"
+        Panda::Core::User.find_or_create_by!(id: regular_id) do |user|
+          user.email = attributes[:email] || "user@example.com"
+          user.firstname = attributes[:firstname] || "Regular" if user.respond_to?(:firstname=)
+          user.lastname = attributes[:lastname] || "User" if user.respond_to?(:lastname=)
+          user.name = attributes[:name] || "Regular User" if user.respond_to?(:name=) && !user.respond_to?(:firstname=)
+          user.image_url = attributes[:image_url] || default_image_url(dark: true) if user.respond_to?(:image_url=)
+          # Use is_admin for the actual column, but support both for compatibility
+          if user.respond_to?(:is_admin=)
+            user.is_admin = attributes.fetch(:admin, false)
+          elsif user.respond_to?(:admin=)
+            user.admin = attributes.fetch(:admin, false)
+          end
+          # Only set OAuth fields if they exist on the model
+          user.uid = attributes[:uid] || "user_oauth_uid_456" if user.respond_to?(:uid=)
+          user.provider = attributes[:provider] || "google_oauth2" if user.respond_to?(:provider=)
+        end
+      end
+
+      # Backwards compatibility with fixture access patterns
+      def admin_user
+        ensure_columns_loaded
+        @admin_user ||= Panda::Core::User.find_by(email: "admin@example.com") || create_admin_user
+      end
+
+      def regular_user
+        ensure_columns_loaded
+        @regular_user ||= Panda::Core::User.find_by(email: "user@example.com") || create_regular_user
+      end
+
+      # ============================================================================
+      # OMNIAUTH HELPERS
+      # ============================================================================
+
+      def clear_omniauth_config
+        OmniAuth.config.mock_auth.clear
+        Rails.application.env_config.delete("omniauth.auth") if defined?(Rails.application)
+      end
+
+      def mock_oauth_for_user(user, provider: :google_oauth2)
+        clear_omniauth_config
+        OmniAuth.config.test_mode = true
+        OmniAuth.config.mock_auth[provider] = OmniAuth::AuthHash.new({
+          provider: provider.to_s,
+          uid: (user.respond_to?(:uid) ? user.uid : nil) || user.id,
+          info: {
+            email: user.email,
+            name: user.name,
+            image: user.respond_to?(:image_url) ? user.image_url : nil
+          },
+          credentials: {
+            token: "mock_token_#{user.id}",
+            expires_at: Time.now + 1.week
+          }
+        })
+      end
+
+      # ============================================================================
+      # REQUEST SPEC HELPERS (Direct Session Manipulation)
+      # ============================================================================
+
+      # For request specs - set session directly (fast, no HTTP requests)
+      def sign_in_as(user)
+        # This works in request specs where we have direct access to the session
+        begin
+          if respond_to?(:session)
+            session[:user_id] = user.id
+          end
+        rescue NoMethodError
+          # Session method doesn't exist in this context (e.g., system specs)
+        end
+        Panda::Core::Current.user = user
+        user
+      end
+
+      # ============================================================================
+      # SYSTEM SPEC HELPERS (HTTP-based Authentication)
+      # ============================================================================
+
+      # For system specs - use test session endpoint (works across processes)
+      # This uses the TestSessionsController which is only available in test environment
+      #
+      # NOTE: Due to Cuprite's redirect handling, we visit the target path directly
+      # after setting up the session via the test endpoint. Flash messages won't be
+      # available in system tests due to cross-process timing. Use request specs
+      # to test flash messages (see authentication_request_spec.rb).
+      def login_with_test_endpoint(user, return_to: nil, expect_success: true)
+        return_path = return_to || determine_default_redirect_path
+
+        # Visit the test login endpoint (sets session via Redis)
+        # Note: Capybara/Cuprite may not follow the redirect properly, so we
+        # manually navigate to the expected destination
+        visit "/admin/test_login/#{user.id}?return_to=#{return_path}"
+
+        # Wait briefly for session to be set
+        sleep 0.2
+
+        # Manually visit the destination since Cuprite doesn't reliably follow redirects
+        if expect_success
+          visit return_path
+          # Wait for page to load
+          sleep 0.2
+
+          # Verify we're on the expected path
+          expect(page).to have_current_path(return_path, wait: 2)
+        end
+      end
+
+      # Convenience method: Login with Google OAuth provider (using test endpoint)
+      def login_with_google(user, expect_success: true)
+        login_with_test_endpoint(user, return_to: determine_default_redirect_path, expect_success: expect_success)
+      end
+
+      # Convenience method: Login with GitHub OAuth provider (using test endpoint)
+      def login_with_github(user, expect_success: true)
+        login_with_test_endpoint(user, return_to: determine_default_redirect_path, expect_success: expect_success)
+      end
+
+      # Convenience method: Login with Microsoft OAuth provider (using test endpoint)
+      def login_with_microsoft(user, expect_success: true)
+        login_with_test_endpoint(user, return_to: determine_default_redirect_path, expect_success: expect_success)
+      end
+
+      # High-level helper: Login as admin (creates user if needed)
+      def login_as_admin(attributes = {})
+        user = create_admin_user(attributes)
+        if respond_to?(:visit)
+          # System spec - use test endpoint
+          login_with_test_endpoint(user, expect_success: true)
+        else
+          # Request spec - use direct session
+          sign_in_as(user)
+        end
+        user
+      end
+
+      # High-level helper: Login as regular user (creates user if needed)
+      def login_as_user(attributes = {})
+        user = create_regular_user(attributes)
+        if respond_to?(:visit)
+          # System spec - regular users get redirected to login
+          login_with_test_endpoint(user, expect_success: false)
+        else
+          # Request spec - use direct session
+          sign_in_as(user)
+        end
+        user
+      end
+
+      # Manual OAuth login (slower, but tests actual OAuth flow)
+      # Use this when you need to test the OAuth callback handler itself
+      def manual_login_with_oauth(user, provider: :google_oauth2)
+        mock_oauth_for_user(user, provider: provider)
+
+        visit admin_login_path
+        expect(page).to have_css("#button-sign-in-#{provider}")
+        find("#button-sign-in-#{provider}").click
+
+        Rails.application.env_config["omniauth.auth"] = OmniAuth.config.mock_auth[provider]
+      end
+
+      # ============================================================================
+      # PRIVATE HELPER METHODS
+      # ============================================================================
+
+      private
+
+      def ensure_columns_loaded
+        return if @columns_loaded
+        Panda::Core::User.connection.schema_cache.clear!
+        Panda::Core::User.reset_column_information
+        @columns_loaded = true
+      end
+
+      def default_image_url(dark: false)
+        color = dark ? "%23999" : "%23ccc"
+        "data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='100' height='100'%3E%3Crect width='100' height='100' fill='#{color}'/%3E%3C/svg%3E"
+      end
+
+      def determine_default_redirect_path
+        # Check if we're in a CMS context
+        if defined?(Panda::CMS)
+          "/admin/cms"
+        else
+          "/admin"
+        end
+      end
+
+      def admin_login_path
+        if defined?(panda_core)
+          panda_core.admin_login_path
+        else
+          "/admin/login"
+        end
+      end
+
+      def admin_root_path
+        if defined?(panda_core)
+          panda_core.admin_root_path
+        else
+          "/admin"
+        end
+      end
+    end
+  end
+end
+
+# Configure RSpec to include these helpers in appropriate test types
+RSpec.configure do |config|
+  config.include Panda::Core::AuthenticationTestHelpers, type: :request
+  config.include Panda::Core::AuthenticationTestHelpers, type: :system
+  config.include Panda::Core::AuthenticationTestHelpers, type: :controller
+end
+
+# Configure OmniAuth for testing
+OmniAuth.config.test_mode = true
+OmniAuth.config.on_failure = proc { |env|
+  OmniAuth::FailureEndpoint.new(env).redirect_to_failure
+}

data/lib/panda/core/testing/support/generator_spec_helper.rb

@@ -0,0 +1,97 @@
+require "rails/generators"
+
+module GeneratorSpecHelper
+  extend ActiveSupport::Concern
+
+  included do
+    before(:each) do
+      prepare_destination
+      @original_stdout = $stdout
+      $stdout = File.new(File::NULL, "w")
+    end
+
+    after(:each) do
+      FileUtils.rm_rf(destination_root)
+      $stdout = @original_stdout
+    end
+  end
+
+  def destination_root
+    @destination_root ||= File.expand_path("../../tmp/generators", __dir__)
+  end
+
+  def prepare_destination
+    FileUtils.rm_rf(destination_root)
+    FileUtils.mkdir_p(destination_root)
+  end
+
+  def run_generator(args = [])
+    args = Array(args)
+    # Use the generator namespace instead of class name
+    generator_name = described_class.namespace
+    Rails::Generators.invoke(generator_name, args, destination_root: destination_root)
+  end
+
+  def generator
+    @generator ||= described_class.new([], destination_root: destination_root)
+  end
+
+  def file_exists?(path)
+    File.exist?(File.join(destination_root, path))
+  end
+
+  def read_file(path)
+    File.read(File.join(destination_root, path))
+  end
+
+  private
+
+  def capture(stream)
+    stream = stream.to_s
+    captured_stream = StringIO.new
+
+    # Map stream names to their global variables to avoid eval
+    streams = {
+      "stdout" => $stdout,
+      "stderr" => $stderr,
+      "stdin" => $stdin
+    }
+
+    original_stream = streams[stream]
+    case stream
+    when "stdout"
+      $stdout = captured_stream
+    when "stderr"
+      $stderr = captured_stream
+    when "stdin"
+      $stdin = captured_stream
+    else
+      raise ArgumentError, "Unsupported stream: #{stream}"
+    end
+
+    yield
+    captured_stream.string
+  ensure
+    case stream
+    when "stdout"
+      $stdout = original_stream
+    when "stderr"
+      $stderr = original_stream
+    when "stdin"
+      $stdin = original_stream
+    end
+  end
+end
+
+RSpec.configure do |config|
+  config.include GeneratorSpecHelper, type: :generator
+
+  # Ensure generator tests have a clean environment
+  config.before(:each, type: :generator) do
+    prepare_destination
+  end
+
+  config.after(:each, type: :generator) do
+    FileUtils.rm_rf(destination_root) if defined?(destination_root)
+  end
+end

data/lib/panda/core/testing/support/html_helpers.rb

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+module HtmlHelpers
+  def normalize_html(html)
+    html.gsub(/\s+/, " ").strip
+  end
+end
+
+RSpec.configure do |config|
+  config.include HtmlHelpers
+end

data/lib/panda/core/testing/support/omniauth_setup.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+# Configure authentication providers for tests
+RSpec.configure do |config|
+  config.before(:each, type: :controller) do
+    # Set up test authentication providers
+    Panda::Core.configure do |core_config|
+      core_config.authentication_providers = {
+        google_oauth2: {
+          client_id: "test_client_id",
+          client_secret: "test_client_secret",
+          options: {}
+        }
+      }
+    end
+  end
+end

data/lib/panda/core/testing/support/service_stubs.rb

@@ -0,0 +1,40 @@
+# frozen_string_literal: true
+
+require "tempfile"
+require "base64"
+
+# Stub services that make external HTTP requests to prevent them in tests
+RSpec.configure do |config|
+  config.before(:each) do
+    # Stub URI.open to prevent external HTTP requests when downloading avatars
+    # This affects AttachAvatarService which downloads avatars from OAuth providers
+    # Tests that specifically need real HTTP requests can override this stub
+    allow(URI).to receive(:open).and_wrap_original do |original_method, *args, **kwargs, &block|
+      url = args[0]
+
+      # Only stub avatar downloads from OAuth providers and test URLs
+      if /googleusercontent\.com|githubusercontent\.com|graph\.microsoft\.com|example\.com/.match?(url.to_s)
+        # Use the actual test fixture file instead of creating a fake file
+        # This ensures compatibility with Active Storage
+        fixture_path = Panda::Core::Engine.root.join("spec", "fixtures", "files", "test_image.jpg")
+        downloaded_file = File.open(fixture_path, "rb")
+
+        # Add methods that AttachAvatarService expects
+        downloaded_file.define_singleton_method(:content_type) { "image/jpeg" }
+        downloaded_file.define_singleton_method(:size) { File.size(fixture_path) }
+
+        # Call the block with our file if a block is given
+        if block_given?
+          result = block.call(downloaded_file)
+          downloaded_file.close unless downloaded_file.closed?
+          result
+        else
+          downloaded_file
+        end
+      else
+        # For other URLs, use the original method
+        original_method.call(*args, **kwargs, &block)
+      end
+    end
+  end
+end

data/lib/panda/core/testing/support/setup.rb

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+def pause
+  $stderr.write "Press enter to continue"
+  $stdin.gets
+end
+
+def debugit
+  # Cuprite-specific debugging method
+  page.driver.debug
+end

data/lib/panda/core/version.rb

@@ -2,6 +2,6 @@
 
 module Panda
   module Core
-    VERSION = "0.7.1"
+    VERSION = "0.7.3"
   end
 end

data/lib/panda/core.rb

@@ -15,4 +15,6 @@ require_relative "core/configuration"
 require_relative "core/asset_loader"
 require_relative "core/debug"
 require_relative "core/services/base_service"
+require_relative "core/shared/inflections_config"
+require_relative "core/shared/generator_config"
 require_relative "core/engine" if defined?(Rails)

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: panda-core
 version: !ruby/object:Gem::Version
-  version: 0.7.1
+  version: 0.7.3
 platform: ruby
 authors:
 - Otaina Limited
@@ -461,6 +461,15 @@ files:
 - lib/panda/core/configuration.rb
 - lib/panda/core/debug.rb
 - lib/panda/core/engine.rb
+- lib/panda/core/engine/admin_controller_config.rb
+- lib/panda/core/engine/autoload_config.rb
+- lib/panda/core/engine/generator_config.rb
+- lib/panda/core/engine/importmap_config.rb
+- lib/panda/core/engine/inflections_config.rb
+- lib/panda/core/engine/middleware_config.rb
+- lib/panda/core/engine/omniauth_config.rb
+- lib/panda/core/engine/phlex_config.rb
+- lib/panda/core/engine/test_config.rb
 - lib/panda/core/media.rb
 - lib/panda/core/notifications.rb
 - lib/panda/core/oauth_providers.rb
@@ -468,9 +477,18 @@ files:
 - lib/panda/core/rake_tasks.rb
 - lib/panda/core/seo.rb
 - lib/panda/core/services/base_service.rb
+- lib/panda/core/shared/generator_config.rb
+- lib/panda/core/shared/inflections_config.rb
 - lib/panda/core/sluggable.rb
 - lib/panda/core/subscribers/authentication_subscriber.rb
 - lib/panda/core/testing/rails_helper.rb
+- lib/panda/core/testing/support/authentication_helpers.rb
+- lib/panda/core/testing/support/authentication_test_helpers.rb
+- lib/panda/core/testing/support/generator_spec_helper.rb
+- lib/panda/core/testing/support/html_helpers.rb
+- lib/panda/core/testing/support/omniauth_setup.rb
+- lib/panda/core/testing/support/service_stubs.rb
+- lib/panda/core/testing/support/setup.rb
 - lib/panda/core/version.rb
 - lib/tasks/assets.rake
 - lib/tasks/panda/core/migrations.rake