pg_sql_triggers 1.1.1 → 1.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: dff79b71aeff432cbe9324568f94bd358c76ca9161162f47b8513401eb783dd1
-  data.tar.gz: 524af402547aa3ef6be32605089e177a2cde1e7cae2548affa657c2af283cbf1
+  metadata.gz: 54f76c538693c37b1572cb914462269eb8c3600473c1a7c26efda0a7e02eefe5
+  data.tar.gz: 8574ff3bb8f835a11f8cec850c5adbff7f17be65a1461b8f8e87242ab3e50b62
 SHA512:
-  metadata.gz: e57441cf88cfd3e6deb7f9523286fbe862add9c0d07eef5ac127857c20f417b34ed4dc1a307a3c5c15012afbeb8524b566a2c5a5d0ad2b9284f60010bd7be99b
-  data.tar.gz: b216be1abbea025ff653cde512a309258e211443e86b049d74b37417ef1df3633559b274c78870fba8498fe4afbd36db72de11c45c446a4e80e717491fe72765
+  metadata.gz: 5e7ccb4983c43cad0aee550a741e341a3feda8a2fd5541be1786a92ffc26894a80eb8081e57493e6eb05697a362cafaa3fee325b288a716f4f1e8c3de989966e
+  data.tar.gz: f24548a2b4fa7f0bb274d11d2085b87e716c44e08923782eee93ffb0d86500892ffca3b6d7c69ba53e1f886743646ac0c8695097589ecb7db4280152b4c1dccf

data/.rubocop.yml

@@ -118,6 +118,21 @@ RSpec/MultipleExpectations:
 RSpec/SpecFilePathFormat:
   Enabled: false
 
+RSpec/AnyInstance:
+  Enabled: false
+
+RSpec/LetSetup:
+  Enabled: false
+
+RSpec/NestedGroups:
+  Enabled: false
+
+RSpec/VerifiedDoubles:
+  Enabled: false
+
+RSpec/RepeatedExample:
+  Enabled: false
+
 # Capybara
 Capybara/RSpec/PredicateMatcher:
   Enabled: false

data/CHANGELOG.md

@@ -7,6 +7,62 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [1.2.0] - 2026-01-02
+
+### Added
+- **SQL Capsules**: Emergency SQL execution feature for critical operations
+  - Named SQL capsules with environment declaration and purpose description
+  - Capsule class for creating and managing SQL capsules
+  - Executor class for safe, transactional SQL execution
+  - Permission checks (Admin role required for execution)
+  - Kill switch protection for all executions
+  - Checksum calculation and storage in registry
+  - Comprehensive logging of all operations
+  - Web UI for creating, viewing, and executing SQL capsules
+  - Console API: `PgSqlTriggers::SQL::Executor.execute(capsule, actor:, confirmation:)`
+
+- **Drop & Re-Execute Flow**: Operational controls for trigger lifecycle management
+  - `TriggerRegistry#drop!` method for safely dropping triggers
+    - Admin permission required
+    - Kill switch protection
+    - Reason field (required and logged)
+    - Typed confirmation required in protected environments
+    - Transactional execution
+    - Removes trigger from database and registry
+  - `TriggerRegistry#re_execute!` method for fixing drifted triggers
+    - Admin permission required
+    - Kill switch protection
+    - Shows drift diff before execution
+    - Reason field (required and logged)
+    - Typed confirmation required in protected environments
+    - Transactional execution
+    - Drops and re-creates trigger from registry definition
+  - Web UI buttons for drop and re-execute on trigger detail page
+  - Controller actions with proper permission checks and error handling
+  - Interactive modals with reason input and confirmation fields
+  - Drift comparison shown before re-execution
+
+- **Enhanced Permissions Enforcement**:
+  - Console APIs with permission checks:
+    - `PgSqlTriggers::Registry.enable(trigger_name, actor:, confirmation:)`
+    - `PgSqlTriggers::Registry.disable(trigger_name, actor:, confirmation:)`
+    - `PgSqlTriggers::Registry.drop(trigger_name, actor:, reason:, confirmation:)`
+    - `PgSqlTriggers::Registry.re_execute(trigger_name, actor:, reason:, confirmation:)`
+  - Permission checks enforced at console API level
+  - Rake tasks already protected by kill switch
+  - Clear error messages for permission violations
+
+### Fixed
+- Improved error handling for trigger enable/disable operations
+- Better logging for drop and re-execute operations
+- Fixed rubocop linting issues
+
+### Security
+- All destructive operations (drop, re-execute, SQL capsule execution) require Admin permissions
+- Kill switch protection enforced across all new features
+- Typed confirmation required in protected environments
+- Comprehensive audit logging for all operations
+
 ## [1.1.1] - 2025-12-31
 
 ### Changed

data/COVERAGE.md

@@ -1,8 +1,8 @@
 # Code Coverage Report
 
-**Total Coverage: 95.4%**
+**Total Coverage: 95.33%**
 
-Covered: 1678 / 1759 lines
+Covered: 2040 / 2140 lines
 
 ---
 
@@ -10,47 +10,51 @@ Covered: 1678 / 1759 lines
 
 | File | Coverage | Covered Lines | Missed Lines | Total Lines |
 |------|----------|---------------|--------------|-------------|
-| `lib/pg_sql_triggers/testing/dry_run.rb` | 100.0% ✅ | 24 | 0 | 24 |
-| `lib/pg_sql_triggers/testing.rb` | 100.0% ✅ | 6 | 0 | 6 |
-| `lib/pg_sql_triggers/registry/validator.rb` | 100.0% ✅ | 5 | 0 | 5 |
-| `lib/pg_sql_triggers/registry.rb` | 100.0% ✅ | 18 | 0 | 18 |
-| `lib/pg_sql_triggers/permissions/checker.rb` | 100.0% ✅ | 15 | 0 | 15 |
-| `lib/pg_sql_triggers/permissions.rb` | 100.0% ✅ | 11 | 0 | 11 |
-| `lib/pg_sql_triggers/migrator/safety_validator.rb` | 100.0% ✅ | 110 | 0 | 110 |
-| `lib/pg_sql_triggers/migrator/pre_apply_diff_reporter.rb` | 100.0% ✅ | 75 | 0 | 75 |
-| `lib/pg_sql_triggers/migrator/pre_apply_comparator.rb` | 100.0% ✅ | 123 | 0 | 123 |
-| `lib/pg_sql_triggers/migration.rb` | 100.0% ✅ | 4 | 0 | 4 |
-| `lib/generators/trigger/migration_generator.rb` | 100.0% ✅ | 27 | 0 | 27 |
-| `lib/generators/pg_sql_triggers/install_generator.rb` | 100.0% ✅ | 18 | 0 | 18 |
-| `lib/pg_sql_triggers/generator/service.rb` | 100.0% ✅ | 93 | 0 | 93 |
-| `lib/pg_sql_triggers/generator/form.rb` | 100.0% ✅ | 36 | 0 | 36 |
-| `lib/pg_sql_triggers/generator.rb` | 100.0% ✅ | 4 | 0 | 4 |
 | `lib/pg_sql_triggers/dsl/trigger_definition.rb` | 100.0% ✅ | 37 | 0 | 37 |
-| `lib/pg_sql_triggers.rb` | 100.0% ✅ | 45 | 0 | 45 |
+| `lib/pg_sql_triggers/generator.rb` | 100.0% ✅ | 4 | 0 | 4 |
+| `lib/pg_sql_triggers/generator/form.rb` | 100.0% ✅ | 36 | 0 | 36 |
+| `lib/pg_sql_triggers/generator/service.rb` | 100.0% ✅ | 101 | 0 | 101 |
+| `lib/generators/pg_sql_triggers/install_generator.rb` | 100.0% ✅ | 18 | 0 | 18 |
+| `lib/generators/trigger/migration_generator.rb` | 100.0% ✅ | 27 | 0 | 27 |
+| `lib/pg_sql_triggers/migration.rb` | 100.0% ✅ | 4 | 0 | 4 |
+| `lib/pg_sql_triggers/migrator/pre_apply_diff_reporter.rb` | 100.0% ✅ | 75 | 0 | 75 |
+| `lib/pg_sql_triggers/migrator/safety_validator.rb` | 100.0% ✅ | 110 | 0 | 110 |
+| `lib/pg_sql_triggers/permissions.rb` | 100.0% ✅ | 11 | 0 | 11 |
+| `lib/pg_sql_triggers/permissions/checker.rb` | 100.0% ✅ | 15 | 0 | 15 |
+| `lib/pg_sql_triggers/registry.rb` | 100.0% ✅ | 41 | 0 | 41 |
+| `lib/pg_sql_triggers/registry/validator.rb` | 100.0% ✅ | 5 | 0 | 5 |
+| `lib/pg_sql_triggers/sql/capsule.rb` | 100.0% ✅ | 28 | 0 | 28 |
+| `lib/pg_sql_triggers/sql/executor.rb` | 100.0% ✅ | 63 | 0 | 63 |
+| `lib/pg_sql_triggers/testing.rb` | 100.0% ✅ | 6 | 0 | 6 |
+| `lib/pg_sql_triggers/testing/syntax_validator.rb` | 100.0% ✅ | 58 | 0 | 58 |
+| `lib/pg_sql_triggers/testing/dry_run.rb` | 100.0% ✅ | 24 | 0 | 24 |
 | `config/initializers/pg_sql_triggers.rb` | 100.0% ✅ | 10 | 0 | 10 |
 | `app/models/pg_sql_triggers/application_record.rb` | 100.0% ✅ | 3 | 0 | 3 |
 | `app/controllers/pg_sql_triggers/application_controller.rb` | 100.0% ✅ | 28 | 0 | 28 |
-| `app/controllers/pg_sql_triggers/dashboard_controller.rb` | 100.0% ✅ | 25 | 0 | 25 |
-| `app/controllers/pg_sql_triggers/migrations_controller.rb` | 100.0% ✅ | 63 | 0 | 63 |
+| `lib/pg_sql_triggers.rb` | 100.0% ✅ | 45 | 0 | 45 |
 | `lib/pg_sql_triggers/dsl.rb` | 100.0% ✅ | 9 | 0 | 9 |
-| `lib/pg_sql_triggers/drift.rb` | 100.0% ✅ | 13 | 0 | 13 |
 | `lib/pg_sql_triggers/drift/db_queries.rb` | 100.0% ✅ | 24 | 0 | 24 |
+| `lib/pg_sql_triggers/drift.rb` | 100.0% ✅ | 13 | 0 | 13 |
+| `lib/pg_sql_triggers/migrator/pre_apply_comparator.rb` | 99.19% ✅ | 122 | 1 | 123 |
 | `lib/pg_sql_triggers/drift/detector.rb` | 98.48% ✅ | 65 | 1 | 66 |
-| `lib/pg_sql_triggers/registry/manager.rb` | 96.36% ✅ | 53 | 2 | 55 |
+| `app/controllers/pg_sql_triggers/sql_capsules_controller.rb` | 97.18% ✅ | 69 | 2 | 71 |
+| `app/controllers/pg_sql_triggers/dashboard_controller.rb` | 96.67% ✅ | 29 | 1 | 30 |
+| `app/controllers/pg_sql_triggers/triggers_controller.rb` | 96.43% ✅ | 81 | 3 | 84 |
 | `lib/generators/pg_sql_triggers/trigger_migration_generator.rb` | 96.3% ✅ | 26 | 1 | 27 |
 | `lib/pg_sql_triggers/sql/kill_switch.rb` | 96.0% ✅ | 96 | 4 | 100 |
 | `lib/pg_sql_triggers/migrator.rb` | 95.42% ✅ | 125 | 6 | 131 |
-| `app/controllers/pg_sql_triggers/generator_controller.rb` | 94.68% ✅ | 89 | 5 | 94 |
+| `lib/pg_sql_triggers/registry/manager.rb` | 95.08% ✅ | 58 | 3 | 61 |
 | `app/controllers/pg_sql_triggers/tables_controller.rb` | 94.44% ✅ | 17 | 1 | 18 |
+| `lib/pg_sql_triggers/database_introspection.rb` | 94.29% ✅ | 66 | 4 | 70 |
 | `lib/pg_sql_triggers/drift/reporter.rb` | 94.12% ✅ | 96 | 6 | 102 |
 | `lib/pg_sql_triggers/engine.rb` | 92.86% ✅ | 13 | 1 | 14 |
-| `lib/pg_sql_triggers/database_introspection.rb` | 92.86% ✅ | 65 | 5 | 70 |
+| `app/models/pg_sql_triggers/trigger_registry.rb` | 92.25% ✅ | 119 | 10 | 129 |
 | `lib/pg_sql_triggers/testing/safe_executor.rb` | 91.89% ✅ | 34 | 3 | 37 |
+| `app/controllers/pg_sql_triggers/generator_controller.rb` | 91.49% ✅ | 86 | 8 | 94 |
 | `lib/pg_sql_triggers/sql.rb` | 90.91% ✅ | 10 | 1 | 11 |
-| `lib/pg_sql_triggers/testing/syntax_validator.rb` | 89.66% ⚠️ | 52 | 6 | 58 |
-| `app/models/pg_sql_triggers/trigger_registry.rb` | 84.62% ⚠️ | 55 | 10 | 65 |
-| `lib/pg_sql_triggers/testing/function_tester.rb` | 79.1% ⚠️ | 53 | 14 | 67 |
-| `config/routes.rb` | 16.67% ❌ | 3 | 15 | 18 |
+| `lib/pg_sql_triggers/testing/function_tester.rb` | 89.55% ⚠️ | 60 | 7 | 67 |
+| `app/controllers/pg_sql_triggers/migrations_controller.rb` | 81.4% ⚠️ | 70 | 16 | 86 |
+| `config/routes.rb` | 12.5% ❌ | 3 | 21 | 24 |
 
 ---
 

data/README.md

@@ -97,9 +97,38 @@ Multi-layered safety mechanism preventing accidental destructive operations in p
 ### Web Dashboard
 Visual interface for managing triggers, running migrations, and executing SQL capsules.
 
+### SQL Capsules
+Emergency SQL execution feature for critical operations with Admin permission requirements, kill switch protection, and comprehensive logging.
+
+### Drop & Re-Execute Flow
+Operational controls for trigger lifecycle management with drop and re-execute capabilities, drift comparison, and required reason logging.
+
 ### Permissions
 Three-tier permission system (Viewer, Operator, Admin) with customizable authorization.
 
+## Console API
+
+PgSqlTriggers provides a comprehensive console API for managing triggers programmatically:
+
+```ruby
+# Enable/disable triggers
+PgSqlTriggers::Registry.enable("users_email_validation", actor: current_user, confirmation: "EXECUTE TRIGGER_ENABLE")
+PgSqlTriggers::Registry.disable("users_email_validation", actor: current_user, confirmation: "EXECUTE TRIGGER_DISABLE")
+
+# Drop and re-execute triggers
+PgSqlTriggers::Registry.drop("old_trigger", actor: current_user, reason: "No longer needed", confirmation: "EXECUTE TRIGGER_DROP")
+PgSqlTriggers::Registry.re_execute("drifted_trigger", actor: current_user, reason: "Fix drift", confirmation: "EXECUTE TRIGGER_RE_EXECUTE")
+
+# Execute SQL capsules
+capsule = PgSqlTriggers::SQL::Capsule.new(
+  name: "emergency_fix",
+  environment: "production",
+  purpose: "Fix critical data issue",
+  sql: "UPDATE users SET status = 'active' WHERE id = 123"
+)
+PgSqlTriggers::SQL::Executor.execute(capsule, actor: current_user, confirmation: "EXECUTE SQL")
+```
+
 ## Examples
 
 For working examples and complete demonstrations, check out the [example repository](https://github.com/samaswin/pg_triggers_example).

data/app/controllers/pg_sql_triggers/application_controller.rb

@@ -10,7 +10,7 @@ module PgSqlTriggers
     before_action :check_permissions?
 
     # Helper methods available in views
-    helper_method :current_environment, :kill_switch_active?, :expected_confirmation_text
+    helper_method :current_environment, :kill_switch_active?, :expected_confirmation_text, :current_actor
 
     private
 

data/app/controllers/pg_sql_triggers/dashboard_controller.rb

@@ -2,6 +2,8 @@
 
 module PgSqlTriggers
   class DashboardController < ApplicationController
+    before_action :check_viewer_permission
+
     def index
       @triggers = PgSqlTriggers::TriggerRegistry.order(created_at: :desc)
 
@@ -41,5 +43,13 @@ module PgSqlTriggers
         @per_page = 20
       end
     end
+
+    private
+
+    def check_viewer_permission
+      return if PgSqlTriggers::Permissions.can?(current_actor, :view_triggers)
+
+      redirect_to root_path, alert: "Insufficient permissions. Viewer role required."
+    end
   end
 end

data/app/controllers/pg_sql_triggers/migrations_controller.rb

@@ -4,6 +4,8 @@ module PgSqlTriggers
   # Controller for managing trigger migrations via web UI
   # Provides actions to run migrations up, down, and redo
   class MigrationsController < ApplicationController
+    before_action :check_operator_permission
+
     def up
       # Check kill switch before running migration
       check_kill_switch(operation: :ui_migration_up, confirmation: params[:confirmation_text])
@@ -73,18 +75,16 @@ module PgSqlTriggers
       target_version = params[:version]&.to_i
       PgSqlTriggers::Migrator.ensure_migrations_table!
 
+      current_version = PgSqlTriggers::Migrator.current_version
+      if current_version.zero?
+        flash[:warning] = "No migrations to redo."
+        redirect_to root_path
+        return
+      end
+
       if target_version
-        PgSqlTriggers::Migrator.run_down(target_version)
-        PgSqlTriggers::Migrator.run_up(target_version)
-        flash[:success] = "Migration #{target_version} redone successfully."
+        redo_target_migration(target_version, current_version)
       else
-        current_version = PgSqlTriggers::Migrator.current_version
-        if current_version.zero?
-          flash[:warning] = "No migrations to redo."
-          redirect_to root_path
-          return
-        end
-
         PgSqlTriggers::Migrator.run_down
         PgSqlTriggers::Migrator.run_up
         flash[:success] = "Last migration redone successfully."
@@ -98,5 +98,57 @@ module PgSqlTriggers
       flash[:error] = "Failed to redo migration: #{e.message}"
       redirect_to root_path
     end
+
+    private
+
+    def check_operator_permission
+      return if PgSqlTriggers::Permissions.can?(current_actor, :apply_trigger)
+
+      redirect_to root_path, alert: "Insufficient permissions. Operator role required."
+    end
+
+    def redo_target_migration(target_version, current_version)
+      # For redo, we need to rollback the specific migration and re-apply it
+      # If target_version is the current version, rollback the last migration
+      # Otherwise, rollback to one version before target, then run up to target
+      if current_version == target_version
+        # Rollback the last migration (which is the target)
+        PgSqlTriggers::Migrator.run_down
+      elsif current_version > target_version
+        rollback_to_before_target(target_version)
+      else
+        # Target version is not applied yet, just run it up
+        PgSqlTriggers::Migrator.run_up(target_version)
+        flash[:success] = "Migration #{target_version} redone successfully."
+        redirect_to root_path
+        return
+      end
+
+      # Now run up to the target version
+      PgSqlTriggers::Migrator.run_up(target_version)
+      flash.now[:success] = "Migration #{target_version} redone successfully."
+    end
+
+    def rollback_to_before_target(target_version)
+      # Rollback to one version before target (this will rollback target_version too)
+      # Find the migration just before target_version
+      all_migrations = PgSqlTriggers::Migrator.migrations.sort_by(&:version)
+      prev_migration = all_migrations.find { |m| m.version < target_version }
+      if prev_migration
+        # Rollback to the previous migration (this rolls back target_version)
+        PgSqlTriggers::Migrator.run_down(prev_migration.version)
+      else
+        # No previous migration, target_version is the first migration
+        # Rollback all migrations until we're below target_version
+        rollback_until_below_target(target_version)
+      end
+    end
+
+    def rollback_until_below_target(target_version)
+      while PgSqlTriggers::Migrator.current_version >= target_version
+        PgSqlTriggers::Migrator.run_down
+        break if PgSqlTriggers::Migrator.current_version.zero?
+      end
+    end
   end
 end

data/app/controllers/pg_sql_triggers/sql_capsules_controller.rb

@@ -0,0 +1,161 @@
+# frozen_string_literal: true
+
+module PgSqlTriggers
+  class SqlCapsulesController < ApplicationController
+    before_action :check_admin_permission, only: [:execute]
+    before_action :check_operator_permission, only: %i[new create show]
+    before_action :load_capsule, only: %i[show execute]
+
+    def show
+      unless @capsule
+        redirect_to new_sql_capsule_path, alert: "Capsule not found"
+        return
+      end
+
+      @checksum = @capsule.checksum
+      @can_execute = can_execute_capsule?
+    end
+
+    def new
+      @capsule_name = params[:name] || ""
+      @environment = params[:environment] || current_environment
+      @purpose = params[:purpose] || ""
+      @sql = params[:sql] || ""
+    end
+
+    def create
+      # Strip whitespace from parameters
+      @capsule_name = params[:name].to_s.strip
+      @environment = params[:environment].to_s.strip
+      @purpose = params[:purpose].to_s.strip
+      @sql = params[:sql].to_s.strip
+
+      capsule = build_capsule_from_params
+
+      # Save the capsule to registry
+      result = save_capsule_to_registry(capsule)
+
+      if result[:success]
+        redirect_to sql_capsule_path(id: @capsule_name),
+                    notice: "SQL Capsule '#{capsule.name}' created successfully"
+      else
+        flash.now[:alert] = result[:message]
+        render :new
+      end
+    rescue ArgumentError => e
+      flash.now[:alert] = "Invalid capsule: #{e.message}"
+      render :new
+    end
+
+    def execute
+      unless @capsule
+        redirect_to new_sql_capsule_path, alert: "Capsule not found"
+        return
+      end
+
+      # Check kill switch with confirmation
+      check_kill_switch(
+        operation: :execute_sql_capsule,
+        confirmation: params[:confirmation]
+      )
+
+      # Execute the capsule
+      result = PgSqlTriggers::SQL::Executor.execute(
+        @capsule,
+        actor: current_actor,
+        confirmation: params[:confirmation],
+        dry_run: false
+      )
+
+      if result[:success]
+        flash[:notice] = result[:message]
+      else
+        flash[:alert] = result[:message]
+      end
+      redirect_to sql_capsule_path(id: params[:id])
+    rescue PgSqlTriggers::KillSwitchError => e
+      flash[:alert] = "Kill switch blocked execution: #{e.message}"
+      redirect_to sql_capsule_path(id: params[:id])
+    rescue PgSqlTriggers::PermissionError => e
+      flash[:alert] = "Permission denied: #{e.message}"
+      redirect_to sql_capsule_path(id: params[:id])
+    rescue StandardError => e
+      Rails.logger.error("SQL Capsule execution failed: #{e.message}\n#{e.backtrace.join("\n")}")
+      flash[:alert] = "Execution failed: #{e.message}"
+      redirect_to sql_capsule_path(id: params[:id])
+    end
+
+    private
+
+    def check_admin_permission
+      return if PgSqlTriggers::Permissions.can?(current_actor, :execute_sql)
+
+      redirect_to dashboard_path, alert: "Insufficient permissions. Admin role required."
+    end
+
+    def check_operator_permission
+      return if PgSqlTriggers::Permissions.can?(current_actor, :generate_trigger)
+
+      redirect_to dashboard_path, alert: "Insufficient permissions. Operator role required."
+    end
+
+    def build_capsule_from_params
+      PgSqlTriggers::SQL::Capsule.new(
+        name: params[:name].to_s.strip,
+        environment: params[:environment].to_s.strip,
+        purpose: params[:purpose].to_s.strip,
+        sql: params[:sql].to_s.strip
+      )
+    end
+
+    def save_capsule_to_registry(capsule)
+      # Check if capsule already exists
+      existing = PgSqlTriggers::TriggerRegistry.find_by(
+        trigger_name: capsule.registry_trigger_name,
+        source: "manual_sql"
+      )
+
+      if existing
+        return {
+          success: false,
+          message: "A capsule with this name already exists. Please choose a different name."
+        }
+      end
+
+      # Create new registry entry
+      registry_entry = PgSqlTriggers::TriggerRegistry.new(
+        trigger_name: capsule.registry_trigger_name,
+        table_name: "manual_sql_execution",
+        version: Time.current.to_i,
+        checksum: capsule.checksum,
+        source: "manual_sql",
+        function_body: capsule.sql,
+        condition: capsule.purpose,
+        environment: capsule.environment,
+        enabled: false # Not executed yet
+      )
+
+      if registry_entry.save
+        { success: true, message: "Capsule saved successfully" }
+      else
+        { success: false, message: "Failed to save capsule: #{registry_entry.errors.full_messages.join(', ')}" }
+      end
+    rescue StandardError => e
+      Rails.logger.error("Failed to save capsule to registry: #{e.message}")
+      { success: false, message: "Failed to save capsule: #{e.message}" }
+    end
+
+    def load_capsule
+      return if params[:id].blank?
+
+      @capsule = PgSqlTriggers::SQL::Executor.send(
+        :load_capsule_from_registry,
+        params[:id]
+      )
+    end
+
+    def can_execute_capsule?
+      PgSqlTriggers::Permissions.can?(current_actor, :execute_sql)
+    end
+  end
+end

data/app/controllers/pg_sql_triggers/triggers_controller.rb

@@ -0,0 +1,165 @@
+# frozen_string_literal: true
+
+module PgSqlTriggers
+  # Controller for managing individual triggers via web UI
+  # Provides actions to enable and disable triggers
+  class TriggersController < ApplicationController
+    before_action :set_trigger, only: %i[show enable disable drop re_execute]
+    before_action :check_viewer_permission, only: [:show]
+    before_action :check_operator_permission, only: %i[enable disable]
+    before_action :check_admin_permission, only: %i[drop re_execute]
+
+    def show
+      # Load trigger details and drift information
+      @drift_info = calculate_drift_info
+    end
+
+    def enable
+      # Check kill switch before enabling trigger
+      check_kill_switch(operation: :ui_trigger_enable, confirmation: params[:confirmation_text])
+
+      @trigger.enable!(confirmation: params[:confirmation_text])
+      flash[:success] = "Trigger '#{@trigger.trigger_name}' enabled successfully."
+      redirect_to redirect_path
+    rescue PgSqlTriggers::KillSwitchError => e
+      flash[:error] = e.message
+      redirect_to redirect_path
+    rescue StandardError => e
+      Rails.logger.error("Enable failed: #{e.message}\n#{e.backtrace.join("\n")}")
+      flash[:error] = "Failed to enable trigger: #{e.message}"
+      redirect_to redirect_path
+    end
+
+    def disable
+      # Check kill switch before disabling trigger
+      check_kill_switch(operation: :ui_trigger_disable, confirmation: params[:confirmation_text])
+
+      @trigger.disable!(confirmation: params[:confirmation_text])
+      flash[:success] = "Trigger '#{@trigger.trigger_name}' disabled successfully."
+      redirect_to redirect_path
+    rescue PgSqlTriggers::KillSwitchError => e
+      flash[:error] = e.message
+      redirect_to redirect_path
+    rescue StandardError => e
+      Rails.logger.error("Disable failed: #{e.message}\n#{e.backtrace.join("\n")}")
+      flash[:error] = "Failed to disable trigger: #{e.message}"
+      redirect_to redirect_path
+    end
+
+    def drop
+      # Validate required parameters
+      if params[:reason].blank?
+        flash[:error] = "Reason is required for dropping a trigger."
+        redirect_to redirect_path
+        return
+      end
+
+      # Check kill switch before dropping trigger
+      check_kill_switch(operation: :trigger_drop, confirmation: params[:confirmation_text])
+
+      # Drop the trigger
+      @trigger.drop!(
+        reason: params[:reason],
+        confirmation: params[:confirmation_text],
+        actor: current_actor
+      )
+
+      flash[:success] = "Trigger '#{@trigger.trigger_name}' dropped successfully."
+      redirect_to dashboard_path
+    rescue PgSqlTriggers::KillSwitchError => e
+      flash[:error] = e.message
+      redirect_to redirect_path
+    rescue ArgumentError => e
+      flash[:error] = "Invalid request: #{e.message}"
+      redirect_to redirect_path
+    rescue StandardError => e
+      Rails.logger.error("Drop failed: #{e.message}\n#{e.backtrace.join("\n")}")
+      flash[:error] = "Failed to drop trigger: #{e.message}"
+      redirect_to redirect_path
+    end
+
+    def re_execute
+      # Validate required parameters
+      if params[:reason].blank?
+        flash[:error] = "Reason is required for re-executing a trigger."
+        redirect_to redirect_path
+        return
+      end
+
+      # Check kill switch before re-executing trigger
+      check_kill_switch(operation: :trigger_re_execute, confirmation: params[:confirmation_text])
+
+      # Re-execute the trigger
+      @trigger.re_execute!(
+        reason: params[:reason],
+        confirmation: params[:confirmation_text],
+        actor: current_actor
+      )
+
+      flash[:success] = "Trigger '#{@trigger.trigger_name}' re-executed successfully."
+      redirect_to redirect_path
+    rescue PgSqlTriggers::KillSwitchError => e
+      flash[:error] = e.message
+      redirect_to redirect_path
+    rescue ArgumentError => e
+      flash[:error] = "Invalid request: #{e.message}"
+      redirect_to redirect_path
+    rescue StandardError => e
+      Rails.logger.error("Re-execute failed: #{e.message}\n#{e.backtrace.join("\n")}")
+      flash[:error] = "Failed to re-execute trigger: #{e.message}"
+      redirect_to redirect_path
+    end
+
+    private
+
+    def set_trigger
+      @trigger = PgSqlTriggers::TriggerRegistry.find(params[:id])
+    rescue ActiveRecord::RecordNotFound
+      flash[:error] = "Trigger not found."
+      redirect_to root_path
+    end
+
+    def check_viewer_permission
+      return if PgSqlTriggers::Permissions.can?(current_actor, :view_triggers)
+
+      redirect_to root_path, alert: "Insufficient permissions. Viewer role required."
+    end
+
+    def check_operator_permission
+      return if PgSqlTriggers::Permissions.can?(current_actor, :enable_trigger)
+
+      redirect_to root_path, alert: "Insufficient permissions. Operator role required."
+    end
+
+    def check_admin_permission
+      return if PgSqlTriggers::Permissions.can?(current_actor, :drop_trigger)
+
+      redirect_to root_path, alert: "Insufficient permissions. Admin role required."
+    end
+
+    def redirect_path
+      # Redirect back to the referring page if possible, otherwise to dashboard
+      params[:redirect_to].presence || request.referer || root_path
+    end
+
+    def calculate_drift_info
+      # Get drift information for this trigger
+      drift_reporter = PgSqlTriggers::Drift::Reporter.new
+      drift_summary = drift_reporter.summary
+
+      # Find this trigger in the drift summary
+      drifted_triggers = drift_summary[:triggers] || []
+      drift_data = drifted_triggers.find { |t| t[:trigger_name] == @trigger.trigger_name }
+
+      {
+        has_drift: drift_data.present?,
+        drift_type: drift_data&.dig(:drift_type),
+        expected_sql: drift_data&.dig(:expected_sql),
+        actual_sql: drift_data&.dig(:actual_sql)
+      }
+    rescue StandardError => e
+      Rails.logger.error("Failed to calculate drift: #{e.message}")
+      { has_drift: false, drift_type: nil, expected_sql: nil, actual_sql: nil }
+    end
+  end
+end