pg_sql_triggers 1.2.0 → 1.4.0

data/app/controllers/pg_sql_triggers/triggers_controller.rb

@@ -4,10 +4,10 @@ module PgSqlTriggers
   # Controller for managing individual triggers via web UI
   # Provides actions to enable and disable triggers
   class TriggersController < ApplicationController
-    before_action :set_trigger, only: %i[show enable disable drop re_execute]
     before_action :check_viewer_permission, only: [:show]
     before_action :check_operator_permission, only: %i[enable disable]
     before_action :check_admin_permission, only: %i[drop re_execute]
+    before_action :set_trigger, only: %i[show enable disable drop re_execute]
 
     def show
       # Load trigger details and drift information
@@ -18,7 +18,7 @@ module PgSqlTriggers
       # Check kill switch before enabling trigger
       check_kill_switch(operation: :ui_trigger_enable, confirmation: params[:confirmation_text])
 
-      @trigger.enable!(confirmation: params[:confirmation_text])
+      @trigger.enable!(confirmation: params[:confirmation_text], actor: current_actor)
       flash[:success] = "Trigger '#{@trigger.trigger_name}' enabled successfully."
       redirect_to redirect_path
     rescue PgSqlTriggers::KillSwitchError => e
@@ -34,7 +34,7 @@ module PgSqlTriggers
       # Check kill switch before disabling trigger
       check_kill_switch(operation: :ui_trigger_disable, confirmation: params[:confirmation_text])
 
-      @trigger.disable!(confirmation: params[:confirmation_text])
+      @trigger.disable!(confirmation: params[:confirmation_text], actor: current_actor)
       flash[:success] = "Trigger '#{@trigger.trigger_name}' disabled successfully."
       redirect_to redirect_path
     rescue PgSqlTriggers::KillSwitchError => e
@@ -119,24 +119,6 @@ module PgSqlTriggers
       redirect_to root_path
     end
 
-    def check_viewer_permission
-      return if PgSqlTriggers::Permissions.can?(current_actor, :view_triggers)
-
-      redirect_to root_path, alert: "Insufficient permissions. Viewer role required."
-    end
-
-    def check_operator_permission
-      return if PgSqlTriggers::Permissions.can?(current_actor, :enable_trigger)
-
-      redirect_to root_path, alert: "Insufficient permissions. Operator role required."
-    end
-
-    def check_admin_permission
-      return if PgSqlTriggers::Permissions.can?(current_actor, :drop_trigger)
-
-      redirect_to root_path, alert: "Insufficient permissions. Admin role required."
-    end
-
     def redirect_path
       # Redirect back to the referring page if possible, otherwise to dashboard
       params[:redirect_to].presence || request.referer || root_path

data/app/helpers/pg_sql_triggers/permissions_helper.rb

@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+module PgSqlTriggers
+  module PermissionsHelper
+    # Check if the current actor can perform an action
+    #
+    # @param action [Symbol, String] The action to check
+    # @return [Boolean] True if the actor can perform the action
+    def can?(action)
+      PgSqlTriggers::Permissions.can?(current_actor, action, environment: current_environment)
+    end
+
+    # Check if the current actor can view triggers
+    def can_view_triggers?
+      can?(:view_triggers)
+    end
+
+    # Check if the current actor can enable/disable triggers
+    def can_enable_disable_triggers?
+      can?(:enable_trigger)
+    end
+
+    # Check if the current actor can drop triggers
+    def can_drop_triggers?
+      can?(:drop_trigger)
+    end
+
+    # Check if the current actor can execute SQL capsules
+    def can_execute_sql?
+      can?(:execute_sql)
+    end
+
+    # Check if the current actor can generate triggers
+    def can_generate_triggers?
+      can?(:generate_trigger)
+    end
+
+    # Check if the current actor can apply triggers (run migrations)
+    def can_apply_triggers?
+      can?(:apply_trigger)
+    end
+  end
+end

data/app/models/pg_sql_triggers/audit_log.rb

@@ -0,0 +1,106 @@
+# frozen_string_literal: true
+
+module PgSqlTriggers
+  # Audit log model for tracking all trigger operations
+  class AuditLog < PgSqlTriggers::ApplicationRecord
+    self.table_name = "pg_sql_triggers_audit_log"
+
+    # Scopes
+    scope :for_trigger, ->(trigger_name) { where(trigger_name: trigger_name) }
+    scope :for_operation, ->(operation) { where(operation: operation) }
+    scope :for_environment, ->(env) { where(environment: env) }
+    scope :successful, -> { where(status: "success") }
+    scope :failed, -> { where(status: "failure") }
+    scope :recent, -> { order(created_at: :desc) }
+
+    # Validations
+    validates :operation, presence: true
+    validates :status, presence: true, inclusion: { in: %w[success failure] }
+
+    # Class methods for logging operations
+    class << self
+      # Log a successful operation
+      #
+      # @param operation [Symbol, String] The operation being performed
+      # @param trigger_name [String, nil] The trigger name (if applicable)
+      # @param actor [Hash] Information about who performed the action
+      # @param environment [String, nil] The environment
+      # @param reason [String, nil] Reason for the operation
+      # @param confirmation_text [String, nil] Confirmation text used
+      # @param before_state [Hash, nil] State before operation
+      # @param after_state [Hash, nil] State after operation
+      # @param diff [String, nil] Diff information
+      # rubocop:disable Metrics/ParameterLists
+      def log_success(operation:, trigger_name: nil, actor: nil, environment: nil,
+                      reason: nil, confirmation_text: nil, before_state: nil,
+                      after_state: nil, diff: nil)
+        create!(
+          trigger_name: trigger_name,
+          operation: operation.to_s,
+          actor: serialize_actor(actor),
+          environment: environment,
+          status: "success",
+          reason: reason,
+          confirmation_text: confirmation_text,
+          before_state: before_state,
+          after_state: after_state,
+          diff: diff
+        )
+      rescue StandardError => e
+        Rails.logger.error("Failed to log audit entry: #{e.message}") if defined?(Rails.logger)
+        nil
+      end
+      # rubocop:enable Metrics/ParameterLists
+
+      # Log a failed operation
+      #
+      # @param operation [Symbol, String] The operation being performed
+      # @param trigger_name [String, nil] The trigger name (if applicable)
+      # @param actor [Hash] Information about who performed the action
+      # @param environment [String, nil] The environment
+      # @param error_message [String] Error message
+      # @param reason [String, nil] Reason for the operation (if provided before failure)
+      # @param confirmation_text [String, nil] Confirmation text used
+      # @param before_state [Hash, nil] State before operation
+      # rubocop:disable Metrics/ParameterLists
+      def log_failure(operation:, error_message:, trigger_name: nil, actor: nil, environment: nil, reason: nil,
+                      confirmation_text: nil, before_state: nil)
+        create!(
+          trigger_name: trigger_name,
+          operation: operation.to_s,
+          actor: serialize_actor(actor),
+          environment: environment,
+          status: "failure",
+          error_message: error_message,
+          reason: reason,
+          confirmation_text: confirmation_text,
+          before_state: before_state
+        )
+      rescue StandardError => e
+        Rails.logger.error("Failed to log audit entry: #{e.message}") if defined?(Rails.logger)
+        nil
+      end
+      # rubocop:enable Metrics/ParameterLists
+
+      # Get audit log entries for a specific trigger
+      #
+      # @param trigger_name [String] The trigger name
+      # @return [ActiveRecord::Relation] Audit log entries for the trigger
+      def for_trigger_name(trigger_name)
+        for_trigger(trigger_name).recent
+      end
+
+      private
+
+      def serialize_actor(actor)
+        return nil if actor.nil?
+
+        if actor.is_a?(Hash)
+          actor
+        else
+          { type: actor.class.name, id: actor.id.to_s }
+        end
+      end
+    end
+  end
+end

data/app/models/pg_sql_triggers/trigger_registry.rb

@@ -1,6 +1,26 @@
 # frozen_string_literal: true
 
 module PgSqlTriggers
+  # ActiveRecord model representing a trigger in the registry.
+  #
+  # This model tracks all triggers managed by pg_sql_triggers, including their
+  # state, version, checksum, and drift status.
+  #
+  # @example Query triggers
+  #   # Find a trigger
+  #   trigger = PgSqlTriggers::TriggerRegistry.find_by(trigger_name: "users_email_validation")
+  #
+  #   # Check drift status
+  #   trigger.drifted?  # => true/false
+  #   trigger.in_sync?  # => true/false
+  #
+  # @example Enable/disable triggers
+  #   trigger.enable!(actor: current_user, confirmation: "EXECUTE TRIGGER_ENABLE")
+  #   trigger.disable!(actor: current_user, confirmation: "EXECUTE TRIGGER_DISABLE")
+  #
+  # @example Drop and re-execute triggers
+  #   trigger.drop!(reason: "No longer needed", actor: current_user, confirmation: "EXECUTE TRIGGER_DROP")
+  #   trigger.re_execute!(reason: "Fix drift", actor: current_user, confirmation: "EXECUTE TRIGGER_RE_EXECUTE")
   # rubocop:disable Metrics/ClassLength
   class TriggerRegistry < PgSqlTriggers::ApplicationRecord
     self.table_name = "pg_sql_triggers_registry"
@@ -19,36 +39,59 @@ module PgSqlTriggers
     scope :for_environment, ->(env) { where(environment: [env, nil]) }
     scope :by_source, ->(source) { where(source: source) }
 
-    # Drift detection methods
+    # Returns the current drift state of this trigger.
+    #
+    # @return [String] One of: "in_sync", "drifted", "manual_override", "disabled", "dropped", "unknown"
     def drift_state
       result = PgSqlTriggers::Drift.detect(trigger_name)
       result[:state]
     end
 
+    # Returns detailed drift detection result for this trigger.
+    #
+    # @return [Hash] Drift result with keys: :state, :trigger_name, :expected_sql, :actual_sql, etc.
     def drift_result
       PgSqlTriggers::Drift::Detector.detect(trigger_name)
     end
 
+    # Checks if this trigger has drifted from its expected state.
+    #
+    # @return [Boolean] true if trigger has drifted, false otherwise
     def drifted?
       drift_state == PgSqlTriggers::DRIFT_STATE_DRIFTED
     end
 
+    # Checks if this trigger is in sync with its expected state.
+    #
+    # @return [Boolean] true if trigger is in sync, false otherwise
     def in_sync?
       drift_state == PgSqlTriggers::DRIFT_STATE_IN_SYNC
     end
 
+    # Checks if this trigger has been dropped from the database.
+    #
+    # @return [Boolean] true if trigger has been dropped, false otherwise
     def dropped?
       drift_state == PgSqlTriggers::DRIFT_STATE_DROPPED
     end
 
-    def enable!(confirmation: nil)
+    # Enables this trigger in the database and updates the registry.
+    #
+    # @param confirmation [String, nil] Optional confirmation text for kill switch protection
+    # @param actor [Hash, nil] Information about who is performing the action (must have :type and :id keys)
+    # @raise [PgSqlTriggers::KillSwitchError] If kill switch blocks the operation
+    # @return [PgSqlTriggers::TriggerRegistry] self
+    def enable!(confirmation: nil, actor: nil)
+      actor ||= { type: "Console", id: "TriggerRegistry#enable!" }
+      before_state = capture_state
+
       # Check kill switch before enabling trigger
       # Use Rails.env for kill switch check, not the trigger's environment field
       PgSqlTriggers::SQL::KillSwitch.check!(
         operation: :trigger_enable,
         environment: Rails.env,
         confirmation: confirmation,
-        actor: { type: "Console", id: "TriggerRegistry#enable!" }
+        actor: actor
       )
 
       # Check if trigger exists in database before trying to enable it
@@ -71,12 +114,16 @@ module PgSqlTriggers
         rescue ActiveRecord::StatementInvalid, StandardError => e
           # If trigger doesn't exist or can't be enabled, continue to update registry
           Rails.logger.warn("Could not enable trigger: #{e.message}") if defined?(Rails.logger)
+          log_audit_failure(:trigger_enable, actor, e.message, before_state: before_state)
+          raise
         end
       end
 
       # Update the registry record (always update, even if trigger doesn't exist)
       begin
         update!(enabled: true)
+        after_state = capture_state
+        log_audit_success(:trigger_enable, actor, before_state: before_state, after_state: after_state)
       rescue ActiveRecord::StatementInvalid, StandardError => e
         # If update! fails, try update_column which bypasses validations and callbacks
         # and might not use execute in the same way
@@ -85,6 +132,8 @@ module PgSqlTriggers
           # rubocop:disable Rails/SkipsModelValidations
           update_column(:enabled, true)
           # rubocop:enable Rails/SkipsModelValidations
+          after_state = capture_state
+          log_audit_success(:trigger_enable, actor, before_state: before_state, after_state: after_state)
         rescue StandardError => update_error
           # If update_column also fails, just set the in-memory attribute
           # The test might reload, but we've done our best
@@ -92,18 +141,29 @@ module PgSqlTriggers
           Rails.logger.warn("Could not update registry via update_column: #{update_error.message}") if defined?(Rails.logger)
           # rubocop:enable Layout/LineLength
           self.enabled = true
+          after_state = capture_state
+          log_audit_success(:trigger_enable, actor, before_state: before_state, after_state: after_state)
         end
       end
     end
 
-    def disable!(confirmation: nil)
+    # Disables this trigger in the database and updates the registry.
+    #
+    # @param confirmation [String, nil] Optional confirmation text for kill switch protection
+    # @param actor [Hash, nil] Information about who is performing the action (must have :type and :id keys)
+    # @raise [PgSqlTriggers::KillSwitchError] If kill switch blocks the operation
+    # @return [PgSqlTriggers::TriggerRegistry] self
+    def disable!(confirmation: nil, actor: nil)
+      actor ||= { type: "Console", id: "TriggerRegistry#disable!" }
+      before_state = capture_state
+
       # Check kill switch before disabling trigger
       # Use Rails.env for kill switch check, not the trigger's environment field
       PgSqlTriggers::SQL::KillSwitch.check!(
         operation: :trigger_disable,
         environment: Rails.env,
         confirmation: confirmation,
-        actor: { type: "Console", id: "TriggerRegistry#disable!" }
+        actor: actor
       )
 
       # Check if trigger exists in database before trying to disable it
@@ -126,12 +186,16 @@ module PgSqlTriggers
         rescue ActiveRecord::StatementInvalid, StandardError => e
           # If trigger doesn't exist or can't be disabled, continue to update registry
           Rails.logger.warn("Could not disable trigger: #{e.message}") if defined?(Rails.logger)
+          log_audit_failure(:trigger_disable, actor, e.message, before_state: before_state)
+          raise
         end
       end
 
       # Update the registry record (always update, even if trigger doesn't exist)
       begin
         update!(enabled: false)
+        after_state = capture_state
+        log_audit_success(:trigger_disable, actor, before_state: before_state, after_state: after_state)
       rescue ActiveRecord::StatementInvalid, StandardError => e
         # If update! fails, try update_column which bypasses validations and callbacks
         # and might not use execute in the same way
@@ -140,6 +204,8 @@ module PgSqlTriggers
           # rubocop:disable Rails/SkipsModelValidations
           update_column(:enabled, false)
           # rubocop:enable Rails/SkipsModelValidations
+          after_state = capture_state
+          log_audit_success(:trigger_disable, actor, before_state: before_state, after_state: after_state)
         rescue StandardError => update_error
           # If update_column also fails, just set the in-memory attribute
           # The test might reload, but we've done our best
@@ -147,17 +213,30 @@ module PgSqlTriggers
           Rails.logger.warn("Could not update registry via update_column: #{update_error.message}") if defined?(Rails.logger)
           # rubocop:enable Layout/LineLength
           self.enabled = false
+          after_state = capture_state
+          log_audit_success(:trigger_disable, actor, before_state: before_state, after_state: after_state)
         end
       end
     end
 
+    # Drops this trigger from the database and removes it from the registry.
+    #
+    # @param reason [String] Required reason for dropping the trigger
+    # @param confirmation [String, nil] Optional confirmation text for kill switch protection
+    # @param actor [Hash, nil] Information about who is performing the action (must have :type and :id keys)
+    # @raise [ArgumentError] If reason is missing or empty
+    # @raise [PgSqlTriggers::KillSwitchError] If kill switch blocks the operation
+    # @return [true] If drop succeeds
     def drop!(reason:, confirmation: nil, actor: nil)
+      actor ||= { type: "Console", id: "TriggerRegistry#drop!" }
+      before_state = capture_state
+
       # Check kill switch before dropping trigger
       PgSqlTriggers::SQL::KillSwitch.check!(
         operation: :trigger_drop,
         environment: Rails.env,
         confirmation: confirmation,
-        actor: actor || { type: "Console", id: "TriggerRegistry#drop!" }
+        actor: actor
       )
 
       # Validate reason is provided
@@ -170,21 +249,42 @@ module PgSqlTriggers
         drop_trigger_from_database
         destroy!
         log_drop_success
+        log_audit_success(:trigger_drop, actor, reason: reason, confirmation_text: confirmation,
+                                                before_state: before_state, after_state: { status: "dropped" })
       end
+    rescue StandardError => e
+      log_audit_failure(:trigger_drop, actor, e.message, reason: reason,
+                                                         confirmation_text: confirmation, before_state: before_state)
+      raise
     end
 
+    # Re-executes this trigger by dropping and recreating it.
+    #
+    # @param reason [String] Required reason for re-executing the trigger
+    # @param confirmation [String, nil] Optional confirmation text for kill switch protection
+    # @param actor [Hash, nil] Information about who is performing the action (must have :type and :id keys)
+    # @raise [ArgumentError] If reason is missing or empty, or if function_body is blank
+    # @raise [PgSqlTriggers::KillSwitchError] If kill switch blocks the operation
+    # @return [PgSqlTriggers::TriggerRegistry] self
     def re_execute!(reason:, confirmation: nil, actor: nil)
+      actor ||= { type: "Console", id: "TriggerRegistry#re_execute!" }
+      before_state = capture_state
+      drift_info = begin
+        drift_result
+      rescue StandardError
+        nil
+      end
+
       # Check kill switch before re-executing trigger
       PgSqlTriggers::SQL::KillSwitch.check!(
         operation: :trigger_re_execute,
         environment: Rails.env,
         confirmation: confirmation,
-        actor: actor || { type: "Console", id: "TriggerRegistry#re_execute!" }
+        actor: actor
       )
 
       # Validate reason is provided
       raise ArgumentError, "Reason is required" if reason.nil? || reason.to_s.strip.empty?
-      raise StandardError, "Cannot re-execute: missing function_body" if function_body.blank?
 
       log_re_execute_attempt(reason)
 
@@ -193,7 +293,18 @@ module PgSqlTriggers
         drop_existing_trigger_for_re_execute
         recreate_trigger
         update_registry_after_re_execute
+        after_state = capture_state
+        diff = drift_info ? "#{drift_info[:expected_sql]} -> #{after_state[:function_body]}" : nil
+        log_audit_success(:trigger_re_execute, actor, reason: reason, confirmation_text: confirmation,
+                                                      before_state: before_state, after_state: after_state, diff: diff)
       end
+    rescue StandardError => e
+      log_audit_failure(
+        :trigger_re_execute, actor, e.message, reason: reason,
+                                               confirmation_text: confirmation,
+                                               before_state: before_state
+      )
+      raise
     end
 
     private
@@ -209,7 +320,8 @@ module PgSqlTriggers
         version,
         function_body || "",
         condition || "",
-        timing || "before"
+        timing || "before",
+        for_each || "row"
       ].join)
     end
 
@@ -281,17 +393,110 @@ module PgSqlTriggers
     end
 
     def recreate_trigger
-      ActiveRecord::Base.connection.execute(function_body)
-      Rails.logger.info "[TRIGGER_RE_EXECUTE] Re-created trigger" if defined?(Rails.logger)
+      sql = function_body.presence || build_trigger_sql_from_definition
+      raise StandardError, "Cannot re-execute: missing function_body" if sql.blank?
+
+      ActiveRecord::Base.connection.execute(sql)
+      if defined?(Rails) && Rails.respond_to?(:logger) && Rails.logger
+        Rails.logger.info "[TRIGGER_RE_EXECUTE] Re-created trigger"
+      end
     rescue ActiveRecord::StatementInvalid, StandardError => e
-      Rails.logger.error("[TRIGGER_RE_EXECUTE] Failed: #{e.message}") if defined?(Rails.logger)
+      if defined?(Rails) && Rails.respond_to?(:logger) && Rails.logger
+        Rails.logger.error("[TRIGGER_RE_EXECUTE] Failed: #{e.message}")
+      end
       raise
     end
 
+    # Build a CREATE TRIGGER SQL statement from the stored DSL definition JSON.
+    # Used by re_execute! when function_body is absent (the normal case for DSL triggers).
+    def build_trigger_sql_from_definition
+      return nil if definition.blank?
+
+      defn = JSON.parse(definition)
+      fn_name = defn["function_name"]
+      return nil if fn_name.blank?
+
+      t_name      = table_name
+      timing_kw   = (defn["timing"] || timing || "BEFORE").upcase
+      events      = Array(defn["events"]).map { |e| e.to_s.upcase }.join(" OR ")
+      events      = "INSERT" if events.blank?
+      cond        = defn["condition"] || condition
+      for_each_kw = (defn["for_each"] || for_each || "row").upcase
+
+      sql = "CREATE TRIGGER #{quote_identifier(trigger_name)} "
+      sql += "#{timing_kw} #{events} ON #{quote_identifier(t_name)} "
+      sql += "FOR EACH #{for_each_kw} "
+      sql += "WHEN (#{cond}) " if cond.present?
+      sql += "EXECUTE FUNCTION #{fn_name}();"
+      sql
+    rescue JSON::ParserError
+      nil
+    end
+
     def update_registry_after_re_execute
-      update!(enabled: true, last_executed_at: Time.current)
+      update!(last_executed_at: Time.current)
+      if !enabled && ActiveRecord::Base.connection.table_exists?(table_name)
+        quoted_table   = quote_identifier(table_name)
+        quoted_trigger = quote_identifier(trigger_name)
+        ActiveRecord::Base.connection.execute(
+          "ALTER TABLE #{quoted_table} DISABLE TRIGGER #{quoted_trigger};"
+        )
+      end
       Rails.logger.info "[TRIGGER_RE_EXECUTE] Updated registry" if defined?(Rails.logger)
     end
+
+    # Audit logging helpers
+    def capture_state
+      {
+        enabled: enabled,
+        version: version,
+        checksum: checksum,
+        table_name: table_name,
+        source: source,
+        environment: environment,
+        installed_at: installed_at&.iso8601,
+        function_body: function_body
+      }
+    end
+
+    # rubocop:disable Metrics/ParameterLists
+    def log_audit_success(operation, actor, reason: nil, confirmation_text: nil,
+                          before_state: nil, after_state: nil, diff: nil)
+      return unless defined?(PgSqlTriggers::AuditLog)
+
+      PgSqlTriggers::AuditLog.log_success(
+        operation: operation,
+        trigger_name: trigger_name,
+        actor: actor,
+        environment: Rails.env,
+        reason: reason,
+        confirmation_text: confirmation_text,
+        before_state: before_state,
+        after_state: after_state,
+        diff: diff
+      )
+    rescue StandardError => e
+      Rails.logger.error("Failed to log audit entry: #{e.message}") if defined?(Rails.logger)
+    end
+
+    def log_audit_failure(operation, actor, error_message, reason: nil,
+                          confirmation_text: nil, before_state: nil)
+      return unless defined?(PgSqlTriggers::AuditLog)
+
+      PgSqlTriggers::AuditLog.log_failure(
+        operation: operation,
+        trigger_name: trigger_name,
+        actor: actor,
+        environment: Rails.env,
+        error_message: error_message,
+        reason: reason,
+        confirmation_text: confirmation_text,
+        before_state: before_state
+      )
+    rescue StandardError => e
+      Rails.logger.error("Failed to log audit entry: #{e.message}") if defined?(Rails.logger)
+    end
+    # rubocop:enable Metrics/ParameterLists
   end
   # rubocop:enable Metrics/ClassLength
 end

data/app/views/layouts/pg_sql_triggers/application.html.erb

@@ -18,7 +18,7 @@
       <div>
         <%= link_to "Dashboard", root_path, style: "color: white; margin-right: 1rem;" %>
         <%= link_to "Tables", tables_path, style: "color: white; margin-right: 1rem;" %>
-        <%= link_to "Generator", new_generator_path, style: "color: white;" %>
+        <%= link_to "Audit Log", audit_logs_path, style: "color: white;" %>
       </div>
     </div>
   </nav>
@@ -35,7 +35,7 @@
     <% if flash[:error] %>
       <div style="background: #f8d7da; color: #721c24; padding: 1rem; margin-bottom: 1rem; border-radius: 4px; border-left: 4px solid #dc3545;">
         <% error_message = flash[:error].to_s %>
-        <% if error_message.include?("Kill switch is active") %>
+        <% if error_message.include?("Kill switch is active") || error_message.include?("KILL_SWITCH") %>
           <%# Format kill switch error messages nicely %>
           <% lines = error_message.split("\n") %>
 
@@ -55,16 +55,35 @@
 
           <%# Instructions section with preserved formatting %>
           <div style="margin-top: 0.5rem;">
-            <%# Extract and format the instructions portion %>
-            <% instructions_start = error_message.index("To override") || 0 %>
-            <% instructions_text = error_message[instructions_start..-1] %>
+            <%# Extract and format the instructions/recovery portion %>
+            <% recovery_start = error_message.index("Recovery:") || error_message.index("To override") || 0 %>
+            <% recovery_text = error_message[recovery_start..-1] %>
+            <% if recovery_text.start_with?("Recovery:") %>
+              <% recovery_text = recovery_text.sub("Recovery:", "").strip %>
+            <% end %>
             <div style="white-space: pre-wrap; word-wrap: break-word; font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, 'Helvetica Neue', Arial, sans-serif; line-height: 1.6;">
-              <%= instructions_text.strip %>
+              <%= recovery_text.strip %>
+            </div>
+          </div>
+        <% elsif error_message.include?("Permission denied") || error_message.include?("PERMISSION_DENIED") %>
+          <%# Format permission error messages %>
+          <div style="display: flex; align-items: flex-start; margin-bottom: 0.5rem;">
+            <span style="font-size: 1.5em; margin-right: 0.75rem;">🔒</span>
+            <div style="flex: 1;">
+              <div style="font-weight: bold; font-size: 1.1em; margin-bottom: 0.5rem;">Permission Denied</div>
+              <div style="white-space: pre-wrap; word-wrap: break-word;"><%= error_message %></div>
             </div>
           </div>
         <% else %>
           <%# Regular error message - preserve formatting %>
           <div style="white-space: pre-wrap; word-wrap: break-word;"><%= error_message %></div>
+          <% if Rails.env.development? && defined?(exception) && exception %>
+            <%# Show stack trace in development %>
+            <details style="margin-top: 1rem; padding-top: 1rem; border-top: 1px solid #f5c6cb;">
+              <summary style="cursor: pointer; font-weight: bold; color: #721c24;">Stack Trace (Development Only)</summary>
+              <pre style="background: rgba(0,0,0,0.05); padding: 0.5rem; margin-top: 0.5rem; border-radius: 4px; overflow-x: auto; font-size: 0.85em;"><%= exception.backtrace.first(10).join("\n") %></pre>
+            </details>
+          <% end %>
         <% end %>
       </div>
     <% end %>