plutonium 0.37.0 → 0.38.0

data/lib/plutonium/resource/controllers/presentable.rb

@@ -24,16 +24,18 @@ module Plutonium
         end
 
         def submittable_attributes
-          @submittable_attributes ||= begin
-            submittable_attributes = permitted_attributes
-            if current_parent && !submit_parent?
-              submittable_attributes -= [parent_input_param, :"#{parent_input_param}_id"]
-            end
-            if scoped_to_entity? && !submit_scoped_entity?
-              submittable_attributes -= [scoped_entity_param_key, :"#{scoped_entity_param_key}_id"]
-            end
-            submittable_attributes
+          @submittable_attributes ||= submittable_attributes_for(action_name)
+        end
+
+        def submittable_attributes_for(action)
+          submittable_attributes = permitted_attributes_for(action)
+          if current_parent && !submit_parent?
+            submittable_attributes -= [parent_input_param, :"#{parent_input_param}_id"]
+          end
+          if scoped_to_entity? && !submit_scoped_entity?
+            submittable_attributes -= [scoped_entity_param_key, :"#{scoped_entity_param_key}_id"]
           end
+          submittable_attributes
         end
 
         def build_collection
@@ -44,8 +46,8 @@ module Plutonium
           current_definition.detail_class.new(resource_record!, resource_fields: presentable_attributes, resource_associations: permitted_associations, resource_definition: current_definition)
         end
 
-        def build_form(record = resource_record!)
-          current_definition.form_class.new(record, resource_fields: submittable_attributes, resource_definition: current_definition)
+        def build_form(record = resource_record!, action: action_name)
+          current_definition.form_class.new(record, resource_fields: submittable_attributes_for(action), resource_definition: current_definition)
         end
 
         def present_parent? = false

data/lib/plutonium/resource/policy.rb

@@ -8,11 +8,82 @@ module Plutonium
     class Policy < ::ActionPolicy::Base
       authorize :user, allow_nil: false
       authorize :entity_scope, allow_nil: true
+      authorize :parent, optional: true
+      authorize :parent_association, optional: true
 
       relation_scope do |relation|
-        next relation unless entity_scope
+        default_relation_scope(relation)
+      end
+
+      # Wraps apply_scope to verify default_relation_scope was called.
+      # This prevents accidental multi-tenancy leaks when overriding relation_scope.
+      def apply_scope(relation, type:, **options)
+        @_default_relation_scope_applied = false
+        result = super
+        verify_default_relation_scope_applied! if type == :active_record_relation
+        result
+      end
 
-        relation.associated_with(entity_scope)
+      # Explicitly skip the default relation scope verification.
+      #
+      # Call this when you intentionally want to bypass parent/entity scoping.
+      # This should be rare - consider using a separate portal instead.
+      #
+      # @example Skipping default scoping (use sparingly)
+      #   relation_scope do |relation|
+      #     skip_default_relation_scope!
+      #     relation.where(featured: true)  # No parent/entity scoping
+      #   end
+      def skip_default_relation_scope!
+        @_default_relation_scope_applied = true
+      end
+
+      # Applies Plutonium's default scoping (parent or entity) to a relation.
+      #
+      # This method MUST be called in any custom relation_scope to ensure proper
+      # parent/entity scoping. Failure to call it will raise an error.
+      #
+      # @example Overriding inherited scope while keeping default scoping
+      #   # Parent policy has custom filtering you want to replace
+      #   class AdminPostPolicy < PostPolicy
+      #     relation_scope do |relation|
+      #       # Replace inherited scope but keep Plutonium's parent/entity scoping
+      #       default_relation_scope(relation)
+      #     end
+      #   end
+      #
+      # @example Adding filtering on top of default scoping
+      #   relation_scope do |relation|
+      #     default_relation_scope(relation).where(published: true)
+      #   end
+      #
+      # @param relation [ActiveRecord::Relation] The relation to scope
+      # @return [ActiveRecord::Relation] The scoped relation
+      def default_relation_scope(relation)
+        @_default_relation_scope_applied = true
+
+        if parent || parent_association
+          unless parent && parent_association
+            raise ArgumentError, "parent and parent_association must both be provided together"
+          end
+
+          # Parent association scoping (nested routes)
+          # The parent was already entity-scoped during authorization, so children
+          # accessed through the parent don't need additional entity scoping
+          assoc_reflection = parent.class.reflect_on_association(parent_association)
+          if assoc_reflection.collection?
+            # has_many: merge with the association's scope
+            parent.public_send(parent_association).merge(relation)
+          else
+            # has_one: scope by foreign key
+            relation.where(assoc_reflection.foreign_key => parent.id)
+          end
+        elsif entity_scope
+          # Entity scoping (multi-tenancy)
+          relation.associated_with(entity_scope)
+        else
+          relation
+        end
       end
 
       # Sends a method and raises an error if the method is not implemented.
@@ -162,6 +233,18 @@ module Plutonium
         record.instance_of?(Class) ? record : record.class
       end
 
+      # Verifies that default_relation_scope was called during scope application.
+      # Raises an error if it wasn't, preventing accidental multi-tenancy leaks.
+      def verify_default_relation_scope_applied!
+        return if @_default_relation_scope_applied
+
+        raise <<~MSG.squish
+          #{self.class.name} did not call `default_relation_scope` in its relation_scope.
+          This can cause multi-tenancy leaks. Either call `default_relation_scope(relation)`
+          or `super(relation)` in your relation_scope block.
+        MSG
+      end
+
       # Autodetects the permitted fields for a given method.
       #
       # @param method_name [Symbol] The name of the method.

data/lib/plutonium/resource/record/routes.rb

@@ -12,10 +12,40 @@ module Plutonium
         end
 
         class_methods do
+          # Returns metadata for has_many associations that can be routed
+          # @return [Array<Hash>] Array of hashes with :name, :klass, :plural keys
+          def routable_has_many_associations
+            return @routable_has_many_associations if defined?(@routable_has_many_associations) && !Rails.env.local?
+
+            @routable_has_many_associations = reflect_on_all_associations(:has_many).map do |assoc|
+              {name: assoc.name, klass: assoc.klass, plural: assoc.klass.model_name.plural}
+            end
+          end
+
+          # Returns metadata for has_one associations that can be routed
+          # @return [Array<Hash>] Array of hashes with :name, :klass, :plural keys
+          def routable_has_one_associations
+            return @routable_has_one_associations if defined?(@routable_has_one_associations) && !Rails.env.local?
+
+            @routable_has_one_associations = reflect_on_all_associations(:has_one)
+              .reject { |assoc| assoc.options[:through] }
+              .map do |assoc|
+                {name: assoc.name, klass: assoc.klass, plural: assoc.klass.model_name.plural}
+              end
+          end
+
+          # @deprecated Use routable_has_many_associations instead
           def has_many_association_routes
             return @has_many_association_routes if defined?(@has_many_association_routes) && !Rails.env.local?
 
-            @has_many_association_routes = reflect_on_all_associations(:has_many).map { |assoc| assoc.klass.model_name.plural }
+            @has_many_association_routes = routable_has_many_associations.map { |info| info[:plural] }
+          end
+
+          # @deprecated Use routable_has_one_associations instead
+          def has_one_association_routes
+            return @has_one_association_routes if defined?(@has_one_association_routes) && !Rails.env.local?
+
+            @has_one_association_routes = routable_has_one_associations.map { |info| info[:plural] }
           end
 
           def all_nested_attributes_options

data/lib/plutonium/routing/mapper_extensions.rb

@@ -2,6 +2,9 @@
 
 module Plutonium
   module Routing
+    # Prefix used for nested resource routes to disambiguate from user-defined routes
+    NESTED_ROUTE_PREFIX = "nested_"
+
     # MapperExtensions module provides additional functionality for route mapping in Plutonium applications.
     #
     # This module extends the functionality of Rails' routing mapper to support Plutonium-specific features,
@@ -77,10 +80,43 @@ module Plutonium
       # @param resource [Class] The parent resource class.
       # @return [void]
       def define_nested_resource_routes(resource)
-        nested_configs = route_set.resource_route_config_for(*resource.has_many_association_routes)
-        nested_configs.each do |nested_config|
-          resources "nested_#{nested_config[:route_name]}", **nested_config[:route_options] do
-            instance_exec(&nested_config[:block]) if nested_config[:block]
+        # has_many associations use plural routes
+        resource.routable_has_many_associations.each do |assoc_info|
+          base_config = route_set.resource_route_config_for(assoc_info[:plural])[0]
+          next unless base_config
+
+          # Register with association-based key: "parent_plural/association_name"
+          nested_key = "#{resource.model_name.plural}/#{assoc_info[:name]}"
+          nested_config = base_config.merge(
+            association_name: assoc_info[:name],
+            resource_class: assoc_info[:klass]
+          )
+          route_set.resource_route_config_lookup[nested_key] = nested_config
+
+          resources "#{NESTED_ROUTE_PREFIX}#{assoc_info[:name]}", **base_config[:route_options].except(:path) do
+            instance_exec(&base_config[:block]) if base_config[:block]
+          end
+        end
+
+        # has_one associations use singular routes
+        resource.routable_has_one_associations.each do |assoc_info|
+          base_config = route_set.resource_route_config_for(assoc_info[:plural])[0]
+          next unless base_config
+
+          # Register with association-based key and singular route type
+          nested_key = "#{resource.model_name.plural}/#{assoc_info[:name]}"
+          nested_config = base_config.merge(
+            route_type: :resource,
+            association_name: assoc_info[:name],
+            resource_class: assoc_info[:klass]
+          )
+          route_set.resource_route_config_lookup[nested_key] = nested_config
+
+          resource "#{NESTED_ROUTE_PREFIX}#{assoc_info[:name]}", **base_config[:route_options].except(:path) do
+            original_collection = method(:collection)
+            define_singleton_method(:collection) { |&_| } # no-op for singular resources
+            instance_exec(&base_config[:block]) if base_config[:block]
+            define_singleton_method(:collection, original_collection)
           end
         end
       end

data/lib/plutonium/routing/route_set_extensions.rb

@@ -83,6 +83,8 @@ module Plutonium
       end
 
       # @return [Hash] A lookup table for resource route configurations.
+      # Keys are either plural names (e.g., "profiles") for top-level routes
+      # or "parent_plural/child_plural" (e.g., "users/profiles") for nested routes.
       def resource_route_config_lookup
         @resource_route_config_lookup ||= {}
       end
@@ -107,6 +109,7 @@ module Plutonium
       # @return [Hash] The complete resource configuration.
       def create_resource_config(resource, route_name, concern_name, options = {}, &block)
         {
+          resource_class: resource,
           route_type: options[:singular] ? :resource : :resources,
           route_name: route_name,
           concern_name: concern_name,

data/lib/plutonium/ui/breadcrumbs.rb

@@ -101,7 +101,7 @@ module Plutonium
                       d: "m1 9 4-4-4-4"
                     )
                   end
-                  link_to resource_name_plural(resource_class),
+                  link_to helpers.nestable_resource_name_plural(resource_class),
                     resource_url_for(resource_class),
                     class: "ms-1 text-sm font-medium text-[var(--pu-text-muted)] hover:text-primary-600 md:ms-2 transition-colors"
                 end

data/lib/plutonium/ui/display/resource.rb

@@ -48,11 +48,14 @@ module Plutonium
 
             title = object.class.human_attribute_name(name)
             src = case reflection.macro
-            when :belongs_to, :has_one
+            when :belongs_to
               associated = object.public_send name
               resource_url_for(associated, parent: nil) if associated
+            when :has_one
+              associated = object.public_send name
+              resource_url_for(associated, parent: object, association: name)
             when :has_many
-              resource_url_for(reflection.klass, parent: object)
+              resource_url_for(reflection.klass, parent: object, association: name)
             end
 
             next unless src

data/lib/plutonium/ui/form/components/key_value_store.rb

@@ -60,6 +60,12 @@ module Plutonium
           end
 
           def render_key_value_pairs
+            # Hidden sentinel input ensures the field is always present in params when the
+            # component is rendered. Without this, removing all pairs would submit nothing,
+            # making it impossible to distinguish "field not in form" from "field cleared".
+            # This allows normalize_input to return nil (preserve existing) vs {} (clear field).
+            input(type: :hidden, name: "#{field_name}[_submitted]", value: "1", autocomplete: "off", hidden: true)
+
             div(class: "key-value-pairs space-y-2", data_key_value_store_target: "container") do
               pairs.each_with_index do |(key, value), index|
                 render_key_value_pair(key, value, index)
@@ -196,19 +202,25 @@ module Plutonium
             attributes.fetch(:limit, DEFAULT_LIMIT)
           end
 
-          # Override from ExtractsInput concern to normalize form parameters
+          # Override from ExtractsInput concern to normalize form parameters.
+          # Returns nil if field wasn't submitted (preserves existing value),
+          # or a Hash (possibly empty) if the field was in the form.
           def normalize_input(input_value)
             case input_value
             when Hash
-              if input_value.keys.all? { |k| k.to_s.match?(/^\d+$/) }
+              # Remove the sentinel key before processing
+              params = input_value.except("_submitted", :_submitted)
+
+              if params.keys.all? { |k| k.to_s.match?(/^\d+$/) }
                 # Handle indexed form params: {"0" => {"key" => "foo", "value" => "bar"}}
-                process_indexed_params(input_value)
+                process_indexed_params(params)
               else
                 # Handle direct hash params
-                input_value.reject { |k, v| k.blank? || (v.blank? && v != false) }
+                params.reject { |k, v| k.blank? || (v.blank? && v != false) }
               end
             when nil
-              {}
+              # Field was not submitted at all - preserve existing value
+              nil
             end
           end
 

data/lib/plutonium/ui/page/index.rb

@@ -7,7 +7,7 @@ module Plutonium
         private
 
         def page_title
-          super || current_definition.index_page_title || resource_name_plural(resource_class)
+          super || current_definition.index_page_title || helpers.nestable_resource_name_plural(resource_class)
         end
 
         def page_description

data/lib/plutonium/version.rb

@@ -1,5 +1,5 @@
 module Plutonium
-  VERSION = "0.37.0"
+  VERSION = "0.38.0"
   NEXT_MAJOR_VERSION = VERSION.split(".").tap { |v|
     v[1] = v[1].to_i + 1
     v[2] = 0

data/lib/tasks/release.rake

@@ -102,7 +102,7 @@ namespace :release do
   desc "Build front-end assets"
   task :build_frontend do
     puts "Building front-end assets..."
-    system("npm run build") || abort("Front-end build failed")
+    system("yarn build") || abort("Front-end build failed")
     puts "✓ Built front-end assets"
   end
 

data/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@radioactive-labs/plutonium",
-  "version": "0.37.0",
+  "version": "0.38.0",
   "description": "Build production-ready Rails apps in minutes, not days. Convention-driven, fully customizable, AI-ready.",
   "type": "module",
   "main": "src/js/core.js",
@@ -33,6 +33,7 @@
     "@tailwindcss/forms": "^0.5.10",
     "@tailwindcss/postcss": "^4.0.9",
     "@tailwindcss/typography": "^0.5.16",
+    "chokidar-cli": "^3.0.0",
     "concurrently": "^8.2.2",
     "cssnano": "^7.0.2",
     "esbuild": "^0.20.1",
@@ -48,10 +49,10 @@
     "vitepress-plugin-mermaid": "^2.0.17"
   },
   "scripts": {
-    "dev": "concurrently \"npm run css:dev\" \"npm run js:dev\"",
-    "build": "npm run js:prod && npm run css:prod",
-    "prepare": "npm run build",
-    "css:dev": "postcss src/css/plutonium.entry.css -o src/build/plutonium.css --watch --dev",
+    "dev": "concurrently \"yarn css:dev\" \"yarn js:dev\"",
+    "build": "yarn js:prod && yarn css:prod",
+    "prepare": "yarn build",
+    "css:dev": "chokidar \"src/css/**/*.css\" \"src/js/**/*.js\" \"app/views/**/*.{rb,erb,js}\" \"lib/plutonium/**/*.rb\" -c \"postcss src/css/plutonium.entry.css -o src/build/plutonium.css --dev\" --initial",
     "js:dev": "node esbuild.config.js --dev",
     "css:prod": "postcss src/css/plutonium.entry.css -o app/assets/plutonium.css && postcss src/css/plutonium.entry.css -o src/dist/css/plutonium.css",
     "js:prod": "node esbuild.config.js",

data/plutonium.gemspec

@@ -44,7 +44,7 @@ Gem::Specification.new do |spec|
   spec.add_dependency "phlex-rails"
   spec.add_dependency "phlex-tabler_icons"
   spec.add_dependency "phlexi-field", ">= 0.2.0"
-  spec.add_dependency "phlexi-form", ">= 0.13.0"
+  spec.add_dependency "phlexi-form", ">= 0.14.0"
   spec.add_dependency "phlexi-table", ">= 0.2.0"
   spec.add_dependency "phlexi-display", ">= 0.2.0"
   spec.add_dependency "phlexi-menu", ">= 0.4.0"

data/src/js/controllers/key_value_store_controller.js

@@ -25,6 +25,7 @@ export default class extends Controller {
     this.updatePairIndices(newPair, index)
 
     this.containerTarget.appendChild(newPair)
+    this.updateIndices()
     this.updateAddButtonState()
 
     // Focus on the key input of the new pair
@@ -52,9 +53,11 @@ export default class extends Controller {
 
       if (keyInput) {
         keyInput.name = keyInput.name.replace(/\[\d+\]/, `[${index}]`)
+        keyInput.id = keyInput.id.replace(/_\d+_/, `_${index}_`)
       }
       if (valueInput) {
         valueInput.name = valueInput.name.replace(/\[\d+\]/, `[${index}]`)
+        valueInput.id = valueInput.id.replace(/_\d+_/, `_${index}_`)
       }
     })
   }
@@ -65,6 +68,9 @@ export default class extends Controller {
       if (input.name) {
         input.name = input.name.replace('__INDEX__', index)
       }
+      if (input.id) {
+        input.id = input.id.replace('___INDEX___', `_${index}_`)
+      }
     })
   }
 

data/src/js/controllers/resource_drop_down_controller.js

@@ -42,14 +42,14 @@ export default class extends Controller {
           {
             name: 'flip',
             options: {
-              fallbackPlacements: ['left-end', 'right-start', 'right-end', 'bottom-start', 'bottom-end', 'top-start', 'top-end'],
-              boundary: 'clippingParents',
+              fallbackPlacements: ['bottom-end', 'bottom-start', 'top', 'top-end', 'top-start'],
+              boundary: 'viewport',
             },
           },
           {
             name: 'preventOverflow',
             options: {
-              boundary: 'clippingParents',
+              boundary: 'viewport',
               altAxis: true,
               padding: 8,
             },