plutonium 0.42.0 → 0.43.1

data/lib/generators/pu/saas/membership_generator.rb

@@ -39,14 +39,14 @@ module Pu
 
       def validate_models_exist!
         user_model_path = File.join("app", "models", "#{normalized_user_name}.rb")
-        entity_model_path = File.join("app", "models", "#{normalized_entity_name}.rb")
+        entity_model_path = File.join(dest_root, "app", "models", "#{full_entity_path}.rb")
 
         unless File.exist?(Rails.root.join(user_model_path))
           raise "User model '#{normalized_user_name}' does not exist at #{user_model_path}. Please create it first with: rails g pu:saas:user #{options[:user]}"
         end
 
-        unless File.exist?(Rails.root.join(entity_model_path))
-          raise "Entity model '#{normalized_entity_name}' does not exist at #{entity_model_path}. Please create it first with: rails g pu:saas:entity #{options[:entity]}"
+        unless File.exist?(entity_model_path)
+          raise "Entity model '#{full_entity_path}' does not exist at #{entity_model_path}. Please create it first with: rails g pu:saas:entity #{options[:entity]}"
         end
       end
 
@@ -63,7 +63,7 @@ module Pu
         return unless migration_file
 
         insert_into_file migration_file,
-          indent("add_index :#{membership_table_name}, [:#{normalized_entity_name}_id, :#{normalized_user_name}_id], unique: true\n", 4),
+          indent("add_index :#{full_membership_table_name}, [:#{normalized_entity_name}_id, :#{normalized_user_name}_id], unique: true\n", 4),
           before: /^  end\s*$/
       end
 
@@ -78,18 +78,18 @@ module Pu
       end
 
       def add_role_enum_to_model
-        model_file = File.join("app", "models", "#{membership_model_name}.rb")
+        model_file = File.join(dest_root, "app", "models", "#{full_membership_path}.rb")
 
-        return unless File.exist?(Rails.root.join(model_file))
+        return unless File.exist?(model_file)
 
         enum_definition = "enum :role, #{roles_enum}\n"
         insert_into_file model_file, indent(enum_definition, 2), before: /^\s*# add enums above\./
       end
 
       def add_unique_validation_to_model
-        model_file = File.join("app", "models", "#{membership_model_name}.rb")
+        model_file = File.join(dest_root, "app", "models", "#{full_membership_path}.rb")
 
-        return unless File.exist?(Rails.root.join(model_file))
+        return unless File.exist?(model_file)
 
         validation = "validates :#{normalized_user_name}, uniqueness: {scope: :#{normalized_entity_name}_id, message: \"is already a member of this #{normalized_entity_name.humanize.downcase}\"}\n"
         insert_into_file model_file, indent(validation, 2), before: /^\s*# add validations above\./
@@ -101,9 +101,9 @@ module Pu
       end
 
       def add_association_to_entity_model
-        entity_model_path = File.join("app", "models", "#{normalized_entity_name}.rb")
+        entity_model_path = File.join(dest_root, "app", "models", "#{full_entity_path}.rb")
 
-        return unless File.exist?(Rails.root.join(entity_model_path))
+        return unless File.exist?(entity_model_path)
 
         associations = <<~RUBY
           has_many :#{membership_table_name}, dependent: :destroy
@@ -117,17 +117,24 @@ module Pu
 
         return unless File.exist?(Rails.root.join(user_model_path))
 
-        associations = <<~RUBY
-          has_many :#{membership_table_name}, dependent: :destroy
-          has_many :#{normalized_entity_name.pluralize}, through: :#{membership_table_name}
-        RUBY
+        associations = if dest_namespace
+          <<~RUBY
+            has_many :#{membership_table_name}, class_name: "#{full_membership_class_name}", dependent: :destroy
+            has_many :#{normalized_entity_name.pluralize}, through: :#{membership_table_name}, source: :#{normalized_entity_name}
+          RUBY
+        else
+          <<~RUBY
+            has_many :#{membership_table_name}, dependent: :destroy
+            has_many :#{normalized_entity_name.pluralize}, through: :#{membership_table_name}
+          RUBY
+        end
         inject_into_file user_model_path, indent(associations, 2), before: /^\s*# add has_many associations above\.\n/
       end
 
       def add_associated_with_scope_to_entity
-        entity_model_path = File.join("app", "models", "#{normalized_entity_name}.rb")
+        entity_model_path = File.join(dest_root, "app", "models", "#{full_entity_path}.rb")
 
-        return unless File.exist?(Rails.root.join(entity_model_path))
+        return unless File.exist?(entity_model_path)
 
         scope_code = <<~RUBY
           scope :associated_with_#{normalized_user_name}, ->(#{normalized_user_name}) { joins(:#{membership_table_name}).where(#{membership_table_name}: {#{normalized_user_name}_id: #{normalized_user_name}.id}) }
@@ -136,8 +143,8 @@ module Pu
       end
 
       def find_migration_file
-        migration_dir = File.join("db", "migrate")
-        Dir[Rails.root.join(migration_dir, "*_create_#{membership_table_name}.rb")].first
+        migration_dir = File.join(dest_root, "db", "migrate")
+        Dir[File.join(migration_dir, "*_create_#{full_membership_table_name}.rb")].first
       end
 
       def membership_model_name
@@ -150,7 +157,7 @@ module Pu
 
       def membership_attributes
         [
-          "#{normalized_entity_name}:references",
+          "#{full_entity_name}:references",
           "#{normalized_user_name}:references",
           "role:integer",
           *Array(options[:extra_attributes])
@@ -161,6 +168,48 @@ module Pu
 
       def normalized_entity_name = options[:entity].underscore
 
+      def dest_namespace
+        return nil if main_app?
+
+        selected_destination_feature.underscore
+      end
+
+      def main_app?
+        selected_destination_feature == "main_app"
+      end
+
+      def dest_root
+        if main_app?
+          Rails.root
+        else
+          Rails.root.join("packages", dest_namespace)
+        end
+      end
+
+      def full_entity_path
+        [dest_namespace, normalized_entity_name].compact.join("/")
+      end
+
+      def full_membership_path
+        [dest_namespace, membership_model_name].compact.join("/")
+      end
+
+      def full_entity_name
+        full_entity_path
+      end
+
+      def full_membership_table_name
+        full_membership_path.tr("/", "_").pluralize
+      end
+
+      def full_membership_class_name
+        full_membership_path.camelize
+      end
+
+      def full_entity_class_name
+        full_entity_path.camelize
+      end
+
       def roles
         Array(options[:roles]).flat_map { |r| r.split(",") }.map(&:strip)
       end

data/lib/generators/pu/saas/setup_generator.rb

@@ -1,7 +1,5 @@
 # frozen_string_literal: true
 
-return unless defined?(Rodauth::Rails)
-
 require "rails/generators/base"
 require_relative "../lib/plutonium_generators"
 
@@ -46,6 +44,7 @@ module Pu
         desc: "Available roles for API client memberships"
 
       def start
+        ensure_rodauth_installed
         generate_user
         generate_entity unless options[:skip_entity]
         generate_membership unless options[:skip_membership]
@@ -56,6 +55,12 @@ module Pu
 
       private
 
+      def ensure_rodauth_installed
+        return if File.exist?(Rails.root.join("app/rodauth/rodauth_app.rb"))
+
+        invoke "pu:rodauth:install"
+      end
+
       def generate_user
         # Use class-based invocation to avoid Thor's invoke caching
         klass = Rails::Generators.find_by_namespace("pu:saas:user")

data/lib/generators/pu/saas/user_generator.rb

@@ -1,7 +1,5 @@
 # frozen_string_literal: true
 
-return unless defined?(Rodauth::Rails)
-
 require "rails/generators/named_base"
 require_relative "../lib/plutonium_generators"
 

data/lib/plutonium/auth/rodauth.rb

@@ -9,6 +9,7 @@ module Plutonium
           included do
             helper_method :current_user
             helper_method :logout_url
+            helper_method :profile_url
           end
 
           private
@@ -27,6 +28,13 @@ module Plutonium
             rodauth.logout_path
           end
 
+          # Override this method to return your profile page URL.
+          # When defined, a "Profile" link will appear in the user menu.
+          # Example: rodauth.change_password_path or your custom profile_path
+          def profile_url
+            nil
+          end
+
           define_singleton_method(:to_s) { "Plutonium::Auth::Rodauth(:#{name})" }
           define_singleton_method(:inspect) { "Plutonium::Auth::Rodauth(:#{name})" }
         RUBY

data/lib/plutonium/core/controller.rb

@@ -207,7 +207,11 @@ module Plutonium
             url_args[:action] ||= :index if index == args.length - 1
           elsif element.is_a?(Class)
             controller_chain << element.to_s.pluralize
-            url_args[:action] ||= :index if index == args.length - 1 && parent.present?
+            if index == args.length - 1
+              # Singular resources have no index, default to show
+              is_singular = current_engine.routes.singular_resource_route?(element.model_name.plural)
+              url_args[:action] ||= is_singular ? :show : :index
+            end
           else
             model_class = element.class
             if model_class.respond_to?(:base_class) && model_class != model_class.base_class
@@ -223,8 +227,7 @@ module Plutonium
               else
                 model_class.model_name.plural
               end
-              resource_route_config = current_engine.routes.resource_route_config_for(route_key)[0]
-              is_singular = resource_route_config&.dig(:route_type) == :resource
+              is_singular = current_engine.routes.singular_resource_route?(route_key)
               url_args[:id] = element.to_param unless is_singular
               url_args[:action] ||= :show
             else
@@ -236,7 +239,7 @@ module Plutonium
 
         url_args[:"#{parent.model_name.singular}_id"] = parent.to_param if parent.present?
         if scoped_to_entity? && scoped_entity_strategy == :path
-          url_args[scoped_entity_param_key] = current_scoped_entity
+          url_args[scoped_entity_param_key] = current_scoped_entity.to_param
         end
 
         if !url_args.key?(:format) && request.present? && request.format.present? && !request.format.symbol.in?([:html, :turbo_stream])

data/lib/plutonium/core/controllers/authorizable.rb

@@ -30,7 +30,11 @@ module Plutonium
         end
 
         def entity_scope_for_authorize
-          current_scoped_entity if scoped_to_entity?
+          # Use the instance variable directly to avoid circular dependency.
+          # When authorizing the scoped entity itself (in fetch_current_scoped_entity),
+          # @current_scoped_entity is not yet set, so this returns nil, which is correct
+          # since we can't use the entity as its own authorization scope.
+          @current_scoped_entity if scoped_to_entity?
         end
 
         def verify_authorized

data/lib/plutonium/definition/base.rb

@@ -75,6 +75,13 @@ module Plutonium
       # global default
       breadcrumbs true
 
+      # forms
+      # Controls the "Save and add another" / "Update and continue editing" buttons
+      # nil = auto-detect (hidden for singular resources, shown for plural)
+      # true = always show
+      # false = always hide
+      inheritable_config_attr :submit_and_continue
+
       def initialize
         super
       end

data/lib/plutonium/helpers/display_helper.rb

@@ -14,6 +14,12 @@ module Plutonium
         resource_name resource_class, 2
       end
 
+      # Returns the appropriate label for a resource (singular for singular resources, plural otherwise)
+      def resource_label(resource_class)
+        is_singular = current_engine.routes.singular_resource_route?(resource_class.model_name.plural)
+        resource_name(resource_class, is_singular ? 1 : 2)
+      end
+
       # Returns a human-readable name for a nested collection using the association name.
       # Falls back to resource_name_plural if not in a nested context.
       # Uses I18n via human_attribute_name for proper localization.

data/lib/plutonium/profile/security_section.rb

@@ -0,0 +1,118 @@
+# frozen_string_literal: true
+
+module Plutonium
+  module Profile
+    # Renders security settings links based on enabled Rodauth features.
+    class SecuritySection < Plutonium::UI::Component::Base
+      FEATURES = {
+        change_password: {
+          label: "Change Password",
+          description: "Update your account password",
+          icon: Phlex::TablerIcons::Key,
+          path_method: :change_password_path
+        },
+        change_login: {
+          label: "Change Email",
+          description: "Update your email address",
+          icon: Phlex::TablerIcons::Mail,
+          path_method: :change_login_path
+        },
+        otp: {
+          label: "Two-Factor Authentication",
+          description: "Add an extra layer of security",
+          icon: Phlex::TablerIcons::DeviceMobile,
+          path_method: :otp_setup_path
+        },
+        recovery_codes: {
+          label: "Recovery Codes",
+          description: "View or regenerate backup codes",
+          icon: Phlex::TablerIcons::FileCode,
+          path_method: :recovery_codes_path
+        },
+        webauthn: {
+          label: "Security Keys",
+          description: "Manage passkeys and security keys",
+          icon: Phlex::TablerIcons::Fingerprint,
+          path_method: :webauthn_setup_path
+        },
+        active_sessions: {
+          label: "Active Sessions",
+          description: "View and manage your sessions",
+          icon: Phlex::TablerIcons::DevicesCheck,
+          path_method: :active_sessions_path
+        },
+        close_account: {
+          label: "Close Account",
+          description: "Permanently delete your account",
+          icon: Phlex::TablerIcons::Trash,
+          path_method: :close_account_path,
+          danger: true
+        }
+      }.freeze
+
+      def view_template
+        div(class: "mt-8") do
+          render_section_header
+          render_feature_links
+        end
+      end
+
+      private
+
+      def render_section_header
+        div(class: "mb-4") do
+          h2(class: "text-lg font-semibold text-[var(--pu-text)]") { "Security Settings" }
+          p(class: "text-sm text-[var(--pu-text-muted)]") { "Manage your account security" }
+        end
+      end
+
+      def render_feature_links
+        div(
+          class: "bg-[var(--pu-card-bg)] border border-[var(--pu-card-border)] rounded-[var(--pu-radius-lg)] divide-y divide-[var(--pu-border)]",
+          style: "box-shadow: var(--pu-shadow-sm)"
+        ) do
+          enabled_features.each do |feature, config|
+            render_feature_link(feature, config)
+          end
+        end
+      end
+
+      def render_feature_link(feature, config)
+        path = helpers.rodauth.send(config[:path_method])
+        danger = config[:danger]
+
+        a(
+          href: path,
+          class: tokens(
+            "flex items-center gap-4 p-4 hover:bg-[var(--pu-surface-alt)] transition-colors first:rounded-t-[var(--pu-radius-lg)] last:rounded-b-[var(--pu-radius-lg)]",
+            danger ? "text-[var(--pu-text-danger)]" : "text-[var(--pu-text)]"
+          )
+        ) do
+          # Icon
+          div(class: "flex-shrink-0") do
+            render config[:icon].new(class: "w-5 h-5")
+          end
+
+          # Content
+          div(class: "flex-grow") do
+            div(class: "font-medium") { config[:label] }
+            div(class: "text-sm text-[var(--pu-text-muted)]") { config[:description] }
+          end
+
+          # Arrow
+          div(class: "flex-shrink-0 text-[var(--pu-text-muted)]") do
+            render Phlex::TablerIcons::ChevronRight.new(class: "w-5 h-5")
+          end
+        end
+      end
+
+      def enabled_features
+        FEATURES.select { |feature, _config| feature_enabled?(feature) }
+      end
+
+      def feature_enabled?(feature)
+        helpers.rodauth.features.include?(feature)
+      end
+    end
+  end
+end

data/lib/plutonium/resource/controller.rb

@@ -104,6 +104,13 @@ module Plutonium
         end
       end
 
+      # Returns true if current resource is registered as a singular route
+      # (e.g., `resource :profile` vs `resources :users`)
+      # @return [Boolean]
+      def singular_resource_context?
+        current_resource_route_config&.[](:route_type) == :resource
+      end
+
       # Extracts the association name from the current nested route
       # e.g., for route /posts/:post_id/nested_comments, returns :comments
       # @return [Symbol, nil] The association name
@@ -242,14 +249,17 @@ module Plutonium
       # Overrides entity scoping parameters
       # @param [Hash] input_params The input parameters
       def override_entity_scoping_params(input_params)
-        if scoped_to_entity?
-          if input_params.key?(scoped_entity_param_key) || resource_class.method_defined?(:"#{scoped_entity_param_key}=")
-            input_params[scoped_entity_param_key] = current_scoped_entity
-          end
+        return unless scoped_to_entity?
 
-          if input_params.key?(:"#{scoped_entity_param_key}_id") || resource_class.method_defined?(:"#{scoped_entity_param_key}_id=")
-            input_params[:"#{scoped_entity_param_key}_id"] = current_scoped_entity.id
-          end
+        # Use the detected association if available, otherwise fall back to param_key
+        assoc_name = scoped_entity_association || scoped_entity_param_key
+
+        if input_params.key?(assoc_name) || resource_class.method_defined?(:"#{assoc_name}=")
+          input_params[assoc_name] = current_scoped_entity
+        end
+
+        if input_params.key?(:"#{assoc_name}_id") || resource_class.method_defined?(:"#{assoc_name}_id=")
+          input_params[:"#{assoc_name}_id"] = current_scoped_entity.id
         end
       end
 

data/lib/plutonium/resource/controllers/interactive_actions.rb

@@ -29,12 +29,7 @@ module Plutonium
         # GET /resources/1/record_actions/:interactive_action
         def interactive_record_action
           build_interactive_record_action_interaction
-
-          if helpers.current_turbo_frame == "remote_modal"
-            render layout: false, formats: [:html]
-          else
-            render :interactive_record_action, formats: [:html]
-          end
+          render :interactive_record_action, layout: modal_layout, formats: [:html]
         end
 
         # POST /resources/1/record_actions/:interactive_action
@@ -67,7 +62,7 @@ module Plutonium
                 end
               else
                 format.any(:html, :turbo_stream) do
-                  render :interactive_record_action, formats: [:html], status: :unprocessable_content
+                  render :interactive_record_action, layout: modal_layout, formats: [:html], status: :unprocessable_content
                 end
                 format.any do
                   @errors = @interaction.errors
@@ -82,16 +77,7 @@ module Plutonium
         def interactive_resource_action
           skip_verify_current_authorized_scope!
           build_interactive_resource_action_interaction
-
-          respond_to do |format|
-            format.any(:html, :turbo_stream) do
-              if helpers.current_turbo_frame == "remote_modal"
-                render layout: false, formats: [:html]
-              else
-                render :interactive_resource_action, formats: [:html]
-              end
-            end
-          end
+          render :interactive_resource_action, layout: modal_layout, formats: [:html]
         end
 
         # POST /resources/resource_actions/:interactive_action
@@ -125,7 +111,7 @@ module Plutonium
                 end
               else
                 format.any(:html, :turbo_stream) do
-                  render :interactive_resource_action, formats: [:html], status: :unprocessable_content
+                  render :interactive_resource_action, layout: modal_layout, formats: [:html], status: :unprocessable_content
                 end
                 format.any do
                   @errors = @interaction.errors
@@ -139,12 +125,7 @@ module Plutonium
         # GET /resources/bulk_actions/:interactive_action?ids[]=1&ids[]=2
         def interactive_bulk_action
           build_interactive_bulk_action_interaction
-
-          if helpers.current_turbo_frame == "remote_modal"
-            render layout: false, formats: [:html]
-          else
-            render :interactive_bulk_action, formats: [:html]
-          end
+          render :interactive_bulk_action, layout: modal_layout, formats: [:html]
         end
 
         # POST /resources/bulk_actions/:interactive_action?ids[]=1&ids[]=2
@@ -177,7 +158,7 @@ module Plutonium
                 end
               else
                 format.any(:html, :turbo_stream) do
-                  render :interactive_bulk_action, formats: [:html], status: :unprocessable_content
+                  render :interactive_bulk_action, layout: modal_layout, formats: [:html], status: :unprocessable_content
                 end
                 format.any do
                   @errors = @interaction.errors
@@ -190,6 +171,11 @@ module Plutonium
 
         private
 
+        # Returns false for modal requests (skip layout), nil otherwise (use default layout)
+        def modal_layout
+          helpers.current_turbo_frame.present? ? false : nil
+        end
+
         def current_interactive_action
           @current_interactive_action = interactive_resource_actions[params[:interactive_action].to_sym]
         end

data/lib/plutonium/resource/controllers/presentable.rb

@@ -17,7 +17,7 @@ module Plutonium
               presentable_attributes -= [parent_input_param, :"#{parent_input_param}_id"]
             end
             if scoped_to_entity? && !present_scoped_entity?
-              presentable_attributes -= [scoped_entity_param_key, :"#{scoped_entity_param_key}_id"]
+              presentable_attributes -= scoped_entity_field_names
             end
             presentable_attributes
           end
@@ -33,11 +33,49 @@ module Plutonium
             submittable_attributes -= [parent_input_param, :"#{parent_input_param}_id"]
           end
           if scoped_to_entity? && !submit_scoped_entity?
-            submittable_attributes -= [scoped_entity_param_key, :"#{scoped_entity_param_key}_id"]
+            submittable_attributes -= scoped_entity_field_names
           end
           submittable_attributes
         end
 
+        # Returns all field names related to the scoped entity.
+        # Finds associations by class to handle cases where param_key differs from association name.
+        def scoped_entity_field_names
+          field_names = [scoped_entity_param_key, :"#{scoped_entity_param_key}_id"]
+
+          assoc_name = scoped_entity_association
+          if assoc_name
+            field_names << assoc_name
+            field_names << :"#{assoc_name}_id"
+          end
+
+          field_names.uniq
+        end
+
+        # Returns the name of the belongs_to association pointing to the scoped entity class.
+        # Raises if multiple associations exist (ambiguous - user must configure manually).
+        # @return [Symbol, nil] the association name or nil if not found
+        def scoped_entity_association
+          return @scoped_entity_association if defined?(@scoped_entity_association)
+
+          matching_assocs = resource_class.reflect_on_all_associations(:belongs_to).select do |assoc|
+            assoc.klass.name == scoped_entity_class.name
+          rescue NameError
+            false
+          end
+
+          if matching_assocs.size > 1
+            assoc_names = matching_assocs.map(&:name).join(", ")
+            raise <<~MSG.squish
+              #{resource_class} has multiple associations to #{scoped_entity_class}: #{assoc_names}.
+              Plutonium cannot auto-detect which one to use for entity scoping.
+              Override `scoped_entity_association` in your controller to specify the association.
+            MSG
+          end
+
+          @scoped_entity_association = matching_assocs.first&.name
+        end
+
         def build_collection
           current_definition.collection_class.new(@resource_records, resource_fields: presentable_attributes, resource_definition: current_definition)
         end
@@ -47,7 +85,12 @@ module Plutonium
         end
 
         def build_form(record = resource_record!, action: action_name, form_action: nil, **)
-          form_options = {resource_fields: submittable_attributes_for(action), resource_definition: current_definition, **}
+          form_options = {
+            resource_fields: submittable_attributes_for(action),
+            resource_definition: current_definition,
+            singular_resource: singular_resource_context?,
+            **
+          }
           form_options[:action] = form_action unless form_action.nil?
           current_definition.form_class.new(record, **form_options)
         end

data/lib/plutonium/resource/record/associated_with.rb

@@ -1,6 +1,5 @@
 # frozen_string_literal: true
 
-# lib/plutonium/resource/associations.rb
 module Plutonium
   module Resource
     module Record
@@ -9,6 +8,13 @@ module Plutonium
 
         included do
           scope :associated_with, ->(record) do
+            # If scoping to same class, just match by ID (e.g., Team scoped to Team)
+            # Compare by name to handle Rails class reloading (different object_id after reload)
+            if klass.name == record.class.name
+              pk = klass.primary_key
+              return where(pk => record.public_send(pk))
+            end
+
             named_scope = :"associated_with_#{record.model_name.singular}"
             return send(named_scope, record) if respond_to?(named_scope)