plutonium 0.49.0 → 0.49.1

data/lib/generators/pu/saas/welcome/templates/app/views/layouts/welcome.html.erb.tt

@@ -7,7 +7,11 @@
   <meta name="csrf-param" content="authenticity_token" />
   <meta name="csrf-token" content="<%%= form_authenticity_token %>" />
   <%%= stylesheet_link_tag "application", "data-turbo-track": "reload" %>
-  <%%= javascript_importmap_tags %>
+  <%% if defined?(Importmap) %>
+    <%%= javascript_importmap_tags %>
+  <%% else %>
+    <%%= javascript_include_tag "application", "data-turbo-track": "reload", defer: true %>
+  <%% end %>
 </head>
 <body class="antialiased min-h-screen bg-[var(--pu-body)]">
   <main class="p-4 min-h-screen flex flex-col items-center justify-center gap-2 px-6 py-8 mx-auto lg:py-0">

data/lib/plutonium/invites/concerns/invite_token.rb

@@ -125,9 +125,9 @@ module Plutonium
 
           transaction do
             update!(
-              state: :accepted,
-              accepted_at: Time.current,
-              user: user
+              :state => :accepted,
+              :accepted_at => Time.current,
+              user_attribute => user
             )
 
             create_membership_for(user)
@@ -135,6 +135,14 @@ module Plutonium
           end
         end
 
+        # Override to specify the user association name on the invite model.
+        # Defaults to :user. Override when the invite model's `belongs_to`
+        # uses a different name (e.g., :spender_account, :staff_user).
+        # @return [Symbol]
+        def user_attribute
+          :user
+        end
+
         # Override this method to specify the mailer class.
         #
         # @return [Class] the mailer class for sending invitation emails

data/lib/plutonium/invites/concerns/invite_user.rb

@@ -37,12 +37,12 @@ module Plutonium
 
         def execute
           attrs = {
-            entity: entity,
             email: email,
             role: role,
             invited_by: current_user,
             **additional_invite_attributes
           }
+          attrs[invite_entity_attribute] = entity
           attrs[:invitable] = invitable if invitable.present?
 
           invite_class.create!(attrs)
@@ -109,6 +109,15 @@ module Plutonium
           entity.class.name.underscore.to_sym
         end
 
+        # Override to specify the entity association name on the invite model.
+        # Defaults to :entity, matching the convention documented on InviteToken.
+        # When the invite model uses a concrete `belongs_to :<entity_name>`
+        # instead, override this to return that association name.
+        # @return [Symbol]
+        def invite_entity_attribute
+          :entity
+        end
+
         def role_is_present
           errors.add(:role, :blank) if role.blank?
         end
@@ -130,9 +139,9 @@ module Plutonium
           return unless email.present? && entity.present?
 
           pending = invite_class.find_by(
-            entity: entity,
-            email: email,
-            state: :pending
+            invite_entity_attribute => entity,
+            :email => email,
+            :state => :pending
           )
           errors.add(:email, "already has a pending invitation") if pending
         end

data/lib/plutonium/invites/controller.rb

@@ -35,6 +35,7 @@ module Plutonium
       extend ActiveSupport::Concern
 
       included do
+        append_view_path File.expand_path("app/views", Plutonium.root)
         helper_method :current_user if respond_to?(:helper_method)
       end
 
@@ -72,7 +73,7 @@ module Plutonium
         return unless (@invite = load_and_validate_invite(params[:token]))
 
         unless current_user
-          redirect_to invitation_path(token: params[:token]),
+          redirect_to invitation_path_for(params[:token]),
             alert: "Please sign in to accept this invitation"
           return
         end
@@ -174,6 +175,18 @@ module Plutonium
         raise NotImplementedError, "#{self.class}#invite_class must return the invite model class"
       end
 
+      # Override to customize the invitation URL helper.
+      # Default uses Rails' `invitation_path(token:)` helper, which is what
+      # `pu:invites:install` generates for single-flow apps. Multi-flow apps
+      # whose generator scoped the route as `<prefix>_invitation_path` should
+      # override this.
+      #
+      # @param token [String] the invitation token
+      # @return [String] the URL path
+      def invitation_path_for(token)
+        invitation_path(token: token)
+      end
+
       # Override to specify the user model class.
       #
       # @return [Class] the user model class

data/lib/plutonium/invites/pending_invite_check.rb

@@ -8,39 +8,34 @@ module Plutonium
     # (e.g., WelcomeController, DashboardController) to check for
     # pending invitations stored in cookies.
     #
-    # @example Basic usage
-    #   class WelcomeController < ApplicationController
-    #     include Plutonium::Invites::PendingInviteCheck
+    # Hosts may override either `invite_classes` (preferred — returns
+    # an Array of invite classes to check, in priority order) or
+    # `invite_class` (single class, kept for backward compatibility).
     #
-    #     def index
-    #       return if redirect_to_pending_invite!
-    #
-    #       # Normal post-login flow...
-    #       redirect_to dashboard_path
-    #     end
-    #
-    #     private
-    #
-    #     def invite_class
-    #       Invites::UserInvite
-    #     end
+    # @example Single invite class
+    #   def invite_class
+    #     ::Invites::UserInvite
     #   end
     #
+    # @example Multiple invite classes
+    #   def invite_classes
+    #     [::Invites::FunderInvite, ::Invites::SpenderInvite]
+    #   end
     module PendingInviteCheck
       extend ActiveSupport::Concern
 
+      included do
+        append_view_path File.expand_path("app/views", Plutonium.root)
+      end
+
       private
 
       # Check for a pending invitation and redirect if found.
-      #
-      # @return [Boolean] true if redirected, false otherwise
       def redirect_to_pending_invite!
         token = cookies.encrypted[:pending_invitation]
         return false unless token
 
-        invite = invite_class.find_for_acceptance(token)
-
-        if invite
+        if find_pending_invite(token)
           redirect_to invitation_path(token: token)
           true
         else
@@ -49,14 +44,12 @@ module Plutonium
         end
       end
 
-      # Returns the pending invite if one exists.
-      #
-      # @return [Object, nil] the pending invite or nil
+      # Returns the pending invite if one exists across any invite_classes.
       def pending_invite
         token = cookies.encrypted[:pending_invitation]
         return nil unless token
 
-        invite = invite_class.find_for_acceptance(token)
+        invite = find_pending_invite(token)
         unless invite
           cookies.delete(:pending_invitation)
           return nil
@@ -65,11 +58,27 @@ module Plutonium
         invite
       end
 
-      # Override to specify the invite model class.
-      #
-      # @return [Class] the invite model class
+      # Override to specify multiple invite model classes (preferred).
+      # Defaults to `[invite_class]` for backward compatibility.
+      # @return [Array<Class>]
+      def invite_classes
+        [invite_class]
+      end
+
+      # Override to specify a single invite model class. Maintained for
+      # backward compatibility; prefer `invite_classes` for multi-flow apps.
+      # @return [Class]
       def invite_class
-        raise NotImplementedError, "#{self.class}#invite_class must return the invite model class"
+        raise NotImplementedError,
+          "#{self.class}#invite_class or #invite_classes must return the invite model class(es)"
+      end
+
+      def find_pending_invite(token)
+        invite_classes.each do |klass|
+          invite = klass.find_for_acceptance(token)
+          return invite if invite
+        end
+        nil
       end
     end
   end

data/lib/plutonium/resource/controllers/interactive_actions.rb

@@ -29,7 +29,7 @@ module Plutonium
         # GET /resources/1/record_actions/:interactive_action
         def interactive_record_action
           build_interactive_record_action_interaction
-          render :interactive_record_action, layout: modal_layout, formats: [:html]
+          render :interactive_record_action, formats: [:html], **modal_render_options
         end
 
         # POST /resources/1/record_actions/:interactive_action
@@ -62,7 +62,7 @@ module Plutonium
                 end
               else
                 format.any(:html, :turbo_stream) do
-                  render :interactive_record_action, layout: modal_layout, formats: [:html], status: :unprocessable_content
+                  render :interactive_record_action, formats: [:html], content_type: "text/html", **modal_render_options, status: :unprocessable_content
                 end
                 format.any do
                   @errors = @interaction.errors
@@ -77,7 +77,7 @@ module Plutonium
         def interactive_resource_action
           skip_verify_current_authorized_scope!
           build_interactive_resource_action_interaction
-          render :interactive_resource_action, layout: modal_layout, formats: [:html]
+          render :interactive_resource_action, formats: [:html], **modal_render_options
         end
 
         # POST /resources/resource_actions/:interactive_action
@@ -111,7 +111,7 @@ module Plutonium
                 end
               else
                 format.any(:html, :turbo_stream) do
-                  render :interactive_resource_action, layout: modal_layout, formats: [:html], status: :unprocessable_content
+                  render :interactive_resource_action, formats: [:html], content_type: "text/html", **modal_render_options, status: :unprocessable_content
                 end
                 format.any do
                   @errors = @interaction.errors
@@ -125,7 +125,7 @@ module Plutonium
         # GET /resources/bulk_actions/:interactive_action?ids[]=1&ids[]=2
         def interactive_bulk_action
           build_interactive_bulk_action_interaction
-          render :interactive_bulk_action, layout: modal_layout, formats: [:html]
+          render :interactive_bulk_action, formats: [:html], **modal_render_options
         end
 
         # POST /resources/bulk_actions/:interactive_action?ids[]=1&ids[]=2
@@ -158,7 +158,7 @@ module Plutonium
                 end
               else
                 format.any(:html, :turbo_stream) do
-                  render :interactive_bulk_action, layout: modal_layout, formats: [:html], status: :unprocessable_content
+                  render :interactive_bulk_action, formats: [:html], content_type: "text/html", **modal_render_options, status: :unprocessable_content
                 end
                 format.any do
                   @errors = @interaction.errors
@@ -171,9 +171,13 @@ module Plutonium
 
         private
 
-        # Returns false for modal requests (skip layout), nil otherwise (use default layout)
-        def modal_layout
-          helpers.current_turbo_frame.present? ? false : nil
+        # Render options for modal-aware actions. Returns `{ layout: false }` for
+        # turbo-frame requests so the bare frame is rendered, and an empty hash
+        # for top-level requests so the controller's default layout proc applies.
+        # (Passing `layout: nil` explicitly is treated as "no layout" by Rails,
+        # which is why we omit the key entirely on the default path.)
+        def modal_render_options
+          helpers.current_turbo_frame.present? ? {layout: false} : {}
         end
 
         def current_interactive_action

data/lib/plutonium/resource/policy.rb

@@ -67,16 +67,31 @@ module Plutonium
             raise ArgumentError, "parent and parent_association must both be provided together"
           end
 
-          # Parent association scoping (nested routes)
-          # The parent was already entity-scoped during authorization, so children
-          # accessed through the parent don't need additional entity scoping
+          # Parent association scoping (nested routes).
+          #
+          # The parent context is set on the policy for the whole request, so it
+          # leaks into sibling lookups too — e.g. a SecureAssociation field on
+          # the child's form authorizes an unrelated resource scope while
+          # parent/parent_association are still set. Only apply parent scoping
+          # when the relation actually corresponds to the parent's named
+          # association; otherwise fall through to entity scoping so we don't
+          # produce an incoherent (and silently empty) result.
           assoc_reflection = parent.class.reflect_on_association(parent_association)
-          if assoc_reflection.collection?
-            # has_many: merge with the association's scope
-            parent.public_send(parent_association).merge(relation)
+          if assoc_reflection && relation.klass <= assoc_reflection.klass
+            # The parent was already entity-scoped during authorization, so
+            # children accessed through the parent don't need additional
+            # entity scoping.
+            if assoc_reflection.collection?
+              # has_many: merge with the association's scope
+              parent.public_send(parent_association).merge(relation)
+            else
+              # has_one: scope by foreign key
+              relation.where(assoc_reflection.foreign_key => parent.id)
+            end
+          elsif entity_scope
+            relation.associated_with(entity_scope)
           else
-            # has_one: scope by foreign key
-            relation.where(assoc_reflection.foreign_key => parent.id)
+            relation
           end
         elsif entity_scope
           # Entity scoping (multi-tenancy)

data/lib/plutonium/ui/layout/sidebar.rb

@@ -35,7 +35,7 @@ module Plutonium
         def render_content(&)
           div(
             id: "sidebar-navigation-content",
-            data: {turbo_permanent: true},
+            data: {turbo_permanent: true, sidebar_target: "scroll"},
             class: "overflow-y-auto py-5 px-3 h-full bg-[var(--pu-surface)] border-r border-[var(--pu-border)]",
             &
           )

data/lib/plutonium/version.rb

@@ -1,5 +1,5 @@
 module Plutonium
-  VERSION = "0.49.0"
+  VERSION = "0.49.1"
   NEXT_MAJOR_VERSION = VERSION.split(".").tap { |v|
     v[1] = v[1].to_i + 1
     v[2] = 0

data/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@radioactive-labs/plutonium",
-  "version": "0.49.0",
+  "version": "0.49.1",
   "description": "Build production-ready Rails apps in minutes, not days. Convention-driven, fully customizable, AI-ready.",
   "type": "module",
   "main": "src/js/core.js",

data/src/js/controllers/flatpickr_controller.js

@@ -54,7 +54,30 @@ export default class extends Controller {
     }
 
     if (this.modal) {
+      // Inside a <dialog> opened via showModal(), the dialog establishes its
+      // own containing block in the top layer. flatpickr's default positioning
+      // computes document coordinates but the calendar (appended to the
+      // dialog) interprets them relative to the dialog's box, placing the
+      // calendar far from the input. Append to the modal and reposition
+      // manually relative to the modal's bounding rect.
       options.appendTo = this.modal;
+      options.position = (instance) => {
+        const input = instance.altInput || instance.input;
+        const inputRect = input.getBoundingClientRect();
+        const modalRect = this.modal.getBoundingClientRect();
+        const cal = instance.calendarContainer;
+        const calHeight = cal.offsetHeight;
+        const spaceBelow = window.innerHeight - inputRect.bottom;
+        const showAbove = spaceBelow < calHeight && inputRect.top > calHeight;
+        const top = showAbove
+          ? inputRect.top - modalRect.top - calHeight - 2
+          : inputRect.bottom - modalRect.top + 2;
+        cal.style.top = `${top}px`;
+        cal.style.left = `${inputRect.left - modalRect.left}px`;
+        cal.style.right = "auto";
+        cal.classList.toggle("arrowTop", !showAbove);
+        cal.classList.toggle("arrowBottom", showAbove);
+      };
     }
 
     return options;

data/src/js/controllers/sidebar_controller.js

@@ -1,3 +1,30 @@
 import { Controller } from "@hotwired/stimulus";
 
-export default class extends Controller {}
+// Persists across controller reconnects so the value saved on
+// turbo:before-render is still available on turbo:render, even though
+// the <aside> hosting this controller is replaced during navigation.
+let savedScrollTop = 0;
+
+export default class extends Controller {
+  static targets = ["scroll"];
+
+  connect() {
+    this.beforeRender = this.beforeRender.bind(this);
+    this.afterRender = this.afterRender.bind(this);
+    document.addEventListener("turbo:before-render", this.beforeRender);
+    document.addEventListener("turbo:render", this.afterRender);
+  }
+
+  disconnect() {
+    document.removeEventListener("turbo:before-render", this.beforeRender);
+    document.removeEventListener("turbo:render", this.afterRender);
+  }
+
+  beforeRender() {
+    if (this.hasScrollTarget) savedScrollTop = this.scrollTarget.scrollTop;
+  }
+
+  afterRender() {
+    if (this.hasScrollTarget) this.scrollTarget.scrollTop = savedScrollTop;
+  }
+}

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: plutonium
 version: !ruby/object:Gem::Version
-  version: 0.49.0
+  version: 0.49.1
 platform: ruby
 authors:
 - Stefan Froelich
 bindir: exe
 cert_chain: []
-date: 2026-05-04 00:00:00.000000000 Z
+date: 2026-05-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: zeitwerk
@@ -610,6 +610,8 @@ files:
 - docs/superpowers/plans/2026-04-08-plutonium-skills-overhaul.md
 - docs/superpowers/plans/2026-04-14-plutonium-testing.md
 - docs/superpowers/plans/2026-04-14-plutonium-testing.md.tasks.json
+- docs/superpowers/plans/2026-05-06-multi-invite-model-support.md
+- docs/superpowers/plans/2026-05-06-multi-invite-model-support.md.tasks.json
 - docs/superpowers/specs/2026-04-08-plutonium-skills-overhaul-design.md
 - docs/superpowers/specs/2026-04-14-plutonium-testing-design.md
 - esbuild.config.js
@@ -1142,7 +1144,7 @@ metadata:
   homepage_uri: https://radioactive-labs.github.io/plutonium-core/
   source_code_uri: https://github.com/radioactive-labs/plutonium-core
 post_install_message: |
-  ⚠️  Plutonium 0.49.0 — breaking change
+  ⚠️  Plutonium 0.49.1 — breaking change
 
   Entity-scoped URL helpers and path params have been renamed from
   `<entity>_scope_*` to `<entity>_scoped_*`.