plutonium 0.62.0 → 0.62.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 62c3179e6fc69beaae9e39a5892a478bd41c546fcf0fb580dea6a4aa9680e296
4
- data.tar.gz: 94c2ce8570a323536961196170f8cb7187efe724834485edfd210a783147cbe8
3
+ metadata.gz: 1bf12b730a106a86a4944705ef1bfffe79d245e56b2585906f3b7787db9ead84
4
+ data.tar.gz: da3e1fc7f6d708abb473e1e18b53ea612181c2637480781b4423ce8af3d4e7e4
5
5
  SHA512:
6
- metadata.gz: 0b9dc172a16b74c0f313606cefe964a661842aacd63c21df3ed3cb9ca20179439d2f302b53658305a375ee2b752aacf056244eb0a6875e2a31e20276b8055a2c
7
- data.tar.gz: e1f47b1429392d82253f27e8268309e129d33e5d62716b04c669c13e24cc4e3b34d74728d154189c116124319c7155911e49000be008ea72a2bbdd64fecc3dbd
6
+ metadata.gz: 49e628c86ad4fe1bcdb032bbcd773c4c26b4ad98626e977d1ae573e4c024245275f988609815b0ac0599d4a3077a1d2c0704b473a5c3b9f2a74491cb65cd6a12
7
+ data.tar.gz: df9ba22d2a3e1c1e3504f06c1c435ecccc22fc2712b651e03458677794edc3ee7c53ed64b40666a0278fc8e016dd1e71883011ddd4a3b8d519267b592b5bfdff
data/CHANGELOG.md CHANGED
@@ -2,6 +2,21 @@
2
2
 
3
3
  All notable changes to this project will be documented in this file.
4
4
 
5
+ ## [0.62.1] - 2026-07-07
6
+
7
+ ### Bug Fixes
8
+
9
+ - Split grouped error classes into per-constant files
10
+ - Fall back to index when deleting from the record's own page
11
+
12
+ ### Documentation
13
+
14
+ - Add SECURITY.md and auto-bump its version series on release
15
+
16
+ ### Miscellaneous Tasks
17
+
18
+ - Require RubyGems MFA and disable CI auto-release
19
+
5
20
  ## [0.62.0] - 2026-07-04
6
21
 
7
22
  ### Bug Fixes
@@ -67,11 +82,11 @@ All notable changes to this project will be documented in this file.
67
82
 
68
83
  ## [0.60.5] - 2026-06-30
69
84
 
70
- ### 🐛 Bug Fixes
85
+ ### Bug Fixes
71
86
 
72
- - *(ui)* Coerce ActiveStorage::Filename to String for HTML title attributes
87
+ - Coerce ActiveStorage::Filename to String for HTML title attributes
73
88
 
74
- ### âš™ī¸ Miscellaneous Tasks
89
+ ### Miscellaneous Tasks
75
90
 
76
91
  - Update yarn.lock and .yarnrc.yml after yarn install
77
92
 
data/SECURITY.md ADDED
@@ -0,0 +1,57 @@
1
+ # Security Policy
2
+
3
+ We take the security of Plutonium seriously. Because Plutonium is a framework
4
+ that other applications are built on, a vulnerability here can affect many
5
+ downstream apps. We appreciate your help in disclosing issues responsibly.
6
+
7
+ ## Supported Versions
8
+
9
+ Plutonium is pre-1.0 and evolving quickly. Security fixes are released against
10
+ the **latest published version** only. If you are running an older release,
11
+ please upgrade before reporting an issue to confirm it still reproduces.
12
+
13
+ | Version | Supported |
14
+ | ------- | ------------------ |
15
+ | Latest release (`0.62.x`) | :white_check_mark: |
16
+ | Older releases | :x: |
17
+
18
+ ## Reporting a Vulnerability
19
+
20
+ **Please do not report security vulnerabilities through public GitHub issues,
21
+ discussions, or pull requests.**
22
+
23
+ Instead, use one of the following private channels:
24
+
25
+ - **Preferred:** [Open a private vulnerability report](https://github.com/radioactive-labs/plutonium-core/security/advisories/new)
26
+ via GitHub Security Advisories.
27
+ - **Email:** [sfroelich01@gmail.com](mailto:sfroelich01@gmail.com) with the
28
+ subject line `[SECURITY] Plutonium`.
29
+
30
+ To help us triage quickly, please include as much of the following as you can:
31
+
32
+ - The Plutonium version (and Rails version) affected.
33
+ - A description of the vulnerability and its impact.
34
+ - Steps to reproduce, or a proof-of-concept.
35
+ - Any known workarounds.
36
+
37
+ ## What to Expect
38
+
39
+ - **Acknowledgement:** We aim to acknowledge your report within **3 business days**.
40
+ - **Assessment:** We will investigate and let you know whether the report is
41
+ accepted, along with our expected timeline for a fix.
42
+ - **Disclosure:** We follow a coordinated disclosure process. We will work with
43
+ you to agree on a disclosure date once a fix is available, and we are happy to
44
+ credit you in the advisory unless you prefer to remain anonymous.
45
+
46
+ Please give us a reasonable opportunity to address the issue before any public
47
+ disclosure.
48
+
49
+ ## Scope
50
+
51
+ Security reports about the Plutonium framework code in this repository are in
52
+ scope. Issues in applications *built with* Plutonium, or in third-party
53
+ dependencies, should be reported to their respective maintainers — though if you
54
+ believe a dependency issue is triggered by how Plutonium uses it, we would like
55
+ to hear about it.
56
+
57
+ Thank you for helping keep Plutonium and its community safe.
@@ -212,13 +212,25 @@ module Plutonium
212
212
  end
213
213
 
214
214
  def redirect_url_after_destroy
215
- if (return_to = url_from(params[:return_to])) && return_to != request.url
215
+ if (return_to = url_from(params[:return_to])) && !same_resource_url?(return_to)
216
216
  return return_to
217
217
  end
218
218
 
219
219
  resource_url_for(resource_class)
220
220
  end
221
221
 
222
+ # A return_to pointing at the just-deleted record's own show/edit page
223
+ # would 404 on the follow-up request, so treat those as unusable and let
224
+ # the caller fall back to the index. We compare paths because return_to
225
+ # is the bare record URL while request.url still carries ?return_to=.
226
+ def same_resource_url?(return_to)
227
+ return false unless resource_record?
228
+
229
+ target_path = URI.parse(return_to).path
230
+ record_path = URI.parse(resource_url_for(resource_record!)).path
231
+ target_path == record_path || target_path == "#{record_path}/edit"
232
+ end
233
+
222
234
  def preferred_action_after_submit
223
235
  @preferred_action_after_submit = begin
224
236
  if %w[new edit show index].include? params[:commit]
@@ -1,5 +1,5 @@
1
1
  module Plutonium
2
- VERSION = "0.62.0"
2
+ VERSION = "0.62.1"
3
3
  NEXT_MAJOR_VERSION = VERSION.split(".").tap { |v|
4
4
  v[1] = v[1].to_i + 1
5
5
  v[2] = 0
@@ -0,0 +1,8 @@
1
+ # frozen_string_literal: true
2
+
3
+ module Plutonium
4
+ module Wizard
5
+ # Raised when a wizard requires an anchor record but none is available.
6
+ class NotAnchoredError < StandardError; end
7
+ end
8
+ end
@@ -2,14 +2,6 @@
2
2
 
3
3
  module Plutonium
4
4
  module Wizard
5
- # Raised when a wizard requires an anchor record but none is available.
6
- class NotAnchoredError < StandardError; end
7
-
8
- # Raised when the `wizard_class` route default does not resolve to a
9
- # Plutonium::Wizard::Base subclass (a misconfigured mount, or a tampered
10
- # path parameter).
11
- class UnknownWizardError < StandardError; end
12
-
13
5
  # Raised when a wizard step fails. Carries the attribute the error should be
14
6
  # attached to (defaults to +:base+) so it can be surfaced on a form.
15
7
  class StepError < StandardError
@@ -0,0 +1,10 @@
1
+ # frozen_string_literal: true
2
+
3
+ module Plutonium
4
+ module Wizard
5
+ # Raised when the `wizard_class` route default does not resolve to a
6
+ # Plutonium::Wizard::Base subclass (a misconfigured mount, or a tampered
7
+ # path parameter).
8
+ class UnknownWizardError < StandardError; end
9
+ end
10
+ end
@@ -1,6 +1,5 @@
1
1
  # frozen_string_literal: true
2
2
 
3
- require_relative "wizard/errors"
4
3
  require_relative "wizard/configuration"
5
4
 
6
5
  module Plutonium
@@ -23,6 +23,7 @@ RELEASE_CLIFF_CONFIG = ".cliff.toml"
23
23
  RELEASE_VERSION_FILE = "lib/plutonium/version.rb"
24
24
  RELEASE_PACKAGE_JSON = "package.json"
25
25
  RELEASE_NPM_PACKAGE = "@radioactive-labs/plutonium"
26
+ RELEASE_SECURITY_FILE = "SECURITY.md"
26
27
 
27
28
  namespace :release do
28
29
  # --- helpers --------------------------------------------------------------
@@ -89,6 +90,21 @@ namespace :release do
89
90
  File.write(RELEASE_PACKAGE_JSON, pkg.gsub(/"version":\s*"[\d.]+"/, %("version": "#{version}")))
90
91
  puts "✓ #{RELEASE_PACKAGE_JSON}"
91
92
 
93
+ # Bump the supported-version series in SECURITY.md (e.g. `0.62.x`), so the
94
+ # policy always names the current release series. Skipped if the file or the
95
+ # expected `X.Y.x` marker is missing — a release must never fail over this.
96
+ if File.exist?(RELEASE_SECURITY_FILE)
97
+ series = "#{version.split(".").first(2).join(".")}.x"
98
+ security = File.read(RELEASE_SECURITY_FILE)
99
+ updated = security.gsub(/`\d+\.\d+\.x`/, "`#{series}`")
100
+ if updated == security
101
+ puts "â€ĸ #{RELEASE_SECURITY_FILE} — no `X.Y.x` marker found, skipping"
102
+ else
103
+ File.write(RELEASE_SECURITY_FILE, updated)
104
+ puts "✓ #{RELEASE_SECURITY_FILE}"
105
+ end
106
+ end
107
+
92
108
  # Changelog — same config CI uses for release notes, so they agree.
93
109
  abort "git-cliff not found. Install with: brew install git-cliff" unless git_cliff?
94
110
  system("git-cliff", "--config", RELEASE_CLIFF_CONFIG, "--tag", "v#{version}", "-o", "CHANGELOG.md") ||
data/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@radioactive-labs/plutonium",
3
- "version": "0.62.0",
3
+ "version": "0.62.1",
4
4
  "description": "Build production-ready Rails apps in minutes, not days. Convention-driven, fully customizable, AI-ready.",
5
5
  "type": "module",
6
6
  "main": "src/js/core.js",
data/plutonium.gemspec CHANGED
@@ -15,6 +15,9 @@ Gem::Specification.new do |spec|
15
15
  spec.required_ruby_version = ">= 3.2.2"
16
16
 
17
17
  spec.metadata["allowed_push_host"] = "https://rubygems.org"
18
+ # Require multi-factor auth for privileged RubyGems actions (push, yank,
19
+ # owner changes). `gem push` will prompt for an OTP at release time.
20
+ spec.metadata["rubygems_mfa_required"] = "true"
18
21
 
19
22
  spec.post_install_message = <<~MSG
20
23
  â„šī¸ Plutonium — breaking change introduced in 0.49.0
metadata CHANGED
@@ -1,13 +1,13 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: plutonium
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.62.0
4
+ version: 0.62.1
5
5
  platform: ruby
6
6
  authors:
7
7
  - Stefan Froelich
8
8
  bindir: exe
9
9
  cert_chain: []
10
- date: 2026-07-04 00:00:00.000000000 Z
10
+ date: 2026-07-07 00:00:00.000000000 Z
11
11
  dependencies:
12
12
  - !ruby/object:Gem::Dependency
13
13
  name: zeitwerk
@@ -467,6 +467,7 @@ files:
467
467
  - LICENSE.txt
468
468
  - README.md
469
469
  - Rakefile
470
+ - SECURITY.md
470
471
  - app/assets/plutonium.css
471
472
  - app/assets/plutonium.ico
472
473
  - app/assets/plutonium.js
@@ -1289,12 +1290,12 @@ files:
1289
1290
  - lib/plutonium/wizard/data.rb
1290
1291
  - lib/plutonium/wizard/driving.rb
1291
1292
  - lib/plutonium/wizard/dsl.rb
1292
- - lib/plutonium/wizard/errors.rb
1293
1293
  - lib/plutonium/wizard/field_capture.rb
1294
1294
  - lib/plutonium/wizard/field_importer.rb
1295
1295
  - lib/plutonium/wizard/gate.rb
1296
1296
  - lib/plutonium/wizard/instance_key.rb
1297
1297
  - lib/plutonium/wizard/lazy_persisted.rb
1298
+ - lib/plutonium/wizard/not_anchored_error.rb
1298
1299
  - lib/plutonium/wizard/resume.rb
1299
1300
  - lib/plutonium/wizard/review_step.rb
1300
1301
  - lib/plutonium/wizard/route_resolution.rb
@@ -1303,10 +1304,12 @@ files:
1303
1304
  - lib/plutonium/wizard/state.rb
1304
1305
  - lib/plutonium/wizard/step.rb
1305
1306
  - lib/plutonium/wizard/step_adapter.rb
1307
+ - lib/plutonium/wizard/step_error.rb
1306
1308
  - lib/plutonium/wizard/store/active_record.rb
1307
1309
  - lib/plutonium/wizard/store/base.rb
1308
1310
  - lib/plutonium/wizard/store/memory.rb
1309
1311
  - lib/plutonium/wizard/sweep_job.rb
1312
+ - lib/plutonium/wizard/unknown_wizard_error.rb
1310
1313
  - lib/rodauth/features/case_insensitive_login.rb
1311
1314
  - lib/rodauth/plugins.rb
1312
1315
  - lib/tasks/.keep
@@ -1387,6 +1390,7 @@ licenses:
1387
1390
  - MIT
1388
1391
  metadata:
1389
1392
  allowed_push_host: https://rubygems.org
1393
+ rubygems_mfa_required: 'true'
1390
1394
  homepage_uri: https://radioactive-labs.github.io/plutonium-core/
1391
1395
  source_code_uri: https://github.com/radioactive-labs/plutonium-core
1392
1396
  post_install_message: |