plutonium 0.51.0 → 0.52.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5fd905a5d5a930d6805e0df02632a59a0c5ecd9052c190d341f22264640c3425
-  data.tar.gz: db6fbe37f645953c545c1f1fcd10ef82e0dc58cc996b47c2ef574812b0d6394b
+  metadata.gz: b3015426fb7d1a742cd436928a9a8e2c24597f391d68657b8f00ed31058cf59c
+  data.tar.gz: 20bf4101ff956923bf01b28ad890bc5000760a5181ab65ac07f83f2bb739b0d7
 SHA512:
-  metadata.gz: d30de7e455c8798a60a92777141197507595f8a5d37b7e9d355e0530d4590369470f24a36f62554f6c2dcede93e9de8ac0dc6e732fa8f984b64b41d75525a3a2
-  data.tar.gz: e95d855a9d9aee83d2edc4dac9d44f001389d4ef0f10cc9338f13c371e6798db4f73f67197b2d03b8699111ab8cb56ec8ed7335b34ec622c08dff9d8af336b1d
+  metadata.gz: 14b0e28c435b199564a46eae98b84c4273c2783344a3257dcb9adc872002c8e761e058f7f76fbe909b3419facd0e90e1d9ee1a3c8fa5f128189eb1df6e365761
+  data.tar.gz: 19e6dfaf2c2526fcb4cfadba2eb2e09fa294141abb2175f52348f45d050d975aa92b59541d8aa5eb4c14b2bd973f60b45abea9498ea20bc7340529d8e2f96370

data/.claude/skills/plutonium-app/SKILL.md

@@ -505,6 +505,8 @@ register_resource ::Post
 register_resource ::Profile, singular: true   # if --singular
 ```
 
+Re-running `pu:res:conn` for the same resource is **idempotent** — already-registered entries report `identical` and are not duplicated. Insertion falls back gracefully when the conventional `# register resources above` marker is missing (uses the `routes.draw do` opening), and warns clearly if it can't find any anchor.
+
 ### Generated controller
 
 ```ruby

data/.claude/skills/plutonium-auth/SKILL.md

@@ -45,7 +45,6 @@ rails generate pu:rodauth:account user [options]
 |---|---|
 | `--defaults` | Enables login, logout, remember, password reset |
 | `--kitchen_sink` | Enables ALL features |
-| `--primary` | Mark as primary account (no URL prefix) |
 | `--no-mails` | Skip mailer setup |
 | `--argon2` | Use Argon2 instead of bcrypt |
 | `--api_only` | JSON API only (no sessions) |
@@ -90,12 +89,15 @@ rails generate pu:rodauth:admin admin --extra-attributes=name:string,department:
 enum :role, super_admin: 0, admin: 1
 ```
 
-Rake task for direct admin creation:
+Rake task for direct admin creation (namespace is `rodauth`, task name is the account name):
 
 ```bash
-rails rodauth_admin:create[admin@example.com,password123]
+EMAIL=admin@example.com rails rodauth:admin
+# (run without EMAIL to be prompted)
 ```
 
+Creates the account and sends a verification email; the admin sets their own password through the flow. No password is passed on the command line.
+
 ### SaaS setup — `pu:saas:setup` (meta-generator)
 
 Creates the User + Entity + Membership trio AND runs:
@@ -109,7 +111,7 @@ Don't generate another entity portal after this. Pass `--force` to re-run.
 
 ```bash
 rails g pu:saas:setup --user Customer --entity Organization
-rails g pu:saas:setup --user Customer --entity Organization --roles=member,admin
+rails g pu:saas:setup --user Customer --entity Organization --roles=admin,member
 rails g pu:saas:setup --user Customer --entity Organization --no-allow-signup
 rails g pu:saas:setup --user Customer --entity Organization \
   --user-attributes=name:string --entity-attributes=slug:string

data/.claude/skills/plutonium-behavior/SKILL.md

@@ -18,7 +18,7 @@ For tenant-scoped `relation_scope` and entity scoping, load [[plutonium-tenancy]
 - **`ActiveRecord::RecordInvalid` is NOT rescued automatically in interactions.** Always rescue when using `create!` / `update!` / `save!`, return `failed(e.record.errors)`.
 - **Return `succeed(...)` or `failed(...)`** from `execute` — the controller can't tell what happened otherwise.
 - **Redirect is automatic on success** — only use `with_redirect_response` for a *different* destination.
-- **`relation_scope` must compose with `default_relation_scope(relation)` explicitly** — not `super`. See [[plutonium-tenancy]].
+- **`relation_scope` must end up calling `default_relation_scope(relation)` somewhere in the chain.** Prefer calling it explicitly. `super` works when extending a parent policy (e.g., a package base) that itself calls it. See [[plutonium-tenancy]].
 - **For `has_cents` fields, use the virtual name (`:price`), not `:price_cents`** in `permitted_attributes_for_*`.
 - **Custom action ⇒ policy method.** `action :publish` needs `def publish?` on the policy (undefined methods return `false`).
 - **Named custom routes.** When adding custom routes, always pass `as:` so `resource_url_for` can build URLs.

data/.claude/skills/plutonium-tenancy/SKILL.md

@@ -15,7 +15,7 @@ Cross-references back to [[plutonium-resource]] (models, definitions) and [[plut
 
 ## 🚨 Critical (read first)
 
-- **Never bypass `default_relation_scope`.** Overriding `relation_scope` with `where(organization: ...)` or manual joins to the entity triggers `verify_default_relation_scope_applied!`. Always call `default_relation_scope(relation)` explicitly — not `super`.
+- **Never bypass `default_relation_scope`.** Overriding `relation_scope` with `where(organization: ...)` or manual joins to the entity triggers `verify_default_relation_scope_applied!`. Make sure `default_relation_scope(relation)` is called somewhere in the chain — explicitly here, or via `super` to a parent policy (e.g., a package base) that calls it.
 - **Always declare an association path from model to entity.** Direct `belongs_to`, `has_one :through`, or a custom `associated_with_<entity>` scope. If `associated_with` can't resolve, Plutonium raises. Fix the **model**, not the policy.
 - **Parent scoping beats entity scoping.** When a parent is present (nested resource), `default_relation_scope` scopes via the parent, NOT via `entity_scope`. Don't double-scope.
 - **One level of nesting only.** Grandparent → parent → child nested routes are NOT supported. Use top-level routes for deeper relationships.
@@ -170,7 +170,7 @@ relation_scope { |r| r.joins(:project).where(projects: {organization_id: current
 relation_scope { |r| r.where(published: true) }
 ```
 
-**Do not use `super`** from inside `relation_scope`. Call `default_relation_scope(relation)` explicitly — `super` semantics depend on how ActionPolicy's DSL registered the scope.
+**Prefer calling `default_relation_scope(relation)` explicitly** instead of relying on `super`. `super` works when you're extending a parent policy (e.g., a package-level base) that itself calls `default_relation_scope` — but it's brittle against `Plutonium::Resource::Policy` directly because `super`'s semantics depend on how ActionPolicy's DSL registered the scope. The runtime verification checks `default_relation_scope` was hit somewhere — not that you wrote it in this class.
 
 ### Intentionally skipping
 
@@ -235,6 +235,7 @@ entity_scope
 
 - **Multiple associations to the same entity class.** E.g. `Match belongs_to :home_team, :away_team` both pointing at `Team`. Plutonium raises — override `scoped_entity_association` on the controller to pick one (`def scoped_entity_association = :home_team`).
 - **`param_key` differs from association name.** Fine — Plutonium matches by **class**, not param key. `scope_to_entity Competition::Team, param_key: :team` works with `belongs_to :competition_team`.
+- **Default `param_key` includes `_scoped` suffix.** `scope_to_entity Organization` produces routes like `/organization_scoped/:organization_scoped_id/posts` to avoid colliding with a `belongs_to :organization` on child models. Pass `param_key:` (and optionally `route_key:`) to override for cleaner URLs.
 - **Forgetting compound uniqueness.** `validates :code, uniqueness: true` leaks across tenants. Use `uniqueness: {scope: :organization_id}`.
 - **"Temporary" `where` bypass for debugging.** Use `skip_default_relation_scope!` explicitly. Never leave a `where` bypass in code.
 
@@ -421,10 +422,18 @@ rails generate pu:invites:install
 | `--entity-model=NAME` | `Entity` | Entity model name |
 | `--user-model=NAME` | `User` | User model name |
 | `--invite-model=NAME` | `<EntityModel><UserModel>Invite` | Invite class name (omit for single-flow apps) |
-| `--membership-model=NAME` | `EntityUser` | Membership join model |
-| `--roles=ROLES` | `member,admin` | Comma-separated |
+| `--membership-model=NAME` | `EntityUser` | Membership join model (must already exist; roles are read from its `enum :role`) |
 | `--rodauth=NAME` | `user` | Rodauth configuration for signup |
 | `--enforce-domain` | `false` | Require invited email domain to match entity |
+| `--dest=PACKAGE` | `main_app` | Package where the entity model lives (controls where `invite_user_interaction.rb` is generated) |
+
+::: 🚨 No `--roles` flag here
+Role list is derived from the membership model's `enum :role`. Set roles via `pu:saas:membership --roles=...` (or edit the enum directly). **Index 0 is the most privileged** — typically `owner`, which the invite UI excludes from selectable choices; new invitees default to the second role (`roles[1]`).
+:::
+
+::: 🚨 ActiveRecord encryption keys required
+The invite model uses `encrypts :token, deterministic: true`. Without configured AR encryption keys, creating or accepting an invite raises `ActiveRecord::Encryption::Errors::Configuration`. The generator detects this and warns at install time — generate keys with `bin/rails db:encryption:init`, then paste the printed `active_record_encryption:` block into `config/credentials.yml.enc` (or set the equivalent `ACTIVE_RECORD_ENCRYPTION_*` ENV vars in production).
+:::
 
 ### What gets created
 
@@ -619,13 +628,23 @@ class Invites::UserInvite < Invites::ResourceRecord
 end
 ```
 
-### Domain enforcement / custom roles
+### Domain enforcement
 
 ```bash
 rails g pu:invites:install --enforce-domain
-rails g pu:invites:install --roles=viewer,editor,admin,owner
 ```
 
+### Custom roles
+
+Set roles when generating the membership model (ordering: index 0 = most privileged):
+
+```bash
+rails g pu:saas:membership --user Customer --entity Organization --roles=admin,editor,viewer
+# → enum :role, { owner: 0, admin: 1, editor: 2, viewer: 3 }   (owner auto-prepended)
+```
+
+Or edit `enum :role` on the existing membership model directly. Then run `pu:invites:install`.
+
 ## Portal connection
 
 ```ruby

data/.claude/skills/plutonium-testing/SKILL.md

@@ -207,7 +207,9 @@ current_account(portal: :admin)
 with_portal(:org) { ... }                  # scoped portal switch
 ```
 
-**Override hook for non-Rodauth apps:** define `sign_in_for_tests(account, portal:)` in your test class (or in `test/support/plutonium_testing.rb` for project-wide use). `AuthHelpers` will defer to it.
+**Default Rodauth login expects `password: "password123"`** — `login_as` POSTs to `/<account_table>/login` with that hardcoded password. Either seed test accounts with it (fixtures/factories) or override via `sign_in_for_tests` below.
+
+**Override hook for non-Rodauth apps (or to bypass Rodauth in tests):** define `sign_in_for_tests(account, portal:)` in your test class (or in `test/support/plutonium_testing.rb` for project-wide use). `AuthHelpers` will defer to it.
 
 ```ruby
 def sign_in_for_tests(account, portal:)

data/.claude/skills/plutonium-ui/SKILL.md

@@ -351,8 +351,8 @@ end
 class PostDefinition < ResourceDefinition
   class Table < Table
     def view_template
-      render_search_bar
-      render_scopes_bar
+      render_toolbar
+      render_scopes_pills
 
       if collection.empty?
         render_empty_card
@@ -371,7 +371,7 @@ end
 
 | Method | Purpose |
 |---|---|
-| `render_search_bar`, `render_scopes_bar` | Toolbar pieces |
+| `render_toolbar`, `render_scopes_pills`, `render_filter_pills`, `render_bulk_actions_toolbar` | Toolbar pieces |
 | `render_table` | Default table |
 | `render_empty_card` | Empty state |
 | `render_footer` | Pagination |

data/CHANGELOG.md

@@ -1,3 +1,20 @@
+## [0.52.0] - 2026-05-21
+
+### 🐛 Bug Fixes
+
+- *(generators)* Use inclusion validation for required booleans
+- *(generators/assets)* Warn on failed yarn add instead of silently continuing
+- *(docs)* Let StopWriting terminals scroll horizontally instead of overflowing the column
+- *(docs)* Drop misleading 15-min claim — hero CTA → 'Tutorial', getting-started title → 'Learn Plutonium by building'
+- *(generators,docs)* Tutorial walkthrough + reference audit (#57)
+- *(ui/form)* Scope form ids per turbo frame to prevent stream-replace collisions
+- *(ui/form)* Hide secure_association "+" inside secondary modal
+- *(js/form)* Dedupe pre_submit hidden field on repeat change events
+- *(ui)* Form error alert margin + include model name in New/Edit page titles
+
+### ⚙️ Miscellaneous Tasks
+
+- *(appraisal)* Refresh rails-8.1 gemfile.lock for v0.51.0
 ## [0.51.0] - 2026-05-14
 
 ### 🚀 Features