rails-ai-context 5.9.1 → 5.10.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 63fa43e2446217a8b226ba3fd59b0345c7e4fec6300acd0ab877354339187dac
-  data.tar.gz: 0d12192067351b3e28e1ae8ba16792be31a8e340e356b4b261249345a2295fa3
+  metadata.gz: b022525ce9aa13c5b6d5f21a46f13db5ae84dac04f346adc40eeb2b315f9fcaa
+  data.tar.gz: 9e9f7bd60ecdab6a5d1599e560762c8c7d95a8973f5d001c4573d00f55b2a594
 SHA512:
-  metadata.gz: 6d3f4378d84b890464cdda8c550195430987c05970b892184bda610fb727f7614d943b46141e4b3f7b39642503deacf71b76fca933923aada849e1c39f887fef
-  data.tar.gz: 4632cbf34995fb74922c19f89988d7bd4a5dfb3cdac98ab78e8ab3d08bac11f84c3cab0df68364b46740c133fdda22bd7311400dd5381d857b611cb4de2fe6e7
+  metadata.gz: 7dca71cfea9fb5106b40f5eaebd119e36bcd1cbcbdd41b8dcd8ba4b11eb802dbb647d0c90db88b4d21a98d303ed2ed42f605ca7278a245a76155fc57cb0366cf
+  data.tar.gz: baaeaa8a5eec91ba86c6aee32f5a0d459ebcc7f14c1eaec64e7110afe7368985e005b92dcdee960606525806d652cd63f5eb1092773765cbe831857cffde75a1

data/CHANGELOG.md

@@ -5,6 +5,44 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [5.10.0] — 2026-04-20
+
+### Added — 8 new introspectors closing RAILS_NERVOUS_SYSTEM.md gaps
+
+An audit against [`RAILS_NERVOUS_SYSTEM.md`](RAILS_NERVOUS_SYSTEM.md) identified 9 framework sections where introspection was missing or partial. This release ships the 8 introspectors needed to close them (the 9th — §11 Query interface — was already covered by `:conventions` via `load_async` / `.async_*` scanning). All are wired into `PRESETS[:full]`. The gem now exposes **39 introspectors** (up from 31).
+
+- **`InitializerIntrospector` (`:initializers`, §2).** Enumerates `Rails.application.initializers` — every initializer's name, owner, declared `before:` / `after:` ordering edges, and the `source_location` of its block. Also summarizes each `config/initializers/*.rb` file (initializer count + the top `config.*` setters it touches) so AI can jump straight to user-owned boot code.
+- **`AutoloadIntrospector` (`:autoload`, §3).** Zeitwerk presence, both `Rails.autoloaders.main` and `.once` with their collapsed dirs + ignored paths + root dirs, raw `autoload_paths` / `autoload_once_paths` / `eager_load_paths`, the resolved `eager_load` boolean, plus custom inflection rules extracted from `config/initializers/*.rb` (`inflect.acronym` / `.plural` / `.singular` / `.irregular` / `.uncountable` / `.human`). Paths are root-relative.
+- **`ConnectionPoolIntrospector` (`:connection_pool`, §10).** Per-database adapter config: `pool`, `checkout_timeout`, `idle_timeout`, `reaping_frequency`, `prepared_statements`, `advisory_locks`, replica flag, role, connection-handler pool counts per role (`:writing` / `:reading`), and automatic shard selector detection (Rails 7.1+ `ActiveRecord::Middleware::ShardSelector`). Complements `:database_stats` (which only returns row counts).
+- **`ActiveSupportIntrospector` (`:active_support`, §17).** Covers ActiveSupport runtime surface other introspectors leave untouched: Concerns in `app/**/concerns/` (with `ActiveSupport::Concern` / `included do` / `class_methods do` flags), `Rails.application.deprecators` registry keys, MessageEncryptor + MessageVerifier usage scan across `lib/` + `app/`, TaggedLogging configuration (`config.log_tags` + initializer-based `ActiveSupport::TaggedLogging.new`), active on-load hooks, and cache-store options.
+- **`CredentialsIntrospector` (`:credentials`, §30).** Default `config/credentials.yml.enc` + every per-env `config/credentials/<env>.yml.enc`, master-key source resolution (`env:RAILS_MASTER_KEY` / `file:config/master.key` / `missing`), `config.require_master_key` flag, arbitrary encrypted configs (`config/<name>.yml.enc` pairs), and top-level credential **key names only** — decrypted hash is inspected for `.keys` and nothing more. A regression spec asserts no known credential value appears in the output.
+- **`SecurityIntrospector` (`:security`, §32).** Framework-level security controls `auth_introspector` doesn't cover: `config.force_ssl`, SSL options (HSTS `expires` / `subdomains` / `preload`, `redirect`, `secure_cookies`), `config.hosts` + `host_authorization` options, `ContentSecurityPolicy` directives (including `report_only`), `PermissionsPolicy` directives, CSRF config (`protect_from_forgery` declaration, `per_form_csrf_tokens`, `forgery_protection_origin_check`), cookie session options (`:key`, `:secure`, `:httponly`, `:same_site`, `:domain`, `:path`, `:expire_after`), and Rails 7.2+ `allow_browser` calls per controller.
+- **`ObservabilityIntrospector` (`:observability`, §34 + §38).** `ActiveSupport::LogSubscriber.log_subscribers` catalog (class + namespace), full `ActiveSupport::Notifications` subscriber registry walked via `@string_subscribers` / `@other_subscribers` / legacy `@subscribers` (handles Rails 7.0/7.1/8.x variants — grouped by pattern with subscriber count + sample class name), `ActionDispatch::ServerTiming` middleware detection + `config.server_timing` flag, Rails 8.1 `event_reporter` availability, log level + tags + `colorize_logging`, and a static catalog of 60+ canonical Rails event names across 10 subsystems (`action_controller`, `action_view`, `active_record`, `active_job`, `action_mailer`, `action_mailbox`, `action_cable`, `active_support`, `active_storage`, `railties`).
+- **`EnvIntrospector` (`:env`, §36).** Curated catalog of 30+ Rails-related ENV vars (core, server, bundler, assets, boot, secrets, database, cache, deploy, platform, observability, testing) partitioned into `set` / `unset`. Safe vars (`RAILS_ENV`, `RAILS_MAX_THREADS`, `PORT`, etc.) return their value. Sensitive vars (`SECRET_KEY_BASE`, `RAILS_MASTER_KEY`, `DATABASE_URL`, `REDIS_URL`, `KAMAL_REGISTRY_PASSWORD`, etc.) return `redacted: true` only — the value never leaves the process. Also scans `config/`/`app/`/`lib/` for app-specific `ENV["X"]` / `ENV.fetch("X")` references beyond the catalog.
+
+### Why these specifically
+
+Each corresponds to a `RAILS_NERVOUS_SYSTEM.md` section the audit flagged as uncovered. Partial-coverage sections (§2 filenames, §3 Zeitwerk presence, §17 CurrentAttributes, §27 Solid Trifecta, §30 boolean, §32 CORS/CSP/force_ssl, §34 N+1 anti-patterns, §36 puma/procfile) are preserved — the new introspectors complement rather than replace existing ones.
+
+### Preset wiring
+
+All 8 are in `PRESETS[:full]`. None are in `PRESETS[:standard]` — they're framework-runtime data most valuable in `full` mode where comprehensive context outranks boot speed. `config.introspectors.size` for `:full` is now `39` (from `31`). The configuration spec was updated accordingly.
+
+### Tests
+
+Every new introspector ships with a unit spec under `spec/lib/rails_ai_context/introspectors/*_introspector_spec.rb`, plus an orchestrator-level assertion in `spec/lib/rails_ai_context/introspector_spec.rb` that all 8 keys land in the context hash, plus a real-Rails-app e2e spec at `spec/e2e/nervous_system_introspectors_spec.rb` (8 examples, run via `E2E=1`). Specs assert shape guarantees, error absence, category-specific invariants, and the `CredentialsIntrospector` / `EnvIntrospector` specs include explicit sentinel-value leak assertions (a secret is injected, then the output hash is searched for the sentinel string). The full non-e2e suite runs **2154 examples, 0 failures**.
+
+### Fixed — post-review hardening
+
+Three parallel code reviews (security/data-leak, Rails-version correctness, CLAUDE.md invariant compliance) surfaced the following issues, all addressed in this release:
+
+- **`ObservabilityIntrospector#detect_event_reporter` crashed on Rails 8.1.** The original code called `reporter.tagged` without a block to read "registered tags". `ActiveSupport::EventReporter#tagged` delegates unconditionally to `TagStack#with_tags(&block)` which `yield`s — a blockless call raises `LocalJumpError`. The outer `rescue` caught it and returned `{ available: false }`, which silently misreported Rails 8.1 apps as lacking the event reporter and dropped the `subscriber_count` too. The `entry[:tags]` line was removed; `tagged` is stack-scoped context, not an introspectable keyspace. `subscriber_count` is still reported.
+- **`ObservabilityIntrospector#extract_subscribers_from_notifier` had dead code.** A "legacy `@subscribers` (array)" fallback claimed to support Rails 7.0, but Rails 7.0 already used `@string_subscribers` + `@other_subscribers`. The flat `@subscribers` ivar hasn't existed since Rails ≤ 5.x, so the branch was unreachable across the entire 7.1 / 7.2 / 8.0 CI matrix. Removed. Also: the `subscriber_raw_pattern` helper now unwraps `ActiveSupport::Notifications::Fanout::Subscribers::Matcher` one level deep so Regexp-pattern subscribers surface as `"pattern.source"` instead of `"#<…::Matcher:0x…>"`.
+- **`CredentialsIntrospector` leaked paths via `e.message`.** Both the top-level `rescue` and `inspect_default_credentials`'s rescue returned `{ error: e.message }` in the output hash. OS-level errors (`Errno::EACCES`, `Errno::ENOENT`) and OpenSSL decryption failures include absolute paths with the OS username in their message — credentials-adjacent data that shouldn't leave the process. Both rescues now return `{ error: "…failed", exception_class: e.class.name }`; `e.message` stays in the `ENV["DEBUG"]`-gated stderr log where it's fine. New regression specs inject a `Errno::EACCES` with a path containing `/Users/alice/secret/master.key` and assert neither `"/Users/alice"` nor `"alice/secret"` appears anywhere in the output.
+- **`EnvIntrospector` classified `BUNDLE_PATH` and `BUNDLE_GEMFILE` as safe-to-return.** Both are absolute filesystem paths that usually contain the OS username (e.g. `/Users/alice/.bundle`). Flipped to `safe: false` so only presence is reported, matching the treatment of other path-containing vars (`DATABASE_URL`, `REDIS_URL`, etc.).
+- **`ActiveSupportIntrospector` + `EnvIntrospector` had non-deterministic directory walks.** Both called `Dir.glob(...).first(2000)` to cap traversal on large monorepos, but `Dir.glob` ordering is filesystem-dependent, so the selected 2000-file slice could differ run-to-run. Both now call `Dir.glob(...).sort.first(2000)`, matching the `.sort` already used by the other new introspectors.
+- **Spec-coverage gaps on ivar-derived paths.** The reviewers flagged that three silently-failing paths had no assertions: initializer `:source` capture (via `@block.source_location`), connection_pool `:pool_config` shape, and the `@other_subscribers` Regexp-pattern branch in the Fanout walk. All three now have targeted assertions — a silent drift if any of these ivars is renamed upstream will now fail CI.
+
 ## [5.9.1] — 2026-04-20
 
 ### Fixed — `GetConcern` missed plural concern names (#78)

data/CONTRIBUTING.md

@@ -19,7 +19,7 @@ The test suite uses [Combustion](https://github.com/pat/combustion) to boot a mi
 ```
 lib/rails_ai_context/
 ├── cli/               # CLI tool runner (tool_runner.rb) — executes MCP tools from rake/Thor
-├── introspectors/     # 31 introspectors (schema, models, routes, etc.)
+├── introspectors/     # 39 introspectors (schema, models, routes, etc.)
 ├── tools/             # 38 MCP tools with detail levels and pagination
 ├── serializers/       # Per-assistant formatters + shared ToolGuideHelper
 ├── server.rb          # MCP server setup (stdio + HTTP)

data/README.md

@@ -21,7 +21,7 @@
 <br>
 [![Ruby](https://img.shields.io/badge/Ruby-3.2%20%7C%203.3%20%7C%203.4-CC342D)](https://github.com/crisnahine/rails-ai-context)
 [![Rails](https://img.shields.io/badge/Rails-7.1%20%7C%207.2%20%7C%208.0-CC0000)](https://github.com/crisnahine/rails-ai-context)
-[![Tests](https://img.shields.io/badge/Tests-2078%20passing-brightgreen)](https://github.com/crisnahine/rails-ai-context/actions)
+[![Tests](https://img.shields.io/badge/Tests-2154%20passing-brightgreen)](https://github.com/crisnahine/rails-ai-context/actions)
 [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](LICENSE)
 
 </div>
@@ -397,7 +397,7 @@ Enabled by default. Disable with `config.anti_hallucination_rules = false` if yo
 
 ```mermaid
 graph TD
-    A["Your Rails App\nmodels + schema + routes + controllers + views + jobs"] -->|"31 introspectors"| B
+    A["Your Rails App\nmodels + schema + routes + controllers + views + jobs"] -->|"39 introspectors"| B
 
     B["rails-ai-context\nPrism AST parsing · Cached · Confidence-tagged\nVFS: rails-ai-context:// URIs introspected fresh"]
 
@@ -459,7 +459,7 @@ Both paths ask which AI tools you use (Claude Code, Cursor, GitHub Copilot, Open
 | **[Configuration](docs/CONFIGURATION.md)** | 40+ config options with defaults |
 | **[AI Tool Setup](docs/SETUP.md)** | Claude, Cursor, Copilot, OpenCode, Codex |
 | **[Architecture](docs/ARCHITECTURE.md)** | System design and internals |
-| **[Introspectors](docs/INTROSPECTORS.md)** | All 31 introspectors and AST engine |
+| **[Introspectors](docs/INTROSPECTORS.md)** | All 39 introspectors and AST engine |
 | **[Security](docs/SECURITY.md)** | 4-layer SQL safety and file blocking |
 | **[CLI Reference](docs/CLI.md)** | Commands and argument syntax |
 | **[Standalone](docs/STANDALONE.md)** | Use without Gemfile entry |
@@ -508,7 +508,7 @@ if defined?(RailsAiContext)
   RailsAiContext.configure do |config|
     config.ai_tools   = %i[claude cursor] # Which AI tools to generate for
     config.tool_mode  = :mcp              # :mcp (default) or :cli
-    config.preset     = :full             # :full (31 introspectors) or :standard (17)
+    config.preset     = :full             # :full (39 introspectors) or :standard (17)
   end
 end
 ```
@@ -543,7 +543,7 @@ end
 ## About
 
 Built by a Rails developer with 10+ years of production experience.<br>
-2078 tests + 100-example e2e harness. 38 tools. 5 resource templates. 31 introspectors. Standalone or in-Gemfile.<br>
+2154 tests + 100-example e2e harness. 38 tools. 5 resource templates. 39 introspectors. Standalone or in-Gemfile.<br>
 MIT licensed. [Contributions welcome.](CONTRIBUTING.md)
 
 <br>

data/docs/ARCHITECTURE.md

@@ -18,7 +18,7 @@ graph TD
         A["models + schema + routes + controllers + views + jobs + config"]
     end
 
-    A -->|"31 introspectors"| gem
+    A -->|"39 introspectors"| gem
 
     subgraph gem["rails-ai-context"]
         direction TB
@@ -101,7 +101,7 @@ flowchart LR
 
 ### Introspectors (`lib/rails_ai_context/introspectors/`)
 
-31 modules that extract structured data from your Rails app. Each introspector:
+39 modules that extract structured data from your Rails app. Each introspector:
 
 - Returns a Hash (never raises — wraps errors in `{ error: msg }`)
 - Is registered in `INTROSPECTOR_MAP` with a symbol key

data/docs/CONFIGURATION.md

@@ -56,7 +56,7 @@ preset: full
 
 | Option | Type | Default | Description |
 |:-------|:-----|:--------|:------------|
-| `preset` | Symbol | `:full` | `:full` (31 introspectors) or `:standard` (17 introspectors) |
+| `preset` | Symbol | `:full` | `:full` (39 introspectors) or `:standard` (17 introspectors) |
 | `context_mode` | Symbol | `:compact` | `:compact` (context files capped at ~150 lines) or `:full` (no line cap) |
 | `introspectors` | Array of symbols | (from preset) | Override the introspector list directly |
 | `generate_root_files` | Boolean | `true` | Set `false` to generate split rules only, no root CLAUDE.md/AGENTS.md |
@@ -155,7 +155,7 @@ preset: full
 
 ## Presets
 
-### `:full` (default) — 31 introspectors
+### `:full` (default) — 39 introspectors
 
 All available introspectors. Best for comprehensive context.
 

data/docs/FAQ.md

@@ -99,7 +99,7 @@ PostgreSQL, MySQL, and SQLite. Each gets database-specific safety mechanisms (re
 
 ### What's the difference between `:full` and `:standard` preset?
 
-- **`:full`** (default) — 31 introspectors. Comprehensive context for every aspect of your app.
+- **`:full`** (default) — 39 introspectors. Comprehensive context for every aspect of your app.
 - **`:standard`** — 17 introspectors. Faster, covers the essentials (schema, models, routes, controllers, tests, etc.).
 
 ### What's `:compact` vs `:full` context mode?

data/docs/GUIDE.md

@@ -24,7 +24,7 @@
 | [Configuration](CONFIGURATION.md) | Every config option |
 | [AI Tool Setup](SETUP.md) | Per-editor setup |
 | [Architecture](ARCHITECTURE.md) | System design and internals |
-| [Introspectors](INTROSPECTORS.md) | All 31 introspectors |
+| [Introspectors](INTROSPECTORS.md) | All 39 introspectors |
 | [Security](SECURITY.md) | Security model and SQL safety |
 | [CLI Reference](CLI.md) | All commands and argument syntax |
 | [Standalone Mode](STANDALONE.md) | Use without Gemfile |
@@ -1192,7 +1192,7 @@ if defined?(RailsAiContext)
   RailsAiContext.configure do |config|
     # --- Introspectors ---
 
-    # Presets: :full (31 introspectors, default) or :standard (17)
+    # Presets: :full (39 introspectors, default) or :standard (17)
     config.preset = :full
 
     # Cherry-pick on top of a preset
@@ -1311,7 +1311,7 @@ end
 | Option | Type | Default | Description |
 |--------|------|---------|-------------|
 | `preset` | Symbol | `:full` | Introspector preset (`:full` or `:standard`) |
-| `introspectors` | Array | 31 (full preset) | Which introspectors to run |
+| `introspectors` | Array | 39 (full preset) | Which introspectors to run |
 | `context_mode` | Symbol | `:compact` | `:compact` or `:full` |
 | `claude_max_lines` | Integer | `150` | Max lines for CLAUDE.md in compact mode |
 | `max_tool_response_chars` | Integer | `200_000` | Safety cap for MCP tool responses |
@@ -1398,7 +1398,7 @@ Core Rails structure only. Use `config.preset = :standard` for a lighter footpri
 | `performance` | N+1 query risks, missing counter_cache, missing FK indexes, Model.all anti-patterns, eager load candidates. |
 | `i18n` | Default locale, available locales, locale files with key counts, backend class, parse errors. |
 
-### Full preset (31 introspectors) — default
+### Full preset (39 introspectors) — default
 
 Includes all standard introspectors plus:
 
@@ -1534,11 +1534,11 @@ OpenCode uses **per-directory lazy-loading**: when the agent reads a file, it wa
 
 | Setup | Coverage | Notes |
 |-------|----------|-------|
-| Rails full-stack (ERB + Hotwire) | 31/31 | All introspectors relevant |
-| Rails + Inertia.js (React/Vue) | ~25/31 | Views/Turbo partially useful, backend fully covered |
-| Rails API + React/Next.js SPA | ~23/31 | Schema, models, routes, API, auth, jobs — all covered |
-| Rails API + mobile app | ~23/31 | Same as SPA — backend introspection is identical |
-| Rails engine (mountable gem) | ~18/31 | Core introspectors (schema, models, routes, gems) work |
+| Rails full-stack (ERB + Hotwire) | 39/39 | All introspectors relevant |
+| Rails + Inertia.js (React/Vue) | ~33/39 | Views/Turbo partially useful, backend fully covered |
+| Rails API + React/Next.js SPA | ~31/39 | Schema, models, routes, API, auth, jobs — all covered |
+| Rails API + mobile app | ~31/39 | Same as SPA — backend introspection is identical |
+| Rails engine (mountable gem) | ~26/39 | Core introspectors (schema, models, routes, gems) work |
 
 Frontend introspectors (views, Turbo, Stimulus, assets) degrade gracefully — they report nothing when those features aren't present.
 

data/docs/INTROSPECTORS.md

@@ -2,7 +2,7 @@
 
 # Introspectors
 
-**31 modules that extract structured data from your Rails application.**
+**39 modules that extract structured data from your Rails application.**
 
 [Architecture](ARCHITECTURE.md) · [Configuration](CONFIGURATION.md) · [Tools Reference](TOOLS.md) · [Security](SECURITY.md)
 
@@ -21,7 +21,7 @@ Each introspector:
 
 ## Presets
 
-### `:full` (default) — all 31 introspectors
+### `:full` (default) — all 39 introspectors
 
 Best for comprehensive AI context. Covers every aspect of your app.
 
@@ -49,13 +49,16 @@ graph LR
         S16["performance"] ~~~ S17["i18n"]
     end
 
-    subgraph full_only["Full Preset adds +14"]
+    subgraph full_only["Full Preset adds +22"]
         direction TB
         F1["views"] ~~~ F2["database_stats"] ~~~ F3["api"]
         F4["active_storage"] ~~~ F5["action_text"] ~~~ F6["action_mailbox"]
         F7["rake_tasks"] ~~~ F8["assets"] ~~~ F9["devops"]
         F10["seeds"] ~~~ F11["middleware"] ~~~ F12["engines"]
         F13["multi_database"] ~~~ F14["frontend_frameworks"]
+        F15["initializers"] ~~~ F16["autoload"] ~~~ F17["connection_pool"]
+        F18["active_support"] ~~~ F19["credentials"] ~~~ F20["security"]
+        F21["observability"] ~~~ F22["env"]
     end
 
     standard --> full_only
@@ -74,7 +77,7 @@ end
 
 ---
 
-## All 31 introspectors
+## All 39 introspectors
 
 ### Core
 
@@ -148,6 +151,21 @@ end
 | TestIntrospector | `:tests` | Test framework, file counts, coverage hints |
 | PerformanceIntrospector | `:performance` | N+1 risks, missing indexes, counter_cache hints |
 
+### Runtime & Framework Internals
+
+These introspectors map directly onto [`RAILS_NERVOUS_SYSTEM.md`](../RAILS_NERVOUS_SYSTEM.md) sections and capture framework-level surface that `:config`, `:auth`, and `:middleware` don't.
+
+| Introspector | Key | Nervous-system § | What it extracts |
+|:-------------|:----|:---|:-----------------|
+| InitializerIntrospector | `:initializers` | §2 | `Rails.application.initializers` graph: name, owner, `before:`/`after:` edges, block `source_location`, per-file `config/initializers/*.rb` summary |
+| AutoloadIntrospector | `:autoload` | §3 | Zeitwerk presence, autoloaders (`:main` / `:once`) with collapsed + ignored dirs, `autoload_paths`, `eager_load_paths`, custom inflections (`acronym`, `plural`, `singular`, `irregular`) |
+| ConnectionPoolIntrospector | `:connection_pool` | §10 | Per-database adapter config: pool size, `checkout_timeout`, `reaping_frequency`, `prepared_statements`, `advisory_locks`, replica flag, connection-handler roles, automatic shard selector detection |
+| ActiveSupportIntrospector | `:active_support` | §17 | Concerns in `app/**/concerns/` (ActiveSupport::Concern flags, `included do`/`class_methods do` blocks), deprecators registry, MessageEncryptor/Verifier usage, TaggedLogging config, common on-load hooks, cache store options |
+| CredentialsIntrospector | `:credentials` | §30 | Default + per-env encrypted files, master-key source (`env:RAILS_MASTER_KEY` vs `file:config/master.key` vs missing), `require_master_key` flag, arbitrary encrypted configs (`config/*.yml.enc`), top-level key **names only** (never values) |
+| SecurityIntrospector | `:security` | §32 | `force_ssl`, SSL options (HSTS `expires`/`subdomains`/`preload`), `host_authorization` hosts, ContentSecurityPolicy directives + `report_only`, PermissionsPolicy directives, CSRF config (`protect_from_forgery`, `per_form_csrf_tokens`, `origin_check`), cookie session options, Rails 7.2+ `allow_browser` usage |
+| ObservabilityIntrospector | `:observability` | §34 + §38 | `ActiveSupport::LogSubscriber.log_subscribers` catalog, AS::Notifications subscriber registry (pattern + count + sample class), `ActionDispatch::ServerTiming` middleware detection, Rails 8.1 `event_reporter` availability, log level + tags, canonical Rails event-name catalog (10 subsystems) |
+| EnvIntrospector | `:env` | §36 | Catalog of 30+ Rails-related ENV vars partitioned into `set` / `unset`; safe vars (`RAILS_ENV`, `RAILS_MAX_THREADS`, etc.) return values, sensitive vars (`SECRET_KEY_BASE`, `DATABASE_URL`, `RAILS_MASTER_KEY`, etc.) return `redacted: true` only; scans `config/`/`app/`/`lib/` for app-specific `ENV["X"]` references |
+
 ---
 
 ## AST-based introspection

data/docs/TROUBLESHOOTING.md

@@ -247,7 +247,7 @@ Without it, the tool reports "not installed" but the gem works fine otherwise.
 
 ### "Introspection is slow"
 
-1. Use `:standard` preset (17 introspectors vs 31)
+1. Use `:standard` preset (17 introspectors vs 39)
 2. Increase cache TTL: `config.cache_ttl = 300`
 3. Check schema file size: `rails ai:doctor` warns if too large
 4. Check view count: many views slow down view introspection

data/docs/index.md

@@ -25,7 +25,7 @@ Works with Claude Code, Cursor, GitHub Copilot, OpenCode, and Codex CLI.
 | **[Tools Reference](TOOLS.md)** | All 38 tools with every parameter |
 | **[Configuration](CONFIGURATION.md)** | 40+ config options with defaults |
 | **[CLI Reference](CLI.md)** | Commands and argument syntax |
-| **[Introspectors](INTROSPECTORS.md)** | All 31 introspectors and AST engine |
+| **[Introspectors](INTROSPECTORS.md)** | All 39 introspectors and AST engine |
 
 ## Learn
 

data/lib/rails_ai_context/configuration.rb

@@ -78,7 +78,8 @@ module RailsAiContext
       full: %i[schema models routes jobs gems conventions stimulus database_stats controllers views view_templates turbo
                i18n config active_storage action_text auth api tests rake_tasks assets
                devops action_mailbox migrations seeds middleware engines multi_database
-               components performance frontend_frameworks]
+               components performance frontend_frameworks
+               initializers autoload connection_pool active_support credentials security observability env]
     }.freeze
 
     # MCP server settings

data/lib/rails_ai_context/introspector.rb

@@ -80,7 +80,15 @@ module RailsAiContext
       multi_database: Introspectors::MultiDatabaseIntrospector,
       components: Introspectors::ComponentIntrospector,
       performance: Introspectors::PerformanceIntrospector,
-      frontend_frameworks: Introspectors::FrontendFrameworkIntrospector
+      frontend_frameworks: Introspectors::FrontendFrameworkIntrospector,
+      initializers: Introspectors::InitializerIntrospector,
+      autoload: Introspectors::AutoloadIntrospector,
+      connection_pool: Introspectors::ConnectionPoolIntrospector,
+      active_support: Introspectors::ActiveSupportIntrospector,
+      credentials: Introspectors::CredentialsIntrospector,
+      security: Introspectors::SecurityIntrospector,
+      observability: Introspectors::ObservabilityIntrospector,
+      env: Introspectors::EnvIntrospector
     }.freeze
 
     private

data/lib/rails_ai_context/introspectors/active_support_introspector.rb

@@ -0,0 +1,173 @@
+# frozen_string_literal: true
+
+module RailsAiContext
+  module Introspectors
+    # Extracts ActiveSupport runtime surface that other introspectors don't
+    # cover: Concerns registry (`app/**/concerns`), Deprecators registry,
+    # MessageEncryptor/MessageVerifier usage, and TaggedLogging tags.
+    # Covers RAILS_NERVOUS_SYSTEM.md §17 (ActiveSupport).
+    class ActiveSupportIntrospector
+      attr_reader :app
+
+      def initialize(app)
+        @app = app
+      end
+
+      def call
+        {
+          concerns: extract_concerns,
+          deprecators: extract_deprecators,
+          message_verifier_usage: extract_message_verifier_usage,
+          tagged_logging: detect_tagged_logging,
+          on_load_hooks: common_on_load_hooks,
+          cache_usage: detect_cache_usage
+        }
+      rescue => e
+        $stderr.puts "[rails-ai-context] ActiveSupportIntrospector#call failed: #{e.message}" if ENV["DEBUG"]
+        { error: e.message }
+      end
+
+      private
+
+      def root
+        app.root.to_s
+      end
+
+      CONCERN_DIRS = %w[
+        app/models/concerns
+        app/controllers/concerns
+        app/jobs/concerns
+        app/mailers/concerns
+        app/channels/concerns
+      ].freeze
+
+      def extract_concerns
+        result = {}
+        CONCERN_DIRS.each do |rel_dir|
+          dir = File.join(root, rel_dir)
+          next unless Dir.exist?(dir)
+
+          modules = Dir.glob(File.join(dir, "**/*.rb")).sort.filter_map do |path|
+            content = RailsAiContext::SafeFile.read(path) or next
+            mod_name = File.basename(path, ".rb").camelize
+            entry = { name: mod_name, file: path.sub("#{root}/", "") }
+            entry[:uses_active_support_concern] = true if content.include?("ActiveSupport::Concern")
+            entry[:included_blocks] = content.scan(/^\s*included\s+do\b/).size
+            entry[:class_methods_block] = content.include?("class_methods do")
+            entry
+          end
+          result[rel_dir] = modules if modules.any?
+        end
+        result
+      rescue => e
+        $stderr.puts "[rails-ai-context] extract_concerns failed: #{e.message}" if ENV["DEBUG"]
+        {}
+      end
+
+      # Rails 7.1+ registers deprecators per gem/component via
+      # `Rails.application.deprecators`. Return the registered keys.
+      def extract_deprecators
+        return [] unless app.respond_to?(:deprecators)
+        registry = app.deprecators
+        return [] unless registry
+
+        keys = if registry.respond_to?(:each) && registry.respond_to?(:map)
+          registry.map { |name, _d| name.to_s }
+        elsif registry.instance_variable_defined?(:@deprecators)
+          (registry.instance_variable_get(:@deprecators) || {}).keys.map(&:to_s)
+        else
+          []
+        end
+        keys.compact.sort.uniq
+      rescue => e
+        $stderr.puts "[rails-ai-context] extract_deprecators failed: #{e.message}" if ENV["DEBUG"]
+        []
+      end
+
+      # Scan `lib/` + `app/` for calls into ActiveSupport::MessageEncryptor and
+      # ActiveSupport::MessageVerifier. Used for tokens, signed IDs, etc.
+      def extract_message_verifier_usage
+        hits = []
+        %w[lib app].each do |rel|
+          dir = File.join(root, rel)
+          next unless Dir.exist?(dir)
+
+          # Sort before slicing — Dir.glob ordering is filesystem-dependent
+          # and would produce non-deterministic output on large monorepos.
+          Dir.glob(File.join(dir, "**/*.rb")).sort.first(2000).each do |path|
+            content = RailsAiContext::SafeFile.read(path) or next
+            next unless content.match?(/MessageEncryptor|MessageVerifier/)
+            relative = path.sub("#{root}/", "")
+            hits << { file: relative, encryptor: content.include?("MessageEncryptor"), verifier: content.include?("MessageVerifier") }
+          end
+        end
+        hits
+      rescue => e
+        $stderr.puts "[rails-ai-context] extract_message_verifier_usage failed: #{e.message}" if ENV["DEBUG"]
+        []
+      end
+
+      def detect_tagged_logging
+        result = { configured: false }
+        config_logger = app.config.log_tags
+        if config_logger.is_a?(Array) && config_logger.any?
+          result[:configured] = true
+          result[:tags] = config_logger.map(&:to_s)
+        end
+
+        # Initializer pattern: Rails.logger = ActiveSupport::TaggedLogging.new(…)
+        Dir.glob(File.join(root, "config/initializers/*.rb")).each do |path|
+          content = RailsAiContext::SafeFile.read(path) or next
+          if content.include?("ActiveSupport::TaggedLogging")
+            result[:configured] = true
+            result[:initializer] = path.sub("#{root}/", "")
+            break
+          end
+        end
+        result
+      rescue => e
+        $stderr.puts "[rails-ai-context] detect_tagged_logging failed: #{e.message}" if ENV["DEBUG"]
+        { configured: false }
+      end
+
+      # The canonical lazy hooks that Railties expose. Report which have at
+      # least one subscriber attached so AI can reason about load-order.
+      COMMON_HOOKS = %i[
+        active_record before_initialize after_initialize
+        action_controller action_controller_base action_controller_api
+        action_view action_mailer active_job active_storage
+        action_cable action_text action_mailbox
+      ].freeze
+
+      def common_on_load_hooks
+        return [] unless defined?(ActiveSupport) && ActiveSupport.respond_to?(:on_load)
+        registry = ActiveSupport.instance_variable_get(:@load_hooks)
+        return [] unless registry.respond_to?(:each_key)
+
+        registry.each_key.filter_map do |name|
+          next unless COMMON_HOOKS.include?(name)
+          callbacks = registry[name]
+          callback_count = callbacks.respond_to?(:size) ? callbacks.size : 0
+          { hook: name.to_s, callbacks: callback_count } if callback_count > 0
+        end.sort_by { |h| h[:hook] }
+      rescue => e
+        $stderr.puts "[rails-ai-context] common_on_load_hooks failed: #{e.message}" if ENV["DEBUG"]
+        []
+      end
+
+      def detect_cache_usage
+        store = app.config.cache_store
+        entry = {
+          store: store.is_a?(Array) ? store.first.to_s : store.to_s
+        }
+        if store.is_a?(Array) && store.last.is_a?(Hash)
+          entry[:options] = store.last.keys.map(&:to_s)
+        end
+        entry
+      rescue => e
+        $stderr.puts "[rails-ai-context] detect_cache_usage failed: #{e.message}" if ENV["DEBUG"]
+        {}
+      end
+    end
+  end
+end

data/lib/rails_ai_context/introspectors/autoload_introspector.rb

@@ -0,0 +1,135 @@
+# frozen_string_literal: true
+
+module RailsAiContext
+  module Introspectors
+    # Extracts the autoloading configuration: Zeitwerk vs Classic, custom
+    # inflections, autoload/eager-load paths, collapsed dirs, and ignored
+    # paths. Covers RAILS_NERVOUS_SYSTEM.md §3 (Autoloading — Zeitwerk).
+    class AutoloadIntrospector
+      attr_reader :app
+
+      def initialize(app)
+        @app = app
+      end
+
+      # @return [Hash] autoloader configuration
+      def call
+        {
+          mode: detect_mode,
+          zeitwerk_available: zeitwerk_available?,
+          autoloaders: extract_autoloaders,
+          autoload_paths: relativize(app.config.autoload_paths),
+          autoload_once_paths: relativize(app.config.autoload_once_paths),
+          eager_load_paths: relativize(app.config.eager_load_paths),
+          eager_load: !!app.config.eager_load,
+          custom_inflections: extract_custom_inflections
+        }
+      rescue => e
+        $stderr.puts "[rails-ai-context] AutoloadIntrospector#call failed: #{e.message}" if ENV["DEBUG"]
+        { error: e.message }
+      end
+
+      private
+
+      def root
+        app.root.to_s
+      end
+
+      def zeitwerk_available?
+        defined?(Zeitwerk) && defined?(Rails) && Rails.respond_to?(:autoloaders) && Rails.autoloaders.respond_to?(:main)
+      end
+
+      def detect_mode
+        return "zeitwerk" if zeitwerk_available?
+        return "classic" if defined?(Rails) && app.config.respond_to?(:autoloader) && app.config.autoloader == :classic
+        "unknown"
+      end
+
+      # Return per-autoloader metadata: name, collapsed dirs, ignored paths.
+      # Rails exposes `Rails.autoloaders.main` and `.once` by default.
+      def extract_autoloaders
+        return [] unless zeitwerk_available?
+
+        %i[main once].filter_map do |kind|
+          loader = Rails.autoloaders.public_send(kind) if Rails.autoloaders.respond_to?(kind)
+          next unless loader
+
+          entry = { name: kind.to_s }
+          entry[:tag] = loader.tag.to_s if loader.respond_to?(:tag)
+          entry[:collapsed] = relativize(extract_collapsed(loader))
+          entry[:ignored]   = relativize(extract_ignored(loader))
+          entry[:root_dirs] = relativize(extract_root_dirs(loader))
+          entry
+        rescue => e
+          $stderr.puts "[rails-ai-context] extract autoloader #{kind} failed: #{e.message}" if ENV["DEBUG"]
+          { name: kind.to_s, error: e.message }
+        end
+      end
+
+      def extract_collapsed(loader)
+        collapsed = loader.instance_variable_get(:@collapse_dirs)
+        return [] unless collapsed
+        collapsed.respond_to?(:to_a) ? collapsed.to_a.map(&:to_s) : []
+      rescue => e
+        $stderr.puts "[rails-ai-context] extract_collapsed failed: #{e.message}" if ENV["DEBUG"]
+        []
+      end
+
+      def extract_ignored(loader)
+        ignored = loader.instance_variable_get(:@ignored_paths)
+        return [] unless ignored
+        ignored.respond_to?(:to_a) ? ignored.to_a.map(&:to_s) : []
+      rescue => e
+        $stderr.puts "[rails-ai-context] extract_ignored failed: #{e.message}" if ENV["DEBUG"]
+        []
+      end
+
+      def extract_root_dirs(loader)
+        return loader.dirs.to_a if loader.respond_to?(:dirs) && loader.dirs.respond_to?(:to_a)
+        roots = loader.instance_variable_get(:@roots)
+        return roots.keys.map(&:to_s) if roots.respond_to?(:keys)
+        []
+      rescue => e
+        $stderr.puts "[rails-ai-context] extract_root_dirs failed: #{e.message}" if ENV["DEBUG"]
+        []
+      end
+
+      # Collect `inflect` blocks and `Zeitwerk::Inflector` customizations
+      # declared in config/initializers/*.rb.
+      def extract_custom_inflections
+        dir = File.join(root, "config/initializers")
+        return [] unless Dir.exist?(dir)
+
+        inflections = []
+        Dir.glob(File.join(dir, "*.rb")).sort.each do |path|
+          content = RailsAiContext::SafeFile.read(path) or next
+          rel = path.sub("#{root}/", "")
+
+          # inflect "api" => "API", "xml" => "XML"
+          content.scan(/inflect\(?\s*((?:["'][^"']+["']\s*=>\s*["'][^"']+["'],?\s*)+)/).each do |match|
+            pairs = match[0].scan(/["']([^"']+)["']\s*=>\s*["']([^"']+)["']/)
+            inflections.concat(pairs.map { |k, v| { file: rel, rule: "#{k} => #{v}" } })
+          end
+
+          # inflect.acronym "API" / inflect.plural /…/, "…" / inflect.irregular "…", "…"
+          # Matches both inside `do |inflect|` blocks and via direct Inflector calls.
+          content.scan(/\binflect\.(acronym|plural|singular|irregular|uncountable|human)\s+["']([^"']+)["'](?:\s*,\s*["']([^"']+)["'])?/).each do |method, arg1, arg2|
+            rule = arg2 ? "#{method}: #{arg1} => #{arg2}" : "#{method}: #{arg1}"
+            inflections << { file: rel, rule: rule }
+          end
+        end
+        inflections.uniq
+      rescue => e
+        $stderr.puts "[rails-ai-context] extract_custom_inflections failed: #{e.message}" if ENV["DEBUG"]
+        []
+      end
+
+      def relativize(paths)
+        Array(paths).map do |p|
+          s = p.to_s
+          s.start_with?(root) ? s.sub("#{root}/", "") : s
+        end
+      end
+    end
+  end
+end