rails-ai-context 5.9.1 → 5.11.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 63fa43e2446217a8b226ba3fd59b0345c7e4fec6300acd0ab877354339187dac
-  data.tar.gz: 0d12192067351b3e28e1ae8ba16792be31a8e340e356b4b261249345a2295fa3
+  metadata.gz: 21293efcd236f2ea0b04dd95564369f21e071a0373e71343caa740db9a2eb9f1
+  data.tar.gz: 0b9487187d0af78dc5e3fdd02f6f0910a132c69d306d0472ee98174baa9773d4
 SHA512:
-  metadata.gz: 6d3f4378d84b890464cdda8c550195430987c05970b892184bda610fb727f7614d943b46141e4b3f7b39642503deacf71b76fca933923aada849e1c39f887fef
-  data.tar.gz: 4632cbf34995fb74922c19f89988d7bd4a5dfb3cdac98ab78e8ab3d08bac11f84c3cab0df68364b46740c133fdda22bd7311400dd5381d857b611cb4de2fe6e7
+  metadata.gz: '016190a6a753c61f7363a7ad61855c153ef2a9c0d98e2ffb95dd164a1c1310deb9a8963b9afed5ff2c12d12644a93470d2d1d38bb510ddda69579e77f8941755'
+  data.tar.gz: 730deb817f8800b7468d4dd09e0af68c1a1429e4475c19e05eefc77d1e2728a246e2e4e2ba04249685de7a9b70c6248742773225d75df2b13d5e2fcd73694307

data/CHANGELOG.md

@@ -5,6 +5,95 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [5.11.0] — 2026-05-24
+
+### Changed — Prism AST migration: all introspectors now use structural code extraction
+
+Every introspector that scans `.rb` files has been migrated from regex-based pattern matching to Prism AST-based structural extraction. This is a zero-regression internal refactor -- all introspector outputs are verified identical via side-by-side comparison, 2257 unit tests, 119 E2E tests, and live validation against a production-scale Rails 8.1 app (39/39 introspectors, 41/41 tool invocations, 0 failures).
+
+**What changed internally:**
+
+- **`SourceIntrospector.walk(path, listener_map)`** -- new generic API that accepts any combination of listener classes or Proc factories, enabling ad-hoc AST extraction without modifying the core dispatcher. Supports both `Class` values (instantiated via `.new`) and `-> { Instance }` lambdas for configurable listeners.
+- **11 new listener classes** for patterns beyond the original 7 model-level listeners:
+  - `GenericMacroListener` -- configurable no-receiver call detector (handles most Rails DSL patterns including `self.method` calls)
+  - `ChainedCallListener` -- method calls with receivers (`.variant()`, `.includes()`, `.create()`)
+  - `VariantCallListener` -- ActiveStorage variant detection
+  - `MailboxRoutingListener` -- ActionMailbox routing + lifecycle callbacks
+  - `MiddlewareConfigListener` -- `config.middleware.use/insert_before/insert_after/unshift`
+  - `EnvAccessListener` -- `ENV["KEY"]` / `ENV.fetch("KEY")` with block-default detection
+  - `MountListener` -- `mount Engine, at: "/path"` (both keyword and hash-rocket syntax)
+  - `RakeTaskDslListener` -- `namespace`/`desc`/`task` with deps and args (handles string + symbol deps)
+  - `GemfileDslListener` -- `gem`/`group`/`source` with group-scope tracking
+  - `SchemaDslListener` -- `create_table`/`t.type`/`t.index`/`add_foreign_key`/`create_enum`/`check_constraint`
+  - `MigrationDslListener` -- `create_table`/`add_column`/`add_index`/`rename_column`/`add_reference` and 6 more actions
+- **28 introspectors converted**: ActiveStorage, ActionText, ActionMailbox, Middleware, ActiveSupport, Auth, Security, Controller (all 9 regex blocks including strong params, filters, rescue_from, rate_limit, respond_to, turbo_stream), Convention, Turbo, MultiDatabase, Performance, Job, Model, Component, View, Api, AssetPipeline, DevOps, Env, Gem, RakeTask, Engine, Seeds, Test, Schema, Config.
+- **181 regex patterns intentionally remain** in categories where Prism cannot help: non-Ruby files (JS/TS/ERB/Haml -- 78), keyword/content matching (22), config assignments (15), runtime SQL/YAML (25), and complex partial patterns (41).
+
+**What didn't change:**
+
+- All introspector output formats are identical. No consumer-facing API changes.
+- All 39 MCP tools work exactly as before.
+- Runtime reflection paths (ActiveRecord, Rails config, I18n, etc.) are untouched.
+- Non-Ruby file scanning (YAML, JSON, ERB, JS, Procfile, Dockerfile, Gemfile.lock) is untouched.
+
+**Why this matters:**
+
+- Regex scanning matches patterns in comments, strings, and dead code. AST extraction only matches actual code structure -- fewer false positives.
+- Multi-line declarations that broke regex (e.g., `devise` with 9 modules across 3 lines, `before_action` with complex `only:`/`except:` constraints) are now parsed correctly by Prism.
+- The `AstCache` provides thread-safe LRU caching of parse results, so repeated walks of the same file are free.
+- New listeners are composable -- introspectors mix and match listeners via `SourceIntrospector.walk(path, { key: Listener })` without coupling.
+
+### Fixed
+
+- Avoid false-positive route helper warnings when `rails_validate` sees locally defined Ruby methods ending in `_path` or `_url` (#83, thanks @curi).
+- Preserve newline-separated staged file names in the generated pre-commit validation hook (#83).
+
+### Tests
+
+- 2257 unit examples (up from 2154), 0 failures
+- 119 E2E examples, 0 failures
+- 47 edge-case tests for controller, auth, and security AST conversions
+- 10 listener edge-case tests (block-syntax ENV defaults, string rake deps, insert-with-index middleware, hash-rocket mounts, complex gem lines)
+- Side-by-side regression comparison: all 39 introspector outputs verified identical between old regex and new AST code
+
+## [5.10.0] — 2026-04-20
+
+### Added — 8 new introspectors closing RAILS_NERVOUS_SYSTEM.md gaps
+
+An audit against [`RAILS_NERVOUS_SYSTEM.md`](RAILS_NERVOUS_SYSTEM.md) identified 9 framework sections where introspection was missing or partial. This release ships the 8 introspectors needed to close them (the 9th — §11 Query interface — was already covered by `:conventions` via `load_async` / `.async_*` scanning). All are wired into `PRESETS[:full]`. The gem now exposes **39 introspectors** (up from 31).
+
+- **`InitializerIntrospector` (`:initializers`, §2).** Enumerates `Rails.application.initializers` — every initializer's name, owner, declared `before:` / `after:` ordering edges, and the `source_location` of its block. Also summarizes each `config/initializers/*.rb` file (initializer count + the top `config.*` setters it touches) so AI can jump straight to user-owned boot code.
+- **`AutoloadIntrospector` (`:autoload`, §3).** Zeitwerk presence, both `Rails.autoloaders.main` and `.once` with their collapsed dirs + ignored paths + root dirs, raw `autoload_paths` / `autoload_once_paths` / `eager_load_paths`, the resolved `eager_load` boolean, plus custom inflection rules extracted from `config/initializers/*.rb` (`inflect.acronym` / `.plural` / `.singular` / `.irregular` / `.uncountable` / `.human`). Paths are root-relative.
+- **`ConnectionPoolIntrospector` (`:connection_pool`, §10).** Per-database adapter config: `pool`, `checkout_timeout`, `idle_timeout`, `reaping_frequency`, `prepared_statements`, `advisory_locks`, replica flag, role, connection-handler pool counts per role (`:writing` / `:reading`), and automatic shard selector detection (Rails 7.1+ `ActiveRecord::Middleware::ShardSelector`). Complements `:database_stats` (which only returns row counts).
+- **`ActiveSupportIntrospector` (`:active_support`, §17).** Covers ActiveSupport runtime surface other introspectors leave untouched: Concerns in `app/**/concerns/` (with `ActiveSupport::Concern` / `included do` / `class_methods do` flags), `Rails.application.deprecators` registry keys, MessageEncryptor + MessageVerifier usage scan across `lib/` + `app/`, TaggedLogging configuration (`config.log_tags` + initializer-based `ActiveSupport::TaggedLogging.new`), active on-load hooks, and cache-store options.
+- **`CredentialsIntrospector` (`:credentials`, §30).** Default `config/credentials.yml.enc` + every per-env `config/credentials/<env>.yml.enc`, master-key source resolution (`env:RAILS_MASTER_KEY` / `file:config/master.key` / `missing`), `config.require_master_key` flag, arbitrary encrypted configs (`config/<name>.yml.enc` pairs), and top-level credential **key names only** — decrypted hash is inspected for `.keys` and nothing more. A regression spec asserts no known credential value appears in the output.
+- **`SecurityIntrospector` (`:security`, §32).** Framework-level security controls `auth_introspector` doesn't cover: `config.force_ssl`, SSL options (HSTS `expires` / `subdomains` / `preload`, `redirect`, `secure_cookies`), `config.hosts` + `host_authorization` options, `ContentSecurityPolicy` directives (including `report_only`), `PermissionsPolicy` directives, CSRF config (`protect_from_forgery` declaration, `per_form_csrf_tokens`, `forgery_protection_origin_check`), cookie session options (`:key`, `:secure`, `:httponly`, `:same_site`, `:domain`, `:path`, `:expire_after`), and Rails 7.2+ `allow_browser` calls per controller.
+- **`ObservabilityIntrospector` (`:observability`, §34 + §38).** `ActiveSupport::LogSubscriber.log_subscribers` catalog (class + namespace), full `ActiveSupport::Notifications` subscriber registry walked via `@string_subscribers` / `@other_subscribers` / legacy `@subscribers` (handles Rails 7.0/7.1/8.x variants — grouped by pattern with subscriber count + sample class name), `ActionDispatch::ServerTiming` middleware detection + `config.server_timing` flag, Rails 8.1 `event_reporter` availability, log level + tags + `colorize_logging`, and a static catalog of 60+ canonical Rails event names across 10 subsystems (`action_controller`, `action_view`, `active_record`, `active_job`, `action_mailer`, `action_mailbox`, `action_cable`, `active_support`, `active_storage`, `railties`).
+- **`EnvIntrospector` (`:env`, §36).** Curated catalog of 30+ Rails-related ENV vars (core, server, bundler, assets, boot, secrets, database, cache, deploy, platform, observability, testing) partitioned into `set` / `unset`. Safe vars (`RAILS_ENV`, `RAILS_MAX_THREADS`, `PORT`, etc.) return their value. Sensitive vars (`SECRET_KEY_BASE`, `RAILS_MASTER_KEY`, `DATABASE_URL`, `REDIS_URL`, `KAMAL_REGISTRY_PASSWORD`, etc.) return `redacted: true` only — the value never leaves the process. Also scans `config/`/`app/`/`lib/` for app-specific `ENV["X"]` / `ENV.fetch("X")` references beyond the catalog.
+
+### Why these specifically
+
+Each corresponds to a `RAILS_NERVOUS_SYSTEM.md` section the audit flagged as uncovered. Partial-coverage sections (§2 filenames, §3 Zeitwerk presence, §17 CurrentAttributes, §27 Solid Trifecta, §30 boolean, §32 CORS/CSP/force_ssl, §34 N+1 anti-patterns, §36 puma/procfile) are preserved — the new introspectors complement rather than replace existing ones.
+
+### Preset wiring
+
+All 8 are in `PRESETS[:full]`. None are in `PRESETS[:standard]` — they're framework-runtime data most valuable in `full` mode where comprehensive context outranks boot speed. `config.introspectors.size` for `:full` is now `39` (from `31`). The configuration spec was updated accordingly.
+
+### Tests
+
+Every new introspector ships with a unit spec under `spec/lib/rails_ai_context/introspectors/*_introspector_spec.rb`, plus an orchestrator-level assertion in `spec/lib/rails_ai_context/introspector_spec.rb` that all 8 keys land in the context hash, plus a real-Rails-app e2e spec at `spec/e2e/nervous_system_introspectors_spec.rb` (8 examples, run via `E2E=1`). Specs assert shape guarantees, error absence, category-specific invariants, and the `CredentialsIntrospector` / `EnvIntrospector` specs include explicit sentinel-value leak assertions (a secret is injected, then the output hash is searched for the sentinel string). The full non-e2e suite runs **2154 examples, 0 failures**.
+
+### Fixed — post-review hardening
+
+Three parallel code reviews (security/data-leak, Rails-version correctness, CLAUDE.md invariant compliance) surfaced the following issues, all addressed in this release:
+
+- **`ObservabilityIntrospector#detect_event_reporter` crashed on Rails 8.1.** The original code called `reporter.tagged` without a block to read "registered tags". `ActiveSupport::EventReporter#tagged` delegates unconditionally to `TagStack#with_tags(&block)` which `yield`s — a blockless call raises `LocalJumpError`. The outer `rescue` caught it and returned `{ available: false }`, which silently misreported Rails 8.1 apps as lacking the event reporter and dropped the `subscriber_count` too. The `entry[:tags]` line was removed; `tagged` is stack-scoped context, not an introspectable keyspace. `subscriber_count` is still reported.
+- **`ObservabilityIntrospector#extract_subscribers_from_notifier` had dead code.** A "legacy `@subscribers` (array)" fallback claimed to support Rails 7.0, but Rails 7.0 already used `@string_subscribers` + `@other_subscribers`. The flat `@subscribers` ivar hasn't existed since Rails ≤ 5.x, so the branch was unreachable across the entire 7.1 / 7.2 / 8.0 CI matrix. Removed. Also: the `subscriber_raw_pattern` helper now unwraps `ActiveSupport::Notifications::Fanout::Subscribers::Matcher` one level deep so Regexp-pattern subscribers surface as `"pattern.source"` instead of `"#<…::Matcher:0x…>"`.
+- **`CredentialsIntrospector` leaked paths via `e.message`.** Both the top-level `rescue` and `inspect_default_credentials`'s rescue returned `{ error: e.message }` in the output hash. OS-level errors (`Errno::EACCES`, `Errno::ENOENT`) and OpenSSL decryption failures include absolute paths with the OS username in their message — credentials-adjacent data that shouldn't leave the process. Both rescues now return `{ error: "…failed", exception_class: e.class.name }`; `e.message` stays in the `ENV["DEBUG"]`-gated stderr log where it's fine. New regression specs inject a `Errno::EACCES` with a path containing `/Users/alice/secret/master.key` and assert neither `"/Users/alice"` nor `"alice/secret"` appears anywhere in the output.
+- **`EnvIntrospector` classified `BUNDLE_PATH` and `BUNDLE_GEMFILE` as safe-to-return.** Both are absolute filesystem paths that usually contain the OS username (e.g. `/Users/alice/.bundle`). Flipped to `safe: false` so only presence is reported, matching the treatment of other path-containing vars (`DATABASE_URL`, `REDIS_URL`, etc.).
+- **`ActiveSupportIntrospector` + `EnvIntrospector` had non-deterministic directory walks.** Both called `Dir.glob(...).first(2000)` to cap traversal on large monorepos, but `Dir.glob` ordering is filesystem-dependent, so the selected 2000-file slice could differ run-to-run. Both now call `Dir.glob(...).sort.first(2000)`, matching the `.sort` already used by the other new introspectors.
+- **Spec-coverage gaps on ivar-derived paths.** The reviewers flagged that three silently-failing paths had no assertions: initializer `:source` capture (via `@block.source_location`), connection_pool `:pool_config` shape, and the `@other_subscribers` Regexp-pattern branch in the Fanout walk. All three now have targeted assertions — a silent drift if any of these ivars is renamed upstream will now fail CI.
+
 ## [5.9.1] — 2026-04-20
 
 ### Fixed — `GetConcern` missed plural concern names (#78)

data/CONTRIBUTING.md

@@ -19,7 +19,7 @@ The test suite uses [Combustion](https://github.com/pat/combustion) to boot a mi
 ```
 lib/rails_ai_context/
 ├── cli/               # CLI tool runner (tool_runner.rb) — executes MCP tools from rake/Thor
-├── introspectors/     # 31 introspectors (schema, models, routes, etc.)
+├── introspectors/     # 39 introspectors (schema, models, routes, etc.)
 ├── tools/             # 38 MCP tools with detail levels and pagination
 ├── serializers/       # Per-assistant formatters + shared ToolGuideHelper
 ├── server.rb          # MCP server setup (stdio + HTTP)

data/README.md

@@ -21,7 +21,7 @@
 <br>
 [![Ruby](https://img.shields.io/badge/Ruby-3.2%20%7C%203.3%20%7C%203.4-CC342D)](https://github.com/crisnahine/rails-ai-context)
 [![Rails](https://img.shields.io/badge/Rails-7.1%20%7C%207.2%20%7C%208.0-CC0000)](https://github.com/crisnahine/rails-ai-context)
-[![Tests](https://img.shields.io/badge/Tests-2078%20passing-brightgreen)](https://github.com/crisnahine/rails-ai-context/actions)
+[![Tests](https://img.shields.io/badge/Tests-2257%20passing-brightgreen)](https://github.com/crisnahine/rails-ai-context/actions)
 [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](LICENSE)
 
 </div>
@@ -397,7 +397,7 @@ Enabled by default. Disable with `config.anti_hallucination_rules = false` if yo
 
 ```mermaid
 graph TD
-    A["Your Rails App\nmodels + schema + routes + controllers + views + jobs"] -->|"31 introspectors"| B
+    A["Your Rails App\nmodels + schema + routes + controllers + views + jobs"] -->|"39 introspectors"| B
 
     B["rails-ai-context\nPrism AST parsing · Cached · Confidence-tagged\nVFS: rails-ai-context:// URIs introspected fresh"]
 
@@ -459,7 +459,7 @@ Both paths ask which AI tools you use (Claude Code, Cursor, GitHub Copilot, Open
 | **[Configuration](docs/CONFIGURATION.md)** | 40+ config options with defaults |
 | **[AI Tool Setup](docs/SETUP.md)** | Claude, Cursor, Copilot, OpenCode, Codex |
 | **[Architecture](docs/ARCHITECTURE.md)** | System design and internals |
-| **[Introspectors](docs/INTROSPECTORS.md)** | All 31 introspectors and AST engine |
+| **[Introspectors](docs/INTROSPECTORS.md)** | All 39 introspectors and AST engine |
 | **[Security](docs/SECURITY.md)** | 4-layer SQL safety and file blocking |
 | **[CLI Reference](docs/CLI.md)** | Commands and argument syntax |
 | **[Standalone](docs/STANDALONE.md)** | Use without Gemfile entry |
@@ -508,7 +508,7 @@ if defined?(RailsAiContext)
   RailsAiContext.configure do |config|
     config.ai_tools   = %i[claude cursor] # Which AI tools to generate for
     config.tool_mode  = :mcp              # :mcp (default) or :cli
-    config.preset     = :full             # :full (31 introspectors) or :standard (17)
+    config.preset     = :full             # :full (39 introspectors) or :standard (17)
   end
 end
 ```
@@ -543,7 +543,7 @@ end
 ## About
 
 Built by a Rails developer with 10+ years of production experience.<br>
-2078 tests + 100-example e2e harness. 38 tools. 5 resource templates. 31 introspectors. Standalone or in-Gemfile.<br>
+2154 tests + 100-example e2e harness. 38 tools. 5 resource templates. 39 introspectors. Standalone or in-Gemfile.<br>
 MIT licensed. [Contributions welcome.](CONTRIBUTING.md)
 
 <br>

data/docs/ARCHITECTURE.md

@@ -18,7 +18,7 @@ graph TD
         A["models + schema + routes + controllers + views + jobs + config"]
     end
 
-    A -->|"31 introspectors"| gem
+    A -->|"39 introspectors"| gem
 
     subgraph gem["rails-ai-context"]
         direction TB
@@ -26,7 +26,7 @@ graph TD
         subgraph engine["Introspection Engine"]
             direction LR
             I["Introspectors\n31 modules\nPresets\nCached"]
-            AST["AST Engine\nPrism\n7 listeners\nConfidence tags"]
+            AST["AST Engine\nPrism\n20 listeners\nConfidence tags"]
             H["Hydration Layer\nSchema hints\ninjected into\ntool responses"]
         end
 
@@ -101,7 +101,7 @@ flowchart LR
 
 ### Introspectors (`lib/rails_ai_context/introspectors/`)
 
-31 modules that extract structured data from your Rails app. Each introspector:
+39 modules that extract structured data from your Rails app. Each introspector:
 
 - Returns a Hash (never raises — wraps errors in `{ error: msg }`)
 - Is registered in `INTROSPECTOR_MAP` with a symbol key

data/docs/CONFIGURATION.md

@@ -56,7 +56,7 @@ preset: full
 
 | Option | Type | Default | Description |
 |:-------|:-----|:--------|:------------|
-| `preset` | Symbol | `:full` | `:full` (31 introspectors) or `:standard` (17 introspectors) |
+| `preset` | Symbol | `:full` | `:full` (39 introspectors) or `:standard` (17 introspectors) |
 | `context_mode` | Symbol | `:compact` | `:compact` (context files capped at ~150 lines) or `:full` (no line cap) |
 | `introspectors` | Array of symbols | (from preset) | Override the introspector list directly |
 | `generate_root_files` | Boolean | `true` | Set `false` to generate split rules only, no root CLAUDE.md/AGENTS.md |
@@ -155,7 +155,7 @@ preset: full
 
 ## Presets
 
-### `:full` (default) — 31 introspectors
+### `:full` (default) — 39 introspectors
 
 All available introspectors. Best for comprehensive context.
 

data/docs/FAQ.md

@@ -99,7 +99,7 @@ PostgreSQL, MySQL, and SQLite. Each gets database-specific safety mechanisms (re
 
 ### What's the difference between `:full` and `:standard` preset?
 
-- **`:full`** (default) — 31 introspectors. Comprehensive context for every aspect of your app.
+- **`:full`** (default) — 39 introspectors. Comprehensive context for every aspect of your app.
 - **`:standard`** — 17 introspectors. Faster, covers the essentials (schema, models, routes, controllers, tests, etc.).
 
 ### What's `:compact` vs `:full` context mode?

data/docs/GUIDE.md

@@ -24,7 +24,7 @@
 | [Configuration](CONFIGURATION.md) | Every config option |
 | [AI Tool Setup](SETUP.md) | Per-editor setup |
 | [Architecture](ARCHITECTURE.md) | System design and internals |
-| [Introspectors](INTROSPECTORS.md) | All 31 introspectors |
+| [Introspectors](INTROSPECTORS.md) | All 39 introspectors |
 | [Security](SECURITY.md) | Security model and SQL safety |
 | [CLI Reference](CLI.md) | All commands and argument syntax |
 | [Standalone Mode](STANDALONE.md) | Use without Gemfile |
@@ -1192,7 +1192,7 @@ if defined?(RailsAiContext)
   RailsAiContext.configure do |config|
     # --- Introspectors ---
 
-    # Presets: :full (31 introspectors, default) or :standard (17)
+    # Presets: :full (39 introspectors, default) or :standard (17)
     config.preset = :full
 
     # Cherry-pick on top of a preset
@@ -1311,7 +1311,7 @@ end
 | Option | Type | Default | Description |
 |--------|------|---------|-------------|
 | `preset` | Symbol | `:full` | Introspector preset (`:full` or `:standard`) |
-| `introspectors` | Array | 31 (full preset) | Which introspectors to run |
+| `introspectors` | Array | 39 (full preset) | Which introspectors to run |
 | `context_mode` | Symbol | `:compact` | `:compact` or `:full` |
 | `claude_max_lines` | Integer | `150` | Max lines for CLAUDE.md in compact mode |
 | `max_tool_response_chars` | Integer | `200_000` | Safety cap for MCP tool responses |
@@ -1398,7 +1398,7 @@ Core Rails structure only. Use `config.preset = :standard` for a lighter footpri
 | `performance` | N+1 query risks, missing counter_cache, missing FK indexes, Model.all anti-patterns, eager load candidates. |
 | `i18n` | Default locale, available locales, locale files with key counts, backend class, parse errors. |
 
-### Full preset (31 introspectors) — default
+### Full preset (39 introspectors) — default
 
 Includes all standard introspectors plus:
 
@@ -1534,11 +1534,11 @@ OpenCode uses **per-directory lazy-loading**: when the agent reads a file, it wa
 
 | Setup | Coverage | Notes |
 |-------|----------|-------|
-| Rails full-stack (ERB + Hotwire) | 31/31 | All introspectors relevant |
-| Rails + Inertia.js (React/Vue) | ~25/31 | Views/Turbo partially useful, backend fully covered |
-| Rails API + React/Next.js SPA | ~23/31 | Schema, models, routes, API, auth, jobs — all covered |
-| Rails API + mobile app | ~23/31 | Same as SPA — backend introspection is identical |
-| Rails engine (mountable gem) | ~18/31 | Core introspectors (schema, models, routes, gems) work |
+| Rails full-stack (ERB + Hotwire) | 39/39 | All introspectors relevant |
+| Rails + Inertia.js (React/Vue) | ~33/39 | Views/Turbo partially useful, backend fully covered |
+| Rails API + React/Next.js SPA | ~31/39 | Schema, models, routes, API, auth, jobs — all covered |
+| Rails API + mobile app | ~31/39 | Same as SPA — backend introspection is identical |
+| Rails engine (mountable gem) | ~26/39 | Core introspectors (schema, models, routes, gems) work |
 
 Frontend introspectors (views, Turbo, Stimulus, assets) degrade gracefully — they report nothing when those features aren't present.
 

data/docs/INTROSPECTORS.md

@@ -2,7 +2,7 @@
 
 # Introspectors
 
-**31 modules that extract structured data from your Rails application.**
+**39 modules that extract structured data from your Rails application.**
 
 [Architecture](ARCHITECTURE.md) · [Configuration](CONFIGURATION.md) · [Tools Reference](TOOLS.md) · [Security](SECURITY.md)
 
@@ -21,7 +21,7 @@ Each introspector:
 
 ## Presets
 
-### `:full` (default) — all 31 introspectors
+### `:full` (default) — all 39 introspectors
 
 Best for comprehensive AI context. Covers every aspect of your app.
 
@@ -49,13 +49,16 @@ graph LR
         S16["performance"] ~~~ S17["i18n"]
     end
 
-    subgraph full_only["Full Preset adds +14"]
+    subgraph full_only["Full Preset adds +22"]
         direction TB
         F1["views"] ~~~ F2["database_stats"] ~~~ F3["api"]
         F4["active_storage"] ~~~ F5["action_text"] ~~~ F6["action_mailbox"]
         F7["rake_tasks"] ~~~ F8["assets"] ~~~ F9["devops"]
         F10["seeds"] ~~~ F11["middleware"] ~~~ F12["engines"]
         F13["multi_database"] ~~~ F14["frontend_frameworks"]
+        F15["initializers"] ~~~ F16["autoload"] ~~~ F17["connection_pool"]
+        F18["active_support"] ~~~ F19["credentials"] ~~~ F20["security"]
+        F21["observability"] ~~~ F22["env"]
     end
 
     standard --> full_only
@@ -74,7 +77,7 @@ end
 
 ---
 
-## All 31 introspectors
+## All 39 introspectors
 
 ### Core
 
@@ -148,6 +151,21 @@ end
 | TestIntrospector | `:tests` | Test framework, file counts, coverage hints |
 | PerformanceIntrospector | `:performance` | N+1 risks, missing indexes, counter_cache hints |
 
+### Runtime & Framework Internals
+
+These introspectors map directly onto [`RAILS_NERVOUS_SYSTEM.md`](../RAILS_NERVOUS_SYSTEM.md) sections and capture framework-level surface that `:config`, `:auth`, and `:middleware` don't.
+
+| Introspector | Key | Nervous-system § | What it extracts |
+|:-------------|:----|:---|:-----------------|
+| InitializerIntrospector | `:initializers` | §2 | `Rails.application.initializers` graph: name, owner, `before:`/`after:` edges, block `source_location`, per-file `config/initializers/*.rb` summary |
+| AutoloadIntrospector | `:autoload` | §3 | Zeitwerk presence, autoloaders (`:main` / `:once`) with collapsed + ignored dirs, `autoload_paths`, `eager_load_paths`, custom inflections (`acronym`, `plural`, `singular`, `irregular`) |
+| ConnectionPoolIntrospector | `:connection_pool` | §10 | Per-database adapter config: pool size, `checkout_timeout`, `reaping_frequency`, `prepared_statements`, `advisory_locks`, replica flag, connection-handler roles, automatic shard selector detection |
+| ActiveSupportIntrospector | `:active_support` | §17 | Concerns in `app/**/concerns/` (ActiveSupport::Concern flags, `included do`/`class_methods do` blocks), deprecators registry, MessageEncryptor/Verifier usage, TaggedLogging config, common on-load hooks, cache store options |
+| CredentialsIntrospector | `:credentials` | §30 | Default + per-env encrypted files, master-key source (`env:RAILS_MASTER_KEY` vs `file:config/master.key` vs missing), `require_master_key` flag, arbitrary encrypted configs (`config/*.yml.enc`), top-level key **names only** (never values) |
+| SecurityIntrospector | `:security` | §32 | `force_ssl`, SSL options (HSTS `expires`/`subdomains`/`preload`), `host_authorization` hosts, ContentSecurityPolicy directives + `report_only`, PermissionsPolicy directives, CSRF config (`protect_from_forgery`, `per_form_csrf_tokens`, `origin_check`), cookie session options, Rails 7.2+ `allow_browser` usage |
+| ObservabilityIntrospector | `:observability` | §34 + §38 | `ActiveSupport::LogSubscriber.log_subscribers` catalog, AS::Notifications subscriber registry (pattern + count + sample class), `ActionDispatch::ServerTiming` middleware detection, Rails 8.1 `event_reporter` availability, log level + tags, canonical Rails event-name catalog (10 subsystems) |
+| EnvIntrospector | `:env` | §36 | Catalog of 30+ Rails-related ENV vars partitioned into `set` / `unset`; safe vars (`RAILS_ENV`, `RAILS_MAX_THREADS`, etc.) return values, sensitive vars (`SECRET_KEY_BASE`, `DATABASE_URL`, `RAILS_MASTER_KEY`, etc.) return `redacted: true` only; scans `config/`/`app/`/`lib/` for app-specific `ENV["X"]` references |
+
 ---
 
 ## AST-based introspection

data/docs/TROUBLESHOOTING.md

@@ -247,7 +247,7 @@ Without it, the tool reports "not installed" but the gem works fine otherwise.
 
 ### "Introspection is slow"
 
-1. Use `:standard` preset (17 introspectors vs 31)
+1. Use `:standard` preset (17 introspectors vs 39)
 2. Increase cache TTL: `config.cache_ttl = 300`
 3. Check schema file size: `rails ai:doctor` warns if too large
 4. Check view count: many views slow down view introspection

data/docs/index.md

@@ -25,7 +25,7 @@ Works with Claude Code, Cursor, GitHub Copilot, OpenCode, and Codex CLI.
 | **[Tools Reference](TOOLS.md)** | All 38 tools with every parameter |
 | **[Configuration](CONFIGURATION.md)** | 40+ config options with defaults |
 | **[CLI Reference](CLI.md)** | Commands and argument syntax |
-| **[Introspectors](INTROSPECTORS.md)** | All 31 introspectors and AST engine |
+| **[Introspectors](INTROSPECTORS.md)** | All 39 introspectors and AST engine |
 
 ## Learn