rigortype 0.1.11 → 0.1.13

data/plugins/rigor-rails-routes/lib/rigor/plugin/rails_routes/analyzer.rb

@@ -15,34 +15,126 @@ module Rigor
 
         # Built-in Rails helpers we don't want to flag as
         # unknown. The plugin's HelperTable describes
-        # user-declared routes; Rails ships built-in helpers
-        # (`url_for`, `polymorphic_path`, …) the plugin
-        # deliberately ignores.
+        # user-declared routes; Rails (and a small set of
+        # widely-used asset gems) ship built-in helpers
+        # (`url_for`, `polymorphic_path`, vite_ruby's
+        # `vite_asset_path`, …) the plugin deliberately ignores.
         BUILTIN_PASSTHROUGH = %w[
           url_for_path url_for_url
           polymorphic_path polymorphic_url
+          vite_asset_path vite_asset_url
+          expose_path expose_url
+          asset_path asset_url
+          image_path image_url
+          javascript_path javascript_url
+          stylesheet_path stylesheet_url
+          font_path font_url
+          video_path video_url
+          audio_path audio_url
         ].freeze
 
         Diagnostic = Struct.new(:path, :line, :column, :severity, :rule, :message, keyword_init: true)
 
         module_function
 
+        # RSpec / Minitest DSL methods that DECLARE a memoized
+        # local — `let(:foo) { ... }`, `subject(:foo) { ... }`,
+        # plus the bang and let_it_be variants. The first
+        # positional Symbol argument is the local name. A bare
+        # `subject { ... }` (no arg) defines `:subject` itself.
+        SHADOWING_DSL = %i[
+          let let! let_it_be let_it_be!
+          subject subject!
+        ].freeze
+
+        # Paths under which `unknown-helper` is suppressed. Route
+        # helpers are not customarily resolved through these
+        # directories, so a bare `shared_inbox_url` call inside
+        # `app/models/account.rb` (the call-site is the
+        # `accounts.shared_inbox_url` AR column accessor — same
+        # name as a hypothetical route helper) or a `default_url`
+        # inside `lib/paperclip/url_generator_extensions.rb` (the
+        # call-site is `Paperclip::UrlGenerator#default_url`, a
+        # gem-side instance method) would be a false positive.
+        # The core engine's `call.undefined-method` still catches
+        # a genuinely unreachable receiver. Cheap path-prefix
+        # check; no AR-column / gem-include analysis required.
+        SKIP_UNKNOWN_HELPER_PATHS = [
+          %r{(?:\A|/)app/models/},
+          %r{(?:\A|/)app/services/},
+          %r{(?:\A|/)app/workers/},
+          %r{(?:\A|/)app/finders/},
+          %r{(?:\A|/)app/policies/},
+          %r{(?:\A|/)app/validators/},
+          %r{(?:\A|/)app/uploaders/},
+          %r{(?:\A|/)lib/},
+          %r{(?:\A|/)db/},
+          %r{(?:\A|/)config/}
+        ].freeze
+
         # @param path [String] file being analysed
         # @param root [Prism::Node]
         # @param helper_table [HelperTable]
         # @return [Array<Diagnostic>]
         def diagnose(path:, root:, helper_table:)
+          suppress_unknown = SKIP_UNKNOWN_HELPER_PATHS.any? { |re| path.match?(re) }
+          # Same SKIP set silences `wrong-arity` too. A call
+          # like `group_path` inside `app/services/groups/nested_
+          # create_service.rb` is almost certainly the service's
+          # own instance method (`attr_accessor :group_path`) —
+          # both the unknown-helper check and the arity check
+          # against a registered route helper would FP.
           diagnostics = []
+          # Pre-walk the file to collect every name that
+          # shadows a route helper at call time: `let(:foo)`,
+          # `subject(:foo)`, `def foo`, and explicit local
+          # assignments (`foo_url = "..."`). At the call site
+          # `foo` then resolves to the shadowing local, not to
+          # the registered route helper — firing `unknown-helper`
+          # / `wrong-arity` against the helper would be a false
+          # positive against canonical RSpec idioms (Mastodon
+          # has 200+ such patterns in `spec/`).
+          shadowing = collect_shadowing_names(root)
+
           walk(root) do |call_node|
             name = call_node.name.to_s
             next unless name.end_with?("_path") || name.end_with?("_url")
             next if BUILTIN_PASSTHROUGH.include?(name)
+            next if shadowing.include?(name)
 
             entry = helper_table.find(name)
             if entry
+              # When the file is in a `SKIP_UNKNOWN_HELPER_PATHS`
+              # directory (models / services / workers / lib /
+              # …), don't emit the info or arity diagnostic
+              # against a registered helper either — the call
+              # is more likely the file's own instance method
+              # (e.g. `group_path` as an `attr_accessor`) that
+              # happens to share a name with a registered
+              # route helper. The unknown-helper suppression
+              # already silences the inverse case.
+              next if suppress_unknown
+
               diagnostics << info_diagnostic(path, call_node, entry)
               arity_diagnostic = arity_check(path, call_node, entry, helper_table)
               diagnostics << arity_diagnostic if arity_diagnostic
+            elsif helper_table.recognised?(name)
+              # Custom helper (discovered via
+              # `app/helpers/**/*.rb`) or a dynamic-provider
+              # Devise OmniAuth helper. We do NOT have an
+              # arity / path to validate — the helper is just
+              # known-to-exist. Skip the arity / info
+              # diagnostic; the absence of an `unknown-helper`
+              # error is the user-visible outcome.
+              next
+            elsif suppress_unknown
+              # File is in a directory where route helpers are
+              # not customarily resolved (models / lib / db /
+              # config). Skip `unknown-helper` to avoid false
+              # positives on AR column accessors / gem-side
+              # instance methods that happen to end in `_url` /
+              # `_path`.
+              next
             else
               diagnostics << unknown_helper_diagnostic(path, call_node, name, helper_table)
             end
@@ -50,6 +142,52 @@ module Rigor
           diagnostics
         end
 
+        # Walks the AST once and returns the Set of names that
+        # shadow a route helper for this file. Includes:
+        #
+        # - `def name` declarations (any level — the
+        #   per-method-scope visibility model Ruby uses means a
+        #   local `def` shadows the helper at every call site
+        #   reachable from where it is defined; we approximate
+        #   "reachable" with "anywhere in the same file").
+        # - RSpec `let` / `let!` / `let_it_be` / `let_it_be!` /
+        #   `subject` / `subject!` declarations.
+        # - Local assignments at any scope
+        #   (`foo_url = "..."`).
+        def collect_shadowing_names(root)
+          names = Set.new
+          walk_for_shadowing(root, names)
+          names
+        end
+
+        def walk_for_shadowing(node, names)
+          return unless node.is_a?(Prism::Node)
+
+          case node
+          when Prism::DefNode
+            names << node.name.to_s if node.receiver.nil?
+          when Prism::LocalVariableWriteNode
+            names << node.name.to_s
+          when Prism::CallNode
+            record_let_like_name(node, names)
+          end
+
+          node.compact_child_nodes.each { |child| walk_for_shadowing(child, names) }
+        end
+
+        def record_let_like_name(call_node, names)
+          return unless call_node.receiver.nil?
+          return unless SHADOWING_DSL.include?(call_node.name)
+
+          arg = call_node.arguments&.arguments&.first
+          if arg.is_a?(Prism::SymbolNode)
+            names << arg.unescaped
+          elsif call_node.name == :subject && call_node.arguments.nil?
+            # Bare `subject { ... }` defines `:subject` itself.
+            names << "subject"
+          end
+        end
+
         def walk(node, &)
           return unless node.is_a?(Prism::Node)
 
@@ -66,6 +204,25 @@ module Rigor
           node.receiver.nil? && (node.name.to_s.end_with?("_path") || node.name.to_s.end_with?("_url"))
         end
 
+        # Paths where the implicit-params-fill pattern is
+        # idiomatic — controllers / mailers / views routinely
+        # call `*_path` / `*_url` helpers with fewer args than
+        # the route's static placeholder count because Rails
+        # fills `:foo_id` segments from `request.params` at
+        # runtime (controllers / views) or from the call's
+        # polymorphic-friendly receiver (mailers).
+        IMPLICIT_FILL_PATHS = [
+          %r{(?:\A|/)app/controllers/},
+          %r{(?:\A|/)app/mailers/},
+          %r{(?:\A|/)app/views/},
+          %r{(?:\A|/)app/components/},
+          %r{(?:\A|/)app/helpers/}
+        ].freeze
+
+        def implicit_fill_path?(path)
+          IMPLICIT_FILL_PATHS.any? { |re| path.match?(re) }
+        end
+
         def info_diagnostic(path, call_node, entry)
           location = call_node.location
           method_label = entry.http_method ? entry.http_method.to_s.upcase : "*"
@@ -80,7 +237,8 @@ module Rigor
         end
 
         def arity_check(path, call_node, entry, helper_table)
-          actual = (call_node.arguments&.arguments || []).size
+          args = call_node.arguments&.arguments || []
+          actual = args.size
           # Uncountable nouns (`news` / `series` / `media`) cause
           # Rails to register two entries under the same helper
           # name — `news_path` accepts both arity 0 (index) and
@@ -88,7 +246,38 @@ module Rigor
           # accepts_arity? checks the full set.
           return nil if helper_table.accepts_arity?(entry.name, actual)
 
-          arities = helper_table.acceptable_arities(entry.name).sort
+          # Rails accepts a kwargs-only call shape that supplies
+          # route segments by name:
+          #   short_account_status_url(account_username: u, id: i)
+          # for the route `/@:account_username/:id` (arity 2).
+          # Our positional-arg count is 1 (the KeywordHashNode),
+          # so the strict check rejects — but Rails would
+          # resolve every segment from the hash. When the call
+          # has a trailing KeywordHashNode AND the positional
+          # count (excluding it) is `<= expected_arity`, accept
+          # — the kwargs may carry the missing segments.
+          if args.last.is_a?(Prism::KeywordHashNode)
+            positional = actual - 1
+            return nil if helper_table.acceptable_arities(entry.name).any? { |exp| positional <= exp }
+          end
+
+          # Underflow tolerance for controllers / mailers /
+          # views. A `redirect_to namespace_project_milestones_path`
+          # inside `Projects::MilestonesController` legitimately
+          # passes 0 args — Rails fills the missing `:namespace_id`
+          # / `:project_id` segments from `request.params` at
+          # runtime. Mailers reach helpers polymorphically too
+          # (`project_commit_url(commit)` resolves project from
+          # commit.project). Silence when `actual < min_arity`
+          # AND the call site is in a controller / mailer / view
+          # directory (where the implicit-params-fill pattern is
+          # idiomatic). Overflow (`actual > max_arity`) still
+          # fires — that's almost always a typo.
+          arities_set = helper_table.acceptable_arities(entry.name)
+          min_arity = arities_set.min
+          return nil if actual < min_arity && implicit_fill_path?(path)
+
+          arities = arities_set.sort
           expected = arities.length == 1 ? arities.first.to_s : "#{arities.first}..#{arities.last}"
           location = call_node.location
           Diagnostic.new(

data/plugins/rigor-rails-routes/lib/rigor/plugin/rails_routes/devise_routes.rb

@@ -0,0 +1,264 @@
+# frozen_string_literal: true
+
+module Rigor
+  module Plugin
+    class RailsRoutes < Rigor::Plugin::Base
+      # Generates the catalogue of route helpers a `devise_for
+      # :resources` call adds to a Rails app's routing table.
+      # The set is fixed and well-documented (the
+      # [Devise wiki](https://github.com/heartcombo/devise/wiki/How-To:-Add-routes-helpers)
+      # enumerates every generated helper); the generator
+      # mirrors it.
+      #
+      # Used by `RoutesParser` when it sees a top-level
+      # `devise_for :name` (or `devise_for :name, skip:
+      # [...]`) call. Each generated helper is materialised as
+      # a `HelperTable::Entry` so the analyzer's
+      # `unknown-helper` rule recognises them and the arity
+      # check accepts the canonical signatures (Devise helpers
+      # take zero positional args plus an optional trailing
+      # options hash, which `HelperTable#accepts_arity?`
+      # already handles via the `arity + 1` rule).
+      #
+      # Scope:
+      #
+      # - Recognises the standard six controllers
+      #   (`:sessions`, `:passwords`, `:confirmations`,
+      #   `:unlocks`, `:registrations`, `:omniauth_callbacks`).
+      # - Honours `skip: [...]` to suppress controllers the
+      #   project disables.
+      # - Honours `path: "..."` to remap the URL path (does
+      #   NOT remap the helper-name prefix — Devise uses the
+      #   resource name for the helper, not the path).
+      # - Does NOT yet honour `as: "..."` overrides, `class_name:`,
+      #   `controllers: { ... }` (these are rare; expand on
+      #   demand).
+      # - `omniauth_callbacks` helpers are dynamic — the
+      #   provider name is supplied at call time
+      #   (`user_facebook_omniauth_authorize_path`) and Devise
+      #   declares them from the configured providers, which
+      #   live in an initializer this static parser does not
+      #   read. We register the SHAPE-FAMILY suffix matchers
+      #   `_omniauth_authorize_path` / `_omniauth_callback_path`
+      #   via a separate hook (see `OMNIAUTH_HELPER_PATTERNS`);
+      #   these are NOT in the table but consulted by the
+      #   `Analyzer.allowed_dynamic_pattern?` check.
+      module DeviseRoutes
+        # The standard Devise controllers and the helper
+        # actions each generates. Keys are the controller
+        # name; values are arrays of `[helper_prefix,
+        # http_method, action]` triples — `helper_prefix` is
+        # the part BEFORE the resource-name segment (Rails
+        # produces `<prefix>_<resource>_<suffix>_path`; for
+        # the bare `<resource>_session_path` shape the prefix
+        # is empty).
+        CONTROLLER_HELPERS = {
+          sessions: [
+            ["new", "session", :get, :new],
+            [nil, "session", :post, :create],
+            ["destroy", "session", :delete, :destroy]
+          ],
+          passwords: [
+            ["new", "password", :get, :new],
+            ["edit", "password", :get, :edit],
+            [nil, "password", :get, :show]
+          ],
+          confirmations: [
+            ["new", "confirmation", :get, :new],
+            [nil, "confirmation", :get, :show]
+          ],
+          unlocks: [
+            ["new", "unlock", :get, :new],
+            [nil, "unlock", :get, :show]
+          ],
+          registrations: [
+            ["cancel", "registration", :get, :show],
+            ["new", "registration", :get, :new],
+            ["edit", "registration", :get, :edit],
+            [nil, "registration", :get, :show]
+          ]
+        }.freeze
+
+        # Dynamic-provider helper patterns. `_omniauth_authorize_path`
+        # and `_omniauth_callback_path` are generated per
+        # configured provider (Facebook, GitHub, …) by an
+        # initializer this parser does not read. We treat any
+        # `<resource>_<provider>_omniauth_(authorize|callback)_(path|url)`
+        # call as recognised when the resource is one the
+        # project declared via `devise_for`.
+        OMNIAUTH_SUFFIXES = %w[
+          _omniauth_authorize_path _omniauth_authorize_url
+          _omniauth_callback_path _omniauth_callback_url
+        ].freeze
+
+        module_function
+
+        # @param resource [String, Symbol] the `devise_for`
+        #   argument — typically `:users`. Used as both the
+        #   helper-name segment (`new_user_session_path`) and
+        #   to derive the resource path.
+        # @param skip [Array<Symbol>] controllers the project
+        #   disables via `devise_for :users, skip: [:registrations]`.
+        # @return [Array<HelperTable::Entry>] one entry per
+        #   generated `_path` helper. The caller is expected to
+        #   pair `_url` variants the same way `RoutesParser` does
+        #   for other entries.
+        def generate(resource:, skip: [])
+          resource_segment = singularize(resource.to_s)
+          skip_set = skip.to_set(&:to_sym)
+          entries = []
+
+          CONTROLLER_HELPERS.each do |controller, actions|
+            next if skip_set.include?(controller)
+
+            actions.each do |(prefix, suffix, http_method, action)|
+              helper = if prefix
+                         "#{prefix}_#{resource_segment}_#{suffix}_path"
+                       else
+                         "#{resource_segment}_#{suffix}_path"
+                       end
+              path = devise_path_for(resource_segment, controller, action)
+              entries << HelperTable::Entry.new(
+                name: helper,
+                arity: 0,
+                path: path,
+                http_method: http_method,
+                action: action
+              )
+            end
+          end
+
+          # Devise also ships *scoped* helpers
+          # (`Devise::Controllers::UrlHelpers`) that DROP the
+          # resource segment and take the scope as a positional
+          # argument: `new_password_path(resource_name)` is the
+          # bare form of `new_user_password_path`. Used inside
+          # `Auth::PasswordsController < Devise::PasswordsController`
+          # (Mastodon's idiom). Arity 1 (the scope), and a
+          # trailing options-hash bumps it via the existing
+          # `arity + 1` rule.
+          entries.concat(scoped_helpers(skip_set))
+
+          # `omniauth_authorize_path(scope, provider)` and
+          # `omniauth_callback_path(scope, provider)` are
+          # `Devise::Controllers::UrlHelpers` scoped helpers
+          # that delegate to the OmniAuth gem. Arity 2.
+          unless skip_set.include?(:omniauth_callbacks)
+            %w[omniauth_authorize_path omniauth_callback_path].each do |name|
+              entries << HelperTable::Entry.new(
+                name: name,
+                arity: 2,
+                path: "/users/auth/:provider",
+                http_method: :get,
+                action: :show
+              )
+            end
+          end
+
+          entries
+        end
+
+        # Scoped helpers Devise exposes inside its controllers.
+        # The arity-1 family — caller supplies the resource
+        # scope (`:user` etc.) as the first positional arg.
+        # Names mirror the qualified `<scope>_<name>_path`
+        # entries above, minus the scope segment.
+        SCOPED_HELPERS = {
+          sessions: %w[new_session_path session_path destroy_session_path],
+          passwords: %w[new_password_path edit_password_path password_path],
+          confirmations: %w[new_confirmation_path confirmation_path],
+          unlocks: %w[new_unlock_path unlock_path],
+          registrations: %w[cancel_registration_path new_registration_path edit_registration_path registration_path]
+        }.freeze
+        private_constant :SCOPED_HELPERS
+
+        def scoped_helpers(skip_set)
+          SCOPED_HELPERS.flat_map do |controller, names|
+            next [] if skip_set.include?(controller)
+
+            names.map do |name|
+              HelperTable::Entry.new(
+                name: name,
+                arity: 1,
+                path: "/<scope>",
+                http_method: :get,
+                action: :show
+              )
+            end
+          end
+        end
+
+        # Returns the set of OmniAuth pattern suffixes the
+        # analyzer accepts for a given resource. The analyzer
+        # consults this set (via `HelperTable#allows_omniauth?`)
+        # when a `*_path` / `*_url` call's name does not match
+        # any registered entry and its prefix matches a Devise
+        # resource.
+        def omniauth_suffixes
+          OMNIAUTH_SUFFIXES
+        end
+
+        # The same tiny singularizer used by `RoutesParser`.
+        # We duplicate the catalogue here so this module does
+        # not need to reach into `Context`'s private state.
+        UNCOUNTABLE = %w[
+          equipment information rice money species series fish
+          sheep jeans police news media settings
+        ].to_set.freeze
+        private_constant :UNCOUNTABLE
+
+        def singularize(word)
+          return word if UNCOUNTABLE.include?(word)
+          return "#{word.chomp('ies')}y" if word.end_with?("ies") && word.length > 3
+          return word.chomp("es") if word.end_with?("ses") || word.end_with?("xes")
+          # `ss` preserved — Rails default inflector behaviour.
+          return word if word.end_with?("ss")
+          return word.chomp("s") if word.end_with?("s")
+
+          word
+        end
+
+        # Approximate path generation. We don't honour the
+        # `path:` Devise option here because the helper NAME
+        # is what the analyzer cares about; the `path` field is
+        # informational and surfaces only in the `:helper` info
+        # diagnostic.
+        def devise_path_for(resource_segment, controller, action)
+          plural = "#{resource_segment}s"
+          base = "/#{plural}"
+          case controller
+          when :sessions then session_path_for(action)
+          when :registrations then registration_path_for(action, base)
+          else "#{base}/#{controller}#{action_suffix(action)}"
+          end
+        end
+
+        def session_path_for(action)
+          case action
+          when :new then "/users/sign_in"
+          when :create then "/users/sign_in"
+          when :destroy then "/users/sign_out"
+          else "/users/sign_in"
+          end
+        end
+
+        def registration_path_for(action, base)
+          case action
+          when :new then "#{base}/sign_up"
+          when :edit then "#{base}/edit"
+          when :show then base
+          else base
+          end
+        end
+
+        def action_suffix(action)
+          case action
+          when :new then "/new"
+          when :edit then "/edit"
+          else ""
+          end
+        end
+      end
+    end
+  end
+end

data/plugins/rigor-rails-routes/lib/rigor/plugin/rails_routes/doorkeeper_routes.rb

@@ -0,0 +1,100 @@
+# frozen_string_literal: true
+
+module Rigor
+  module Plugin
+    class RailsRoutes < Rigor::Plugin::Base
+      # Generates the catalogue of OAuth route helpers a
+      # `use_doorkeeper do ... end` block adds to a Rails app's
+      # routing table. The set is the Doorkeeper gem's
+      # documented default — see Doorkeeper's
+      # [Routing](https://github.com/doorkeeper-gem/doorkeeper/wiki/Customizing-routes)
+      # documentation; this module mirrors the canonical
+      # helper names.
+      #
+      # Used by `RoutesParser` when it sees a `use_doorkeeper`
+      # call. Each generated helper is materialised as a
+      # `HelperTable::Entry` so the analyzer's
+      # `unknown-helper` rule recognises them. Arity for the
+      # `oauth_application_path(:id)` / `oauth_authorized_application_path(:id)`
+      # forms is 1 (the `:id`); all other Doorkeeper helpers
+      # are arity 0.
+      #
+      # Scope:
+      #
+      # - Recognises the standard helper set: authorization,
+      #   token, revoke, introspect, token_info, userinfo,
+      #   applications (resources), authorized_applications.
+      # - Honours `skip_controllers <names>` inside the block
+      #   to omit the named controller's helpers.
+      # - Does NOT yet honour `controllers ...:` remappings —
+      #   those change WHICH class serves the route but not
+      #   the helper NAMES, so omitting them is sound.
+      # - Does NOT yet honour custom `as:` / `at:` on
+      #   `use_doorkeeper` itself.
+      module DoorkeeperRoutes
+        # Per-controller helper catalogue. Keys are the
+        # `skip_controllers :<key>` names; values are the
+        # entries (name + arity + path + http_method).
+        # Both `_path` and `_url` variants are paired by
+        # `RoutesParser` after registration.
+        CONTROLLER_HELPERS = {
+          authorizations: [
+            ["oauth_authorization_path", 0, "/oauth/authorize", :get, :show],
+            ["oauth_authorization_url",  0, "/oauth/authorize", :get, :show]
+          ],
+          tokens: [
+            ["oauth_token_path", 0, "/oauth/token", :post, :create],
+            ["oauth_token_url",  0, "/oauth/token", :post, :create],
+            ["oauth_revoke_path", 0, "/oauth/revoke", :post, :create],
+            ["oauth_revoke_url",  0, "/oauth/revoke", :post, :create],
+            ["oauth_introspect_path", 0, "/oauth/introspect", :post, :create],
+            ["oauth_introspect_url",  0, "/oauth/introspect", :post, :create]
+          ],
+          token_info: [
+            ["oauth_token_info_path", 0, "/oauth/token/info", :get, :show],
+            ["oauth_token_info_url",  0, "/oauth/token/info", :get, :show]
+          ],
+          userinfo: [
+            ["oauth_userinfo_path", 0, "/oauth/userinfo", :get, :show],
+            ["oauth_userinfo_url",  0, "/oauth/userinfo", :get, :show]
+          ],
+          applications: [
+            ["oauth_applications_path", 0, "/oauth/applications", :get, :index],
+            ["oauth_applications_url",  0, "/oauth/applications", :get, :index],
+            ["new_oauth_application_path", 0, "/oauth/applications/new", :get, :new],
+            ["new_oauth_application_url",  0, "/oauth/applications/new", :get, :new],
+            ["edit_oauth_application_path", 1, "/oauth/applications/:id/edit", :get, :edit],
+            ["edit_oauth_application_url",  1, "/oauth/applications/:id/edit", :get, :edit],
+            ["oauth_application_path", 1, "/oauth/applications/:id", :get, :show],
+            ["oauth_application_url",  1, "/oauth/applications/:id", :get, :show]
+          ],
+          authorized_applications: [
+            ["oauth_authorized_applications_path", 0, "/oauth/authorized_applications", :get, :index],
+            ["oauth_authorized_applications_url",  0, "/oauth/authorized_applications", :get, :index],
+            ["oauth_authorized_application_path", 1, "/oauth/authorized_applications/:id", :delete, :destroy],
+            ["oauth_authorized_application_url",  1, "/oauth/authorized_applications/:id", :delete, :destroy]
+          ]
+        }.freeze
+
+        module_function
+
+        # @param skip [Array<Symbol>] controller names the
+        #   project omits via `skip_controllers :name, ...`.
+        # @return [Array<HelperTable::Entry>] flattened entries.
+        def generate(skip: [])
+          skip_set = skip.to_set(&:to_sym)
+          CONTROLLER_HELPERS.flat_map do |controller, rows|
+            next [] if skip_set.include?(controller)
+
+            rows.map do |name, arity, path, http_method, action|
+              HelperTable::Entry.new(
+                name: name, arity: arity, path: path,
+                http_method: http_method, action: action
+              )
+            end
+          end
+        end
+      end
+    end
+  end
+end