simple_authorize 1.0.0 → 1.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 705f75951bbd55e8352217a91088812ddb17a0914f5674c2e04c3ff5623d0f28
-  data.tar.gz: 94af211cac4be86bac47e46d1f2e06ae6342d4d5fbc7bf0e41fe5e9f82591287
+  metadata.gz: 1e7ec7dc4e13ab781a1379671cb043b2a03956c29e32554ff00624ee57cd009a
+  data.tar.gz: d0fb3ae9757d4ccd93250a09847630e5f4958c32498bff21047cf1e903cc4c19
 SHA512:
-  metadata.gz: 56b1be714196ca98cdced6ea2556e64c5086be5b4ed923eee1434cc939252fea1ac72fe905cb0b2e035db45075d3b91f373f139b64b32d78a3449d558f481374
-  data.tar.gz: bd6f0bb6cf73dfcfbd8dde7e0be6a08d0073fa3f23ca7c18121a626c84c83692fc0f3bd2e1efb25131a132e22c188682eb30f99aa5370e05303104526eaecc0d
+  metadata.gz: ca8717f9564cdbe1fe7873e7c5c7f10452a8825d83170565f306272e9b5cfcbd18adf181081e3603c58e206eb743e6ee4b4b8d1a4fd477a11d5946a5bd793fea
+  data.tar.gz: cbe20818849f24ee61dec25ec75f08ba22c1bf75f5c9c2c1021cdaea3548aa01b084e009d16391c60568897148f13d2ba95e1c2817ae6c9697dea29fec9983a8

data/.overcommit.yml

@@ -0,0 +1,55 @@
+# Overcommit configuration
+# See https://github.com/sds/overcommit for full documentation
+
+# Verify signatures for overcommit config to prevent tampering
+verify_signatures: true
+
+# Run these hooks before commits
+PreCommit:
+  RuboCop:
+    enabled: true
+    description: 'Checking code style with RuboCop'
+    required: true
+    quiet: false
+    command: ['bundle', 'exec', 'rubocop']
+
+  TrailingWhitespace:
+    enabled: true
+    description: 'Checking for trailing whitespace'
+
+  YamlSyntax:
+    enabled: true
+    description: 'Checking YAML syntax'
+
+# Run these hooks before pushes (more extensive checks)
+PrePush:
+  RuboCop:
+    enabled: true
+    description: 'Running RuboCop before push'
+    required: true
+
+  Minitest:
+    enabled: true
+    description: 'Running Minitest suite'
+    required: true
+
+  RSpec:
+    enabled: true
+    description: 'Running RSpec suite'
+    required: true
+
+  # TruffleHog - scan for secrets
+  # Note: Requires truffleHog to be installed
+  # Install: brew install truffleHog (macOS) or pip install truffleHog
+  CustomScript:
+    enabled: true
+    description: 'Scanning for secrets with TruffleHog'
+    required: false  # Optional since it requires external installation
+    command: ['sh', '-c', 'if command -v trufflehog >/dev/null 2>&1; then trufflehog filesystem . --only-verified --fail; else echo "TruffleHog not installed - skipping secret scan"; fi']
+
+# Run these hooks after checkout
+PostCheckout:
+  BundleInstall:
+    enabled: true
+    description: 'Running bundle install after checkout'
+    required: false

data/CHANGELOG.md

@@ -5,49 +5,141 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
-## [Unreleased]
+## [1.1.0] - 2025-11-05
 
 ### Added
-- Policy generator (`rails g simple_authorize:policy ModelName`) with support for:
-  - Namespaced models (e.g., `Admin::Post`)
-  - RSpec or Minitest test generation
-  - Automatic test scaffolding with CRUD and scope tests
-- Policy caching for performance optimization:
-  - Request-level memoization of policy instances
-  - Automatic scoping by user, record, and policy class
-  - Configurable via `config.enable_policy_cache`
-  - `clear_policy_cache` method for manual cache clearing
-  - Automatic cache clearing in `reset_authorization` for tests
-- Instrumentation and audit logging via ActiveSupport::Notifications:
-  - Emits events for `authorize`, `authorize_headless`, and `policy_scope` calls
-  - Rich payload with user, record, query, result, and timing information
-  - Enabled by default, configurable via `config.enable_instrumentation`
-  - Perfect for security audits, debugging, and monitoring
-- Initial release of SimpleAuthorize
-- Policy-based authorization system
-- Controller concern with authorization methods
-- Base policy class with default deny-all policies
-- Policy scope support for filtering collections
-- Strong parameters integration via `permitted_attributes` and `policy_params`
-- Automatic verification module (opt-in)
-- Headless policy support for policies without models
-- Namespace support for policies
-- Role-based helper methods (`admin_user?`, `contributor_user?`, `viewer_user?`)
-- Custom error handling with `NotAuthorizedError`
-- Install generator (`rails generate simple_authorize:install`)
-- Configuration system via initializer
-- Comprehensive documentation and examples
-- Test helper methods for easy testing
-- Backwards compatibility aliases for Pundit-style usage
-
-## [0.1.0] - 2025-11-01
+
+#### Policy Composition
+- **Reusable Policy Modules** - Built-in modules for common authorization patterns
+- **Ownable Module** - Ownership-based authorization helpers
+- **Publishable Module** - Publishing workflow authorization
+- **Timestamped Module** - Time-based access control
+- **Approvable Module** - Approval workflow helpers
+- **SoftDeletable Module** - Soft deletion authorization
+- **Custom Module Support** - Easy creation of custom authorization modules
+
+#### Context-Aware Policies
+- **Request Context** - Pass additional context to policies (IP, time, location, etc.)
+- **Controller Integration** - `authorization_context` method for building context
+- **Context in Scopes** - Context available in Policy::Scope classes
+- **Common Patterns** - Built-in support for geographic restrictions, time-based access, rate limiting
+
+## [1.0.0] - 2025-11-03
 
 ### Added
-- Initial gem structure
-- Core authorization framework extracted from production Rails application
-- MIT license
-- README with comprehensive documentation
-- Generator templates for installation
 
-[Unreleased]: https://github.com/scottlaplant/simple_authorize/compare/v0.1.0...HEAD
+#### Core Authorization
+- **Policy Generator** - Rails generator for creating policy classes (`rails g simple_authorize:policy ModelName`)
+- **Install Generator** - Setup wizard creating initializer and base policy (`rails g simple_authorize:install`)
+- **Headless Policies** - Authorization for actions without a specific record
+- **Batch Authorization** - Efficiently authorize multiple records with `authorize_all`, `authorized_records`, and `partition_records`
+
+#### Performance & Caching
+- **Policy Caching** - Request-level memoization to reduce database queries and improve performance
+- **Configurable Cache** - Enable/disable policy caching via `config.enable_policy_cache`
+
+#### Instrumentation & Monitoring
+- **ActiveSupport::Notifications** - Comprehensive instrumentation for authorization events
+- **Audit Logging** - Track authorization attempts, denials, and policy scope usage
+- **Custom Event Subscribers** - Hook into `authorize.simple_authorize` and `policy_scope.simple_authorize` events
+
+#### API Support
+- **JSON/XML Error Responses** - Automatic API-friendly error responses with proper HTTP status codes
+- **API Request Detection** - Intelligent detection of API requests (JSON/XML format and headers)
+- **Configurable Error Details** - Control error detail level with `config.api_error_details`
+- **Status Code Handling** - 401 Unauthorized vs 403 Forbidden based on authentication state
+
+#### Attribute-Level Authorization
+- **Visible Attributes** - Control which attributes users can view (`visible_attributes`, `visible_attributes_for_action`)
+- **Editable Attributes** - Control which attributes users can modify (`editable_attributes`, `editable_attributes_for_action`)
+- **Filter Helpers** - Automatically filter attribute hashes based on policy rules
+- **Strong Parameters Integration** - `policy_params` method for seamless Rails strong parameters integration
+
+#### Testing Support
+- **RSpec Matchers** - `permit_action`, `forbid_action`, `permit_mass_assignment`, `forbid_mass_assignment`
+- **RSpec Helpers** - `permit_editing`, `forbid_editing`, `permit_viewing`, `forbid_viewing`
+- **Minitest Helpers** - `assert_permit_action`, `assert_forbid_action` for Minitest users
+- **Policy Testing** - Comprehensive test helpers for both testing frameworks
+
+#### Internationalization
+- **I18n Support** - Configurable error messages with internationalization support
+- **Custom Translations** - Per-policy and per-action error message translations
+- **Configurable Scope** - Customize I18n scope with `config.i18n_scope`
+- **Fallback Messages** - Graceful fallback to default messages when translations are missing
+
+#### Security & Best Practices
+- **Authorization Verification** - `verify_authorized` and `verify_policy_scoped` to catch missing authorization
+- **Skip Authorization** - Explicit `skip_authorization` and `skip_policy_scope` methods
+- **Auto-Verify Module** - Optional automatic verification with `include SimpleAuthorize::Controller::AutoVerify`
+- **Safe Redirects** - Security-conscious redirect handling preventing open redirect vulnerabilities
+
+#### Developer Experience
+- **Comprehensive Documentation** - Extensive README with examples and best practices
+- **Error Messages** - Clear, actionable error messages for common mistakes
+- **Helper Methods** - View helpers automatically included (`policy`, `policy_scope`, `authorized_user`)
+- **Role Helpers** - Convenient `admin_user?`, `contributor_user?`, `viewer_user?` methods
+
+### Changed
+- Improved error handling with detailed exception information
+- Enhanced policy class resolution with namespace support
+- Better cache key generation for policy instances
+
+### Fixed
+- Policy scope resolution for collection classes
+- Safe referrer path handling for redirects
+- API request detection edge cases
+
+### Security
+- Added protection against open redirect vulnerabilities in `safe_referrer_path`
+- Implemented proper HTTP status codes (401 vs 403) for API errors
+- Enhanced authorization verification to prevent bypass attempts
+
+## [0.1.0] - Initial Development
+
+### Added
+- Basic policy-based authorization
+- Core authorization methods (`authorize`, `policy`, `policy_scope`)
+- Integration with Rails controllers
+- Basic test helpers
+- Initial documentation
+
+---
+
+## Upgrading
+
+### From 0.1.0 to 1.0.0
+
+**Breaking Changes:**
+None - v1.0.0 is fully backward compatible with 0.1.0.
+
+**New Features:**
+All features listed above are opt-in and won't affect existing implementations.
+
+**Recommended Updates:**
+1. Run `rails g simple_authorize:install` to generate the configuration file
+2. Enable policy caching for better performance: `config.enable_policy_cache = true`
+3. Enable instrumentation for monitoring: `config.enable_instrumentation = true`
+4. Add RSpec matchers to your spec_helper: `require 'simple_authorize/rspec'`
+
+**Configuration:**
+```ruby
+# config/initializers/simple_authorize.rb
+SimpleAuthorize.configure do |config|
+  config.enable_policy_cache = true       # Enable request-level policy caching
+  config.enable_instrumentation = true    # Enable ActiveSupport::Notifications
+  config.api_error_details = false        # Exclude sensitive details in API errors
+  config.i18n_enabled = true              # Enable I18n support
+  config.i18n_scope = "simple_authorize"  # I18n translation scope
+  config.default_error_message = "You are not authorized to perform this action."
+end
+```
+
+## Support
+
+- **Documentation**: [README.md](README.md)
+- **Issues**: [GitHub Issues](https://github.com/scottlaplant/simple_authorize/issues)
+- **Security**: [SECURITY.md](SECURITY.md)
+- **Contributing**: [CONTRIBUTING.md](CONTRIBUTING.md)
+
+[1.0.0]: https://github.com/scottlaplant/simple_authorize/releases/tag/v1.0.0
 [0.1.0]: https://github.com/scottlaplant/simple_authorize/releases/tag/v0.1.0

data/CODE_OF_CONDUCT.md

@@ -0,0 +1,129 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+We as members, contributors, and leaders pledge to make participation in our
+community a harassment-free experience for everyone, regardless of age, body
+size, visible or invisible disability, ethnicity, sex characteristics, gender
+identity and expression, level of experience, education, socio-economic status,
+nationality, personal appearance, race, religion, or sexual identity
+and orientation.
+
+We pledge to act and interact in ways that contribute to an open, welcoming,
+diverse, inclusive, and healthy community.
+
+## Our Standards
+
+Examples of behavior that contributes to a positive environment for our
+community include:
+
+* Demonstrating empathy and kindness toward other people
+* Being respectful of differing opinions, viewpoints, and experiences
+* Giving and gracefully accepting constructive feedback
+* Accepting responsibility and apologizing to those affected by our mistakes,
+  and learning from the experience
+* Focusing on what is best not just for us as individuals, but for the
+  overall community
+
+Examples of unacceptable behavior include:
+
+* The use of sexualized language or imagery, and sexual attention or
+  advances of any kind
+* Trolling, insulting or derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or email
+  address, without their explicit permission
+* Other conduct which could reasonably be considered inappropriate in a
+  professional setting
+
+## Enforcement Responsibilities
+
+Community leaders are responsible for clarifying and enforcing our standards of
+acceptable behavior and will take appropriate and fair corrective action in
+response to any behavior that they deem inappropriate, threatening, offensive,
+or harmful.
+
+Community leaders have the right and responsibility to remove, edit, or reject
+comments, commits, code, wiki edits, issues, and other contributions that are
+not aligned to this Code of Conduct, and will communicate reasons for moderation
+decisions when appropriate.
+
+## Scope
+
+This Code of Conduct applies within all community spaces, and also applies when
+an individual is officially representing the community in public spaces.
+Examples of representing our community include using an official e-mail address,
+posting via an official social media account, or acting as an appointed
+representative at an online or offline event.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported to the community leaders responsible for enforcement at
+**simpleauthorize@gmail.com**.
+
+All complaints will be reviewed and investigated promptly and fairly.
+
+All community leaders are obligated to respect the privacy and security of the
+reporter of any incident.
+
+## Enforcement Guidelines
+
+Community leaders will follow these Community Impact Guidelines in determining
+the consequences for any action they deem in violation of this Code of Conduct:
+
+### 1. Correction
+
+**Community Impact**: Use of inappropriate language or other behavior deemed
+unprofessional or unwelcome in the community.
+
+**Consequence**: A private, written warning from community leaders, providing
+clarity around the nature of the violation and an explanation of why the
+behavior was inappropriate. A public apology may be requested.
+
+### 2. Warning
+
+**Community Impact**: A violation through a single incident or series
+of actions.
+
+**Consequence**: A warning with consequences for continued behavior. No
+interaction with the people involved, including unsolicited interaction with
+those enforcing the Code of Conduct, for a specified period of time. This
+includes avoiding interactions in community spaces as well as external channels
+like social media. Violating these terms may lead to a temporary or
+permanent ban.
+
+### 3. Temporary Ban
+
+**Community Impact**: A serious violation of community standards, including
+sustained inappropriate behavior.
+
+**Consequence**: A temporary ban from any sort of interaction or public
+communication with the community for a specified period of time. No public or
+private interaction with the people involved, including unsolicited interaction
+with those enforcing the Code of Conduct, is allowed during this period.
+Violating these terms may lead to a permanent ban.
+
+### 4. Permanent Ban
+
+**Community Impact**: Demonstrating a pattern of violation of community
+standards, including sustained inappropriate behavior, harassment of an
+individual, or aggression toward or disparagement of classes of individuals.
+
+**Consequence**: A permanent ban from any sort of public interaction within
+the community.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage],
+version 2.0, available at
+https://www.contributor-covenant.org/version/2/0/code_of_conduct.html.
+
+Community Impact Guidelines were inspired by [Mozilla's code of conduct
+enforcement ladder](https://github.com/mozilla/diversity).
+
+[homepage]: https://www.contributor-covenant.org
+
+For answers to common questions about this code of conduct, see the FAQ at
+https://www.contributor-covenant.org/faq. Translations are available at
+https://www.contributor-covenant.org/translations.

data/CONTRIBUTING.md

@@ -0,0 +1,182 @@
+# Contributing to SimpleAuthorize
+
+Thank you for your interest in contributing to SimpleAuthorize! We welcome contributions from everyone.
+
+## Code of Conduct
+
+This project and everyone participating in it is governed by our [Code of Conduct](CODE_OF_CONDUCT.md). By participating, you are expected to uphold this code. Please report unacceptable behavior to simpleauthorize@gmail.com.
+
+## How Can I Contribute?
+
+### Reporting Bugs
+
+Before creating bug reports, please check the existing issues to avoid duplicates. When creating a bug report, include as many details as possible:
+
+* **Use a clear and descriptive title**
+* **Describe the exact steps to reproduce the problem**
+* **Provide specific examples** to demonstrate the steps
+* **Describe the behavior you observed** and what you expected
+* **Include Ruby version, Rails version, and gem version**
+* **Include any error messages or stack traces**
+
+### Suggesting Enhancements
+
+Enhancement suggestions are tracked as GitHub issues. When creating an enhancement suggestion:
+
+* **Use a clear and descriptive title**
+* **Provide a step-by-step description** of the suggested enhancement
+* **Explain why this enhancement would be useful**
+* **List any alternative solutions** you've considered
+
+### Pull Requests
+
+* Fill in the pull request template
+* Follow the Ruby style guide (RuboCop will check this)
+* Include tests for new features or bug fixes
+* Update documentation as needed
+* Ensure all tests pass (`bundle exec rake test` and `bundle exec rspec`)
+* Ensure RuboCop passes (`bundle exec rubocop`)
+
+## Development Setup
+
+1. **Fork and clone the repository**
+   ```bash
+   git clone https://github.com/YOUR_USERNAME/simple_authorize.git
+   cd simple_authorize
+   ```
+
+2. **Install dependencies**
+   ```bash
+   bundle install
+   ```
+
+3. **Set up git hooks with Overcommit**
+   ```bash
+   # Install git hooks
+   bundle exec overcommit --install
+
+   # (Optional) Install TruffleHog for secret scanning
+   # macOS: brew install truffleHog
+   # Linux: pip install truffleHog
+   ```
+
+   This sets up automatic checks before commits and pushes:
+   * **Pre-commit**: RuboCop, trailing whitespace, YAML syntax
+   * **Pre-push**: RuboCop, Minitest, RSpec, TruffleHog (if installed)
+   * **Post-checkout**: Automatic bundle install
+
+   To skip hooks temporarily (not recommended):
+   ```bash
+   git push --no-verify
+   ```
+
+4. **Run tests**
+   ```bash
+   # Run Minitest suite
+   bundle exec rake test
+
+   # Run RSpec suite
+   bundle exec rspec
+
+   # Run RuboCop
+   bundle exec rubocop
+
+   # Run all checks
+   bundle exec rake
+   ```
+
+5. **Create a feature branch**
+   ```bash
+   git checkout -b my-new-feature
+   ```
+
+## Testing
+
+We maintain high test coverage (89%+) and use both Minitest and RSpec:
+
+* **Minitest**: `test/` directory - for integration and controller tests
+* **RSpec**: `spec/` directory - for unit tests and matchers
+
+Please ensure your changes include appropriate tests:
+
+```ruby
+# Minitest example
+test "authorize succeeds when policy allows" do
+  result = controller.authorize(post, :show?)
+  assert_equal post, result
+end
+
+# RSpec example
+it "permits action when policy allows" do
+  expect { policy.show? }.to permit_action
+end
+```
+
+## Code Style
+
+We follow the Ruby Style Guide and enforce it with RuboCop:
+
+* Use 2 spaces for indentation
+* Use double quotes for strings
+* Keep lines under 120 characters
+* Write descriptive method and variable names
+* Add comments for complex logic
+
+Run RuboCop with:
+```bash
+bundle exec rubocop
+```
+
+Auto-fix issues with:
+```bash
+bundle exec rubocop -a
+```
+
+## Documentation
+
+* Update README.md if you add features
+* Add YARD documentation to public methods
+* Update CHANGELOG.md with your changes
+* Keep comments up-to-date with code changes
+
+## Commit Messages
+
+* Use present tense ("Add feature" not "Added feature")
+* Use imperative mood ("Move cursor to..." not "Moves cursor to...")
+* Limit first line to 72 characters
+* Reference issues and pull requests after the first line
+
+Example:
+```
+Add policy caching for improved performance
+
+Implements request-level memoization for policy instances
+to reduce database queries and improve response times.
+
+Fixes #123
+```
+
+## Release Process
+
+Maintainers will handle releases:
+
+1. Update version in `lib/simple_authorize/version.rb`
+2. Update CHANGELOG.md with release notes
+3. Commit changes
+4. Run `bundle exec rake release`
+
+## Questions?
+
+Feel free to:
+* Open an issue for questions
+* Email us at simpleauthorize@gmail.com
+* Check existing documentation in the README
+
+## Recognition
+
+Contributors will be:
+* Listed in the CHANGELOG for their contributions
+* Credited in release notes
+* Added to a CONTRIBUTORS file (if created)
+
+Thank you for contributing to SimpleAuthorize! 🎉

data/README.md

@@ -11,6 +11,8 @@ SimpleAuthorize is a lightweight, powerful authorization framework for Rails tha
 - **Policy-Based Authorization** - Define authorization rules in dedicated policy classes
 - **Scope Filtering** - Automatically filter collections based on user permissions
 - **Role-Based Access** - Built-in support for role-based authorization
+- **Policy Composition** - Mix and match reusable authorization modules
+- **Context-Aware Policies** - Make authorization decisions based on request context (IP, time, location, etc.)
 - **Zero Dependencies** - No external gems required (only Rails)
 - **Strong Parameters Integration** - Automatically build permitted params from policies
 - **Test Friendly** - Easy to test policies in isolation
@@ -394,6 +396,217 @@ SimpleAuthorize.configure do |config|
 end
 ```
 
+## Policy Composition
+
+Policy Composition allows you to build complex authorization policies by combining reusable modules. This promotes DRY code and consistent authorization patterns across your application.
+
+### Using Built-in Policy Modules
+
+SimpleAuthorize provides several ready-to-use policy modules:
+
+```ruby
+class ArticlePolicy < ApplicationPolicy
+  include SimpleAuthorize::PolicyModules::Ownable
+  include SimpleAuthorize::PolicyModules::Publishable
+
+  def show?
+    published? || owner_or_admin?
+  end
+
+  def update?
+    owner_or_admin? && not_published?
+  end
+end
+```
+
+### Available Policy Modules
+
+#### Ownable
+Provides ownership-based authorization:
+- `owner?` - Check if user owns the record
+- `owner_or_admin?` - Check if user is owner or admin
+- `can_modify?` - Common pattern for modification rights
+
+#### Publishable
+For content with draft/published states:
+- `published?` - Check if record is published
+- `can_publish?` - Check if user can publish
+- `can_preview?` - Check if user can preview drafts
+
+#### Timestamped
+Time-based authorization:
+- `expired?` - Check if record has expired
+- `within_time_window?` - Check if record is in valid time range
+- `locked?` - Check if record is time-locked
+
+#### Approvable
+For approval workflows:
+- `approved?` - Check if record is approved
+- `can_approve?` - Check if user can approve (not their own content)
+- `can_submit_for_approval?` - Check if user can submit for approval
+
+#### SoftDeletable
+For soft deletion support:
+- `soft_deleted?` - Check if record is soft deleted
+- `can_restore?` - Check if user can restore
+- `can_permanently_destroy?` - Check if user can hard delete
+
+### Creating Custom Policy Modules
+
+```ruby
+module MyApp::PolicyModules::Subscribable
+  protected
+
+  def subscriber?
+    user&.subscriptions&.active&.any?
+  end
+
+  def premium_subscriber?
+    user&.subscription&.premium?
+  end
+
+  def can_access_premium_content?
+    premium_subscriber? || admin?
+  end
+end
+
+class PremiumContentPolicy < ApplicationPolicy
+  include MyApp::PolicyModules::Subscribable
+
+  def show?
+    can_access_premium_content?
+  end
+end
+```
+
+## Context-Aware Policies
+
+Context-Aware Policies allow you to make authorization decisions based on additional context beyond just the user and record. This is useful for IP-based restrictions, time-based access, rate limiting, and more.
+
+### Basic Usage
+
+Override the `authorization_context` method in your controller:
+
+```ruby
+class ApplicationController < ActionController::Base
+  include SimpleAuthorize::Controller
+
+  private
+
+  def authorization_context
+    {
+      ip_address: request.remote_ip,
+      user_agent: request.user_agent,
+      current_time: Time.current,
+      country: request.location&.country,
+      two_factor_verified: session[:two_factor_verified],
+      user_plan: current_user&.subscription&.plan
+    }
+  end
+end
+```
+
+### Using Context in Policies
+
+Access context in your policies through the `context` method:
+
+```ruby
+class SecureDocumentPolicy < ApplicationPolicy
+  def show?
+    # Require 2FA for sensitive documents
+    return false unless context[:two_factor_verified]
+
+    # Check IP restrictions
+    return false unless trusted_ip?
+
+    owner_or_admin?
+  end
+
+  private
+
+  def trusted_ip?
+    return true if context[:ip_address].nil?
+
+    trusted_ips = ["192.168.1.0/24", "10.0.0.0/8"]
+    trusted_ips.any? { |range| IPAddr.new(range).include?(context[:ip_address]) }
+  end
+end
+```
+
+### Common Context Patterns
+
+#### Geographic Restrictions
+```ruby
+class RegionalContentPolicy < ApplicationPolicy
+  def show?
+    allowed_countries = ["US", "CA", "UK"]
+    allowed_countries.include?(context[:country]) || admin?
+  end
+end
+```
+
+#### Time-Based Access
+```ruby
+class BusinessHoursPolicy < ApplicationPolicy
+  def create?
+    return true if admin?
+
+    hour = context[:current_time].hour
+    hour >= 9 && hour < 17  # 9 AM to 5 PM only
+  end
+end
+```
+
+#### Rate Limiting
+```ruby
+class ApiPolicy < ApplicationPolicy
+  def create?
+    return true if admin?
+
+    request_count = context[:request_count] || 0
+    request_count < 100  # Limit to 100 requests
+  end
+end
+```
+
+#### Plan-Based Features
+```ruby
+class ExportPolicy < ApplicationPolicy
+  def export?
+    case context[:user_plan]
+    when "enterprise"
+      true
+    when "pro"
+      owner_or_admin?
+    when "basic"
+      admin?
+    else
+      false
+    end
+  end
+end
+```
+
+### Context with Policy Scopes
+
+Context is also available in policy scopes:
+
+```ruby
+class DocumentPolicy < ApplicationPolicy
+  class Scope < ApplicationPolicy::Scope
+    def resolve
+      if context[:department]
+        scope.where(department: context[:department])
+      elsif user.admin?
+        scope.all
+      else
+        scope.where(user: user)
+      end
+    end
+  end
+end
+```
+
 ## Advanced Features
 
 ### Headless Policies

data/SECURITY.md

@@ -6,7 +6,8 @@ We release patches for security vulnerabilities. Currently supported versions:
 
 | Version | Supported          |
 | ------- | ------------------ |
-| 0.1.x   | :white_check_mark: |
+| 1.0.x   | :white_check_mark: |
+| < 1.0   | :x:                |
 
 ## Reporting a Vulnerability
 
@@ -14,8 +15,11 @@ We take the security of SimpleAuthorize seriously. If you discover a security vu
 
 ### How to Report
 
-1. **DO NOT** open a public GitHub issue for security vulnerabilities
-2. Use GitHub's private vulnerability reporting feature (see "Security" tab in the repository)
+**Please DO NOT open a public GitHub issue for security vulnerabilities.**
+
+Please report security vulnerabilities to: **simpleauthorize@gmail.com**
+
+Alternatively, you can use GitHub's private vulnerability reporting feature (see "Security" tab in the repository).
 
 ### What to Include
 

data/lib/simple_authorize/controller.rb

@@ -141,9 +141,9 @@ module SimpleAuthorize
       if SimpleAuthorize.configuration.enable_policy_cache
         policy_cache_key = build_policy_cache_key(record, policy_class)
         @_policy_cache ||= {}
-        @_policy_cache[policy_cache_key] ||= policy_class.new(authorized_user, record)
+        @_policy_cache[policy_cache_key] ||= policy_class.new(authorized_user, record, context: authorization_context)
       else
-        policy_class.new(authorized_user, record)
+        policy_class.new(authorized_user, record, context: authorization_context)
       end
     rescue NameError
       raise PolicyNotDefinedError, "unable to find policy `#{policy_class}` for `#{record}`"
@@ -163,7 +163,7 @@ module SimpleAuthorize
       error = nil
 
       begin
-        result = policy_scope_class.new(authorized_user, scope).resolve
+        result = policy_scope_class.new(authorized_user, scope, context: authorization_context).resolve
       rescue NameError
         error = PolicyNotDefinedError.new("unable to find scope `#{policy_scope_class}` for `#{scope}`")
       end
@@ -277,6 +277,26 @@ module SimpleAuthorize
       current_user
     end
 
+    # Build context for authorization (can be overridden)
+    # Override this method in your ApplicationController to provide
+    # context data for policies
+    #
+    # Example:
+    #   def authorization_context
+    #     {
+    #       ip_address: request.remote_ip,
+    #       user_agent: request.user_agent,
+    #       subdomain: request.subdomain,
+    #       current_time: Time.current,
+    #       request_count: rate_limiter.count_for(current_user),
+    #       two_factor_verified: session[:two_factor_verified],
+    #       user_plan: current_user&.subscription&.plan
+    #     }
+    #   end
+    def authorization_context
+      {}
+    end
+
     # Clear the policy cache
     def clear_policy_cache
       @_policy_cache = nil

data/lib/simple_authorize/policy.rb

@@ -5,9 +5,10 @@ module SimpleAuthorize
   class Policy
     attr_reader :user, :record
 
-    def initialize(user, record)
+    def initialize(user, record, context: nil)
       @user = user
       @record = record
+      @context = context
     end
 
     # Default policies - deny everything by default
@@ -64,6 +65,10 @@ module SimpleAuthorize
     # Helper methods
     protected
 
+    def context
+      @context || {}
+    end
+
     def admin?
       user&.admin?
     end
@@ -96,9 +101,10 @@ module SimpleAuthorize
     class Scope
       attr_reader :user, :scope
 
-      def initialize(user, scope)
+      def initialize(user, scope, context: nil)
         @user = user
         @scope = scope
+        @context = context
       end
 
       def resolve
@@ -107,6 +113,10 @@ module SimpleAuthorize
 
       protected
 
+      def context
+        @context || {}
+      end
+
       def admin?
         user&.admin?
       end

data/lib/simple_authorize/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module SimpleAuthorize
-  VERSION = "1.0.0"
+  VERSION = "1.1.0"
 end

data/lib/simple_authorize.rb

@@ -5,6 +5,7 @@ require_relative "simple_authorize/version"
 require_relative "simple_authorize/configuration"
 require_relative "simple_authorize/controller"
 require_relative "simple_authorize/policy"
+require_relative "simple_authorize/policy_modules"
 require_relative "simple_authorize/test_helpers"
 
 # SimpleAuthorize provides a lightweight authorization framework for Rails applications

data/spec/examples.txt

@@ -1,51 +1,51 @@
 example_id                             | status | run_time        |
 -------------------------------------- | ------ | --------------- |
-./spec/rspec_matchers_spec.rb[1:1:1:1] | passed | 0.00004 seconds |
-./spec/rspec_matchers_spec.rb[1:1:1:2] | passed | 0.00004 seconds |
+./spec/rspec_matchers_spec.rb[1:1:1:1] | passed | 0.00003 seconds |
+./spec/rspec_matchers_spec.rb[1:1:1:2] | passed | 0.00003 seconds |
 ./spec/rspec_matchers_spec.rb[1:1:1:3] | passed | 0.00004 seconds |
 ./spec/rspec_matchers_spec.rb[1:1:2:1] | passed | 0.00004 seconds |
 ./spec/rspec_matchers_spec.rb[1:1:2:2] | passed | 0.00004 seconds |
-./spec/rspec_matchers_spec.rb[1:1:3:1] | passed | 0.00005 seconds |
+./spec/rspec_matchers_spec.rb[1:1:3:1] | passed | 0.00004 seconds |
 ./spec/rspec_matchers_spec.rb[1:1:3:2] | passed | 0.00004 seconds |
-./spec/rspec_matchers_spec.rb[1:1:4:1] | passed | 0.00004 seconds |
-./spec/rspec_matchers_spec.rb[1:1:4:2] | passed | 0.00004 seconds |
-./spec/rspec_matchers_spec.rb[1:2:1:1] | passed | 0.00004 seconds |
+./spec/rspec_matchers_spec.rb[1:1:4:1] | passed | 0.00003 seconds |
+./spec/rspec_matchers_spec.rb[1:1:4:2] | passed | 0.00012 seconds |
+./spec/rspec_matchers_spec.rb[1:2:1:1] | passed | 0.00003 seconds |
 ./spec/rspec_matchers_spec.rb[1:2:1:2] | passed | 0.00004 seconds |
-./spec/rspec_matchers_spec.rb[1:2:2:1] | passed | 0.00005 seconds |
-./spec/rspec_matchers_spec.rb[1:2:2:2] | passed | 0.00011 seconds |
-./spec/rspec_matchers_spec.rb[1:2:3:1] | passed | 0.00005 seconds |
-./spec/rspec_matchers_spec.rb[1:2:3:2] | passed | 0.00007 seconds |
+./spec/rspec_matchers_spec.rb[1:2:2:1] | passed | 0.00004 seconds |
+./spec/rspec_matchers_spec.rb[1:2:2:2] | passed | 0.00003 seconds |
+./spec/rspec_matchers_spec.rb[1:2:3:1] | passed | 0.00004 seconds |
+./spec/rspec_matchers_spec.rb[1:2:3:2] | passed | 0.00004 seconds |
 ./spec/rspec_matchers_spec.rb[1:2:4:1] | passed | 0.00003 seconds |
-./spec/rspec_matchers_spec.rb[1:2:4:2] | passed | 0.00004 seconds |
+./spec/rspec_matchers_spec.rb[1:2:4:2] | passed | 0.00003 seconds |
 ./spec/rspec_matchers_spec.rb[1:3:1:1] | passed | 0.00004 seconds |
-./spec/rspec_matchers_spec.rb[1:3:1:2] | passed | 0.00004 seconds |
-./spec/rspec_matchers_spec.rb[1:3:1:3] | passed | 0.00004 seconds |
+./spec/rspec_matchers_spec.rb[1:3:1:2] | passed | 0.00011 seconds |
+./spec/rspec_matchers_spec.rb[1:3:1:3] | passed | 0.00005 seconds |
 ./spec/rspec_matchers_spec.rb[1:3:2:1] | passed | 0.00004 seconds |
-./spec/rspec_matchers_spec.rb[1:3:3:1] | passed | 0.00005 seconds |
-./spec/rspec_matchers_spec.rb[1:3:3:2] | passed | 0.00004 seconds |
+./spec/rspec_matchers_spec.rb[1:3:3:1] | passed | 0.00004 seconds |
+./spec/rspec_matchers_spec.rb[1:3:3:2] | passed | 0.00005 seconds |
 ./spec/rspec_matchers_spec.rb[1:3:4:1] | passed | 0.00003 seconds |
-./spec/rspec_matchers_spec.rb[1:3:4:2] | passed | 0.00004 seconds |
-./spec/rspec_matchers_spec.rb[1:4:1:1] | passed | 0.00004 seconds |
-./spec/rspec_matchers_spec.rb[1:4:2:1] | passed | 0.00004 seconds |
+./spec/rspec_matchers_spec.rb[1:3:4:2] | passed | 0.00003 seconds |
+./spec/rspec_matchers_spec.rb[1:4:1:1] | passed | 0.00003 seconds |
+./spec/rspec_matchers_spec.rb[1:4:2:1] | passed | 0.00003 seconds |
 ./spec/rspec_matchers_spec.rb[1:4:2:2] | passed | 0.00004 seconds |
-./spec/rspec_matchers_spec.rb[1:4:3:1] | passed | 0.00005 seconds |
+./spec/rspec_matchers_spec.rb[1:4:3:1] | passed | 0.00004 seconds |
 ./spec/rspec_matchers_spec.rb[1:4:4:1] | passed | 0.00003 seconds |
-./spec/rspec_matchers_spec.rb[1:4:4:2] | passed | 0.00004 seconds |
-./spec/rspec_matchers_spec.rb[1:5:1:1] | passed | 0.00004 seconds |
-./spec/rspec_matchers_spec.rb[1:5:1:2] | passed | 0.00004 seconds |
+./spec/rspec_matchers_spec.rb[1:4:4:2] | passed | 0.00003 seconds |
+./spec/rspec_matchers_spec.rb[1:5:1:1] | passed | 0.00003 seconds |
+./spec/rspec_matchers_spec.rb[1:5:1:2] | passed | 0.00003 seconds |
 ./spec/rspec_matchers_spec.rb[1:5:2:1] | passed | 0.00004 seconds |
-./spec/rspec_matchers_spec.rb[1:5:3:1] | passed | 0.00005 seconds |
-./spec/rspec_matchers_spec.rb[1:5:3:2] | passed | 0.00004 seconds |
-./spec/rspec_matchers_spec.rb[1:5:4:1] | passed | 0.00004 seconds |
-./spec/rspec_matchers_spec.rb[1:5:4:2] | passed | 0.00004 seconds |
-./spec/rspec_matchers_spec.rb[1:6:1:1] | passed | 0.00004 seconds |
-./spec/rspec_matchers_spec.rb[1:6:2:1] | passed | 0.00004 seconds |
+./spec/rspec_matchers_spec.rb[1:5:3:1] | passed | 0.00004 seconds |
+./spec/rspec_matchers_spec.rb[1:5:3:2] | passed | 0.00003 seconds |
+./spec/rspec_matchers_spec.rb[1:5:4:1] | passed | 0.00003 seconds |
+./spec/rspec_matchers_spec.rb[1:5:4:2] | passed | 0.00003 seconds |
+./spec/rspec_matchers_spec.rb[1:6:1:1] | passed | 0.00003 seconds |
+./spec/rspec_matchers_spec.rb[1:6:2:1] | passed | 0.00003 seconds |
 ./spec/rspec_matchers_spec.rb[1:6:2:2] | passed | 0.00004 seconds |
 ./spec/rspec_matchers_spec.rb[1:6:3:1] | passed | 0.00004 seconds |
-./spec/rspec_matchers_spec.rb[1:6:3:2] | passed | 0.00005 seconds |
+./spec/rspec_matchers_spec.rb[1:6:3:2] | passed | 0.00004 seconds |
 ./spec/rspec_matchers_spec.rb[1:6:4:1] | passed | 0.00003 seconds |
 ./spec/rspec_matchers_spec.rb[1:6:4:2] | passed | 0.00003 seconds |
 ./spec/rspec_matchers_spec.rb[1:7:1:1] | passed | 0.00004 seconds |
-./spec/rspec_matchers_spec.rb[1:7:1:2] | passed | 0.00005 seconds |
-./spec/rspec_matchers_spec.rb[1:7:1:3] | passed | 0.00003 seconds |
-./spec/rspec_matchers_spec.rb[1:7:2:1] | passed | 0.00156 seconds |
+./spec/rspec_matchers_spec.rb[1:7:1:2] | passed | 0.00004 seconds |
+./spec/rspec_matchers_spec.rb[1:7:1:3] | passed | 0.00005 seconds |
+./spec/rspec_matchers_spec.rb[1:7:2:1] | passed | 0.00118 seconds |

data/spec/spec_helper.rb

@@ -1,9 +1,5 @@
 # frozen_string_literal: true
 
-# Start SimpleCov before anything else
-require "simplecov"
-SimpleCov.command_name "RSpec"
-
 $LOAD_PATH.unshift File.expand_path("../lib", __dir__)
 require "simple_authorize"
 require "simple_authorize/rspec"

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: simple_authorize
 version: !ruby/object:Gem::Version
-  version: 1.0.0
+  version: 1.1.0
 platform: ruby
 authors:
 - Scott
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2025-11-03 00:00:00.000000000 Z
+date: 2025-11-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -80,31 +80,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '3.0'
-- !ruby/object:Gem::Dependency
-  name: simplecov
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '0.22'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '0.22'
 description: SimpleAuthorize is a lightweight authorization framework for Rails that
   provides policy-based access control, role management, and scope filtering without
   requiring external gems. Inspired by Pundit but completely standalone.
 email:
-- scottlaplant@users.noreply.github.com
+- simpleauthorize@gmail.com
 executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- ".overcommit.yml"
 - ".simplecov"
 - CHANGELOG.md
+- CODE_OF_CONDUCT.md
+- CONTRIBUTING.md
 - LICENSE.txt
 - README.md
 - Rakefile
@@ -137,6 +126,7 @@ metadata:
   source_code_uri: https://github.com/scottlaplant/simple_authorize
   changelog_uri: https://github.com/scottlaplant/simple_authorize/blob/main/CHANGELOG.md
   bug_tracker_uri: https://github.com/scottlaplant/simple_authorize/issues
+  documentation_uri: https://github.com/scottlaplant/simple_authorize/wiki
   rubygems_mfa_required: 'true'
 post_install_message:
 rdoc_options: []