source_monitor 0.13.0 → 0.14.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ba447fce3d49e4605a01154bfbf1a28179ac1833ba1f240add5f1b9adae3ecb3
-  data.tar.gz: 5c90d5148475fd74aa53568df2df60e7143613496df6b985d98acfb5fd84b4c6
+  metadata.gz: 35e62d7d750d8d9fe1cff82806de1846d27fe505fad819551e48474f864b1499
+  data.tar.gz: 2f6889306b930aa78caec52cc92c7c6919ba379955a6d0484cc8bf44f52dcf6f
 SHA512:
-  metadata.gz: 4427aaa63507229534a56998290cc6175a18116bba7881c80ce16ef97c9b2dee9b64a4fd37f4d30cac2155805fa19b53258dbb7831f28581ffba56f1a67d814e
-  data.tar.gz: 1b072b1041d24be68a54f2c3a282101c29129fa0e5b34aff15a1ef07f2665ed494760cf37b7827b19cc399b1332cd720696519b2ab46e0c17df0d1a850e28fd0
+  metadata.gz: 3ca0f0c0a9d6e1c2557c501a2a51bc9dee52e486b78cb78f1384232f5af704c209026e514f1dea2ea94c6962d502856add17c57b4afc79c462ed8fa39da8d236
+  data.tar.gz: ed49ec4ce672c5850b2bc3f3a6d73e31f1d08d6c8f7b1a779258db69ac9cdb48d1aa6e8478784a0f89bf161ec81bad31b79485455373a702240a1580ad31f6dc

data/.claude/skills/sm-configuration-setting/reference/settings-catalog.md

@@ -157,6 +157,7 @@ Has `reset!` method. The `adapter=` setter validates against `VALID_ADAPTERS`.
 | `authorize_handler` | Handler/nil | `nil` | Authorization handler |
 | `current_user_method` | Symbol/nil | `nil` | Method name for current user |
 | `user_signed_in_method` | Symbol/nil | `nil` | Method name for signed-in check |
+| `open_access` | Boolean | `false` | Opt out of the fail-closed access guard (demo/non-production only); ignored when a handler is configured |
 
 Has `reset!` method.
 

data/.claude/skills/sm-configure/SKILL.md

@@ -66,10 +66,17 @@ config.http.retry_max = 3
 ```
 
 ### Authentication (Devise)
+SourceMonitor is **fail-closed by default**: with no `authenticate_with`/`authorize_with`
+handler configured, every engine route returns `403 Forbidden`. Configure a handler
+to protect the dashboard (the handler decides access and bypasses the fail-closed guard):
 ```ruby
 config.authentication.authenticate_with :authenticate_user!
 config.authentication.authorize_with ->(c) { c.current_user&.admin? }
 ```
+For local demos/sandboxes only, opt out of the fail-closed guard (non-production):
+```ruby
+config.authentication.open_access = true # default: false -- demo/non-production only
+```
 
 ### Image Downloads (Active Storage)
 ```ruby
@@ -167,7 +174,7 @@ end
 - [ ] Initializer exists at `config/initializers/source_monitor.rb`
 - [ ] Queue names match `config/queue.yml` (or `config/solid_queue.yml`) entries
 - [x] Dispatcher config includes `recurring_schedule: config/recurring.yml` (handled by install generator)
-- [ ] Authentication hooks configured for host auth system
+- [ ] Authentication decision made: configure `authenticate_with`/`authorize_with` (fail-closed default) OR set `config.authentication.open_access = true` for demos only
 - [ ] HTTP timeouts appropriate for target feeds
 - [ ] Retention policy set for production
 - [ ] Workers restarted after configuration changes

data/.claude/skills/sm-configure/reference/configuration-reference.md

@@ -283,10 +283,17 @@ config.realtime.solid_cable.connects_to = { database: { writing: :cable } }
 
 Class: `SourceMonitor::Configuration::AuthenticationSettings`
 
+**Fail-closed by default.** When no `authenticate_with`/`authorize_with` handler is
+configured and `open_access` is `false`, the engine denies every route with
+`403 Forbidden` (see `SourceMonitor::Security::Authentication.access_denied_by_default?`).
+Configuring either handler makes the handler authoritative and bypasses the
+fail-closed guard.
+
 | Setting | Type | Default | Description |
 |---|---|---|---|
 | `current_user_method` | Symbol/nil | `nil` | Controller method to get current user |
 | `user_signed_in_method` | Symbol/nil | `nil` | Controller method to check sign-in status |
+| `open_access` | Boolean | `false` | Opt out of the fail-closed guard so engine routes are public. **Demo/non-production only.** Ignored when a handler is configured. |
 
 ### Methods
 
@@ -312,6 +319,10 @@ config.authentication.authorize_with ->(controller) {
 config.authentication.authorize_with do
   redirect_to root_path unless current_user&.admin?
 end
+
+# Open access (demo/non-production only) -- disables the fail-closed guard.
+# Leave commented/false in production. A configured handler always wins.
+config.authentication.open_access = true # default: false
 ```
 
 ---

data/.claude/skills/sm-event-handler/SKILL.md

@@ -98,7 +98,7 @@ Fires after a feed fetch finishes (success or failure).
 | Field | Type | Description |
 |---|---|---|
 | `source` | `SourceMonitor::Source` | The fetched source |
-| `result` | Object | The fetch result |
+| `result` | `SourceMonitor::Fetching::FeedFetcher::Result` | The fetch result |
 | `status` | String | Result status |
 | `occurred_at` | Time | When the event fired |
 

data/.claude/skills/sm-event-handler/reference/events-api.md

@@ -112,7 +112,7 @@ Fired by `Events.after_fetch_completed` after a feed fetch finishes.
 ```ruby
 FetchCompletedEvent = Struct.new(
   :source,      # SourceMonitor::Source - the fetched source
-  :result,      # Object - fetch result
+  :result,      # SourceMonitor::Fetching::FeedFetcher::Result - fetch result
   :status,      # String - result status
   :occurred_at, # Time - when the event fired
   keyword_init: true

data/.claude/skills/sm-host-setup/SKILL.md

@@ -119,7 +119,7 @@ After installation, review and customize the initializer. Key areas:
 | Section | Purpose |
 |---|---|
 | Queue settings | Queue names, concurrency, namespace |
-| Authentication | `authenticate_with`, `authorize_with` hooks |
+| Authentication | **Fail-closed by default** -- configure `authenticate_with`/`authorize_with` hooks, or set `open_access = true` for demos only |
 | HTTP client | Timeouts, proxy, retries |
 | Fetching | Adaptive scheduling intervals and factors |
 | Health | Auto-pause/resume thresholds |
@@ -152,7 +152,17 @@ SOURCE_MONITOR_SETUP_TELEMETRY=true bin/source_monitor verify
 # Logs to log/source_monitor_setup.log
 ```
 
-## Devise Integration
+## Authentication (Fail-Closed by Default)
+
+SourceMonitor is **fail-closed by default**: with no `authenticate_with`/`authorize_with`
+handler configured, every engine route (including create/update/delete/enqueue actions)
+returns `403 Forbidden`. You must make one of two choices during setup:
+
+1. **Configure a handler** (recommended) -- the handler decides access and bypasses the
+   fail-closed guard.
+2. **Set `config.authentication.open_access = true`** -- opts out of the guard so routes
+   are public. **Demo/non-production only.** A configured handler always takes precedence
+   over this flag.
 
 When Devise is detected, the guided installer offers to wire authentication hooks:
 
@@ -238,6 +248,6 @@ end
 - [x] `Procfile.dev` includes `jobs:` entry for Solid Queue (handled by generator)
 - [x] Dispatcher config includes `recurring_schedule: config/recurring.yml` (handled by generator)
 - [ ] Solid Queue workers started
-- [ ] Authentication hooks configured in initializer
+- [ ] Authentication decision made (engine is fail-closed by default): handler configured via `authenticate_with`/`authorize_with`, OR `config.authentication.open_access = true` for demos only
 - [ ] `bin/source_monitor verify` passes
 - [ ] Dashboard accessible at mount path

data/.claude/skills/sm-host-setup/reference/initializer-template.md

@@ -57,7 +57,12 @@ SourceMonitor.configure do |config|
   # ===========================================================================
   # Authentication
   # ===========================================================================
+  # SECURITY: SourceMonitor is FAIL-CLOSED by default. If you do not configure
+  # an authentication or authorization handler below, every engine route
+  # (including create/update/delete/enqueue actions) returns 403 Forbidden.
   # Handlers: Symbol (invoked on controller) or callable (receives controller).
+  # As soon as a handler is configured it decides access and the fail-closed
+  # guard no longer applies.
 
   # Authenticate before accessing any SourceMonitor page.
   # config.authentication.authenticate_with :authenticate_user!
@@ -71,6 +76,12 @@ SourceMonitor.configure do |config|
   # config.authentication.current_user_method = :current_user
   # config.authentication.user_signed_in_method = :user_signed_in?
 
+  # Explicit opt-in for open/unauthenticated access. Leave commented out in
+  # production. Only enable for local demos or sandboxes where engine routes
+  # are deliberately public.
+  # WARNING: non-production / demo only -- this disables the fail-closed guard.
+  # config.authentication.open_access = true
+
   # ===========================================================================
   # HTTP Client
   # ===========================================================================

data/.claude/skills/sm-host-setup/reference/setup-checklist.md

@@ -57,6 +57,10 @@ bin/rails db:migrate
 
 ## Phase 5: Configure Authentication
 
+**Fail-closed by default.** With no handler configured, every engine route returns
+`403 Forbidden`. Make one of two choices: configure a handler (recommended) OR opt into
+open access for demos only.
+
 Edit `config/initializers/source_monitor.rb`:
 
 ```ruby
@@ -68,10 +72,14 @@ SourceMonitor.configure do |config|
   }
   config.authentication.current_user_method = :current_user
   config.authentication.user_signed_in_method = :user_signed_in?
+
+  # OR, for local demos/sandboxes only (non-production) -- opt out of the
+  # fail-closed guard so routes are public. A configured handler always wins.
+  # config.authentication.open_access = true
 end
 ```
 
-- [ ] Authentication hook configured
+- [ ] Authentication decision made: handler configured (fail-closed default) OR `open_access = true` set for demos only
 - [ ] Authorization hook configured (if needed)
 
 ## Phase 6: Configure Workers

data/.claude/skills/sm-upgrade/reference/version-history.md

@@ -2,6 +2,18 @@
 
 Version-specific migration notes for each major/minor version transition. Agents should reference this file when guiding users through multi-version upgrades.
 
+## 0.13.1 to 0.14.0
+
+**Key changes:**
+- **BREAKING — Fail-closed by default** (#129): engine routes return `403 Forbidden` unless `config.authentication.authenticate_with` or `config.authentication.authorize_with` is configured, OR `config.authentication.open_access = true` is explicitly set (non-production only).
+- **Request flashes response-local** (#130): flash toasts no longer broadcast to the global `source_monitor_notifications` ActionCable stream; rendered inline on HTML loads and appended on turbo_stream responses instead. Background operational toasts stay global but context-free.
+- **Gem package excludes `.claude` internals** (#131): only `.claude/skills/sm-*` shipped; agents, hooks, `settings.json`, commands, and non-`sm-*` skills excluded.
+
+**Action items:**
+1. `bundle update source_monitor`
+2. **Action required (auth):** in `config/initializers/source_monitor.rb`, ensure at least one of `authenticate_with`, `authorize_with`, or `open_access = true` (demo/sandbox only). Without one, all engine routes return `403`.
+3. No migrations or other breaking API changes; flash/packaging changes apply transparently.
+
 ## 0.12.4 to 0.13.0
 
 **Key changes:**

data/CHANGELOG.md

@@ -15,6 +15,25 @@ All notable changes to this project are documented below. The format follows [Ke
 
 - No unreleased changes yet.
 
+## [0.14.0] - 2026-05-28
+
+### Security (BREAKING)
+- **Fail-closed engine access by default** (#129). When the host app has configured no authentication/authorization handler, every mounted SourceMonitor route now returns `403 Forbidden` instead of being publicly accessible. Previously `authenticate!`/`authorize!` were silent no-ops when unconfigured, so create/update/delete/enqueue routes were public by omission.
+  - **Migration:** Configure a handler — `config.authentication.authenticate_with` and/or `config.authentication.authorize_with` — to gate the engine with your host auth stack. Configured handlers are honored exactly as before.
+  - **Demo opt-in:** To intentionally keep routes public (local demos/sandboxes only), set `config.authentication.open_access = true` (default `false`). Do not enable this in production.
+
+### Fixed
+- **Request flashes no longer leak across users** (#130). Request flash toasts were broadcast to a global ActionCable stream (`source_monitor_notifications`) that every connected browser tab subscribed to, so one user's flash could appear on every user's screen. Flashes are now delivered response-local — rendered inline on full-page HTML loads and appended to the turbo_stream response otherwise — reaching only the requesting tab. Background operational toasts (fetch/scrape completion) remain global but carry no per-user request context.
+
+### Changed
+- **Gem package no longer ships `.claude` internals** (#131). The packaged gem now excludes `.claude` agents, hooks, agent-memory, `settings.json`, commands, and non-`sm-*` skills; only the intended `.claude/skills/sm-*` SourceMonitor skills are shipped. Packaging is also now CWD-independent so the skill files are included deterministically.
+
+## [0.13.1] - 2026-05-28
+
+### Fixed
+- Preserve the public `after_fetch_completed` payload as `FeedFetcher::Result`; the PR #118 fetch outcome objects remain an internal refactor detail.
+- Keep inactive sources out of sources-index scrape recommendation badges, matching the shared recommendation query used by dashboard and bulk enablement.
+
 ## [0.13.0] - 2026-03-24
 
 ### Changed

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    source_monitor (0.13.0)
+    source_monitor (0.14.0)
       cssbundling-rails (~> 1.4)
       faraday (~> 2.9)
       faraday-follow_redirects (~> 0.4)

data/README.md

@@ -9,8 +9,8 @@ SourceMonitor is a production-ready Rails 8 mountable engine for ingesting, norm
 In your host Rails app:
 
 ```bash
-bundle add source_monitor --version "~> 0.13.0"
-# or add `gem "source_monitor", "~> 0.13.0"` manually, then run:
+bundle add source_monitor --version "~> 0.14.0"
+# or add `gem "source_monitor", "~> 0.14.0"` manually, then run:
 bundle install
 ```
 
@@ -46,7 +46,7 @@ This exposes `bin/source_monitor` (via Bundler binstubs) so you can run the guid
 Before running any SourceMonitor commands inside your host app, add the gem and install dependencies:
 
 ```bash
-bundle add source_monitor --version "~> 0.13.0"
+bundle add source_monitor --version "~> 0.14.0"
 # or edit your Gemfile, then run
 bundle install
 ```

data/VERSION

@@ -1 +1 @@
-0.13.0
+0.14.0

data/app/assets/builds/source_monitor/application.css

@@ -1927,6 +1927,10 @@ video {
   box-shadow: var(--tw-ring-offset-shadow, 0 0 #0000), var(--tw-ring-shadow, 0 0 #0000), var(--tw-shadow);
 }
 
+.fm-admin .outline {
+  outline-style: solid;
+}
+
 .fm-admin .ring-1 {
   --tw-ring-offset-shadow: var(--tw-ring-inset) 0 0 0 var(--tw-ring-offset-width) var(--tw-ring-offset-color);
   --tw-ring-shadow: var(--tw-ring-inset) 0 0 0 calc(1px + var(--tw-ring-offset-width)) var(--tw-ring-color);

data/app/controllers/source_monitor/application_controller.rb

@@ -4,11 +4,13 @@ module SourceMonitor
   class ApplicationController < ActionController::Base
     protect_from_forgery with: :exception, prepend: true
 
+    before_action :enforce_source_monitor_access_default
     before_action :authenticate_source_monitor_user
     before_action :authorize_source_monitor_access
 
-    helper_method :source_monitor_current_user, :source_monitor_user_signed_in?
-    after_action :broadcast_flash_toasts
+    helper_method :source_monitor_current_user, :source_monitor_user_signed_in?,
+      :source_monitor_flash_toasts
+    after_action :append_flash_toasts_to_turbo_stream
 
     rescue_from ActiveRecord::RecordNotFound, with: :record_not_found
 
@@ -40,6 +42,30 @@ module SourceMonitor
     TOAST_DURATION_DEFAULT = 5000
     TOAST_DURATION_ERROR = 6000
 
+    # Fail-closed guard: when the host app has configured no authentication or
+    # authorization handler and has not explicitly opted into open access, deny
+    # all engine routes. Configured handlers short-circuit this and decide for
+    # themselves (see SourceMonitor::Security::Authentication).
+    def enforce_source_monitor_access_default
+      return unless SourceMonitor::Security::Authentication.access_denied_by_default?(self)
+
+      source_monitor_access_forbidden
+    end
+
+    def source_monitor_access_forbidden
+      message = "SourceMonitor access is not configured"
+      respond_to do |format|
+        format.html { render plain: message, status: :forbidden }
+        format.turbo_stream do
+          render turbo_stream: turbo_stream.append("flash",
+            partial: "source_monitor/shared/toast",
+            locals: { message: message, level: :error }),
+            status: :forbidden
+        end
+        format.json { render json: { error: message }, status: :forbidden }
+      end
+    end
+
     def authenticate_source_monitor_user
       SourceMonitor::Security::Authentication.authenticate!(self)
     end
@@ -60,22 +86,55 @@ module SourceMonitor
       level.to_sym == :error ? TOAST_DURATION_ERROR : TOAST_DURATION_DEFAULT
     end
 
-    def broadcast_flash_toasts
-      return if flash.empty?
-      return unless request.format.html? || request.format.turbo_stream?
+    # Request flashes are delivered response-local, never broadcast over the
+    # global ActionCable notification stream. On full-page HTML loads the layout
+    # renders the toasts inline (see +source_monitor_flash_toasts+); on
+    # turbo_stream responses we append the toasts to the response body so they
+    # reach only the requesting tab.
+    def source_monitor_flash_toasts
+      payloads = flash_toast_payloads
+      # Reading via the layout consumes the flash for this request so it does
+      # not linger into the next one.
+      flash.discard unless payloads.empty?
+      payloads
+    end
 
-      flash.each do |key, message|
-        next if message.blank?
+    def append_flash_toasts_to_turbo_stream
+      return unless request.format.turbo_stream?
+      return if response.redirect?
+
+      payloads = flash_toast_payloads
+      return if payloads.empty?
+
+      streams = payloads.map do |payload|
+        view_context.turbo_stream.append(
+          "source_monitor_notifications",
+          partial: "source_monitor/shared/toast",
+          locals: {
+            message: payload[:message],
+            level: payload[:level],
+            delay_ms: toast_delay_for(payload[:level])
+          }
+        )
+      end
 
-        Array(message).each do |msg|
-          SourceMonitor::Realtime.broadcast_toast(
-            message: msg,
-            level: FLASH_LEVELS[key.to_sym] || :info
-          )
+      response.body = "#{response.body}#{streams.join}"
+      flash.discard
+    end
+
+    # Builds the list of toast payloads ({ message:, level: }) for the current
+    # request's flash. Used by both the inline layout renderer and the
+    # turbo_stream after_action so request flashes stay response-local.
+    def flash_toast_payloads
+      return [] if flash.empty?
+
+      flash.flat_map do |key, message|
+        Array(message).filter_map do |msg|
+          next if msg.blank?
+
+          { message: msg, level: FLASH_LEVELS[key.to_sym] || :info }
         end
       end
-    ensure
-      flash.discard
     end
   end
 end

data/app/controllers/source_monitor/bulk_scrape_enablements_controller.rb

@@ -33,7 +33,7 @@ module SourceMonitor
 
     def resolve_source_ids
       if params.dig(:bulk_scrape_enablement, :select_all_pages) == "true"
-        Source.scrape_candidates.pluck(:id)
+        SourceMonitor::Analytics::ScrapeRecommendations.new.candidate_ids
       else
         raw_ids = Array(params.dig(:bulk_scrape_enablement, :source_ids))
         raw_ids.map(&:to_i).reject(&:zero?)

data/app/controllers/source_monitor/import_sessions/bulk_configuration.rb

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
+require "source_monitor/import_sessions/entry_normalizer"
+
 module SourceMonitor
   module ImportSessions
     module BulkConfiguration
@@ -33,7 +35,7 @@ module SourceMonitor
         entry = selected_entries_for_identity.first
         return fallback_identity unless entry
 
-        normalized = normalize_entry(entry)
+        normalized = SourceMonitor::ImportSessions::EntryNormalizer.normalize(entry)
         {
           name: normalized[:title].presence || normalized[:feed_url] || fallback_identity[:name],
           feed_url: normalized[:feed_url].presence || fallback_identity[:feed_url],