source_monitor 0.13.1 → 0.14.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d863378a0fb5338b1b1fe89c40c0c0ab9705b3ce60c45889eabf1ed626d27cf1
-  data.tar.gz: d3a56da362430857991b85ab2b24ef10b5e2641dc312ecbe2a302bdca1a8352b
+  metadata.gz: 35e62d7d750d8d9fe1cff82806de1846d27fe505fad819551e48474f864b1499
+  data.tar.gz: 2f6889306b930aa78caec52cc92c7c6919ba379955a6d0484cc8bf44f52dcf6f
 SHA512:
-  metadata.gz: 885cf285ecc91bf09f2bca2bd9f384cea7f36e1c966a0a74a20d7f87a9df8f69da79dd8363762111c3e206dfe1668ddbefc46cdda71c4e83eaeb138099e74a25
-  data.tar.gz: b38579d624e4e66f5f051ce3aab2e61249fb549310e73e1959cdc0d67aef7fb63ff7c18232563269b2e826c5eb08f2a01bb5cf78f992df90bba3a0649d4d7a21
+  metadata.gz: 3ca0f0c0a9d6e1c2557c501a2a51bc9dee52e486b78cb78f1384232f5af704c209026e514f1dea2ea94c6962d502856add17c57b4afc79c462ed8fa39da8d236
+  data.tar.gz: ed49ec4ce672c5850b2bc3f3a6d73e31f1d08d6c8f7b1a779258db69ac9cdb48d1aa6e8478784a0f89bf161ec81bad31b79485455373a702240a1580ad31f6dc

data/.claude/skills/sm-configuration-setting/reference/settings-catalog.md

@@ -157,6 +157,7 @@ Has `reset!` method. The `adapter=` setter validates against `VALID_ADAPTERS`.
 | `authorize_handler` | Handler/nil | `nil` | Authorization handler |
 | `current_user_method` | Symbol/nil | `nil` | Method name for current user |
 | `user_signed_in_method` | Symbol/nil | `nil` | Method name for signed-in check |
+| `open_access` | Boolean | `false` | Opt out of the fail-closed access guard (demo/non-production only); ignored when a handler is configured |
 
 Has `reset!` method.
 

data/.claude/skills/sm-configure/SKILL.md

@@ -66,10 +66,17 @@ config.http.retry_max = 3
 ```
 
 ### Authentication (Devise)
+SourceMonitor is **fail-closed by default**: with no `authenticate_with`/`authorize_with`
+handler configured, every engine route returns `403 Forbidden`. Configure a handler
+to protect the dashboard (the handler decides access and bypasses the fail-closed guard):
 ```ruby
 config.authentication.authenticate_with :authenticate_user!
 config.authentication.authorize_with ->(c) { c.current_user&.admin? }
 ```
+For local demos/sandboxes only, opt out of the fail-closed guard (non-production):
+```ruby
+config.authentication.open_access = true # default: false -- demo/non-production only
+```
 
 ### Image Downloads (Active Storage)
 ```ruby
@@ -167,7 +174,7 @@ end
 - [ ] Initializer exists at `config/initializers/source_monitor.rb`
 - [ ] Queue names match `config/queue.yml` (or `config/solid_queue.yml`) entries
 - [x] Dispatcher config includes `recurring_schedule: config/recurring.yml` (handled by install generator)
-- [ ] Authentication hooks configured for host auth system
+- [ ] Authentication decision made: configure `authenticate_with`/`authorize_with` (fail-closed default) OR set `config.authentication.open_access = true` for demos only
 - [ ] HTTP timeouts appropriate for target feeds
 - [ ] Retention policy set for production
 - [ ] Workers restarted after configuration changes

data/.claude/skills/sm-configure/reference/configuration-reference.md

@@ -283,10 +283,17 @@ config.realtime.solid_cable.connects_to = { database: { writing: :cable } }
 
 Class: `SourceMonitor::Configuration::AuthenticationSettings`
 
+**Fail-closed by default.** When no `authenticate_with`/`authorize_with` handler is
+configured and `open_access` is `false`, the engine denies every route with
+`403 Forbidden` (see `SourceMonitor::Security::Authentication.access_denied_by_default?`).
+Configuring either handler makes the handler authoritative and bypasses the
+fail-closed guard.
+
 | Setting | Type | Default | Description |
 |---|---|---|---|
 | `current_user_method` | Symbol/nil | `nil` | Controller method to get current user |
 | `user_signed_in_method` | Symbol/nil | `nil` | Controller method to check sign-in status |
+| `open_access` | Boolean | `false` | Opt out of the fail-closed guard so engine routes are public. **Demo/non-production only.** Ignored when a handler is configured. |
 
 ### Methods
 
@@ -312,6 +319,10 @@ config.authentication.authorize_with ->(controller) {
 config.authentication.authorize_with do
   redirect_to root_path unless current_user&.admin?
 end
+
+# Open access (demo/non-production only) -- disables the fail-closed guard.
+# Leave commented/false in production. A configured handler always wins.
+config.authentication.open_access = true # default: false
 ```
 
 ---

data/.claude/skills/sm-host-setup/SKILL.md

@@ -119,7 +119,7 @@ After installation, review and customize the initializer. Key areas:
 | Section | Purpose |
 |---|---|
 | Queue settings | Queue names, concurrency, namespace |
-| Authentication | `authenticate_with`, `authorize_with` hooks |
+| Authentication | **Fail-closed by default** -- configure `authenticate_with`/`authorize_with` hooks, or set `open_access = true` for demos only |
 | HTTP client | Timeouts, proxy, retries |
 | Fetching | Adaptive scheduling intervals and factors |
 | Health | Auto-pause/resume thresholds |
@@ -152,7 +152,17 @@ SOURCE_MONITOR_SETUP_TELEMETRY=true bin/source_monitor verify
 # Logs to log/source_monitor_setup.log
 ```
 
-## Devise Integration
+## Authentication (Fail-Closed by Default)
+
+SourceMonitor is **fail-closed by default**: with no `authenticate_with`/`authorize_with`
+handler configured, every engine route (including create/update/delete/enqueue actions)
+returns `403 Forbidden`. You must make one of two choices during setup:
+
+1. **Configure a handler** (recommended) -- the handler decides access and bypasses the
+   fail-closed guard.
+2. **Set `config.authentication.open_access = true`** -- opts out of the guard so routes
+   are public. **Demo/non-production only.** A configured handler always takes precedence
+   over this flag.
 
 When Devise is detected, the guided installer offers to wire authentication hooks:
 
@@ -238,6 +248,6 @@ end
 - [x] `Procfile.dev` includes `jobs:` entry for Solid Queue (handled by generator)
 - [x] Dispatcher config includes `recurring_schedule: config/recurring.yml` (handled by generator)
 - [ ] Solid Queue workers started
-- [ ] Authentication hooks configured in initializer
+- [ ] Authentication decision made (engine is fail-closed by default): handler configured via `authenticate_with`/`authorize_with`, OR `config.authentication.open_access = true` for demos only
 - [ ] `bin/source_monitor verify` passes
 - [ ] Dashboard accessible at mount path

data/.claude/skills/sm-host-setup/reference/initializer-template.md

@@ -57,7 +57,12 @@ SourceMonitor.configure do |config|
   # ===========================================================================
   # Authentication
   # ===========================================================================
+  # SECURITY: SourceMonitor is FAIL-CLOSED by default. If you do not configure
+  # an authentication or authorization handler below, every engine route
+  # (including create/update/delete/enqueue actions) returns 403 Forbidden.
   # Handlers: Symbol (invoked on controller) or callable (receives controller).
+  # As soon as a handler is configured it decides access and the fail-closed
+  # guard no longer applies.
 
   # Authenticate before accessing any SourceMonitor page.
   # config.authentication.authenticate_with :authenticate_user!
@@ -71,6 +76,12 @@ SourceMonitor.configure do |config|
   # config.authentication.current_user_method = :current_user
   # config.authentication.user_signed_in_method = :user_signed_in?
 
+  # Explicit opt-in for open/unauthenticated access. Leave commented out in
+  # production. Only enable for local demos or sandboxes where engine routes
+  # are deliberately public.
+  # WARNING: non-production / demo only -- this disables the fail-closed guard.
+  # config.authentication.open_access = true
+
   # ===========================================================================
   # HTTP Client
   # ===========================================================================

data/.claude/skills/sm-host-setup/reference/setup-checklist.md

@@ -57,6 +57,10 @@ bin/rails db:migrate
 
 ## Phase 5: Configure Authentication
 
+**Fail-closed by default.** With no handler configured, every engine route returns
+`403 Forbidden`. Make one of two choices: configure a handler (recommended) OR opt into
+open access for demos only.
+
 Edit `config/initializers/source_monitor.rb`:
 
 ```ruby
@@ -68,10 +72,14 @@ SourceMonitor.configure do |config|
   }
   config.authentication.current_user_method = :current_user
   config.authentication.user_signed_in_method = :user_signed_in?
+
+  # OR, for local demos/sandboxes only (non-production) -- opt out of the
+  # fail-closed guard so routes are public. A configured handler always wins.
+  # config.authentication.open_access = true
 end
 ```
 
-- [ ] Authentication hook configured
+- [ ] Authentication decision made: handler configured (fail-closed default) OR `open_access = true` set for demos only
 - [ ] Authorization hook configured (if needed)
 
 ## Phase 6: Configure Workers

data/.claude/skills/sm-upgrade/reference/version-history.md

@@ -2,6 +2,18 @@
 
 Version-specific migration notes for each major/minor version transition. Agents should reference this file when guiding users through multi-version upgrades.
 
+## 0.13.1 to 0.14.0
+
+**Key changes:**
+- **BREAKING — Fail-closed by default** (#129): engine routes return `403 Forbidden` unless `config.authentication.authenticate_with` or `config.authentication.authorize_with` is configured, OR `config.authentication.open_access = true` is explicitly set (non-production only).
+- **Request flashes response-local** (#130): flash toasts no longer broadcast to the global `source_monitor_notifications` ActionCable stream; rendered inline on HTML loads and appended on turbo_stream responses instead. Background operational toasts stay global but context-free.
+- **Gem package excludes `.claude` internals** (#131): only `.claude/skills/sm-*` shipped; agents, hooks, `settings.json`, commands, and non-`sm-*` skills excluded.
+
+**Action items:**
+1. `bundle update source_monitor`
+2. **Action required (auth):** in `config/initializers/source_monitor.rb`, ensure at least one of `authenticate_with`, `authorize_with`, or `open_access = true` (demo/sandbox only). Without one, all engine routes return `403`.
+3. No migrations or other breaking API changes; flash/packaging changes apply transparently.
+
 ## 0.12.4 to 0.13.0
 
 **Key changes:**

data/CHANGELOG.md

@@ -13,6 +13,21 @@ All notable changes to this project are documented below. The format follows [Ke
 
 ## [Unreleased]
 
+- No unreleased changes yet.
+
+## [0.14.0] - 2026-05-28
+
+### Security (BREAKING)
+- **Fail-closed engine access by default** (#129). When the host app has configured no authentication/authorization handler, every mounted SourceMonitor route now returns `403 Forbidden` instead of being publicly accessible. Previously `authenticate!`/`authorize!` were silent no-ops when unconfigured, so create/update/delete/enqueue routes were public by omission.
+  - **Migration:** Configure a handler — `config.authentication.authenticate_with` and/or `config.authentication.authorize_with` — to gate the engine with your host auth stack. Configured handlers are honored exactly as before.
+  - **Demo opt-in:** To intentionally keep routes public (local demos/sandboxes only), set `config.authentication.open_access = true` (default `false`). Do not enable this in production.
+
+### Fixed
+- **Request flashes no longer leak across users** (#130). Request flash toasts were broadcast to a global ActionCable stream (`source_monitor_notifications`) that every connected browser tab subscribed to, so one user's flash could appear on every user's screen. Flashes are now delivered response-local — rendered inline on full-page HTML loads and appended to the turbo_stream response otherwise — reaching only the requesting tab. Background operational toasts (fetch/scrape completion) remain global but carry no per-user request context.
+
+### Changed
+- **Gem package no longer ships `.claude` internals** (#131). The packaged gem now excludes `.claude` agents, hooks, agent-memory, `settings.json`, commands, and non-`sm-*` skills; only the intended `.claude/skills/sm-*` SourceMonitor skills are shipped. Packaging is also now CWD-independent so the skill files are included deterministically.
+
 ## [0.13.1] - 2026-05-28
 
 ### Fixed

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    source_monitor (0.13.1)
+    source_monitor (0.14.0)
       cssbundling-rails (~> 1.4)
       faraday (~> 2.9)
       faraday-follow_redirects (~> 0.4)

data/README.md

@@ -9,8 +9,8 @@ SourceMonitor is a production-ready Rails 8 mountable engine for ingesting, norm
 In your host Rails app:
 
 ```bash
-bundle add source_monitor --version "~> 0.13.1"
-# or add `gem "source_monitor", "~> 0.13.1"` manually, then run:
+bundle add source_monitor --version "~> 0.14.0"
+# or add `gem "source_monitor", "~> 0.14.0"` manually, then run:
 bundle install
 ```
 
@@ -46,7 +46,7 @@ This exposes `bin/source_monitor` (via Bundler binstubs) so you can run the guid
 Before running any SourceMonitor commands inside your host app, add the gem and install dependencies:
 
 ```bash
-bundle add source_monitor --version "~> 0.13.1"
+bundle add source_monitor --version "~> 0.14.0"
 # or edit your Gemfile, then run
 bundle install
 ```

data/VERSION

@@ -1 +1 @@
-0.13.0
+0.14.0

data/app/controllers/source_monitor/application_controller.rb

@@ -4,11 +4,13 @@ module SourceMonitor
   class ApplicationController < ActionController::Base
     protect_from_forgery with: :exception, prepend: true
 
+    before_action :enforce_source_monitor_access_default
     before_action :authenticate_source_monitor_user
     before_action :authorize_source_monitor_access
 
-    helper_method :source_monitor_current_user, :source_monitor_user_signed_in?
-    after_action :broadcast_flash_toasts
+    helper_method :source_monitor_current_user, :source_monitor_user_signed_in?,
+      :source_monitor_flash_toasts
+    after_action :append_flash_toasts_to_turbo_stream
 
     rescue_from ActiveRecord::RecordNotFound, with: :record_not_found
 
@@ -40,6 +42,30 @@ module SourceMonitor
     TOAST_DURATION_DEFAULT = 5000
     TOAST_DURATION_ERROR = 6000
 
+    # Fail-closed guard: when the host app has configured no authentication or
+    # authorization handler and has not explicitly opted into open access, deny
+    # all engine routes. Configured handlers short-circuit this and decide for
+    # themselves (see SourceMonitor::Security::Authentication).
+    def enforce_source_monitor_access_default
+      return unless SourceMonitor::Security::Authentication.access_denied_by_default?(self)
+
+      source_monitor_access_forbidden
+    end
+
+    def source_monitor_access_forbidden
+      message = "SourceMonitor access is not configured"
+      respond_to do |format|
+        format.html { render plain: message, status: :forbidden }
+        format.turbo_stream do
+          render turbo_stream: turbo_stream.append("flash",
+            partial: "source_monitor/shared/toast",
+            locals: { message: message, level: :error }),
+            status: :forbidden
+        end
+        format.json { render json: { error: message }, status: :forbidden }
+      end
+    end
+
     def authenticate_source_monitor_user
       SourceMonitor::Security::Authentication.authenticate!(self)
     end
@@ -60,22 +86,55 @@ module SourceMonitor
       level.to_sym == :error ? TOAST_DURATION_ERROR : TOAST_DURATION_DEFAULT
     end
 
-    def broadcast_flash_toasts
-      return if flash.empty?
-      return unless request.format.html? || request.format.turbo_stream?
+    # Request flashes are delivered response-local, never broadcast over the
+    # global ActionCable notification stream. On full-page HTML loads the layout
+    # renders the toasts inline (see +source_monitor_flash_toasts+); on
+    # turbo_stream responses we append the toasts to the response body so they
+    # reach only the requesting tab.
+    def source_monitor_flash_toasts
+      payloads = flash_toast_payloads
+      # Reading via the layout consumes the flash for this request so it does
+      # not linger into the next one.
+      flash.discard unless payloads.empty?
+      payloads
+    end
 
-      flash.each do |key, message|
-        next if message.blank?
+    def append_flash_toasts_to_turbo_stream
+      return unless request.format.turbo_stream?
+      return if response.redirect?
+
+      payloads = flash_toast_payloads
+      return if payloads.empty?
+
+      streams = payloads.map do |payload|
+        view_context.turbo_stream.append(
+          "source_monitor_notifications",
+          partial: "source_monitor/shared/toast",
+          locals: {
+            message: payload[:message],
+            level: payload[:level],
+            delay_ms: toast_delay_for(payload[:level])
+          }
+        )
+      end
 
-        Array(message).each do |msg|
-          SourceMonitor::Realtime.broadcast_toast(
-            message: msg,
-            level: FLASH_LEVELS[key.to_sym] || :info
-          )
+      response.body = "#{response.body}#{streams.join}"
+      flash.discard
+    end
+
+    # Builds the list of toast payloads ({ message:, level: }) for the current
+    # request's flash. Used by both the inline layout renderer and the
+    # turbo_stream after_action so request flashes stay response-local.
+    def flash_toast_payloads
+      return [] if flash.empty?
+
+      flash.flat_map do |key, message|
+        Array(message).filter_map do |msg|
+          next if msg.blank?
+
+          { message: msg, level: FLASH_LEVELS[key.to_sym] || :info }
         end
       end
-    ensure
-      flash.discard
     end
   end
 end

data/app/views/layouts/source_monitor/application.html.erb

@@ -19,6 +19,12 @@
       <div id="source_monitor_notifications"
            data-notification-container-target="list"
            class="flex w-full flex-col gap-3">
+        <%# Request flashes render response-local here (never broadcast to all tabs). %>
+        <% source_monitor_flash_toasts.each do |toast| %>
+          <%= render "source_monitor/shared/toast",
+                message: toast[:message],
+                level: toast[:level] %>
+        <% end %>
       </div>
       <div data-notification-container-target="badge"
            class="pointer-events-auto hidden">

data/docs/configuration.md

@@ -137,6 +137,11 @@ Call `config.realtime.action_cable_config` if you need a full hash for environme
 
 ## Authentication Helpers
 
+**Fail-closed by default.** SourceMonitor denies access to every engine route
+(returning `403 Forbidden`) unless you configure an authentication or
+authorization handler. This prevents the engine's create/update/delete/enqueue
+routes from being public by accident.
+
 Protect the dashboard with host-specific auth in one place:
 
 ```ruby
@@ -148,7 +153,19 @@ config.authentication.current_user_method = :current_user
 config.authentication.user_signed_in_method = :user_signed_in?
 ```
 
-Handlers can be symbols (invoked on the controller) or callables. Return `false` or raise to deny access.
+Handlers can be symbols (invoked on the controller) or callables. Return `false` or raise to deny access. As soon as either handler is configured, the handler decides access and the fail-closed guard no longer applies.
+
+### Open access opt-in (non-production)
+
+For local demos or sandboxes where engine routes are deliberately public, you
+can explicitly opt out of the fail-closed guard:
+
+```ruby
+config.authentication.open_access = true # default: false
+```
+
+This is intended for non-production/demo environments only. Configuring a
+handler always takes precedence over this flag.
 
 ## Health Model
 

data/docs/deployment.md

@@ -33,7 +33,7 @@ SourceMonitor assumes the standard Rails 8 process split:
 
 ## Security & Authentication
 
-- Lock down the engine routes with authentication hooks (`config.authentication.authenticate_with` / `authorize_with`).
+- SourceMonitor is **fail-closed by default**: without a configured handler every engine route returns `403 Forbidden`. Lock down the routes with authentication hooks (`config.authentication.authenticate_with` / `authorize_with`). Only set `config.authentication.open_access = true` for non-production demos where public access is intentional.
 - Configure HTTPS for Action Cable if you expose Solid Cable over the public internet.
 - Store API keys for authenticated feeds in encrypted credentials and inject them via per-source custom headers.