swal_rails 0.3.1.beta1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 9e9ac64c06c6de5525bf1964f4c866b72b3a5fc4fb42fed239778cc94e0bc57c
+  data.tar.gz: abefde5449478e377516fb40b78087fb89b60f73c60788422309e0930e278643
+SHA512:
+  metadata.gz: 455ee6bc8175ee826535fcfbb7be404f9b56ca2d2a92715f0fe47d818d10521257bcdb8bd640b7b344e26e980aeaa5948d2d237fa097df0aa0e2c534a6fd337a
+  data.tar.gz: db9ff1404a3e0b33b0e9b70cb04feb9386c2e94b5dad486477d18b319b16d9c64e055eb47a726f491447bcba326010b08f3565de07f343ad3a0033f6634cc925

data/Appraisals

@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+# Regenerate per-version Gemfiles with: bundle exec appraisal install
+#
+# The base Gemfile pins Rails 8.1.3 + Propshaft for local dev. Each appraise
+# block redeclares the Rails stack — Appraisal uses the last `gem` declaration
+# when the same gem is named twice. `remove_gem "propshaft"` is needed for the
+# sprockets variant to avoid shipping both pipelines.
+
+appraise "rails-7-2" do
+  gem "rails", "~> 7.2.2"
+  gem "propshaft", "~> 0.9"
+  gem "importmap-rails", "~> 2.0"
+  gem "turbo-rails", "~> 2.0"
+  gem "stimulus-rails", "~> 1.3"
+end
+
+appraise "rails-8-0" do
+  gem "rails", "~> 8.0.0"
+  gem "propshaft", "~> 1.0"
+  gem "importmap-rails", "~> 2.0"
+  gem "turbo-rails", "~> 2.0"
+  gem "stimulus-rails", "~> 1.3"
+end
+
+appraise "rails-8-1" do
+  gem "rails", "~> 8.1.3"
+  gem "propshaft", "~> 1.0"
+  gem "importmap-rails", "~> 2.0"
+  gem "turbo-rails", "~> 2.0"
+  gem "stimulus-rails", "~> 1.3"
+end
+
+# Rails LTS (8.1) with Sprockets instead of Propshaft — validates the
+# alternative asset pipeline on the version most people will run in prod.
+appraise "rails-8-1-sprockets" do
+  remove_gem "propshaft"
+  gem "rails", "~> 8.1.3"
+  gem "importmap-rails", "~> 2.0"
+  gem "turbo-rails", "~> 2.0"
+  gem "stimulus-rails", "~> 1.3"
+  gem "sprockets-rails", "~> 3.5"
+end

data/CHANGELOG.md

@@ -0,0 +1,73 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/)
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [Unreleased]
+
+## [0.3.1.beta1] - 2026-04-21
+
+### Changed
+- First public release on [RubyGems.org](https://rubygems.org/gems/swal_rails). Prior `0.x` tags lived on GitHub Packages only.
+- Release workflow now publishes to RubyGems via [Trusted Publishing](https://guides.rubygems.org/trusted-publishing/) (OIDC), no long-lived API key.
+
+### Security
+- `.gitignore` hardened preventively against `.env`, `master.key`, `config/credentials/*.key`, `*.pem`, `*.key`.
+- Gemspec now pins `allowed_push_host` to `https://rubygems.org` as a safety net against accidental push to other hosts.
+
+## [0.3.0] - 2026-04-21
+
+### Added
+- **Multi-step confirm chains** — `data-swal-steps='[{...}, {...}]'` (JSON array) runs each step sequentially and only proceeds with the original click/submit if every step is confirmed. Each step is a full SweetAlert2 options Hash, with per-step defaults (`showCancelButton`, `focusCancel`, `icon: "warning"`) merged in first.
+- **Conditional branching** via `onConfirmed` / `onDenied` sub-chains on any step — opt in to a Deny button with `showDenyButton: true` to get a three-way choice; nested sub-chains are recursive. `isDismissed` always aborts.
+- `data-turbo-confirm` (under `:turbo_override` / `:both`) now also accepts a JSON array, firing a chain via the Turbo override path.
+- Stimulus controller gains a `chain` action reading `data-swal-steps-value`; submits the enclosing form when the chain resolves confirmed.
+- Ruby view helper `swal_chain_tag(steps, html_options = {})` — symmetric with `swal_tag`, same `ERB::Util.json_escape` hardening and CSP nonce handling.
+
+### Fixed
+- `boot()` is now idempotent across `turbo:load` events: on Turbo-driven navigations the capture-phase click/submit listeners are installed exactly once for the page lifetime, instead of stacking one additional listener per navigation. Previously, after N Turbo visits a single `[data-swal-confirm]` click opened N cascading modals.
+- Confirm → form submit path now calls `form.requestSubmit()` when available (falling back to `form.submit()`), so Turbo and UJS `submit` listeners stay in the loop.
+
+### Security
+- Documented the Hash-form escape hatch: when a Hash is assigned to `flash[key]`, `data-turbo-confirm`, `data-swal-confirm` or `data-swal-options`, its keys (notably `html:`, `iconHtml:`, `footer:`) flow unescaped into SweetAlert2. The String form keeps payloads in `text:` and remains XSS-safe by default.
+
+## [0.2.1] - 2026-04-20
+
+### Changed
+- Release workflow now also triggers on push to `main`: when the version in `lib/swal_rails/version.rb` advances past the last `v*` tag, the workflow creates and pushes the tag, then runs the existing build / GitHub Release / GitHub Packages publish steps in the same job. Tag pushes keep working unchanged.
+
+## [0.2.0] - 2026-04-20
+
+### Added
+- Per-request SA2 options via Hash values:
+  - `flash[:notice] = { text: "…", icon: "rocket", timer: 5000 }` shadows `flash_map[:notice]`.
+  - `data: { turbo_confirm: { icon: "error", title: "Really?" } }` (or `swal_confirm:`) — Rails JSON-encodes the Hash, the runtime parses it back and treats it as full SA2 options.
+  - `data-swal-options='{…}'` on confirm triggers — full SA2 options escape hatch, wins over shortcut `data-swal-*` attributes.
+- Flash array expansion: `flash[:alert] = @post.errors.full_messages` fires one Swal per message.
+- CSP nonce support on `swal_tag`: pass `nonce: true` to have Rails substitute the per-request CSP nonce; silent fallback when no CSP helper is configured.
+- Six official SweetAlert2 themes vendored under `vendor/stylesheets/sweetalert2/themes/` (bootstrap-4, bootstrap-5, borderless, bulma, material-ui, minimal). `bootstrap-5` and `material-ui` carry built-in dark variants via `data-swal2-theme="…-dark"`.
+- `Sprockets::Rails` precompile allowlist now includes the ESM bundles, the Stimulus controller path, and all vendored themes — fixes `AssetNotPrecompiledError` on Sprockets host apps.
+
+### Security
+- `swal_tag` runs its options through `ERB::Util.json_escape` before interpolating them into the `<script>` body, neutralizing `</script>`, `<!--`, U+2028 and U+2029 — the four sequences that can break out of an inline script block.
+
+### Fixed
+- Global configuration no longer leaks between spec files (`swal_rails_spec.rb` mutated `confirm_mode` without restoring it, causing intermittent flakes in the system suite).
+
+### Changed
+- Flash meta-tag JSON shape: each entry is now `{key, options}` instead of `{key, message}`. Internal to the gem — no action required by consumers of the Ruby API.
+
+## [0.1.0] - 2026-04-19
+
+### Added
+- Rails Engine with multi-mode asset delivery (importmap, jsbundling, sprockets).
+- `SwalRails::Configuration` with per-flash-key mapping and four confirm modes
+  (`:off`, `:data_attribute`, `:turbo_override`, `:both`).
+- JS runtime: bootstraps `Swal.mixin`, installs confirm handler, auto-fires flash messages.
+- Stimulus controller `swal` with `fire` and `confirm` actions.
+- View helpers: `swal_rails_meta_tags`, `swal_config_meta_tag`, `swal_flash_meta_tag`, `swal_tag`.
+- Generators: `swal_rails:install` (with `--mode` flag) and `swal_rails:locales`.
+- I18n: `en` and `fr` locales.
+- a11y: respect for `prefers-reduced-motion`.
+- Bundled SweetAlert2 v11.26.24 under MIT license.

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2026 Florian Gagnaire
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.