u-authorization 2.3.0 → 3.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e3526fe8435c3d7156d4a879ac31de440227c7e6c64301fd83c4de7290ce8a30
-  data.tar.gz: 6afe620c20a8eead3210e280afed85643fb8737b14403fd3c1ce0497b2b7e7ae
+  metadata.gz: 51c049fdf0f6232070f3f1bb66812b92401d5fea6ff171990d07eea0e7f81693
+  data.tar.gz: 34456d500170bafe3d018687e3bbd3c46b3d373918829150549d2992297b88f8
 SHA512:
-  metadata.gz: d45f1751962e25ab031bf7196916f71fed329d8528cda715583ffb2cba93da09832ecd12552075e6b077394f8349e2ed64585c593b397728a753507c394b76e7
-  data.tar.gz: 1653c3e2cade12615afa6abfde01c49f30b9e3211915802627c4ed297ef8fbd73dcfe888aa07299efa03c8f3106b16cb32d47c570ae6de5fe5b04be3274d2fc9
+  metadata.gz: d62f986439e59cff7acedd82d2d0f608e0a28bbd9870f0d95347b987a13b217f2e71df86c7f32d3e47147273296bf50abe54843e93e6ad9cc69e9a535129730d
+  data.tar.gz: d3dfde01673ddf71ff0ec631d35b42275ccfd6f85e74755fa3e6b1ae8303b6ff1ffefe9fb6bf30c51ab11440173529385b57f85dd66d27c85011867aa492f912

data/.github/workflows/ci.yml

@@ -0,0 +1,41 @@
+name: Ruby
+
+on:
+  push:
+    branches:
+      - main
+      - master
+
+  pull_request:
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    name: Ruby ${{ matrix.ruby }}
+    permissions:
+      contents: read
+    strategy:
+      fail-fast: false
+      matrix:
+        ruby: ["2.7", "3.0", "3.1", "3.2", "3.3", "3.4", "4.0", head]
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+      - name: Set up Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: ${{ matrix.ruby }}
+      - name: Install bundler
+        run: gem install bundler -v 2.4.22
+        if: ${{ matrix.ruby == '2.7' || matrix.ruby == '3.0' }}
+      - name: Bundle install
+        run: bundle install
+      - name: Run tests
+        run: bundle exec rake test
+      - name: Upload coverage to Qlty
+        uses: qltysh/qlty-action/coverage@v2
+        if: ${{ matrix.ruby == '3.4' && !github.base_ref }}
+        with:
+          token: ${{ secrets.QLTY_COVERAGE_TOKEN }}
+          files: coverage/.resultset.json

data/.gitignore

@@ -1,3 +1,5 @@
+.DS_Store
+
 /.bundle/
 /.yardoc
 /_yardoc/
@@ -6,3 +8,8 @@
 /pkg/
 /spec/reports/
 /tmp/
+
+Gemfile.lock
+
+.tool-versions
+tags

data/CHANGELOG.md

@@ -0,0 +1,74 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [Unreleased]
+
+## [3.0.0] - 2026-06-01
+
+### Added
+
+- This `CHANGELOG.md`, following the [Keep a Changelog 1.1.0](https://keepachangelog.com/en/1.1.0/) format and backfilled to cover every tagged release.
+- GitHub Actions CI that runs the test suite across Ruby 2.7 through the current development build, with coverage uploaded to Qlty.
+- A rewritten, comprehensive `README.md`, an API stability notice, and a `CLAUDE.md` with notes for contributors.
+- `bin/setup` and `bin/console` scripts.
+- `homepage_uri`, `source_code_uri`, and `bug_tracker_uri` entries in the gem metadata.
+
+### Changed
+
+- Raised the minimum Ruby version to `>= 2.7.0` (was `>= 2.2.0`). Ruby 2.2 through 2.6 are end of life.
+- Bumped the `rake` development dependency to `~> 13.0` (was `~> 10.0`).
+
+### Fixed
+
+- Ruby 3.0+ compatibility in `Micro::Authorization::Model#add_policies`. It no longer relies on `Method#to_proc` auto-splatting the `[key, value]` pair, which raised an `ArgumentError` on Ruby 3.0 and later.
+
+### Removed
+
+- Travis CI configuration (`.travis.yml`), replaced by GitHub Actions.
+- `Gemfile.lock` is no longer tracked; it is regenerated per environment.
+
+## [2.3.0] - 2019-08-04
+
+### Changed
+
+- A policy's context must now be a Hash. `current_user` (and its `user` alias) reads `context[:user]` and falls back to `context[:current_user]`; passing a non-Hash context to use directly as the user is no longer supported.
+- Clearer `ArgumentError` message from `Micro::Authorization::Model#add_policies` when it is given something other than a Hash.
+
+### Removed
+
+- The deprecation warning on the permission checker's `required_features`. It is now a plain alias of `#features`.
+
+## [2.2.0] - 2019-07-30
+
+### Added
+
+- Multi-role permissions. `Micro::Authorization::Permissions.new` and `Micro::Authorization::Model.build` accept an array of roles and grant the union of their permissions, so a feature is allowed when any role allows it.
+
+### Deprecated
+
+- The permission checker's `required_features`, in favor of `required_context`. This was reverted in 2.3.0, where `#features` became the method name and `required_features` a plain alias.
+
+## [2.1.0] - 2019-07-29
+
+### Added
+
+- `:to_permit` as the context key for permission checks in `Micro::Authorization::Model.build`, with `:permissions` kept as an alias.
+- README badges and Travis CI configuration.
+
+## [2.0.0] - 2019-07-26
+
+### Added
+
+- First tagged release of the `Micro::Authorization` architecture: the `Micro::Authorization::Model.build` entry point, the data-driven `Permissions` layer (roles as hashes with `any` / `only` / `except` rules and context matching, including dot-notation segments), and the `Micro::Authorization::Policy` base class for record-level checks that denies undefined predicates by default.
+- Each class organized into its own file under `lib/micro/authorization/`, with the test suite running on Minitest.
+
+[Unreleased]: https://github.com/u-gems/u-authorization/compare/v3.0.0...HEAD
+[3.0.0]: https://github.com/u-gems/u-authorization/compare/v2.3.0...v3.0.0
+[2.3.0]: https://github.com/u-gems/u-authorization/compare/v2.2.0...v2.3.0
+[2.2.0]: https://github.com/u-gems/u-authorization/compare/v2.1.0...v2.2.0
+[2.1.0]: https://github.com/u-gems/u-authorization/compare/v2.0.0...v2.1.0
+[2.0.0]: https://github.com/u-gems/u-authorization/releases/tag/v2.0.0

data/CLAUDE.md

@@ -0,0 +1,124 @@
+# CLAUDE.md
+
+Notes for AI assistants working in `u-authorization`.
+
+## Golden rule: feature-complete, keep it running
+
+`u-authorization` is feature-complete. There are no plans to add new features. The only ongoing work is keeping the gem compatible and running on current and future Ruby versions, plus the usual bug fixes, docs, and CI upkeep.
+
+That means two things for any task here:
+
+- **Don't add features or change the public API.** The API is frozen and backward compatible. If a task as stated would require a new feature or a breaking change, stop and surface that, then propose a compatibility-only path.
+- **Major version bumps are for dependency-floor changes only** (dropping an old Ruby from the supported matrix) per SemVer. They do not signal a behavior break. Note that this gem is pure Ruby with no ActiveModel dependency, so the support matrix is Ruby-only.
+
+## How to work in this repo
+
+### 1. Think before coding
+
+**Don't assume. Don't hide confusion. Surface tradeoffs.**
+
+- State assumptions explicitly. If uncertain, ask.
+- If multiple interpretations exist, present them — don't pick silently.
+- If a simpler approach exists, say so. Push back when warranted.
+- If something is unclear, stop. Name what's confusing. Ask.
+
+### 2. Simplicity first
+
+**Minimum code that solves the problem. Nothing speculative.**
+
+- No features beyond what was asked.
+- No abstractions for single-use code.
+- No "flexibility" or "configurability" that wasn't requested.
+- No error handling for impossible scenarios.
+- If you write 200 lines and it could be 50, rewrite it.
+
+Ask yourself: "Would a senior engineer say this is overcomplicated?" If yes,
+simplify.
+
+### 3. Surgical changes
+
+**Touch only what you must. Clean up only your own mess.**
+
+- Don't "improve" adjacent code, comments, or formatting.
+- Don't refactor things that aren't broken.
+- Match existing style, even if you'd do it differently.
+- If you notice unrelated dead code, mention it — don't delete it.
+- Remove imports/variables/functions that _your_ changes orphaned. Don't
+  remove pre-existing dead code unless asked.
+
+The test: every changed line should trace directly to the user's request.
+
+### 4. Goal-driven execution
+
+**Define success criteria. Loop until verified.**
+
+Turn vague tasks into verifiable goals:
+
+- "Add validation" → "Write tests for invalid inputs, then make them pass"
+- "Fix the bug" → "Write a test that reproduces it, then make it pass"
+- "Refactor X" → "Ensure tests pass before and after"
+
+For multi-step work, state a brief plan with a verification check per step.
+
+---
+
+## What this is
+
+`u-authorization` is a small, zero-runtime-dependency Ruby library for
+authorization and role management, living under `lib/micro/authorization/`.
+Its public namespace is `Micro::Authorization`, built from three cohesive
+pieces:
+
+- **`Permissions`** (`permissions.rb` + `permissions/`) — role-based,
+  per-feature permission checks (`to?`, `to_not?`, context matching via
+  `Checker` / `ForEachFeature`).
+- **`Policy`** (`policy.rb`) — per-subject authorization policies, instantiated
+  with a context and the caller's permissions.
+- **`Model`** (`model.rb`) — the entry point that ties permissions, policies,
+  and a context together (`Model.build`, `#to` / `#policy`, `#map`).
+
+`require 'u-authorization'` (or `require 'micro/authorization'`) loads the lot.
+It is a pure-Ruby gem with **no ActiveModel/Rails dependency** — it's designed
+to drop into Rails controllers (`[controller_name, action_name]` style
+contexts) but doesn't require Rails. Because it's a published gem, behavior
+changes — especially anything affecting the public API or the supported `ruby`
+matrix — are highly visible.
+
+## Running tests
+
+```bash
+bundle exec rake test   # full suite (also the default `rake` task)
+```
+
+The suite is plain Minitest with SimpleCov coverage; there are no Appraisals
+or ActiveModel axes (the gem has no Rails dependency). `bin/setup` reinstalls
+the bundle; `bin/console` opens an IRB session with the gem loaded.
+
+To test across Ruby versions locally, use mise — `.tool-versions` lists the
+supported versions. CI (`.github/workflows/ci.yml`) runs the suite across the
+full `ruby` matrix (2.7 → head). Tests are the success criterion for any
+behavior change — write or update a test first, then make it pass (rule 4).
+
+## CHANGELOG and README are part of every change
+
+Both files are user-facing; keep them in sync with the code.
+
+- `CHANGELOG.md` follows [Keep a Changelog 1.1.0](https://keepachangelog.com/en/1.1.0/). Record every user-visible change (behavior change, bug fix, dependency-floor bump, security fix) under the appropriate section of `[Unreleased]`. Pure internal-refactor or CI-only changes generally don't need an entry.
+- `README.md` badges and the **Required Ruby version** section near the top reference the supported Ruby bounds; update them when those bounds move. If you change a documented API, update the relevant **Usage** section in the same commit.
+
+## Bumping the version
+
+1. Edit `lib/micro/authorization/version.rb` — change
+   `Micro::Authorization::VERSION`. Follow [SemVer](https://semver.org/):
+   patch for fixes, minor for additive user-visible changes, major for
+   breaking changes. For this gem a major bump means an old Ruby was dropped
+   from the supported matrix, not a behavior break.
+2. Add a new top entry in `CHANGELOG.md` (`## [X.Y.Z] - YYYY-MM-DD`), move the
+   relevant `[Unreleased]` notes under it, and add a matching compare link at
+   the bottom (`[X.Y.Z]: …/compare/vPREV...vX.Y.Z`).
+3. If the supported Ruby matrix moved, update the Ruby badge and the
+   **Required Ruby version** section in `README.md`, and double-check the
+   `required_ruby_version` in `u-authorization.gemspec` and the CI matrix in
+   `.github/workflows/ci.yml` agree.
+
+Don't tag, push, or `gem release` — humans do that.

data/CODE_OF_CONDUCT.md

@@ -0,0 +1,74 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+In the interest of fostering an open and welcoming environment, we as
+contributors and maintainers pledge to making participation in our project and
+our community a harassment-free experience for everyone, regardless of age, body
+size, disability, ethnicity, gender identity and expression, level of experience,
+nationality, personal appearance, race, religion, or sexual identity and
+orientation.
+
+## Our Standards
+
+Examples of behavior that contributes to creating a positive environment
+include:
+
+* Using welcoming and inclusive language
+* Being respectful of differing viewpoints and experiences
+* Gracefully accepting constructive criticism
+* Focusing on what is best for the community
+* Showing empathy towards other community members
+
+Examples of unacceptable behavior by participants include:
+
+* The use of sexualized language or imagery and unwelcome sexual attention or
+advances
+* Trolling, insulting/derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or electronic
+  address, without explicit permission
+* Other conduct which could reasonably be considered inappropriate in a
+  professional setting
+
+## Our Responsibilities
+
+Project maintainers are responsible for clarifying the standards of acceptable
+behavior and are expected to take appropriate and fair corrective action in
+response to any instances of unacceptable behavior.
+
+Project maintainers have the right and responsibility to remove, edit, or
+reject comments, commits, code, wiki edits, issues, and other contributions
+that are not aligned to this Code of Conduct, or to ban temporarily or
+permanently any contributor for other behaviors that they deem inappropriate,
+threatening, offensive, or harmful.
+
+## Scope
+
+This Code of Conduct applies both within project spaces and in public spaces
+when an individual is representing the project or its community. Examples of
+representing a project or community include using an official project e-mail
+address, posting via an official social media account, or acting as an appointed
+representative at an online or offline event. Representation of a project may be
+further defined and clarified by project maintainers.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported by contacting the project team at rodrigo@ysimplicity.com. All
+complaints will be reviewed and investigated and will result in a response that
+is deemed necessary and appropriate to the circumstances. The project team is
+obligated to maintain confidentiality with regard to the reporter of an incident.
+Further details of specific enforcement policies may be posted separately.
+
+Project maintainers who do not follow or enforce the Code of Conduct in good
+faith may face temporary or permanent repercussions as determined by other
+members of the project's leadership.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4,
+available at [http://contributor-covenant.org/version/1/4][version]
+
+[homepage]: http://contributor-covenant.org
+[version]: http://contributor-covenant.org/version/1/4/

data/Gemfile

@@ -1,10 +1,15 @@
 source 'https://rubygems.org'
 
+git_source(:github) { |repo_name| "https://github.com/#{repo_name}" }
+
+# Specify your gem's dependencies in u-authorization.gemspec
+gemspec
+
+gem 'rake', '~> 13.0'
+
 group :test do
   gem 'minitest', '~> 5.11', '>= 5.11.3'
   gem 'minitest-reporters', '~> 1.3', '>= 1.3.6'
-  gem 'simplecov', require: false
+  gem 'ostruct', '~> 0.6.3' if RUBY_VERSION >= '3.5'
+  gem 'simplecov', '~> 0.22.0', require: false
 end
-
-# Specify your gem's dependencies in u-authorization.gemspec
-gemspec

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2019 Rodrigo Serradura
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -1,136 +1,523 @@
-[![Gem](https://img.shields.io/gem/v/u-authorization.svg?style=flat-square)](https://rubygems.org/gems/u-authorization)
-[![Build Status](https://travis-ci.com/serradura/u-authorization.svg?branch=master)](https://travis-ci.com/serradura/u-authorization)
-[![Maintainability](https://api.codeclimate.com/v1/badges/19251112cf39afdf8bf6/maintainability)](https://codeclimate.com/github/serradura/u-authorization/maintainability)
-[![Test Coverage](https://api.codeclimate.com/v1/badges/19251112cf39afdf8bf6/test_coverage)](https://codeclimate.com/github/serradura/u-authorization/test_coverage)
+<p align="center">
+  <h1 align="center">🔐 µ-authorization</h1>
+  <p align="center"><i>Authorization and role management for Ruby, with no runtime dependencies.</i></p>
+</p>
+
+<p align="center">
+  <a href="https://rubygems.org/gems/u-authorization">
+    <img alt="Gem" src="https://img.shields.io/gem/v/u-authorization.svg?style=flat-square">
+  </a>
+  <a href="https://github.com/u-gems/u-authorization/actions/workflows/ci.yml">
+    <img alt="Build Status" src="https://github.com/u-gems/u-authorization/actions/workflows/ci.yml/badge.svg">
+  </a>
+  <br/>
+  <a href="https://qlty.sh/gh/u-gems/projects/u-authorization"><img src="https://qlty.sh/gh/u-gems/projects/u-authorization/maintainability.svg" alt="Maintainability" /></a>
+  <a href="https://qlty.sh/gh/u-gems/projects/u-authorization"><img src="https://qlty.sh/gh/u-gems/projects/u-authorization/coverage.svg" alt="Code Coverage" /></a>
+  <br/>
+  <img src="https://img.shields.io/badge/Ruby%20%3E%3D%202.7%2C%20%3C%3D%20Head-ruby.svg?colorA=444&colorB=333" alt="Ruby">
+  <img src="https://img.shields.io/badge/Rails%20%3E%3D%206.0%2C%20%3C%3D%20Edge-rails.svg?colorA=444&colorB=333" alt="Rails">
+</p>
+
+> [!IMPORTANT]
+> **Stable and feature-complete.** `u-authorization` has no new features planned. Its public API is frozen and backward compatible, and ongoing work is limited to keeping it running on current and future Ruby versions. You can depend on it without expecting breaking changes.
+>
+> A major version bump signals only that an old Ruby version was dropped from the supported matrix, which is a dependency-floor change under SemVer. Your code keeps working.
+
+`u-authorization` splits authorization into two layers that you can use together or on their own:
+
+1. **Permissions** answer "is this role allowed to use this feature, in this context?". A role is plain data (a Hash, or JSON loaded from a database), so you can change who can do what without redeploying.
+2. **Policies** answer "is this user allowed to act on this specific record?". A policy is a small Ruby class, similar to [Pundit](https://github.com/varvet/pundit), that returns `true` or `false` and defaults to denying anything it doesn't recognize.
+
+The two layers are independent, and you pick the right one for each check. Use permissions to gate a feature by role and context, which fits a controller `before_action`. Use a policy to decide access to a single record. An authorization object carries the current user, the request context, the role's permissions, and the policies for one request, so both checks are available from the same place.
+
+## Table of contents
+
+- [Table of contents](#table-of-contents)
+- [Installation](#installation)
+- [Supported versions](#supported-versions)
+- [Quick start](#quick-start)
+- [Permissions](#permissions)
+  - [Roles are plain data](#roles-are-plain-data)
+  - [Permission rules](#permission-rules)
+  - [Context matching and dot notation](#context-matching-and-dot-notation)
+  - [Checking permissions](#checking-permissions)
+  - [Multiple roles](#multiple-roles)
+- [Policies](#policies)
+  - [Defining a policy](#defining-a-policy)
+  - [The subject](#the-subject)
+  - [Reading permissions inside a policy](#reading-permissions-inside-a-policy)
+- [The authorization object](#the-authorization-object)
+  - [Building it](#building-it)
+  - [Asking about permissions](#asking-about-permissions)
+  - [Fetching policies](#fetching-policies)
+  - [Registering policies](#registering-policies)
+  - [Cloning with map](#cloning-with-map)
+- [Using it with Rails](#using-it-with-rails)
+- [Comparison with Pundit and CanCanCan](#comparison-with-pundit-and-cancancan)
+- [Development](#development)
+- [Contributing](#contributing)
+- [License](#license)
+- [Code of conduct](#code-of-conduct)
 
-# µ-authorization
+## Installation
 
-Simple authorization library and role managment for Ruby.
+Add the gem to your `Gemfile`:
 
-## Prerequisites
+```ruby
+gem 'u-authorization'
+```
 
-> Ruby >= 2.2.0
+Then run `bundle install`. Or install it directly:
 
-## Installation
+```bash
+gem install u-authorization
+```
+
+Require it (or let Bundler do it for you):
 
-Add this line to your application's Gemfile:
+```ruby
+require 'u-authorization'
 ```
-gem 'u-authorization'
+
+## Supported versions
+
+The gem requires Ruby `>= 2.7` and is tested on CI against Ruby 2.7 through the current development build. It has no runtime dependencies and works inside any Rails `>= 6.0` application, but it does not depend on Rails or ActiveModel, so you can use it in plain Ruby, Hanami, Sinatra, or a script.
+
+## Quick start
+
+Here is a full example using `OpenStruct` to stand in for a user and a database record. It defines a role, a policy, builds an authorization object, and asks it questions.
+
+```ruby
+require 'ostruct'
+require 'u-authorization'
+
+# 1. Roles are data. Map each feature to a rule.
+module Permissions
+  ADMIN = {
+    'visit'  => { 'any' => true },
+    'export' => { 'any' => true }
+  }
+
+  USER = {
+    'visit'  => { 'except' => ['billings'] },
+    'export' => { 'except' => ['sales'] }
+  }
+
+  ALL = { 'admin' => ADMIN, 'user' => USER }
+
+  def self.to(role)
+    ALL.fetch(role, USER)
+  end
+end
+
+# 2. Policies are classes. Predicate methods return true or false.
+class SalesPolicy < Micro::Authorization::Policy
+  def edit?(record)
+    user.id == record.user_id
+  end
+end
+
+user = OpenStruct.new(id: 1, role: 'user')
+
+# 3. Build the authorization object for this request.
+authorization = Micro::Authorization::Model.build(
+  permissions: Permissions.to(user.role),
+  policies: { default: :sales, sales: SalesPolicy },
+  context: {
+    user: user,
+    to_permit: ['dashboard', 'controllers', 'sales', 'index']
+  }
+)
+
+# 4a. Ask about feature permissions for the current context.
+authorization.permissions.to?('visit')  # => true
+authorization.permissions.to?('export') # => false
+
+# 4b. Ask the same feature about a different context.
+can_export = authorization.permissions.to('export')
+can_export.context?('billings') # => true
+can_export.context?('sales')    # => false
+
+# 4c. Ask a policy about a record.
+charge = OpenStruct.new(id: 2, user_id: user.id)
+
+authorization.to(:sales).edit?(charge) # => true
+authorization.policy.edit?(charge)     # => true (uses the default policy)
+```
+
+## Permissions
+
+A permission check answers one question: given a role and the context the request is happening in, is a feature allowed?
+
+### Roles are plain data
+
+A role is a Hash whose keys are feature names and whose values are rules:
+
+```ruby
+role = {
+  'visit'  => { 'only'   => ['users'] },
+  'export' => { 'only'   => ['users.reports'] },
+  'manage' => { 'any'    => false }
+}
+```
+
+Because a role is plain data, it serializes cleanly. You can store roles as JSON in a database, edit them through an admin screen, and load them at runtime without touching code:
+
+```ruby
+require 'json'
+
+roles = JSON.parse(current_account.roles_json)
+permissions = Micro::Authorization::Permissions.new(roles['user'], context: [])
+```
+
+### Permission rules
+
+Each feature maps to one of these rules:
+
+| Rule                    | Meaning                                        |
+| ----------------------- | ---------------------------------------------- |
+| `true`                  | Allowed in every context.                      |
+| `false`                 | Denied in every context.                       |
+| missing key or `nil`    | Denied.                                        |
+| `{ 'any' => true }`     | Allowed in every context.                      |
+| `{ 'any' => false }`    | Denied in every context.                       |
+| `{ 'only' => [...] }`   | Allowed only in the listed contexts.           |
+| `{ 'except' => [...] }` | Allowed everywhere except the listed contexts. |
+
+`{ 'any' => nil }` and any unrecognized key (for example `{ 'sometimes' => [...] }`) raise `NotImplementedError`, so a malformed role fails loudly instead of silently granting or denying access.
+
+### Context matching and dot notation
+
+The context is an array of strings that describes where the request is happening. In a Rails controller that is usually `[controller_name, action_name]`, but it can be any list of identifiers. Matching is case insensitive; both the context and the rule values are downcased before comparison.
+
+A single string in `only` or `except` matches when the context includes it:
+
+```ruby
+role = { 'visit' => { 'only' => ['users'] } }
+permissions = Micro::Authorization::Permissions.new(role, context: [])
+
+permissions.to('visit').context?(['users'])  # => true
+permissions.to('visit').context?(['sales'])  # => false
 ```
 
-And then execute:
+A string with dots, such as `'users.reports'`, splits on the dot and requires every segment to be present in the context. Entries in the array are still combined with OR, so the rule means "users and reports, or any other listed entry":
+
+```ruby
+role = { 'export' => { 'only' => ['users.reports'] } }
+permissions = Micro::Authorization::Permissions.new(role, context: [])
+
+permissions.to('export').context?(['users', 'reports']) # => true
+permissions.to('export').context?(['users'])            # => false
 ```
-$ bundle
+
+### Checking permissions
+
+`Micro::Authorization::Permissions.new(role, context:)` returns a permissions model bound to a context. From there you have two ways to ask questions.
+
+Use `to?` and `to_not?` to check a feature against the context the model was built with. Pass a single feature or an array, in which case every feature must be allowed:
+
+```ruby
+role = { 'visit' => true, 'comment' => false }
+permissions = Micro::Authorization::Permissions.new(role, context: ['sales', 'index'])
+
+permissions.to?('visit')                # => true
+permissions.to?('comment')              # => false
+permissions.to?(['visit', 'comment'])   # => false (comment is denied)
+permissions.to_not?('comment')          # => true
 ```
 
-Or install it yourself as:
+Use `to(feature)` to get a checker you can test against any context with `context?`, regardless of the model's own context:
+
+```ruby
+role = {
+  'visit'   => { 'any' => true },
+  'comment' => { 'except' => ['sales'] }
+}
+permissions = Micro::Authorization::Permissions.new(role, context: ['sales', 'index'])
+
+can_comment = permissions.to('comment')
+can_comment.context?('invoices') # => true
+can_comment.context?('sales')    # => false
+
+can_comment.features # => ['comment'] (the features this checker verifies)
+```
+
+The model caches each `to?` result per feature, so repeated checks in the same request are cheap.
+
+### Multiple roles
+
+Pass an array of roles to grant a user the union of their permissions. A feature is allowed when at least one role allows it:
+
+```ruby
+analytics = { 'export' => { 'only' => ['reports'] } }
+support   = { 'export' => { 'only' => ['users.reports'] } }
+
+permissions = Micro::Authorization::Permissions.new([analytics, support], context: [])
+
+permissions.to('export').context?(['sales', 'reports']) # => true (granted by analytics)
+permissions.to('export').context?(['users', 'reports']) # => true (granted by support)
+```
+
+## Policies
+
+Permissions decide what a role can do in a place. Policies decide what a user can do to a record. A policy is a class with predicate methods, in the style of Pundit.
+
+### Defining a policy
+
+Subclass `Micro::Authorization::Policy` and define methods that end in `?`. Inside a policy you can read `user` (an alias of `current_user`), `subject`, `context`, and `permissions`:
+
+```ruby
+class CommentPolicy < Micro::Authorization::Policy
+  def edit?(comment)
+    user.id == comment.author_id
+  end
+end
+
+policy = CommentPolicy.new({ user: current_user })
+policy.edit?(comment) # => true or false
+```
+
+Any predicate method you have not defined returns `false`. Deny by default is the standard behavior, so a feature you forget to handle stays forbidden.
+
+```ruby
+policy = Micro::Authorization::Policy.new({})
+
+policy.index?         # => false
+policy.show?(record)  # => false
 ```
-$ gem install u-authorization
+
+Calling a method that does not end in `?` raises `NoMethodError`, so typos in real method names still surface.
+
+Inside a policy, `current_user` reads `context[:user]` first, then falls back to `context[:current_user]`.
+
+### The subject
+
+A policy can receive the record it is about in two ways. You can pass it as the second argument when constructing the policy, and read it through `subject`:
+
+```ruby
+class RecordPolicy < Micro::Authorization::Policy
+  def show?
+    user.id == subject.user_id
+  end
+end
+
+RecordPolicy.new({ user: current_user }, record).show?
 ```
 
-## Usage
+Or you can pass it as an argument to the predicate method, which is handy when one policy instance answers questions about several records:
 
 ```ruby
-  require 'ostruct'
-  require 'u-authorization'
+class RecordPolicy < Micro::Authorization::Policy
+  def show?(record)
+    user.id == record.user_id
+  end
+end
 
-  module Permissions
-    ADMIN = {
-      'visit'  => { 'any' => true },
-      'export' => { 'any' => true }
-    }
+policy = RecordPolicy.new({ user: current_user })
+policy.show?(record_a) # => true
+policy.show?(record_b) # => false
+```
 
-    USER = {
-      'visit'  => { 'except' => ['billings'] },
-      'export' => { 'except' => ['sales'] }
-    }
+### Reading permissions inside a policy
 
-    ALL = {
-      'admin' => ADMIN,
-      'user'  => USER
-    }
+A policy can combine record-level checks with feature permissions. When the authorization object builds a policy it passes the permissions in, so `permissions` is available inside:
 
-    def self.to(role)
-      ALL.fetch(role, 'user')
-    end
+```ruby
+class ReportPolicy < Micro::Authorization::Policy
+  def show?(report)
+    permissions.to?('visit') && current_user.id == report.owner_id
   end
+end
+```
+
+## The authorization object
+
+`Micro::Authorization::Model` ties a user, a context, a role's permissions, and a set of policies into a single object for the current request.
+
+### Building it
+
+Use `Model.build` with three keyword arguments. `policies` is optional:
+
+```ruby
+authorization = Micro::Authorization::Model.build(
+  permissions: Permissions.to(user.role),
+  policies: { default: SalesPolicy, sales: SalesPolicy },
+  context: {
+    user: user,
+    to_permit: ['sales', 'index']
+  }
+)
+```
+
+The `context` Hash is read like this:
+
+- `:to_permit` (or its alias `:permissions`) is the context used for permission checks. One of them is required if you want to check permissions.
+- `:user` is the current user. It becomes `user` / `current_user` inside policies.
+- Every other key stays in the context and is handed to policies, so a policy can read anything else you put there.
+
+### Asking about permissions
+
+`authorization.permissions` returns the permissions model described above, so the full `to?`, `to_not?`, and `to(...).context?` interface is available:
+
+```ruby
+authorization.permissions.to?('visit')           # => true
+authorization.permissions.to('export').context?('sales') # => false
+```
+
+### Fetching policies
+
+`to(key, subject: nil)` looks up a registered policy by name, builds it with the current context and permissions, and returns the instance:
+
+```ruby
+authorization.to(:sales).edit?(charge)
+```
+
+`policy(key = :default, subject: nil)` does the same but defaults to the `:default` policy, which reads well when you have one main policy per request:
+
+```ruby
+authorization.policy.edit?(charge)         # uses :default
+authorization.policy(:sales).edit?(charge) # same as to(:sales)
+```
+
+If you ask for a key that was never registered, you get the base `Micro::Authorization::Policy`, which denies every predicate. Unknown features are forbidden rather than raising.
+
+Policy instances are cached per key, so calling `to(:sales)` repeatedly returns the same object within a request. Passing a `subject:` builds a fresh instance bound to that subject:
 
-  user = OpenStruct.new(id: 1, role: 'user')
+```ruby
+authorization.to(:report, subject: report).show?
+```
+
+### Registering policies
+
+You can register policies when building the object through the `policies:` keyword, or afterward with `add_policy` and `add_policies`:
+
+```ruby
+authorization.add_policy(:sales, SalesPolicy)
+authorization.add_policies(sales: SalesPolicy, report: ReportPolicy)
+```
+
+`add_policies` expects a Hash and raises `ArgumentError` otherwise.
+
+The `:default` key is special. It can hold a policy class, or a Symbol that points at another registered policy, so you can name one of your policies as the default:
+
+```ruby
+Micro::Authorization::Model.build(
+  permissions: role,
+  policies: { default: :sales, sales: SalesPolicy },
+  context: { user: user }
+)
+```
+
+### Cloning with map
+
+`map` returns a new authorization object, replacing the context, the policies, or both. Whatever you leave out is carried over from the original, and the original is left untouched, which helps when one request needs to check several contexts:
+
+```ruby
+on_releases = authorization.map(context: ['dashboard', 'releases', 'index'])
+
+on_releases.permissions.to?('visit') # checked against the new context
+authorization.equal?(on_releases)    # => false
+
+with_admin_policy = authorization.map(policies: { default: AdminPolicy })
+```
+
+Calling `map` without `context:` or `policies:` raises `ArgumentError`, since there would be nothing to change.
 
-  class SalesPolicy < Micro::Authorization::Policy
-    def edit?(record)
-      user.id == record.user_id
-    end
+## Using it with Rails
+
+The context maps naturally onto a Rails controller. Using `controller_path.split('/') + [action_name]` keeps namespaced controllers distinct, so `Admin::UsersController#index` becomes `['admin', 'users', 'index']`. A common setup builds the authorization object once per request and exposes a helper:
+
+```ruby
+class ApplicationController < ActionController::Base
+  before_action :authenticate_user!
+
+  private
+
+  def authorization
+    @authorization ||= Micro::Authorization::Model.build(
+      permissions: current_user.role_permissions, # a Hash, maybe loaded from the DB
+      policies: { default: :record, record: RecordPolicy },
+      context: {
+        user: current_user,
+        to_permit: controller_path.split('/') + [action_name]
+      }
+    )
   end
 
-  authorization = Micro::Authorization::Model.build(
-    permissions: Permissions.to(user.role),
-    policies: { default: :sales, sales: SalesPolicy },
-    context: {
-      user: user,
-      to_permit: ['dashboard', 'controllers', 'sales', 'index']
-    }
-  )
+  def authorize_visit!
+    redirect_to root_path unless authorization.permissions.to?('visit')
+  end
+end
+```
 
-  # Info about the `context` data:
-  #   1. :to_permit is a required key
-  #     1.1. :permissions is an alternative of :to_permit key.
-  #   2. :user is an optional key
-  #   3. Any key different of :permissions, will be passed as a policy context.
+```ruby
+class ReportsController < ApplicationController
+  before_action :authorize_visit!
 
-  # Verifying the permissions for the given context
-  authorization.permissions.to?('visit')  #=> true
-  authorization.permissions.to?('export') #=> false
+  def show
+    @report = Report.find(params[:id])
+    redirect_to reports_path unless authorization.policy.show?(@report)
+  end
+end
+```
 
-  # Verifying permission for a given feature in different contexts
-  has_permission_to = authorization.permissions.to('export')
-  has_permission_to.context?('billings') #=> true
-  has_permission_to.context?('sales')    #=> false
+Because roles are data, `current_user.role_permissions` can come straight from a column or an associated table, which lets non-developers manage roles through your own admin tools.
 
-  charge = OpenStruct.new(id: 2, user_id: user.id)
+## Comparison with Pundit and CanCanCan
 
-  # The #to() method fetch and build a policy.
-  authorization.to(:sales).edit?(charge)   #=> true
+All three gems solve authorization, with different shapes.
 
-  # :default is the only permitted key to receive
-  # another symbol as a value (a policy reference).
-  authorization.to(:default).edit?(charge) #=> true
+- [Pundit](https://github.com/varvet/pundit) is built around policy classes, one per resource. `u-authorization` has the same idea in its `Policy` layer, and adds a separate permissions layer for role and context checks. Pundit leaves roles to you.
+- [CanCanCan](https://github.com/CanCanCommunity/cancancan) centralizes rules in one `Ability` class written in Ruby. `u-authorization` keeps role rules as data instead of code, so they can be stored and edited outside the codebase, and keeps record-level logic in policy classes.
 
-  # #policy() method has a similar behavior of #to(),
-  # but if there is a policy defined as ":default", it will be fetched and instantiated by default.
-  authorization.policy.edit?(charge)         #=> true
-  authorization.policy(:sales).edit?(charge) #=> true
+Reasons you might reach for `u-authorization`:
 
-  # Cloning the authorization changing only its context.
-  new_authorization = authorization.map(context: [
-    'dashboard', 'controllers', 'billings', 'index'
-  ])
+- You want roles defined as data (Hash or JSON) so they can live in a database and change without a deploy.
+- You want permission checks that are aware of the controller and action, not only the model.
+- You want a small library with no runtime dependencies.
+- You want role and context checks and record-level checks to stay separate instead of merging into one concept.
 
-  new_authorization.permissions.to?('visit') #=> false
+If you only need record-level policies, Pundit is a fine and popular choice. If you prefer one central Ruby file of abilities, CanCanCan fits well.
 
-  authorization.equal?(new_authorization) #=> false
+## Development
 
-  #========================#
-  # Multi role permissions #
-  #========================#
+After cloning the repository, install dependencies and set up the project:
 
-  authorization = Micro::Authorization::Model.build(
-    permissions: [Permissions::USER, Permissions::ADMIN], # An array of permissions
-    policies: { default: :sales, sales: SalesPolicy },
-    context: {
-      user: user,
-      to_permit: ['dashboard', 'controllers', 'sales', 'index']
-    }
-  )
+```bash
+bin/setup
+```
 
-  authorization.permissions.to?('visit')  #=> true
-  authorization.permissions.to?('export') #=> true
+Run the test suite, which is the default Rake task:
 
-  has_permission_to = authorization.permissions.to('export')
-  has_permission_to.context?('billings') #=> true
-  has_permission_to.context?('sales')    #=> true
+```bash
+bundle exec rake test
+# or simply
+bundle exec rake
 ```
 
-## Original implementation
+Open a console with the gem loaded to experiment:
+
+```bash
+bin/console
+```
+
+To run the suite across Ruby versions locally, use [mise](https://mise.jdx.dev). The `.tool-versions` file pins the project's default Ruby; add the versions you want to cover and run the suite under each. CI runs the full matrix, from Ruby 2.7 through the current development build, defined in `.github/workflows/ci.yml`.
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/u-gems/u-authorization. Please add or update tests for any behavior you change; the test suite is the contract for the public API.
+
+1. Fork the repository.
+2. Create your feature branch (`git checkout -b my-new-feature`).
+3. Add tests and make them pass with `bundle exec rake test`.
+4. Commit your changes and open a pull request.
+
+Everyone interacting in the project's codebases and issue trackers is expected to follow the [code of conduct](CODE_OF_CONDUCT.md).
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](LICENSE.txt).
+
+## Code of conduct
 
-https://gist.github.com/serradura/7d51b979b90609d8601d0f416a9aa373
+Everyone interacting in the µ-authorization project is expected to follow the [code of conduct](CODE_OF_CONDUCT.md).

data/bin/console

@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+
+require "bundler/setup"
+require "u-authorization"
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require "irb"
+IRB.start(__FILE__)

data/bin/setup

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+rm -f Gemfile.lock
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/lib/micro/authorization/model.rb

@@ -53,7 +53,7 @@ module Micro
           raise ArgumentError, "policies must be a Hash. e.g: `{policy_name: #{Policy.name}}`"
         end
 
-        new_policies.each(&method(:add_policy))
+        new_policies.each { |key, policy_klass| add_policy(key, policy_klass) }
 
         self
       end

data/lib/micro/authorization/version.rb

@@ -2,6 +2,6 @@
 
 module Micro
   module Authorization
-    VERSION = '2.3.0'.freeze
+    VERSION = '3.0.0'.freeze
   end
 end

data/u-authorization.gemspec

@@ -10,8 +10,14 @@ Gem::Specification.new do |spec|
 
   spec.summary      = 'Authorization library and role managment'
   spec.description  = 'Simple authorization library and role managment for Ruby.'
-  spec.homepage     = 'https://github.com/serradura/u-authorization'
+  spec.homepage     = 'https://github.com/u-gems/u-authorization'
   spec.license      = 'MIT'
+  spec.required_ruby_version = Gem::Requirement.new('>= 2.7.0')
+
+  spec.metadata['homepage_uri'] = spec.homepage
+  spec.metadata['source_code_uri'] = 'https://github.com/u-gems/u-authorization'
+  spec.metadata['changelog_uri'] = "#{spec.homepage}/blob/main/CHANGELOG.md"
+  spec.metadata['bug_tracker_uri'] = "#{spec.homepage}/issues"
 
   # Specify which files should be added to the gem when it is released.
   # The `git ls-files -z` loads the files in the RubyGem that have been added into git.
@@ -22,6 +28,6 @@ Gem::Specification.new do |spec|
   spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
   spec.require_paths = ['lib']
 
-  spec.required_ruby_version = '>= 2.2.0'
-  spec.add_development_dependency 'rake', '~> 10.0'
+  spec.add_development_dependency 'bundler'
+  spec.add_development_dependency 'rake', '~> 13.0'
 end

metadata

@@ -1,29 +1,42 @@
 --- !ruby/object:Gem::Specification
 name: u-authorization
 version: !ruby/object:Gem::Version
-  version: 2.3.0
+  version: 3.0.0
 platform: ruby
 authors:
 - Rodrigo Serradura
-autorequire: 
 bindir: exe
 cert_chain: []
-date: 2019-08-04 00:00:00.000000000 Z
+date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: '13.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: '13.0'
 description: Simple authorization library and role managment for Ruby.
 email:
 - rodrigo.serradura@gmail.com
@@ -31,12 +44,17 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- ".github/workflows/ci.yml"
 - ".gitignore"
-- ".travis.yml"
+- CHANGELOG.md
+- CLAUDE.md
+- CODE_OF_CONDUCT.md
 - Gemfile
-- Gemfile.lock
+- LICENSE.txt
 - README.md
 - Rakefile
+- bin/console
+- bin/setup
 - lib/micro/authorization.rb
 - lib/micro/authorization/model.rb
 - lib/micro/authorization/permissions.rb
@@ -48,11 +66,14 @@ files:
 - lib/micro/authorization/version.rb
 - lib/u-authorization.rb
 - u-authorization.gemspec
-homepage: https://github.com/serradura/u-authorization
+homepage: https://github.com/u-gems/u-authorization
 licenses:
 - MIT
-metadata: {}
-post_install_message: 
+metadata:
+  homepage_uri: https://github.com/u-gems/u-authorization
+  source_code_uri: https://github.com/u-gems/u-authorization
+  changelog_uri: https://github.com/u-gems/u-authorization/blob/main/CHANGELOG.md
+  bug_tracker_uri: https://github.com/u-gems/u-authorization/issues
 rdoc_options: []
 require_paths:
 - lib
@@ -60,15 +81,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 2.2.0
+      version: 2.7.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3
-signing_key: 
+rubygems_version: 4.0.12
 specification_version: 4
 summary: Authorization library and role managment
 test_files: []

data/.travis.yml

@@ -1,28 +0,0 @@
-language: ruby
-
-sudo: false
-
-rvm:
-- 2.2.0
-- 2.3.0
-- 2.4.0
-- 2.5.0
-- 2.6.0
-
-cache: bundler
-
-before_install:
-  - gem uninstall -v '>= 2' -i $(rvm gemdir)@global -ax bundler || true
-  - gem install bundler -v '< 2'
-
-install: bundle install --jobs=3 --retry=3
-
-before_script:
-  - curl -L https://codeclimate.com/downloads/test-reporter/test-reporter-latest-linux-amd64 > ./cc-test-reporter
-  - chmod +x ./cc-test-reporter
-  - "./cc-test-reporter before-build"
-
-script: "rake"
-
-after_success:
-  - "./cc-test-reporter after-build -t simplecov"

data/Gemfile.lock

@@ -1,38 +0,0 @@
-PATH
-  remote: .
-  specs:
-    u-authorization (2.3.0)
-
-GEM
-  remote: https://rubygems.org/
-  specs:
-    ansi (1.5.0)
-    builder (3.2.3)
-    docile (1.3.2)
-    json (2.2.0)
-    minitest (5.11.3)
-    minitest-reporters (1.3.6)
-      ansi
-      builder
-      minitest (>= 5.0)
-      ruby-progressbar
-    rake (10.5.0)
-    ruby-progressbar (1.10.1)
-    simplecov (0.17.0)
-      docile (~> 1.1)
-      json (>= 1.8, < 3)
-      simplecov-html (~> 0.10.0)
-    simplecov-html (0.10.2)
-
-PLATFORMS
-  ruby
-
-DEPENDENCIES
-  minitest (~> 5.11, >= 5.11.3)
-  minitest-reporters (~> 1.3, >= 1.3.6)
-  rake (~> 10.0)
-  simplecov
-  u-authorization!
-
-BUNDLED WITH
-   1.17.2