Merge branch 'main' into mobile-app/scoped-stylesheets

* main: (26 commits)
  Update fizzy-saas
  Update to fizzy-saas to remove jobs from beta
  Claude can fetch the .mcp.json file that shipyard places in your home
  Update fizzy-saas
  This was moved to the engine
  Introduce an "owner" role, and prevent it from being administered
  Make sure the sqlite db is prepared in SAAS mode
  Update fizzy-saas gem
  Move env-specific config bits to the saas gem
  Migrate sqlite schema
  Use main branch of fizzy-saas
  Change copy
  Make sign up Magic Links work across devices
  Remove unused view
  Update signup with the design from signin
  Revert "Update to latest version with the env config bits moved"
  Update to latest version with the env config bits moved
  Organize everything under Signups
  Create signups controller
  update pipelines
  ...

Author: adjogima

.github/workflows/ci-oss.yml

@@ -2,10 +2,11 @@ name: CI (OSS)
 
 on:
   pull_request:
-  if: github.event.pull_request.head.repo.full_name != github.repository
+    types: [opened, synchronize]
 
 jobs:
   test:
+    if: github.event.pull_request.head.repo.full_name != github.repository
     uses: ./.github/workflows/test.yml
     with:
       saas: false

.mcp.json

@@ -68,7 +68,7 @@ Fizzy uses **URL path-based multi-tenancy**:
 
 **Passwordless magic link authentication**:
 - Global `Identity` (email-based) can have `Users` in multiple Accounts
-- Users belong to an Account and have roles: admin, member, system
+- Users belong to an Account and have roles: owner, admin, member, system
 - Sessions managed via signed cookies
 - Board-level access control via `Access` records
 
@@ -84,7 +84,7 @@ Fizzy uses **URL path-based multi-tenancy**:
 
 **User** → Account membership
 - Belongs to Account and Identity
-- Has role (admin/member/system)
+- Has role (owner/admin/member/system)
 - Board access via explicit `Access` records
 
 **Board** → Primary organizational unit

AGENTS.md

@@ -1,6 +1,6 @@
 GIT
   remote: https://github.com/basecamp/fizzy-saas
-  revision: 7f392bbbf9f5170d334b6ee2f6d240569bd157ed
+  revision: 130c8b23f9861a89feb59ca68f192bd05d51310c
   specs:
     fizzy-saas (0.1.0)
       prometheus-client-mmap
@@ -16,7 +16,7 @@ GIT
       yabeda-http_requests
       yabeda-prometheus-mmap
       yabeda-puma-plugin
-      yabeda-rails
+      yabeda-rails (>= 0.10)
 
 GIT
   remote: https://github.com/basecamp/queenbee-plugin
@@ -52,7 +52,7 @@ GIT
 
 GIT
   remote: https://github.com/rails/rails.git
-  revision: 4f7ab01bb5d6be78c7447dbb230c55027d08ae34
+  revision: 690ec8898318b8f50714e86676353ebe1551261e
   branch: main
   specs:
     actioncable (8.2.0.alpha)
@@ -423,7 +423,7 @@ GEM
     rake-compiler-dock (1.9.1)
     rb_sys (0.9.117)
       rake-compiler-dock (= 1.9.1)
-    rdoc (6.15.1)
+    rdoc (6.16.1)
       erb
       psych (>= 4.0.0)
       tsort
@@ -479,10 +479,10 @@ GEM
       rexml (~> 3.2, >= 3.2.5)
       rubyzip (>= 1.2.2, < 4.0)
       websocket (~> 1.0)
-    sentry-rails (6.1.1)
+    sentry-rails (6.2.0)
       railties (>= 5.2.0)
-      sentry-ruby (~> 6.1.1)
-    sentry-ruby (6.1.1)
+      sentry-ruby (~> 6.2.0)
+    sentry-ruby (6.2.0)
       bigdecimal
       concurrent-ruby (~> 1.0, >= 1.0.2)
     sniffer (0.5.0)

Gemfile.saas.lock

@@ -55,7 +55,7 @@ Under the hood, this will create or remove `tmp/email-dev.txt`.
 
 ## Deployment
 
-We recommend [Kamal](https://kamal-deploy.org/) for deploying Fizzy. This project comes with a vanilla Rails template, you can find our production setup in [`fizzy-saas`](https://github.com/basecamp/fizzy-saas).
+We recommend [Kamal](https://kamal-deploy.org/) for deploying Fizzy. This project comes with a vanilla Rails template. You can find our production setup in [`fizzy-saas`](https://github.com/basecamp/fizzy-saas).
 
 ### Web Push Notifications
 

README.md

@@ -9,9 +9,9 @@ def show
   end
 
   def create
-    if identity = MagicLink.consume(code)
-      start_new_session_for identity
-      redirect_to after_authentication_url
+    if magic_link = MagicLink.consume(code)
+      start_new_session_for magic_link.identity
+      redirect_to after_sign_in_url(magic_link)
     else
       redirect_to session_magic_link_path, alert: "Try another code."
     end
@@ -21,4 +21,12 @@ def create
     def code
       params.expect(:code)
     end
+
+    def after_sign_in_url(magic_link)
+      if magic_link.for_sign_up?
+        new_signup_completion_path
+      else
+        after_authentication_url
+      end
+    end
 end

app/assets/images/system_user.png

@@ -1,13 +1,4 @@
 class SessionsController < ApplicationController
-  # FIXME: Remove this before launch!
-  unless Rails.env.local?
-    http_basic_authenticate_with \
-      name: Rails.application.credentials.account_signup_http_basic_auth.name,
-      password: Rails.application.credentials.account_signup_http_basic_auth.password,
-      realm: "Fizzy Signup",
-      only: :create, unless: -> { Identity.exists?(email_address: email_address) }
-  end
-
   disallow_account_scope
   require_unauthenticated_access except: :destroy
   rate_limit to: 10, within: 3.minutes, only: :create, with: -> { redirect_to new_session_path, alert: "Try again later." }
@@ -19,10 +10,11 @@ def new
 
   def create
     if identity = Identity.find_by_email_address(email_address)
-      handle_existing_user(identity)
-    elsif
-      handle_new_signup
+      magic_link = identity.send_magic_link
+      flash[:magic_link_code] = magic_link&.code if Rails.env.development?
     end
+
+    redirect_to session_magic_link_path
   end
 
   def destroy
@@ -34,16 +26,4 @@ def destroy
     def email_address
       params.expect(:email_address)
     end
-
-    def handle_existing_user(identity)
-      magic_link = identity.send_magic_link
-      flash[:magic_link_code] = magic_link&.code if Rails.env.development?
-      redirect_to session_magic_link_path
-    end
-
-    def handle_new_signup
-      Signup.new(email_address: email_address).create_identity
-      session[:return_to_after_authenticating] = new_signup_completion_path
-      redirect_to session_magic_link_path
-    end
 end

app/controllers/sessions/magic_links_controller.rb

@@ -1,4 +1,4 @@
-class Signup::CompletionsController < ApplicationController
+class Signups::CompletionsController < ApplicationController
   layout "public"
 
   disallow_account_scope

app/controllers/sessions_controller.rb

@@ -0,0 +1,34 @@
+class SignupsController < ApplicationController
+  # FIXME: Remove this before launch!
+  unless Rails.env.local?
+    http_basic_authenticate_with \
+      name: Rails.application.credentials.account_signup_http_basic_auth.name,
+      password: Rails.application.credentials.account_signup_http_basic_auth.password,
+      realm: "Fizzy Signup"
+  end
+
+  disallow_account_scope
+  allow_unauthenticated_access
+  rate_limit to: 10, within: 3.minutes, only: :create, with: -> { redirect_to new_signup_path, alert: "Try again later." }
+  before_action :redirect_authenticated_user
+
+  layout "public"
+
+  def new
+    @signup = Signup.new
+  end
+
+  def create
+    Signup.new(signup_params).create_identity
+    redirect_to session_magic_link_path
+  end
+
+  private
+    def redirect_authenticated_user
+      redirect_to new_signup_completion_path if authenticated?
+    end
+
+    def signup_params
+      params.expect signup: :email_address
+    end
+end