better-together-org
diff --git a/‎.github/copilot-instructions.md‎
Lines changed: 30 additions & 0 deletions b/‎.github/copilot-instructions.md‎
Lines changed: 30 additions & 0 deletions
diff --git a/‎.github/workflows/rubyonrails.yml‎
Lines changed: 7 additions & 10 deletions b/‎.github/workflows/rubyonrails.yml‎
Lines changed: 7 additions & 10 deletions
diff --git a/‎AGENTS.md‎
Lines changed: 31 additions & 1 deletion b/‎AGENTS.md‎
Lines changed: 31 additions & 1 deletion
diff --git a/‎Gemfile‎
Lines changed: 1 addition & 1 deletion b/‎Gemfile‎
Lines changed: 1 addition & 1 deletion
@@ -116,6 +116,7 @@ This repository contains the **Better Together Community Engine** (an isolated R
   - **Use allow-lists for dynamic class resolution**: Follow the `joatu_source_class` pattern with concern-based allow-lists
   - **Validate user inputs**: Always sanitize and validate parameters, especially for file uploads and dynamic queries
   - **Strong parameters**: Use Rails strong parameters in all controllers
+  - **Model-level permitted attributes**: Prefer defining a class method `self.permitted_attributes` on models that returns the permitted attribute array (including nested attributes). Controllers and shared resource code should call `Model.permitted_attributes` rather than hard-coding permit lists. Compose nested permitted attributes by referencing other models' `permitted_attributes` (for example: `Conversation.permitted_attributes` may include `{ messages_attributes: Message.permitted_attributes }`).
   - **Authorization everywhere**: Implement Pundit policy checks on all actions
   - **SQL injection prevention**: Use parameterized queries, avoid string interpolation in SQL
   - **XSS prevention**: Use Rails auto-escaping, sanitize HTML inputs with allowlists
@@ -205,6 +206,35 @@ This repository contains the **Better Together Community Engine** (an isolated R
   - **Rails-Controller-Testing**: Add `gem 'rails-controller-testing'` to Gemfile for `assigns` method in controller tests.
   - Toggle requires_invitation and provide invitation_code when needed for registration tests.
 
+### Automatic test configuration & auth helper patterns
+
+This repository provides an automatic test-configuration layer (see `spec/support/automatic_test_configuration.rb`) that sets up the host `Platform` and, where appropriate, performs authentication for request, controller, and feature specs so most specs do NOT need to call `configure_host_platform` manually.
+
+- Automatic setup applies to specs with `type: :request`, `type: :controller`, and `type: :feature` by default.
+- Use these example metadata tags to control authentication explicitly:
+  - `:as_platform_manager` or `:platform_manager` — login as the platform manager (elevated privileges)
+  - `:as_user`, `:authenticated`, or `:user` — login as a regular user
+  - `:no_auth` or `:unauthenticated` — ensure no authentication is performed for the example
+  - `:skip_host_setup` — skip host platform creation/configuration for this example
+
+How it works:
+- The test helper inspects example metadata and description text (describe/context). If the description contains keywords such as "platform manager", "admin", "authenticated", or "signed in", it will automatically set appropriate tags and perform the corresponding authentication.
+- The helper creates a host `Platform` if one does not exist and marks the default setup wizard as completed.
+- For request specs it uses HTTP login helpers (`login(email, password)`); for controller specs it uses Devise test helpers (`sign_in`); for feature specs it uses Capybara UI login flows.
+
+Recommended usage:
+- Prefer using metadata tags (`:as_platform_manager`, `:as_user`, `:skip_host_setup`) in the `describe` or `context` header when a test needs a specific authentication state. Example:
+
+```ruby
+RSpec.describe 'Creating a conversation', type: :request, :as_user do
+  # host platform and user login are automatically configured
+end
+```
+
+- Avoid calling `configure_host_platform` manually in most specs; reserve manual calls for special cases (use `:skip_host_setup` to opt out of automatic config).
+
+Note: The helper set lives under `spec/support/automatic_test_configuration.rb` and provides helpers like `configure_host_platform`, `find_or_create_test_user`, and `capybara_login_as_platform_manager` to use directly if needed by unusual tests.
+
 ### Testing Architecture Standards
 - **Project Standard**: Use request specs (`type: :request`) for all controller testing to maintain consistency
 - **Request Specs Advantages**: Handle Rails engine routing automatically through full HTTP stack
 
@@ -11,11 +11,8 @@ jobs:
       matrix:
         include:
           - ruby: '3.4.4'
-            rails: '7.1.5.2'
+            rails: '7.2.2.2'
             allowed_failure: false   # ✅ required
-          - ruby: '3.4.4'
-            rails: '7.2.2.1'
-            allowed_failure: false   # ⚠️ allowed to fail
           - ruby: '3.4.4'
             rails: '8.0.2'
             allowed_failure: true    # ⚠️ allowed to fail
@@ -52,18 +49,18 @@ jobs:
         with:
           ruby-version: ${{ matrix.ruby }}
 
-          # Run the automatic bundle-install only on 7.1.
+          # Run the automatic bundle-install only on 7.2.
           # For 7.2 / 8.0 it just sets up Ruby *and* restores a cache layer
           # that we’ll reuse in the later manual install.
-          bundler-cache: ${{ matrix.rails == '7.1.5.2' }}
+          bundler-cache: ${{ matrix.rails == '7.2.2.2' }}
 
           # One cache bucket per Rails version so they don’t clobber each other.
           cache-version: rails-${{ matrix.rails }}
 
       # Updating Rails can legitimately blow up on the experimental tracks,
       # so we allow that *step* to error out without failing the job.
       - name: Update Rails & install gems
-        if: matrix.rails != '7.1.5.2'
+        if: matrix.rails != '7.2.2.2'
         id: update
         run: |
           # turn off deployment mode
@@ -75,21 +72,21 @@ jobs:
         continue-on-error: ${{ matrix.allowed_failure }}
 
       - name: Prepare DB schema
-        if: (matrix.rails == '7.1.5.2') || steps.update.outcome == 'success'
+        if: (matrix.rails == '7.2.2.2') || steps.update.outcome == 'success'
         run: |
           rm -f spec/dummy/tmp/pids/server.pid
           bundle exec rake -f spec/dummy/Rakefile db:schema:load
         continue-on-error: ${{ matrix.allowed_failure }}
 
       - name: Wait for Elasticsearch
-        if: (matrix.rails == '7.1.5.2') || steps.update.outcome == 'success'
+        if: (matrix.rails == '7.2.2.2') || steps.update.outcome == 'success'
         run: |
           echo "Waiting for Elasticsearch to be healthy..."
           curl -s "http://localhost:9200/_cluster/health?wait_for_status=yellow&timeout=60s" || (echo "Elasticsearch not healthy" && exit 1)
 
 
       - name: Run RSpec
-        if: (matrix.rails == '7.1.5.2') || steps.update.outcome == 'success'
+        if: (matrix.rails == '7.2.2.2') || steps.update.outcome == 'success'
         env:
           RAILS_MASTER_KEY: ${{ secrets.RAILS_MASTER_KEY }}
         run: |
 
@@ -4,7 +4,7 @@ Instructions for GitHub Copilot and other automated contributors working in this
 
 ## Project
 - Ruby: 3.4.4 (installed via rbenv in setup)
-- Rails: 7.1
+- Rails: 7.2
 - Node: 20
 - DB: PostgreSQL + PostGIS
 - Search: Elasticsearch 7.17.23
@@ -50,6 +50,7 @@ Instructions for GitHub Copilot and other automated contributors working in this
   - Use allow-lists for dynamic class resolution (see `joatu_source_class` pattern)
   - Sanitize and validate all user inputs
   - Use strong parameters in controllers
+  - Define model-level permitted attributes: prefer a class method `self.permitted_attributes` on models that returns the permitted attribute list (including nested attribute structures). Controllers should call `Model.permitted_attributes` to build permit lists instead of hard-coding them. When composing nested attributes, reference other models' `permitted_attributes` (for example: `Conversation.permitted_attributes` may include `{ messages_attributes: Message.permitted_attributes }`).
   - Implement proper authorization checks (Pundit policies)
 - **For reflection-based features**: Create concerns with `included_in_models` class methods for safe dynamic class resolution
 - **Post-generation security check**: Run `bin/dc-run bundle exec brakeman --quiet --no-pager -c UnsafeReflection,SQL,CrossSiteScripting` after major code changes
@@ -226,6 +227,35 @@ For every implementation plan, create acceptance criteria covering relevant stak
 - **Required for**: Controller specs, request specs, feature specs, and any integration tests that involve routing or authentication.
 - **Locale Parameters**: Engine controller tests require locale parameters (e.g., `params: { locale: I18n.default_locale }`) due to routing constraints.
 
+### Automatic test configuration & auth helper patterns
+
+This repository provides an automatic test-configuration layer (see `spec/support/automatic_test_configuration.rb`) that sets up the host `Platform` and, where appropriate, performs authentication for request, controller, and feature specs so most specs do NOT need to call `configure_host_platform` manually.
+
+- Automatic setup applies to specs with `type: :request`, `type: :controller`, and `type: :feature` by default.
+- Use these example metadata tags to control authentication explicitly:
+  - `:as_platform_manager` or `:platform_manager` — login as the platform manager (elevated privileges)
+  - `:as_user`, `:authenticated`, or `:user` — login as a regular user
+  - `:no_auth` or `:unauthenticated` — ensure no authentication is performed for the example
+  - `:skip_host_setup` — skip host platform creation/configuration for this example
+
+How it works:
+- The test helper inspects example metadata and description text (describe/context). If the description contains keywords such as "platform manager", "admin", "authenticated", or "signed in", it will automatically set appropriate tags and perform the corresponding authentication.
+- The helper creates a host `Platform` if one does not exist and marks the default setup wizard as completed.
+- For request specs it uses HTTP login helpers (`login(email, password)`); for controller specs it uses Devise test helpers (`sign_in`); for feature specs it uses Capybara UI login flows.
+
+Recommended usage:
+- Prefer using metadata tags (`:as_platform_manager`, `:as_user`, `:skip_host_setup`) in the `describe` or `context` header when a test needs a specific authentication state. Example:
+
+```ruby
+RSpec.describe 'Creating a conversation', type: :request, :as_user do
+  # host platform and user login are automatically configured
+end
+```
+
+- Avoid calling `configure_host_platform` manually in most specs; reserve manual calls for special cases (use `:skip_host_setup` to opt out of automatic config).
+
+Note: The helper set lives under `spec/support/automatic_test_configuration.rb` and provides helpers like `configure_host_platform`, `find_or_create_test_user`, and `capybara_login_as_platform_manager` to use directly if needed by unusual tests.
+
 ## Test Coverage Standards
 - **Models**: Test validations, associations, scopes, instance methods, class methods, and callbacks.
 - **Controllers**: Test all actions, authorization policies, parameter handling, and response formats.
 
@@ -27,7 +27,7 @@ gem 'pundit-resources', '~> 1.1.4', github: 'better-together-org/pundit-resource
 
 # Core Rails gem
 gem 'rack-protection'
-gem 'rails', ENV.fetch('RAILS_VERSION', '7.1.5.2')
+gem 'rails', ENV.fetch('RAILS_VERSION', '7.2.2.2')
 
 # Redis for ActionCable and background jobs
 gem 'redis', '~> 5.4'