Merge pull request #74 from kengallego/v0.3.0-update

V0.3.0 update

Author: kengallego

.brakeman.ignore

@@ -0,0 +1,23 @@
+{
+  "ignored_warnings": [
+    {
+      "warning_type": "Cross-Site Request Forgery",
+      "warning_code": 7,
+      "fingerprint": "8467757e84ea0d7ea13884e1bebb9cd69913885cc43c455f2d71bd8b8c92c5c7",
+      "check_name": "ForgerySetting",
+      "message": "`protect_from_forgery` should be called in `ApplicationController`",
+      "file": "site/app/controllers/application_controller.rb",
+      "line": 3,
+      "link": "https://brakemanscanner.org/docs/warning_types/cross-site_request_forgery/",
+      "code": null,
+      "render_path": null,
+      "location": {
+        "type": "controller",
+        "controller": "ApplicationController"
+      },
+      "user_input": null,
+      "confidence": "High",
+      "note": "The `site/` path is meant for development and testing ONLY. It is never deployed to production and has no real users or sessions."
+    }
+  ]
+}

.github/workflows/ci.yml

@@ -20,7 +20,7 @@ jobs:
           bundler-cache: true
 
       - name: Scan for common Rails security vulnerabilities using static analysis
-        run: bin/brakeman --no-pager
+        run: bin/brakeman --no-pager -i .brakeman.ignore
 
   scan_js:
     runs-on: ubuntu-latest

.rubocop.yml

@@ -21,6 +21,8 @@ Lint/MissingSuper:
 
 Naming/VariableNumber:
   EnforcedStyle: snake_case
+  Exclude:
+    - 'config/initializers/**/*'
 
 Metrics/MethodLength:
   Enabled: false
@@ -39,3 +41,12 @@ Metrics/ParameterLists:
     - 'app/components/**/*'
     - 'site/app/previews/**/*'
     - 'spec/components/previews/**/*'
+
+Metrics/ClassLength:
+  Exclude:
+    - 'site/app/previews/**/*'
+
+Rails/OutputSafety:
+  Exclude:
+    - 'site/app/previews/**/*'
+    - 'spec/**/*'

AGENT.md

@@ -0,0 +1,32 @@
+# Agent Guide
+
+Essence is a Rails 8 engine that ships Beyond UI as ViewComponents with Stimulus/Turbo; Lookbook preview lives in `site/`.
+
+Stack quickref
+- Ruby >= 3.3 with Bundler
+- ViewComponent + SimpleForm; importmap + Propshaft assets; Stimulus controllers in `app/javascript/essence/controllers`
+- Components in `app/components/essence`; styles/images under `app/assets/essence`
+
+Setup
+- `bundle install`
+- Preview app: `cd site && bin/setup --skip-server` to install deps and prep the sqlite DB
+- Start Lookbook: `cd site && bin/rails server` (or run `site/bin/setup` without `--skip-server` to boot via `bin/dev`)
+
+Everyday dev
+- Subclass `Essence::ApplicationComponent`; pair `*_component.rb` with `*_component.html.erb`
+- JS entry: `app/javascript/essence/application.js`; register controllers via `controllers/index.js`; add importmap pins in `config/importmap.rb` when needed
+- CSS/design tokens in `app/assets/stylesheets/essence`; images in `app/assets/images/essence`
+- Previews/examples live in `site/app/previews/**`; mirror new props and states there
+- Shared helpers and form inputs are under `app/helpers` and `app/inputs`; reuse existing utilities before adding new ones
+
+Quality gates
+- Specs: `bundle exec rspec`
+- Lint: `bundle exec rubocop`
+- Security: `bundle exec brakeman`
+- Gem sanity: `bundle exec rake build` (bundler gem tasks)
+
+Notes for changes
+- Keep HTML semantics and ARIA intact; components are consumed by storefront apps
+- Avoid bundling external JS/CSS; rely on importmap + Stimulus
+- Preserve backward compatibility; prefer deprecations to breaking changes
+- Update previews and documentation when behaviour or UI shifts