Merge branch 'main' into dependabot/bundler/omniauth-2.1.4

Author: dorner

.gitignore

@@ -89,3 +89,4 @@ out/
 
 .vscode/
 .aider*
+.claude

CLAUDE.md

@@ -0,0 +1,99 @@
+# CLAUDE.md
+
+This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
+
+## Project Overview
+
+Human Essentials is a Ruby on Rails inventory management system for diaper banks and essentials banks. It's a Ruby for Good project serving 200+ non-profit organizations. The app manages donations, purchases, distributions, inventory, partners, and requests for essential items.
+
+## Common Commands
+
+### Development
+```bash
+bin/setup          # First-time setup (installs gems, creates DB, seeds)
+bin/start          # Starts Rails server (port 3000) + Delayed Job worker
+```
+
+### Testing
+```bash
+bundle exec rspec                              # Run full test suite
+bundle exec rspec spec/models/item_spec.rb     # Run a single test file
+bundle exec rspec spec/models/item_spec.rb:42  # Run a single test at line
+bundle exec rspec spec/models/                 # Run a directory of tests
+```
+
+CI splits tests into two workflows: `rspec` (unit tests, excludes system/request specs) and `rspec-system` (system and request specs only, 6 parallel nodes). System tests use Capybara with Cuprite (headless Chrome).
+
+### Linting
+```bash
+bundle exec rubocop                  # Ruby linter (Standard-based config)
+bundle exec erb_lint --lint-all      # ERB template linter
+bundle exec brakeman                 # Security scanner
+```
+
+### Database
+```bash
+bundle exec rake db:migrate
+bundle exec rake db:seed
+bundle exec rake db:reset            # Drop + create + migrate + seed
+```
+
+## Architecture
+
+### Multi-Tenancy
+Nearly all data is scoped to an `Organization`. Most models `belong_to :organization` and queries should always scope by organization context. The current user's organization is the primary tenant boundary.
+
+### Roles (Rolify)
+Four roles defined in `Role`: `ORG_USER`, `ORG_ADMIN`, `SUPER_ADMIN`, `PARTNER`. Roles are polymorphic and scoped to a resource (usually an Organization). Authentication is via Devise.
+
+### Event Sourcing for Inventory
+Inventory is **not** tracked via simple column updates. Instead, it uses an event sourcing pattern:
+
+- **`Event`** (STI base model) stores all inventory-affecting actions as JSONB events
+- Subclasses: `DonationEvent`, `DistributionEvent`, `PurchaseEvent`, `TransferEvent`, `AdjustmentEvent`, `AuditEvent`, `KitAllocateEvent`, `SnapshotEvent`, etc.
+- **`InventoryAggregate`** replays events to compute current inventory state. It finds the most recent `SnapshotEvent` and replays subsequent events
+- **`EventTypes::Inventory`** is the in-memory inventory representation built from events
+- When creating/updating donations, distributions, purchases, transfers, or adjustments, the corresponding service creates an Event, and `Event#validate_inventory` replays all events to verify consistency
+
+This means: to check inventory levels, use `InventoryAggregate.inventory_for(organization_id)`, not direct DB queries on quantity columns.
+
+### Service Objects
+Business logic lives in service classes (`app/services/`), not controllers. Pattern: `{Model}{Action}Service` (e.g., `DistributionCreateService`, `DonationDestroyService`). Controllers are thin and delegate to services.
+
+### Key Models
+- **Item**: Individual item types (diapers, wipes, etc.) belonging to an Organization. Maps to a `BaseItem` (system-wide template) via `partner_key`.
+- **Kit**: A bundle of items. Kits contain line items referencing Items.
+- **StorageLocation**: Where inventory is physically stored. Inventory quantities are per storage location.
+- **Distribution**: Items sent to a Partner. **Donation/Purchase**: Items coming in. **Transfer**: Items between storage locations. **Adjustment**: Manual inventory corrections.
+- **Partner**: Organizations that receive distributions. Partners have their own portal (`/partners/*` routes) and users.
+- **Request**: Partner requests for items, which can become Distributions.
+
+### Routes Structure
+- `/` - Bank user dashboard and resources (distributions, donations, etc.)
+- `/partners/*` - Partner-facing portal (separate namespace)
+- `/admin/*` - Super admin management
+- `/reports/*` - Reporting endpoints
+
+### Query Objects
+Complex queries are extracted into `app/queries/` (e.g., `ItemsInQuery`, `LowInventoryQuery`).
+
+### Frontend
+Bootstrap 5.2, Turbo Rails, Stimulus.js, ImportMap (no Webpack/bundler). JavaScript controllers live in `app/javascript/`.
+
+### Background Jobs
+Delayed Job for async processing (emails, etc.). Clockwork (`clock.rb`) for scheduled tasks (caching historical data, reminder emails, DB backups).
+
+### Feature Flags
+Flipper is available for feature flags, accessible at `/flipper` (auth required).
+
+## Testing Conventions
+
+- RSpec with FactoryBot. Factories are in `spec/factories/`.
+- **Setting up inventory in tests**: Use `TestInventory.create_inventory(organization, { storage_location_id => [[item_id, quantity], ...] })` from `spec/inventory.rb`. There's also a `setup_storage_location` helper in `spec/support/inventory_assistant.rb`.
+- System tests use Capybara with Cuprite driver. Failed screenshots go to `tmp/screenshots/` and `tmp/capybara/`.
+- Models use `has_paper_trail` for audit trails and `Discard` for soft deletes (not `destroy`).
+- The `Filterable` concern provides `class_filter` for scope-based filtering on index actions.
+
+## Dev Credentials
+
+All passwords are `password!`. Key accounts: `superadmin@example.com`, `org_admin1@example.com`, `user_1@example.com`.

Gemfile

@@ -10,7 +10,7 @@ end
 # User management and login workflow.
 gem "devise", '>= 4.7.1'
 # Postgres database adapter.
-gem "pg", "~> 1.6.2"
+gem "pg", "~> 1.6.3"
 # Web server.
 gem "puma"
 # Rails web framework.
@@ -158,7 +158,7 @@ group :development, :test do
   gem 'rubocop-performance'
   gem "rubocop-rails", "~> 2.33.4"
   # More concise test ("should") matchers
-  gem "shoulda-matchers", "~> 6.5"
+  gem "shoulda-matchers", "~> 7.0"
   # Default rules for Rubocop.
   gem "standard", "~> 1.52"
   gem "standard-rails"

Gemfile.lock

@@ -229,7 +229,7 @@ GEM
       dry-inflector (~> 1.0)
       dry-logic (~> 1.4)
       zeitwerk (~> 2.6)
-    erb (6.0.1)
+    erb (6.0.2)
     erb_lint (0.9.0)
       activesupport
       better_html (>= 2.0.1)
@@ -246,7 +246,7 @@ GEM
       railties (>= 6.1.0)
     faker (3.6.0)
       i18n (>= 1.8.11, < 2)
-    faraday (1.10.4)
+    faraday (1.10.5)
       faraday-em_http (~> 1.0)
       faraday-em_synchrony (~> 1.0)
       faraday-excon (~> 1.1)
@@ -259,10 +259,10 @@ GEM
       faraday-retry (~> 1.0)
       ruby2_keywords (>= 0.0.4)
     faraday-em_http (1.0.0)
-    faraday-em_synchrony (1.0.0)
+    faraday-em_synchrony (1.0.1)
     faraday-excon (1.1.0)
     faraday-httpclient (1.0.1)
-    faraday-multipart (1.1.0)
+    faraday-multipart (1.2.0)
       multipart-post (~> 2.0)
     faraday-net_http (1.0.2)
     faraday-net_http_persistent (1.2.0)
@@ -334,8 +334,9 @@ GEM
       activesupport (>= 6.0.0)
       railties (>= 6.0.0)
     io-console (0.8.2)
-    irb (1.16.0)
+    irb (1.17.0)
       pp (>= 0.6.0)
+      prism (>= 1.3.0)
       rdoc (>= 4.0.0)
       reline (>= 0.4.2)
     jbuilder (2.14.1)
@@ -396,7 +397,8 @@ GEM
     memory_profiler (1.1.0)
     method_source (1.1.0)
     mini_mime (1.1.5)
-    minitest (6.0.1)
+    minitest (6.0.2)
+      drb (~> 2.0)
       prism (~> 1.5)
     monetize (2.0.0)
       money (~> 7.0)
@@ -437,7 +439,7 @@ GEM
     notiffany (0.1.3)
       nenv (~> 0.1)
       shellany (~> 0.0)
-    oauth2 (2.0.12)
+    oauth2 (2.0.18)
       faraday (>= 0.17.3, < 4.0)
       jwt (>= 1.0, < 4.0)
       logger (~> 1.2)
@@ -450,13 +452,13 @@ GEM
       logger
       rack (>= 2.2.3)
       rack-protection
-    omniauth-google-oauth2 (1.2.1)
+    omniauth-google-oauth2 (1.2.2)
       jwt (>= 2.9.2)
       oauth2 (~> 2.0)
       omniauth (~> 2.0)
       omniauth-oauth2 (~> 1.8)
-    omniauth-oauth2 (1.8.0)
-      oauth2 (>= 1.4, < 3)
+    omniauth-oauth2 (1.9.0)
+      oauth2 (>= 2.0.2, < 3)
       omniauth (~> 2.0)
     omniauth-rails_csrf_protection (2.0.1)
       actionpack (>= 4.2)
@@ -480,9 +482,9 @@ GEM
       hashery (~> 2.0)
       ruby-rc4
       ttfunk
-    pg (1.6.2-arm64-darwin)
-    pg (1.6.2-x86_64-darwin)
-    pg (1.6.2-x86_64-linux)
+    pg (1.6.3-arm64-darwin)
+    pg (1.6.3-x86_64-darwin)
+    pg (1.6.3-x86_64-linux)
     popper_js (2.11.8)
     pp (0.6.3)
       prettyprint
@@ -562,8 +564,8 @@ GEM
       activesupport (>= 4.2)
       choice (~> 0.2.0)
       ruby-graphviz (~> 1.2)
-    rails-html-sanitizer (1.6.2)
-      loofah (~> 2.21)
+    rails-html-sanitizer (1.7.0)
+      loofah (~> 2.25)
       nokogiri (>= 1.15.7, != 1.16.7, != 1.16.6, != 1.16.5, != 1.16.4, != 1.16.3, != 1.16.2, != 1.16.1, != 1.16.0.rc1, != 1.16.0)
     railties (8.0.2.1)
       actionpack (= 8.0.2.1)
@@ -578,7 +580,7 @@ GEM
     rb-fsevent (0.11.2)
     rb-inotify (0.10.1)
       ffi (~> 1.0)
-    rdoc (7.1.0)
+    rdoc (7.2.0)
       erb
       psych (>= 4.0.0)
       tsort
@@ -659,8 +661,8 @@ GEM
       tilt
     securerandom (0.4.1)
     shellany (0.0.1)
-    shoulda-matchers (6.5.0)
-      activesupport (>= 5.2.0)
+    shoulda-matchers (7.0.1)
+      activesupport (>= 7.1)
     simple_form (5.4.0)
       actionpack (>= 7.0)
       activemodel (>= 7.0)
@@ -733,14 +735,13 @@ GEM
     uniform_notifier (1.18.0)
     uri (1.1.1)
     useragent (0.16.11)
-    version_gem (1.1.8)
+    version_gem (1.1.9)
     warden (1.2.9)
       rack (>= 2.0.9)
-    web-console (4.2.1)
-      actionview (>= 6.0.0)
-      activemodel (>= 6.0.0)
+    web-console (4.3.0)
+      actionview (>= 8.0.0)
       bindex (>= 0.4.0)
-      railties (>= 6.0.0)
+      railties (>= 8.0.0)
     webmock (3.26.1)
       addressable (>= 2.8.0)
       crack (>= 0.3.2)
@@ -753,7 +754,7 @@ GEM
     xpath (3.2.0)
       nokogiri (~> 1.8)
     yard (0.9.37)
-    zeitwerk (2.7.4)
+    zeitwerk (2.7.5)
 
 PLATFORMS
   arm64-darwin
@@ -819,7 +820,7 @@ DEPENDENCIES
   orderly (~> 0.1)
   paper_trail
   pdf-reader
-  pg (~> 1.6.2)
+  pg (~> 1.6.3)
   prawn (~> 2.4.0)
   prawn-rails
   pry-doc
@@ -838,7 +839,7 @@ DEPENDENCIES
   rubocop-performance
   rubocop-rails (~> 2.33.4)
   sass-rails
-  shoulda-matchers (~> 6.5)
+  shoulda-matchers (~> 7.0)
   simple_form
   simplecov
   solid_cache (~> 1.0)

app/controllers/items_controller.rb

@@ -11,7 +11,7 @@ def index
     @items = @items.active unless params[:include_inactive_items]
 
     @item_categories = current_organization.item_categories.includes(:items).order('name ASC')
-    @kits = current_organization.kits.includes(line_items: :item)
+    @kits = current_organization.kits.includes(item: {line_items: :item})
     @storages = current_organization.storage_locations.active.order(id: :asc)
 
     @include_inactive_items = params[:include_inactive_items]

app/controllers/kits_controller.rb

@@ -4,7 +4,7 @@ def show
   end
 
   def index
-    @kits = current_organization.kits.includes(:item, line_items: :item).class_filter(filter_params)
+    @kits = current_organization.kits.includes(item: {line_items: :item}).class_filter(filter_params)
     @inventory = View::Inventory.new(current_organization.id)
     unless params[:include_inactive_items]
       @kits = @kits.active
@@ -16,7 +16,8 @@ def new
     load_form_collections
 
     @kit = current_organization.kits.new
-    @kit.line_items.build
+    @kit.item = current_organization.items.new
+    @kit.item.line_items.build
   end
 
   def create
@@ -31,9 +32,12 @@ def create
         .map { |error| formatted_error_message(error) }
         .join(", ")
 
-      @kit = Kit.new(kit_params)
+      # Extract kit and item params separately since line_items belong to Item, not Kit
+      kit_only_params = kit_params.except(:line_items_attributes)
+      @kit = Kit.new(kit_only_params)
       load_form_collections
-      @kit.line_items.build if @kit.line_items.empty?
+      @kit.item ||= current_organization.items.new(kit_params.slice(:line_items_attributes))
+      @kit.item.line_items.build if @kit.item.line_items.empty?
 
       render :new
     end
@@ -87,12 +91,14 @@ def load_form_collections
   end
 
   def kit_params
-    params.require(:kit).permit(
+    kit_params = params.require(:kit).permit(
       :name,
       :visible_to_partners,
-      :value_in_dollars,
-      line_items_attributes: [:item_id, :quantity, :_destroy]
+      :value_in_dollars
     )
+    item_params = params.require(:item)
+      .permit(line_items_attributes: [:item_id, :quantity, :_destroy])
+    kit_params.to_h.merge(item_params.to_h)
   end
 
   def kit_adjustment_params

app/events/kit_allocate_event.rb

@@ -1,6 +1,6 @@
 class KitAllocateEvent < Event
   def self.event_line_items(kit, storage_location, quantity)
-    items = kit.line_items.map do |item|
+    items = kit.item.line_items.map do |item|
       EventTypes::EventLineItem.new(
         quantity: item.quantity * quantity,
         item_id: item.item_id,

app/events/kit_deallocate_event.rb

@@ -1,6 +1,6 @@
 class KitDeallocateEvent < Event
   def self.event_line_items(kit, storage_location, quantity)
-    items = kit.line_items.map do |item|
+    items = kit.item.line_items.map do |item|
       EventTypes::EventLineItem.new(
         quantity: item.quantity * quantity,
         item_id: item.item_id,