Skip to content

roadmap: high-impact application feature gaps — auth scaffold/generator, authorization policy layer, file attachments (Active Storage), channels docs + WebSocket parity #2962

Description

@bpamiri

Problem

The wave-2 framework review's feature-set assessment (FRAMEWORK-REVIEW-2026-06-09.md §5.2) identifies four High-impact application-layer parity gaps. Grouped into one roadmap issue to bound issue count; each section is an independent, separately-shippable feature. The framework already ships the lower-level primitives for several of these — the gap is the developer-facing scaffold/abstraction on top.

1. Authentication scaffold/generator (High / Medium effort)

No wheels generate auth producing a User model + secure password + registration/login/reset/verification flows on top of the existing vendor/wheels/auth/ strategies (Authenticator + Session/Token/JWT + JwtService). The primitives exist; the one-command scaffold does not.
Prior art: Rails 8 generate authentication; Laravel Fortify.

2. Authorization / policy layer (High / Medium effort)

No gates/policies/can() abstraction. AuthMiddleware answers "who are you" but not "may you do this". Apps must hand-roll authorization in controller filters.
Prior art: Laravel Gates + Policies; Pundit.

3. File attachments / Active Storage equivalent (High / High effort)

No hasOneAttached/hasManyAttached, no storage-service abstraction (local/S3/etc.), no variants, no signed URLs. Uploads are raw cffile.
Prior art: Rails Active Storage.

4. Channels documentation + WebSocket parity (High docs / Medium WS, Medium-High effort)

Working SSE channels ship with zero user-facing docs (.ai/wheels/channels/channels.md is internal only). SSE is server→client only; there is no client→server WebSocket path.
Prior art: Rails ActionCable; Phoenix Channels; Laravel Reverb.

Impact

These are the most-requested parity gaps versus Rails 8 / Laravel 12 for teams adopting Wheels for new apps. Auth scaffold and authorization in particular are table-stakes for typical CRUD apps; the absence forces every app to hand-roll them. Channels has working code with no docs — the lowest-effort, highest-leverage of the four (docs first, WebSocket later).

Suggested approach

Treat each section as its own design + implementation effort, sequenced by effort/leverage:

  1. Channels docs first (code exists; write user-facing guide pages under web/sites/guides/), then scope client→server WebSocket support.
  2. Authentication generator on top of vendor/wheels/auth/wheels generate auth producing model + migrations + controllers + views, calling super.config() (see the CSRF footgun, this campaign).
  3. Authorization policy layer — gates/policies/can(), composing with AuthMiddleware.
  4. File attachments — storage-service abstraction with local + S3 adapters, model macros, signed URLs, variants.

Each warrants its own design discussion; this issue is the roadmap anchor. Split into per-feature issues once each is scheduled.

Acceptance criteria

  • Channels has user-facing guide docs; WebSocket client→server support is scoped (or shipped).
  • wheels generate auth scaffolds a working auth flow on the existing strategies.
  • An authorization/policy abstraction (can() + policy objects) exists and composes with middleware.
  • A file-attachments abstraction with a pluggable storage service exists.

Source

Internal multi-agent framework review 2026-06-09, wave 2 (issues phase). Feature-set assessment §5.2, High-impact gaps: Authentication scaffold/generator, Authorization/policy layer, File attachments/Active Storage, Channels docs + WebSocket parity.


Tracking checklist (converted 2026-06-12 per the sequencing comment above)

Metadata

Metadata

Assignees

No one assigned

    Labels

    roadmapRoadmap / tracking issue grouping scheduled work

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions