Problem
The wave-2 framework review's feature-set assessment (FRAMEWORK-REVIEW-2026-06-09.md §5.2) identifies four High-impact application-layer parity gaps. Grouped into one roadmap issue to bound issue count; each section is an independent, separately-shippable feature. The framework already ships the lower-level primitives for several of these — the gap is the developer-facing scaffold/abstraction on top.
1. Authentication scaffold/generator (High / Medium effort)
No wheels generate auth producing a User model + secure password + registration/login/reset/verification flows on top of the existing vendor/wheels/auth/ strategies (Authenticator + Session/Token/JWT + JwtService). The primitives exist; the one-command scaffold does not.
Prior art: Rails 8 generate authentication; Laravel Fortify.
2. Authorization / policy layer (High / Medium effort)
No gates/policies/can() abstraction. AuthMiddleware answers "who are you" but not "may you do this". Apps must hand-roll authorization in controller filters.
Prior art: Laravel Gates + Policies; Pundit.
3. File attachments / Active Storage equivalent (High / High effort)
No hasOneAttached/hasManyAttached, no storage-service abstraction (local/S3/etc.), no variants, no signed URLs. Uploads are raw cffile.
Prior art: Rails Active Storage.
4. Channels documentation + WebSocket parity (High docs / Medium WS, Medium-High effort)
Working SSE channels ship with zero user-facing docs (.ai/wheels/channels/channels.md is internal only). SSE is server→client only; there is no client→server WebSocket path.
Prior art: Rails ActionCable; Phoenix Channels; Laravel Reverb.
Impact
These are the most-requested parity gaps versus Rails 8 / Laravel 12 for teams adopting Wheels for new apps. Auth scaffold and authorization in particular are table-stakes for typical CRUD apps; the absence forces every app to hand-roll them. Channels has working code with no docs — the lowest-effort, highest-leverage of the four (docs first, WebSocket later).
Suggested approach
Treat each section as its own design + implementation effort, sequenced by effort/leverage:
- Channels docs first (code exists; write user-facing guide pages under
web/sites/guides/), then scope client→server WebSocket support.
- Authentication generator on top of
vendor/wheels/auth/ — wheels generate auth producing model + migrations + controllers + views, calling super.config() (see the CSRF footgun, this campaign).
- Authorization policy layer — gates/policies/
can(), composing with AuthMiddleware.
- File attachments — storage-service abstraction with local + S3 adapters, model macros, signed URLs, variants.
Each warrants its own design discussion; this issue is the roadmap anchor. Split into per-feature issues once each is scheduled.
Acceptance criteria
Source
Internal multi-agent framework review 2026-06-09, wave 2 (issues phase). Feature-set assessment §5.2, High-impact gaps: Authentication scaffold/generator, Authorization/policy layer, File attachments/Active Storage, Channels docs + WebSocket parity.
Tracking checklist (converted 2026-06-12 per the sequencing comment above)
Problem
The wave-2 framework review's feature-set assessment (FRAMEWORK-REVIEW-2026-06-09.md §5.2) identifies four High-impact application-layer parity gaps. Grouped into one roadmap issue to bound issue count; each section is an independent, separately-shippable feature. The framework already ships the lower-level primitives for several of these — the gap is the developer-facing scaffold/abstraction on top.
1. Authentication scaffold/generator (High / Medium effort)
No
wheels generate authproducing a User model + secure password + registration/login/reset/verification flows on top of the existingvendor/wheels/auth/strategies (Authenticator+ Session/Token/JWT +JwtService). The primitives exist; the one-command scaffold does not.Prior art: Rails 8
generate authentication; Laravel Fortify.2. Authorization / policy layer (High / Medium effort)
No gates/policies/
can()abstraction.AuthMiddlewareanswers "who are you" but not "may you do this". Apps must hand-roll authorization in controller filters.Prior art: Laravel Gates + Policies; Pundit.
3. File attachments / Active Storage equivalent (High / High effort)
No
hasOneAttached/hasManyAttached, no storage-service abstraction (local/S3/etc.), no variants, no signed URLs. Uploads are rawcffile.Prior art: Rails Active Storage.
4. Channels documentation + WebSocket parity (High docs / Medium WS, Medium-High effort)
Working SSE channels ship with zero user-facing docs (
.ai/wheels/channels/channels.mdis internal only). SSE is server→client only; there is no client→server WebSocket path.Prior art: Rails ActionCable; Phoenix Channels; Laravel Reverb.
Impact
These are the most-requested parity gaps versus Rails 8 / Laravel 12 for teams adopting Wheels for new apps. Auth scaffold and authorization in particular are table-stakes for typical CRUD apps; the absence forces every app to hand-roll them. Channels has working code with no docs — the lowest-effort, highest-leverage of the four (docs first, WebSocket later).
Suggested approach
Treat each section as its own design + implementation effort, sequenced by effort/leverage:
web/sites/guides/), then scope client→server WebSocket support.vendor/wheels/auth/—wheels generate authproducing model + migrations + controllers + views, callingsuper.config()(see the CSRF footgun, this campaign).can(), composing withAuthMiddleware.Each warrants its own design discussion; this issue is the roadmap anchor. Split into per-feature issues once each is scheduled.
Acceptance criteria
wheels generate authscaffolds a working auth flow on the existing strategies.can()+ policy objects) exists and composes with middleware.Source
Internal multi-agent framework review 2026-06-09, wave 2 (issues phase). Feature-set assessment §5.2, High-impact gaps: Authentication scaffold/generator, Authorization/policy layer, File attachments/Active Storage, Channels docs + WebSocket parity.
Tracking checklist (converted 2026-06-12 per the sequencing comment above)
wheels generate auth(sequenced first)