First cut of a simplified "intro" UI layout (#265)

* First cut of a simplified "intro" UI layout

* Linter

* Add guest role and intro-only access

* Fix guest role UI defaults (#940)

Use enum predicate to avoid missing role helper.

* Remove legacy user role mapping (#941)

Drop the unused user role references in role normalization
and SSO role mapping forms to avoid implying a role that
never existed.

Refs: #0

* Remove role normalization (#942)

Remove role normalization

Roles are now stored directly without legacy mappings.

* Revert role mapping logic

* Remove `normalize_role_settings`

* Remove unnecessary migration

* Make `member` the default

* Broken `.erb`

---------

Signed-off-by: Juan José Mata <juanjo.mata@gmail.com>

config/application.rb

@@ -42,6 +42,9 @@ module Sure
     # Enable Rack::Attack middleware for API rate limiting
     config.middleware.use Rack::Attack
 
+    config.x.ui = ActiveSupport::OrderedOptions.new
+    default_layout = ENV.fetch("DEFAULT_UI_LAYOUT", "dashboard")
+    config.x.ui.default_layout = default_layout.in?(%w[dashboard intro]) ? default_layout : "dashboard"
     # Handle OmniAuth/OIDC errors gracefully (must be before OmniAuth middleware)
     require_relative "../app/middleware/omniauth_error_handler"
     config.middleware.use OmniauthErrorHandler

config/locales/views/admin/sso_providers/en.yml

@@ -76,6 +76,7 @@ en:
         provisioning_title: "User Provisioning"
         default_role_label: "Default Role for New Users"
         default_role_help: "Role assigned to users created via just-in-time (JIT) SSO account provisioning. Defaults to Member."
+        role_guest: "Guest"
         role_member: "Member"
         role_admin: "Admin"
         role_super_admin: "Super Admin"
@@ -83,6 +84,7 @@ en:
         role_mapping_help: "Map IdP groups/claims to application roles. Users are assigned the highest matching role. Leave blank to use the default role above."
         super_admin_groups: "Super Admin Groups"
         admin_groups: "Admin Groups"
+        guest_groups: "Guest Groups"
         member_groups: "Member Groups"
         groups_help: "Comma-separated list of IdP group names. Use * to match all groups."
         advanced_title: "Advanced OIDC Settings"

config/locales/views/admin/users/en.yml

@@ -10,10 +10,12 @@ en:
         no_users: "No users found."
         role_descriptions_title: "Role Descriptions"
         roles:
+          guest: "Guest"
           member: "Member"
           admin: "Admin"
           super_admin: "Super Admin"
         role_descriptions:
+          guest: "Assistant-first experience with intentionally restricted permissions for intro workflows."
           member: "Basic user access. Can manage their own accounts, transactions, and settings."
           admin: "Family administrator. Can access advanced settings like API keys, imports, and AI prompts."
           super_admin: "Instance administrator. Can manage SSO providers, user roles, and impersonate users for support."

config/locales/views/invitations/en.yml

@@ -19,6 +19,7 @@ en:
       email_label: Email Address
       email_placeholder: Enter email address
       role_admin: Administrator
+      role_guest: Guest
       role_label: Role
       role_member: Member
       submit: Send Invitation

config/locales/views/registrations/en.yml

@@ -17,6 +17,7 @@ en:
       invitation_message: "%{inviter} has invited you to join as a %{role}"
       join_family_title: Join %{family}
       role_admin: administrator
+      role_guest: guest
       role_member: member
       submit: Create account
       title: Create your account

config/routes.rb

@@ -482,6 +482,7 @@ Rails.application.routes.draw do
   terms_url = ENV["LEGAL_TERMS_URL"].presence
   get "privacy", to: privacy_url ? redirect(privacy_url) : "pages#privacy"
   get "terms", to: terms_url ? redirect(terms_url) : "pages#terms"
+  get "intro", to: "pages#intro"
 
   # Admin namespace for super admin functionality
   namespace :admin do