☒ you are essentially putting a pause on that thread so it is not ideal. However, I think that it must be weighed given the situation with potentially leaking exposing customer emails. This was more of an illustration of one of the things that a developer may not think of that a bad actor may.

I am not sure about Heroku default app servers. I typically would use the Procfile to specify booting up Puma, so that would probably be a non issue. Their documentation does have a recommendation for using Puma as well. https://devcenter.heroku.com/articles/ruby-default-web-server#production-web-server

The authenticate method is an alias for some meta programming that's going on in the module that is included by has_secure_password.

https://api.rubyonrails.org/classes/ActiveModel/SecurePassword/InstanceMethodsOnActivation.html

  define_method("authenticate_#{attribute}") do |unencrypted_password|
    attribute_digest = public_send("#{attribute}_digest")
    BCrypt::Password.new(attribute_digest).is_password?(unencrypted_password) && self
  end

  alias_method :authenticate, :authenticate_password if attribute == :password

So, it basically just calls BCrypt to check with the method is_password? if they are a match.

 ☒ Yes, and you would likely not use any of the Stimulus controller parts since the file is already generated. For audio files (and likewise with images), you should probably have some front end validation with the mime types that you would accept in a comma separated string. For example, in this case, you would accept MP3 (or similar).

<%= form.file_field :media, direct_upload: true, accept: 'audio/mpeg' %>

How did you install homebrew & postgresql? It also looks like you're using the system Ruby which is ARM based. I'd recommend now a days to use the native arm-based homebrew.

I have been using ARM based everything. Unless if a program requires Rosetta2 (like Microsoft Teams, OneDrive, etc), I will always now default to ARM based.