active_canvas 0.0.1

data/app/views/layouts/active_canvas/application.html.erb

@@ -0,0 +1,55 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1">
+
+  <title><%= yield(:page_title).presence || "Active Canvas" %></title>
+
+  <%= csrf_meta_tags %>
+  <%= csp_meta_tag %>
+
+  <!-- SEO Meta Tags -->
+  <%= yield :seo_meta %>
+
+  <!-- Open Graph / Social -->
+  <%= yield :og_meta %>
+
+  <!-- Twitter Card -->
+  <%= yield :twitter_meta %>
+
+  <!-- Canonical URL -->
+  <%= yield :canonical %>
+
+  <!-- Structured Data -->
+  <%= yield :structured_data %>
+
+  <%= yield :head %>
+
+  <!-- ActiveCanvas: framework=<%= ActiveCanvas::Setting.css_framework %> compiled_mode=<%= ActiveCanvas::Setting.tailwind_compiled_mode? %> available=<%= ActiveCanvas::TailwindCompiler.available? %> env=<%= Rails.env %> -->
+  <% if ActiveCanvas::Setting.tailwind_compiled_mode? %>
+    <!-- ActiveCanvas: Using compiled Tailwind CSS (no CDN) -->
+  <% elsif ActiveCanvas::Setting.css_framework_url.present? %>
+    <!-- ActiveCanvas: Loading CSS framework from CDN -->
+    <% if ActiveCanvas::Setting.css_framework_type == :script %>
+      <script src="<%= ActiveCanvas::Setting.css_framework_url %>"></script>
+    <% else %>
+      <link rel="stylesheet" href="<%= ActiveCanvas::Setting.css_framework_url %>">
+    <% end %>
+  <% end %>
+
+  <%= stylesheet_link_tag "active_canvas/application", media: "all" %>
+
+  <% if ActiveCanvas::Setting.global_css.present? %>
+    <style><%= ActiveCanvas::Setting.global_css.html_safe %></style>
+  <% end %>
+</head>
+<body>
+
+<%= yield %>
+
+<% if ActiveCanvas::Setting.global_js.present? %>
+  <script><%= ActiveCanvas::Setting.global_js.html_safe %></script>
+<% end %>
+</body>
+</html>

data/config/routes.rb

@@ -0,0 +1,48 @@
+ActiveCanvas::Engine.routes.draw do
+  namespace :admin do
+    resources :pages do
+      member do
+        get :content
+        patch :update_content
+        get :editor
+        patch :save_editor
+        get :versions
+      end
+      resources :versions, only: [:show], controller: "page_versions"
+    end
+    resources :page_types
+    resources :partials, only: [:index, :edit, :update] do
+      member do
+        get :editor
+        patch :save_editor
+      end
+    end
+    resources :media, only: [:index, :show, :create, :destroy]
+    resource :settings, only: [:show, :update] do
+      patch :update_global_css
+      patch :update_global_js
+      patch :update_ai
+      post :sync_ai_models
+      patch :toggle_ai_model
+      patch :bulk_toggle_ai_models
+      post :create_ai_model
+      delete :destroy_ai_model
+      patch :update_tailwind_config
+      post :recompile_tailwind
+    end
+
+    namespace :ai do
+      post :chat
+      post :image
+      post :screenshot_to_code
+      get :models
+      get :status
+    end
+
+    root to: "pages#index"
+  end
+
+  root to: "pages#home"
+  get ":slug", to: "pages#show", as: :public_page,
+    constraints: ->(req) { ActiveCanvas::Page.published.exists?(slug: req.params[:slug]) }
+end

data/db/migrate/20260202000001_create_active_canvas_tables.rb

@@ -0,0 +1,113 @@
+class CreateActiveCanvasTables < ActiveRecord::Migration[8.0]
+  def change
+    create_table :active_canvas_page_types, if_not_exists: true do |t|
+      t.string :name, null: false
+      t.string :key, null: false
+
+      t.timestamps
+    end
+
+    add_index :active_canvas_page_types, :key, unique: true, if_not_exists: true
+
+    create_table :active_canvas_pages, if_not_exists: true do |t|
+      t.string :title, null: false
+      t.string :slug
+      t.text :content
+      t.references :page_type, null: false, foreign_key: { to_table: :active_canvas_page_types }
+      t.boolean :published, default: false, null: false
+
+      # Editor data
+      t.text :content_css
+      t.text :content_js
+      t.text :content_components
+
+      # Tailwind compilation
+      t.text :compiled_tailwind_css
+      t.datetime :tailwind_compiled_at
+
+      # Header/Footer
+      t.boolean :show_header, default: true, null: false
+      t.boolean :show_footer, default: true, null: false
+
+      # SEO
+      t.string :meta_title
+      t.text :meta_description
+      t.string :canonical_url
+      t.string :meta_robots
+
+      # Open Graph
+      t.string :og_title
+      t.text :og_description
+      t.string :og_image
+
+      # Twitter
+      t.string :twitter_card
+      t.string :twitter_title
+      t.text :twitter_description
+      t.string :twitter_image
+
+      # Structured data
+      t.text :structured_data
+
+      t.timestamps
+    end
+
+    add_index :active_canvas_pages, :slug, unique: true, if_not_exists: true
+
+    create_table :active_canvas_page_versions, if_not_exists: true do |t|
+      t.references :page, null: false, foreign_key: { to_table: :active_canvas_pages }
+      t.integer :version_number, null: false
+      t.text :content_before
+      t.text :content_after
+      t.text :content_diff
+      t.text :css_before
+      t.text :css_after
+      t.string :change_summary
+      t.string :changed_by
+      t.integer :content_size_before
+      t.integer :content_size_after
+
+      t.timestamps
+    end
+
+    add_index :active_canvas_page_versions, [:page_id, :version_number], unique: true, if_not_exists: true
+    add_index :active_canvas_page_versions, :created_at, if_not_exists: true
+
+    create_table :active_canvas_partials, if_not_exists: true do |t|
+      t.string :name, null: false
+      t.string :partial_type, null: false
+      t.text :content
+      t.text :content_css
+      t.text :content_js
+      t.text :content_components
+      t.text :compiled_css
+      t.boolean :active, default: true, null: false
+
+      t.timestamps
+    end
+
+    add_index :active_canvas_partials, :partial_type, unique: true, if_not_exists: true
+
+    create_table :active_canvas_media, if_not_exists: true do |t|
+      t.string :filename, null: false
+      t.string :content_type
+      t.integer :byte_size
+      t.text :metadata
+
+      t.timestamps
+    end
+
+    add_index :active_canvas_media, :content_type, if_not_exists: true
+    add_index :active_canvas_media, :created_at, if_not_exists: true
+
+    create_table :active_canvas_settings, if_not_exists: true do |t|
+      t.string :key, null: false
+      t.text :value
+      t.text :encrypted_value
+
+      t.timestamps
+    end
+
+    add_index :active_canvas_settings, :key, unique: true, if_not_exists: true
+  end
+end

data/db/migrate/20260202000002_create_active_canvas_ai_models.rb

@@ -0,0 +1,26 @@
+class CreateActiveCanvasAiModels < ActiveRecord::Migration[8.0]
+  def change
+    create_table :active_canvas_ai_models, if_not_exists: true do |t|
+      t.string :model_id, null: false
+      t.string :provider, null: false
+      t.string :model_type
+      t.string :name
+      t.string :family
+      t.integer :context_window
+      t.integer :max_tokens
+      t.boolean :supports_functions, default: false
+      t.decimal :input_price_per_million, precision: 10, scale: 4
+      t.decimal :output_price_per_million, precision: 10, scale: 4
+      t.boolean :active, default: true
+      t.text :input_modalities
+      t.text :output_modalities
+
+      t.timestamps
+    end
+
+    add_index :active_canvas_ai_models, :model_id, unique: true, if_not_exists: true
+    add_index :active_canvas_ai_models, :provider, if_not_exists: true
+    add_index :active_canvas_ai_models, :model_type, if_not_exists: true
+    add_index :active_canvas_ai_models, :active, if_not_exists: true
+  end
+end

data/lib/active_canvas/configuration.rb

@@ -0,0 +1,232 @@
+module ActiveCanvas
+  class Configuration
+    # ==> Authentication
+    # Authentication callback for public pages
+    # Set to a proc/lambda that will be called as a before_action
+    # Example: config.authenticate_public = -> { redirect_to login_path unless current_user }
+    attr_accessor :authenticate_public
+
+    # Authentication callback for admin pages
+    # Set to a proc/lambda or method name symbol
+    # Example: config.authenticate_admin = :authenticate_admin_user!
+    # Example: config.authenticate_admin = -> { redirect_to login_path unless current_user&.admin? }
+    attr_accessor :authenticate_admin
+
+    # HTTP Basic Auth credentials (used when authenticate_admin = :http_basic_auth)
+    attr_accessor :http_basic_user
+    attr_accessor :http_basic_password
+
+    # Parent controller class for admin controllers
+    # Set to a string like "Admin::ApplicationController" to inherit authentication
+    # Example: config.admin_parent_controller = "Admin::ApplicationController"
+    attr_accessor :admin_parent_controller
+    attr_accessor :public_parent_controller
+
+    # Current user method name (used by AI features, version tracking, etc.)
+    attr_accessor :current_user_method
+
+    # ==> CSS Framework
+    # Default CSS framework: :tailwind, :bootstrap5, :none
+    # Can be overridden in admin settings
+    attr_accessor :css_framework
+
+    # ==> Media Uploads
+    # Enable/disable file uploads
+    attr_accessor :enable_uploads
+
+    # Maximum upload size in bytes
+    attr_accessor :max_upload_size
+
+    # Allowed MIME types for uploads
+    attr_accessor :allowed_content_types
+
+    # Allow SVG uploads (disabled by default due to XSS risks)
+    attr_accessor :allow_svg_uploads
+
+    # Active Storage service name (nil = default service)
+    attr_accessor :storage_service
+
+    # Make uploads publicly accessible (false = use signed URLs)
+    attr_accessor :public_uploads
+
+    # ==> Editor Settings
+    # Default blocks available in the editor
+    attr_accessor :editor_blocks
+
+    # Enable/disable specific editor features
+    attr_accessor :enable_ai_features
+    attr_accessor :enable_code_editor
+    attr_accessor :enable_asset_manager
+
+    # ==> Page Settings
+    # Auto-save interval in seconds (0 = disabled)
+    attr_accessor :autosave_interval
+
+    # Maximum versions to keep per page (0 = unlimited)
+    attr_accessor :max_versions_per_page
+
+    # ==> Security
+    # Sanitize HTML content on save
+    attr_accessor :sanitize_content
+
+    # Allowed HTML tags (when sanitize_content is true)
+    attr_accessor :allowed_html_tags
+
+    # Allowed HTML attributes (when sanitize_content is true)
+    attr_accessor :allowed_html_attributes
+
+    # ==> AI Security
+    # Rate limit for AI requests (per minute per IP)
+    attr_accessor :ai_rate_limit_per_minute
+
+    # Maximum stream timeout for AI chat
+    attr_accessor :ai_stream_timeout
+
+    # Idle timeout for AI streaming (no data received)
+    attr_accessor :ai_stream_idle_timeout
+
+    # Maximum response size for AI streaming
+    attr_accessor :ai_max_response_size
+
+    # Maximum screenshot size (base64 encoded)
+    attr_accessor :max_screenshot_size
+
+    # Allowed hosts for AI-generated image downloads
+    attr_accessor :allowed_ai_image_hosts
+
+    # Dangerous content types that are always blocked
+    DANGEROUS_CONTENT_TYPES = %w[
+      application/x-executable
+      application/x-sharedlib
+      application/x-mach-binary
+      text/html
+      application/javascript
+      text/javascript
+      application/x-httpd-php
+    ].freeze
+
+    def initialize
+      # Authentication - open by default (configure in initializer!)
+      @authenticate_public = nil
+      @authenticate_admin = nil
+      @http_basic_user = nil
+      @http_basic_password = nil
+      @admin_parent_controller = "ActionController::Base"
+      @public_parent_controller = "ActionController::Base"
+      @current_user_method = :current_user
+
+      # CSS Framework
+      @css_framework = :tailwind
+
+      # Media Uploads
+      @enable_uploads = true
+      @max_upload_size = 10.megabytes
+      @allowed_content_types = %w[
+        image/jpeg
+        image/png
+        image/gif
+        image/webp
+        image/avif
+        application/pdf
+      ]
+      @allow_svg_uploads = false
+      @storage_service = nil
+      @public_uploads = false
+
+      # Editor Settings
+      @editor_blocks = :all
+      @enable_ai_features = true
+      @enable_code_editor = true
+      @enable_asset_manager = true
+
+      # Page Settings
+      @autosave_interval = 60
+      @max_versions_per_page = 50
+
+      # Security
+      @sanitize_content = true
+      @allowed_html_tags = %w[
+        h1 h2 h3 h4 h5 h6 p div span a img ul ol li
+        table thead tbody tr th td
+        section article header footer nav main aside
+        figure figcaption blockquote pre code
+        strong em b i u s mark small sub sup
+        br hr
+        form input button label select option textarea
+        iframe video audio source
+      ]
+      @allowed_html_attributes = %w[
+        class id style href src alt title target rel
+        width height loading name type value placeholder
+        disabled readonly checked selected multiple
+        action method enctype
+        controls autoplay loop muted poster
+        frameborder allowfullscreen allow
+      ]
+
+      # AI Security
+      @ai_rate_limit_per_minute = 30
+      @ai_stream_timeout = 5.minutes
+      @ai_stream_idle_timeout = 30.seconds
+      @ai_max_response_size = 1.megabyte
+      @max_screenshot_size = 10.megabytes
+      @allowed_ai_image_hosts = %w[
+        oaidalleapiprodscus.blob.core.windows.net
+        dalleprodsec.blob.core.windows.net
+      ]
+    end
+
+    # Get effective allowed content types (includes SVG if enabled, excludes dangerous types)
+    def effective_allowed_content_types
+      types = allowed_content_types.dup
+      types << "image/svg+xml" if allow_svg_uploads
+      types - DANGEROUS_CONTENT_TYPES
+    end
+
+    # Check if authentication is properly configured for production
+    def enforce_authentication!
+      return unless defined?(Rails) && Rails.env.production?
+      return if authenticate_admin.present?
+      return if admin_parent_controller != "ActionController::Base"
+
+      raise SecurityError, <<~MSG
+        [ActiveCanvas] Admin authentication is not configured!
+
+        Your admin interface is currently open to anyone. Configure authentication in your initializer:
+
+        ActiveCanvas.configure do |config|
+          # Option 1: Use your app's authentication method (recommended)
+          config.authenticate_admin = :authenticate_user!
+
+          # Option 2: Inherit from your admin base controller
+          config.admin_parent_controller = "Admin::ApplicationController"
+
+          # Option 3: Use HTTP Basic Auth
+          config.authenticate_admin = :http_basic_auth
+          config.http_basic_user = "admin"
+          config.http_basic_password = Rails.application.credentials.active_canvas_password
+        end
+
+        For development, you can use HTTP Basic Auth with default credentials,
+        but ALWAYS configure proper authentication for production.
+      MSG
+    end
+
+    # Check if HTTP Basic Auth is configured
+    def http_basic_auth_configured?
+      authenticate_admin == :http_basic_auth &&
+        http_basic_user.present? &&
+        http_basic_password.present?
+    end
+
+    # Helper to check if AI features are enabled
+    def ai_available?
+      @enable_ai_features
+    end
+
+    # Helper to check if Tailwind compilation is available
+    def tailwind_compilation_available?
+      @css_framework == :tailwind && defined?(Tailwindcss::Ruby)
+    end
+  end
+end

data/lib/active_canvas/engine.rb

@@ -0,0 +1,44 @@
+module ActiveCanvas
+  class Engine < ::Rails::Engine
+    isolate_namespace ActiveCanvas
+
+    # Prevent engine migrations from auto-running in the host app.
+    # Host apps copy migrations via: rails active_canvas:install:migrations
+    initializer "active_canvas.migrations", before: :append_migrations do
+      config.paths["db/migrate"] = []
+    end
+
+    # Ensure engine assets are precompiled
+    initializer "active_canvas.assets.precompile" do |app|
+      app.config.assets.precompile += %w[
+        active_canvas/editor.js
+        active_canvas/editor.css
+      ]
+    end
+
+    # Filter sensitive parameters from logs
+    initializer "active_canvas.filter_parameters" do |app|
+      app.config.filter_parameters += [
+        :ai_openai_api_key,
+        :ai_anthropic_api_key,
+        :ai_openrouter_api_key,
+        :http_basic_password,
+        /active_canvas.*api.*key/i,
+        /active_canvas.*password/i
+      ]
+    end
+
+    # Warn about authentication configuration
+    config.after_initialize do
+      if defined?(Rails::Server) && Rails.env.production?
+        unless ActiveCanvas.config.authenticate_admin.present?
+          Rails.logger.warn <<~MSG
+            [ActiveCanvas] WARNING: Admin authentication is not configured!
+            Your admin interface will be inaccessible until you configure authentication.
+            See the ActiveCanvas documentation for setup instructions.
+          MSG
+        end
+      end
+    end
+  end
+end

data/lib/active_canvas/version.rb

@@ -0,0 +1,3 @@
+module ActiveCanvas
+  VERSION = "0.0.1"
+end

data/lib/active_canvas.rb

@@ -0,0 +1,26 @@
+require "active_canvas/version"
+require "active_canvas/configuration"
+require "active_canvas/engine"
+
+# Load RubyLLM if available for AI features
+begin
+  require "ruby_llm"
+rescue LoadError
+  # RubyLLM is optional - AI features will be disabled if not available
+end
+
+module ActiveCanvas
+  class << self
+    def configuration
+      @configuration ||= Configuration.new
+    end
+
+    def configure
+      yield(configuration)
+    end
+
+    def config
+      configuration
+    end
+  end
+end