active_canvas 0.0.2 → 0.0.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 379f677cf18be6230e9307e1380a024d6252a4add2b2cd954dfa6769a91b2541
-  data.tar.gz: fb55ab3e7801bae61423982e903cf61d35c396fb523209154a730e67b6fe93ff
+  metadata.gz: b6178be7aae3ee9f6da228b4d3aa8e0927c4faf622a7215b313616f4fda4d87d
+  data.tar.gz: 64b25a9e874d070f4289013c8d66cc1a3896fbf35bab1189f80ab84e01790593
 SHA512:
-  metadata.gz: f68e873c9f4950c4b11ecf7a673d4edf911a719bbea2f163e9da45809facebf2a5ec822293dd1077922106a507f4e017b1d1312ca7ab99a207a5212cae8fda2e
-  data.tar.gz: cfcb65632db1f023976acf5699880d615120f6ae669922c4f5c5d39cb0b61ce1daf0fed55a136e9b3b9d6e585d08143eca45b8446602f30b2dfa03686904eac2
+  metadata.gz: 69e71f2fea7ea67db2f3ae3dabb864b1f6c8234b45a7e3529315c0b65075b31ed7fa9837528e1fda7072a841987437f3a7a0f006c1b5a3bdcf3a3b8c26b2e660
+  data.tar.gz: a5853a4a2d3b35422238b281a44951a90fbff0d92e245546df70c06e2a618e5c1941cbce7b9e5ca2209b4dd4d5f4be9efd37e22cc25c22c9f9fa54a15aee7bc5

data/README.md

@@ -2,11 +2,11 @@
 
 ![ActiveCanvas Demo](docs/images/active-canvas-demo.gif)
 
-A mountable Rails engine that turns any Rails app into a full-featured CMS. Includes a visual drag-and-drop editor (GrapeJS), AI-powered content generation, Tailwind CSS compilation, media management, page versioning, and SEO controls -- all behind an admin interface that works out of the box.
+A mountable Rails engine that turns any Rails app into a full-featured CMS. Includes a visual drag-and-drop editor (GrapesJS), AI-powered content generation, Tailwind CSS compilation, media management, page versioning, and SEO controls -- all behind an admin interface that works out of the box.
 
 ## Features
 
-- **Visual Editor** -- Drag-and-drop page builder powered by GrapeJS
+- **Visual Editor** -- Drag-and-drop page builder powered by GrapesJS
 - **AI Content Generation** -- Text, images, and screenshot-to-code via OpenAI, Anthropic, or OpenRouter
 - **Tailwind CSS Compilation** -- Per-page compiled CSS for production (no CDN dependency)
 - **Media Library** -- Upload and manage images/files with Active Storage
@@ -56,7 +56,7 @@ Then visit `/canvas/admin` to start building pages.
 
 ## Visual Editor
 
-The GrapeJS editor provides:
+The GrapesJS editor provides:
 
 - Drag-and-drop blocks (text, images, columns, forms, etc.)
 - Code editor panel for direct HTML/CSS editing
@@ -161,6 +161,45 @@ Upload and manage images directly from the admin or from within the editor's ass
 - Works with any Active Storage backend (local, S3, GCS, etc.)
 - Public or signed URL modes
 
+## Media & storage
+
+### Stable media references
+
+Images inserted via the editor are stored as `data-ac-media-id` attribute references in page content rather than raw URLs. At render time, `ContentRenderer` resolves each reference to a fresh URL, so time-limited signed URLs are never persisted in the database. Existing pages gain this behaviour automatically after running the backfill migration:
+
+```bash
+bin/rails active_canvas:install:migrations
+bin/rails db:migrate
+```
+
+Note: blobs that were already deleted from Active Storage cannot be recovered by the backfill.
+
+### public_uploads (#4)
+
+Setting `config.public_uploads = true` only takes effect when the Active Storage service is **also** declared `public: true` in `config/storage.yml`. If the service is not public, ActiveCanvas logs a warning and falls back to signed URLs automatically.
+
+For a public Disk service used outside a request context (e.g. background jobs), you must set:
+
+```ruby
+Rails.application.routes.default_url_options[:host] = "https://yourapp.example.com"
+```
+
+### Public S3 buckets (#5)
+
+For S3, make the bucket publicly readable via a **bucket policy**, not per-object ACLs. Modern S3 buckets have Object Ownership set to "Bucket owner enforced" and Block Public Access enabled, which means per-object `public-read` ACLs are silently ignored. A bucket policy that allows `s3:GetObject` for `"Principal": "*"` is the supported path.
+
+Declare the service `public: true` in `config/storage.yml` and set `config.storage_service` to its name -- that combination is what ActiveCanvas checks before switching to public URLs.
+
+### SVG uploads (#6)
+
+SVG uploads are disabled by default because SVGs can contain `<script>` tags and event-handler attributes (stored-XSS).
+
+When you enable them with `config.allow_svg_uploads = true`, ActiveCanvas serves uploaded SVGs with `Content-Disposition: attachment` on the **signed-URL path**, which causes browsers to download the file rather than render it, neutralizing top-level execution.
+
+**Known limitation:** this disposition is **not** applied when `public_uploads` is `true` and the storage service is public. In that configuration the SVG is served inline directly from the public bucket/origin, bypassing the disposition header. If you need SVG uploads with `public_uploads`, serve media uploads from a **separate origin or bucket** (a different domain from your application) so that any injected scripts cannot access your app's cookies or local storage.
+
+Also note: the admin "Open Original" link will trigger a download (not an inline display) for SVG files because of the `attachment` disposition.
+
 ## Page Versioning
 
 Every content change creates a version automatically. View the version history from the page admin to see:

data/app/assets/javascripts/active_canvas/editor/asset_manager.js

@@ -7,6 +7,20 @@
 
   window.ActiveCanvasEditor = window.ActiveCanvasEditor || {};
 
+  /**
+   * Warn when a src is a relative asset path the engine cannot resolve.
+   * Absolute URLs, root-relative paths, and data: URIs are fine.
+   */
+  function warnIfUnresolvableSrc(src) {
+    const { showToast } = window.ActiveCanvasEditor;
+    if (!src) return;
+    const ok = /^(https?:)?\/\//i.test(src) || src.startsWith('/') || src.startsWith('data:');
+    if (!ok) {
+      console.warn(`[ActiveCanvas] "${src}" is a relative path the engine will not serve at runtime. Use the media library instead.`);
+      if (showToast) showToast('Relative asset paths won\'t resolve on the published page', 'error');
+    }
+  }
+
   /**
    * Setup the custom asset manager modal
    * @param {Object} editor - GrapeJS editor instance
@@ -168,7 +182,7 @@
 
     function renderMediaGrid(media, container) {
       container.innerHTML = media.map(item => `
-        <div class="ac-asset-item" data-src="${item.src}" data-name="${item.name || ''}">
+        <div class="ac-asset-item" data-src="${item.src}" data-name="${item.name || ''}" data-media-id="${item.id || ''}">
           <div class="ac-asset-thumb">
             <img src="${item.src}" alt="${item.name || 'Image'}" loading="lazy">
           </div>
@@ -179,7 +193,7 @@
       // Add click handlers
       container.querySelectorAll('.ac-asset-item').forEach(item => {
         item.addEventListener('click', () => {
-          selectAsset(item.dataset.src, item.dataset.name);
+          selectAsset(item.dataset.src, item.dataset.name, item.dataset.mediaId);
         });
       });
     }
@@ -221,13 +235,16 @@
       });
     }
 
-    function selectAsset(src, name) {
+    function selectAsset(src, name, mediaId) {
       // Add to GrapeJS asset manager
-      editor.AssetManager.add({ src, name, type: 'image' });
+      editor.AssetManager.add({ src, name, type: 'image', mediaId });
 
-      // If there's a target component, set the image
+      // If there's a target component, set the image + stable media ref
       if (currentTarget) {
         currentTarget.set('src', src);
+        if (mediaId) {
+          currentTarget.addAttributes({ 'data-ac-media-id': mediaId });
+        }
       }
 
       // Close modal
@@ -333,10 +350,10 @@
     }
 
     grid.innerHTML = assets.map(asset => `
-      <div class="asset-item" draggable="true" data-src="${asset.src}" data-name="${asset.name || 'Image'}" title="${asset.name || 'Image'}">
+      <div class="asset-item" draggable="true" data-src="${asset.src}" data-name="${asset.name || 'Image'}" data-media-id="${asset.id || asset.mediaId || ''}" title="${asset.name || 'Image'}">
         <img src="${asset.src}" alt="${asset.name || 'Image'}" loading="lazy">
         <div class="asset-item-overlay">
-          <button class="asset-insert-btn" data-src="${asset.src}" title="Insert image">
+          <button class="asset-insert-btn" data-src="${asset.src}" data-media-id="${asset.id || asset.mediaId || ''}" title="Insert image">
             <svg xmlns="http://www.w3.org/2000/svg" width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
               <line x1="12" y1="5" x2="12" y2="19"/>
               <line x1="5" y1="12" x2="19" y2="12"/>
@@ -351,7 +368,9 @@
       // Drag to canvas
       item.addEventListener('dragstart', (e) => {
         const src = item.dataset.src;
-        e.dataTransfer.setData('text/html', `<img src="${src}" alt="Image" style="max-width: 100%;">`);
+        const mediaId = item.dataset.mediaId;
+        const idAttr = mediaId ? ` data-ac-media-id="${mediaId}"` : '';
+        e.dataTransfer.setData('text/html', `<img src="${src}"${idAttr} alt="Image" style="max-width: 100%;">`);
         e.dataTransfer.effectAllowed = 'copy';
       });
 
@@ -360,15 +379,13 @@
       if (insertBtn) {
         insertBtn.addEventListener('click', (e) => {
           e.stopPropagation();
-          const src = insertBtn.dataset.src;
-          insertImageToCanvas(editor, src);
+          insertImageToCanvas(editor, insertBtn.dataset.src, insertBtn.dataset.mediaId);
         });
       }
 
       // Double-click to insert
       item.addEventListener('dblclick', () => {
-        const src = item.dataset.src;
-        insertImageToCanvas(editor, src);
+        insertImageToCanvas(editor, item.dataset.src, item.dataset.mediaId);
       });
     });
   }
@@ -376,14 +393,20 @@
   /**
    * Insert an image into the canvas
    */
-  function insertImageToCanvas(editor, src) {
+  function insertImageToCanvas(editor, src, mediaId) {
     const { showToast } = window.ActiveCanvasEditor;
+    warnIfUnresolvableSrc(src);
     const selected = editor.getSelected();
     const wrapper = editor.getWrapper();
 
+    const attributes = { src: src, alt: 'Image' };
+    if (mediaId) {
+      attributes['data-ac-media-id'] = mediaId;
+    }
+
     const imageComponent = {
       type: 'image',
-      attributes: { src: src, alt: 'Image' },
+      attributes: attributes,
       style: { 'max-width': '100%' }
     };
 

data/app/models/active_canvas/current.rb

@@ -0,0 +1,9 @@
+module ActiveCanvas
+  class Current < ActiveSupport::CurrentAttributes
+    attribute :settings_cache
+
+    def settings_cache
+      super || (self.settings_cache = {})
+    end
+  end
+end

data/app/models/active_canvas/media.rb

@@ -9,15 +9,23 @@ module ActiveCanvas
 
     serialize :metadata, coder: JSON
 
+    # Tracks whether the public_uploads-misconfiguration warning was already
+    # logged this process (avoids log spam).
+    @public_uploads_warned = false
+    class << self
+      attr_accessor :public_uploads_warned
+    end
+
     validates :filename, presence: true
     validates :file, presence: true, on: :create
 
     validate :acceptable_file, on: :create
 
-    before_save :set_file_attributes, if: -> { file.attached? && file.blob.present? }
+    before_validation :set_file_attributes, on: :create,
+      if: -> { file.attached? && file.blob.present? }
     after_commit :make_blob_public, on: [:create, :update], if: :should_make_public?
 
-    scope :images, -> { where(content_type: ActiveCanvas.config.allowed_content_types) }
+    scope :images, -> { where(content_type: ActiveCanvas.config.effective_allowed_content_types) }
     scope :recent, -> { order(created_at: :desc) }
 
     def metadata
@@ -27,22 +35,19 @@ module ActiveCanvas
     def url
       return nil unless file.attached?
 
-      # If public_uploads is enabled and blob service supports public URLs
       if ActiveCanvas.config.public_uploads &&
          file.blob.service.respond_to?(:public?) &&
          file.blob.service.public?
+        # NOTE: public services serve the blob directly; the SVG attachment
+        # disposition (see #svg_disposition_option) is NOT applied here. For
+        # public SVG serving, use a separate origin/bucket. See README "Media & storage".
         file.url
       else
-        # Use signed URL with expiration for better security
-        Rails.application.routes.url_helpers.rails_blob_url(
-          file,
-          expires_in: 1.hour,
-          only_path: true
-        )
+        warn_if_public_uploads_misconfigured
+        Rails.application.routes.url_helpers.rails_blob_url(file, **blob_url_options)
       end
     rescue ArgumentError
-      # Fallback for services that don't support expires_in
-      Rails.application.routes.url_helpers.rails_blob_url(file, only_path: true)
+      Rails.application.routes.url_helpers.rails_blob_url(file, only_path: true, **svg_disposition_option)
     end
 
     def public_url
@@ -112,6 +117,28 @@ module ActiveCanvas
       end
     end
 
+    def warn_if_public_uploads_misconfigured
+      return unless ActiveCanvas.config.public_uploads
+      return if self.class.public_uploads_warned
+
+      self.class.public_uploads_warned = true
+      Rails.logger.warn(
+        "[ActiveCanvas] config.public_uploads is true but the storage service " \
+        "(#{file.blob.service.name}) is not public. Falling back to signed URLs. " \
+        "Declare a `public: true` service (and set config.storage_service) to serve public URLs."
+      )
+    end
+
+    def blob_url_options
+      { expires_in: 1.hour, only_path: true }.merge(svg_disposition_option)
+    end
+
+    def svg_disposition_option
+      return {} unless file.attached? && file.blob.present?
+
+      file.blob.content_type == "image/svg+xml" ? { disposition: "attachment" } : {}
+    end
+
     def should_make_public?
       file.attached? && ActiveCanvas.config.public_uploads
     end

data/app/models/active_canvas/page.rb

@@ -22,7 +22,7 @@ module ActiveCanvas
     end
 
     def rendered_content
-      content.to_s.html_safe
+      ActiveCanvas::ContentRenderer.resolve(content).to_s.html_safe
     end
 
     def current_version_number

data/app/models/active_canvas/setting.rb

@@ -29,29 +29,45 @@ module ActiveCanvas
 
     class << self
       def get(key)
-        setting = find_by(key: key)
-        return nil unless setting
+        key = key.to_s
+        cache = Current.settings_cache
+        return cache[key] if cache.key?(key)
 
-        if ENCRYPTED_KEYS.include?(key.to_s) && setting.encrypted_value.present?
+        setting = find_by(key: key)
+        value = if setting.nil?
+          nil
+        elsif ENCRYPTED_KEYS.include?(key) && setting.encrypted_value.present?
           decrypt_value(setting.encrypted_value)
         else
           setting.value
         end
+
+        cache[key] = value
       end
 
       def set(key, value)
-        setting = find_or_initialize_by(key: key)
-
-        if ENCRYPTED_KEYS.include?(key.to_s) && value.present?
-          setting.encrypted_value = encrypt_value(value)
-          setting.value = nil # Clear plain text value
-        else
-          setting.value = value
-          setting.encrypted_value = nil if ENCRYPTED_KEYS.include?(key.to_s)
+        retried = false
+        begin
+          setting = find_or_initialize_by(key: key)
+
+          if ENCRYPTED_KEYS.include?(key.to_s) && value.present?
+            setting.encrypted_value = encrypt_value(value)
+            setting.value = nil # Clear plain text value
+          else
+            setting.value = value
+            setting.encrypted_value = nil if ENCRYPTED_KEYS.include?(key.to_s)
+          end
+
+          setting.save!
+          Current.settings_cache[key.to_s] = value
+          value
+        rescue ActiveRecord::RecordNotUnique
+          # Another process inserted the same key between find_or_initialize_by
+          # and save!. Reload and retry once; the second pass will UPDATE.
+          raise if retried
+          retried = true
+          retry
         end
-
-        setting.save!
-        value
       end
 
       # Check if an API key is configured (without revealing the value)

data/app/services/active_canvas/content_renderer.rb

@@ -0,0 +1,27 @@
+module ActiveCanvas
+  # Resolves persisted media references (<img data-ac-media-id="N">) to fresh
+  # URLs at render time. We persist a stable id, never a time-limited URL, so
+  # saved content never rots.
+  class ContentRenderer
+    def self.resolve(html)
+      return html if html.blank?
+
+      fragment = Nokogiri::HTML5.fragment(html)
+      nodes = fragment.css("img[data-ac-media-id]")
+      return html if nodes.empty?
+
+      ids = nodes.map { |n| n["data-ac-media-id"] }.uniq
+      media_by_id = Media.where(id: ids)
+                         .includes(file_attachment: :blob)
+                         .index_by { |m| m.id.to_s }
+
+      nodes.each do |node|
+        media = media_by_id[node["data-ac-media-id"].to_s]
+        fresh_url = media&.url
+        node["src"] = fresh_url if fresh_url # unknown id or orphaned media: leave the node as-is
+      end
+
+      fragment.to_html
+    end
+  end
+end

data/app/services/active_canvas/media_ref_backfill.rb

@@ -0,0 +1,77 @@
+require "base64"
+require "json"
+
+module ActiveCanvas
+  # One-time, best-effort backfill: rewrites legacy <img> tags whose src is an
+  # Active Storage blob redirect URL into stable <img data-ac-media-id="N"> refs
+  # that ContentRenderer can resolve at render time. Idempotent; logs unmatched.
+  #
+  # Recovers the blob id by decoding the signed_id payload directly, bypassing
+  # the expiry check (this is our own data) so already-rotted URLs are healed.
+  class MediaRefBackfill
+    BLOB_URL_RE = %r{active_storage/blobs/(?:redirect|proxy)/([^/]+)/[^/]+\z}
+
+    def self.run(logger: Rails.logger)
+      new(logger).run
+    end
+
+    def initialize(logger)
+      @logger = logger
+    end
+
+    def run
+      ActiveCanvas::Page.find_each do |page|
+        content = page.content
+        next if content.blank?
+
+        fragment = Nokogiri::HTML5.fragment(content)
+        changed = false
+
+        fragment.css("img").each do |img|
+          next if img["data-ac-media-id"].present?
+
+          src = img["src"].to_s
+          next unless src.match?(BLOB_URL_RE)
+
+          media_id = media_id_for(src)
+          if media_id
+            img["data-ac-media-id"] = media_id.to_s
+            changed = true
+          else
+            @logger.warn("[ActiveCanvas] backfill: could not match media for #{src} on page #{page.id}")
+          end
+        end
+
+        # update_columns: skip sanitize + version callbacks; we only add a data-* attr.
+        page.update_columns(content: fragment.to_html) if changed
+      end
+    end
+
+    private
+
+    def media_id_for(src)
+      match = src.match(BLOB_URL_RE)
+      return nil unless match
+
+      blob_id = blob_id_from_signed_id(match[1])
+      return nil unless blob_id
+
+      ActiveStorage::Attachment
+        .where(record_type: "ActiveCanvas::Media", name: "file", blob_id: blob_id)
+        .limit(1)
+        .pick(:record_id)
+    end
+
+    # Decodes "<base64 payload>--<hmac>" into the blob id. The payload base64
+    # decodes to {"_rails":{"data":<blob_id>,"exp":...,"pur":"blob_id"}}.
+    def blob_id_from_signed_id(signed_id)
+      payload = signed_id.to_s.split("--").first
+      return nil if payload.blank?
+
+      data = JSON.parse(Base64.decode64(payload))
+      data.dig("_rails", "data")
+    rescue StandardError
+      nil
+    end
+  end
+end

data/db/migrate/20260613000002_backfill_active_canvas_media_refs.rb

@@ -0,0 +1,9 @@
+class BackfillActiveCanvasMediaRefs < ActiveRecord::Migration[8.1]
+  def up
+    ActiveCanvas::MediaRefBackfill.run
+  end
+
+  def down
+    # No-op: data-ac-media-id attributes are harmless to leave in place.
+  end
+end

data/lib/active_canvas/configuration.rb

@@ -40,13 +40,25 @@ module ActiveCanvas
     # Allowed MIME types for uploads
     attr_accessor :allowed_content_types
 
-    # Allow SVG uploads (disabled by default due to XSS risks)
+    # Allow SVG uploads (disabled by default due to XSS risks).
+    # SECURITY: SVGs can contain <script>/onload. ActiveCanvas serves uploaded
+    # SVGs with Content-Disposition: attachment on the signed-URL path to prevent
+    # top-level execution. NOTE: this disposition is NOT applied when
+    # public_uploads is true and the storage service is public (the file is served
+    # inline from the public bucket/origin). If you enable SVG uploads, prefer
+    # serving uploads from a SEPARATE origin/bucket, especially with public_uploads.
     attr_accessor :allow_svg_uploads
 
     # Active Storage service name (nil = default service)
     attr_accessor :storage_service
 
-    # Make uploads publicly accessible (false = use signed URLs)
+    # Make uploads publicly accessible (false = signed, expiring URLs).
+    # NOTE: this only takes effect when the Active Storage service is ALSO
+    # declared `public: true` in config/storage.yml. For S3, make the bucket
+    # public via a BUCKET POLICY (per-object ACLs are ignored on modern buckets
+    # with Object Ownership = Bucket owner enforced / Block Public Access).
+    # For a public Disk service outside a request, set
+    # Rails.application.routes.default_url_options[:host].
     attr_accessor :public_uploads
 
     # ==> Editor Settings
@@ -180,7 +192,7 @@ module ActiveCanvas
     def effective_allowed_content_types
       types = allowed_content_types.dup
       types << "image/svg+xml" if allow_svg_uploads
-      types - DANGEROUS_CONTENT_TYPES
+      (types - DANGEROUS_CONTENT_TYPES).uniq
     end
 
     # Check if authentication is properly configured for production

data/lib/active_canvas/version.rb

@@ -1,3 +1,3 @@
 module ActiveCanvas
-  VERSION = "0.0.2"
+  VERSION = "0.0.3"
 end

data/lib/generators/active_canvas/install/install_generator.rb

@@ -5,6 +5,11 @@ module ActiveCanvas
 
       desc "Interactive setup wizard for ActiveCanvas"
 
+      class_option :defaults, type: :boolean, default: false,
+        desc: "Run non-interactively using default answers (CI-safe)"
+      class_option :skip_route, type: :boolean, default: false,
+        desc: "Do not mount ActiveCanvas::Engine in config/routes.rb"
+
       def welcome
         say ""
         say "=" * 60, :cyan
@@ -45,8 +50,7 @@ module ActiveCanvas
         say "  3. none      - No framework"
         say ""
 
-        framework = ask("Enter choice [tailwind]:")
-        framework = "tailwind" if framework.blank?
+        framework = ask_value("Enter choice [tailwind]:", default: "tailwind")
         framework = framework.downcase.strip
 
         @css_framework = case framework
@@ -94,8 +98,7 @@ module ActiveCanvas
         say "Step 4: Configuration", :yellow
         say "-" * 40
 
-        @mount_path = ask("Mount path [/canvas]:")
-        @mount_path = "/canvas" if @mount_path.blank?
+        @mount_path = ask_value("Mount path [/canvas]:", default: "/canvas")
         @mount_path = "/#{@mount_path}" unless @mount_path.start_with?("/")
 
         template "initializer.rb", "config/initializers/active_canvas.rb"
@@ -104,6 +107,9 @@ module ActiveCanvas
       end
 
       def mount_engine
+        @mount_path ||= "/canvas"
+        return if options[:skip_route]
+
         say "Step 5: Routes", :yellow
         say "-" * 40
 
@@ -162,11 +168,24 @@ module ActiveCanvas
 
       private
 
+      def interactive?
+        !options[:defaults]
+      end
+
+      # Non-interactive: return the default instead of reading stdin.
+      def ask_value(question, default:)
+        return default unless interactive?
+        answer = ask(question)
+        answer.blank? ? default : answer
+      end
+
       # Helper for yes/no prompts with clear defaults
       # @param question [String] The question to ask
       # @param default [Boolean] The default answer (true = Y, false = N)
       # @return [Boolean]
       def yes_no?(question, default: true)
+        return default unless interactive?
+
         indicator = default ? "[Y/n]" : "[y/N]"
         answer = ask("#{question} #{indicator}")
 
@@ -176,7 +195,8 @@ module ActiveCanvas
       end
 
       def setup_tailwind
-        gemfile_content = File.read(Rails.root.join("Gemfile"))
+        gemfile_path = Rails.root.join("Gemfile")
+        gemfile_content = File.exist?(gemfile_path) ? File.read(gemfile_path) : ""
 
         if gemfile_content.include?("tailwindcss-rails")
           say "✓ tailwindcss-rails gem already installed", :green
@@ -202,6 +222,12 @@ module ActiveCanvas
       end
 
       def configure_ai_keys
+        unless interactive?
+          @openai_key = @anthropic_key = @openrouter_key = nil
+          say "→ Non-interactive: skipping AI key entry. Add keys later in Admin > Settings > AI", :yellow
+          return
+        end
+
         say ""
         @openai_key = ask("OpenAI API key (leave blank to skip):")
         @anthropic_key = ask("Anthropic API key (leave blank to skip):")

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: active_canvas
 version: !ruby/object:Gem::Version
-  version: 0.0.2
+  version: 0.0.3
 platform: ruby
 authors:
 - Giovanni Panasiti
 bindir: bin
 cert_chain: []
-date: 2026-04-30 00:00:00.000000000 Z
+date: 2026-06-13 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -77,6 +77,7 @@ files:
 - app/mailers/active_canvas/application_mailer.rb
 - app/models/active_canvas/ai_model.rb
 - app/models/active_canvas/application_record.rb
+- app/models/active_canvas/current.rb
 - app/models/active_canvas/media.rb
 - app/models/active_canvas/page.rb
 - app/models/active_canvas/page_type.rb
@@ -86,7 +87,9 @@ files:
 - app/services/active_canvas/ai_configuration.rb
 - app/services/active_canvas/ai_models.rb
 - app/services/active_canvas/ai_service.rb
+- app/services/active_canvas/content_renderer.rb
 - app/services/active_canvas/content_sanitizer.rb
+- app/services/active_canvas/media_ref_backfill.rb
 - app/services/active_canvas/tailwind_compiler.rb
 - app/views/active_canvas/admin/media/index.html.erb
 - app/views/active_canvas/admin/media/show.html.erb
@@ -116,6 +119,7 @@ files:
 - config/routes.rb
 - db/migrate/20260202000001_create_active_canvas_tables.rb
 - db/migrate/20260202000002_create_active_canvas_ai_models.rb
+- db/migrate/20260613000002_backfill_active_canvas_media_refs.rb
 - lib/active_canvas.rb
 - lib/active_canvas/configuration.rb
 - lib/active_canvas/engine.rb