collavre 0.16.0 → 0.20.0

data/app/controllers/collavre/topics_controller.rb

@@ -1,6 +1,11 @@
 module Collavre
   class TopicsController < ApplicationController
+    include Collavre::CreativePermissionGuard
+
     before_action :set_creative
+    before_action :require_creative_read!, only: %i[next_name]
+    before_action :require_creative_admin!, only: %i[update destroy move reorder]
+    before_action :require_creative_write!, only: %i[create archive unarchive set_primary_agent]
 
     def index
       is_owner = @creative.user == Current.user
@@ -18,6 +23,7 @@ module Collavre
       end
 
       system_topic_id = @creative.inbox? ? @creative.topics.find_by(name: Creative::SYSTEM_TOPIC_NAME)&.id : nil
+      main_topic_id = @creative.main_topic(fallback_user: Current.user).id
 
       render json: {
         topics: active_topics.map { |t| topic_json(t) },
@@ -26,15 +32,12 @@ module Collavre
         can_create_topic: can_create_topic,
         last_topic_id: last_topic_id,
         is_inbox: @creative.inbox?,
-        system_topic_id: system_topic_id
+        system_topic_id: system_topic_id,
+        main_topic_id: main_topic_id
       }
     end
 
     def create
-      unless @creative.has_permission?(Current.user, :write) || @creative.user == Current.user
-        render json: { error: I18n.t("collavre.topics.no_permission") }, status: :forbidden and return
-      end
-
       topic = @creative.topics.build(topic_params)
       topic.user = Current.user
 
@@ -56,10 +59,7 @@ module Collavre
           end
 
           broadcast_data = agent ? topic_json_with_agent(topic, agent) : topic.slice(:id, :name)
-          TopicsChannel.broadcast_to(
-            @creative,
-            { action: "created", topic: broadcast_data, user_id: Current.user.id }
-          )
+          broadcast_topic_event("created", topic: broadcast_data, user_id: Current.user.id)
           render json: topic, status: :created
         else
           render json: { errors: topic.errors.full_messages }, status: :unprocessable_entity
@@ -70,54 +70,35 @@ module Collavre
     end
 
     def next_name
-      unless @creative.has_permission?(Current.user, :read) || @creative.user == Current.user
-        render json: { error: I18n.t("collavre.topics.no_permission") }, status: :forbidden and return
-      end
-
       render json: { name: generate_next_topic_name }
     end
 
     def update
-      unless @creative.has_permission?(Current.user, :admin) || @creative.user == Current.user
-        render json: { error: I18n.t("collavre.topics.no_permission") }, status: :forbidden and return
-      end
-
       topic = @creative.topics.find(params[:id])
 
       if topic.update(topic_params)
-        TopicsChannel.broadcast_to(
-          @creative,
-          { action: "updated", topic: topic.slice(:id, :name) }
-        )
-        render json: topic
+        broadcast_topic_event("updated", topic: topic_json(topic))
+        render json: topic_json(topic)
       else
         render json: { errors: topic.errors.full_messages }, status: :unprocessable_entity
       end
     end
 
     def destroy
-      unless @creative.has_permission?(Current.user, :admin) || @creative.user == Current.user
-        render json: { error: I18n.t("collavre.topics.no_permission") }, status: :forbidden and return
+      topic = @creative.topics.find(params[:id])
+
+      if topic.name == Creative::MAIN_TOPIC_NAME
+        render json: { error: I18n.t("collavre.topics.cannot_delete_main") }, status: :unprocessable_entity and return
       end
 
-      topic = @creative.topics.find(params[:id])
       topic_id = topic.id
-
-      # last_topic_id is nullified by DB FK (on_delete: :nullify) and model dependent: :nullify
       topic.destroy
 
-      TopicsChannel.broadcast_to(
-        @creative,
-        { action: "deleted", topic_id: topic_id }
-      )
+      broadcast_topic_event("deleted", topic_id: topic_id)
       head :no_content
     end
 
     def move
-      unless @creative.has_permission?(Current.user, :admin) || @creative.user == Current.user
-        render json: { error: I18n.t("collavre.topics.no_permission") }, status: :forbidden and return
-      end
-
       topic = @creative.topics.find(params[:id])
       target_creative = Creative.find(params[:target_creative_id]).effective_origin
 
@@ -135,53 +116,29 @@ module Collavre
         topic.update!(creative: target_creative)
       end
 
-      TopicsChannel.broadcast_to(
-        @creative,
-        { action: "deleted", topic_id: topic.id }
-      )
-      TopicsChannel.broadcast_to(
-        target_creative,
-        { action: "created", topic: topic.slice(:id, :name) }
-      )
+      broadcast_topic_event("deleted", topic_id: topic.id)
+      broadcast_topic_event("created", creative: target_creative, topic: topic.slice(:id, :name))
 
       render json: { success: true, topic: topic.slice(:id, :name), target_creative_id: target_creative.id }
     end
 
     def archive
-      unless @creative.has_permission?(Current.user, :write) || @creative.user == Current.user
-        render json: { error: I18n.t("collavre.topics.no_permission") }, status: :forbidden and return
-      end
-
       topic = @creative.topics.find(params[:id])
       topic.archive!
 
-      TopicsChannel.broadcast_to(
-        @creative,
-        { action: "archived", topic: topic.slice(:id, :name) }
-      )
+      broadcast_topic_event("archived", topic: topic.slice(:id, :name))
       render json: { success: true }
     end
 
     def unarchive
-      unless @creative.has_permission?(Current.user, :write) || @creative.user == Current.user
-        render json: { error: I18n.t("collavre.topics.no_permission") }, status: :forbidden and return
-      end
-
       topic = @creative.topics.find(params[:id])
       topic.unarchive!
 
-      TopicsChannel.broadcast_to(
-        @creative,
-        { action: "unarchived", topic: topic.slice(:id, :name, :archived_at) }
-      )
+      broadcast_topic_event("unarchived", topic: topic.slice(:id, :name, :archived_at))
       render json: { success: true }
     end
 
     def reorder
-      unless @creative.has_permission?(Current.user, :admin) || @creative.user == Current.user
-        render json: { error: I18n.t("collavre.topics.no_permission") }, status: :forbidden and return
-      end
-
       topic_ids = params[:topic_ids]
       unless topic_ids.is_a?(Array) && topic_ids.present?
         render json: { error: "Invalid topic_ids" }, status: :unprocessable_entity and return
@@ -193,19 +150,12 @@ module Collavre
         end
       end
 
-      TopicsChannel.broadcast_to(
-        @creative,
-        { action: "reordered", topic_ids: topic_ids }
-      )
+      broadcast_topic_event("reordered", topic_ids: topic_ids)
 
       render json: { success: true }
     end
 
     def set_primary_agent
-      unless @creative.has_permission?(Current.user, :write) || @creative.user == Current.user
-        render json: { error: I18n.t("collavre.topics.no_permission") }, status: :forbidden and return
-      end
-
       topic = @creative.topics.find(params[:id])
       agent = User.find_by(id: params[:agent_id])
 
@@ -215,13 +165,7 @@ module Collavre
 
       topic.set_primary_agent!(agent)
 
-      TopicsChannel.broadcast_to(
-        @creative,
-        {
-          action: "updated",
-          topic: topic_json_with_agent(topic, agent)
-        }
-      )
+      broadcast_topic_event("updated", topic: topic_json_with_agent(topic, agent))
 
       render json: { success: true, topic: topic_json_with_agent(topic, agent) }
     end
@@ -287,13 +231,11 @@ module Collavre
     end
 
     def agent_json(agent)
-      {
-        id: agent.id,
-        name: agent.display_name,
-        avatar_url: view_context.user_avatar_url(agent, size: 20),
-        default_avatar: !agent.avatar.attached? && agent.avatar_url.blank?,
-        initial: agent.display_name&.at(0)&.upcase || "?"
-      }
+      view_context.user_json(agent)
+    end
+
+    def broadcast_topic_event(action, creative: @creative, **payload)
+      TopicsChannel.broadcast_to(creative, { action: action, **payload })
     end
   end
 end

data/app/controllers/concerns/collavre/comments/comment_scoping.rb

@@ -9,6 +9,9 @@ module Collavre
 
       def set_creative
         @creative = Creative.find(params[:creative_id]).effective_origin
+        unless @creative.has_permission?(Current.user, :read)
+          render json: { error: I18n.t("collavre.creatives.errors.no_permission") }, status: :forbidden
+        end
       end
 
       def set_comment

data/app/controllers/concerns/collavre/creative_permission_guard.rb

@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+module Collavre
+  module CreativePermissionGuard
+    extend ActiveSupport::Concern
+
+    private
+
+    def require_creative_read!
+      return if @creative.has_permission?(Current.user, :read) || @creative.user == Current.user
+
+      render json: { error: creative_permission_denied_message }, status: :forbidden
+    end
+
+    def require_creative_write!
+      return if @creative.has_permission?(Current.user, :write) || @creative.user == Current.user
+
+      render json: { error: creative_permission_denied_message }, status: :forbidden
+    end
+
+    def require_creative_admin!
+      return if @creative.has_permission?(Current.user, :admin) || @creative.user == Current.user
+
+      render json: { error: creative_permission_denied_message }, status: :forbidden
+    end
+
+    # Override in controllers that use a different i18n key.
+    def creative_permission_denied_message
+      I18n.t("collavre.topics.no_permission")
+    end
+  end
+end

data/app/controllers/concerns/collavre/integration_setup.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+module Collavre
+  module IntegrationSetup
+    extend ActiveSupport::Concern
+
+    private
+
+    def set_creative
+      @creative = Collavre::Creative.find(params[:creative_id])
+    end
+
+    def set_origin
+      @origin = @creative.effective_origin
+    end
+  end
+end

data/app/helpers/collavre/application_helper.rb

@@ -81,11 +81,30 @@ module Collavre
       safe_join(styles, "\n")
     end
 
+    def user_json(user, email: false, ai_user: false)
+      data = {
+        id: user.id,
+        name: user.display_name,
+        avatar_url: user_avatar_url(user, size: 20),
+        default_avatar: !user.avatar.attached? && user.avatar_url.blank?,
+        initial: user.display_name&.at(0)&.upcase || "?"
+      }
+      data[:email] = user.email if email
+      data[:ai_user] = user.ai_user? if ai_user
+      data
+    end
+
     private
 
+    CSS_VARIABLE_KEY_PATTERN = /\A--[a-zA-Z0-9_-]+\z/
+    CSS_VARIABLE_VALUE_PATTERN = /\A[^;}{<>"']+\z/
+    ALLOWED_COLOR_SCHEMES = %w[light dark].freeze
+
     def render_theme_media_query(theme, mode)
-      vars = theme.variables.map { |k, v| "#{k}: #{v} !important;" }.join("\n            ")
-      legacy = legacy_alias_declarations(theme.variables).map { |k, v| "#{k}: #{v} !important;" }.join("\n            ")
+      return "" unless ALLOWED_COLOR_SCHEMES.include?(mode)
+
+      vars = safe_css_declarations(theme.variables)
+      legacy = safe_css_declarations(legacy_alias_declarations(theme.variables))
       dark_filter = theme.dark? ? "--date-icon-filter: invert(0.8) !important;" : ""
 
       <<~CSS
@@ -99,6 +118,15 @@ module Collavre
       CSS
     end
 
+    def safe_css_declarations(variables)
+      variables.filter_map { |k, v|
+        k = k.to_s
+        v = v.to_s
+        next unless k.match?(CSS_VARIABLE_KEY_PATTERN) && v.match?(CSS_VARIABLE_VALUE_PATTERN)
+        "#{k}: #{v} !important;"
+      }.join("\n            ")
+    end
+
     public
 
     # Render all partials registered for a named extension slot.

data/app/javascript/components/InlineLexicalEditor.jsx

@@ -48,6 +48,7 @@ import FileUploadPlugin, {
 import { ImageNode } from "../lib/lexical/image_node"
 import { AttachmentNode } from "../lib/lexical/attachment_node"
 import AttachmentCleanupPlugin from "./plugins/attachment_cleanup_plugin"
+import MarkdownShortcutsPlugin from "./plugins/markdown_shortcuts_plugin"
 import { syncLexicalStyleAttributes } from "../lib/lexical/style_attributes"
 import { updateResponsiveImages } from "../lib/responsive_images"
 
@@ -956,6 +957,7 @@ function EditorInner({
           blobUrlTemplate={blobUrlTemplate}
         />
         <AttachmentCleanupPlugin deletedAttachmentsRef={deletedAttachmentsRef} />
+        <MarkdownShortcutsPlugin />
         {onEnterKey && <EnterKeyPlugin onEnterKey={onEnterKey} />}
       </div>
     </div>
@@ -966,14 +968,16 @@ function EnterKeyPlugin({ onEnterKey }) {
   const [editor] = useLexicalComposerContext()
 
   useEffect(() => {
-    // Use capture-phase keydown on the root element to intercept Enter
-    // BEFORE Lexical's own handlers process it and insert a paragraph.
+    // Use capture-phase keydown on the root element to intercept Shift+Enter
+    // BEFORE Lexical's own handlers process it.
+    // Bare Enter is left to Lexical for newline insertion.
     const rootElement = editor.getRootElement()
     if (!rootElement) return
 
     const handler = (event) => {
       if (event.key !== 'Enter') return
-      if (event.shiftKey || event.altKey || event.ctrlKey || event.metaKey) return
+      if (!event.shiftKey) return // only intercept Shift+Enter
+      if (event.altKey || event.ctrlKey || event.metaKey) return
       if (event.isComposing) return
 
       if (onEnterKey(event, editor) === true) {

data/app/javascript/components/creative_tree_row.js

@@ -25,6 +25,7 @@ class CreativeTreeRow extends LitElement {
     originLinkHtml: { state: true },
     isTitle: { type: Boolean, attribute: "is-title", reflect: true },
     archived: { type: Boolean, attribute: "archived", reflect: true },
+    githubSource: { type: Boolean, attribute: "github-source", reflect: true },
     loadingChildren: { type: Boolean, attribute: "loading-children", reflect: true },
     _loadingDotsState: { state: true },
     editingUsers: { state: true }
@@ -48,6 +49,7 @@ class CreativeTreeRow extends LitElement {
     this.editOffIconHtml = "";
     this.originLinkHtml = "";
     this.isTitle = false;
+    this.githubSource = false;
     this.editingUsers = []; // [{ user_id, user_name, avatar_url }]
     this._templatesExtracted = false;
     this.loadingChildren = false;
@@ -315,12 +317,22 @@ class CreativeTreeRow extends LitElement {
     `;
   }
 
+  _renderGithubBadge() {
+    if (!this.githubSource) return nothing;
+    return html`<span class="github-source-badge" title="Synced from GitHub (read-only)">
+      <svg width="14" height="14" viewBox="0 0 16 16" fill="currentColor" style="vertical-align: -2px; opacity: 0.5;">
+        <path d="M8 0C3.58 0 0 3.58 0 8c0 3.54 2.29 6.53 5.47 7.59.4.07.55-.17.55-.38 0-.19-.01-.82-.01-1.49-2.01.37-2.53-.49-2.69-.94-.09-.23-.48-.94-.82-1.13-.28-.15-.68-.52-.01-.53.63-.01 1.08.58 1.23.82.72 1.21 1.87.87 2.33.66.07-.52.28-.87.51-1.07-1.78-.2-3.64-.89-3.64-3.95 0-.87.31-1.59.82-2.15-.08-.2-.36-1.02.08-2.12 0 0 .67-.21 2.2.82.64-.18 1.32-.27 2-.27.68 0 1.36.09 2 .27 1.53-1.04 2.2-.82 2.2-.82.44 1.1.16 1.92.08 2.12.51.56.82 1.27.82 2.15 0 3.07-1.87 3.75-3.65 3.95.29.25.54.73.54 1.48 0 1.07-.01 1.93-.01 2.2 0 .21.15.46.55.38A8.013 8.013 0 0016 8c0-4.42-3.58-8-8-8z"/>
+      </svg>
+    </span>`;
+  }
+
   _renderContent() {
     const level = Number(this.level) || 1;
     // Toggle is now rendered outside
+    const githubBadge = this._renderGithubBadge();
     const content = html`
       <div class="creative-content" @click=${this._handleContentClick}>
-        ${unsafeHTML(this.descriptionHtml || "")}
+        ${githubBadge}${unsafeHTML(this.descriptionHtml || "")}
       </div>
     `;
     const indicator = this.loadingChildren ? this._renderLoadingIndicator() : nothing;
@@ -579,6 +591,14 @@ class CreativeTreeRow extends LitElement {
   }
 
   _handleContentClick(event) {
+    // In select mode, block navigation — selection toggle is handled by
+    // select_mode_controller's mousedown handler to avoid double-toggling.
+    if (this.selectMode) {
+      event.preventDefault();
+      event.stopPropagation();
+      return;
+    }
+
     // Check if the clicked element is an interactive element or inside one
     const target = event.target;
     if (target.tagName === 'A' || target.closest('a') ||

data/app/javascript/components/plugins/markdown_shortcuts_plugin.jsx

@@ -0,0 +1,34 @@
+import { useEffect } from "react"
+import { useLexicalComposerContext } from "@lexical/react/LexicalComposerContext"
+import {
+  registerMarkdownShortcuts,
+  UNORDERED_LIST,
+  ORDERED_LIST,
+  CODE
+} from "@lexical/markdown"
+
+/**
+ * Markdown-style shortcuts for the creative inline editor:
+ *
+ * - "* " / "- " / "+ " at line start → unordered list
+ * - "1. " (any number) at line start → ordered list
+ * - "```" + space at line start → code block
+ *
+ * These fire on text change (not on Enter), so they don't conflict
+ * with the Enter→addNew() shortcut on desktop.
+ */
+const CREATIVE_MARKDOWN_TRANSFORMERS = [
+  UNORDERED_LIST,
+  ORDERED_LIST,
+  CODE
+]
+
+export default function MarkdownShortcutsPlugin() {
+  const [editor] = useLexicalComposerContext()
+
+  useEffect(() => {
+    return registerMarkdownShortcuts(editor, CREATIVE_MARKDOWN_TRANSFORMERS)
+  }, [editor])
+
+  return null
+}

data/app/javascript/controllers/comment_controller.js

@@ -2,6 +2,7 @@ import { Controller } from "@hotwired/stimulus"
 import { renderCommentMarkdown, renderMermaidDiagrams } from '../lib/utils/markdown'
 import { addTableDownloadButtons } from '../lib/utils/table_download'
 import CommonPopup from '../lib/common_popup'
+import csrfFetch from '../lib/api/csrf_fetch'
 
 // Global tracker: persists streaming state across Turbo replacements
 // (each replacement creates a new controller instance, losing instance state)
@@ -163,6 +164,22 @@ export default class extends Controller {
     }
   }
 
+  cancelTask(event) {
+    event.preventDefault()
+    event.stopPropagation()
+    const taskId = event.currentTarget.dataset.taskId
+    if (!taskId) return
+    event.currentTarget.disabled = true
+    csrfFetch(`/tasks/${taskId}/cancel`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+    })
+      .then((response) => {
+        if (!response.ok) event.currentTarget.disabled = false
+      })
+      .catch(() => { event.currentTarget.disabled = false })
+  }
+
   triggerReactionPicker(event) {
     event.preventDefault()
     event.stopPropagation()

data/app/javascript/controllers/comments/form_controller.js

@@ -103,6 +103,7 @@ export default class extends Controller {
     this.currentTopicId = event.detail.topicId
     this._isInbox = event.detail.isInbox || false
     this._systemTopicId = event.detail.systemTopicId || null
+    this._mainTopicId = event.detail.mainTopicId || null
     this._updateInboxReplyMode()
   }
 
@@ -265,8 +266,9 @@ export default class extends Controller {
     const wasPrivate = this.privateCheckboxTarget?.checked ?? false
 
     const formData = new FormData(this.formTarget)
-    if (this.currentTopicId) {
-      formData.append('comment[topic_id]', this.currentTopicId)
+    const effectiveTopicId = this.currentTopicId || this._mainTopicId
+    if (effectiveTopicId) {
+      formData.append('comment[topic_id]', effectiveTopicId)
     }
     if (this._pendingReviewType) {
       formData.append('comment[review_type]', this._pendingReviewType)
@@ -763,8 +765,9 @@ export default class extends Controller {
     }
     const isPrivate = this.privateCheckboxTarget?.checked ?? false
     if (isPrivate) formData.append('comment[private]', '1')
-    if (this.currentTopicId) {
-      formData.append('comment[topic_id]', this.currentTopicId)
+    const effectiveTopicId = this.currentTopicId || this._mainTopicId
+    if (effectiveTopicId) {
+      formData.append('comment[topic_id]', effectiveTopicId)
     }
 
     const url = `/creatives/${this.creativeId}/comments`

data/app/javascript/controllers/comments/list_controller.js

@@ -579,10 +579,9 @@ export default class extends Controller {
     bar.querySelector('.selection-action-branch').addEventListener('click', (e) => { e.stopPropagation(); this.branchSelectedComments() })
     bar.querySelector('.selection-action-bar-close').addEventListener('click', () => this.clearSelection())
 
-    // Insert before typing indicator so it stays inside the popup window
-    const typingIndicator = this.element.querySelector('#typing-indicator')
-    if (typingIndicator) {
-      typingIndicator.parentNode.insertBefore(bar, typingIndicator)
+    const typingRow = this.element.querySelector('#typing-indicator-row') || this.element.querySelector('#typing-indicator')
+    if (typingRow) {
+      typingRow.parentNode.insertBefore(bar, typingRow)
     } else {
       this.element.appendChild(bar)
     }
@@ -1061,6 +1060,46 @@ export default class extends Controller {
       .finally(() => { this.movingComments = false })
   }
 
+  scrollToPreviousMessage() {
+    const list = this.listTarget
+    const items = Array.from(list.querySelectorAll('.comment-item'))
+    if (items.length === 0) return
+
+    const listRect = list.getBoundingClientRect()
+    const viewportTop = listRect.top
+
+    let currentIdx = -1
+    for (let i = 0; i < items.length; i++) {
+      const rect = items[i].getBoundingClientRect()
+      if (rect.top >= viewportTop - 2) {
+        currentIdx = i
+        break
+      }
+    }
+
+    if (currentIdx === -1) currentIdx = items.length - 1
+
+    const currentItem = items[currentIdx]
+    const currentRect = currentItem.getBoundingClientRect()
+    const isAtTop = Math.abs(currentRect.top - viewportTop) < 4
+
+    const targetIdx = isAtTop ? currentIdx - 1 : currentIdx
+    if (targetIdx < 0) {
+      if (!this.allOlderLoaded) {
+        this.loadOlderComments()
+      }
+      return
+    }
+
+    const target = items[targetIdx]
+    const targetTop = target.offsetTop - list.offsetTop
+    list.scrollTo({ top: targetTop, behavior: 'smooth' })
+    this.stickToBottom = false
+
+    target.classList.add('highlight-flash')
+    setTimeout(() => target.classList.remove('highlight-flash'), 2000)
+  }
+
   // UI Helpers
   updateStickiness() {
     this.stickToBottom = this.isNearBottom()