collavre 0.20.2 → 0.21.0

data/app/models/collavre/channel.rb

@@ -0,0 +1,87 @@
+module Collavre
+  class Channel < ApplicationRecord
+    BOT_EMAIL = "channel@collavre.local"
+    BOT_NAME = "Channel"
+
+    self.table_name = "channels"
+
+    belongs_to :topic, class_name: "Collavre::Topic"
+
+    enum :state, { active: 0, detached: 1 }, default: :active
+
+    scope :not_dismissed, -> { where(dismissed_at: nil) }
+
+    def handle(event:, payload:)
+      raise NotImplementedError, "#{self.class} must implement #handle"
+    end
+
+    # Chip fallbacks rendered before any webhook event populates latest_label /
+    # latest_link. Base class returns nil; subclasses override when they can
+    # derive a stable label/link from their own config (e.g. PR #N + URL).
+    def default_label
+      nil
+    end
+
+    def default_link
+      nil
+    end
+
+    # Badge interface for the typing-indicator chip. Subclasses override
+    # `badge_state` to drive the chip badge color (the value becomes a CSS
+    # modifier: channel-chip-badge--<state>), and `badge_title` to provide a
+    # localized title / aria-label string. Returning nil from `badge_state`
+    # hides the badge entirely.
+    def badge_state
+      nil
+    end
+
+    def badge_title
+      nil
+    end
+
+    def detach!
+      update!(state: :detached)
+    end
+
+    def dismissed?
+      dismissed_at.present?
+    end
+
+    # Hide the chip from the typing-indicator row. Performs detach! as a
+    # side-effect when the channel is still active so dismissal is a single
+    # user-facing action — clicking the X always removes the chip regardless
+    # of prior state.
+    def dismiss!
+      transaction do
+        detach! if active?
+        update!(dismissed_at: Time.current) if dismissed_at.nil?
+      end
+    end
+
+    def record_event!(label:, link:)
+      update!(latest_label: label, latest_link: link, last_event_at: Time.current)
+    end
+
+    def inject_into_topic!(injected_message)
+      transaction do
+        comment = topic.creative.comments.create!(
+          user: injected_message.speaker,
+          topic_id: topic.id,
+          content: injected_message.message,
+          private: false
+        )
+        record_event!(label: injected_message.label, link: injected_message.link)
+        comment
+      end
+    end
+
+    after_create_commit  :broadcast_chips_changed
+    after_update_commit  :broadcast_chips_changed
+
+    private
+
+    def broadcast_chips_changed
+      Collavre::CommentsPresenceChannel.broadcast_channel_chips_changed(topic.creative_id, topic_id: topic_id)
+    end
+  end
+end

data/app/models/collavre/creative/describable.rb

@@ -4,10 +4,18 @@ module Collavre
       extend ActiveSupport::Concern
 
       included do
+        attr_accessor :content_type_input
+        attr_reader :markdown_source
+
+        def markdown_source=(value)
+          @markdown_source = value.is_a?(String) ? value.gsub(/\r\n?/, "\n") : value
+        end
+
         validates :description, presence: true, unless: -> { origin_id.present? }
         validate :description_cannot_change_if_has_origin, on: :update
         validate :description_cannot_change_if_github_source, on: :update
 
+        before_validation :convert_markdown_to_html
         before_save :sanitize_description_html
         after_destroy_commit :purge_description_attachments
       end
@@ -32,14 +40,68 @@ module Collavre
 
       private
 
+      def convert_markdown_to_html
+        if content_type_input == "markdown"
+          self.data ||= {}
+          new_source = markdown_source.to_s
+          prev_source = data["markdown_source"].to_s
+          prev_type = data["content_type"]
+          self.data["content_type"] = "markdown"
+          if new_source != prev_source || prev_type != "markdown"
+            # Rewrite inline data-URI images to freshly-uploaded blob paths
+            # FIRST, then persist the rewritten source. Subsequent edits
+            # around the same image carry the blob path instead of the
+            # data URI, so re-renders no longer create duplicate blobs.
+            rewritten_source = Collavre::MarkdownConverter.rewrite_data_uri_images(new_source)
+            self.data["markdown_source"] = rewritten_source
+            self.description = Collavre::MarkdownConverter.markdown_to_html(rewritten_source)
+          else
+            self.data["markdown_source"] = new_source
+            # Source unchanged: description must stay derived from markdown_source.
+            # Restore the persisted value rather than trusting params[:description],
+            # which would let a stale/crafted request diverge from markdown_source.
+            # Skipping the re-render also avoids re-importing data-URI images as
+            # fresh Active Storage blobs on every autosave/progress/move.
+            self.description = description_was if description_changed?
+          end
+        elsif content_type_input == "html"
+          self.data ||= {}
+          self.data.delete("content_type")
+          self.data.delete("markdown_source")
+        elsif !new_record? && description_changed? && data&.dig("content_type") == "markdown"
+          # Description was rewritten through a non-markdown path (tool/MCP
+          # update, direct base.update(description: ...), etc.) on a creative
+          # that was previously in markdown mode. The new HTML no longer
+          # matches data["markdown_source"], so the next inline-markdown open
+          # would load the stale source and silently overwrite this update.
+          # Demote to HTML mode so the persisted source matches description.
+          self.data.delete("content_type")
+          self.data.delete("markdown_source")
+        end
+      end
+
       def sanitize_description_html
         table_tags = %w[table thead tbody tfoot tr th td]
         table_attrs = %w[colspan rowspan]
         attachment_attrs = %w[download data-filesize]
+        task_list_attrs = %w[type disabled checked]
+
+        # GFM task list checkboxes (`- [ ]` / `- [x]`) render as
+        # <input type="checkbox" disabled> via Commonmarker's tasklist
+        # extension. Strip any other <input> variant before sanitization
+        # so allowing the `input` tag in the safelist can't smuggle in
+        # text/image/submit inputs.
+        scrubbed = Loofah.fragment(description.to_s)
+        scrubbed.css("input").each do |node|
+          unless node["type"] == "checkbox" && node.has_attribute?("disabled")
+            node.remove
+          end
+        end
+
         self.description = ActionController::Base.helpers.sanitize(
-          description,
-          tags: Rails::HTML5::SafeListSanitizer.allowed_tags.to_a + table_tags,
-          attributes: Rails::HTML5::SafeListSanitizer.allowed_attributes.to_a + table_attrs + attachment_attrs + %w[data-lexical]
+          scrubbed.to_html,
+          tags: Rails::HTML5::SafeListSanitizer.allowed_tags.to_a + table_tags + %w[input],
+          attributes: Rails::HTML5::SafeListSanitizer.allowed_attributes.to_a + table_attrs + attachment_attrs + task_list_attrs + %w[data-lexical]
         )
       end
 

data/app/models/collavre/creative.rb

@@ -24,6 +24,8 @@ module Collavre
     has_many :comment_read_pointers, class_name: "Collavre::CommentReadPointer", dependent: :delete_all
     has_many :comment_snapshots, class_name: "Collavre::CommentSnapshot", dependent: :destroy
 
+    has_many_attached :files, dependent: :purge_later
+
     has_closure_tree order: :sequence, name_column: :description, hierarchy_table_name: "creative_hierarchies"
 
     # --- Archive scopes ---

data/app/models/collavre/integration_setting.rb

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+module Collavre
+  # Stores externally-configurable integration secrets (Slack, Google OAuth,
+  # AWS S3/SES, FCM, etc.) on a per-key basis with `value` encrypted at rest.
+  #
+  # Distinct from {Collavre::SystemSetting}, which stores unencrypted app-behavior
+  # toggles (rate limits, themes, etc.). Pair with
+  # {Collavre::IntegrationSettings::Registry} (key definitions) and
+  # {Collavre::IntegrationSettings::Resolver} (DB > ENV > default precedence).
+  class IntegrationSetting < ApplicationRecord
+    self.table_name = "integration_settings"
+
+    encrypts :value, deterministic: false
+
+    validates :key, presence: true, uniqueness: true
+    validates :category, presence: true
+
+    after_commit :clear_cache
+
+    def self.cache_key_for(key)
+      "collavre/integration_setting/#{key}"
+    end
+
+    private
+
+    def clear_cache
+      Rails.cache.delete(self.class.cache_key_for(key))
+      if saved_change_to_key?
+        old_key = saved_change_to_key.first
+        Rails.cache.delete(self.class.cache_key_for(old_key)) if old_key.present?
+      end
+    end
+  end
+end

data/app/models/collavre/preview_channel.rb

@@ -0,0 +1,93 @@
+module Collavre
+  # Topic chip for a running development preview server. Unlike
+  # GithubPrChannel there is no external webhook source — the chip is
+  # populated by AI Agents (or humans) calling preview_attach/preview_detach
+  # MCP tools, one for each ./bin/dev they spin up alongside a worktree.
+  class PreviewChannel < Collavre::Channel
+    self.table_name = "channels"
+
+    PREVIEW_STATES = %w[running stopped].freeze
+
+    def preview_url
+      config["preview_url"]
+    end
+
+    def worktree_id
+      config["worktree_id"]
+    end
+
+    def custom_label
+      config["label"]
+    end
+
+    # Chip fallbacks rendered immediately on attach, before the user has
+    # interacted with the chip. The label prefers the caller-supplied
+    # "Preview #42" style override and falls back to a localized default;
+    # the link is always the preview URL.
+    def default_label
+      custom_label.presence || I18n.t("collavre.channel.preview.label_default")
+    end
+
+    def default_link
+      preview_url
+    end
+
+    def badge_state
+      preview_state
+    end
+
+    def badge_title
+      I18n.t("collavre.channel.preview.badge.#{preview_state}", default: preview_state.to_s)
+    end
+
+    def preview_state
+      state = config["preview_state"].to_s
+      PREVIEW_STATES.include?(state) ? state : "running"
+    end
+
+    def preview_state=(value)
+      value = value.to_s
+      raise ArgumentError, "Invalid preview_state: #{value.inspect}" unless PREVIEW_STATES.include?(value)
+      self.config = config.merge("preview_state" => value)
+    end
+
+    def attached_message
+      Collavre::Channel::InjectedMessage.new(
+        speaker: channel_bot_user,
+        message: I18n.t("collavre.channel.preview.attached_message",
+                        label: default_label, url: preview_url),
+        label: default_label,
+        link: preview_url
+      )
+    end
+
+    # PreviewChannel has no external event source — preview_attach/detach
+    # mutate the channel directly. The base `handle` would raise
+    # NotImplementedError, so override with an explicit no-op.
+    def handle(event:, payload:)
+      nil
+    end
+
+    private
+
+    # Same bot user as GithubPrChannel so all channel-injected comments come
+    # from a single "Channel" speaker in the topic timeline.
+    def channel_bot_user
+      @channel_bot_user ||=
+        Collavre::User.find_by(email: Collavre::Channel::BOT_EMAIL) ||
+          ensure_channel_bot_user!
+    end
+
+    def ensure_channel_bot_user!
+      email = Collavre::Channel::BOT_EMAIL
+      user = Collavre::User.find_or_initialize_by(email: email)
+      user.name = Collavre::Channel::BOT_NAME
+      user.password = SecureRandom.hex(32) if user.new_record?
+      user.email_verified_at ||= Time.current
+      user.searchable = false if user.respond_to?(:searchable=)
+      user.llm_vendor = nil
+      user.save!
+      user
+    end
+  end
+end

data/app/models/collavre/system_setting.rb

@@ -25,9 +25,15 @@ module Collavre
     # By default, public access is allowed (false)
     DEFAULT_CREATIVES_LOGIN_REQUIRED = false
 
-    # Default home page path (nil means use root_path "/")
+    # Default home page path for unauthenticated visitors (nil means use root_path "/")
     DEFAULT_HOME_PAGE_PATH = nil
 
+    # Default home page path for authenticated users.
+    # Signed-in visitors hitting "/" are redirected to this path when the
+    # admin has not configured a value. Set to "/" via the admin UI to
+    # disable the redirect and fall back to the unauthenticated rewrite.
+    DEFAULT_HOME_PAGE_PATH_AUTHENTICATED = "/creatives"
+
     # Default theme IDs (nil means use built-in light/dark)
     # These reference UserTheme IDs for admin-configured custom themes
     DEFAULT_LIGHT_THEME_ID = nil
@@ -59,7 +65,7 @@ module Collavre
         lockout_duration_minutes session_timeout_minutes password_min_length
         password_reset_rate_limit password_reset_rate_period_minutes
         api_rate_limit api_rate_period_minutes auth_providers_disabled
-        creatives_login_required home_page_path default_light_theme_id default_dark_theme_id
+        creatives_login_required home_page_path home_page_path_authenticated default_light_theme_id default_dark_theme_id
         display_level completion_mark llm_request_timeout_seconds
       ].each { |k| Rails.cache.delete("system_setting:#{k}") }
     end
@@ -88,6 +94,11 @@ module Collavre
       value.presence
     end
 
+    def self.home_page_path_authenticated
+      value = cached_value("home_page_path_authenticated")
+      value.presence || DEFAULT_HOME_PAGE_PATH_AUTHENTICATED
+    end
+
     def self.mcp_tool_approval_required?
       if Current.mcp_tool_approval_required.nil?
         Current.mcp_tool_approval_required = cached_value("mcp_tool_approval_required") == "true"

data/app/models/collavre/topic.rb

@@ -5,8 +5,10 @@ module Collavre
     belongs_to :creative, class_name: "Collavre::Creative"
     belongs_to :user, class_name: Collavre.configuration.user_class_name
     belongs_to :source_topic, class_name: "Collavre::Topic", optional: true
+    belongs_to :primary_agent, class_name: Collavre.configuration.user_class_name, optional: true
 
     has_many :comments, class_name: "Collavre::Comment", dependent: :destroy
+    has_many :channels, class_name: "Collavre::Channel", dependent: :destroy
     has_many :branches, class_name: "Collavre::Topic", foreign_key: :source_topic_id, dependent: :nullify
     has_many :user_creative_preferences_as_last_topic, class_name: "Collavre::UserCreativePreference",
              foreign_key: :last_topic_id, dependent: :nullify, inverse_of: :last_topic
@@ -21,33 +23,9 @@ module Collavre
 
     default_scope { order(:position) }
 
-    # Returns the primary agent User for this topic (from orchestration policy)
-    def primary_agent
-      policy = OrchestratorPolicy.find_by(
-        policy_type: "arbitration",
-        scope_type: "Topic",
-        scope_id: id
-      )
-      return nil unless policy&.config&.dig("primary_agent_id")
-
-      User.find_by(id: policy.config["primary_agent_id"])
-    end
-
     # Sets or replaces the primary agent for this topic
     def set_primary_agent!(agent)
-      policy = OrchestratorPolicy.find_or_initialize_by(
-        policy_type: "arbitration",
-        scope_type: "Topic",
-        scope_id: id
-      )
-      policy.update!(
-        config: {
-          "strategy" => "primary_first",
-          "primary_agent_id" => agent.id
-        },
-        priority: 10,
-        enabled: true
-      )
+      update!(primary_agent: agent)
     end
 
     def archived?

data/app/models/concerns/collavre/ai_agent_resolvable.rb

@@ -5,13 +5,22 @@ module Collavre
     private
 
     # Resolve AI agent using orchestration rules:
-    # 1. Topic's primary agent (from OrchestratorPolicy)
-    # 2. Fallback: any AI agent with feedback permission on the creative
+    # 1. Topic's primary agent (stored on topics table)
+    # 2. Fallback: policy-level primary_agent_id (creative/global scope)
+    # 3. Fallback: any AI agent with feedback permission on the creative
     def resolve_ai_agent(creative, topic_id)
       if topic_id.present?
+        # Check topic's direct primary_agent_id first
+        topic = Topic.find_by(id: topic_id)
+        if topic&.primary_agent_id.present?
+          agent = User.find_by(id: topic.primary_agent_id)
+          return agent if agent&.ai_user?
+        end
+
+        # Fall back to policy-level config (creative/global scope)
         context = build_ai_agent_policy_context(creative, topic_id)
         resolver = Orchestration::PolicyResolver.new(context)
-        primary_id = resolver.primary_agent_id
+        primary_id = resolver.arbitration_config["primary_agent_id"]
 
         if primary_id.present?
           agent = User.find_by(id: primary_id)

data/app/services/collavre/ai_client.rb

@@ -113,17 +113,17 @@ module Collavre
 
       context_block = case normalized_vendor
       when "openai"
-        api_key = @llm_api_key.presence || ENV["OPENAI_API_KEY"]
+        api_key = @llm_api_key.presence || IntegrationSettings.fetch(:openai_api_key)
         base_url = @gateway_url.presence
         proc do |config|
           config.openai_api_key = api_key
           config.openai_api_base = base_url if base_url
         end
       when "anthropic"
-        api_key = @llm_api_key.presence || ENV["ANTHROPIC_API_KEY"]
+        api_key = @llm_api_key.presence || IntegrationSettings.fetch(:anthropic_api_key)
         proc { |config| config.anthropic_api_key = api_key }
       else
-        api_key = @llm_api_key.presence || ENV["GEMINI_API_KEY"]
+        api_key = @llm_api_key.presence || IntegrationSettings.fetch(:gemini_api_key)
         proc { |config| config.gemini_api_key = api_key }
       end
 

data/app/services/collavre/channel_attacher.rb

@@ -0,0 +1,58 @@
+# frozen_string_literal: true
+
+module Collavre
+  # Shared idempotent attach/reactivate lifecycle for topic channels.
+  # Every channel subtype reaches the same end-state regardless of which tool
+  # invoked it: a row that is active, not dismissed, and visible under the
+  # `not_dismissed` render scope.
+  #
+  # Subtype-specific resets (e.g. PR `pr_state` back to "open" so a previously
+  # merged-then-reattached channel renders the green badge again) run via the
+  # `on_reactivate` proc.
+  class ChannelAttacher
+    # Returns [channel, status] where status ∈ :created / :reactivated / :noop.
+    #
+    # `lookup` is called twice in the unique-violation race path, so it must
+    # be a fresh query each call (not a captured AR record).
+    #
+    # `on_noop` runs when the existing channel is still active+visible and we
+    # would otherwise short-circuit. Preview channels use it to silently refresh
+    # config (e.g. new port after a restart) so the chip link never points at a
+    # dead server while reporting success.
+    def self.call(channel_class:, lookup:, create_attrs:, on_reactivate: nil, on_noop: nil)
+      existing = lookup.call
+      if existing
+        return noop(existing, on_noop) if existing.active? && existing.dismissed_at.nil?
+        reactivate(existing, on_reactivate)
+        return [ existing, :reactivated ]
+      end
+      [ channel_class.create!(create_attrs), :created ]
+    rescue ActiveRecord::RecordNotUnique
+      existing = lookup.call
+      raise unless existing
+      if existing.active? && existing.dismissed_at.nil?
+        noop(existing, on_noop)
+      else
+        reactivate(existing, on_reactivate)
+        [ existing, :reactivated ]
+      end
+    end
+
+    def self.reactivate(channel, on_reactivate)
+      channel.state = :active unless channel.active?
+      channel.dismissed_at = nil unless channel.dismissed_at.nil?
+      on_reactivate&.call(channel)
+      channel.save!
+    end
+    private_class_method :reactivate
+
+    def self.noop(channel, on_noop)
+      if on_noop
+        on_noop.call(channel)
+        channel.save! if channel.changed?
+      end
+      [ channel, :noop ]
+    end
+    private_class_method :noop
+  end
+end

data/app/services/collavre/comments/mcp_command.rb

@@ -98,6 +98,18 @@ module Collavre
         return I18n.t("collavre.comments.mcp_command.error_running", tool_name: tool_name, error: response[:error]) if response[:error].present?
 
         result = response[:result]
+        escaped_tool = ERB::Util.html_escape(tool_name)
+
+        markdown_body = extract_markdown(result)
+        if markdown_body
+          return <<~HTML
+          <details open><summary>#{escaped_tool} response</summary>
+
+          #{markdown_body}
+          </details>
+          HTML
+        end
+
         content = case result
         when Hash, Array
           JSON.pretty_generate(result)
@@ -105,7 +117,6 @@ module Collavre
           result.to_s
         end
 
-        escaped_tool = ERB::Util.html_escape(tool_name)
         escaped_content = ERB::Util.html_escape(content)
 
         <<~HTML
@@ -115,6 +126,25 @@ module Collavre
         HTML
       end
 
+      def extract_markdown(result)
+        candidate = nil
+
+        if result.is_a?(Hash)
+          candidate = result["markdown"] || result[:markdown]
+        elsif result.is_a?(String)
+          parsed = begin
+            JSON.parse(result)
+          rescue JSON::ParserError
+            nil
+          end
+          candidate = parsed["markdown"] if parsed.is_a?(Hash)
+        end
+
+        return nil unless candidate.is_a?(String) && candidate.strip.length.positive?
+
+        candidate
+      end
+
       def tool_name
         tool[:name]
       end

data/app/services/collavre/creatives/tree_builder.rb

@@ -128,7 +128,7 @@ module Creatives
           sequence: creative.sequence,
           link_url: view_context.collavre.creative_path(creative),
           templates: template_payload_for(creative, has_children: filtered_children.any?),
-          inline_editor_payload: inline_editor_payload_for(creative),
+          inline_editor_payload: inline_editor_payload_for(creative, can_write: cached_can_write?(creative)),
           children_container: children_container_payload(
             creative,
             filtered_children,
@@ -187,11 +187,15 @@ module Creatives
       }
     end
 
-    def inline_editor_payload_for(creative)
+    def inline_editor_payload_for(creative, can_write:)
+      effective = creative.effective_origin(Set.new)
+      origin_writable = effective.id == creative.id ? can_write : creative.has_permission?(user, :write)
       {
         description_raw_html: creative.effective_description(nil, true),
         progress: creative.progress,
-        origin_id: creative.origin_id
+        origin_id: creative.origin_id,
+        content_type: effective.data&.dig("content_type"),
+        markdown_source: origin_writable ? effective.data&.dig("markdown_source") : nil
       }
     end
 

data/app/services/collavre/google_calendar_service.rb

@@ -110,8 +110,10 @@ module Collavre
       raise GoogleCalendarError, I18n.t("collavre.google_calendar.errors.not_connected") if token.blank?
 
       Google::Auth::UserRefreshCredentials.new(
-        client_id:     ENV["GOOGLE_CLIENT_ID"] || Rails.application.credentials.dig(:google, :client_id),
-        client_secret: ENV["GOOGLE_CLIENT_SECRET"] || Rails.application.credentials.dig(:google, :client_secret),
+        client_id:     Collavre::IntegrationSettings::Resolver.get(:google_client_id).presence ||
+                       Rails.application.credentials.dig(:google, :client_id),
+        client_secret: Collavre::IntegrationSettings::Resolver.get(:google_client_secret).presence ||
+                       Rails.application.credentials.dig(:google, :client_secret),
         scope:         [ Google::Apis::CalendarV3::AUTH_CALENDAR_APP_CREATED ],
         refresh_token: token
       ).tap(&:fetch_access_token!)