collavre 0.20.3 → 0.22.0

data/app/models/collavre/comment.rb

@@ -46,6 +46,7 @@ module Collavre
     include Broadcastable
     include Notifiable
     include Approvable
+    include ClaudeChannelPermission
 
     attribute :skip_default_user, :boolean, default: false
     attribute :skip_dispatch, :boolean, default: false
@@ -110,11 +111,35 @@ module Collavre
     def cancel_pending_tasks
       # Cancel tasks triggered by this comment (no creative_id scoping —
       # CommentMoveService can change comment.creative_id without updating
-      # existing tasks, so scoping would miss moved-comment tasks)
-      Task.where(status: %w[pending running queued]).find_each do |task|
-        if task.trigger_event_payload&.dig("comment", "id") == id
-          task.update!(status: "cancelled")
+      # existing tasks, so scoping would miss moved-comment tasks).
+      # Include "delegated" so a deleted prompt also cancels Claude Channel
+      # work that's still waiting on an external MCP reply — otherwise the
+      # delegated task keeps holding the topic/agent slot until stuck recovery.
+      Task.where(status: %w[pending running queued delegated]).find_each do |task|
+        next unless task.trigger_event_payload&.dig("comment", "id") == id
+
+        was_delegated = task.status == "delegated"
+        task.update!(status: "cancelled")
+
+        # Delegated tasks live past their job: the AiAgentJob already returned,
+        # holding the agent slot under task.id and counting against the per-topic
+        # serializer. Mirror the cancel path used elsewhere to free both.
+        next unless was_delegated
+        if task.agent
+          Collavre::Orchestration::ResourceTracker.for(task.agent).release!(task.id)
         end
+        if task.parent_task_id.present?
+          begin
+            Collavre::Comments::WorkflowExecutor.new(task.parent_task).fail_subtask!(
+              task, error_message: "Triggering comment was deleted"
+            )
+          rescue StandardError => e
+            Rails.logger.error(
+              "[Comment#cancel_pending_tasks] fail_subtask! failed for task #{task.id}: #{e.message}"
+            )
+          end
+        end
+        Collavre::Orchestration::AgentOrchestrator.dequeue_next_for_topic(task.topic_id, task.creative_id)
       end
 
       # Cancel queued tasks when their waiting notice (system comment) is deleted
@@ -139,7 +164,32 @@ module Collavre
       return unless user_id        # nil user = system message
       return if user&.ai_user?     # AI replies use A2aDispatcher, not this callback
       return unless creative
-      return if creative.inbox?
+      # Inbox creatives hold the user's notifications/DMs and normally must not
+      # trigger AI orchestration. Exception: a Claude Channel agent session
+      # registers its topic *inside* the inbox (Creative.inbox_for) and depends
+      # on the orchestration pipeline (Matcher → Arbiter → AiAgentService) to
+      # deliver comments to the running session. Scope the exception to actual
+      # Claude Channel session topics (primary_agent is a claude_channel_agent?).
+      # An inbox topic can be given any ai_user as primary_agent via
+      # TopicsController#set_primary_agent; gating on mere primary_agent presence
+      # would leak ordinary inbox DMs to the live Claude session, which holds
+      # inbox-wide :feedback + routing_expression="true" and would be selected by
+      # the Matcher for any dispatched inbox comment.
+      return if creative.inbox? && !claude_channel_session_topic?
+
+      # A Claude Channel session suspended on a native tool-permission prompt
+      # parks its in-flight dispatch as a `delegated` task carrying a
+      # pending_tool_call (stamped by /agent/notify when the prompt is relayed).
+      # An intervening human comment posted while the task is parked is dispatched
+      # normally — not suppressed. The delegated task holds the topic's only
+      # concurrency slot (running_for_topic counts `delegated`,
+      # topic_max_concurrent_jobs=1), so the scheduler defers the comment into a
+      # `queued` task rather than a competing turn, and
+      # AgentOrchestrator.dequeue_next_for_topic promotes it (refreshed to the
+      # latest comment) when the parked task is finalized on /reply. Suppressing
+      # it here would silently drop the follow-up instead of deferring it — worst
+      # when the local Claude TUI answered the prompt, leaving pending_tool_call
+      # set on the server for the rest of a locally-approved tool run.
 
       SystemEvents::Dispatcher.dispatch("comment_created", dispatch_payload)
     rescue StandardError => e
@@ -150,6 +200,21 @@ module Collavre
       raise  # re-raise so calling jobs (e.g. DropTriggerJob) can retry
     end
 
+    # True only when this comment's topic is an actual Claude Channel session
+    # topic — it carries the registration marker (session_id) AND its
+    # primary_agent is a claude_channel_agent? (llm_model "claude-code"). Used to
+    # scope the inbox dispatch exception so ordinary inbox threads stay local.
+    #
+    # session_id is required, not just the Claude primary_agent: a Claude
+    # channel ai_user can be assigned as primary_agent on an ordinary inbox
+    # topic via TopicsController#set_primary_agent without ever registering a
+    # session. Gating on the agent alone would dispatch that ordinary thread and
+    # leak it to the live Claude session. session_id is exactly what
+    # ClaudeChannelAdapter#session_topic? keys on, so the two stay consistent.
+    def claude_channel_session_topic?
+      topic&.session_id.present? && topic&.primary_agent&.claude_channel_agent?
+    end
+
     def assign_default_user
       return if skip_default_user
       self.user ||= Collavre.current_user

data/app/models/collavre/creative/describable.rb

@@ -4,11 +4,20 @@ module Collavre
       extend ActiveSupport::Concern
 
       included do
+        attr_accessor :content_type_input
+        attr_reader :markdown_source
+
+        def markdown_source=(value)
+          @markdown_source = value.is_a?(String) ? value.gsub(/\r\n?/, "\n") : value
+        end
+
         validates :description, presence: true, unless: -> { origin_id.present? }
         validate :description_cannot_change_if_has_origin, on: :update
         validate :description_cannot_change_if_github_source, on: :update
 
+        before_validation :convert_markdown_to_html
         before_save :sanitize_description_html
+        after_save :reconcile_description_attachments
         after_destroy_commit :purge_description_attachments
       end
 
@@ -30,19 +39,208 @@ module Collavre
         CGI.unescapeHTML(ActionController::Base.helpers.strip_tags(effective_origin.description || "")).truncate(24, omission: "...")
       end
 
+      # GitHub-synced creatives reject any description change
+      # (description_cannot_change_if_github_source), so embedding would raise
+      # and orphan the blob. Callers MUST check this before creating the blob.
+      def attachments_embeddable?
+        !effective_origin.github_markdown?
+      end
+
+      # Append an attachment node and save; after_save reconcile attaches the
+      # blob to creative.files. Linked creatives can't change their own
+      # description (it lives on the origin), so embed on effective_origin —
+      # otherwise the save raises and orphans the blob.
+      def embed_attachment_blob!(blob)
+        target = effective_origin
+        return target.embed_attachment_blob!(blob) unless target == self
+
+        node = attachment_node_html(blob)
+        new_html = "#{description}#{node}"
+        # Markdown-mode creatives derive description from markdown_source; demote
+        # to HTML so the embedded node is the persisted source of truth.
+        self.content_type_input = "html" if data&.dig("content_type") == "markdown"
+        update!(description: new_html)
+      end
+
+      # HTML for embedding a blob inline, branching on content type. The proxy
+      # path MUST match what extract_signed_ids_from_description scans and what
+      # the sanitizer allows.
+      def attachment_node_html(blob)
+        url = "/public-assets/blobs/#{blob.signed_id}/#{blob.filename.sanitized}"
+        name = ERB::Util.html_escape(blob.filename.to_s)
+        if blob.content_type.to_s.start_with?("image/")
+          %(<img src="#{url}" alt="#{name}">)
+        elsif blob.content_type.to_s.start_with?("video/")
+          %(<video controls src="#{url}"></video>)
+        else
+          %(<a href="#{url}" download="#{name}" data-filesize="#{blob.byte_size}">#{name}</a>)
+        end
+      end
+
+      # Remove the attachment for `signed_id`. HTML is the source of truth, so
+      # strip the node and let after_save reconcile detach + safe-purge. A blob
+      # that's attached but not embedded (legacy, not yet backfilled) is
+      # detached directly. Returns true if an attachment was present.
+      def remove_attachment!(signed_id)
+        target = effective_origin
+        return target.remove_attachment!(signed_id) unless target == self
+
+        blob = ActiveStorage::Blob.find_signed(signed_id)
+        return false unless blob
+
+        attachment = files.attachments.find_by(blob_id: blob.id)
+        return false unless attachment
+
+        stripped = description_without_attachment_node(blob.signed_id)
+        if stripped
+          # Demote markdown -> html so the stripped HTML is the persisted source
+          # of truth (mirrors embed_attachment_blob!).
+          self.content_type_input = "html" if data&.dig("content_type") == "markdown"
+          update!(description: stripped)
+        else
+          detach_and_maybe_purge(attachment)
+        end
+        true
+      end
+
       private
 
+      # description HTML with every node (<img>/<video>/<source>/<a>) whose
+      # src/href references signed_id removed, or nil when none is present.
+      def description_without_attachment_node(signed_id)
+        return nil if description.blank?
+
+        doc = Loofah.fragment(description.to_s)
+        matches = doc.css("img, video, source, a").select do |node|
+          ref = node["src"] || node["href"]
+          ref&.include?(signed_id)
+        end
+        return nil if matches.empty?
+
+        matches.each(&:remove)
+        doc.to_html
+      end
+
+      def convert_markdown_to_html
+        if content_type_input == "markdown"
+          self.data ||= {}
+          new_source = markdown_source.to_s
+          prev_source = data["markdown_source"].to_s
+          prev_type = data["content_type"]
+          self.data["content_type"] = "markdown"
+          if new_source != prev_source || prev_type != "markdown"
+            # Rewrite inline data-URI images to freshly-uploaded blob paths
+            # FIRST, then persist the rewritten source. Subsequent edits
+            # around the same image carry the blob path instead of the
+            # data URI, so re-renders no longer create duplicate blobs.
+            rewritten_source = Collavre::MarkdownConverter.rewrite_data_uri_images(new_source)
+            self.data["markdown_source"] = rewritten_source
+            self.description = Collavre::MarkdownConverter.markdown_to_html(rewritten_source)
+          else
+            self.data["markdown_source"] = new_source
+            # Source unchanged: description must stay derived from markdown_source.
+            # Restore the persisted value rather than trusting params[:description],
+            # which would let a stale/crafted request diverge from markdown_source.
+            # Skipping the re-render also avoids re-importing data-URI images as
+            # fresh Active Storage blobs on every autosave/progress/move.
+            self.description = description_was if description_changed?
+          end
+        elsif content_type_input == "html"
+          self.data ||= {}
+          self.data.delete("content_type")
+          self.data.delete("markdown_source")
+        elsif !new_record? && description_changed? && data&.dig("content_type") == "markdown"
+          # Description was rewritten through a non-markdown path (tool/MCP
+          # update, direct base.update(description: ...), etc.) on a creative
+          # that was previously in markdown mode. The new HTML no longer
+          # matches data["markdown_source"], so the next inline-markdown open
+          # would load the stale source and silently overwrite this update.
+          # Demote to HTML mode so the persisted source matches description.
+          self.data.delete("content_type")
+          self.data.delete("markdown_source")
+        end
+      end
+
       def sanitize_description_html
         table_tags = %w[table thead tbody tfoot tr th td]
         table_attrs = %w[colspan rowspan]
         attachment_attrs = %w[download data-filesize]
+        task_list_attrs = %w[type disabled checked]
+        media_tags = %w[video source]
+        media_attrs = %w[controls src preload width height poster]
+
+        # GFM task list checkboxes (`- [ ]` / `- [x]`) render as
+        # <input type="checkbox" disabled> via Commonmarker's tasklist
+        # extension. Strip any other <input> variant before sanitization
+        # so allowing the `input` tag in the safelist can't smuggle in
+        # text/image/submit inputs.
+        scrubbed = Loofah.fragment(description.to_s)
+        scrubbed.css("input").each do |node|
+          unless node["type"] == "checkbox" && node.has_attribute?("disabled")
+            node.remove
+          end
+        end
+
         self.description = ActionController::Base.helpers.sanitize(
-          description,
-          tags: Rails::HTML5::SafeListSanitizer.allowed_tags.to_a + table_tags,
-          attributes: Rails::HTML5::SafeListSanitizer.allowed_attributes.to_a + table_attrs + attachment_attrs + %w[data-lexical]
+          scrubbed.to_html,
+          tags: Rails::HTML5::SafeListSanitizer.allowed_tags.to_a + table_tags + media_tags + %w[input],
+          attributes: Rails::HTML5::SafeListSanitizer.allowed_attributes.to_a + table_attrs + attachment_attrs + task_list_attrs + media_attrs + %w[data-lexical]
         )
       end
 
+      # Sync creative.files to exactly the blobs referenced in the description
+      # HTML (attach new, detach removed). Must never raise during save —
+      # malformed HTML yields [] and a no-op.
+      #
+      # Markdown-mode creatives manage their own blobs via MarkdownConverter;
+      # the embed paths demote markdown -> html first, so uploads still reconcile.
+      def reconcile_description_attachments
+        return if data&.dig("content_type") == "markdown"
+        # Linked creatives don't own their description (it lives on the origin)
+        # and their own column is blank, so reconcile would treat every legacy
+        # attachment as an orphan and purge it on the next save (e.g. a
+        # reparent). Skip them to preserve pre-existing linked-row attachments.
+        return if origin_id.present?
+
+        referenced = extract_signed_ids_from_description.filter_map do |sid|
+          ActiveStorage::Blob.find_signed(sid)
+        rescue ActiveSupport::MessageVerifier::InvalidSignature, ActiveRecord::RecordNotFound
+          nil
+        end
+        referenced_ids = referenced.map(&:id).to_set
+
+        current = files.includes(:blob).to_a
+        current_blob_ids = current.map(&:blob_id).to_set
+
+        to_attach = referenced.reject { |b| current_blob_ids.include?(b.id) }
+        to_detach = current.reject { |a| referenced_ids.include?(a.blob_id) }
+        return if to_attach.empty? && to_detach.empty?
+
+        to_attach.each { |blob| files.attach(blob) }
+        to_detach.each { |attachment| detach_and_maybe_purge(attachment) }
+      rescue StandardError => e
+        Rails.logger.error("Creative##{id}: reconcile_description_attachments failed: #{e.message}")
+      end
+
+      # Detach this creative's join, then purge the blob ONLY if nothing else
+      # references it — a shared blob (description copied between creatives)
+      # would otherwise be deleted out from under the others, 404-ing their
+      # descriptions.
+      def detach_and_maybe_purge(attachment)
+        blob = attachment.blob
+        attachment.delete
+        return if blob.nil?
+
+        signed_id = blob.signed_id
+        still_referenced = Creative.where.not(id: id)
+                                   .where("description LIKE ?", "%#{ActiveRecord::Base.sanitize_sql_like(signed_id)}%")
+                                   .exists?
+        return if still_referenced
+        return if ActiveStorage::Attachment.where(blob_id: blob.id).exists?
+
+        blob.purge_later
+      end
+
       def purge_description_attachments
         return if description.blank?
 
@@ -74,6 +272,7 @@ module Collavre
 
         ids = html.scan(%r{/rails/active_storage/blobs/(?:redirect|proxy)/([^/?#]+)}).flatten
         ids += html.scan(%r{/rails/active_storage/blobs/([^/?#]+)}).flatten
+        ids += html.scan(%r{/public-assets/blobs/([^/?#]+)}).flatten
 
         ids.uniq
       end

data/app/models/collavre/creative.rb

@@ -24,6 +24,8 @@ module Collavre
     has_many :comment_read_pointers, class_name: "Collavre::CommentReadPointer", dependent: :delete_all
     has_many :comment_snapshots, class_name: "Collavre::CommentSnapshot", dependent: :destroy
 
+    has_many_attached :files, dependent: :purge_later
+
     has_closure_tree order: :sequence, name_column: :description, hierarchy_table_name: "creative_hierarchies"
 
     # --- Archive scopes ---

data/app/models/collavre/creative_share.rb

@@ -64,6 +64,7 @@ module Collavre
 
     def notify_recipient
       return unless Current.user && user
+      return if user.ai_user?
       inbox_creative = Creative.inbox_for(user)
       short_title = ActionController::Base.helpers.truncate(
         ActionController::Base.helpers.strip_tags(creative.effective_description),

data/app/models/collavre/integration_setting.rb

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+module Collavre
+  # Stores externally-configurable integration secrets (Slack, Google OAuth,
+  # AWS S3/SES, FCM, etc.) on a per-key basis with `value` encrypted at rest.
+  #
+  # Distinct from {Collavre::SystemSetting}, which stores unencrypted app-behavior
+  # toggles (rate limits, themes, etc.). Pair with
+  # {Collavre::IntegrationSettings::Registry} (key definitions) and
+  # {Collavre::IntegrationSettings::Resolver} (DB > ENV > default precedence).
+  class IntegrationSetting < ApplicationRecord
+    self.table_name = "integration_settings"
+
+    encrypts :value, deterministic: false
+
+    validates :key, presence: true, uniqueness: true
+    validates :category, presence: true
+
+    after_commit :clear_cache
+
+    def self.cache_key_for(key)
+      "collavre/integration_setting/#{key}"
+    end
+
+    private
+
+    def clear_cache
+      Rails.cache.delete(self.class.cache_key_for(key))
+      if saved_change_to_key?
+        old_key = saved_change_to_key.first
+        Rails.cache.delete(self.class.cache_key_for(old_key)) if old_key.present?
+      end
+    end
+  end
+end

data/app/models/collavre/preview_channel.rb

@@ -0,0 +1,93 @@
+module Collavre
+  # Topic chip for a running development preview server. Unlike
+  # GithubPrChannel there is no external webhook source — the chip is
+  # populated by AI Agents (or humans) calling preview_attach/preview_detach
+  # MCP tools, one for each ./bin/dev they spin up alongside a worktree.
+  class PreviewChannel < Collavre::Channel
+    self.table_name = "channels"
+
+    PREVIEW_STATES = %w[running stopped].freeze
+
+    def preview_url
+      config["preview_url"]
+    end
+
+    def worktree_id
+      config["worktree_id"]
+    end
+
+    def custom_label
+      config["label"]
+    end
+
+    # Chip fallbacks rendered immediately on attach, before the user has
+    # interacted with the chip. The label prefers the caller-supplied
+    # "Preview #42" style override and falls back to a localized default;
+    # the link is always the preview URL.
+    def default_label
+      custom_label.presence || I18n.t("collavre.channel.preview.label_default")
+    end
+
+    def default_link
+      preview_url
+    end
+
+    def badge_state
+      preview_state
+    end
+
+    def badge_title
+      I18n.t("collavre.channel.preview.badge.#{preview_state}", default: preview_state.to_s)
+    end
+
+    def preview_state
+      state = config["preview_state"].to_s
+      PREVIEW_STATES.include?(state) ? state : "running"
+    end
+
+    def preview_state=(value)
+      value = value.to_s
+      raise ArgumentError, "Invalid preview_state: #{value.inspect}" unless PREVIEW_STATES.include?(value)
+      self.config = config.merge("preview_state" => value)
+    end
+
+    def attached_message
+      Collavre::Channel::InjectedMessage.new(
+        speaker: channel_bot_user,
+        message: I18n.t("collavre.channel.preview.attached_message",
+                        label: default_label, url: preview_url),
+        label: default_label,
+        link: preview_url
+      )
+    end
+
+    # PreviewChannel has no external event source — preview_attach/detach
+    # mutate the channel directly. The base `handle` would raise
+    # NotImplementedError, so override with an explicit no-op.
+    def handle(event:, payload:)
+      nil
+    end
+
+    private
+
+    # Same bot user as GithubPrChannel so all channel-injected comments come
+    # from a single "Channel" speaker in the topic timeline.
+    def channel_bot_user
+      @channel_bot_user ||=
+        Collavre::User.find_by(email: Collavre::Channel::BOT_EMAIL) ||
+          ensure_channel_bot_user!
+    end
+
+    def ensure_channel_bot_user!
+      email = Collavre::Channel::BOT_EMAIL
+      user = Collavre::User.find_or_initialize_by(email: email)
+      user.name = Collavre::Channel::BOT_NAME
+      user.password = SecureRandom.hex(32) if user.new_record?
+      user.email_verified_at ||= Time.current
+      user.searchable = false if user.respond_to?(:searchable=)
+      user.llm_vendor = nil
+      user.save!
+      user
+    end
+  end
+end

data/app/models/collavre/system_setting.rb

@@ -25,9 +25,15 @@ module Collavre
     # By default, public access is allowed (false)
     DEFAULT_CREATIVES_LOGIN_REQUIRED = false
 
-    # Default home page path (nil means use root_path "/")
+    # Default home page path for unauthenticated visitors (nil means use root_path "/")
     DEFAULT_HOME_PAGE_PATH = nil
 
+    # Default home page path for authenticated users.
+    # Signed-in visitors hitting "/" are redirected to this path when the
+    # admin has not configured a value. Set to "/" via the admin UI to
+    # disable the redirect and fall back to the unauthenticated rewrite.
+    DEFAULT_HOME_PAGE_PATH_AUTHENTICATED = "/creatives"
+
     # Default theme IDs (nil means use built-in light/dark)
     # These reference UserTheme IDs for admin-configured custom themes
     DEFAULT_LIGHT_THEME_ID = nil
@@ -59,7 +65,7 @@ module Collavre
         lockout_duration_minutes session_timeout_minutes password_min_length
         password_reset_rate_limit password_reset_rate_period_minutes
         api_rate_limit api_rate_period_minutes auth_providers_disabled
-        creatives_login_required home_page_path default_light_theme_id default_dark_theme_id
+        creatives_login_required home_page_path home_page_path_authenticated default_light_theme_id default_dark_theme_id
         display_level completion_mark llm_request_timeout_seconds
       ].each { |k| Rails.cache.delete("system_setting:#{k}") }
     end
@@ -88,6 +94,11 @@ module Collavre
       value.presence
     end
 
+    def self.home_page_path_authenticated
+      value = cached_value("home_page_path_authenticated")
+      value.presence || DEFAULT_HOME_PAGE_PATH_AUTHENTICATED
+    end
+
     def self.mcp_tool_approval_required?
       if Current.mcp_tool_approval_required.nil?
         Current.mcp_tool_approval_required = cached_value("mcp_tool_approval_required") == "true"

data/app/models/collavre/task.rb

@@ -15,7 +15,7 @@ module Collavre
     after_update_commit :broadcast_stop_button_removal, if: :became_terminal?
 
     scope :running_for_topic, ->(topic_id, creative_id = nil) {
-      rel = where(topic_id: topic_id, status: "running")
+      rel = where(topic_id: topic_id, status: %w[running delegated])
       rel = rel.where(creative_id: creative_id) if creative_id
       rel
     }
@@ -25,19 +25,44 @@ module Collavre
       rel.order(:created_at)
     }
 
-    # Check if agent already has a running task triggered by the same comment
+    # Check if agent already has an in-flight task triggered by the same comment.
+    # Treats "delegated" as in-flight: a Claude Channel task that is waiting on
+    # an external MCP reply is still active work — re-dispatching the same
+    # comment would produce duplicate replies.
     def self.duplicate_running_for_comment?(agent_id, comment_id)
-      where(agent_id: agent_id, status: "running", trigger_event_name: "comment_created")
+      where(agent_id: agent_id, status: %w[running delegated], trigger_event_name: "comment_created")
         .find_each do |task|
         return true if task.trigger_event_payload&.dig("comment", "id").to_s == comment_id.to_s
       end
       false
     end
 
+    # Replay the after_update_commit callbacks when the status transition was
+    # made via an UPDATE that bypassed callbacks (e.g. update_all in an atomic
+    # claim flow). The private callback predicates rely on
+    # saved_change_to_attribute? which is false outside a save lifecycle, so
+    # the callbacks themselves would no-op when called directly. This method
+    # is the supported escape hatch for AgentsController#finalize_claimed_task
+    # to drive the same side effects (trigger-loop continuation + stop-button
+    # broadcast) once the related reply_comment has been persisted.
+    def fire_completion_callbacks_after_external_claim
+      check_trigger_loop_completion if trigger_loop_completion_eligible?
+      broadcast_stop_button_removal if terminal_status?
+    end
+
     private
 
     def trigger_loop_candidate?
-      return false unless saved_change_to_attribute?("status") && status == "done"
+      return false unless saved_change_to_attribute?("status")
+
+      trigger_loop_completion_eligible?
+    end
+
+    # State-only eligibility check (no save-lifecycle dependency).
+    # Reused by trigger_loop_candidate? for the callback path and by
+    # fire_completion_callbacks_after_external_claim for explicit replay.
+    def trigger_loop_completion_eligible?
+      return false unless status == "done"
       return false unless trigger_event_name == "comment_created"
       return false unless creative&.parent&.drop_trigger_enabled?
 
@@ -51,7 +76,11 @@ module Collavre
     end
 
     def became_terminal?
-      saved_change_to_attribute?("status") && status.in?(%w[done cancelled failed])
+      saved_change_to_attribute?("status") && terminal_status?
+    end
+
+    def terminal_status?
+      status.in?(%w[done cancelled failed])
     end
 
     def broadcast_stop_button_removal

data/app/models/collavre/topic.rb

@@ -5,8 +5,15 @@ module Collavre
     belongs_to :creative, class_name: "Collavre::Creative"
     belongs_to :user, class_name: Collavre.configuration.user_class_name
     belongs_to :source_topic, class_name: "Collavre::Topic", optional: true
+    belongs_to :primary_agent, class_name: Collavre.configuration.user_class_name, optional: true
 
     has_many :comments, class_name: "Collavre::Comment", dependent: :destroy
+    has_many :channels, class_name: "Collavre::Channel", dependent: :destroy
+    # Compress/merge snapshots capture a topic's comments as a restore point. The
+    # comment_snapshots -> topics FK has no DB-level ON DELETE, so without this the
+    # row blocks topic deletion (ActiveRecord::InvalidForeignKey -> 500). Once the
+    # topic is gone the snapshot can no longer be restored into it, so :destroy.
+    has_many :comment_snapshots, class_name: "Collavre::CommentSnapshot", dependent: :destroy
     has_many :branches, class_name: "Collavre::Topic", foreign_key: :source_topic_id, dependent: :nullify
     has_many :user_creative_preferences_as_last_topic, class_name: "Collavre::UserCreativePreference",
              foreign_key: :last_topic_id, dependent: :nullify, inverse_of: :last_topic
@@ -21,33 +28,9 @@ module Collavre
 
     default_scope { order(:position) }
 
-    # Returns the primary agent User for this topic (from orchestration policy)
-    def primary_agent
-      policy = OrchestratorPolicy.find_by(
-        policy_type: "arbitration",
-        scope_type: "Topic",
-        scope_id: id
-      )
-      return nil unless policy&.config&.dig("primary_agent_id")
-
-      User.find_by(id: policy.config["primary_agent_id"])
-    end
-
     # Sets or replaces the primary agent for this topic
     def set_primary_agent!(agent)
-      policy = OrchestratorPolicy.find_or_initialize_by(
-        policy_type: "arbitration",
-        scope_type: "Topic",
-        scope_id: id
-      )
-      policy.update!(
-        config: {
-          "strategy" => "primary_first",
-          "primary_agent_id" => agent.id
-        },
-        priority: 10,
-        enabled: true
-      )
+      update!(primary_agent: agent)
     end
 
     def archived?

data/app/models/collavre/user.rb

@@ -157,6 +157,10 @@ module Collavre
       llm_vendor.present?
     end
 
+    def claude_channel_agent?
+      llm_model == "claude-code"
+    end
+
     scope :ai_agents, -> { where.not(llm_vendor: [ nil, "" ]) }
 
     def self.accessible_ai_agents_for(user)