collavre 0.20.3 → 0.22.0

data/app/services/collavre/creatives/index_query.rb

@@ -1,6 +1,15 @@
 module Collavre
 module Creatives
   class IndexQuery
+    # Cap flat search results for the lightweight picker popup (simple mode).
+    # The full-page search (no `simple` flag) is intentionally unbounded.
+    SIMPLE_SEARCH_LIMIT = 50
+
+    # Permission-check matched rows in rank order in slices of this size, so a
+    # heavily-matched query only checks the prefix needed to fill the cap rather
+    # than its entire match set.
+    PERMISSION_FILTER_BATCH = 200
+
     Result = Struct.new(
       :creatives,
       :parent_creative,
@@ -63,12 +72,16 @@ module Creatives
 
     def handle_filtered_query
       scope = determine_scope
+      pipeline = FilterPipeline.new(user: user, params: params, scope: scope)
 
-      result = FilterPipeline.new(
-        user: user,
-        params: params,
-        scope: scope
-      ).call
+      # The picker's flat search (simple mode) only renders matched rows ranked
+      # and capped; ancestors, progress_map and overall_progress are full-page
+      # concerns it never reads (breadcrumbs are resolved separately). Skip that
+      # work — and the per-row readable? N+1 — so a 2-char query in a large tree
+      # caps before doing unbounded resolution.
+      return simple_search_result(pipeline) if simple_search?
+
+      result = pipeline.call
 
       return empty_result if result.matched_ids.empty?
 
@@ -83,9 +96,6 @@ module Creatives
         # Sort by comment updated_at for comment filter
         if params[:comment] == "true"
           matched_creatives = matched_creatives.sort_by { |c| c.comments.maximum(:updated_at) || c.updated_at }.reverse
-        elsif params[:search].present? && params[:simple].present?
-          # Sort by description length (shorter = more relevant match)
-          matched_creatives = matched_creatives.sort_by { |c| c.description.to_s.length }
         end
 
         parent = params[:id] ? Creative.find_by(id: params[:id]) : nil
@@ -109,6 +119,98 @@ module Creatives
       end
     end
 
+    def simple_search?
+      params[:search].present? && params[:simple].present? &&
+        params[:search_mode] != "tree" && params[:comment] != "true"
+    end
+
+    # Lightweight flat-search path for the picker popup: matched rows only,
+    # permission-filtered in one batch, ranked by relevance and capped — without
+    # resolving ancestors/progress for the whole match set.
+    def simple_search_result(pipeline)
+      relation = pipeline.search_only_relation
+      ids = if relation
+        windowed_readable_ids(relation)
+      else
+        matched = pipeline.matched_ids
+        matched.empty? ? [] : ranked_readable_window(matched)
+      end
+      return empty_result if ids.empty?
+
+      by_id = Creative.where(id: ids).index_by(&:id)
+      creatives = ids.filter_map { |id| by_id[id] }
+
+      {
+        creatives: creatives,
+        parent: params[:id] ? Creative.find_by(id: params[:id]) : nil,
+        allowed_ids: nil,
+        overall_progress: nil,
+        progress_map: nil
+      }
+    end
+
+    # Window the ranked search matches entirely in SQL: order by relevance and
+    # pull PERMISSION_FILTER_BATCH-sized slices via LIMIT/OFFSET, permission-filtering
+    # each and stopping as soon as the cap is filled. The match itself stays a
+    # subquery (`id IN (<search relation>)`), so Ruby never holds the full match-id
+    # set at once — only one PERMISSION_FILTER_BATCH window is in memory at a time.
+    # Wrapping the join+distinct search as a subquery also keeps the outer relation
+    # join-free, so `ORDER BY LENGTH(description)` is portable (no Postgres
+    # "DISTINCT + ORDER BY must be in select list" issue). The DB still scans/sorts
+    # all matches (inherent to a leading-wildcard LIKE + global relevance ranking),
+    # but the rows crossing into Ruby are bounded per window.
+    #
+    # The loop continues until the cap is filled OR the match set is exhausted —
+    # there is no fixed window ceiling. A ceiling would silently truncate results:
+    # in a multi-user install the match scope is every `origin_id: nil` row before
+    # permission filtering, so a user's readable matches can sort after many
+    # unreadable ones, and capping the scan would return an empty/incomplete result
+    # even though matching readable creatives exist. Termination is guaranteed by the
+    # finite match set (offset advances past the last row → empty window → break);
+    # per-window memory stays bounded regardless of how deep the scan goes.
+    # PermissionFilter stays the single source of read permission. LENGTH() is
+    # portable across SQLite/Postgres/MySQL and byte-vs-char length is immaterial
+    # for a ranking heuristic.
+    def windowed_readable_ids(relation)
+      ordered = Creative.where(id: relation.select(:id))
+        .order(Arel.sql("LENGTH(creatives.description)"), :id)
+
+      readable = []
+      offset = 0
+      loop do
+        window = ordered.offset(offset).limit(PERMISSION_FILTER_BATCH).pluck(:id)
+        break if window.empty?
+
+        permitted = PermissionFilter.new(user: user).readable_ids(window).to_set
+        window.each { |id| readable << id if permitted.include?(id) }
+        break if readable.size >= SIMPLE_SEARCH_LIMIT || window.size < PERMISSION_FILTER_BATCH
+
+        offset += PERMISSION_FILTER_BATCH
+      end
+      readable.first(SIMPLE_SEARCH_LIMIT)
+    end
+
+    # Fallback for when other filters are active alongside search (no single-relation
+    # form): rank the already-matched ids by relevance in the DB, then permission-filter
+    # in that order one slice at a time, stopping as soon as the cap is filled. Only the
+    # prefix needed for SIMPLE_SEARCH_LIMIT readable rows is permission-checked and
+    # materialized. The matched-id set itself is plucked up front here (it was already
+    # intersected across filters in Ruby), which is why the search-only path prefers the
+    # windowed subquery above. PermissionFilter stays the single source of read permission.
+    def ranked_readable_window(matched)
+      ranked_ids = Creative.where(id: matched)
+        .order(Arel.sql("LENGTH(creatives.description)"), :id)
+        .pluck(:id)
+
+      readable = []
+      ranked_ids.each_slice(PERMISSION_FILTER_BATCH) do |slice|
+        permitted = PermissionFilter.new(user: user).readable_ids(slice).to_set
+        slice.each { |id| readable << id if permitted.include?(id) }
+        break if readable.size >= SIMPLE_SEARCH_LIMIT
+      end
+      readable.first(SIMPLE_SEARCH_LIMIT)
+    end
+
     def handle_id_query
       creative = Creative.find_by(id: params[:id])
       return empty_result unless creative && readable?(creative)

data/app/services/collavre/creatives/permission_filter.rb

@@ -0,0 +1,50 @@
+module Collavre
+module Creatives
+  # Batch "which of these creative ids can the user read?" using the O(1)
+  # CreativeSharesCache table. Extracted from FilterPipeline so the picker's
+  # has_children presence check can apply the exact same permission posture as
+  # the browse endpoint (children_with_permission) without re-deriving it.
+  #
+  # no_access wins over a public share, so user-level denials are subtracted
+  # from the public set. Owned creatives are always readable.
+  class PermissionFilter
+    def initialize(user:)
+      @user = user
+    end
+
+    # Returns the subset of `ids` the user may read, as an Array.
+    def readable_ids(ids)
+      ids = ids.to_a
+      return [] if ids.empty?
+
+      accessible_ids = Set.new
+
+      if user
+        user_accessible = []
+        user_denied = Set.new
+        CreativeSharesCache.where(creative_id: ids, user_id: user.id)
+          .pluck(:creative_id, :permission).each do |cid, perm|
+            perm == "no_access" ? user_denied << cid : user_accessible << cid
+          end
+        accessible_ids.merge(user_accessible)
+
+        public_ids = CreativeSharesCache.where(creative_id: ids, user_id: nil)
+          .where.not(permission: :no_access).pluck(:creative_id)
+        accessible_ids.merge(public_ids - user_denied.to_a)
+
+        owned_ids = Creative.where(id: ids, user_id: user.id).pluck(:id)
+        accessible_ids.merge(owned_ids)
+      else
+        accessible_ids = CreativeSharesCache.where(creative_id: ids, user_id: nil)
+          .where.not(permission: :no_access).pluck(:creative_id).to_set
+      end
+
+      accessible_ids.to_a
+    end
+
+    private
+
+    attr_reader :user
+  end
+end
+end

data/app/services/collavre/creatives/reveal_path_resolver.rb

@@ -0,0 +1,118 @@
+module Collavre
+module Creatives
+  # Resolves, for each flat-search hit that is only reachable through a linked
+  # creative shell, the path of node ids to expand *in the signed-in user's own
+  # tree* to surface that shell — ordered root-most ancestor down to the shell
+  # itself.
+  #
+  # Why this exists: search breadcrumbs (BreadcrumbResolver) carry the hit's
+  # *origin-space* ancestors. When a shared subtree is represented by a shell
+  # nested under one of the user's own folders, those origin ancestors never
+  # include the local folder that contains the shell, so the picker's
+  # breadcrumb-jump cannot expand down to it (the shell <li> is never rendered
+  # and `_findItem` returns null). This service supplies the missing user-local
+  # prefix `[localFolder..., shellId]`; the client expands it before walking the
+  # origin chain. Display is unaffected — only navigation.
+  #
+  # Returns { hit_id (Integer) => { origin_ancestor_id (Integer) => [user_tree_id, ...] } },
+  # i.e. for each hit, a per-origin-ancestor map: every origin ancestor (incl.
+  # the hit itself) that the user holds a renderable shell for maps to the local
+  # path that surfaces *that* shell. The client anchors a breadcrumb click at the
+  # entry at/above the clicked crumb, so a higher ancestor crumb resolves through
+  # its own shell rather than a deeper one (a user may hold shells at several
+  # depths of the same shared subtree). Hits not routed through any shell are
+  # omitted (their origin path already matches rendered ids).
+  class RevealPathResolver
+    def initialize(creative_ids, user: nil, include_archived: false)
+      @ids = Array(creative_ids).map { |id| id.to_s.to_i }.uniq.reject(&:zero?)
+      @user = user
+      @include_archived = include_archived
+    end
+
+    def call
+      return {} if @ids.empty? || user.nil?
+
+      # Origin-space self+ancestor rows for every hit (generations 0 = self).
+      hit_rows = CreativeHierarchy
+        .where(descendant_id: @ids)
+        .pluck(:descendant_id, :ancestor_id, :generations)
+      return {} if hit_rows.empty?
+
+      shells_by_origin = user_shells_by_origin(hit_rows.map { |_d, a, _g| a }.uniq)
+      return {} if shells_by_origin.empty?
+
+      local_prefix = local_ancestor_paths(shells_by_origin.values.flatten.uniq)
+
+      # For each hit, map every origin ancestor (incl. self) that has a renderable
+      # user shell to the local path [localFolder..., shellId] surfacing it.
+      hit_rows.group_by { |descendant_id, _a, _g| descendant_id }
+        .each_with_object({}) do |(hit_id, rows), out|
+          paths = rows.each_with_object({}) do |(_d, ancestor_id, _g), acc|
+            next if acc.key?(ancestor_id)
+
+            shell_ids = shells_by_origin[ancestor_id]
+            next unless shell_ids
+
+            # A user may hold several shells for the same origin; pick the first
+            # whose local path is actually renderable (not behind an archived
+            # folder; [] for a root shell counts as renderable).
+            shell_id = shell_ids.find { |sid| local_prefix[sid] }
+            next unless shell_id
+
+            acc[ancestor_id] = local_prefix[shell_id] + [ shell_id ]
+          end
+          out[hit_id] = paths if paths.any?
+        end
+    end
+
+    private
+
+    attr_reader :ids, :user, :include_archived
+
+    # Shells the signed-in user owns whose origin is one of the hits' ancestors,
+    # grouped by origin id (a user can hold more than one shell per origin).
+    # Archived shells are excluded (unless show_archived) so the reveal path only
+    # targets nodes the browse endpoint actually renders.
+    def user_shells_by_origin(origin_ids)
+      return {} if origin_ids.empty?
+
+      scope = Creative
+        .where(user_id: user.id)
+        .where.not(origin_id: nil)
+        .where(origin_id: origin_ids)
+      scope = scope.where(archived_at: nil) unless include_archived
+      scope.pluck(:origin_id, :id).each_with_object({}) do |(origin_id, id), grouped|
+        (grouped[origin_id] ||= []) << id
+      end
+    end
+
+    # User-local ancestors of each shell (the user's own folders above it),
+    # ordered root-most down to the shell's immediate parent. Returns nil for a
+    # shell whose path crosses an archived (unrendered) folder, since the browse
+    # path could never expand down to it.
+    def local_ancestor_paths(shell_ids)
+      rows = CreativeHierarchy
+        .where(descendant_id: shell_ids)
+        .where("generations > 0")
+        .pluck(:descendant_id, :ancestor_id, :generations)
+      by_shell = rows.group_by { |descendant_id, _a, _g| descendant_id }
+      archived = archived_ancestor_ids(rows.map { |_d, a, _g| a }.uniq)
+
+      shell_ids.index_with do |shell_id|
+        ordered = (by_shell[shell_id] || [])
+          .sort_by { |_d, _a, generations| -generations }
+          .map { |_d, ancestor_id, _g| ancestor_id }
+        ordered.any? { |ancestor_id| archived.include?(ancestor_id) } ? nil : ordered
+      end
+    end
+
+    # Ancestor folder ids that are archived (and thus hidden from the browse path
+    # unless show_archived). Empty when show_archived is set.
+    def archived_ancestor_ids(ancestor_ids)
+      return Set.new if include_archived || ancestor_ids.empty?
+
+      Creative.where(id: ancestor_ids).where.not(archived_at: nil).pluck(:id).to_set
+    end
+  end
+end
+end

data/app/services/collavre/creatives/tree_builder.rb

@@ -128,7 +128,7 @@ module Creatives
           sequence: creative.sequence,
           link_url: view_context.collavre.creative_path(creative),
           templates: template_payload_for(creative, has_children: filtered_children.any?),
-          inline_editor_payload: inline_editor_payload_for(creative),
+          inline_editor_payload: inline_editor_payload_for(creative, can_write: cached_can_write?(creative)),
           children_container: children_container_payload(
             creative,
             filtered_children,
@@ -187,11 +187,15 @@ module Creatives
       }
     end
 
-    def inline_editor_payload_for(creative)
+    def inline_editor_payload_for(creative, can_write:)
+      effective = creative.effective_origin(Set.new)
+      origin_writable = effective.id == creative.id ? can_write : creative.has_permission?(user, :write)
       {
         description_raw_html: creative.effective_description(nil, true),
         progress: creative.progress,
-        origin_id: creative.origin_id
+        origin_id: creative.origin_id,
+        content_type: effective.data&.dig("content_type"),
+        markdown_source: origin_writable ? effective.data&.dig("markdown_source") : nil
       }
     end
 

data/app/services/collavre/crons/recurring_task_arguments.rb

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+module Collavre
+  module Crons
+    # Shared parsing for SolidQueue::RecurringTask records that back our crons.
+    # The cron's creative_id/topic_id/agent_id/message live inside the task's
+    # `arguments` JSON (an array whose first element is the keyword hash), and
+    # the creative id is also encoded in the key as `cron_<creative_id>_<hex>`.
+    #
+    # Included by CronListService and Topics::OrphanedCronNotifier so the
+    # arguments format is parsed in exactly one place.
+    module RecurringTaskArguments
+      private
+
+      def parse_arguments(task)
+        args = task.arguments
+        return {} unless args.is_a?(Array) && args.first.is_a?(Hash)
+
+        args.first.stringify_keys
+      end
+
+      def parse_creative_id_from_key(key)
+        match = key.match(/\Acron_(\d+)_/)
+        match[1].to_i if match
+      end
+    end
+  end
+end

data/app/services/collavre/google_calendar_service.rb

@@ -110,8 +110,10 @@ module Collavre
       raise GoogleCalendarError, I18n.t("collavre.google_calendar.errors.not_connected") if token.blank?
 
       Google::Auth::UserRefreshCredentials.new(
-        client_id:     ENV["GOOGLE_CLIENT_ID"] || Rails.application.credentials.dig(:google, :client_id),
-        client_secret: ENV["GOOGLE_CLIENT_SECRET"] || Rails.application.credentials.dig(:google, :client_secret),
+        client_id:     Collavre::IntegrationSettings::Resolver.get(:google_client_id).presence ||
+                       Rails.application.credentials.dig(:google, :client_id),
+        client_secret: Collavre::IntegrationSettings::Resolver.get(:google_client_secret).presence ||
+                       Rails.application.credentials.dig(:google, :client_secret),
         scope:         [ Google::Apis::CalendarV3::AUTH_CALENDAR_APP_CREATED ],
         refresh_token: token
       ).tap(&:fetch_access_token!)

data/app/services/collavre/markdown_converter.rb

@@ -14,25 +14,38 @@ module Collavre
       # Falls back to lightweight regex conversion for short inline fragments.
       def markdown_to_html(text, image_refs = {})
         return "" if text.nil?
-        input = text.dup
 
-        # Collect reference-style data-URI images: [alt]: <data:...>
-        input.gsub!(/^\s*\[([^\]]+)\]:\s*<\s*(data:image\/[^>]+)\s*>\s*$/) do
-          image_refs[$1] = $2.strip
-          ""
-        end
+        # Protect fenced code blocks and inline code spans from the regex
+        # rewrites below — a Markdown sample like ```` ```md\n![x](data:...)\n``` ````
+        # must not silently upload its data URI as an Active Storage blob.
+        input = with_code_protected(text.dup) do |source|
+          # Collect reference-style data-URI images. CommonMark allows both the
+          # angle-bracket form `[alt]: <data:...>` and the bare form
+          # `[alt]: data:image/...`, optionally followed by a title.
+          source.gsub!(/^\s*\[([^\]]+)\]:\s*(?:<\s*(data:image\/[^>]+?)\s*>|(data:image\/\S+))\s*(?:"[^"]*"|'[^']*'|\([^)]*\))?\s*$/) do
+            image_refs[$1] = ($2 || $3).strip
+            ""
+          end
 
-        # Convert data-URI images to Active Storage before rendering
-        input.gsub!(/(?<!\\)!\[([^\]]*)\]\[([^\]]+)\]/) do
-          if (data_url = image_refs[$2])
-            data_image_to_attachment(data_url, $1)
-          else
-            "![#{$1}][#{$2}]"
+          # Convert data-URI images to Active Storage before rendering
+          source.gsub!(/(?<!\\)!\[([^\]]*)\]\[([^\]]+)\]/) do
+            if (data_url = image_refs[$2])
+              data_image_to_attachment(data_url, $1)
+            else
+              "![#{$1}][#{$2}]"
+            end
+          end
+
+          # Inline data-URI images. base64 contains no whitespace or `)`, so bound
+          # the URL on those and capture an optional CommonMark title separately;
+          # otherwise `data:...;base64,XYZ "caption"` would be slurped as one URL
+          # and fail the strict parser in `data_image_to_attachment`. Titles may be
+          # double-quoted, single-quoted, or parenthesized per CommonMark.
+          source.gsub!(/(?<!\\)!\[([^\]]*)\]\(\s*(data:image\/[^\s)]+)(?:\s+(?:"[^"]*"|'[^']*'|\([^)]*\)))?\s*\)/) do
+            data_image_to_attachment($2, $1)
           end
-        end
 
-        input.gsub!(/(?<!\\)!\[([^\]]*)\]\((data:image\/[^)]+)\)/) do
-          data_image_to_attachment($2, $1)
+          source
         end
 
         # Render with commonmarker (GFM extensions: table, strikethrough, autolink, tasklist, tagfilter)
@@ -194,8 +207,110 @@ module Collavre
         end
       end
 
+      # Rewrite data-URI image references in Markdown source to point at
+      # newly-created Active Storage blobs. Returns rewritten Markdown.
+      #
+      # Used by the inline Markdown editor to persist blob URLs in the stored
+      # `markdown_source`, so subsequent text edits around the image do not
+      # re-import the same data URI into a fresh blob on every autosave.
+      def rewrite_data_uri_images(text)
+        return text if text.nil?
+        image_refs = {}
+
+        # Protect fenced code blocks and inline code spans before rewriting —
+        # a Markdown code sample like ```` ```md\n![x](data:...)\n``` ```` must
+        # not be silently uploaded as a blob and have its source rewritten,
+        # which would corrupt the user's code snippet on every autosave.
+        with_code_protected(text.dup) do |result|
+          # Collect reference-style data-URI image definitions. CommonMark accepts
+          # both the angle-bracket form `[alt]: <data:...>` and the bare form
+          # `[alt]: data:image/...`, optionally followed by a title. Rewrite each
+          # definition to point at a freshly-uploaded blob, normalizing to the
+          # bare form (titles are dropped since blob paths cannot collide with
+          # surrounding text).
+          result.gsub!(/^(\s*\[)([^\]]+)(\]:\s*)(?:<\s*(data:image\/[^>]+?)\s*>|(data:image\/\S+))(\s*(?:"[^"]*"|'[^']*'|\([^)]*\))?\s*)$/) do
+            lead, label, mid, angle_url, bare_url, tail = $1, $2, $3, $4, $5, $6
+            data_url = (angle_url || bare_url).strip
+            blob_path = data_uri_to_blob_path(data_url)
+            image_refs[label] = blob_path
+            "#{lead}#{label}#{mid}#{blob_path}#{tail}"
+          end
+
+          # Inline data-URI images: ![alt](data:...) or ![alt](data:... "title")
+          # → ![alt](blob_path) / ![alt](blob_path "title"). Parse the title
+          # separately so it doesn't get captured into the data URL and break
+          # strict matching in `data_uri_to_blob_path`. Titles may be
+          # double-quoted, single-quoted, or parenthesized per CommonMark.
+          result.gsub!(/(?<!\\)!\[([^\]]*)\]\(\s*(data:image\/[^\s)]+)(\s+(?:"[^"]*"|'[^']*'|\([^)]*\)))?\s*\)/) do
+            alt, data_url, title = $1, $2, $3
+            "![#{alt}](#{data_uri_to_blob_path(data_url)}#{title})"
+          end
+
+          result
+        end
+      end
+
+      # Convert a data-URI to a freshly-uploaded Active Storage blob path.
+      # Returns the original URL unchanged on parse failure.
+      def data_uri_to_blob_path(data_url)
+        return data_url unless data_url =~ %r{\Adata:(image/[\w.+-]+);base64,(.+)\z}
+
+        content_type = Regexp.last_match(1)
+        data = Base64.decode64(Regexp.last_match(2))
+        ext = Mime::Type.lookup(content_type).symbol.to_s
+        filename = "import-#{SecureRandom.hex}.#{ext}"
+        blob = ActiveStorage::Blob.create_and_upload!(io: StringIO.new(data), filename: filename, content_type: content_type)
+        Rails.application.routes.url_helpers.rails_blob_url(blob, only_path: true)
+      end
+
       private
 
+      # Run a regex-rewriting block on `text` with fenced code blocks,
+      # indented code blocks, and inline code spans swapped for unique tokens,
+      # then restore the original segments in the block's return value.
+      # Prevents data-URI rewrites from touching code samples that happen to
+      # contain image syntax.
+      def with_code_protected(text)
+        segments = {}
+        index = 0
+        protected_text = text
+
+        # Fenced code blocks (``` or ~~~, indented up to 3 spaces per CommonMark).
+        # The closing fence is optional: per CommonMark, an unclosed fence runs to
+        # end-of-document, so we still need to protect its contents from rewrites.
+        protected_text.gsub!(/^([ \t]{0,3})(`{3,}|~{3,})[^\n]*(?:\n(?:[\s\S]*?\n\1\2[ \t]*(?=\n|\z)|[\s\S]*\z)|\z)/) do |match|
+          token = "\x00MDPROTECT#{index}\x00"
+          segments[token] = match
+          index += 1
+          token
+        end
+
+        # Indented code blocks: contiguous lines each starting with 4+ spaces
+        # or a tab, preceded by start-of-document or a blank line (CommonRule
+        # requirement so we don't mistake list-item continuations for code).
+        protected_text.gsub!(/(\A|\n\n+)((?:(?:[ ]{4,}|\t)[^\n]*(?:\n|\z))+)/) do
+          prefix = Regexp.last_match(1)
+          block = Regexp.last_match(2)
+          token = "\x00MDPROTECT#{index}\x00"
+          segments[token] = block
+          index += 1
+          "#{prefix}#{token}"
+        end
+
+        # Inline single-backtick code spans. Multi-backtick spans are rare in
+        # practice; the protection above already covers fenced samples.
+        protected_text.gsub!(/`[^`\n]+?`/) do |match|
+          token = "\x00MDPROTECT#{index}\x00"
+          segments[token] = match
+          index += 1
+          token
+        end
+
+        rewritten = yield(protected_text)
+        segments.each { |token, original| rewritten.sub!(token, original) }
+        rewritten
+      end
+
       def escape_table_cell(text)
         text.to_s.gsub(/(?<!\\)\|/, '\\|')
       end

data/app/services/collavre/markdown_importer.rb

@@ -6,9 +6,14 @@ module Collavre
     def self.import(content, parent:, user:, create_root: false)
       lines = content.to_s.lines
       image_refs = {}
+      # CommonMark allows both the angle-bracket form `[alt]: <data:...>` and
+      # the bare form `[alt]: data:image/...`, optionally followed by a title
+      # (`"..."`, `'...'`, or `(...)`). Match both so reference-style data-URI
+      # images survive the import path and resolve to attachments downstream
+      # (mirrors MarkdownConverter#markdown_to_html).
       lines.reject! do |ln|
-        if ln =~ /^\s*\[([^\]]+)\]:\s*<\s*(data:image\/[^>]+)\s*>\s*$/
-          image_refs[$1] = $2.strip
+        if ln =~ /^\s*\[([^\]]+)\]:\s*(?:<\s*(data:image\/[^>]+?)\s*>|(data:image\/\S+))\s*(?:"[^"]*"|'[^']*'|\([^)]*\))?\s*$/
+          image_refs[$1] = ($2 || $3).strip
           true
         else
           false

data/app/services/collavre/orchestration/policy_resolver.rb

@@ -88,6 +88,8 @@ module Collavre
 
       # Convenience methods
       def arbitration_strategy
+        return "primary_first" if topic_primary_agent_id.present?
+
         arbitration_config["strategy"]
       end
 
@@ -96,7 +98,7 @@ module Collavre
       end
 
       def primary_agent_id
-        arbitration_config["primary_agent_id"]
+        topic_primary_agent_id || arbitration_config["primary_agent_id"]
       end
 
       # Bid strategy specific
@@ -160,6 +162,14 @@ module Collavre
 
         config
       end
+
+      # Read primary_agent_id directly from the topics table
+      def topic_primary_agent_id
+        topic_id = @context.dig("topic", "id")
+        return nil unless topic_id
+
+        Topic.where(id: topic_id).pick(:primary_agent_id)
+      end
     end
   end
 end

data/app/services/collavre/orchestration/stuck_detector.rb

@@ -59,7 +59,7 @@ module Collavre
           next unless stuck_item.type == :task
 
           task = stuck_item.item
-          next unless task.status == "running"
+          next unless %w[running delegated].include?(task.status)
 
           task.update!(status: "failed")
           Rails.logger.info(
@@ -73,6 +73,23 @@ module Collavre
             tracker.release!(task.id)
           end
 
+          # If this was a workflow subtask, fail the parent so the workflow
+          # advances instead of staying running with pending_creative_ids
+          # pointing at a child that's been failed underneath it.
+          if task.parent_task_id.present?
+            begin
+              Collavre::Comments::WorkflowExecutor.new(task.parent_task).fail_subtask!(
+                task,
+                error_message: "Auto-recovered: stuck for " \
+                               "#{((Time.current - stuck_item.stuck_since) / 60).round} minutes"
+              )
+            rescue StandardError => e
+              Rails.logger.error(
+                "[StuckDetector] fail_subtask! failed for task #{task.id}: #{e.message}"
+              )
+            end
+          end
+
           # Drain the queue for the topic so waiting tasks can execute
           AgentOrchestrator.dequeue_next_for_topic(task.topic_id, task.creative_id)
         rescue StandardError => e
@@ -89,7 +106,10 @@ module Collavre
         threshold_minutes = config["task_stuck_threshold_minutes"] || 30
         threshold_time = threshold_minutes.minutes.ago
 
-        stuck_tasks = Task.where(status: "running")
+        # Include delegated tasks: Claude Channel tasks sit in delegated
+        # waiting for an external MCP reply; if the client disconnects, the
+        # task can otherwise stay delegated forever and block the topic queue.
+        stuck_tasks = Task.where(status: %w[running delegated])
                           .where("updated_at < ?", threshold_time)
 
         stuck_tasks.filter_map do |task|