collavre 0.22.0 → 0.23.0

data/app/models/collavre/comment/notifiable.rb

@@ -118,7 +118,7 @@ module Collavre
       def notify_write_users
         return if private? || !user
         return if streaming_placeholder?
-        return if creative&.inbox? # Don't notify about inbox comments
+        return if suppress_inbox_notification? # only the System topic is the alarm stream
         notification_recipients.each do |recipient|
           create_inbox_comment(
             recipient,
@@ -131,7 +131,7 @@ module Collavre
       def notify_mentions
         return if private?
         return if streaming_placeholder?
-        return if creative&.inbox? # Don't notify about inbox comments
+        return if suppress_inbox_notification? # only the System topic is the alarm stream
         notify_mentioned_users
       end
 
@@ -146,7 +146,7 @@ module Collavre
       end
 
       def notify_ai_write_users
-        return if creative&.inbox? # Don't notify about inbox comments
+        return if suppress_inbox_notification? # only the System topic is the alarm stream
         notification_recipients.each do |recipient|
           create_inbox_comment(
             recipient,
@@ -157,10 +157,20 @@ module Collavre
       end
 
       def notify_ai_mentions
-        return if creative&.inbox? # Don't notify about inbox comments
+        return if suppress_inbox_notification? # only the System topic is the alarm stream
         notify_mentioned_users
       end
 
+      # #1301 made every inbox topic EXCEPT System dispatch like a normal topic;
+      # the alarm stream follows suit. Suppress notifications ONLY for the System
+      # topic itself (its system-authored notices must not cascade into more
+      # notices — a loop). Inbox#Main and other inbox topics notify normally, so
+      # an agent reply there reaches the absent owner. Mirrors the dispatch gate
+      # in Comment#dispatch_to_orchestration.
+      def suppress_inbox_notification?
+        creative&.inbox? && inbox_system_topic?
+      end
+
       def notify_approver
         return unless approver.present? && action.present?
         return if approver == user

data/app/models/collavre/comment.rb

@@ -3,12 +3,54 @@ module Collavre
     self.table_name = "comments"
 
     STREAMING_PLACEHOLDER_CONTENT = "..."
+    # Authorless "⏳" waiting-notice system messages posted when an agent is
+    # deferred for topic concurrency. AgentOrchestrator.cleanup_waiting_notices!
+    # matches the same prefix to remove them once the waiter is dequeued.
+    WAITING_NOTICE_PREFIX = "⏳"
 
     # Use non-namespaced partial path for backward compatibility
     def to_partial_path
       "comments/comment"
     end
 
+    # A system "⏳" waiting notice (no author) telling a user their agent is
+    # deferred because another task holds the topic's running slot.
+    def waiting_notice?
+      user_id.nil? && content.to_s.start_with?(WAITING_NOTICE_PREFIX)
+    end
+
+    # The task holding this topic's concurrency slot — the blocker this waiting
+    # notice is about. Lets the notice render a stop button that cancels the
+    # blocker (freeing the topic so the deferred waiter proceeds) instead of
+    # being an anonymous dead end. Resolved at render time rather than stored on
+    # task_id, which Task#reply_comment keys on (a shared task_id would make the
+    # blocker's reply_comment ambiguous).
+    #
+    # Two gates keep the button honest:
+    #   1. Only THIS notice's own topic-concurrency defer qualifies. The same "⏳"
+    #      notice is also posted for :delayed decisions (busy / rate_limited),
+    #      which schedule a delayed job WITHOUT queuing a topic waiter —
+    #      cancelling some unrelated running task would not unblock them.
+    #      topic_concurrency_defer is set only on the :deferred path, so a
+    #      :delayed notice never shows the button even when an unrelated queued
+    #      waiter happens to share the topic. The queued_for_topic check then
+    #      confirms a waiter is still actually pending on the slot.
+    #   2. Resolve the blocker over occupying_topic_slot, not just running/
+    #      delegated: a holder paused on pending_approval still occupies the slot
+    #      and is cancellable, so the button must stay visible for it.
+    # Returns nil once no slot holder remains — at which point the notice itself
+    # is cleaned up.
+    def topic_blocking_task
+      return @topic_blocking_task if defined?(@topic_blocking_task)
+
+      @topic_blocking_task =
+        if topic_concurrency_defer? && topic_id &&
+           Collavre::Task.queued_for_topic(topic_id, creative_id).exists?
+          Collavre::Task.occupying_topic_slot(topic_id, creative_id)
+                        .includes(:agent).order(:created_at).first
+        end
+    end
+
     belongs_to :creative, class_name: "Collavre::Creative"
     belongs_to :user, class_name: Collavre.configuration.user_class_name, optional: true
     belongs_to :approver, class_name: Collavre.configuration.user_class_name, optional: true
@@ -50,6 +92,10 @@ module Collavre
 
     attribute :skip_default_user, :boolean, default: false
     attribute :skip_dispatch, :boolean, default: false
+    # Set by AgentOrchestrator.cleanup_waiting_notices! so destroying a notice as
+    # part of *promoting* a waiter does not run the user-delete cancel cascade
+    # (which would cancel other still-queued waiters in the same topic).
+    attribute :suppress_waiter_cancellation, :boolean, default: false
 
     before_validation :use_origin_creative
     before_validation :assign_default_user, on: :create
@@ -142,12 +188,18 @@ module Collavre
         Collavre::Orchestration::AgentOrchestrator.dequeue_next_for_topic(task.topic_id, task.creative_id)
       end
 
-      # Cancel queued tasks when their waiting notice (system comment) is deleted
-      cancel_queued_tasks_for_waiting_notice if waiting_notice?
-    end
-
-    def waiting_notice?
-      user_id.nil? && content&.start_with?("⏳")
+      # Cancel queued tasks when a user DELETES their waiting notice. Gated to
+      # topic_concurrency_defer notices: only the :deferred path queues a topic
+      # waiter, so a :delayed (busy / rate_limited) "⏳" notice — which shares the
+      # prefix but has no waiter of its own — must not cancel an unrelated queued
+      # waiter that happens to share the topic. Also skipped when the notice is
+      # removed by promotion cleanup (suppress_waiter_cancellation): there the
+      # waiter is being advanced, not abandoned, and cancelling other still-queued
+      # waiters would drop their work (multi-slot orphan recovery must not cancel
+      # the rest).
+      if waiting_notice? && topic_concurrency_defer? && !suppress_waiter_cancellation
+        cancel_queued_tasks_for_waiting_notice
+      end
     end
 
     def cancel_queued_tasks_for_waiting_notice
@@ -164,18 +216,21 @@ module Collavre
       return unless user_id        # nil user = system message
       return if user&.ai_user?     # AI replies use A2aDispatcher, not this callback
       return unless creative
-      # Inbox creatives hold the user's notifications/DMs and normally must not
-      # trigger AI orchestration. Exception: a Claude Channel agent session
-      # registers its topic *inside* the inbox (Creative.inbox_for) and depends
-      # on the orchestration pipeline (Matcher → Arbiter → AiAgentService) to
-      # deliver comments to the running session. Scope the exception to actual
-      # Claude Channel session topics (primary_agent is a claude_channel_agent?).
-      # An inbox topic can be given any ai_user as primary_agent via
-      # TopicsController#set_primary_agent; gating on mere primary_agent presence
-      # would leak ordinary inbox DMs to the live Claude session, which holds
-      # inbox-wide :feedback + routing_expression="true" and would be selected by
-      # the Matcher for any dispatched inbox comment.
-      return if creative.inbox? && !claude_channel_session_topic?
+      # Inbox creatives hold the user's notifications AND ordinary conversations.
+      # Only the System topic is special: it carries alarms/notifications (stuck
+      # recovery, share notices, …) and must never trigger AI. Every OTHER inbox
+      # topic — Main, Content, user threads, Claude Channel session topics — is an
+      # ordinary conversation surface and dispatches exactly like a normal
+      # (non-inbox) topic.
+      #
+      # A live Claude Channel session holds inbox-wide :feedback +
+      # routing_expression="true", so it would otherwise be selected by the
+      # Matcher for *every* dispatched inbox comment (leaking ordinary inbox
+      # threads into the live session). That confinement now lives in
+      # Orchestration::Matcher, which scopes a Claude session agent to its own
+      # registered session topic — keeping non-System topics truly identical to a
+      # normal topic whether or not a session is live.
+      return if creative.inbox? && inbox_system_topic?
 
       # A Claude Channel session suspended on a native tool-permission prompt
       # parks its in-flight dispatch as a `delegated` task carrying a
@@ -200,19 +255,12 @@ module Collavre
       raise  # re-raise so calling jobs (e.g. DropTriggerJob) can retry
     end
 
-    # True only when this comment's topic is an actual Claude Channel session
-    # topic — it carries the registration marker (session_id) AND its
-    # primary_agent is a claude_channel_agent? (llm_model "claude-code"). Used to
-    # scope the inbox dispatch exception so ordinary inbox threads stay local.
-    #
-    # session_id is required, not just the Claude primary_agent: a Claude
-    # channel ai_user can be assigned as primary_agent on an ordinary inbox
-    # topic via TopicsController#set_primary_agent without ever registering a
-    # session. Gating on the agent alone would dispatch that ordinary thread and
-    # leak it to the live Claude session. session_id is exactly what
-    # ClaudeChannelAdapter#session_topic? keys on, so the two stay consistent.
-    def claude_channel_session_topic?
-      topic&.session_id.present? && topic&.primary_agent&.claude_channel_agent?
+    # The inbox System topic is the alarm/notification stream and must never
+    # trigger AI orchestration. Matched by name (Creative::SYSTEM_TOPIC_NAME),
+    # the same topic Creative#system_topic finds/creates and that stuck-recovery
+    # and share notices post into.
+    def inbox_system_topic?
+      topic&.name == Creative::SYSTEM_TOPIC_NAME
     end
 
     def assign_default_user

data/app/models/collavre/creative/describable.rb

@@ -5,6 +5,11 @@ module Collavre
 
       included do
         attr_accessor :content_type_input
+        # Which editing surface authored this Markdown: "rich" (Lexical) reopens
+        # in the rich editor, "source" (or absent/legacy) reopens in the advanced
+        # textarea. Stored in data["editor"]; decoupled from the storage format
+        # (content_type), which is now Markdown for both surfaces.
+        attr_accessor :markdown_editor
         attr_reader :markdown_source
 
         def markdown_source=(value)
@@ -128,6 +133,9 @@ module Collavre
           prev_source = data["markdown_source"].to_s
           prev_type = data["content_type"]
           self.data["content_type"] = "markdown"
+          # Remember which surface authored this. Absent param (MCP/tool writes)
+          # keeps the prior choice, defaulting to the advanced textarea.
+          self.data["editor"] = markdown_editor.presence || data["editor"] || "source"
           if new_source != prev_source || prev_type != "markdown"
             # Rewrite inline data-URI images to freshly-uploaded blob paths
             # FIRST, then persist the rewritten source. Subsequent edits
@@ -149,6 +157,7 @@ module Collavre
           self.data ||= {}
           self.data.delete("content_type")
           self.data.delete("markdown_source")
+          self.data.delete("editor")
         elsif !new_record? && description_changed? && data&.dig("content_type") == "markdown"
           # Description was rewritten through a non-markdown path (tool/MCP
           # update, direct base.update(description: ...), etc.) on a creative
@@ -158,6 +167,7 @@ module Collavre
           # Demote to HTML mode so the persisted source matches description.
           self.data.delete("content_type")
           self.data.delete("markdown_source")
+          self.data.delete("editor")
         end
       end
 
@@ -181,21 +191,67 @@ module Collavre
           end
         end
 
+        # The Lexical editor stores text color / background as inline <span
+        # style="...">. Tighten every style attribute to ONLY validated color /
+        # background-color declarations BEFORE sanitization, so allowing `style`
+        # in the safelist can't smuggle layout/position/url() payloads.
+        scrub_inline_color_styles(scrubbed)
+
         self.description = ActionController::Base.helpers.sanitize(
           scrubbed.to_html,
           tags: Rails::HTML5::SafeListSanitizer.allowed_tags.to_a + table_tags + media_tags + %w[input],
-          attributes: Rails::HTML5::SafeListSanitizer.allowed_attributes.to_a + table_attrs + attachment_attrs + task_list_attrs + media_attrs + %w[data-lexical]
+          attributes: Rails::HTML5::SafeListSanitizer.allowed_attributes.to_a + table_attrs + attachment_attrs + task_list_attrs + media_attrs + %w[data-lexical style]
         )
       end
 
-      # Sync creative.files to exactly the blobs referenced in the description
-      # HTML (attach new, detach removed). Must never raise during save —
-      # malformed HTML yields [] and a no-op.
+      # Only these CSS color values may appear in a stored inline style — mirrors
+      # the JS markdown serializer's allowlist (markdown_serialize.js). Blocks
+      # url(), expression(), javascript:, and angle brackets.
+      SAFE_COLOR_VALUE = /\A(#[0-9a-fA-F]{3,8}|rgba?\([0-9.,%\s]+\)|hsla?\([0-9.,%\s]+\)|var\(--[a-zA-Z0-9\-_]+\)|[a-zA-Z]+)\z/
+
+      def scrub_inline_color_styles(fragment)
+        fragment.css("[style]").each do |node|
+          declarations = node["style"].to_s.split(";").filter_map do |decl|
+            key, value = decl.split(":", 2)
+            next if key.nil? || value.nil?
+
+            key = key.strip.downcase
+            value = value.strip
+            next unless %w[color background-color].include?(key)
+            next if value =~ /url\(|expression|javascript:|@import|[<>]/i
+            next unless value =~ SAFE_COLOR_VALUE
+
+            "#{key}: #{value}"
+          end
+
+          if declarations.any?
+            node["style"] = declarations.join("; ")
+          else
+            node.remove_attribute("style")
+          end
+        end
+      end
+
+      # Sync creative.files to the blobs referenced in the description HTML
+      # (attach new, detach removed). Must never raise during save — malformed
+      # HTML yields [] and a no-op.
+      #
+      # The rich (Lexical) editor is now Markdown-canonical and serializes
+      # inserted images/videos/files as raw blob-URL tags inside markdown_source,
+      # which markdown_to_html renders into `description`. So reconcile must run
+      # for markdown mode too, otherwise rich-editor uploads never reach
+      # creative.files (and the attachment list/remove services miss them).
       #
-      # Markdown-mode creatives manage their own blobs via MarkdownConverter;
-      # the embed paths demote markdown -> html first, so uploads still reconcile.
+      # Markdown detach is narrowed (not skipped): markdown creatives may carry
+      # legacy blobs attached directly but never embedded in the derived
+      # description (AttachmentBackfill skips markdown, so reconcile is their only
+      # touch point) — those must survive. But media the user actually removed
+      # in-editor WAS referenced in the prior description and no longer is; that
+      # must detach, or creative.files keeps listing a deleted file (the editor's
+      # purge DELETE can't compensate while the attachment still exists). So for
+      # markdown we detach only blobs that were previously referenced. HTML keeps
+      # full detach (backfill embeds its orphans, so none should linger).
       def reconcile_description_attachments
-        return if data&.dig("content_type") == "markdown"
         # Linked creatives don't own their description (it lives on the origin)
         # and their own column is blank, so reconcile would treat every legacy
         # attachment as an orphan and purge it on the next save (e.g. a
@@ -212,8 +268,16 @@ module Collavre
         current = files.includes(:blob).to_a
         current_blob_ids = current.map(&:blob_id).to_set
 
+        markdown = data&.dig("content_type") == "markdown"
         to_attach = referenced.reject { |b| current_blob_ids.include?(b.id) }
-        to_detach = current.reject { |a| referenced_ids.include?(a.blob_id) }
+        unreferenced = current.reject { |a| referenced_ids.include?(a.blob_id) }
+        to_detach =
+          if markdown
+            prev_referenced_ids = blob_ids_referenced_in(description_before_last_save)
+            unreferenced.select { |a| prev_referenced_ids.include?(a.blob_id) }
+          else
+            unreferenced
+          end
         return if to_attach.empty? && to_detach.empty?
 
         to_attach.each { |blob| files.attach(blob) }
@@ -266,9 +330,13 @@ module Collavre
       end
 
       def extract_signed_ids_from_description
-        return [] if description.blank?
+        extract_signed_ids_from(description)
+      end
 
-        html = description.to_s
+      def extract_signed_ids_from(html)
+        return [] if html.blank?
+
+        html = html.to_s
 
         ids = html.scan(%r{/rails/active_storage/blobs/(?:redirect|proxy)/([^/?#]+)}).flatten
         ids += html.scan(%r{/rails/active_storage/blobs/([^/?#]+)}).flatten
@@ -277,6 +345,17 @@ module Collavre
         ids.uniq
       end
 
+      # Blob ids that `html` references, resolving each signed id to its blob.
+      # Used to tell user-removed media (was referenced, now gone) apart from
+      # legacy orphans (never referenced) during markdown reconcile.
+      def blob_ids_referenced_in(html)
+        extract_signed_ids_from(html).filter_map do |sid|
+          ActiveStorage::Blob.find_signed(sid)&.id
+        rescue ActiveSupport::MessageVerifier::InvalidSignature, ActiveRecord::RecordNotFound
+          nil
+        end.to_set
+      end
+
       def description_cannot_change_if_has_origin
         if origin_id.present? && will_save_change_to_description?
           errors.add(:description, "cannot be changed directly when linked to an origin")

data/app/models/collavre/task.rb

@@ -24,6 +24,21 @@ module Collavre
       rel = rel.where(creative_id: creative_id) if creative_id
       rel.order(:created_at)
     }
+    # Tasks that hold a topic concurrency slot: running/delegated (executing)
+    # plus pending — a task that has been claimed (dequeue_next_for_topic moves a
+    # waiter queued -> pending, a retry re-queues to pending, initial dispatch
+    # creates pending) but whose AiAgentJob has not started yet — plus
+    # pending_approval — a task paused awaiting tool approval that intentionally
+    # keeps its resource (AiAgentJob sets should_release = false) and does NOT
+    # drain the topic queue (dequeue_next_for_topic only fires on terminal
+    # statuses done/failed/cancelled/escalated). Orphan detection must count all
+    # of these, otherwise a claimed-but-not-started or approval-paused slot looks
+    # free and a second waiter gets promoted into the same slot.
+    scope :occupying_topic_slot, ->(topic_id, creative_id = nil) {
+      rel = where(topic_id: topic_id, status: %w[running delegated pending pending_approval])
+      rel = rel.where(creative_id: creative_id) if creative_id
+      rel
+    }
 
     # Check if agent already has an in-flight task triggered by the same comment.
     # Treats "delegated" as in-flight: a Claude Channel task that is waiting on

data/app/models/collavre/user.rb

@@ -44,6 +44,15 @@ module Collavre
     has_many :creatives, class_name: "Collavre::Creative", dependent: nil
     before_destroy :destroy_creatives_leaf_first
 
+    # /compress and /merge summaries are durable recovery artifacts: they replace
+    # the deleted original conversation and anchor the restore control (rendered
+    # from the surviving result comment via CommentSnapshot). Detach them (nullify
+    # author) BEFORE the comments dependent: :destroy cascade — prepend ensures we
+    # run first — so deleting the authoring agent/user doesn't destroy the summary
+    # and orphan the snapshot, which would erase the only path to restore the
+    # compressed conversation.
+    before_destroy :preserve_durable_summary_comments, prepend: true
+
     belongs_to :creator, class_name: "Collavre::User", foreign_key: "created_by_id", optional: true
     has_many :created_ai_users, class_name: "Collavre::User", foreign_key: "created_by_id", dependent: :destroy
 
@@ -58,6 +67,15 @@ module Collavre
     attribute :system_admin, :boolean, default: false
     attribute :searchable, :boolean, default: false
 
+    # Typo correction (2D gating: typing-device AND input-location must both be on).
+    attribute :typo_correction_enabled, :boolean, default: true
+    attribute :typo_correction_threshold, :integer, default: 80
+    attribute :typo_correction_on_soft_keyboard, :boolean, default: true
+    attribute :typo_correction_on_voice, :boolean, default: true
+    attribute :typo_correction_on_physical_keyboard, :boolean, default: false
+    attribute :typo_correction_in_chat, :boolean, default: true
+    attribute :typo_correction_in_editor, :boolean, default: false
+
     attribute :google_uid, :string
     attribute :google_access_token, :string
     attribute :google_refresh_token, :string
@@ -140,6 +158,31 @@ module Collavre
       end
     end
 
+    TYPO_CORRECTION_DEVICES = %w[voice soft_keyboard physical_keyboard].freeze
+    TYPO_CORRECTION_LOCATIONS = %w[chat editor].freeze
+
+    # 2D gating: typo correction runs only when the master switch is on AND the
+    # originating typing device AND the input location are both enabled. Unknown
+    # device/location values are treated as disabled (fail closed).
+    def typo_correction_active_for?(device:, location:)
+      return false unless typo_correction_enabled
+
+      device_on = case device.to_s
+      when "voice" then typo_correction_on_voice
+      when "soft_keyboard" then typo_correction_on_soft_keyboard
+      when "physical_keyboard" then typo_correction_on_physical_keyboard
+      else false
+      end
+
+      location_on = case location.to_s
+      when "chat" then typo_correction_in_chat
+      when "editor" then typo_correction_in_editor
+      else false
+      end
+
+      device_on && location_on
+    end
+
     LLM_VENDOR_OPTIONS = [
       [ "Google (Gemini)", "google" ],
       [ "OpenAI", "openai" ],
@@ -148,7 +191,7 @@ module Collavre
     ].freeze
 
     SUPPORTED_LLM_MODELS = [
-      "gemini-3-flash-preview",
+      "gemini-3.1-flash-lite",
       "gemini-1.5-flash",
       "gemini-1.5-pro"
     ].freeze
@@ -194,6 +237,11 @@ module Collavre
     validates :timezone,
               inclusion: { in: ActiveSupport::TimeZone.all.map { |z| z.tzinfo.identifier } },
               allow_nil: true
+    # Column is NOT NULL; clearing the profile field (or a crafted PATCH) casts to
+    # nil and would raise a DB error on save. Validate so the form re-renders.
+    validates :typo_correction_threshold,
+              presence: true,
+              numericality: { only_integer: true, greater_than_or_equal_to: 0, less_than_or_equal_to: 100 }
 
     generates_token_for :email_verification, expires_in: 1.day do
       email
@@ -255,6 +303,14 @@ module Collavre
       end
     end
 
+    # Keep durable compress/merge summaries (snapshot result comments) alive when
+    # their author is deleted: nullify authorship instead of cascading destroy.
+    def preserve_durable_summary_comments
+      Collavre::Comment
+        .where(id: Collavre::CommentSnapshot.where(result_comment_id: comments.select(:id)).select(:result_comment_id))
+        .update_all(user_id: nil)
+    end
+
     # Destroy creatives deepest-first so closure_tree always finds its parent
     def destroy_creatives_leaf_first
       all_creatives = creatives.flat_map { |c| c.self_and_descendants.to_a }.uniq

data/app/services/collavre/ai_client.rb

@@ -10,13 +10,18 @@ module Collavre
 
     attr_reader :last_input_tokens, :last_output_tokens
 
-    def initialize(vendor:, model:, system_prompt:, llm_api_key: nil, gateway_url: nil, context: {})
+    # log_interactions: persist each call to ActivityLog. Default true. Pass false
+    # for ephemeral, high-frequency calls on text the user has not submitted (e.g.
+    # inline typo correction on debounced typing) so private drafts are never
+    # written to server-side activity logs.
+    def initialize(vendor:, model:, system_prompt:, llm_api_key: nil, gateway_url: nil, context: {}, log_interactions: true)
       @vendor = vendor
       @model = model
       @system_prompt = system_prompt
       @llm_api_key = llm_api_key
       @gateway_url = gateway_url
       @context = context
+      @log_interactions = log_interactions
       @last_input_tokens = 0
       @last_output_tokens = 0
     end
@@ -64,7 +69,13 @@ module Collavre
       raise # Re-raise cancellation errors without catching them
     rescue StandardError => e
       error_message = "[#{e.class.name}] #{e.message}"
-      Rails.logger.error "AI Client error: #{error_message}"
+      # When log_interactions is false (inline typo correction runs on the user's
+      # *unsubmitted* draft), the LLM error message can echo the request text. Log
+      # only the error class to app logs so private drafts never leak — matching the
+      # no-log guarantee already enforced on the parse path (TypoCorrector) and the
+      # ActivityLog gate below. error_message stays intact for the gated ensure log
+      # and the streamed yield (which goes back to the same user).
+      Rails.logger.error "AI Client error: #{@log_interactions ? error_message : "[#{e.class.name}]"}"
       Rails.logger.error "Partial response length: #{response_content.length} chars" if response_content.present?
       Rails.logger.debug e.backtrace.join("\n")
       yield "\n\n⚠️ AI Error: #{error_message}" if block_given?
@@ -72,14 +83,16 @@ module Collavre
     ensure
       @last_input_tokens = input_tokens || 0
       @last_output_tokens = output_tokens || 0
-      log_interaction(
-        messages: @conversation&.messages&.to_a || Array(contents),
-        tools: @conversation&.tools&.to_a || [],
-        response_content: response_content.presence,
-        error_message: error_message,
-        input_tokens: input_tokens,
-        output_tokens: output_tokens
-      )
+      if @log_interactions
+        log_interaction(
+          messages: @conversation&.messages&.to_a || Array(contents),
+          tools: @conversation&.tools&.to_a || [],
+          response_content: response_content.presence,
+          error_message: error_message,
+          input_tokens: input_tokens,
+          output_tokens: output_tokens
+        )
+      end
     end
 
     # Ask a follow-up question using the existing conversation context.
@@ -115,6 +128,11 @@ module Collavre
       when "openai"
         api_key = @llm_api_key.presence || IntegrationSettings.fetch(:openai_api_key)
         base_url = @gateway_url.presence
+        # A custom OpenAI-compatible gateway (local Ollama / LM Studio, etc.) needs
+        # no real OpenAI key, but RubyLLM raises ConfigurationError before sending
+        # if openai_api_key is blank. Supply a placeholder so keyless local gateways
+        # work; hosted OpenAI (no gateway) still requires a real key.
+        api_key = "local-gateway" if api_key.blank? && base_url
         proc do |config|
           config.openai_api_key = api_key
           config.openai_api_base = base_url if base_url

data/app/services/collavre/auto_theme_generator.rb

@@ -195,7 +195,7 @@ module Collavre
     def default_client
       AiClient.new(
         vendor: "google",
-        model: "gemini-3-flash-preview",
+        model: "gemini-3.1-flash-lite",
         system_prompt: nil
       )
     end