collavre 0.22.0 → 0.23.0

data/app/controllers/collavre/api/v1/mobile/base_controller.rb

@@ -0,0 +1,95 @@
+# frozen_string_literal: true
+
+module Collavre
+  module Api
+    module V1
+      module Mobile
+        # Shared base for the voice-companion mobile API. Inherits Doorkeeper
+        # bearer auth from Api::V1::BaseController.
+        #
+        # ★ The API base controller authenticates the token but does NOT run the
+        # host app's locale around_action, so I18n would otherwise serve the
+        # process-default locale. Every persisted/spoken string here must match
+        # the speaker, so we wrap every action in I18n.with_locale (app-supplied
+        # `locale` param wins, else the user's stored locale).
+        class BaseController < Collavre::Api::V1::BaseController
+          around_action :with_request_locale
+
+          private
+
+          def with_request_locale(&block)
+            I18n.with_locale(requested_locale, &block)
+          end
+
+          def requested_locale
+            normalize_locale(params[:locale].presence || current_user&.locale)
+          end
+
+          def normalize_locale(value)
+            return I18n.default_locale if value.blank?
+
+            base = value.to_s.tr("-", "_").split("_").first.to_sym
+            I18n.available_locales.include?(base) ? base : I18n.default_locale
+          end
+
+          def summarizer
+            @summarizer ||= Collavre::Mobile::EventSummarizer.new(locale: I18n.locale)
+          end
+
+          # User-owned AI agents (Claude Channel sessions, etc.).
+          def agent_ids
+            @agent_ids ||= Collavre::User.ai_agents.where(created_by_id: current_user.id).pluck(:id)
+          end
+
+          # Undecided permission prompts the token holder is the approver for.
+          def pending_approvals
+            Collavre::Comment.where(approver_id: current_user.id, action_executed_at: nil)
+                             .where.not(action: nil)
+                             .order(:created_at)
+                             .limit(50)
+                             .select(&:claude_channel_permission?)
+          end
+
+          def reply(key)
+            I18n.t("collavre.mobile.reply.#{key}")
+          end
+
+          def label_for_topic(topic_id)
+            topic = topic_id && Collavre::Topic.find_by(id: topic_id)
+            topic&.name.presence || I18n.t("collavre.mobile.default_task_label")
+          end
+
+          # List/display title for an event: "Creative#Topic" so the app can show
+          # which thread a message belongs to (spec: 제목을 크리에이티브#토픽 형태로).
+          def title_for_topic(topic_id)
+            topic = topic_id && Collavre::Topic.find_by(id: topic_id)
+            name = topic&.name.presence || I18n.t("collavre.mobile.default_task_label")
+            creative = topic&.creative&.effective_origin || topic&.creative
+            creative&.description.present? ? "#{creative.description}##{name}" : name
+          end
+
+          def render_speak(reply_key_or_text, action: {}, speak: true, status: :ok)
+            text = reply_key_or_text.is_a?(Symbol) ? reply(reply_key_or_text) : reply_key_or_text
+            render json: { reply: text, speak: speak, action: action }, status: status
+          end
+
+          # Gate + decide + broadcast a Claude Channel permission. Routes the
+          # voice path through the same approval_status gate the web path uses
+          # (Comments::ApprovalActions). Without this the caller could decide a
+          # prompt they merely own the authoring agent for but are not the
+          # designated approver of (authorized_comment? lets agent-owned events
+          # through). Returns a symbol: :ok | :unauthorized | :already_decided.
+          def decide_permission(comment, behavior)
+            return :unauthorized unless comment.can_be_approved_by?(current_user)
+
+            comment.decide_claude_channel_permission!(behavior, by: current_user)
+            comment.broadcast_claude_channel_permission_decision(behavior)
+            :ok
+          rescue Collavre::Comment::ClaudeChannelPermission::AlreadyDecided
+            :already_decided
+          end
+        end
+      end
+    end
+  end
+end

data/app/controllers/collavre/api/v1/mobile/devices_controller.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+module Collavre
+  module Api
+    module V1
+      module Mobile
+        # FCM registration for the Android companion. Push is a follow-up (MVP
+        # uses foreground polling), but registering the device now keeps the
+        # token current so push can light up without a client change.
+        class DevicesController < BaseController
+          def create
+            device = Collavre::Device.find_by(fcm_token: device_params[:fcm_token]) ||
+                     current_user.devices.find_or_initialize_by(client_id: device_params[:client_id])
+
+            device.assign_attributes(device_params)
+            device.user = current_user
+            device.device_type = :android if device.device_type.blank?
+            device.save!
+            head :no_content
+          end
+
+          private
+
+          def device_params
+            params.require(:device).permit(:client_id, :device_type, :app_id, :app_version, :fcm_token)
+          end
+        end
+      end
+    end
+  end
+end

data/app/controllers/collavre/api/v1/mobile/voice_commands_controller.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+module Collavre
+  module Api
+    module V1
+      module Mobile
+        # A plain mic press (no message selected) routes here: the utterance
+        # starts a new piece of work in the user's Inbox#Main, exactly like
+        # typing in the inbox chat — dispatch then matches an agent via
+        # routing_expression. Replies to a SPECIFIC message go through
+        # agent_events#respond instead (they carry the target event id).
+        class VoiceCommandsController < BaseController
+          def create
+            text = params[:text].to_s.strip
+            return render_speak(:empty_response, action: { type: "noop" }) if text.blank?
+
+            inbox = Collavre::Creative.inbox_for(current_user)
+            comment = inbox.comments.create!(content: text, user: current_user)
+            render_speak(:sent, action: { type: "message_sent", comment_id: comment.id })
+          end
+        end
+      end
+    end
+  end
+end

data/app/controllers/collavre/creatives_controller.rb

@@ -67,7 +67,9 @@ module Collavre
               allowed_creative_ids: @allowed_creative_ids,
               progress_map: @progress_map
             )
-            render json: { creatives: @creatives_tree_json }
+            payload = { creatives: @creatives_tree_json }
+            payload[:pagination] = index_result.pagination if index_result.pagination
+            render json: payload
           end
         end
       end
@@ -155,6 +157,10 @@ module Collavre
             render json: {
               id: @creative.id,
               description: @creative.effective_description,
+              # Embedded variant for read-only display (e.g. slide view): turns
+              # bare YouTube links into preview iframes. `description` stays the
+              # raw editable form the inline editor round-trips.
+              description_embedded_html: view_context.embed_youtube_iframe(@creative.effective_description),
               description_raw_html: @creative.description,
               origin_id: @creative.origin_id,
               parent_id: @creative.parent_id,
@@ -165,6 +171,7 @@ module Collavre
               has_children: children_count > 0,
               data: sanitized_data,
               content_type: effective.data&.dig("content_type"),
+              markdown_editor: effective.data&.dig("editor"),
               markdown_source: can_edit ? effective.data&.dig("markdown_source") : nil,
               trigger_loop: trigger_loop_data,
               is_trigger_task: parent_trigger_enabled,
@@ -210,6 +217,7 @@ module Collavre
         render json: {
           id: @creative.id,
           content_type: @creative.data&.dig("content_type"),
+          markdown_editor: @creative.data&.dig("editor"),
           markdown_source: @creative.data&.dig("markdown_source")
         }
       else
@@ -281,7 +289,8 @@ module Collavre
               progress: base.progress,
               progress_html: view_context.render_creative_progress(base),
               has_children: base.children.exists?,
-              content_type: base.data&.dig("content_type")
+              content_type: base.data&.dig("content_type"),
+              markdown_editor: base.data&.dig("editor")
             }
             # Expose the post-rewrite markdown source so the client can sync its
             # textarea after the server replaces inline data: URIs with blob paths.
@@ -394,9 +403,11 @@ module Collavre
         return
       end
       # Reserved markdown fields are not editable via metadata; preserve current values so a stale
-      # YAML payload from the metadata popup can't overwrite a concurrent markdown edit.
+      # YAML payload from the metadata popup (or an API client that omits them) can't overwrite a
+      # concurrent markdown edit. "editor" must be reserved too: dropping it would erase the "rich"
+      # authoring flag and make a Lexical-authored creative reopen in the advanced textarea.
       current_data = creative.data || {}
-      %w[markdown_source content_type].each do |key|
+      %w[markdown_source content_type editor].each do |key|
         if current_data.key?(key)
           new_data[key] = current_data[key]
         else
@@ -543,7 +554,7 @@ module Collavre
       end
 
       def creative_params
-        params.require(:creative).permit(:description, :progress, :parent_id, :sequence, :origin_id, :markdown_source, :content_type_input)
+        params.require(:creative).permit(:description, :progress, :parent_id, :sequence, :origin_id, :markdown_source, :content_type_input, :markdown_editor)
       end
 
       def any_filter_active?

data/app/controllers/collavre/tasks_controller.rb

@@ -14,12 +14,21 @@ module Collavre
         return head :unprocessable_entity
       end
 
-      was_delegated = task.status == "delegated"
+      # These statuses count against the topic slot (occupying_topic_slot) yet no
+      # live worker will run AiAgentJob's ensure-block drain for them:
+      #   - delegated / pending_approval already returned from the job holding the
+      #     slot (should_release = false) — awaiting an MCP reply / approval.
+      #   - pending may be a waiter that dequeue_next_for_topic promoted
+      #     queued -> pending before its job starts; once cancelled, that job
+      #     early-returns at the top of #perform and never reaches the ensure drain.
+      # So free the agent slot and drain the topic queue here — otherwise
+      # cancelling the blocker leaves agent capacity and the next waiter stuck
+      # until stuck recovery. release!/dequeue are idempotent (dequeue is bounded
+      # by topic_at_capacity?), so a racing live worker that also drains is harmless.
+      held_slot_without_worker = %w[pending delegated pending_approval].include?(task.status)
       task.update!(status: "cancelled")
 
-      # Delegated tasks have no active worker to run the ensure-block release,
-      # so free the agent slot and drain the topic queue here.
-      if was_delegated && task.agent
+      if held_slot_without_worker && task.agent
         Collavre::Orchestration::ResourceTracker.for(task.agent).release!(task.id)
         Collavre::Orchestration::AgentOrchestrator.dequeue_next_for_topic(task.topic_id, task.creative_id)
       end

data/app/controllers/collavre/topics_controller.rb

@@ -128,6 +128,7 @@ module Collavre
 
     def move
       topic = @creative.topics.find(params[:id])
+      source_creative = @creative
       target_creative = Creative.find(params[:target_creative_id]).effective_origin
 
       unless target_creative.has_permission?(Current.user, :write) || target_creative.user == Current.user
@@ -147,7 +148,13 @@ module Collavre
       broadcast_topic_event("deleted", topic_id: topic.id)
       broadcast_topic_event("created", creative: target_creative, topic: topic.slice(:id, :name))
 
-      render json: { success: true, topic: topic.slice(:id, :name), target_creative_id: target_creative.id }
+      render json: {
+        success: true,
+        topic: topic.slice(:id, :name),
+        target_creative_id: target_creative.id,
+        target_creative_name: target_creative.creative_snippet,
+        missing_members: missing_members_for_move(source_creative, target_creative)
+      }
     end
 
     def archive
@@ -204,6 +211,47 @@ module Collavre
       @creative = Creative.find(params[:creative_id]).effective_origin
     end
 
+    # When a topic moves to a different creative, members who had access on the
+    # source creative may lose visibility on the target. Returns the human
+    # members who are effectively present on the source (owner + feedback-or-
+    # higher shares) but have no resolvable access on the target, so the client
+    # can offer to re-add them with the same permission. Only returned when the
+    # current user can actually grant shares on the target (admin/owner);
+    # otherwise the suggestion would be unusable.
+    def missing_members_for_move(source_creative, target_creative)
+      return [] unless target_creative.has_permission?(Current.user, :admin) || target_creative.user == Current.user
+
+      # Any user with a resolvable share on the target chain (including inherited
+      # shares and explicit no_access blocks) already has — or is intentionally
+      # denied — access, so they are never "missing".
+      excluded_user_ids = target_creative.all_shared_users(:no_access).map(&:user_id).compact.to_set
+      excluded_user_ids << target_creative.user_id
+      excluded_user_ids << Current.user&.id
+
+      # Candidate => grant permission. Source owner had full control, so we
+      # suggest admin; shared members keep their own (closest) permission.
+      candidates = {}
+      owner = source_creative.user
+      if owner && !owner.ai_user? && excluded_user_ids.exclude?(owner.id)
+        candidates[owner.id] = { user: owner, permission: "admin" }
+      end
+
+      source_creative.all_shared_users(:feedback).each do |share|
+        user = share.user
+        next if user.nil? || user.ai_user?
+        next if excluded_user_ids.include?(user.id)
+
+        candidates[user.id] ||= { user: user, permission: share.permission }
+      end
+
+      candidates.values.map do |candidate|
+        {
+          user: view_context.user_json(candidate[:user], email: true),
+          permission: candidate[:permission]
+        }
+      end
+    end
+
     def topic_params
       params.require(:topic).permit(:name)
     end

data/app/controllers/collavre/typo_corrections_controller.rb

@@ -0,0 +1,39 @@
+module Collavre
+  # Session-authenticated endpoint backing the inline typo-correction UI. The
+  # frontend also gates by device/location, but we re-check here (fail closed)
+  # before spending an LLM call, and echo the user's auto-apply threshold so the
+  # client never has to hardcode it.
+  class TypoCorrectionsController < ApplicationController
+    # The client debounce is only a hint — a scripted/compromised page can loop
+    # this endpoint with arbitrary text, and every accepted call spends an LLM
+    # request. Bound both the call rate and the per-call size server-side. The
+    # chat composer is short text; anything larger is not a typo-correction case.
+    MAX_TEXT_LENGTH = 4_000
+    RATE_LIMIT = 120          # requests
+    RATE_PERIOD = 1.minute    # ...per user per minute
+
+    def create
+      user = Current.user
+      device = params[:device].to_s
+      location = params[:location].presence || "chat"
+      text = params[:text].to_s
+
+      unless user.typo_correction_active_for?(device: device, location: location)
+        return render json: { edits: [], threshold: user.typo_correction_threshold }
+      end
+
+      # Oversized input: skip the LLM entirely (return no edits, not an error —
+      # this is a background affordance, not a user-facing failure).
+      if text.length > MAX_TEXT_LENGTH
+        return render json: { edits: [], threshold: user.typo_correction_threshold }
+      end
+
+      # Raises RateLimitExceeded -> 429 (DynamicRateLimiting), which the client
+      # treats as "no suggestions this round".
+      check_rate_limit!(key: "typo_correction:#{user.id}", limit: RATE_LIMIT, period: RATE_PERIOD)
+
+      edits = TypoCorrector.new.correct(text)
+      render json: { edits: edits, threshold: user.typo_correction_threshold }
+    end
+  end
+end

data/app/controllers/concerns/collavre/users_controller/profile_and_settings.rb

@@ -58,6 +58,14 @@ module Collavre
       end
     end
 
+    def typo_correction
+      @user = Collavre::User.find(params[:id])
+
+      unless @user == Current.user || Current.user.system_admin?
+        redirect_to user_path(Current.user), alert: I18n.t("collavre.users.destroy.not_authorized")
+      end
+    end
+
     def update_password
       @user = Collavre::User.find(params[:id])
       if @user.authenticate(params[:user][:current_password])
@@ -89,7 +97,14 @@ module Collavre
         :notifications_enabled,
         :calendar_id,
         :timezone,
-        :locale
+        :locale,
+        :typo_correction_enabled,
+        :typo_correction_threshold,
+        :typo_correction_on_soft_keyboard,
+        :typo_correction_on_voice,
+        :typo_correction_on_physical_keyboard,
+        :typo_correction_in_chat,
+        :typo_correction_in_editor
       ).tap do |p|
         p[:locale] = normalize_supported_locale(p[:locale]) if p.key?(:locale)
       end

data/app/controllers/concerns/collavre/users_controller/registration.rb

@@ -37,7 +37,34 @@ module Collavre
             Collavre::Contact.ensure(user: invitation.inviter, contact_user: @user)
             invitation.creative.create_linked_creative_for_user(@user)
           end
-          Collavre::EmailVerificationMailer.verify(@user).deliver_later
+          # Deployments with no outbound mail (e.g. the local desktop app, which
+          # has no SMTP/SES) would otherwise leave the first user unable to verify
+          # and permanently locked out of login. Such envs opt into auto-verify.
+          # NB: compare to `true` explicitly — an unset config.x.* key reads back
+          # as a truthy empty OrderedOptions, so a bare `if` would fire everywhere.
+          if Rails.application.config.x.auto_verify_email == true
+            @user.update_column(:email_verified_at, Time.current)
+          else
+            Collavre::EmailVerificationMailer.verify(@user).deliver_later
+          end
+          # Envs that ship no seeded admin (e.g. desktop) bootstrap one here: the
+          # first registered user becomes system_admin. Guarded by "no admin yet"
+          # so only the very first signup is elevated, and by a loopback origin so
+          # that in documented open mode (LAN/Tailscale binding) a remote client
+          # cannot race the local owner for the admin account. `== true` for the
+          # same OrderedOptions reason as above.
+          if Rails.application.config.x.bootstrap_first_admin == true && request_from_loopback?
+            # Promote atomically rather than exists?-then-update: a separate check
+            # and write is a TOCTOU race where two concurrent first signups both
+            # read "no admin yet" and both elevate. A single UPDATE ... WHERE NOT
+            # EXISTS lets the DB evaluate the guard and write under one lock, so
+            # exactly one wins. This path only runs on desktop (the only env that
+            # sets bootstrap_first_admin), which is always SQLite — and SQLite
+            # serializes writers, so the loser's re-evaluated NOT EXISTS sees the
+            # admin and updates nothing.
+            admin_exists = Collavre::User.where(system_admin: true).arel.exists
+            Collavre::User.where(id: @user.id).where(admin_exists.not).update_all(system_admin: true)
+          end
           session.delete(:return_to_after_authenticating)
           redirect_to new_session_path, notice: I18n.t("collavre.users.new.success_sign_up")
         else
@@ -56,6 +83,19 @@ module Collavre
 
     private
 
+    # Whether the request originates from the local machine. Uses remote_addr
+    # (the socket peer) rather than remote_ip: remote_ip trusts X-Forwarded-For
+    # from private-range proxies, so a LAN attacker at e.g. 192.168.x could spoof
+    # `XFF: 127.0.0.1` and forge a loopback origin. The socket peer cannot be
+    # spoofed by headers.
+    def request_from_loopback?
+      addr = IPAddr.new(request.remote_addr.to_s)
+      addr = addr.native if addr.respond_to?(:ipv4_mapped?) && addr.ipv4_mapped?
+      addr.loopback?
+    rescue IPAddr::InvalidAddressError
+      false
+    end
+
     def user_params
       params.require(:user).permit(:email, :password, :password_confirmation, :name)
     end

data/app/helpers/collavre/application_helper.rb

@@ -14,6 +14,7 @@ module Collavre
       collavre/org_chart
       collavre/popup
       collavre/comments_popup
+      collavre/tables
       collavre/code_highlight
       collavre/comment_versions
       collavre/mention_menu

data/app/javascript/collavre.js

@@ -5,6 +5,7 @@
 import "./modules/creatives"
 import "./modules/creative_row_swipe"
 import "./modules/mention_menu"
+import "./modules/typo_corrector"
 import "./modules/command_menu"
 import "./modules/modal_dialog"
 import "./modules/export_to_markdown"
@@ -19,6 +20,7 @@ import "./components/creative_tree_row"
 // Import and re-export lib utilities
 import "./lib/apply_lexical_styles"
 import "./lib/turbo_stream_actions"
+import "./lib/turbo_confirm"
 
 // Export controller registration
 export { registerControllers } from "./controllers"

data/app/javascript/components/ImageResizer.jsx

@@ -51,9 +51,15 @@ export default function ImageResizer({ src, altText, width, height, nodeKey }) {
       editor.registerCommand(
         CLICK_COMMAND,
         (event) => {
-          // If click is outside our image, deselect
+          // If click is outside our image, deselect — but only via clearSelection.
+          // setSelected(false) is destructive here: when the click lands in text
+          // (a RangeSelection / the caret), the hook synthesizes a fresh empty
+          // NodeSelection and replaces the caret with it, so the editor loses its
+          // caret and becomes uneditable the instant you click to edit while an
+          // image is present. clearSelection only acts on an existing
+          // NodeSelection, so a RangeSelection (caret) is preserved.
           if (containerRef.current && !containerRef.current.contains(event.target)) {
-            setSelected(false)
+            clearSelection()
           }
           return false
         },
@@ -90,7 +96,7 @@ export default function ImageResizer({ src, altText, width, height, nodeKey }) {
         COMMAND_PRIORITY_LOW
       )
     )
-  }, [editor, isSelected, nodeKey, setSelected])
+  }, [editor, isSelected, nodeKey, clearSelection])
 
   // Resize logic
   const onPointerDown = useCallback(