collavre 0.13.0 → 0.14.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e41b11d4cc034b5427a84b2bcc4b2061d2400ec13a3fd05baf2783a37124c6c5
-  data.tar.gz: f50467778a86b0dc89a1bea7f2c684f1c9bad3828db6b0c49f6c284c1cd7709c
+  metadata.gz: e56759c8d6833552a9d5e49b19745aca7d0a58d56ad3c3a7e6d502ea54d6b156
+  data.tar.gz: 37a2481e6fc5abc1077167d481abb51b118f256de05c704cdd64381eb090562a
 SHA512:
-  metadata.gz: 70a7f5c8b10e0fb95d3cc7e3ca739c2d894e418e8936f141c99b69a339ec811556564c376e4e4b3624c8a375d8477dc676f915e4bcbdc1c532789b7234ee1b26
-  data.tar.gz: 867618e8aff1be6f2d24735eceae6aeb6544ce85dccf7b7f23bbad9a4d0cb985f6131ed0a18fc6752ad897dc0e42c52446556fff9dab25c5d5ed5849c73e714e
+  metadata.gz: 9261164e029e28e9303f30879740f5dbd3ccbb6779b0767cd8488920e56f0037f63159fcdf64bd12dbb7788a22f5e1718fc468f616a02f59553a67713dfa422c
+  data.tar.gz: 5856204cfe3ff27016d1e0f5a54f3de43cf839911fae1dba656200679c941c837b4f30ded9e9f94153ecea2972c8797a0554f81c58df27123f1dc0d66ed7b30a

data/app/assets/stylesheets/collavre/comments_popup.css

@@ -43,7 +43,7 @@ body.chat-fullscreen {
     border-radius: 0;
     box-shadow: none;
     border: none;
-    z-index: 9999;
+    z-index: var(--layer-fullscreen);
     box-sizing: border-box;
     padding: 0.5em;
 }
@@ -478,6 +478,11 @@ body.chat-fullscreen {
     white-space: nowrap;
 }
 
+.inbox-reply-btn {
+    font-size: var(--text-0) !important;
+    white-space: nowrap;
+}
+
 .comment-highlight {
     background: color-mix(in srgb, var(--color-active) 15%, transparent) !important;
     transition: background 0.3s ease;
@@ -599,7 +604,7 @@ body.chat-fullscreen {
     border: 1px solid var(--color-border);
     border-radius: 8px;
     box-shadow: var(--shadow-3);
-    z-index: 9999;
+    z-index: var(--layer-fullscreen);
 }
 
 #global-reaction-picker {
@@ -1510,6 +1515,15 @@ body.chat-fullscreen {
     opacity: 0.5;
     font-style: italic;
 }
+.topic-branch-icon {
+    font-size: 0.75em;
+    opacity: 0.6;
+    margin-right: 1px;
+    cursor: pointer;
+}
+.topic-branch-icon:hover {
+    opacity: 1;
+}
 .archive-topic-btn,
 .unarchive-topic-btn {
     background: none;

data/app/assets/stylesheets/collavre/design_tokens.css

@@ -145,6 +145,7 @@
   --layer-popup: 100;
   --layer-modal: 1000;
   --layer-toast: 2000;
+  --layer-fullscreen: 9999;
   --layer-important: 2147483647;
 
   /* ============================================================================

data/app/assets/stylesheets/collavre/popup.css

@@ -86,6 +86,12 @@
   z-index: calc(var(--layer-modal) + 10);
 }
 
+/* When chat is fullscreen, these modals must sit above it */
+body.chat-fullscreen #link-creative-modal,
+body.chat-fullscreen #topic-search-modal {
+  z-index: calc(var(--layer-fullscreen) + 1);
+}
+
 .common-popup {
   position: absolute;
   z-index: var(--layer-modal);

data/app/components/collavre/inbox/badge_component.rb

@@ -26,8 +26,7 @@ module Collavre
       private
 
       def unread_count_for_creative
-        visible_comments = @creative.comments.where(private: false)
-                                             .or(@creative.comments.where(user_id: @user.id))
+        visible_comments = @creative.comments.visible_to(@user)
         pointer = CommentReadPointer.find_by(user: @user, creative: @creative)
         last_read_id = pointer&.last_read_comment_id
 

data/app/controllers/collavre/comment_read_pointers_controller.rb

@@ -2,7 +2,7 @@ module Collavre
   class CommentReadPointersController < ApplicationController
     def update
       creative = Creative.find(params[:creative_id]).effective_origin
-      last_id = creative.comments.where("comments.private = ? OR comments.user_id = ? OR comments.approver_id = ?", false, Current.user.id, Current.user.id).maximum(:id)
+      last_id = creative.comments.visible_to(Current.user).maximum(:id)
       pointer = CommentReadPointer.find_or_initialize_by(user: Current.user, creative: creative)
 
       previous_last_read_id = pointer.last_read_comment_id

data/app/controllers/collavre/comments/reactions_controller.rb

@@ -1,6 +1,8 @@
 module Collavre
   module Comments
     class ReactionsController < ApplicationController
+      include Collavre::Comments::CommentScoping
+
       before_action :set_creative
       before_action :set_comment
       before_action :authorize_feedback!
@@ -48,22 +50,6 @@ module Collavre
         CommentReaction.broadcast_reaction_update(@comment)
       end
 
-      def set_creative
-        @creative = Creative.find(params[:creative_id]).effective_origin
-      end
-
-      def set_comment
-        comment_id = params[:comment_id] || params[:id]
-        @comment = @creative.comments
-                           .where(
-                             "comments.private = ? OR comments.user_id = ? OR comments.approver_id = ?",
-                             false,
-                             Current.user.id,
-                             Current.user.id
-                           )
-                           .find(comment_id)
-      end
-
       def authorize_feedback!
         return if @creative.has_permission?(Current.user, :feedback)
 

data/app/controllers/collavre/comments/versions_controller.rb

@@ -3,6 +3,8 @@
 module Collavre
   module Comments
     class VersionsController < ApplicationController
+      include Collavre::Comments::CommentScoping
+
       before_action :set_creative
       before_action :set_comment
 
@@ -62,21 +64,6 @@ module Collavre
       end
 
       private
-
-      def set_creative
-        @creative = Creative.find(params[:creative_id]).effective_origin
-      end
-
-      def set_comment
-        @comment = @creative.comments
-                             .where(
-                               "comments.private = ? OR comments.user_id = ? OR comments.approver_id = ?",
-                               false,
-                               Current.user.id,
-                               Current.user.id
-                             )
-                             .find(params[:comment_id])
-      end
     end
   end
 end

data/app/controllers/collavre/comments_controller.rb

@@ -1,5 +1,6 @@
 module Collavre
   class CommentsController < ApplicationController
+    include Collavre::Comments::CommentScoping
     include Collavre::Comments::ApprovalActions
     include Collavre::Comments::Conversion
     include Collavre::Comments::BatchOperations
@@ -26,12 +27,7 @@ module Collavre
     def index
       limit = 20
 
-      visible_scope = @creative.comments.where(
-        "comments.private = ? OR comments.user_id = ? OR comments.approver_id = ?",
-        false,
-        Current.user.id,
-        Current.user.id
-      )
+      visible_scope = @creative.comments.visible_to(Current.user)
       scope = visible_scope.with_attached_images.includes(:topic, :comment_reactions, :comment_versions, :snapshot_as_result)
 
       if params[:search].present?
@@ -185,6 +181,9 @@ module Collavre
         @comment.skip_dispatch = true
       end
       if @comment.save
+        # Cross-post inbox inline replies to the original creative/topic
+        InboxReplyService.call(@comment)
+
         # Dispatch is handled by Comment#after_create_commit callback
         @comment = Comment.with_attached_images.includes(:comment_reactions, :comment_versions, :selected_version).find(@comment.id)
         render partial: "collavre/comments/comment", locals: { comment: @comment, current_topic_id: current_topic_context }, status: :created
@@ -353,17 +352,6 @@ module Collavre
       end
     end
 
-    def set_comment
-      @comment = @creative.comments
-                             .where(
-                               "comments.private = ? OR comments.user_id = ? OR comments.approver_id = ?",
-                               false,
-                               Current.user.id,
-                               Current.user.id
-                             )
-                             .find(params[:id])
-    end
-
     def comment_params
       params.require(:comment).permit(:content, :private, :topic_id, :quoted_comment_id, :quoted_text, :review_type, images: [])
     end

data/app/controllers/collavre/creatives_controller.rb

@@ -528,7 +528,7 @@ module Collavre
         end
 
         topic = creative.topics.find_by(name: "Drop Trigger")
-        agent = parent.all_shared_users(:write).map(&:user).find(&:ai_user?)
+        agent = parent.find_ai_agent(:write)
         unless topic && agent
           Rails.logger.warn("[TriggerAction] resume: missing topic=#{topic&.id} or agent for creative #{creative.id}")
           return
@@ -565,7 +565,7 @@ module Collavre
         end
 
         topic = creative.topics.find_by(name: "Drop Trigger")
-        agent = parent.all_shared_users(:write).map(&:user).find(&:ai_user?)
+        agent = parent.find_ai_agent(:write)
         unless topic && agent
           Rails.logger.warn("[TriggerAction] restart: missing topic=#{topic&.id} or agent for creative #{creative.id}")
           return
@@ -593,7 +593,7 @@ module Collavre
       end
 
       def notify_drop_trigger_missing_agent!(creative)
-        return if creative.all_shared_users(:write).map(&:user).any?(&:ai_user?)
+        return if creative.find_ai_agent(:write)
 
         topic = creative.topics.find_or_create_by!(name: "Drop Trigger") do |t|
           t.user = creative.user

data/app/controllers/collavre/tasks_controller.rb

@@ -24,31 +24,7 @@ module Collavre
     private
 
     def abort_openclaw_session(task)
-      return unless task.agent.llm_vendor&.downcase == "openclaw"
-      return unless defined?(CollavreOpenclaw::ConnectionManager)
-
-      conn = CollavreOpenclaw::ConnectionManager.instance.connection_for(task.agent)
-      session_key = build_session_key(task)
-      conn.chat_abort(session_key: session_key)
-    rescue StandardError => e
-      Rails.logger.warn("[TasksController] OpenClaw abort failed: #{e.message}")
-    end
-
-    def build_session_key(task)
-      payload = task.trigger_event_payload || {}
-      creative = task.creative || Creative.find_by(id: payload.dig("creative", "id"))
-      comment = Comment.find_by(id: payload.dig("comment", "id"))
-
-      CollavreOpenclaw::OpenclawAdapter.new(
-        user: task.agent,
-        system_prompt: "",
-        context: {
-          creative: creative,
-          user: task.agent,
-          task: task,
-          comment: comment
-        }
-      ).session_key
+      Collavre::OpenclawAbortService.call(agent: task.agent, task: task)
     end
   end
 end

data/app/controllers/collavre/topics_controller.rb

@@ -17,12 +17,16 @@ module Collavre
                           .pick(:last_topic_id)
       end
 
+      system_topic_id = @creative.inbox? ? @creative.topics.find_by(name: Creative::SYSTEM_TOPIC_NAME)&.id : nil
+
       render json: {
         topics: active_topics.map { |t| topic_json(t) },
         archived_topics: archived_topics,
         can_manage: can_manage,
         can_create_topic: can_create_topic,
-        last_topic_id: last_topic_id
+        last_topic_id: last_topic_id,
+        is_inbox: @creative.inbox?,
+        system_topic_id: system_topic_id
       }
     end
 
@@ -268,7 +272,7 @@ module Collavre
     end
 
     def topic_json(topic)
-      data = topic.slice(:id, :name)
+      data = topic.slice(:id, :name, :source_topic_id)
       agent = topic.instance_variable_get(:@_primary_agent) || topic.primary_agent
       if agent
         data[:primary_agent] = agent_json(agent)
@@ -277,7 +281,7 @@ module Collavre
     end
 
     def topic_json_with_agent(topic, agent)
-      data = topic.slice(:id, :name)
+      data = topic.slice(:id, :name, :source_topic_id)
       data[:primary_agent] = agent_json(agent)
       data
     end

data/app/controllers/concerns/collavre/comments/batch_operations.rb

@@ -14,10 +14,7 @@ module Collavre
         is_admin = @creative.has_permission?(Current.user, :admin)
         is_creative_owner = @creative.user == Current.user
 
-        visible_scope = @creative.comments.where(
-          "comments.private = ? OR comments.user_id = ? OR comments.approver_id = ?",
-          false, Current.user.id, Current.user.id
-        )
+        visible_scope = @creative.comments.visible_to(Current.user)
         comments = visible_scope.where(id: comment_ids).to_a
 
         if comments.length != comment_ids.length
@@ -47,10 +44,7 @@ module Collavre
           render json: { error: I18n.t("collavre.comments.merge.not_authorized") }, status: :forbidden and return
         end
 
-        visible_scope = @creative.comments.where(
-          "comments.private = ? OR comments.user_id = ? OR comments.approver_id = ?",
-          false, Current.user.id, Current.user.id
-        )
+        visible_scope = @creative.comments.visible_to(Current.user)
         comments = visible_scope.where(id: comment_ids).to_a
 
         if comments.length != comment_ids.length
@@ -82,6 +76,18 @@ module Collavre
       rescue ActiveRecord::RecordInvalid => e
         render json: { error: e.record.errors.full_messages.to_sentence.presence || I18n.t("collavre.comments.move_error") }, status: :unprocessable_entity
       end
+
+      def branch
+        source_topic = params[:topic_id].present? ? @creative.topics.find(params[:topic_id]) : nil
+        new_topic = TopicBranchService.new(creative: @creative, user: Current.user, source_topic: source_topic).call(
+          comment_ids: params[:comment_ids]
+        )
+        render json: { success: true, topic: new_topic.slice(:id, :name, :source_topic_id) }, status: :created
+      rescue TopicBranchService::BranchError => e
+        render json: { error: e.message }, status: :unprocessable_entity
+      rescue ActiveRecord::RecordInvalid => e
+        render json: { error: e.record.errors.full_messages.to_sentence }, status: :unprocessable_entity
+      end
     end
   end
 end

data/app/controllers/concerns/collavre/comments/comment_scoping.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+module Collavre
+  module Comments
+    module CommentScoping
+      extend ActiveSupport::Concern
+
+      private
+
+      def set_creative
+        @creative = Creative.find(params[:creative_id]).effective_origin
+      end
+
+      def set_comment
+        comment_id = params[:comment_id] || params[:id]
+        @comment = @creative.comments.visible_to(Current.user).find(comment_id)
+      end
+    end
+  end
+end

data/app/controllers/concerns/collavre/integration_permission.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+module Collavre
+  module IntegrationPermission
+    extend ActiveSupport::Concern
+
+    private
+
+    def ensure_read_permission
+      return if @creative.has_permission?(Current.user, :read)
+
+      render json: { error: integration_forbidden_message }, status: :forbidden
+    end
+
+    def ensure_admin_permission
+      return if @creative.has_permission?(Current.user, :admin)
+
+      render json: { error: integration_forbidden_message }, status: :forbidden
+    end
+
+    def ensure_write_permission
+      return if @creative.has_permission?(Current.user, :write)
+
+      render json: { error: integration_forbidden_message }, status: :forbidden
+    end
+
+    def integration_forbidden_message
+      "forbidden"
+    end
+  end
+end

data/app/controllers/concerns/collavre/users_controller/ai_user_management.rb

@@ -5,7 +5,7 @@ module Collavre
     included do
       before_action :set_user_for_ai_actions, only: [ :edit_ai, :update_ai ]
       before_action :verify_ai_user, only: [ :edit_ai, :update_ai ]
-      before_action :verify_ai_user_authorization, only: [ :update_ai ]
+      before_action :verify_ai_user_authorization, only: [ :edit_ai, :update_ai ]
     end
 
     def new_ai

data/app/controllers/concerns/collavre/users_controller/profile_and_settings.rb

@@ -29,6 +29,7 @@ module Collavre
 
     def update
       @user = Collavre::User.find(params[:id])
+      return head :forbidden unless @user == Current.user || Current.user.system_admin?
       if @user.update(profile_params)
         redirect_to user_path(@user), notice: I18n.t("collavre.users.profile_updated")
       else
@@ -46,6 +47,7 @@ module Collavre
 
     def edit_password
       @user = Collavre::User.find(params[:id])
+      head :forbidden unless @user == Current.user || Current.user.system_admin?
     end
 
     def passkeys

data/app/helpers/collavre/application_helper.rb

@@ -78,8 +78,7 @@ module Collavre
         styles << render_theme_media_query(dark_theme, "dark")
       end
 
-      # Safe: CSS generated from admin-configured theme settings (CSS variables only)
-      styles.join("\n").html_safe # rubocop:disable Rails/OutputSafety
+      safe_join(styles, "\n")
     end
 
     private
@@ -111,7 +110,7 @@ module Collavre
     #
     def render_extension_slot(slot, **locals)
       entries = Collavre::ViewExtensions.for_slot(slot)
-      return "".html_safe if entries.empty? # rubocop:disable Rails/OutputSafety
+      return safe_join([]) if entries.empty?
 
       safe_join(entries.map { |entry| render(partial: entry[:partial], locals: locals) })
     end

data/app/helpers/collavre/creatives_helper.rb

@@ -118,7 +118,7 @@ module Collavre
       if value == 1 && !completion_mark.nil?
         text = completion_mark
       end
-      display_text = text.blank? ? "  ".html_safe : text
+      display_text = text.blank? ? "\u00A0\u00A0" : text
       content_tag(
         :span,
         display_text,
@@ -126,10 +126,6 @@ module Collavre
       )
     end
 
-    def expanded_from_expanded_state(creative_id, expanded_state_map)
-      !!(expanded_state_map && expanded_state_map[creative_id.to_s])
-    end
-
     def render_creative_tree_markdown(creatives, level = 1, with_progress = false, max_depth: nil)
       return "" if creatives.blank?
       md = ""
@@ -184,9 +180,5 @@ module Collavre
     def markdown_links_to_html(text, image_refs = {})
       MarkdownConverter.markdown_to_html(text, image_refs)
     end
-
-    def html_links_to_markdown(text)
-      MarkdownConverter.html_to_markdown(text)
-    end
   end
 end

data/app/helpers/collavre/navigation_helper.rb

@@ -47,12 +47,6 @@ module Collavre
       end
     end
 
-    def render_mobile_navigation_item(item)
-      content = render_navigation_item(item, mobile: true)
-      return if content.blank?
-      content_tag(:div, content)
-    end
-
     def render_navigation_item_with_children(item, mobile: false)
       return unless navigation_item_visible?(item, desktop: !mobile)
 

data/app/javascript/controllers/agent_trigger_controller.js

@@ -0,0 +1,94 @@
+import { Controller } from '@hotwired/stimulus'
+
+// Maps trigger type radio buttons to routing_expression values.
+// Shows/hides keyword input and advanced expression textarea based on selection.
+export default class extends Controller {
+  static targets = ['hiddenField', 'keywordInput', 'keywordGroup', 'advancedGroup', 'advancedInput']
+
+  static values = {
+    currentExpression: String
+  }
+
+  connect() {
+    this.detectTriggerType()
+    this.updateVisibility()
+  }
+
+  // Called when a radio button changes
+  change() {
+    this.updateVisibility()
+    this.updateExpression()
+  }
+
+  // Called when keyword input changes
+  keywordChanged() {
+    // Strip double quotes to prevent Liquid injection
+    const input = this.keywordInputTarget
+    const sanitized = input.value.replace(/"/g, '')
+    if (input.value !== sanitized) input.value = sanitized
+    this.updateExpression()
+  }
+
+  // Called when advanced expression changes
+  advancedChanged() {
+    this.hiddenFieldTarget.value = this.advancedInputTarget.value
+  }
+
+  get selectedType() {
+    const checked = this.element.querySelector('input[name="trigger_type"]:checked')
+    return checked?.value || 'mention'
+  }
+
+  detectTriggerType() {
+    const expr = (this.currentExpressionValue || '').trim()
+    if (!expr || expr === 'chat.mentioned_user.id == agent.id') {
+      this.selectRadio('mention')
+    } else if (expr === 'event_name == "comment_created"') {
+      this.selectRadio('auto')
+    } else {
+      const keywordMatch = expr.match(/^chat\.content\s+contains\s+"([^"]*)"$/)
+      if (keywordMatch) {
+        this.selectRadio('keyword')
+        this.keywordInputTarget.value = keywordMatch[1]
+      } else {
+        this.selectRadio('advanced')
+        this.advancedInputTarget.value = expr
+      }
+    }
+  }
+
+  selectRadio(value) {
+    const radio = this.element.querySelector(`input[name="trigger_type"][value="${value}"]`)
+    if (radio) radio.checked = true
+  }
+
+  updateVisibility() {
+    const type = this.selectedType
+    this.keywordGroupTarget.style.display = type === 'keyword' ? '' : 'none'
+    this.advancedGroupTarget.style.display = type === 'advanced' ? '' : 'none'
+  }
+
+  updateExpression() {
+    const type = this.selectedType
+    let expression = ''
+
+    switch (type) {
+      case 'auto':
+        expression = 'event_name == "comment_created"'
+        break
+      case 'mention':
+        expression = 'chat.mentioned_user.id == agent.id'
+        break
+      case 'keyword': {
+        const keyword = this.keywordInputTarget.value.trim().replace(/"/g, '')
+        expression = keyword ? `chat.content contains "${keyword}"` : ''
+        break
+      }
+      case 'advanced':
+        expression = this.advancedInputTarget.value
+        break
+    }
+
+    this.hiddenFieldTarget.value = expression
+  }
+}

data/app/javascript/controllers/comment_controller.js

@@ -121,7 +121,7 @@ export default class extends Controller {
 
     // Text selection quote support
     this.handleMouseUp = this.handleMouseUp.bind(this)
-    this.element.addEventListener('mouseup', this.handleMouseUp)
+    document.addEventListener('mouseup', this.handleMouseUp)
 
     this.currentUserId = document.body.dataset.currentUserId
     const commentAuthorId = this.element.dataset.userId
@@ -223,7 +223,7 @@ export default class extends Controller {
       clearTimeout(this._streamingTimeout)
       this._streamingTimeout = null
     }
-    this.element.removeEventListener('mouseup', this.handleMouseUp)
+    document.removeEventListener('mouseup', this.handleMouseUp)
     this.hideReviewPopup()
     if (this._reviewPopupEl) {
       this._reviewPopupEl.remove()