collavre 0.21.0 → 0.22.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f24eeb18d0272f998210dbfd04bd15a5ac4bf9fab0a61c400ac64298b17cdf3c
-  data.tar.gz: dd4c2d977abfb6831b971f6c9ed8a7343329a48af8cff04674502a2840bd0f37
+  metadata.gz: 9fd2c39503f762d09d1c98d125910e010ab634bb8d9e5e7c39c1acdc450b841f
+  data.tar.gz: 11684679fc116af3955540f8b866b5a3df763823e7d2cb82656d0652cb1b01ef
 SHA512:
-  metadata.gz: 55aa0ac2253e57cf0b4ac5d3de3a8028aa254b1b9d0b02fce88f4ac5cc3ab532588e574aebf1392bc40328f24061b1e75c74a3576f48ebc5b24d0aa5d3beebef
-  data.tar.gz: 97d1c389fdd7d00635a4ce87c5b3c9b4f0238f4c69f94e794dcbf42284da51994d35d9821da7f04f91d58857cef4ee697a128df54e914743be31d15a70d52c9b
+  metadata.gz: a8c63aed51bf215f04787f5a6adb220b4306c117b951e0af7c7e19c2998455d50ff9d98edec2ad691e1f2c2d8610218565fd1f7c23348e4e12cfbd6a74167bbc
+  data.tar.gz: 9d7ff16652f6d416b3be9730fee13821ed6bbc94054e6695b4e97c82d68d023feff9d192675a733af9ecaf81b7366176d128ba6ad08695618fe3708cf508f422

data/app/assets/stylesheets/collavre/comments_popup.css

@@ -806,7 +806,8 @@ body.chat-fullscreen {
 }
 
 .edit-comment-action-btn,
-.approve-comment-btn {
+.approve-comment-btn,
+.deny-comment-btn {
     padding: 0.15em 0.4em;
     border-radius: var(--radius-2);
     font-size: 0.75rem;
@@ -836,6 +837,18 @@ body.chat-fullscreen {
     border-color: var(--color-success);
 }
 
+.deny-comment-btn {
+    border: 1px solid color-mix(in srgb, var(--color-danger) 35%, transparent);
+    background: color-mix(in srgb, var(--color-danger) 15%, transparent);
+    color: var(--color-danger);
+}
+
+.deny-comment-btn:hover {
+    background: var(--color-danger);
+    color: var(--text-on-badge);
+    border-color: var(--color-danger);
+}
+
 .comment-status-label {
     margin-left: 0.4em;
     font-size: 0.75em;
@@ -858,6 +871,11 @@ body.chat-fullscreen {
     color: var(--color-complete);
 }
 
+.comment-status-label.denied-label {
+    background-color: color-mix(in srgb, var(--color-danger) 20%, transparent);
+    color: var(--color-danger);
+}
+
 .comment-status-label.pending-label {
     background-color: color-mix(in srgb, var(--color-warning) 20%, transparent);
     color: var(--color-warning);
@@ -1111,6 +1129,34 @@ body.chat-fullscreen {
     gap: var(--space-1);
 }
 
+/* Horizontally-scrollable viewport for channel chips + typing indicator.
+   Keeps PR/Preview badges and live typing on a single line so they never
+   wrap and push the form down. The scroll-prev button stays pinned at the
+   left because it is a flex sibling of (not inside) this viewport.
+   min-width:0 lets this flex child shrink below its content width, which is
+   what actually enables overflow scrolling. */
+#typing-scroll-viewport {
+    flex: 1;
+    min-width: 0;
+    display: flex;
+    align-items: center;
+    gap: var(--space-1);
+    flex-wrap: nowrap;
+    overflow-x: auto;
+    overflow-y: hidden;
+    scrollbar-width: thin;
+    scroll-behavior: smooth;
+}
+
+#typing-scroll-viewport::-webkit-scrollbar {
+    height: 4px;
+}
+
+#typing-scroll-viewport::-webkit-scrollbar-thumb {
+    background: var(--border-color);
+    border-radius: var(--radius-2);
+}
+
 .scroll-prev-msg-btn {
     background: none;
     border: 1px solid var(--border-color);
@@ -1131,10 +1177,11 @@ body.chat-fullscreen {
 
 #typing-indicator {
     font-style: italic;
-    flex: 1;
+    flex: 0 0 auto;
     min-height: var(--space-px-5);
     display: flex;
     align-items: center;
+    white-space: nowrap;
 }
 
 #typing-indicator .avatar-wrapper {
@@ -1188,7 +1235,8 @@ body.chat-fullscreen {
 #channel-chips-container,
 .channel-chips {
     display: inline-flex;
-    flex-wrap: wrap;
+    flex-wrap: nowrap;
+    flex-shrink: 0;
     gap: var(--space-1);
     align-items: center;
 }

data/app/assets/stylesheets/collavre/popup.css

@@ -396,3 +396,151 @@ a.popup-menu-item:hover {
     min-width: 100%;
   }
 }
+
+/* ── Link-creative picker: mini-tree + flat search results ── */
+.link-creative-list {
+  list-style: none;
+  margin: 0;
+  padding: 0;
+  max-height: 320px;
+  overflow-y: auto;
+}
+
+/* Tree (browse) rows */
+.link-tree-item {
+  list-style: none;
+}
+
+.link-tree-children {
+  list-style: none;
+  margin: 0;
+  padding: 0;
+}
+
+.link-tree-row {
+  display: flex;
+  align-items: center;
+  gap: 0.35em;
+  padding: 0.3em 0.5em;
+  border-radius: var(--radius-1);
+  cursor: pointer;
+}
+
+.link-tree-row:hover,
+.link-tree-row.active {
+  background: var(--surface-hover);
+}
+
+.link-tree-toggle {
+  flex: 0 0 auto;
+  width: 1.75em;
+  height: 1.75em;
+  display: inline-flex;
+  align-items: center;
+  justify-content: center;
+  background: transparent;
+  border: none;
+  border-radius: var(--radius-1);
+  padding: 0;
+  line-height: 1;
+  color: var(--text-secondary);
+  cursor: pointer;
+  appearance: none;
+}
+
+.link-tree-toggle svg {
+  display: block;
+  width: 16px;
+  height: 16px;
+}
+
+.link-tree-toggle:hover {
+  color: var(--text-primary);
+  background: var(--surface-hover);
+}
+
+.link-tree-toggle-empty {
+  visibility: hidden;
+  cursor: default;
+}
+
+.link-tree-label {
+  flex: 1 1 auto;
+  min-width: 0;
+  overflow: hidden;
+  text-overflow: ellipsis;
+  white-space: nowrap;
+  color: var(--text-primary);
+}
+
+.link-tree-loading,
+.link-tree-empty,
+.link-popup-message {
+  list-style: none;
+  padding: 0.35em 0.6em;
+  color: var(--text-muted);
+  font-size: var(--text-0);
+}
+
+/* Flat search results with breadcrumb */
+.link-result-item {
+  list-style: none;
+  padding: 0.4em 0.5em;
+  border-radius: var(--radius-1);
+  cursor: pointer;
+}
+
+.link-result-item:hover,
+.link-result-item.active {
+  background: var(--surface-hover);
+}
+
+.link-result-label {
+  color: var(--text-primary);
+  overflow: hidden;
+  text-overflow: ellipsis;
+  white-space: nowrap;
+}
+
+.link-result-path {
+  display: flex;
+  flex-wrap: wrap;
+  align-items: center;
+  gap: 0.15em;
+  margin-top: 0.15em;
+  font-size: var(--text-00);
+  color: var(--text-muted);
+}
+
+.link-crumb {
+  background: transparent;
+  border: none;
+  padding: 0 0.1em;
+  font-size: inherit;
+  color: var(--text-muted);
+  cursor: pointer;
+  appearance: none;
+  max-width: 14ch;
+  overflow: hidden;
+  text-overflow: ellipsis;
+  white-space: nowrap;
+}
+
+.link-crumb:hover {
+  color: var(--color-link);
+  text-decoration: underline;
+}
+
+.link-crumb-sep {
+  color: var(--text-muted);
+  opacity: 0.6;
+}
+
+.link-crumb-restricted {
+  cursor: default;
+  opacity: 0.6;
+}
+.link-crumb-restricted:hover {
+  color: var(--text-muted);
+  text-decoration: none;
+}

data/app/channels/collavre/agent_channel.rb

@@ -0,0 +1,205 @@
+# frozen_string_literal: true
+
+module Collavre
+  class AgentChannel < ApplicationCable::Channel
+    # Heartbeat for Claude Channel presence rows. Fires for every subscription,
+    # but touch_presence is a no-op unless this connection registered a presence
+    # row (agent_id subscribe by a Claude Channel agent), so topic/legacy/non-
+    # Claude subscribers pay only an idle timer.
+    periodically :touch_presence, every: AgentSubscription::HEARTBEAT_SECONDS
+
+    # Subscribes to an agent stream for real-time dispatch notifications.
+    # Accepts either:
+    #   - agent_id: per-agent stream — used by MCP plugin clients (Claude
+    #     Channel) so they receive every dispatch routed to the agent, no
+    #     matter which topic triggered it. Authorized by created_by ownership.
+    #   - topic_id: per-topic stream — legacy/UI listeners scoped to one topic.
+    def subscribed
+      return reject unless current_user
+
+      if params[:agent_id].present?
+        subscribe_to_agent_stream
+      elsif params[:topic_id].present?
+        subscribe_to_topic_stream
+      else
+        reject
+      end
+    end
+
+    # When the MCP process crashes or the WebSocket drops before the plugin
+    # can call DELETE /api/v1/agent/:id, a Claude Channel session would
+    # otherwise stay matchable (routing_expression: "true") and any future
+    # comment on a creative still shared with the agent would dispatch into an
+    # empty stream — delegated work that only clears via stuck recovery.
+    #
+    # One shared agent can have MANY concurrent sessions, so routing is gated
+    # on PRESENCE: this session drops its own AgentSubscription row, and
+    # routing is cleared only when NO rows remain. A still-live sibling session
+    # keeps its row, so routing stays active and its in-flight work is never
+    # cancelled. Done under the agent's row lock so a concurrent subscribe on
+    # the same agent serializes (no clear-vs-activate race).
+    #
+    # Cross-process / late unsubscribe: the row was keyed by this connection's
+    # own @subscription_token. A stale unsubscribe whose row was already
+    # removed (newer subscribe took over, or a different Puma/Kamal process)
+    # deletes zero rows and becomes a no-op — required for scaled deployments
+    # (WEB_CONCURRENCY > 1, Solid Cable).
+    def unsubscribed
+      return unless @session_agent && @subscription_token
+
+      cleared = false
+      dropped_session_id = nil
+      @session_agent.with_lock do
+        scope = AgentSubscription.where(agent_id: @session_agent.id, token: @subscription_token)
+        # Capture the dropped session's id before deleting its row so a live-
+        # sibling exit can still scope a cleanup to this session's own topic.
+        dropped_session_id = scope.pick(:session_id)
+        deleted = scope.delete_all
+        # Stale: our presence row is already gone. The live owner's lifecycle
+        # owns routing — do not clobber it, do not schedule cancellation.
+        if deleted.zero?
+          dropped_session_id = nil
+          next
+        end
+
+        # Drop crash-orphaned sibling rows (a Puma/ActionCable process that
+        # died without firing unsubscribed) before reading presence, so a dead
+        # row cannot masquerade as a live sibling and pin routing on forever.
+        AgentSubscription.reap_stale!(@session_agent.id)
+
+        # Another session is still LIVE on this shared agent. Keep routing
+        # active; whichever session unsubscribes last clears it.
+        next if AgentSubscription.live.where(agent_id: @session_agent.id).exists?
+
+        @session_agent.update_columns(
+          routing_expression: nil,
+          routing_subscription_token: nil
+        )
+        cleared = true
+      end
+
+      if cleared
+        # Reconnect-grace cancellation (last session): clearing routing only
+        # makes the agent unroutable. Any task already "delegated" still holds
+        # its ResourceTracker slot — the dispatch was broadcast to a now-dead
+        # stream so no client remains to call /reply, and the slot would stay
+        # held until StuckDetectorJob times out. The job cancels those tasks
+        # after a grace window, but only if the agent is still offline (it
+        # rechecks routing_expression AND that no session has resubscribed).
+        CancelOfflineDelegatedTasksJob
+          .set(wait: CancelOfflineDelegatedTasksJob::GRACE_SECONDS.seconds)
+          .perform_later(@session_agent.id, @subscription_token)
+      elsif dropped_session_id.present?
+        # A live sibling keeps the shared agent routable, so we must NOT clear
+        # routing or sweep agent-wide. But this dropped session's OWN session
+        # topic is private to it — siblings filter session_topic dispatches to
+        # their own topic, so none will /reply to a task delegated there and it
+        # would hold its slot until stuck recovery. Schedule a grace-delayed,
+        # session-scoped cancellation (skipped if this same session reconnects
+        # within the window), mirroring the destroy path's cancel_tasks_for_topic.
+        CancelOfflineDelegatedTasksJob
+          .set(wait: CancelOfflineDelegatedTasksJob::GRACE_SECONDS.seconds)
+          .perform_later(@session_agent.id, @subscription_token, dropped_session_id)
+      end
+    rescue ActiveRecord::StatementInvalid => e
+      Rails.logger.warn("[AgentChannel] unsubscribed presence clear failed: #{e.message}")
+    end
+
+    # Pull-on-resubscribe replay (Codex P2): after every (re)subscribe the plugin
+    # sends the permission request_ids it still holds pending, and the server
+    # re-broadcasts the recorded decision for exactly those ids. A decision
+    # broadcast once into the transient agent:user:<id> stream while the plugin's
+    # WebSocket was down would otherwise be lost (action_executed_at already
+    # stamped, buttons hidden), hanging the suspended tool with no retry path.
+    # The plugin's pending set is the sole bound — there is no wall-clock window,
+    # so an outage of any length is covered, and a decision already consumed is
+    # never requested. Idempotent: the plugin's coordinator drops any id it no
+    # longer holds. Gated on @session_agent so only a Claude Channel agent
+    # subscription (where stream_from agent:user:<id> is attached) can pull.
+    def replay_permissions(data)
+      return unless @session_agent
+
+      Comment.replay_claude_channel_permission_decisions_for(
+        @session_agent.id,
+        data["request_ids"]
+      )
+    end
+
+    # Broadcast an arbitrary payload to a topic's agent stream.
+    def self.broadcast_to_topic(topic_id, payload)
+      ActionCable.server.broadcast("agent:topic:#{topic_id}", payload)
+    end
+
+    # Broadcast to a per-agent stream so the agent's MCP plugin receives the
+    # dispatch regardless of which topic triggered it.
+    def self.broadcast_to_agent(agent_id, payload)
+      ActionCable.server.broadcast("agent:user:#{agent_id}", payload)
+    end
+
+    private
+
+    def subscribe_to_topic_stream
+      @topic = Topic.find_by(id: params[:topic_id])
+      return reject unless @topic
+
+      creative = @topic.creative&.effective_origin
+      return reject unless creative&.has_permission?(current_user, :read)
+
+      stream_from "agent:topic:#{@topic.id}"
+    end
+
+    def subscribe_to_agent_stream
+      agent = User.find_by(id: params[:agent_id])
+      return reject unless agent&.ai_user?
+      return reject unless agent.created_by_id == current_user.id
+
+      # Attach the stream BEFORE activating routing. Orchestration::Matcher
+      # can pick this agent as soon as routing_expression becomes "true";
+      # broadcasts to agent:user:<id> in the window between the UPDATE
+      # committing and stream_from registering the subscription would land
+      # in a stream with no subscriber, leaving the new delegated task
+      # waiting on stuck recovery. Registering the subscription first means
+      # by the time the agent is matchable, this connection is already
+      # receiving broadcasts.
+      @session_agent = agent if agent.claude_channel_agent?
+      @subscription_token = SecureRandom.hex(8) if agent.claude_channel_agent?
+      stream_from "agent:user:#{agent.id}"
+
+      # Record this session's presence row and (re)activate routing under the
+      # agent's row lock, so a concurrent unsubscribe on the same shared agent
+      # serializes against this and cannot clear routing out from under a live
+      # session. routing_subscription_token is kept as the most-recent-session
+      # marker (debugging / grace-job arg); presence rows are the real gate.
+      if agent.claude_channel_agent?
+        agent.with_lock do
+          # Self-heal: clear crash-orphaned rows for this agent before counting
+          # so this session's activation isn't blocked from, and presence reads
+          # aren't fooled by, a dead process's leftover row.
+          AgentSubscription.reap_stale!(agent.id)
+          # Record the plugin-supplied session_id (stable across --resume) on the
+          # row. The HTTP unregister path (DELETE /api/v1/agent/:id) cannot know
+          # this connection's server-minted @subscription_token, so it correlates
+          # the exiting session to its row via session_id instead.
+          AgentSubscription.create!(
+            agent_id: agent.id,
+            token: @subscription_token,
+            session_id: params[:session_id].presence
+          )
+          agent.update_columns(
+            routing_subscription_token: @subscription_token,
+            routing_expression: "true"
+          )
+        end
+      end
+    end
+
+    # Periodic heartbeat callback: keep this session's presence row live. No-op
+    # once the row is gone (rotated by a newer subscribe, or reaped), so it can
+    # never resurrect a removed row.
+    def touch_presence
+      return unless @session_agent && @subscription_token
+
+      AgentSubscription.touch!(@session_agent.id, @subscription_token)
+    end
+  end
+end

data/app/controllers/collavre/admin/integrations_controller.rb

@@ -23,6 +23,10 @@ module Collavre
             next if value.blank?
 
             definition = Registry.instance.find(key) or next
+            # Mirror the index filter: keys hidden from the admin UI
+            # (admin_visible: false) are not editable via this form, so a crafted
+            # POST cannot write them.
+            next if definition.admin_visible == false
 
             row = Collavre::IntegrationSetting.find_or_initialize_by(key: definition.key.to_s)
             row.category = definition.category
@@ -47,14 +51,21 @@ module Collavre
       private
 
       def load_definition!
-        @definition = Registry.instance.find(params[:key]) or
-          (render file: Rails.root.join("public/404.html"), status: :not_found, layout: false and return)
+        @definition = Registry.instance.find(params[:key])
+        # Keys hidden from the admin UI (admin_visible: false) are treated as
+        # non-addressable here too, so a crafted DELETE cannot reset them.
+        if @definition.nil? || @definition.admin_visible == false
+          @definition = nil
+          render file: Rails.root.join("public/404.html"), status: :not_found, layout: false and return
+        end
       end
 
       def build_grouped_settings
-        Registry.instance.by_category.sort_by { |category, _defs| category.to_s }.map do |category, definitions|
-          rows = definitions.map { |definition| build_row(definition) }
-          [ category, rows ]
+        Registry.instance.by_category.sort_by { |category, _defs| category.to_s }.filter_map do |category, definitions|
+          visible = definitions.select { |d| d.admin_visible != false }
+          next if visible.empty?
+
+          [ category, visible.map { |definition| build_row(definition) } ]
         end
       end