coplan-engine 0.1.0

data/app/controllers/coplan/api/v1/sessions_controller.rb

@@ -0,0 +1,92 @@
+module CoPlan
+  module Api
+    module V1
+      class SessionsController < BaseController
+        before_action :set_plan
+        before_action :authorize_plan_access!
+        before_action :set_session, only: [:show, :commit]
+
+        # POST /api/v1/plans/:plan_id/sessions
+        # Cloud personas create sessions via direct Ruby service calls, not this endpoint.
+        def create
+          actor_type = params[:actor_type].presence || ApiToken::HOLDER_TYPE
+          unless EditSession::ACTOR_TYPES.include?(actor_type)
+            render json: { error: "Invalid actor_type" }, status: :unprocessable_entity
+            return
+          end
+          ttl = actor_type == "cloud_persona" ? EditSession::CLOUD_PERSONA_TTL : EditSession::LOCAL_AGENT_TTL
+
+          session = EditSession.create!(
+            plan: @plan,
+            actor_type: actor_type,
+            actor_id: api_actor_id,
+            base_revision: @plan.current_revision,
+            expires_at: ttl.from_now
+          )
+
+          render json: session_json(session), status: :created
+        end
+
+        # GET /api/v1/plans/:plan_id/sessions/:id
+        def show
+          render json: session_json(@session).merge(
+            operations_count: @session.operations_json.length,
+            has_draft: @session.draft_content.present?
+          )
+        end
+
+        # POST /api/v1/plans/:plan_id/sessions/:id/commit
+        def commit
+          result = Plans::CommitSession.call(
+            session: @session,
+            change_summary: params[:change_summary]
+          )
+
+          response = {
+            session_id: @session.id,
+            status: @session.status,
+            committed_at: @session.committed_at
+          }
+
+          if result[:version]
+            response[:revision] = result[:version].revision
+            response[:version_id] = result[:version].id
+            response[:content_sha256] = result[:version].content_sha256
+          end
+
+          render json: response
+        rescue Plans::CommitSession::SessionNotOpenError => e
+          render json: { error: e.message }, status: :unprocessable_entity
+        rescue Plans::CommitSession::StaleSessionError => e
+          render json: { error: e.message }, status: :conflict
+        rescue Plans::CommitSession::SessionConflictError => e
+          render json: {
+            error: e.message,
+            current_revision: @plan.reload.current_revision
+          }, status: :conflict
+        end
+
+        private
+
+        def set_session
+          @session = @plan.edit_sessions.find_by(id: params[:id], actor_id: api_actor_id)
+          unless @session
+            render json: { error: "Edit session not found" }, status: :not_found
+          end
+        end
+
+        def session_json(session)
+          {
+            id: session.id,
+            plan_id: session.plan_id,
+            status: session.status,
+            actor_type: session.actor_type,
+            base_revision: session.base_revision,
+            expires_at: session.expires_at,
+            created_at: session.created_at
+          }
+        end
+      end
+    end
+  end
+end

data/app/controllers/coplan/application_controller.rb

@@ -0,0 +1,78 @@
+module CoPlan
+  class ApplicationController < ::ApplicationController
+    layout "coplan/application"
+
+    # CoPlan.underscore produces "co_plan", but our views/templates use "coplan/"
+    def self.controller_path
+      super.sub(/\Aco_plan\//, "coplan/")
+    end
+
+    helper CoPlan::ApplicationHelper
+    helper CoPlan::MarkdownHelper
+    helper CoPlan::CommentsHelper
+
+    # Skip host auth — CoPlan handles authentication internally via config.authenticate
+    skip_before_action :authenticate_user!, raise: false
+
+    before_action :authenticate_coplan_user!
+    before_action :set_coplan_current
+
+    helper_method :current_user, :signed_in?
+
+    class NotAuthorizedError < StandardError; end
+
+    rescue_from NotAuthorizedError do
+      head :not_found
+    end
+
+    private
+
+    def current_user
+      @current_coplan_user
+    end
+
+    def signed_in?
+      current_user.present?
+    end
+
+    def authenticate_coplan_user!
+      callback = CoPlan.configuration.authenticate
+      unless callback
+        raise "CoPlan.configure { |c| c.authenticate = ->(request) { ... } } is required"
+      end
+
+      attrs = callback.call(request)
+      unless attrs && attrs[:external_id].present?
+        if CoPlan.configuration.sign_in_path
+          redirect_to CoPlan.configuration.sign_in_path, alert: "Please sign in."
+        else
+          head :unauthorized
+        end
+        return
+      end
+
+      external_id = attrs[:external_id].to_s
+      @current_coplan_user = CoPlan::User.find_or_initialize_by(external_id: external_id)
+      @current_coplan_user.assign_attributes(attrs.slice(:name, :admin, :metadata).compact)
+      if @current_coplan_user.new_record? || @current_coplan_user.changed?
+        @current_coplan_user.save!
+      end
+    rescue ActiveRecord::RecordNotUnique
+      @current_coplan_user = CoPlan::User.find_by!(external_id: external_id)
+      @current_coplan_user.assign_attributes(attrs.slice(:name, :admin, :metadata).compact)
+      @current_coplan_user.save! if @current_coplan_user.changed?
+    end
+
+    def set_coplan_current
+      CoPlan::Current.user = current_user
+    end
+
+    def authorize!(record, action)
+      policy_class = "CoPlan::#{record.class.name.demodulize}Policy".constantize
+      policy = policy_class.new(current_user, record)
+      unless policy.public_send(action)
+        raise NotAuthorizedError
+      end
+    end
+  end
+end

data/app/controllers/coplan/automated_reviews_controller.rb

@@ -0,0 +1,29 @@
+module CoPlan
+  class AutomatedReviewsController < ApplicationController
+    before_action :set_plan
+    before_action :set_reviewer, only: [:create]
+
+    def create
+      authorize!(@plan, :update?)
+
+      AutomatedReviewJob.perform_later(
+        plan_id: @plan.id,
+        reviewer_id: @reviewer.id,
+        plan_version_id: @plan.current_plan_version_id,
+        triggered_by: current_user
+      )
+
+      redirect_to plan_path(@plan), notice: "#{@reviewer.name} review queued."
+    end
+
+    private
+
+    def set_plan
+      @plan = Plan.find(params[:plan_id])
+    end
+
+    def set_reviewer
+      @reviewer = AutomatedPlanReviewer.enabled.find(params[:reviewer_id])
+    end
+  end
+end

data/app/controllers/coplan/comment_threads_controller.rb

@@ -0,0 +1,148 @@
+module CoPlan
+  class CommentThreadsController < ApplicationController
+    include ActionView::RecordIdentifier
+
+    before_action :set_plan
+    before_action :set_thread, only: [:resolve, :accept, :dismiss, :reopen]
+
+    def create
+      authorize!(@plan, :show?)
+
+      thread = @plan.comment_threads.new(
+        plan_version: @plan.current_plan_version,
+        anchor_text: params[:comment_thread][:anchor_text].presence,
+        anchor_context: params[:comment_thread][:anchor_context].presence,
+        start_line: params[:comment_thread][:start_line].presence,
+        end_line: params[:comment_thread][:end_line].presence,
+        created_by_user: current_user
+      )
+
+      thread.save!
+
+      comment = thread.comments.create!(
+        author_type: "human",
+        author_id: current_user.id,
+        body_markdown: params[:comment_thread][:body_markdown]
+      )
+
+      broadcast_new_thread(thread)
+      broadcast_tab_counts
+
+      respond_with_stream_or_redirect("Comment added.")
+    end
+
+    def resolve
+      authorize!(@thread, :resolve?)
+      @thread.resolve!(current_user)
+      broadcast_thread_move(@thread, from: "comment-threads", to: "resolved-comment-threads")
+      respond_with_stream_or_redirect("Thread resolved.")
+    end
+
+    def accept
+      authorize!(@thread, :accept?)
+      @thread.accept!(current_user)
+      broadcast_thread_move(@thread, from: "comment-threads", to: "resolved-comment-threads")
+      respond_with_stream_or_redirect("Thread accepted.")
+    end
+
+    def dismiss
+      authorize!(@thread, :dismiss?)
+      @thread.dismiss!(current_user)
+      broadcast_thread_move(@thread, from: "comment-threads", to: "resolved-comment-threads")
+      respond_with_stream_or_redirect("Thread dismissed.")
+    end
+
+    def reopen
+      authorize!(@thread, :reopen?)
+      @thread.update!(status: "open", resolved_by_user: nil)
+      # Out-of-date threads stay in the archived list even when reopened,
+      # since the active scope excludes out_of_date rows.
+      if @thread.out_of_date?
+        broadcast_thread_replace(@thread)
+      else
+        broadcast_thread_move(@thread, from: "resolved-comment-threads", to: "comment-threads")
+      end
+      respond_with_stream_or_redirect("Thread reopened.")
+    end
+
+    private
+
+    def set_plan
+      @plan = Plan.find(params[:plan_id])
+    end
+
+    def set_thread
+      @thread = @plan.comment_threads.find(params[:id])
+    end
+
+    def broadcast_new_thread(thread)
+      Broadcaster.prepend_to(
+        @plan,
+        target: "comment-threads",
+        partial: "coplan/comment_threads/thread",
+        locals: { thread: thread, plan: @plan }
+      )
+    end
+
+    # Broadcasts update all clients (including the submitter) via WebSocket.
+    # The empty turbo_stream response prevents Turbo from navigating (which causes scroll-to-top).
+    def respond_with_stream_or_redirect(message)
+      respond_to do |format|
+        format.turbo_stream { render turbo_stream: [] }
+        format.html { redirect_to plan_path(@plan), notice: message }
+      end
+    end
+
+    # Replaces a thread in place (status changed but stays in the same list).
+    def broadcast_thread_replace(thread)
+      Broadcaster.replace_to(
+        @plan,
+        target: dom_id(thread),
+        partial: "coplan/comment_threads/thread",
+        locals: { thread: thread, plan: @plan }
+      )
+      broadcast_tab_counts
+    end
+
+    # Moves a thread between Open/Resolved lists and updates tab counts.
+    def broadcast_thread_move(thread, from:, to:)
+      Broadcaster.remove_to(@plan, target: dom_id(thread))
+      Broadcaster.append_to(
+        @plan,
+        target: to,
+        partial: "coplan/comment_threads/thread",
+        locals: { thread: thread, plan: @plan }
+      )
+      broadcast_tab_counts
+    end
+
+    def broadcast_tab_counts
+      threads = @plan.comment_threads
+      open_count = threads.active.count
+      resolved_count = threads.archived.count
+
+      Broadcaster.update_to(
+        @plan,
+        target: "open-thread-count",
+        html: open_count > 0 ? open_count.to_s : ""
+      )
+      Broadcaster.update_to(
+        @plan,
+        target: "resolved-thread-count",
+        html: resolved_count > 0 ? resolved_count.to_s : ""
+      )
+
+      # Toggle empty-state placeholders
+      Broadcaster.replace_to(
+        @plan,
+        target: "open-threads-empty",
+        html: %(<p class="text-sm text-muted" id="open-threads-empty" #{'style="display: none;"' if open_count > 0}>No open comments.</p>)
+      )
+      Broadcaster.replace_to(
+        @plan,
+        target: "resolved-threads-empty",
+        html: %(<p class="text-sm text-muted" id="resolved-threads-empty" #{'style="display: none;"' if resolved_count > 0}>No resolved comments.</p>)
+      )
+    end
+  end
+end

data/app/controllers/coplan/comments_controller.rb

@@ -0,0 +1,40 @@
+module CoPlan
+  class CommentsController < ApplicationController
+    before_action :set_plan
+    before_action :set_thread
+
+    def create
+      authorize!(@plan, :show?)
+
+      comment = @thread.comments.create!(
+        author_type: "human",
+        author_id: current_user.id,
+        body_markdown: params[:comment][:body_markdown]
+      )
+
+      Broadcaster.append_to(
+        @plan,
+        target: ActionView::RecordIdentifier.dom_id(@thread, :comments),
+        partial: "coplan/comments/comment",
+        locals: { comment: comment }
+      )
+
+      # The broadcast above updates all clients (including the submitter) via WebSocket.
+      # The empty turbo_stream response prevents Turbo from navigating (which causes scroll-to-top).
+      respond_to do |format|
+        format.turbo_stream { render turbo_stream: [] }
+        format.html { redirect_to plan_path(@plan), notice: "Reply added." }
+      end
+    end
+
+    private
+
+    def set_plan
+      @plan = Plan.find(params[:plan_id])
+    end
+
+    def set_thread
+      @thread = @plan.comment_threads.find(params[:comment_thread_id])
+    end
+  end
+end

data/app/controllers/coplan/dashboard_controller.rb

@@ -0,0 +1,6 @@
+module CoPlan
+  class DashboardController < ApplicationController
+    def show
+    end
+  end
+end

data/app/controllers/coplan/plan_versions_controller.rb

@@ -0,0 +1,29 @@
+module CoPlan
+  class PlanVersionsController < ApplicationController
+    before_action :set_plan
+    before_action :set_version, only: [:show]
+
+    def index
+      authorize!(@plan, :show?)
+      @versions = @plan.plan_versions.order(revision: :desc)
+    end
+
+    def show
+      authorize!(@plan, :show?)
+      @previous_version = @plan.plan_versions.find_by(revision: @version.revision - 1)
+      if @previous_version
+        @diff = Diffy::Diff.new(@previous_version.content_markdown, @version.content_markdown, include_plus_and_minus_in_html: true, context: 3)
+      end
+    end
+
+    private
+
+    def set_plan
+      @plan = Plan.find(params[:plan_id])
+    end
+
+    def set_version
+      @version = @plan.plan_versions.find(params[:id])
+    end
+  end
+end

data/app/controllers/coplan/plans_controller.rb

@@ -0,0 +1,53 @@
+module CoPlan
+  class PlansController < ApplicationController
+    before_action :set_plan, only: [:show, :edit, :update, :update_status]
+
+    def index
+      @plans = Plan.order(updated_at: :desc)
+      @plans = @plans.where(status: params[:status]) if params[:status].present?
+      @plans = @plans.where(created_by_user: current_user) if params[:scope] == "mine"
+    end
+
+    def show
+      authorize!(@plan, :show?)
+      threads = @plan.comment_threads.includes(:comments, :created_by_user, :plan_version).order(created_at: :asc)
+      @active_threads = threads.active
+      @archived_threads = threads.archived
+    end
+
+    def edit
+      authorize!(@plan, :update?)
+    end
+
+    def update
+      authorize!(@plan, :update?)
+      @plan.update!(title: params[:plan][:title])
+      broadcast_plan_update(@plan)
+      redirect_to plan_path(@plan), notice: "Plan updated."
+    end
+
+    def update_status
+      authorize!(@plan, :update_status?)
+      new_status = params[:status]
+      if Plan::STATUSES.include?(new_status) && @plan.update(status: new_status)
+        broadcast_plan_update(@plan)
+        if @plan.saved_change_to_status?
+          Plans::TriggerAutomatedReviews.call(plan: @plan, new_status: new_status, triggered_by: current_user)
+        end
+        redirect_to plan_path(@plan), notice: "Status updated to #{new_status}."
+      else
+        redirect_to plan_path(@plan), alert: "Invalid status."
+      end
+    end
+
+    private
+
+    def set_plan
+      @plan = Plan.find(params[:id])
+    end
+
+    def broadcast_plan_update(plan)
+      Broadcaster.replace_to(plan, target: "plan-header", partial: "coplan/plans/header", locals: { plan: plan })
+    end
+  end
+end

data/app/controllers/coplan/settings/tokens_controller.rb

@@ -0,0 +1,37 @@
+module CoPlan
+  module Settings
+    class TokensController < ApplicationController
+      def index
+        @api_tokens = current_user.api_tokens.order(created_at: :desc)
+      end
+
+      def create
+        @api_token, @raw_token = ApiToken.create_with_raw_token(user: current_user, name: params[:api_token][:name])
+        @api_tokens = current_user.api_tokens.order(created_at: :desc)
+
+        respond_to do |format|
+          format.turbo_stream
+          format.html do
+            flash[:raw_token] = @raw_token
+            flash[:notice] = "Token created. Copy it now — it won't be shown again."
+            redirect_to settings_tokens_path, status: :see_other
+          end
+        end
+      rescue ActiveRecord::RecordInvalid => e
+        @api_tokens = current_user.api_tokens.order(created_at: :desc)
+        flash.now[:alert] = e.message
+        render :index, status: :unprocessable_entity
+      end
+
+      def destroy
+        @token = current_user.api_tokens.find(params[:id])
+        @token.revoke!
+
+        respond_to do |format|
+          format.turbo_stream
+          format.html { redirect_to settings_tokens_path, notice: "Token revoked.", status: :see_other }
+        end
+      end
+    end
+  end
+end

data/app/helpers/coplan/application_helper.rb

@@ -0,0 +1,4 @@
+module CoPlan
+  module ApplicationHelper
+  end
+end

data/app/helpers/coplan/comments_helper.rb

@@ -0,0 +1,20 @@
+module CoPlan
+  module CommentsHelper
+    def comment_author_name(comment)
+      case comment.author_type
+      when "human"
+        CoPlan::User.find_by(id: comment.author_id)&.name || "Unknown"
+      when "local_agent"
+        user_name = CoPlan::User
+          .joins(:api_tokens)
+          .where(coplan_api_tokens: { id: comment.author_id })
+          .pick(:name) || "Agent"
+        comment.agent_name.present? ? "#{user_name} (#{comment.agent_name})" : user_name
+      when "cloud_persona"
+        AutomatedPlanReviewer.find_by(id: comment.author_id)&.name || "Reviewer"
+      else
+        comment.author_type
+      end
+    end
+  end
+end

data/app/helpers/coplan/markdown_helper.rb

@@ -0,0 +1,36 @@
+module CoPlan
+  module MarkdownHelper
+    ALLOWED_TAGS = %w[
+      h1 h2 h3 h4 h5 h6
+      p div span
+      ul ol li
+      table thead tbody tfoot tr th td
+      pre code
+      a img
+      strong em b i u s del
+      blockquote hr br
+      dd dt dl
+      sup sub
+    ].freeze
+
+    ALLOWED_ATTRIBUTES = %w[id class href src alt title].freeze
+
+    def render_markdown(content)
+      html = Commonmarker.to_html(content.to_s.encode("UTF-8"), plugins: { syntax_highlighter: nil })
+      sanitized = sanitize(html, tags: ALLOWED_TAGS, attributes: ALLOWED_ATTRIBUTES)
+      tag.div(sanitized, class: "markdown-rendered")
+    end
+
+    def render_line_view(content)
+      lines = content.to_s.split("\n", -1)
+      line_divs = lines.each_with_index.map do |line, index|
+        n = index + 1
+        escaped = ERB::Util.html_escape(line)
+        inner = escaped.blank? ? " ".html_safe : escaped
+        tag.div(inner, class: "line-view__line", id: "L#{n}", data: { line: n })
+      end
+
+      tag.div(safe_join(line_divs), class: "line-view", data: { controller: "line-selection" })
+    end
+  end
+end

data/app/javascript/controllers/coplan/dropdown_controller.js

@@ -0,0 +1,25 @@
+import { Controller } from "@hotwired/stimulus"
+
+export default class extends Controller {
+  static targets = ["menu"]
+
+  toggle() {
+    const menu = this.menuTarget
+    menu.style.display = menu.style.display === "none" ? "" : "none"
+  }
+
+  close(event) {
+    if (!this.element.contains(event.target)) {
+      this.menuTarget.style.display = "none"
+    }
+  }
+
+  connect() {
+    this._closeHandler = this.close.bind(this)
+    document.addEventListener("click", this._closeHandler)
+  }
+
+  disconnect() {
+    document.removeEventListener("click", this._closeHandler)
+  }
+}