railspress-engine 1.2.0 → 1.3.0

data/app/controllers/railspress/api/v1/posts_controller.rb

@@ -0,0 +1,127 @@
+# frozen_string_literal: true
+
+module Railspress
+  module Api
+    module V1
+      class PostsController < BaseController
+        include Railspress::Api::V1::Concerns::PostSerialization
+
+        before_action :set_post, only: [ :show, :update, :destroy ]
+
+        def index
+          posts = Railspress::Post.includes(:category, :tags).sorted_by(sort_column, sort_direction)
+          total_count = posts.count
+
+          posts = posts.offset((page - 1) * per_page).limit(per_page)
+
+          render json: {
+            data: posts.map { |post| serialize_post(post) },
+            meta: {
+              page: page,
+              per: per_page,
+              total_count: total_count,
+              total_pages: (total_count.to_f / per_page).ceil
+            }
+          }
+        end
+
+        def show
+          render json: { data: serialize_post(@post) }
+        end
+
+        def create
+          post = Railspress::Post.new(post_params.except(:header_image_signed_blob_id))
+          attach_header_image_from_signed_blob(post, post_params[:header_image_signed_blob_id])
+
+          if post.save
+            render json: { data: serialize_post(post) }, status: :created
+          else
+            render_validation_errors(post)
+          end
+        rescue ActiveSupport::MessageVerifier::InvalidSignature, ActiveRecord::RecordNotFound
+          post.errors.add(:header_image, "signed blob id is invalid")
+          render_validation_errors(post)
+        end
+
+        def update
+          @post.assign_attributes(post_params.except(:header_image_signed_blob_id))
+          attach_header_image_from_signed_blob(@post, post_params[:header_image_signed_blob_id])
+
+          if @post.save
+            render json: { data: serialize_post(@post) }
+          else
+            render_validation_errors(@post)
+          end
+        rescue ActiveSupport::MessageVerifier::InvalidSignature, ActiveRecord::RecordNotFound
+          @post.errors.add(:header_image, "signed blob id is invalid")
+          render_validation_errors(@post)
+        end
+
+        def destroy
+          @post.destroy
+          head :no_content
+        end
+
+        private
+
+        def set_post
+          @post = Railspress::Post.find(params[:id])
+        end
+
+        def post_params
+          permitted = [
+            :title,
+            :slug,
+            :category_id,
+            :content,
+            :status,
+            :published_at,
+            :reading_time,
+            :meta_title,
+            :meta_description,
+            :tag_list
+          ]
+
+          permitted << :author_id if Railspress.authors_enabled?
+
+          if Railspress.post_images_enabled?
+            permitted << :header_image
+            permitted << :header_image_signed_blob_id
+            permitted << :remove_header_image
+
+            if Railspress.focal_points_enabled?
+              permitted << { header_image_focal_point_attributes: [ :focal_x, :focal_y, { overrides: {} } ] }
+            end
+          end
+
+          params.require(:post).permit(*permitted)
+        end
+
+        def page
+          [ params.fetch(:page, 1).to_i, 1 ].max
+        end
+
+        def per_page
+          requested = params.fetch(:per, Railspress::Post.per_page_count).to_i
+          requested = Railspress::Post.per_page_count if requested <= 0
+          [ requested, 100 ].min
+        end
+
+        def sort_column
+          params[:sort].presence || "created_at"
+        end
+
+        def sort_direction
+          params[:direction].presence || "desc"
+        end
+
+        def attach_header_image_from_signed_blob(post, signed_blob_id)
+          return if signed_blob_id.blank?
+          return unless Railspress.post_images_enabled?
+
+          post.header_image.attach(ActiveStorage::Blob.find_signed!(signed_blob_id))
+        end
+      end
+    end
+  end
+end

data/app/controllers/railspress/api/v1/prime_controller.rb

@@ -0,0 +1,78 @@
+# frozen_string_literal: true
+
+module Railspress
+  module Api
+    module V1
+      class PrimeController < BaseController
+        def show
+          render json: {
+            data: {
+              service: "Railspress API",
+              version: "v1",
+              authentication: {
+                type: "bearer",
+                token_types: [ "api_key", "agent_bootstrap_key" ],
+                agent_bootstrap_exchange_endpoint: exchange_api_v1_agent_keys_path
+              },
+              defaults: {
+                post_status: "draft",
+                publish_with_explicit_status: true
+              },
+              capabilities: capabilities,
+              endpoints: endpoints,
+              key: {
+                id: current_api_key.id,
+                name: current_api_key.name,
+                status: current_api_key.status,
+                expires_at: current_api_key.expires_at,
+                last_used_at: current_api_key.last_used_at
+              },
+              server_time: Time.current
+            }
+          }
+        end
+
+        private
+
+        def capabilities
+          {
+            posts: {
+              list: true,
+              read: true,
+              create: true,
+              update: true,
+              delete: true,
+              rich_text_html: true,
+              default_status: "draft",
+              publish_supported: true
+            },
+            post_imports: {
+              create: true,
+              read: true,
+              formats: %w[md markdown txt zip]
+            },
+            post_media: {
+              header_image: Railspress.post_images_enabled?,
+              focal_points: Railspress.post_images_enabled? && Railspress.focal_points_enabled?,
+              context_overrides: Railspress.post_images_enabled? && Railspress.focal_points_enabled?
+            },
+            taxonomies: {
+              categories: true,
+              tags: true
+            }
+          }
+        end
+
+        def endpoints
+          {
+            prime: api_v1_prime_path,
+            posts: api_v1_posts_path,
+            post_imports: api_v1_post_imports_path,
+            categories: api_v1_categories_path,
+            tags: api_v1_tags_path
+          }
+        end
+      end
+    end
+  end
+end

data/app/controllers/railspress/api/v1/tags_controller.rb

@@ -0,0 +1,85 @@
+# frozen_string_literal: true
+
+module Railspress
+  module Api
+    module V1
+      class TagsController < BaseController
+        before_action :set_tag, only: [ :show, :update, :destroy ]
+
+        def index
+          tags = Railspress::Tag.ordered
+          total_count = tags.count
+          tags = tags.offset((page - 1) * per_page).limit(per_page)
+
+          render json: {
+            data: tags.map { |tag| serialize_tag(tag) },
+            meta: {
+              page: page,
+              per: per_page,
+              total_count: total_count,
+              total_pages: (total_count.to_f / per_page).ceil
+            }
+          }
+        end
+
+        def show
+          render json: { data: serialize_tag(@tag) }
+        end
+
+        def create
+          tag = Railspress::Tag.new(tag_params)
+
+          if tag.save
+            render json: { data: serialize_tag(tag) }, status: :created
+          else
+            render_validation_errors(tag)
+          end
+        end
+
+        def update
+          if @tag.update(tag_params)
+            render json: { data: serialize_tag(@tag) }
+          else
+            render_validation_errors(@tag)
+          end
+        end
+
+        def destroy
+          @tag.destroy
+          head :no_content
+        end
+
+        private
+
+        def set_tag
+          @tag = Railspress::Tag.find(params[:id])
+        end
+
+        def tag_params
+          params.require(:tag).permit(:name, :slug)
+        end
+
+        def page
+          [ params.fetch(:page, 1).to_i, 1 ].max
+        end
+
+        def per_page
+          requested = params.fetch(:per, 20).to_i
+          requested = 20 if requested <= 0
+          [ requested, 100 ].min
+        end
+
+        def serialize_tag(tag)
+          {
+            id: tag.id,
+            name: tag.name,
+            slug: tag.slug,
+            posts_count: tag.posts.count,
+            created_at: tag.created_at,
+            updated_at: tag.updated_at
+          }
+        end
+      end
+    end
+  end
+end

data/app/helpers/railspress/admin_helper.rb

@@ -664,6 +664,25 @@ module Railspress
       content_tag(:span, text, class: "rp-badge rp-badge--#{status}")
     end
 
+    # Returns a safe display string for an author record in admin views.
+    # Falls back through common attributes if configured display method is unavailable.
+    def rp_author_display(author)
+      return nil unless author
+
+      configured_method = Railspress.author_display_method
+      if configured_method.present? && author.respond_to?(configured_method)
+        configured_value = author.public_send(configured_method)
+        return configured_value if configured_value.present?
+      end
+
+      fallback_method = [ :name, :full_name, :display_name, :email, :email_address ]
+        .find { |method| author.respond_to?(method) && author.public_send(method).present? }
+
+      return author.public_send(fallback_method) if fallback_method
+
+      "Author ##{author.id || "unknown"}"
+    end
+
     # Renders a hint/help text below a form input.
     # @param text [String] the hint text
     # @return [String] rendered HTML

data/app/models/railspress/agent_bootstrap_key.rb

@@ -0,0 +1,163 @@
+# frozen_string_literal: true
+
+require "openssl"
+
+module Railspress
+  class AgentBootstrapKey < ApplicationRecord
+    self.table_name = "railspress_agent_bootstrap_keys"
+
+    DEFAULT_TTL = 1.hour
+
+    class ExchangeError < StandardError; end
+
+    belongs_to :owner, polymorphic: true, optional: true
+    belongs_to :created_by, polymorphic: true, optional: true
+    belongs_to :revoked_by, polymorphic: true, optional: true
+    belongs_to :exchanged_api_key, class_name: "Railspress::ApiKey", optional: true
+
+    encrypts :secret_ciphertext
+
+    normalizes :name, with: ->(value) { value.to_s.strip }
+    normalizes :token_prefix, with: ->(value) { value.to_s.downcase }
+
+    validates :name, presence: true, length: { maximum: 120 }
+    validates :token_prefix, presence: true, length: { is: 12 }
+    validates :token_digest, presence: true, uniqueness: true, length: { is: 64 }
+    validates :secret_ciphertext, presence: true
+    validates :expires_at, presence: true
+    validates :global_uuid, presence: true, uniqueness: true
+
+    scope :recent, -> { order(created_at: :desc) }
+    scope :revoked, -> { where.not(revoked_at: nil) }
+    scope :used, -> { where.not(used_at: nil) }
+    scope :expired, -> { where("expires_at <= ?", Time.current) }
+    scope :active, -> {
+      where(revoked_at: nil, used_at: nil)
+        .where("expires_at > ?", Time.current)
+    }
+
+    before_validation :set_global_uuid, on: :create
+
+    class << self
+      def issue!(name:, actor:, owner: actor, expires_at: DEFAULT_TTL.from_now)
+        prefix = generate_prefix
+        raw_secret = generate_secret
+        token = build_token(prefix, raw_secret)
+
+        bootstrap_key = create!(
+          name: name,
+          token_prefix: prefix,
+          token_digest: digest(raw_secret),
+          secret_ciphertext: raw_secret,
+          owner: owner,
+          created_by: actor,
+          expires_at: expires_at
+        )
+
+        [ bootstrap_key, token ]
+      end
+
+      def authenticate(raw_token)
+        parsed = parse_token(raw_token)
+        return nil unless parsed
+
+        candidate = active.where(token_prefix: parsed[:prefix]).recent.first
+        return nil unless candidate
+        return nil unless secure_digest_match?(candidate.token_digest, digest(parsed[:secret]))
+
+        candidate
+      end
+
+      def build_token(prefix, raw_secret)
+        "rpb_#{Rails.env}_#{prefix}_#{raw_secret}"
+      end
+
+      def digest(raw_secret)
+        OpenSSL::HMAC.hexdigest("SHA256", digest_key, raw_secret.to_s)
+      end
+
+      def parse_token(raw_token)
+        return nil if raw_token.blank?
+
+        match = raw_token.match(/\Arpb_[a-z0-9_]+_([a-f0-9]{12})_([a-f0-9]{64})\z/)
+        return nil unless match
+
+        { prefix: match[1], secret: match[2] }
+      end
+
+      private
+
+      def digest_key
+        Rails.application.secret_key_base.to_s
+      end
+
+      def generate_prefix
+        SecureRandom.hex(6)
+      end
+
+      def generate_secret
+        SecureRandom.hex(32)
+      end
+
+      def secure_digest_match?(stored_digest, candidate_digest)
+        return false if stored_digest.blank? || candidate_digest.blank?
+        return false unless stored_digest.bytesize == candidate_digest.bytesize
+
+        ActiveSupport::SecurityUtils.secure_compare(stored_digest, candidate_digest)
+      end
+    end
+
+    def exchange!(ip_address: nil, api_key_name: default_api_key_name, api_key_expires_at: nil)
+      raise ExchangeError, "Bootstrap key is not active." unless active?
+
+      transaction do
+        api_key_actor = owner || created_by
+        api_key_owner = owner || api_key_actor
+        api_key, plain_token = Railspress::ApiKey.issue!(
+          name: api_key_name,
+          actor: api_key_actor,
+          owner: api_key_owner,
+          expires_at: api_key_expires_at
+        )
+
+        update!(
+          used_at: Time.current,
+          used_ip: ip_address,
+          exchanged_api_key: api_key
+        )
+
+        [ api_key, plain_token ]
+      end
+    end
+
+    def revoke!(actor:, reason: "revoked")
+      update!(
+        revoked_at: Time.current,
+        revoke_reason: reason,
+        revoked_by: actor
+      )
+    end
+
+    def active?
+      revoked_at.nil? && used_at.nil? && expires_at > Time.current
+    end
+
+    def status
+      return "revoked" if revoked_at.present?
+      return "used" if used_at.present?
+      return "expired" if expires_at <= Time.current
+
+      "active"
+    end
+
+    private
+
+    def default_api_key_name
+      "#{name} (API Key)"
+    end
+
+    def set_global_uuid
+      self.global_uuid ||= SecureRandom.uuid
+    end
+  end
+end

data/app/models/railspress/api_key.rb

@@ -0,0 +1,157 @@
+# frozen_string_literal: true
+
+require "openssl"
+
+module Railspress
+  class ApiKey < ApplicationRecord
+    self.table_name = "railspress_api_keys"
+
+    belongs_to :owner, polymorphic: true, optional: true
+    belongs_to :created_by, polymorphic: true, optional: true
+    belongs_to :rotated_by, polymorphic: true, optional: true
+    belongs_to :revoked_by, polymorphic: true, optional: true
+    belongs_to :rotated_from, class_name: "Railspress::ApiKey", optional: true
+
+    encrypts :secret_ciphertext
+
+    normalizes :name, with: ->(value) { value.to_s.strip }
+    normalizes :token_prefix, with: ->(value) { value.to_s.downcase }
+
+    validates :name, presence: true, length: { maximum: 120 }
+    validates :token_prefix, presence: true, length: { is: 12 }
+    validates :token_digest, presence: true, uniqueness: true, length: { is: 64 }
+    validates :secret_ciphertext, presence: true
+    validates :global_uuid, presence: true, uniqueness: true
+
+    scope :recent, -> { order(created_at: :desc) }
+    scope :revoked, -> { where.not(revoked_at: nil) }
+    scope :expired, -> { where("expires_at <= ?", Time.current) }
+    scope :active, -> {
+      where(revoked_at: nil)
+        .where("expires_at IS NULL OR expires_at > ?", Time.current)
+    }
+
+    before_validation :set_global_uuid, on: :create
+
+    class << self
+      def issue!(name:, actor:, owner: actor, expires_at: nil, rotated_from: nil)
+        prefix = generate_prefix
+        raw_secret = generate_secret
+        token = build_token(prefix, raw_secret)
+
+        api_key = create!(
+          name: name,
+          token_prefix: prefix,
+          token_digest: digest(raw_secret),
+          secret_ciphertext: raw_secret,
+          owner: owner,
+          created_by: actor,
+          expires_at: expires_at,
+          rotated_from: rotated_from
+        )
+
+        [ api_key, token ]
+      end
+
+      def authenticate(raw_token, ip_address: nil)
+        parsed = parse_token(raw_token)
+        return nil unless parsed
+
+        candidate = active.where(token_prefix: parsed[:prefix]).recent.first
+        return nil unless candidate
+        return nil unless secure_digest_match?(candidate.token_digest, digest(parsed[:secret]))
+
+        candidate.touch_usage!(ip_address: ip_address)
+        candidate
+      end
+
+      def build_token(prefix, raw_secret)
+        "rp_#{Rails.env}_#{prefix}_#{raw_secret}"
+      end
+
+      def digest(raw_secret)
+        OpenSSL::HMAC.hexdigest("SHA256", digest_key, raw_secret.to_s)
+      end
+
+      def parse_token(raw_token)
+        return nil if raw_token.blank?
+
+        match = raw_token.match(/\Arp_[a-z0-9_]+_([a-f0-9]{12})_([a-f0-9]{64})\z/)
+        return nil unless match
+
+        { prefix: match[1], secret: match[2] }
+      end
+
+      private
+
+      def digest_key
+        Rails.application.secret_key_base.to_s
+      end
+
+      def generate_prefix
+        SecureRandom.hex(6)
+      end
+
+      def generate_secret
+        SecureRandom.hex(32)
+      end
+
+      def secure_digest_match?(stored_digest, candidate_digest)
+        return false if stored_digest.blank? || candidate_digest.blank?
+        return false unless stored_digest.bytesize == candidate_digest.bytesize
+
+        ActiveSupport::SecurityUtils.secure_compare(stored_digest, candidate_digest)
+      end
+    end
+
+    def revoke!(actor:, reason: "revoked")
+      update!(
+        revoked_at: Time.current,
+        revoke_reason: reason,
+        revoked_by: actor
+      )
+    end
+
+    def rotate!(actor:, name: self.name, expires_at: self.expires_at)
+      transaction do
+        replacement_key, plain_token = self.class.issue!(
+          name: name,
+          actor: actor,
+          owner: owner,
+          expires_at: expires_at,
+          rotated_from: self
+        )
+
+        update!(
+          revoked_at: Time.current,
+          revoke_reason: "rotated",
+          revoked_by: actor,
+          rotated_by: actor
+        )
+
+        [ replacement_key, plain_token ]
+      end
+    end
+
+    def active?
+      revoked_at.nil? && (expires_at.nil? || expires_at > Time.current)
+    end
+
+    def status
+      return "revoked" if revoked_at.present?
+      return "expired" if expires_at.present? && expires_at <= Time.current
+
+      "active"
+    end
+
+    def touch_usage!(ip_address: nil)
+      update_columns(last_used_at: Time.current, last_used_ip: ip_address, updated_at: Time.current)
+    end
+
+    private
+
+    def set_global_uuid
+      self.global_uuid ||= SecureRandom.uuid
+    end
+  end
+end

data/app/models/railspress/post_export_processor.rb

@@ -85,8 +85,7 @@ module Railspress
       fm["meta_description"] = post.meta_description if post.meta_description.present?
 
       if Railspress.authors_enabled? && post.respond_to?(:author) && post.author.present?
-        display_method = Railspress.author_display_method
-        fm["author"] = post.author.public_send(display_method)
+        fm["author"] = author_display_for_export(post.author)
       end
 
       if post.header_image.attached?
@@ -158,5 +157,20 @@ module Railspress
         zipfile.add(entry_name, file)
       end
     end
+
+    def author_display_for_export(author)
+      display_method = Railspress.author_display_method
+      if display_method.present? && author.respond_to?(display_method)
+        configured_value = author.public_send(display_method)
+        return configured_value if configured_value.present?
+      end
+
+      fallback_method = [ :name, :full_name, :display_name, :email, :email_address ]
+        .find { |method| author.respond_to?(method) && author.public_send(method).present? }
+
+      return author.public_send(fallback_method) if fallback_method
+
+      "Author ##{author.id || "unknown"}"
+    end
   end
 end

data/app/views/railspress/admin/agent_bootstrap_keys/_form.html.erb

@@ -0,0 +1,25 @@
+<%= form_with model: [:admin, agent_bootstrap_key], class: "rp-form rp-form--narrow" do |form| %>
+  <%= rp_form_errors(agent_bootstrap_key) %>
+
+  <%= rp_hint("Bootstrap keys are one-time exchange tokens for agents. They default to a 1-hour expiration.") %>
+
+  <%= rp_string_field(
+        form,
+        :name,
+        primary: true,
+        required: true,
+        label: "Bootstrap Key Name",
+        placeholder: "e.g., Claude Code",
+        hint: "Use a descriptive name so you can identify this bootstrap key later."
+      ) %>
+
+  <%= rp_datetime_field(
+        form,
+        :expires_at,
+        label: "Expiration",
+        hint: "Defaults to 1 hour from now. Set a custom date/time to override.",
+        step: 60
+      ) %>
+
+  <%= rp_form_actions(form, admin_api_keys_path, submit_text: "Create Agent Bootstrap Key") %>
+<% end %>

data/app/views/railspress/admin/agent_bootstrap_keys/new.html.erb

@@ -0,0 +1,7 @@
+<% content_for :title, "New Agent Key" %>
+
+<h1 class="rp-page-title rp-page-title--standalone">New Agent Key</h1>
+
+<div class="rp-card rp-card--padded">
+  <%= render "form", agent_bootstrap_key: @agent_bootstrap_key %>
+</div>