railspress-engine 1.2.1 → 1.3.1

data/app/views/railspress/admin/api_keys/index.html.erb

@@ -0,0 +1,142 @@
+<% content_for :title, "Agents & API" %>
+
+<%= rp_page_header "Agents & API",
+    "New Agent Key" => [new_admin_agent_bootstrap_key_path, class: "rp-btn rp-btn--secondary"],
+    "New API Key" => new_admin_api_key_path %>
+
+<div class="rp-card rp-card--padded rp-card--section">
+  <div class="rp-section">
+    <div class="rp-section-header">
+      <h2 class="rp-section-title">Agent Setup (Generic)</h2>
+    </div>
+
+    <div class="rp-form rp-form--spacious">
+      <p class="rp-hint">Use a short-lived bootstrap key in agent instructions. The agent exchanges it once for a real API key.</p>
+
+      <%= render "railspress/admin/shared/copyable_textarea",
+          id: "rp-generic-agent-quick-start",
+          label: "Bootstrap Quick Start",
+          value: @generic_agent_quick_start,
+          rows: 10,
+          button_text: "Copy Quick Start" %>
+
+      <%= render "railspress/admin/shared/copyable_textarea",
+          id: "rp-generic-agent-instructions",
+          label: "Agent Instructions",
+          value: @generic_agent_instructions,
+          rows: 10,
+          button_text: "Copy Instructions" %>
+    </div>
+  </div>
+</div>
+
+<div class="rp-card rp-card--padded rp-card--section">
+  <div class="rp-section">
+    <div class="rp-section-header">
+      <h2 class="rp-section-title">API Keys</h2>
+    </div>
+
+    <% if @api_keys.any? %>
+      <div class="rp-table--responsive">
+        <table class="rp-table">
+          <thead>
+            <tr>
+              <th><%= rp_table_header("Name") %></th>
+              <th><%= rp_table_header("Prefix") %></th>
+              <th><%= rp_table_header("Status") %></th>
+              <th><%= rp_table_header("Last Used") %></th>
+              <th><%= rp_table_header("Expires") %></th>
+              <th class="rp-table-actions"><%= rp_table_header("Actions") %></th>
+            </tr>
+          </thead>
+          <tbody>
+            <% @api_keys.each do |api_key| %>
+              <% api_status_type = case api_key.status
+                  when "active" then :published
+                  when "expired" then :draft
+                  else :failed
+                  end %>
+              <tr>
+                <td class="rp-table-primary"><%= api_key.name %></td>
+                <td class="rp-table-secondary"><code><%= api_key.token_prefix %></code></td>
+                <td><%= rp_status_badge(api_key.status, type: api_status_type) %></td>
+                <td><%= api_key.last_used_at ? l(api_key.last_used_at, format: :short) : "Never" %></td>
+                <td><%= api_key.expires_at ? l(api_key.expires_at, format: :short) : "Never" %></td>
+                <td class="rp-table-actions">
+                  <%= button_to "Rotate",
+                      rotate_admin_api_key_path(api_key),
+                      method: :post,
+                      class: "rp-btn rp-btn--secondary rp-btn--sm" %>
+                  <% unless api_key.revoked_at %>
+                    <%= button_to "Revoke",
+                        revoke_admin_api_key_path(api_key),
+                        method: :post,
+                        class: "rp-btn rp-btn--danger rp-btn--sm",
+                        data: { turbo_confirm: "Revoke this API key?" } %>
+                  <% end %>
+                </td>
+              </tr>
+            <% end %>
+          </tbody>
+        </table>
+      </div>
+    <% else %>
+      <%= rp_empty_state("No API keys yet.", link_text: "Create your first API key", link_path: new_admin_api_key_path) %>
+    <% end %>
+  </div>
+</div>
+
+<div class="rp-card rp-card--padded rp-card--section">
+  <div class="rp-section">
+    <div class="rp-section-header">
+      <h2 class="rp-section-title">Agent Bootstrap Keys</h2>
+    </div>
+
+    <% if @agent_bootstrap_keys.any? %>
+      <div class="rp-table--responsive">
+        <table class="rp-table">
+          <thead>
+            <tr>
+              <th><%= rp_table_header("Name") %></th>
+              <th><%= rp_table_header("Prefix") %></th>
+              <th><%= rp_table_header("Status") %></th>
+              <th><%= rp_table_header("Used") %></th>
+              <th><%= rp_table_header("Expires") %></th>
+              <th class="rp-table-actions"><%= rp_table_header("Actions") %></th>
+            </tr>
+          </thead>
+          <tbody>
+            <% @agent_bootstrap_keys.each do |bootstrap_key| %>
+              <% bootstrap_status_type = case bootstrap_key.status
+                  when "active" then :published
+                  when "used" then :completed
+                  when "expired" then :draft
+                  else :failed
+                  end %>
+              <tr>
+                <td class="rp-table-primary"><%= bootstrap_key.name %></td>
+                <td class="rp-table-secondary"><code><%= bootstrap_key.token_prefix %></code></td>
+                <td><%= rp_status_badge(bootstrap_key.status, type: bootstrap_status_type) %></td>
+                <td><%= bootstrap_key.used_at ? l(bootstrap_key.used_at, format: :short) : "No" %></td>
+                <td><%= l(bootstrap_key.expires_at, format: :short) %></td>
+                <td class="rp-table-actions">
+                  <% if bootstrap_key.active? %>
+                    <%= button_to "Revoke",
+                        revoke_admin_agent_bootstrap_key_path(bootstrap_key),
+                        method: :post,
+                        class: "rp-btn rp-btn--danger rp-btn--sm",
+                        data: { turbo_confirm: "Revoke this bootstrap key?" } %>
+                  <% else %>
+                    <span class="rp-hint">No actions</span>
+                  <% end %>
+                </td>
+              </tr>
+            <% end %>
+          </tbody>
+        </table>
+      </div>
+    <% else %>
+      <%= rp_empty_state("No bootstrap keys yet.", link_text: "Create your first bootstrap key", link_path: new_admin_agent_bootstrap_key_path) %>
+    <% end %>
+  </div>
+</div>

data/app/views/railspress/admin/api_keys/new.html.erb

@@ -0,0 +1,7 @@
+<% content_for :title, "New API Key" %>
+
+<h1 class="rp-page-title rp-page-title--standalone">New API Key</h1>
+
+<div class="rp-card rp-card--padded">
+  <%= render "form", api_key: @api_key %>
+</div>

data/app/views/railspress/admin/api_keys/reveal.html.erb

@@ -0,0 +1,40 @@
+<% content_for :title, "API Key Created" %>
+
+<h1 class="rp-page-title rp-page-title--standalone">API Key Created</h1>
+
+<div class="rp-card rp-card--padded">
+  <div class="rp-form rp-form--spacious">
+    <p class="rp-hint">
+      Copy this key now. For security reasons it will not be shown again.
+    </p>
+
+    <%= render "railspress/admin/shared/copyable_textarea",
+        id: "rp-api-key-token",
+        label: "Bearer Token",
+        value: @plain_token,
+        rows: 4,
+        hint: "Use this as Authorization: Bearer <token> (or save it to ~/.railspress_token for reuse).",
+        button_text: "Copy Token" %>
+
+    <%= render "railspress/admin/shared/copyable_textarea",
+        id: "rp-api-key-quick-start",
+        label: "API Quick Start",
+        value: @api_key_quick_start,
+        rows: 3,
+        hint: "This verifies connectivity and capabilities via /api/v1/prime.",
+        button_text: "Copy Quick Start" %>
+
+    <%= render "railspress/admin/shared/copyable_textarea",
+        id: "rp-api-key-instructions",
+        label: "API Key Instructions",
+        value: @api_key_instructions,
+        rows: 14,
+        hint: "Draft is default; publishing is supported when explicitly requested.",
+        button_text: "Copy Instructions" %>
+
+    <div class="rp-form-actions">
+      <%= link_to "Create Another API Key", new_admin_api_key_path, class: "rp-btn rp-btn--primary" %>
+      <%= link_to "Back to Agents & API", admin_api_keys_path, class: "rp-btn rp-btn--secondary" %>
+    </div>
+  </div>
+</div>

data/app/views/railspress/admin/posts/_form.html.erb

@@ -159,7 +159,7 @@
         <% if authors_enabled? %>
           <div class="rp-form-group">
             <%= form.label :author_id, "Author", class: "rp-label" %>
-            <%= form.collection_select :author_id, available_authors, :id, Railspress.author_display_method,
+            <%= form.collection_select :author_id, available_authors, :id, ->(author) { rp_author_display(author) },
                 { prompt: "No author", selected: @post.author_id },
                 { class: "rp-select" } %>
           </div>

data/app/views/railspress/admin/posts/_post_row.html.erb

@@ -11,7 +11,7 @@
   </td>
   <td><%= post.category&.name || "—" %></td>
   <% if authors_enabled? %>
-    <td><%= post.author&.public_send(Railspress.author_display_method) || "—" %></td>
+    <td><%= post.author ? rp_author_display(post.author) : "—" %></td>
   <% end %>
   <td>
     <span class="rp-badge rp-badge--<%= post.display_status %>">

data/app/views/railspress/admin/posts/show.html.erb

@@ -2,7 +2,7 @@
   <div>
     <h1 class="rp-page-title"><%= @post.title %></h1>
     <% if authors_enabled? && @post.author %>
-      <p class="rp-byline">by <%= @post.author.public_send(Railspress.author_display_method) %></p>
+      <p class="rp-byline">by <%= rp_author_display(@post.author) %></p>
     <% end %>
   </div>
   <div class="rp-page-actions">

data/app/views/railspress/admin/shared/_copyable_textarea.html.erb

@@ -0,0 +1,17 @@
+<div class="rp-form-group">
+  <label class="rp-label"><%= label %></label>
+  <% textarea_classes = ["rp-input", "rp-input--mono", "rp-input--code", local_assigns[:textarea_class]].compact.join(" ") %>
+  <textarea id="<%= id %>"
+            class="<%= textarea_classes %>"
+            rows="<%= local_assigns.fetch(:rows, 4) %>"
+            readonly><%= value %></textarea>
+  <% if local_assigns[:hint].present? %>
+    <p class="rp-hint"><%= hint %></p>
+  <% end %>
+  <% button_variant = local_assigns.fetch(:button_class, "rp-btn--accent") %>
+  <button type="button"
+          class="rp-btn rp-btn--sm <%= button_variant %>"
+          data-copy-target="<%= id %>">
+    <%= local_assigns.fetch(:button_text, "Copy") %>
+  </button>
+</div>

data/app/views/railspress/admin/shared/_sidebar.html.erb

@@ -94,6 +94,20 @@
     <% end %>
 
     <div class="rp-nav-divider"></div>
+    <% if Railspress.api_enabled? %>
+      <%= link_to railspress.admin_api_keys_path,
+          class: "rp-nav-link #{controller_name == 'api_keys' ? 'rp-nav-link--active' : ''}" do %>
+        <svg class="rp-nav-icon" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
+          <path d="M12 3 13.6 6.9 17.5 8.5 13.6 10.1 12 14 10.4 10.1 6.5 8.5 10.4 6.9z"/>
+          <path d="M19 13 19.8 14.9 21.7 15.7 19.8 16.5 19 18.4 18.2 16.5 16.3 15.7 18.2 14.9z"/>
+          <path d="M5 15 5.8 16.9 7.7 17.7 5.8 18.5 5 20.4 4.2 18.5 2.3 17.7 4.2 16.9z"/>
+        </svg>
+        <span class="rp-nav-text">Agents &amp; API</span>
+      <% end %>
+
+      <div class="rp-nav-divider"></div>
+    <% end %>
+
     <%= link_to "/", class: "rp-nav-link" do %>
       <svg class="rp-nav-icon" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2">
         <circle cx="12" cy="12" r="10"/>

data/config/routes.rb

@@ -4,6 +4,17 @@ Railspress::Engine.routes.draw do
     root "dashboard#index"
     resources :categories, except: [ :show ]
     resources :tags, except: [ :show ]
+    resources :api_keys, only: [ :index, :new, :create ] do
+      member do
+        post :rotate
+        post :revoke
+      end
+    end
+    resources :agent_bootstrap_keys, only: [ :new, :create ] do
+      member do
+        post :revoke
+      end
+    end
 
     # Content Element CMS (opt-in via config.enable_cms)
     if Railspress.cms_enabled?
@@ -67,4 +78,26 @@ Railspress::Engine.routes.draw do
       end
     end
   end
+
+  namespace :api do
+    namespace :v1 do
+      resource :prime, only: [ :show ], controller: "prime"
+      resources :agent_keys, only: [] do
+        collection do
+          post :exchange, to: "agent_key_exchanges#create"
+        end
+      end
+      resources :post_imports, path: "posts/imports", only: [ :create, :show ]
+      resources :posts, only: [ :index, :show, :create, :update, :destroy ] do
+        resource :header_image, only: [ :show, :update, :destroy ], controller: "post_header_images" do
+          resource :focal_point, only: [ :show, :update ], controller: "post_header_image_focal_points"
+          resources :contexts, only: [ :index, :show, :update, :destroy ],
+                               controller: "post_header_image_contexts",
+                               param: :context
+        end
+      end
+      resources :categories, only: [ :index, :show, :create, :update, :destroy ]
+      resources :tags, only: [ :index, :show, :create, :update, :destroy ]
+    end
+  end
 end

data/db/migrate/20260415000001_create_railspress_api_keys.rb

@@ -0,0 +1,40 @@
+# frozen_string_literal: true
+
+class CreateRailspressApiKeys < ActiveRecord::Migration[8.0]
+  def change
+    create_table :railspress_api_keys do |t|
+      t.string :name, null: false
+      t.string :global_uuid, null: false
+      t.string :token_prefix, null: false
+      t.string :token_digest, null: false
+      t.text :secret_ciphertext, null: false
+      t.datetime :expires_at
+      t.datetime :last_used_at
+      t.string :last_used_ip
+      t.datetime :revoked_at
+      t.string :revoke_reason
+      t.integer :rotated_from_id
+
+      t.string :owner_type
+      t.bigint :owner_id
+
+      t.string :created_by_type
+      t.bigint :created_by_id
+      t.string :rotated_by_type
+      t.bigint :rotated_by_id
+      t.string :revoked_by_type
+      t.bigint :revoked_by_id
+
+      t.timestamps
+    end
+
+    add_index :railspress_api_keys, :global_uuid, unique: true
+    add_index :railspress_api_keys, :token_prefix
+    add_index :railspress_api_keys, :token_digest, unique: true
+    add_index :railspress_api_keys, :rotated_from_id
+    add_index :railspress_api_keys, [ :owner_type, :owner_id ]
+    add_index :railspress_api_keys, [ :created_by_type, :created_by_id ]
+    add_index :railspress_api_keys, [ :rotated_by_type, :rotated_by_id ]
+    add_index :railspress_api_keys, [ :revoked_by_type, :revoked_by_id ]
+  end
+end

data/db/migrate/20260415000002_create_railspress_agent_bootstrap_keys.rb

@@ -0,0 +1,37 @@
+# frozen_string_literal: true
+
+class CreateRailspressAgentBootstrapKeys < ActiveRecord::Migration[8.0]
+  def change
+    create_table :railspress_agent_bootstrap_keys do |t|
+      t.string :name, null: false
+      t.string :global_uuid, null: false
+      t.string :token_prefix, null: false
+      t.string :token_digest, null: false
+      t.text :secret_ciphertext, null: false
+      t.datetime :expires_at, null: false
+      t.datetime :used_at
+      t.string :used_ip
+      t.datetime :revoked_at
+      t.string :revoke_reason
+      t.bigint :exchanged_api_key_id
+
+      t.string :owner_type
+      t.bigint :owner_id
+
+      t.string :created_by_type
+      t.bigint :created_by_id
+      t.string :revoked_by_type
+      t.bigint :revoked_by_id
+
+      t.timestamps
+    end
+
+    add_index :railspress_agent_bootstrap_keys, :global_uuid, unique: true
+    add_index :railspress_agent_bootstrap_keys, :token_prefix
+    add_index :railspress_agent_bootstrap_keys, :token_digest, unique: true
+    add_index :railspress_agent_bootstrap_keys, :exchanged_api_key_id
+    add_index :railspress_agent_bootstrap_keys, [ :owner_type, :owner_id ], name: "idx_rp_agent_bootstrap_keys_owner"
+    add_index :railspress_agent_bootstrap_keys, [ :created_by_type, :created_by_id ], name: "idx_rp_agent_bootstrap_keys_created_by"
+    add_index :railspress_agent_bootstrap_keys, [ :revoked_by_type, :revoked_by_id ], name: "idx_rp_agent_bootstrap_keys_revoked_by"
+  end
+end

data/lib/generators/railspress/install/templates/initializer.rb

@@ -8,6 +8,7 @@ Railspress.configure do |config|
   # config.enable_authors
   # config.author_class_name = "User"
   # config.current_author_method = :current_user
+  # config.current_author_proc = -> { Current.user }
 
   # === CMS Content Elements (opt-in) ===
   # Adds content groups, content elements, and the cms_element/cms_value
@@ -26,4 +27,19 @@ Railspress.configure do |config|
   # config.inline_editing_check = ->(context) {
   #   context.controller.current_user&.admin?
   # }
+
+  # === API (opt-in) ===
+  # Enables API endpoints under /railspress/api/v1 and admin API key management.
+  # Requires Active Record Encryption keys in your host app config.
+  # Uncomment to enable:
+  # config.enable_api
+  # Optional: include a host auth concern into Railspress::Admin::BaseController.
+  # Define your concern in app/controllers/concerns/railspress_admin_auth.rb
+  # and set this to its constant name (String or Symbol).
+  # config.admin_auth_concern = "RailspressAdminAuth"
+  # config.current_api_actor_method = :current_user
+  # config.current_api_actor_proc = -> { Current.user if Current.user&.admin? }
+  # Optional: force a canonical public base URL in generated API instructions.
+  # Falls back to Rails.application.routes.default_url_options, then request host.
+  # config.public_base_url = "https://blog.example.com"
 end

data/lib/railspress/engine.rb

@@ -41,6 +41,18 @@ module Railspress
       end
     end
 
+    # Allow host apps to inject their auth concern into the admin base controller.
+    # This keeps host auth logic in app/controllers concerns while Railspress handles reload-safe wiring.
+    initializer "railspress.admin_auth_concern" do |app|
+      app.config.to_prepare do
+        concern = Railspress.resolved_admin_auth_concern
+        next unless concern
+        next if Railspress::Admin::BaseController < concern
+
+        Railspress::Admin::BaseController.include(concern)
+      end
+    end
+
     # Configure importmap for Stimulus controllers
     initializer "railspress.importmap", before: "importmap" do |app|
       if app.respond_to?(:importmap)

data/lib/railspress/version.rb

@@ -1,3 +1,3 @@
 module Railspress
-  VERSION = "1.2.1"
+  VERSION = "1.3.1"
 end

data/lib/railspress.rb

@@ -10,6 +10,10 @@ module Railspress
     attr_accessor :author_class_name,
                   :current_author_method,
                   :current_author_proc,
+                  :current_api_actor_method,
+                  :current_api_actor_proc,
+                  :admin_auth_concern,
+                  :public_base_url,
                   :author_scope,
                   :author_display_method,
                   :words_per_minute,
@@ -18,19 +22,24 @@ module Railspress
                   :post_image_variants,
                   :inline_editing_check
 
-    attr_reader :authors_enabled, :post_images_enabled, :focal_points_enabled, :cms_enabled, :image_contexts
+    attr_reader :authors_enabled, :post_images_enabled, :focal_points_enabled, :cms_enabled, :api_enabled, :image_contexts
 
     def initialize
       @authors_enabled = false
       @post_images_enabled = false
       @focal_points_enabled = false
       @cms_enabled = false
+      @api_enabled = false
       @image_contexts = default_image_contexts
       @post_image_variants = {}
       @inline_editing_check = nil
       @author_class_name = "User"
       @current_author_method = :current_user
       @current_author_proc = nil
+      @current_api_actor_method = :current_user
+      @current_api_actor_proc = nil
+      @admin_auth_concern = nil
+      @public_base_url = nil
       @author_scope = nil
       @author_display_method = :name
       @words_per_minute = 200
@@ -58,6 +67,11 @@ module Railspress
       @cms_enabled = true
     end
 
+    # Declarative setter: config.enable_api
+    def enable_api
+      @api_enabled = true
+    end
+
     # Validate configuration after the configure block completes.
     # This keeps the configure block order-independent.
     def validate!
@@ -212,6 +226,10 @@ module Railspress
       configuration.image_contexts
     end
 
+    def api_enabled?
+      configuration.api_enabled
+    end
+
     def author_class
       configuration.author_class_name.constantize
     end
@@ -231,6 +249,26 @@ module Railspress
       configuration.author_display_method
     end
 
+    # Returns a safe display string for an author record.
+    # Falls back through common attribute names when the configured display
+    # method is missing on the model.
+    def author_display_for(author)
+      return nil unless author
+
+      configured_method = author_display_method
+      if configured_method.present? && author.respond_to?(configured_method)
+        value = author.public_send(configured_method)
+        return value if value.present?
+      end
+
+      fallback_method = [ :name, :full_name, :display_name, :email, :email_address ]
+        .find { |method| author.respond_to?(method) && author.public_send(method).present? }
+
+      return author.public_send(fallback_method) if fallback_method
+
+      "Author ##{author.id || "unknown"}"
+    end
+
     def current_author_method
       configuration.current_author_method
     end
@@ -239,6 +277,40 @@ module Railspress
       configuration.current_author_proc
     end
 
+    def current_api_actor_method
+      configuration.current_api_actor_method
+    end
+
+    def current_api_actor_proc
+      configuration.current_api_actor_proc
+    end
+
+    def admin_auth_concern
+      configuration.admin_auth_concern
+    end
+
+    def resolved_admin_auth_concern
+      concern = admin_auth_concern
+      return nil if concern.blank?
+
+      module_value = case concern
+      when Module then concern
+      when String, Symbol
+        concern_name = concern.to_s
+        concern_name.safe_constantize || concern_name.camelize.safe_constantize
+      end
+
+      unless module_value.is_a?(Module)
+        raise ConfigurationError, "admin_auth_concern must resolve to a Module. Got: #{concern.inspect}"
+      end
+
+      module_value
+    end
+
+    def public_base_url
+      configuration.public_base_url
+    end
+
     def words_per_minute
       configuration.words_per_minute
     end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: railspress-engine
 version: !ruby/object:Gem::Version
-  version: 1.2.1
+  version: 1.3.1
 platform: ruby
 authors:
 - Avi Flombaum
@@ -157,6 +157,8 @@ files:
 - app/assets/stylesheets/railspress/admin/utilities.css
 - app/assets/stylesheets/railspress/admin/variables.css
 - app/assets/stylesheets/railspress/application.css
+- app/controllers/railspress/admin/agent_bootstrap_keys_controller.rb
+- app/controllers/railspress/admin/api_keys_controller.rb
 - app/controllers/railspress/admin/base_controller.rb
 - app/controllers/railspress/admin/categories_controller.rb
 - app/controllers/railspress/admin/cms_transfers_controller.rb
@@ -171,6 +173,17 @@ files:
 - app/controllers/railspress/admin/posts_controller.rb
 - app/controllers/railspress/admin/prototypes_controller.rb
 - app/controllers/railspress/admin/tags_controller.rb
+- app/controllers/railspress/api/v1/agent_key_exchanges_controller.rb
+- app/controllers/railspress/api/v1/base_controller.rb
+- app/controllers/railspress/api/v1/categories_controller.rb
+- app/controllers/railspress/api/v1/concerns/post_serialization.rb
+- app/controllers/railspress/api/v1/post_header_image_contexts_controller.rb
+- app/controllers/railspress/api/v1/post_header_image_focal_points_controller.rb
+- app/controllers/railspress/api/v1/post_header_images_controller.rb
+- app/controllers/railspress/api/v1/post_imports_controller.rb
+- app/controllers/railspress/api/v1/posts_controller.rb
+- app/controllers/railspress/api/v1/prime_controller.rb
+- app/controllers/railspress/api/v1/tags_controller.rb
 - app/controllers/railspress/application_controller.rb
 - app/helpers/railspress/admin_helper.rb
 - app/helpers/railspress/application_helper.rb
@@ -190,6 +203,8 @@ files:
 - app/models/concerns/railspress/has_focal_point.rb
 - app/models/concerns/railspress/soft_deletable.rb
 - app/models/concerns/railspress/taggable.rb
+- app/models/railspress/agent_bootstrap_key.rb
+- app/models/railspress/api_key.rb
 - app/models/railspress/application_record.rb
 - app/models/railspress/category.rb
 - app/models/railspress/content_element.rb
@@ -210,6 +225,13 @@ files:
 - app/views/layouts/action_text/contents/_content.html.erb
 - app/views/layouts/railspress/admin.html.erb
 - app/views/layouts/railspress/application.html.erb
+- app/views/railspress/admin/agent_bootstrap_keys/_form.html.erb
+- app/views/railspress/admin/agent_bootstrap_keys/new.html.erb
+- app/views/railspress/admin/agent_bootstrap_keys/reveal.html.erb
+- app/views/railspress/admin/api_keys/_form.html.erb
+- app/views/railspress/admin/api_keys/index.html.erb
+- app/views/railspress/admin/api_keys/new.html.erb
+- app/views/railspress/admin/api_keys/reveal.html.erb
 - app/views/railspress/admin/categories/_form.html.erb
 - app/views/railspress/admin/categories/edit.html.erb
 - app/views/railspress/admin/categories/index.html.erb
@@ -244,6 +266,7 @@ files:
 - app/views/railspress/admin/posts/new.html.erb
 - app/views/railspress/admin/posts/show.html.erb
 - app/views/railspress/admin/prototypes/image_section.html.erb
+- app/views/railspress/admin/shared/_copyable_textarea.html.erb
 - app/views/railspress/admin/shared/_dropzone.html.erb
 - app/views/railspress/admin/shared/_flash.html.erb
 - app/views/railspress/admin/shared/_focal_point_editor.html.erb
@@ -275,6 +298,8 @@ files:
 - db/migrate/20260207000001_add_unique_index_to_content_elements.rb
 - db/migrate/20260211112812_add_image_hint_to_railspress_content_elements.rb
 - db/migrate/20260211154040_add_required_to_railspress_content_elements.rb
+- db/migrate/20260415000001_create_railspress_api_keys.rb
+- db/migrate/20260415000002_create_railspress_agent_bootstrap_keys.rb
 - lib/generators/railspress/entity/entity_generator.rb
 - lib/generators/railspress/entity/templates/migration.rb.tt
 - lib/generators/railspress/entity/templates/model.rb.tt