ruby_llm-agents 0.4.0 → 0.5.0

data/app/models/ruby_llm/agents/api_configuration.rb

@@ -0,0 +1,386 @@
+# frozen_string_literal: true
+
+module RubyLLM
+  module Agents
+    # Database-backed API configuration for LLM providers
+    #
+    # Stores API keys (encrypted at rest) and configuration options that can be
+    # managed via the dashboard UI. Supports both global settings and per-tenant
+    # overrides.
+    #
+    # Resolution priority: per-tenant DB > global DB > config file (RubyLLM.configure)
+    #
+    # @!attribute [rw] scope_type
+    #   @return [String] Either 'global' or 'tenant'
+    # @!attribute [rw] scope_id
+    #   @return [String, nil] Tenant ID when scope_type='tenant'
+    #
+    # @example Setting global API keys
+    #   config = ApiConfiguration.global
+    #   config.update!(
+    #     openai_api_key: "sk-...",
+    #     anthropic_api_key: "sk-ant-..."
+    #   )
+    #
+    # @example Setting tenant-specific configuration
+    #   tenant_config = ApiConfiguration.for_tenant!("acme_corp")
+    #   tenant_config.update!(
+    #     anthropic_api_key: "sk-ant-tenant-specific...",
+    #     default_model: "claude-sonnet-4-20250514"
+    #   )
+    #
+    # @example Resolving configuration for a tenant
+    #   resolved = ApiConfiguration.resolve(tenant_id: "acme_corp")
+    #   resolved.apply_to_ruby_llm!  # Apply to RubyLLM.configuration
+    #
+    # @see ResolvedConfig
+    # @api public
+    class ApiConfiguration < ::ActiveRecord::Base
+      self.table_name = "ruby_llm_agents_api_configurations"
+
+      # Valid scope types
+      SCOPE_TYPES = %w[global tenant].freeze
+
+      # All API key attributes that should be encrypted
+      API_KEY_ATTRIBUTES = %i[
+        openai_api_key
+        anthropic_api_key
+        gemini_api_key
+        deepseek_api_key
+        mistral_api_key
+        perplexity_api_key
+        openrouter_api_key
+        gpustack_api_key
+        xai_api_key
+        ollama_api_key
+        bedrock_api_key
+        bedrock_secret_key
+        bedrock_session_token
+        vertexai_credentials
+      ].freeze
+
+      # All endpoint attributes
+      ENDPOINT_ATTRIBUTES = %i[
+        openai_api_base
+        gemini_api_base
+        ollama_api_base
+        gpustack_api_base
+        xai_api_base
+      ].freeze
+
+      # All default model attributes
+      MODEL_ATTRIBUTES = %i[
+        default_model
+        default_embedding_model
+        default_image_model
+        default_moderation_model
+      ].freeze
+
+      # Connection settings attributes
+      CONNECTION_ATTRIBUTES = %i[
+        request_timeout
+        max_retries
+        retry_interval
+        retry_backoff_factor
+        retry_interval_randomness
+        http_proxy
+      ].freeze
+
+      # All configurable attributes (excluding API keys)
+      NON_KEY_ATTRIBUTES = (
+        ENDPOINT_ATTRIBUTES +
+        MODEL_ATTRIBUTES +
+        CONNECTION_ATTRIBUTES +
+        %i[
+          openai_organization_id
+          openai_project_id
+          bedrock_region
+          vertexai_project_id
+          vertexai_location
+        ]
+      ).freeze
+
+      # Encrypt all API keys using Rails encrypted attributes
+      # Requires Rails encryption to be configured (rails credentials:edit)
+      API_KEY_ATTRIBUTES.each do |key_attr|
+        encrypts key_attr, deterministic: false
+      end
+
+      # Validations
+      validates :scope_type, presence: true, inclusion: { in: SCOPE_TYPES }
+      validates :scope_id, uniqueness: { scope: :scope_type }, allow_nil: true
+      validate :validate_scope_consistency
+
+      # Scopes
+      scope :global_config, -> { where(scope_type: "global", scope_id: nil) }
+      scope :for_scope, ->(type, id) { where(scope_type: type, scope_id: id) }
+      scope :tenant_configs, -> { where(scope_type: "tenant") }
+
+      # Provider configuration mappings for display
+      PROVIDERS = {
+        openai: {
+          name: "OpenAI",
+          key_attr: :openai_api_key,
+          base_attr: :openai_api_base,
+          extra_attrs: [:openai_organization_id, :openai_project_id],
+          capabilities: ["Chat", "Embeddings", "Images", "Moderation"]
+        },
+        anthropic: {
+          name: "Anthropic",
+          key_attr: :anthropic_api_key,
+          capabilities: ["Chat"]
+        },
+        gemini: {
+          name: "Google Gemini",
+          key_attr: :gemini_api_key,
+          base_attr: :gemini_api_base,
+          capabilities: ["Chat", "Embeddings", "Images"]
+        },
+        deepseek: {
+          name: "DeepSeek",
+          key_attr: :deepseek_api_key,
+          capabilities: ["Chat"]
+        },
+        mistral: {
+          name: "Mistral",
+          key_attr: :mistral_api_key,
+          capabilities: ["Chat", "Embeddings"]
+        },
+        perplexity: {
+          name: "Perplexity",
+          key_attr: :perplexity_api_key,
+          capabilities: ["Chat"]
+        },
+        openrouter: {
+          name: "OpenRouter",
+          key_attr: :openrouter_api_key,
+          capabilities: ["Chat"]
+        },
+        gpustack: {
+          name: "GPUStack",
+          key_attr: :gpustack_api_key,
+          base_attr: :gpustack_api_base,
+          capabilities: ["Chat"]
+        },
+        xai: {
+          name: "xAI",
+          key_attr: :xai_api_key,
+          base_attr: :xai_api_base,
+          capabilities: ["Chat"]
+        },
+        ollama: {
+          name: "Ollama",
+          key_attr: :ollama_api_key,
+          base_attr: :ollama_api_base,
+          capabilities: ["Chat", "Embeddings"]
+        },
+        bedrock: {
+          name: "AWS Bedrock",
+          key_attr: :bedrock_api_key,
+          extra_attrs: [:bedrock_secret_key, :bedrock_session_token, :bedrock_region],
+          capabilities: ["Chat", "Embeddings"]
+        },
+        vertexai: {
+          name: "Google Vertex AI",
+          key_attr: :vertexai_credentials,
+          extra_attrs: [:vertexai_project_id, :vertexai_location],
+          capabilities: ["Chat", "Embeddings"]
+        }
+      }.freeze
+
+      class << self
+        # Finds or creates the global configuration
+        #
+        # @return [ApiConfiguration] The global configuration record
+        def global
+          global_config.first_or_create!
+        end
+
+        # Finds a tenant-specific configuration
+        #
+        # @param tenant_id [String] The tenant identifier
+        # @return [ApiConfiguration, nil] The tenant configuration or nil
+        def for_tenant(tenant_id)
+          return nil if tenant_id.blank?
+
+          for_scope("tenant", tenant_id).first
+        end
+
+        # Finds or creates a tenant-specific configuration
+        #
+        # @param tenant_id [String] The tenant identifier
+        # @return [ApiConfiguration] The tenant configuration record
+        def for_tenant!(tenant_id)
+          raise ArgumentError, "tenant_id cannot be blank" if tenant_id.blank?
+
+          for_scope("tenant", tenant_id).first_or_create!(
+            scope_type: "tenant",
+            scope_id: tenant_id
+          )
+        end
+
+        # Resolves the effective configuration for a given tenant
+        #
+        # Creates a ResolvedConfig that combines tenant config > global DB > RubyLLM config
+        #
+        # @param tenant_id [String, nil] Optional tenant identifier
+        # @return [ResolvedConfig] The resolved configuration
+        def resolve(tenant_id: nil)
+          tenant_config = tenant_id.present? ? for_tenant(tenant_id) : nil
+          global = global_config.first
+
+          RubyLLM::Agents::ResolvedConfig.new(
+            tenant_config: tenant_config,
+            global_config: global,
+            ruby_llm_config: ruby_llm_current_config
+          )
+        end
+
+        # Attempts to get the current RubyLLM configuration object
+        # Gets the current RubyLLM configuration object
+        #
+        # @return [Object, nil] The RubyLLM config object or nil
+        def ruby_llm_current_config
+          return nil unless defined?(::RubyLLM)
+          return nil unless RubyLLM.respond_to?(:config)
+
+          RubyLLM.config
+        rescue StandardError
+          nil
+        end
+
+        # Checks if the table exists (for graceful degradation)
+        #
+        # @return [Boolean]
+        def table_exists?
+          connection.table_exists?(table_name)
+        rescue ActiveRecord::NoDatabaseError, ActiveRecord::StatementInvalid
+          false
+        end
+      end
+
+      # Checks if a specific attribute has a value set
+      #
+      # @param attr_name [Symbol, String] The attribute name
+      # @return [Boolean]
+      def has_value?(attr_name)
+        value = send(attr_name)
+        value.present?
+      rescue NoMethodError
+        false
+      end
+
+      # Returns a masked version of an API key for display
+      #
+      # @param attr_name [Symbol, String] The API key attribute name
+      # @return [String, nil] Masked key like "sk-ab****wxyz" or nil
+      def masked_key(attr_name)
+        value = send(attr_name)
+        return nil if value.blank?
+
+        mask_string(value)
+      end
+
+      # Returns the source of this configuration
+      #
+      # @return [String] "global" or "tenant:ID"
+      def source_label
+        scope_type == "global" ? "Global" : "Tenant: #{scope_id}"
+      end
+
+      # Converts this configuration to a hash suitable for RubyLLM
+      #
+      # @return [Hash] Configuration hash with non-nil values
+      def to_ruby_llm_config
+        {}.tap do |config|
+          # API keys
+          config[:openai_api_key] = openai_api_key if openai_api_key.present?
+          config[:anthropic_api_key] = anthropic_api_key if anthropic_api_key.present?
+          config[:gemini_api_key] = gemini_api_key if gemini_api_key.present?
+          config[:deepseek_api_key] = deepseek_api_key if deepseek_api_key.present?
+          config[:mistral_api_key] = mistral_api_key if mistral_api_key.present?
+          config[:perplexity_api_key] = perplexity_api_key if perplexity_api_key.present?
+          config[:openrouter_api_key] = openrouter_api_key if openrouter_api_key.present?
+          config[:gpustack_api_key] = gpustack_api_key if gpustack_api_key.present?
+          config[:xai_api_key] = xai_api_key if xai_api_key.present?
+          config[:ollama_api_key] = ollama_api_key if ollama_api_key.present?
+
+          # Bedrock
+          config[:bedrock_api_key] = bedrock_api_key if bedrock_api_key.present?
+          config[:bedrock_secret_key] = bedrock_secret_key if bedrock_secret_key.present?
+          config[:bedrock_session_token] = bedrock_session_token if bedrock_session_token.present?
+          config[:bedrock_region] = bedrock_region if bedrock_region.present?
+
+          # Vertex AI
+          config[:vertexai_credentials] = vertexai_credentials if vertexai_credentials.present?
+          config[:vertexai_project_id] = vertexai_project_id if vertexai_project_id.present?
+          config[:vertexai_location] = vertexai_location if vertexai_location.present?
+
+          # Endpoints
+          config[:openai_api_base] = openai_api_base if openai_api_base.present?
+          config[:gemini_api_base] = gemini_api_base if gemini_api_base.present?
+          config[:ollama_api_base] = ollama_api_base if ollama_api_base.present?
+          config[:gpustack_api_base] = gpustack_api_base if gpustack_api_base.present?
+          config[:xai_api_base] = xai_api_base if xai_api_base.present?
+
+          # OpenAI options
+          config[:openai_organization_id] = openai_organization_id if openai_organization_id.present?
+          config[:openai_project_id] = openai_project_id if openai_project_id.present?
+
+          # Default models
+          config[:default_model] = default_model if default_model.present?
+          config[:default_embedding_model] = default_embedding_model if default_embedding_model.present?
+          config[:default_image_model] = default_image_model if default_image_model.present?
+          config[:default_moderation_model] = default_moderation_model if default_moderation_model.present?
+
+          # Connection settings
+          config[:request_timeout] = request_timeout if request_timeout.present?
+          config[:max_retries] = max_retries if max_retries.present?
+          config[:retry_interval] = retry_interval if retry_interval.present?
+          config[:retry_backoff_factor] = retry_backoff_factor if retry_backoff_factor.present?
+          config[:retry_interval_randomness] = retry_interval_randomness if retry_interval_randomness.present?
+          config[:http_proxy] = http_proxy if http_proxy.present?
+        end
+      end
+
+      # Returns provider status information for display
+      #
+      # @return [Array<Hash>] Array of provider status hashes
+      def provider_statuses
+        PROVIDERS.map do |key, info|
+          key_value = send(info[:key_attr])
+          {
+            key: key,
+            name: info[:name],
+            configured: key_value.present?,
+            masked_key: key_value.present? ? mask_string(key_value) : nil,
+            capabilities: info[:capabilities],
+            has_base_url: info[:base_attr].present? && send(info[:base_attr]).present?
+          }
+        end
+      end
+
+      private
+
+      # Validates scope consistency
+      def validate_scope_consistency
+        if scope_type == "global" && scope_id.present?
+          errors.add(:scope_id, "must be nil for global scope")
+        elsif scope_type == "tenant" && scope_id.blank?
+          errors.add(:scope_id, "must be present for tenant scope")
+        end
+      end
+
+      # Masks a string for display (shows first 2 and last 4 chars)
+      #
+      # @param value [String] The string to mask
+      # @return [String] Masked string
+      def mask_string(value)
+        return nil if value.blank?
+        return "****" if value.length <= 8
+
+        "#{value[0..1]}****#{value[-4..]}"
+      end
+    end
+  end
+end

data/app/models/ruby_llm/agents/tenant_budget.rb

@@ -6,34 +6,45 @@ module RubyLLM
     #
     # Stores per-tenant budget limits that override the global configuration.
     # Supports runtime updates without application restarts.
+    # Supports both cost-based (USD) and token-based limits.
     #
     # @!attribute [rw] tenant_id
     #   @return [String] Unique identifier for the tenant
+    # @!attribute [rw] name
+    #   @return [String, nil] Human-readable name for the tenant
     # @!attribute [rw] daily_limit
     #   @return [BigDecimal, nil] Daily budget limit in USD
     # @!attribute [rw] monthly_limit
     #   @return [BigDecimal, nil] Monthly budget limit in USD
+    # @!attribute [rw] daily_token_limit
+    #   @return [Integer, nil] Daily token limit (across all models)
+    # @!attribute [rw] monthly_token_limit
+    #   @return [Integer, nil] Monthly token limit (across all models)
     # @!attribute [rw] per_agent_daily
-    #   @return [Hash] Per-agent daily limits: { "AgentName" => limit }
+    #   @return [Hash] Per-agent daily cost limits: { "AgentName" => limit }
     # @!attribute [rw] per_agent_monthly
-    #   @return [Hash] Per-agent monthly limits: { "AgentName" => limit }
+    #   @return [Hash] Per-agent monthly cost limits: { "AgentName" => limit }
     # @!attribute [rw] enforcement
     #   @return [String] Enforcement mode: "none", "soft", or "hard"
     # @!attribute [rw] inherit_global_defaults
     #   @return [Boolean] Whether to fall back to global config for unset limits
     #
-    # @example Creating a tenant budget
+    # @example Creating a tenant budget with cost and token limits
     #   TenantBudget.create!(
     #     tenant_id: "acme_corp",
-    #     daily_limit: 50.0,
-    #     monthly_limit: 500.0,
+    #     name: "Acme Corporation",
+    #     daily_limit: 50.0,           # USD
+    #     monthly_limit: 500.0,        # USD
+    #     daily_token_limit: 1_000_000,
+    #     monthly_token_limit: 10_000_000,
     #     per_agent_daily: { "ContentAgent" => 10.0 },
     #     enforcement: "hard"
     #   )
     #
     # @example Fetching budget for a tenant
     #   budget = TenantBudget.for_tenant("acme_corp")
-    #   budget.effective_daily_limit  # => 50.0
+    #   budget.effective_daily_limit        # => 50.0 (cost)
+    #   budget.effective_daily_token_limit  # => 1_000_000 (tokens)
     #
     # @see RubyLLM::Agents::BudgetTracker
     # @api public
@@ -48,6 +59,8 @@ module RubyLLM
       validates :enforcement, inclusion: { in: ENFORCEMENT_MODES }, allow_nil: true
       validates :daily_limit, :monthly_limit,
                 numericality: { greater_than_or_equal_to: 0 }, allow_nil: true
+      validates :daily_token_limit, :monthly_token_limit,
+                numericality: { greater_than_or_equal_to: 0, only_integer: true }, allow_nil: true
 
       # Finds a budget for the given tenant
       #
@@ -59,6 +72,24 @@ module RubyLLM
         find_by(tenant_id: tenant_id)
       end
 
+      # Finds or creates a budget for the given tenant
+      #
+      # @param tenant_id [String] The tenant identifier
+      # @param name [String, nil] Optional human-readable name
+      # @return [TenantBudget] The budget record
+      def self.for_tenant!(tenant_id, name: nil)
+        find_or_create_by!(tenant_id: tenant_id) do |budget|
+          budget.name = name
+        end
+      end
+
+      # Returns the display name (name or tenant_id fallback)
+      #
+      # @return [String] The name to display
+      def display_name
+        name.presence || tenant_id
+      end
+
       # Returns the effective daily limit, considering inheritance
       #
       # @return [Float, nil] The daily limit or nil if not set
@@ -103,6 +134,26 @@ module RubyLLM
         global_config&.dig(:per_agent_monthly, agent_type)
       end
 
+      # Returns the effective daily token limit, considering inheritance
+      #
+      # @return [Integer, nil] The daily token limit or nil if not set
+      def effective_daily_token_limit
+        return daily_token_limit if daily_token_limit.present?
+        return nil unless inherit_global_defaults
+
+        global_config&.dig(:global_daily_tokens)
+      end
+
+      # Returns the effective monthly token limit, considering inheritance
+      #
+      # @return [Integer, nil] The monthly token limit or nil if not set
+      def effective_monthly_token_limit
+        return monthly_token_limit if monthly_token_limit.present?
+        return nil unless inherit_global_defaults
+
+        global_config&.dig(:global_monthly_tokens)
+      end
+
       # Returns the effective enforcement mode
       #
       # @return [Symbol] :none, :soft, or :hard
@@ -127,10 +178,14 @@ module RubyLLM
         {
           enabled: budgets_enabled?,
           enforcement: effective_enforcement,
+          # Cost limits
           global_daily: effective_daily_limit,
           global_monthly: effective_monthly_limit,
           per_agent_daily: merged_per_agent_daily,
-          per_agent_monthly: merged_per_agent_monthly
+          per_agent_monthly: merged_per_agent_monthly,
+          # Token limits (global only)
+          global_daily_tokens: effective_daily_token_limit,
+          global_monthly_tokens: effective_monthly_token_limit
         }
       end
 

data/app/views/layouts/ruby_llm/agents/application.html.erb

@@ -230,7 +230,9 @@
                 { path: ruby_llm_agents.root_path, label: "Dashboard", icon: '<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M3 12l2-2m0 0l7-7 7 7M5 10v10a1 1 0 001 1h3m10-11l2 2m-2-2v10a1 1 0 01-1 1h-3m-6 0a1 1 0 001-1v-4a1 1 0 011-1h2a1 1 0 011 1v4a1 1 0 001 1m-6 0h6" />' },
                 { path: ruby_llm_agents.agents_path, label: "Agents", icon: '<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M9.75 17L9 20l-1 1h8l-1-1-.75-3M3 13h18M5 17h14a2 2 0 002-2V5a2 2 0 00-2-2H5a2 2 0 00-2 2v10a2 2 0 002 2z" />' },
                 { path: ruby_llm_agents.executions_path, label: "Executions", icon: '<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-3 7h3m-3 4h3m-6-4h.01M9 16h.01" />' },
-                { path: ruby_llm_agents.settings_path, label: "Settings", icon: '<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M10.325 4.317c.426-1.756 2.924-1.756 3.35 0a1.724 1.724 0 002.573 1.066c1.543-.94 3.31.826 2.37 2.37a1.724 1.724 0 001.065 2.572c1.756.426 1.756 2.924 0 3.35a1.724 1.724 0 00-1.066 2.573c.94 1.543-.826 3.31-2.37 2.37a1.724 1.724 0 00-2.572 1.065c-.426 1.756-2.924 1.756-3.35 0a1.724 1.724 0 00-2.573-1.066c-1.543.94-3.31-.826-2.37-2.37a1.724 1.724 0 00-1.065-2.572c-1.756-.426-1.756-2.924 0-3.35a1.724 1.724 0 001.066-2.573c-.94-1.543.826-3.31 2.37-2.37.996.608 2.296.07 2.572-1.065z" /><path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M15 12a3 3 0 11-6 0 3 3 0 016 0z" />' }
+                { path: ruby_llm_agents.tenants_path, label: "Tenants", icon: '<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M19 21V5a2 2 0 00-2-2H7a2 2 0 00-2 2v16m14 0h2m-2 0h-5m-9 0H3m2 0h5M9 7h1m-1 4h1m4-4h1m-1 4h1m-5 10v-5a1 1 0 011-1h2a1 1 0 011 1v5m-4 0h4" />' },
+                { path: ruby_llm_agents.system_config_path, label: "System Config", icon: '<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M10.325 4.317c.426-1.756 2.924-1.756 3.35 0a1.724 1.724 0 002.573 1.066c1.543-.94 3.31.826 2.37 2.37a1.724 1.724 0 001.065 2.572c1.756.426 1.756 2.924 0 3.35a1.724 1.724 0 00-1.066 2.573c.94 1.543-.826 3.31-2.37 2.37a1.724 1.724 0 00-2.572 1.065c-.426 1.756-2.924 1.756-3.35 0a1.724 1.724 0 00-2.573-1.066c-1.543.94-3.31-.826-2.37-2.37a1.724 1.724 0 00-1.065-2.572c-1.756-.426-1.756-2.924 0-3.35a1.724 1.724 0 001.066-2.573c-.94-1.543.826-3.31 2.37-2.37.996.608 2.296.07 2.572-1.065z" /><path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M15 12a3 3 0 11-6 0 3 3 0 016 0z" />' },
+                { path: ruby_llm_agents.api_configuration_path, label: "API Keys", icon: '<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M15 7a2 2 0 012 2m4 0a6 6 0 01-7.743 5.743L11 17H9v2H7v2H4a1 1 0 01-1-1v-2.586a1 1 0 01.293-.707l5.964-5.964A6 6 0 1121 9z" />' }
               ]
             %>
             <nav class="hidden md:flex items-center space-x-1">

data/app/views/ruby_llm/agents/api_configurations/_api_key_field.html.erb

@@ -0,0 +1,34 @@
+<% # Partial for API key input field %>
+<% # Local variables: f (form builder), config (ApiConfiguration), resolved (ResolvedConfig, optional), attr (symbol), label (string), placeholder (string, optional), hint (string, optional) %>
+<% resolved = local_assigns[:resolved] %>
+<% config_value = resolved&.ruby_llm_value_for(attr) %>
+<% db_value = config.send(attr) %>
+
+<div>
+  <%= f.label attr, label, class: "block text-sm font-medium text-gray-700 dark:text-gray-300" %>
+  <div class="mt-1 relative rounded-md shadow-sm">
+    <%= f.password_field attr,
+        class: "block w-full px-3 py-2 rounded-md border-gray-300 dark:border-gray-600 dark:bg-gray-700 dark:text-gray-100 shadow-sm focus:border-indigo-500 focus:ring-indigo-500 sm:text-sm pr-10",
+        placeholder: config.has_value?(attr) ? "[Key set - leave blank to keep]" : (local_assigns[:placeholder] || "Enter API key..."),
+        autocomplete: "off",
+        value: db_value,
+        data: { key_field: attr, config_value: config_value, db_value: db_value } %>
+    <% if config.has_value?(attr) %>
+      <div class="absolute inset-y-0 right-0 pr-3 flex items-center pointer-events-none">
+        <svg class="h-5 w-5 text-green-500" fill="currentColor" viewBox="0 0 20 20">
+          <path fill-rule="evenodd" d="M10 18a8 8 0 100-16 8 8 0 000 16zm3.707-9.293a1 1 0 00-1.414-1.414L9 10.586 7.707 9.293a1 1 0 00-1.414 1.414l2 2a1 1 0 001.414 0l4-4z" clip-rule="evenodd"/>
+        </svg>
+      </div>
+    <% end %>
+  </div>
+  <% if local_assigns[:hint] %>
+    <p class="mt-1 text-xs text-gray-500 dark:text-gray-400"><%= hint %></p>
+  <% end %>
+  <% if config_value.present? %>
+    <p class="mt-1 text-xs text-gray-500 dark:text-gray-400 config-value-hint"
+       data-full-value="<%= config_value %>"
+       data-masked-value="<%= resolved.mask_string(config_value) %>">
+      From config: <code class="bg-gray-100 dark:bg-gray-700 px-1 rounded config-value-display"><%= resolved.mask_string(config_value) %></code>
+    </p>
+  <% end %>
+</div>