studio-engine 0.4.2 → 0.4.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c2cff93b3aa059d4b0542abe34622157f0d0928f758b4f656878cfab6e4e25a2
-  data.tar.gz: fb784e5e6ace872de9d92d3a035e85caaa2085b6b72e18b1f380459f997221c5
+  metadata.gz: 288a5cb85deb7c2c43a77b24e4d5bc1b958fd5652e2860bbe88a12d43c22f21e
+  data.tar.gz: 1c6ee3b69613649611963e56ba681d066dfeda518bc1010e764ac560e9c308af
 SHA512:
-  metadata.gz: 7862911114e91fde7662c540229703184be955af01116c8ced37160751b8d1b09093ebba1fe410602d03b6f562e261e995884e78041fea02b720fafbfd027bf1
-  data.tar.gz: e7424e7e280e8ba717807d3b690fad5929d150e6c3c298a8ace724a4e1ebdec8fd261f8bf9f40b8abff2f299d223a8954cc3a7abd5a0493f0cc0def677fc7649
+  metadata.gz: c930ecdf8f851eaaff0d14db9661dc434132a877a08deec34745e66817e77292dbc95fd1d661769c566d74180cae623f3cfeb76f94ce7690bf4ca71a1e0fe649
+  data.tar.gz: b3e2862a52d75a9bc7e122865dd1e9222859a17dbbf19f837f50f5e44a90e25bb1a01ec92afe77621a827cbfccda370e6235e8b60ae05ce01855c5f76a8e55ec

data/CHANGELOG.md

@@ -2,6 +2,27 @@
 
 The format is [Keep a Changelog](https://keepachangelog.com/en/1.1.0/). This project follows [Semantic Versioning](https://semver.org/spec/v2.0.0.html) — `MAJOR.MINOR.PATCH`. Both consumer Rails apps pin to a tag in their `Gemfile`; bumping the tag is a release.
 
+## v0.4.4 (2026-05-20)
+
+Sticky-navbar scroll fixes — bounce-free for every consuming app, no migration required.
+
+### Fixed
+- **Navbar scroll-collapse bounce.** A `position: sticky` navbar that shrinks on scroll changes layout above the fold; Chrome/Firefox scroll-anchoring then compensates by moving `scrollY`, which re-crosses the collapse threshold and oscillates. `_head.html.erb` now ships `body { overflow-anchor: none }`, so the navbar resize no longer drags `scrollY`. Every app that renders `layouts/studio/head` gets this automatically.
+- **Navbar unscroll threshold `20 → 5`** in `_navbar.html.erb` — widens the hysteresis dead zone (5/60) so a height change can't push `scrollY` back across the lower bound.
+
+### Added
+- **`--nav-h` CSS variable.** `_head.html.erb` ships a `ResizeObserver` that publishes the page header's live height to `--nav-h` on `:root` — updated on every resize (including the collapse animation) and re-attached after Turbo navigations. Fixed/sticky elements below the navbar can position off `var(--nav-h)` instead of hardcoded px (e.g. `style="top: var(--nav-h)"`). Auto-detects the page `<header>`; no markup changes needed.
+
+## v0.4.3 (2026-05-19)
+
+Tier-3 fix from the turf-monster pre-prod opsec audit (OPSEC-016).
+
+### Fixed (security)
+- **`GET /sso_login` no longer mutates the session (OPSEC-016).** The action previously called `authenticate_sso_user!` directly — starting a session on a GET. GETs are not CSRF-covered and are prefetchable (`<img>`, `<link rel=prefetch>`, browser prefetch), so an XSS on any `*.mcritchie.studio` subdomain that wrote `session[:sso_email]` could have a forged `/sso_login` hit silently start a session as that user. `sso_login` now only redirects to the login page; the session mutation happens exclusively through the CSRF-protected `POST /sso_continue` ("Continue as …" button).
+
+### Changed
+- The hub's one-click SSO link to a satellite's `/sso_login` now lands the user on the satellite login page with the "Continue as …" button instead of logging them in directly — one extra click, and the GET endpoint is no longer a session-mutation vector.
+
 ## v0.4.2 (2026-05-19)
 
 Security follow-up to v0.4.1 — closes a cross-app session-fixation surface.

data/app/controllers/sessions_controller.rb

@@ -15,15 +15,20 @@ class SessionsController < ApplicationController
     end
   end
 
-  # GET /sso_login — one-click SSO entry point (linked from hub app nav)
+  # GET /sso_login — one-click SSO entry point (linked from hub app nav).
+  #
+  # OPSEC-016: this previously called authenticate_sso_user! directly, mutating
+  # the session on a GET. GETs are not CSRF-covered and are prefetchable
+  # (browser prefetch, <img>, <link rel=prefetch>), so an XSS on any
+  # *.mcritchie.studio subdomain could write session[:sso_email] and a forged
+  # GET /sso_login would silently start a session as that user. It now only
+  # redirects to the login page — the session mutation happens exclusively via
+  # the CSRF-protected POST /sso_continue ("Continue as …" button rendered
+  # there when sso_user_available?).
   def sso_login
     return redirect_to root_path if logged_in?
-    return redirect_to login_path unless sso_user_available?
 
-    authenticate_sso_user!
-  rescue StandardError => e
-    create_error_log(e)
-    redirect_to login_path, alert: "Could not continue session. Please log in."
+    redirect_to login_path
   end
 
   # POST /sso_continue — form-based SSO from login page button

data/app/views/layouts/_navbar.html.erb

@@ -18,7 +18,7 @@
   logo_path = Studio.logo_for("Navbar Logo")
 %>
 
-<header x-data="{ scrolled: false }" <%= '@scroll.window="scrolled = scrolled ? (window.scrollY > 20) : (window.scrollY > 60)"'.html_safe unless is_preview %>
+<header x-data="{ scrolled: false }" <%= '@scroll.window="scrolled = scrolled ? (window.scrollY > 5) : (window.scrollY > 60)"'.html_safe unless is_preview %>
         class="<%= is_preview ? 'bg-page' : 'sticky top-0 z-50 bg-page transition-shadow duration-300' %>"
         :class="scrolled && 'shadow-lg border-b border-subtle is-scrolled'">
   <style>

data/app/views/layouts/studio/_head.html.erb

@@ -73,6 +73,38 @@
   });
 </script>
 
+<style>
+  /* studio-engine: a sticky navbar that shrinks on scroll changes layout
+     above the fold — Chrome/Firefox scroll-anchoring then compensates by
+     moving scrollY, which re-crosses the collapse threshold and bounces.
+     Disabling anchoring document-wide stops scrollY being dragged by the
+     navbar resize. */
+  body { overflow-anchor: none; }
+</style>
+<script>
+  // studio-engine: publish the sticky header's live height as the --nav-h
+  // CSS variable so fixed/sticky elements below the navbar can position off
+  // it (e.g. top: var(--nav-h)) without hardcoded px. Tracks every resize,
+  // including scroll-collapse animations, and re-attaches after Turbo nav.
+  (function () {
+    if (!window.ResizeObserver) return;
+    var ro = null;
+    function publish(header) {
+      document.documentElement.style.setProperty('--nav-h', header.offsetHeight + 'px');
+    }
+    function attach() {
+      var header = document.querySelector('header');
+      if (!header) return;
+      if (ro) ro.disconnect();
+      ro = new ResizeObserver(function () { publish(header); });
+      ro.observe(header);
+      publish(header);
+    }
+    document.addEventListener('DOMContentLoaded', attach);
+    document.addEventListener('turbo:load', attach);
+  })();
+</script>
+
 <%= stylesheet_link_tag "tailwind", "data-turbo-track": "reload" %>
 <%= stylesheet_link_tag "application", "data-turbo-track": "reload" %>
 <%= javascript_importmap_tags %>

data/lib/studio/version.rb

@@ -1,3 +1,3 @@
 module Studio
-  VERSION = "0.4.2"
+  VERSION = "0.4.4"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: studio-engine
 version: !ruby/object:Gem::Version
-  version: 0.4.2
+  version: 0.4.4
 platform: ruby
 authors:
 - Alex McRitchie
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2026-05-19 00:00:00.000000000 Z
+date: 2026-05-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails