studio-engine 0.5.3 → 0.5.5

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a8a6751151b77737dbf25bd04a59d9ad3f801ec8f66c214dc5a97ef5f006b1f6
-  data.tar.gz: f0283ba8e4e38b8e2375b563b6f93917c3ffbc3a0880353c62ec2c5f9441b6f4
+  metadata.gz: 5ceb657a1e35df5801b4bf45a82d916d236d5497bd876b9b245997474411c310
+  data.tar.gz: 6d68e9c3fb7a338b22adf45dd00435d21e16ddfce4321c5e28eabd9108a93ba1
 SHA512:
-  metadata.gz: a911d76518bba342d65e2e5cb1d32c80f28a484057deb8ea630a2aae34867a530b51f0814abedee21267ff66a03df2c71e4c5610b24248e8cb5174b289f92da5
-  data.tar.gz: '09a3b96acf18c3cd876463445eb02f704b25292f048006be18c44aeaffe2e9e152d1f42977bad66cde5834c87a0eda05489ebbf1b53cdb8c7ab6ca1f5a1d3d7b'
+  metadata.gz: d2ffbe056170f338dca804feeaf5594aa470d0f26488514ba798403108d6091e3072fa58b92a2fb8908c14d14d26cff7620fdbfcb8cd04a4f984316d90ec05b2
+  data.tar.gz: 550d7dd3d351624c058d0a4db421be26c18dc0b357af54c3e9c575164bd78b908798e7e66fe87cd64b3dde648372337938ca4f7b31c52f8438676f58ba5c8d90

data/CHANGELOG.md

@@ -6,6 +6,18 @@ The format is [Keep a Changelog](https://keepachangelog.com/en/1.1.0/). This pro
 
 No entries yet.
 
+## v0.5.5 (2026-06-14)
+
+### Added
+- **Local email inbox** at `/_studio/local_emails` for non-production localhost requests. It lists recent outbox rows and exposes local proof links for magic-link, email-verification, wallet-export, and email-change emails.
+- **`Studio.local_email_capture?`** — shared capture switch for local/worktree stacks. `LOCAL_EMAIL_CAPTURE=1` or `AGENT_WORKTREE=1` records delivery rows without enqueueing external sends.
+
+## v0.5.4 (2026-06-14)
+
+### Changed
+- Engine magic links are now scanner-safe: emailed links land on an inert GET confirmation page, and the token is consumed only by the CSRF-protected POST from that page.
+- Added the shared `magic_link_consume_path` route helper for consumer apps using engine-drawn auth routes.
+
 ## v0.5.3 (2026-06-14)
 
 ### Added

data/README.md

@@ -11,7 +11,7 @@ Shared Rails engine for McRitchie apps. Provides authentication, error handling,
 gem "studio-engine", "~> 0.5"
 ```
 
-Then `bundle install`. The current release is **v0.5.2**; see [`CHANGELOG.md`](./CHANGELOG.md) for the history.
+Then `bundle install`. The current release is **v0.5.5**; see [`CHANGELOG.md`](./CHANGELOG.md) for the history.
 
 > Published to RubyGems as of v0.4.0 (2026-05-17). New installs should use the RubyGems form, which the consumer Rails apps (`mcritchie-studio`, `turf-monster`) already use.
 
@@ -62,7 +62,9 @@ Rails.application.routes.draw do
 end
 ```
 
-This draws the enabled auth routes (`/login`, `/signup`, `/logout`, magic-link routes, Solana routes), OAuth callbacks, optional SSO routes, `/error_logs`, and `/admin/theme`.
+This draws the enabled auth routes (`/login`, `/signup`, `/logout`, magic-link request/confirm/consume routes, Solana routes), OAuth callbacks, optional SSO routes, `/error_logs`, and `/admin/theme`. Magic-link emails point at the inert GET confirmation route; the single-use token is consumed only by the CSRF-protected POST to `magic_link_consume_path`.
+
+In non-production local requests, this also draws `/_studio/local_emails`, a local email inbox for agent/worktree proof flows. Set `LOCAL_EMAIL_CAPTURE=1` or run with `AGENT_WORKTREE=1` to record outbox rows without sending real email.
 
 ## Overriding Views
 

data/app/controllers/magic_links_controller.rb

@@ -1,7 +1,8 @@
 # Unified create-or-login email magic link (the passwordless email path).
 #
 #   POST /magic_link        — request a link (email [, return_to])
-#   GET  /magic_link/:token — consume it: log in OR create the account
+#   GET  /magic_link/:token — "Confirm sign-in" interstitial (does NOT consume)
+#   POST /magic_link/:token — consume it: log in OR create the account
 #
 # create-or-login: clicking the link IS proof of email ownership, so an email
 # that collides with a Google/wallet-only account that was never email-verified
@@ -14,6 +15,7 @@
 # sign_in_existing / sign_up_new building blocks.
 class MagicLinksController < ApplicationController
   skip_before_action :require_authentication
+  layout false, only: :confirm
 
   # Respond uniformly for any well-formed email. Under create-or-login every
   # address is "valid" (it logs in or signs up), so there is nothing to
@@ -30,13 +32,22 @@ class MagicLinksController < ApplicationController
     end
   end
 
+  # GET /magic_link/:token is deliberately inert. Email link scanners and link
+  # preview clients frequently prefetch emailed URLs with GET/HEAD; if GET burned
+  # the token, the human's first real click could already be invalid. The page
+  # renders a CSRF-protected form that a browser auto-POSTs to #consume.
+  def confirm
+    # strict-origin strips the token-bearing path from subresource Referer
+    # headers while preserving a usable Origin header for Rails' CSRF origin
+    # check on the consume POST.
+    response.set_header("Referrer-Policy", "strict-origin")
+    @token = params[:token]
+  end
+
+  # POST /magic_link/:token is the authoritative consume. This is the only place
+  # the single-use token is burned.
   def consume
-    # Keep the token out of Referer headers on the consume page's subresource
-    # loads. Single-use + short TTL is the primary defence; this closes the
-    # passive-leak gap. NOTE: aggressive email link-scanners (Outlook SafeLinks,
-    # Mimecast) may pre-fetch the link and burn the single-use token before the
-    # human clicks — a known magic-link tradeoff; documented for support.
-    response.set_header("Referrer-Policy", "no-referrer")
+    response.set_header("Referrer-Policy", "strict-origin")
     result = MagicLink.consume(params[:token])
     user = User.find_by(email: result.email)
     user ? sign_in_existing(user, result) : sign_up_new(result)

data/app/controllers/studio/local_emails_controller.rb

@@ -0,0 +1,108 @@
+module Studio
+  class LocalEmailsController < ApplicationController
+    skip_before_action :require_authentication, raise: false
+    layout false
+
+    before_action :require_local_development!
+
+    def index
+      @deliveries = delivery_records.map { |record| serialize_delivery(record) }
+
+      respond_to do |format|
+        format.html
+        format.json do
+          render json: {
+            capture_enabled: Studio.local_email_capture?,
+            inbox_url: request.original_url.sub(/\.json\z/, ""),
+            deliveries: @deliveries
+          }
+        end
+      end
+    end
+
+    private
+
+    def require_local_development!
+      head :not_found if Rails.env.production? || !request.local?
+    end
+
+    def delivery_records
+      klass = delivery_class
+      return [] unless klass
+
+      klass.recent.limit(50)
+    end
+
+    def delivery_class
+      if Object.const_defined?(:EmailDelivery, false)
+        return Object.const_get(:EmailDelivery, false)
+      end
+
+      if Studio.const_defined?(:EmailDelivery, false) && Studio::EmailDelivery.respond_to?(:available?) && Studio::EmailDelivery.available?
+        return Studio::EmailDelivery
+      end
+
+      nil
+    end
+
+    def serialize_delivery(record)
+      args = deserialize_args(record.args)
+      kwargs = deserialize_kwargs(record.kwargs)
+      {
+        id: record.id,
+        email_key: record.email_key,
+        mailer: record.mailer,
+        action: record.action,
+        to: record.to,
+        sent: record.sent?,
+        sent_at: record.sent_at,
+        error: record.error,
+        created_at: record.created_at,
+        action_url: local_action_url(record, args),
+        args_preview: args.map { |arg| preview_value(arg) },
+        kwargs_preview: kwargs.transform_values { |value| preview_value(value) }
+      }
+    end
+
+    def deserialize_args(value)
+      ActiveJob::Arguments.deserialize(value || [])
+    rescue StandardError
+      []
+    end
+
+    def deserialize_kwargs(value)
+      deserialized = ActiveJob::Arguments.deserialize([value || {}]).first
+      deserialized.respond_to?(:symbolize_keys) ? deserialized.symbolize_keys : {}
+    rescue StandardError
+      {}
+    end
+
+    def local_action_url(record, args)
+      token = args[1].to_s
+      return if token.empty?
+
+      path =
+        case record.email_key
+        when /#magic_link\z/
+          "/magic_link/#{ERB::Util.url_encode(token)}"
+        when /#email_verification\z/
+          "/email_verification/#{ERB::Util.url_encode(token)}"
+        when /#wallet_export\z/
+          "/account/wallet/export/#{ERB::Util.url_encode(token)}"
+        when /#email_change_confirmation\z/
+          "/account/email/confirm/#{ERB::Util.url_encode(token)}"
+        end
+
+      "#{request.base_url}#{path}" if path
+    end
+
+    def preview_value(value)
+      case value
+      when String, Numeric, TrueClass, FalseClass, NilClass
+        value
+      else
+        value.respond_to?(:to_global_id) ? value.to_global_id.to_s : value.to_s
+      end
+    end
+  end
+end

data/app/models/studio/email_delivery.rb

@@ -23,12 +23,13 @@ module Studio
         args: ActiveJob::Arguments.serialize(args),
         kwargs: ActiveJob::Arguments.serialize([kwargs]).first
       )
-      Studio::EmailDeliveryJob.perform_later(record.id)
+      Studio::EmailDeliveryJob.perform_later(record.id) unless Studio.local_email_capture?
       record
     end
 
     def deliver_now!
       return if sent?
+      return update!(error: "local email capture enabled; not sent") if Studio.local_email_capture?
 
       pos = ActiveJob::Arguments.deserialize(args)
       kw = ActiveJob::Arguments.deserialize([kwargs]).first.symbolize_keys

data/app/views/magic_links/confirm.html.erb

@@ -0,0 +1,96 @@
+<!DOCTYPE html>
+<html lang="en">
+  <head>
+    <meta charset="utf-8">
+    <meta name="viewport" content="width=device-width,initial-scale=1">
+    <%= csrf_meta_tags %>
+    <title>Signing you in - <%= Studio.app_name %></title>
+    <style>
+      @keyframes magic-spin { to { transform: rotate(360deg); } }
+
+      * { box-sizing: border-box; }
+
+      body {
+        margin: 0;
+        min-height: 100vh;
+        display: grid;
+        place-items: center;
+        color: #f8fafc;
+        background: <%= Studio.theme_dark %>;
+        font-family: ui-sans-serif, system-ui, -apple-system, BlinkMacSystemFont, "Segoe UI", sans-serif;
+      }
+
+      main { width: min(100% - 32px, 420px); text-align: center; }
+
+      .magic-spinner {
+        width: 88px;
+        height: 88px;
+        margin: 0 auto;
+        border-radius: 9999px;
+        border: 8px solid rgba(255, 255, 255, 0.14);
+        border-top-color: <%= Studio.theme_success %>;
+        animation: magic-spin 0.8s linear infinite;
+      }
+
+      .magic-fallback {
+        display: none;
+        margin-top: 2rem;
+        color: rgba(248, 250, 252, 0.8);
+      }
+
+      .magic-fallback p { margin: 0 0 1rem; font-size: 15px; }
+
+      .magic-submit {
+        display: inline-block;
+        max-width: 100%;
+        padding: 14px 34px;
+        border: 0;
+        border-radius: 8px;
+        color: #ffffff;
+        background: <%= Studio.theme_success %>;
+        font: inherit;
+        font-size: 16px;
+        font-weight: 700;
+        cursor: pointer;
+      }
+    </style>
+  </head>
+  <body>
+    <main>
+      <div class="magic-spinner" role="status" aria-label="Signing you in"></div>
+
+      <div id="magic-fallback" class="magic-fallback">
+        <p>Taking longer than expected?</p>
+        <%= button_to magic_link_consume_path(token: @token),
+              method: :post,
+              form: { id: "magic-consume-form", data: { turbo: "false" } },
+              class: "magic-submit" do %>
+          Sign in to <%= Studio.app_name %>
+        <% end %>
+      </div>
+    </main>
+
+    <noscript>
+      <style>
+        #magic-fallback { display: block !important; }
+        .magic-spinner { display: none; }
+      </style>
+    </noscript>
+
+    <script>
+      (function () {
+        var form = document.getElementById("magic-consume-form");
+        if (form && !form.dataset.autoSubmitted) {
+          form.dataset.autoSubmitted = "1";
+          if (typeof form.requestSubmit === "function") form.requestSubmit();
+          else form.submit();
+        }
+
+        setTimeout(function () {
+          var fallback = document.getElementById("magic-fallback");
+          if (fallback) fallback.style.display = "block";
+        }, 4000);
+      })();
+    </script>
+  </body>
+</html>

data/app/views/studio/local_emails/index.html.erb

@@ -0,0 +1,100 @@
+<!DOCTYPE html>
+<html lang="en">
+  <head>
+    <meta charset="utf-8">
+    <meta name="viewport" content="width=device-width,initial-scale=1">
+    <title>Local Emails - <%= Studio.app_name %></title>
+    <style>
+      * { box-sizing: border-box; }
+      body {
+        margin: 0;
+        background: #10101f;
+        color: #f8fafc;
+        font-family: ui-sans-serif, system-ui, -apple-system, BlinkMacSystemFont, "Segoe UI", sans-serif;
+      }
+      main { width: min(1180px, calc(100% - 32px)); margin: 32px auto; }
+      header { display: flex; align-items: flex-start; justify-content: space-between; gap: 24px; margin-bottom: 24px; }
+      h1 { margin: 0 0 8px; font-size: 28px; line-height: 1.2; }
+      p { margin: 0; color: #b6bdd3; }
+      .pill { display: inline-flex; align-items: center; border: 1px solid #3b3b62; border-radius: 999px; padding: 6px 12px; color: #d8dcf0; background: #18182b; font-size: 13px; white-space: nowrap; }
+      .notice { margin-bottom: 18px; border: 1px solid #3b3b62; border-radius: 8px; background: #18182b; padding: 14px 16px; color: #cbd2e8; }
+      table { width: 100%; border-collapse: collapse; overflow: hidden; border-radius: 8px; background: #18182b; }
+      th, td { padding: 12px 14px; border-bottom: 1px solid #2f2f4d; text-align: left; vertical-align: top; }
+      th { color: #9fa7c3; font-size: 12px; text-transform: uppercase; }
+      td { color: #eef2ff; font-size: 14px; }
+      tr:last-child td { border-bottom: 0; }
+      code { color: #c4b5fd; word-break: break-word; }
+      .muted { color: #9fa7c3; }
+      .error { color: #fda4af; }
+      .button { display: inline-flex; align-items: center; justify-content: center; border-radius: 8px; padding: 8px 12px; background: #4baf50; color: #fff; font-weight: 700; text-decoration: none; white-space: nowrap; }
+      .empty { border: 1px solid #3b3b62; border-radius: 8px; background: #18182b; padding: 24px; color: #cbd2e8; }
+      @media (max-width: 760px) {
+        header { display: block; }
+        .pill { margin-top: 14px; }
+        table, thead, tbody, tr, th, td { display: block; }
+        thead { display: none; }
+        tr { border-bottom: 1px solid #2f2f4d; padding: 10px 0; }
+        td { border-bottom: 0; padding: 8px 14px; }
+        td::before { content: attr(data-label); display: block; color: #9fa7c3; font-size: 12px; text-transform: uppercase; margin-bottom: 4px; }
+      }
+    </style>
+  </head>
+  <body>
+    <main>
+      <header>
+        <div>
+          <h1>Local Emails</h1>
+          <p>Recent outbox rows for this local <%= Studio.app_name %> stack.</p>
+        </div>
+        <span class="pill">Capture <%= Studio.local_email_capture? ? "enabled" : "disabled" %></span>
+      </header>
+
+      <% if Studio.local_email_capture? %>
+        <div class="notice">This stack records email intents and does not send them to external providers.</div>
+      <% else %>
+        <div class="notice">Capture is disabled. This page still shows recent delivery rows, but this stack may send real email when workers run.</div>
+      <% end %>
+
+      <% if @deliveries.empty? %>
+        <div class="empty">No email deliveries have been recorded yet.</div>
+      <% else %>
+        <table>
+          <thead>
+            <tr>
+              <th>When</th>
+              <th>Message</th>
+              <th>To</th>
+              <th>Status</th>
+              <th>Proof URL</th>
+            </tr>
+          </thead>
+          <tbody>
+            <% @deliveries.each do |delivery| %>
+              <tr>
+                <td data-label="When"><%= delivery[:created_at]&.strftime("%Y-%m-%d %H:%M:%S") %></td>
+                <td data-label="Message"><code><%= delivery[:email_key] %></code></td>
+                <td data-label="To"><%= delivery[:to] %></td>
+                <td data-label="Status">
+                  <% if delivery[:sent] %>
+                    Sent
+                  <% elsif delivery[:error].present? %>
+                    <span class="error"><%= delivery[:error] %></span>
+                  <% else %>
+                    <span class="muted">Captured</span>
+                  <% end %>
+                </td>
+                <td data-label="Proof URL">
+                  <% if delivery[:action_url].present? %>
+                    <a class="button" href="<%= delivery[:action_url] %>">Open link</a>
+                  <% else %>
+                    <span class="muted">No local action URL</span>
+                  <% end %>
+                </td>
+              </tr>
+            <% end %>
+          </tbody>
+        </table>
+      <% end %>
+    </main>
+  </body>
+</html>

data/lib/studio/version.rb

@@ -1,3 +1,3 @@
 module Studio
-  VERSION = "0.5.3"
+  VERSION = "0.5.5"
 end

data/lib/studio.rb

@@ -41,6 +41,10 @@ module Studio
   # verified sending address in config/initializers/studio.rb.
   mattr_accessor :mailer_from, default: nil
 
+  # Local/worktree email capture. nil means "auto": enabled when AGENT_WORKTREE
+  # is truthy, otherwise disabled. Production always disables capture.
+  mattr_accessor :local_email_capture, default: nil
+
   # Theme role colors (7 roles)
   mattr_accessor :theme_primary,  default: "#8E82FE"
   mattr_accessor :theme_dark,     default: "#1A1535"
@@ -88,6 +92,13 @@ module Studio
     auth_methods.include?(method.to_sym)
   end
 
+  def self.local_email_capture?
+    return false if defined?(Rails) && Rails.respond_to?(:env) && Rails.env.production?
+    return !!local_email_capture unless local_email_capture.nil?
+
+    env_truthy?(ENV["LOCAL_EMAIL_CAPTURE"]) || env_truthy?(ENV["AGENT_WORKTREE"])
+  end
+
   # Verifies that the host app's User model satisfies the engine's expected
   # contract. Raises Studio::UserContractError with a clear pointer to
   # docs/USER_CONTRACT.md if anything required is missing. Called from
@@ -146,6 +157,10 @@ module Studio
     entry ? "/#{entry[:file]}" : nil
   end
 
+  def self.env_truthy?(value)
+    %w[1 true yes on].include?(value.to_s.strip.downcase)
+  end
+
   def self.routes(router)
     router.instance_exec do
       get  "login",  to: "sessions#new"
@@ -158,13 +173,21 @@ module Studio
       get  "auth/:provider/callback", to: "omniauth_callbacks#create"
       get  "auth/failure", to: "omniauth_callbacks#failure"
 
+      unless defined?(Rails) && Rails.env.production?
+        get "_studio/local_emails", to: "studio/local_emails#index", as: :studio_local_emails
+      end
+
       # Passwordless email (magic link). Helpers: magic_link_request_path (POST
-      # to request a link) + magic_link_path(token) / magic_link_url(token:)
-      # (the emailed consume link). The token is a URL-safe MessageVerifier blob
-      # but the constraint guards against a stray "." segment.
+      # to request a link), magic_link_path(token) / magic_link_url(token:)
+      # for the emailed GET confirmation page, and magic_link_consume_path(token)
+      # for the scanner-safe POST consume. The token is a URL-safe
+      # MessageVerifier blob but the constraint guards against a stray "."
+      # segment.
       if Studio.draw_auth_routes && Studio.auth_method?(:magic_link)
-        post "magic_link",        to: "magic_links#create",  as: :magic_link_request
-        get  "magic_link/:token", to: "magic_links#consume", as: :magic_link,
+        post "magic_link",        to: "magic_links#create",   as: :magic_link_request
+        get  "magic_link/:token", to: "magic_links#confirm",  as: :magic_link,
+             constraints: { token: %r{[^/]+} }
+        post "magic_link/:token", to: "magic_links#consume",  as: :magic_link_consume,
              constraints: { token: %r{[^/]+} }
       end
 

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: studio-engine
 version: !ruby/object:Gem::Version
-  version: 0.5.3
+  version: 0.5.5
 platform: ruby
 authors:
 - Alex McRitchie
@@ -150,6 +150,7 @@ files:
 - app/controllers/schema_controller.rb
 - app/controllers/sessions_controller.rb
 - app/controllers/solana_sessions_controller.rb
+- app/controllers/studio/local_emails_controller.rb
 - app/controllers/theme_settings_controller.rb
 - app/helpers/studio_theme_helper.rb
 - app/jobs/error_log_cleanup_job.rb
@@ -184,12 +185,14 @@ files:
 - app/views/layouts/_navbar.html.erb
 - app/views/layouts/studio/_flash.html.erb
 - app/views/layouts/studio/_head.html.erb
+- app/views/magic_links/confirm.html.erb
 - app/views/navbar/show.html.erb
 - app/views/registrations/new.html.erb
 - app/views/schema/index.html.erb
 - app/views/sessions/_sso_continue.html.erb
 - app/views/sessions/new.html.erb
 - app/views/studio/_cropper_assets.html.erb
+- app/views/studio/local_emails/index.html.erb
 - app/views/studio/modals/_crop_photo.html.erb
 - app/views/studio/modals/_host.html.erb
 - app/views/studio/modals/_image_upload.html.erb