Fix public-launch review blockers (P1 demo write hole, P2 toolbar)#30
Merged
bnz183 merged 2 commits intoJun 16, 2026
Conversation
Drop unused initializers in insertFileLink and scope an eslint-disable around the intentional latest-ref slash-extension pattern. No behavior change; build, unit tests, and e2e all pass. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
P1: add requireNonDemo guard so demo sessions and forced-demo deployments cannot trigger real writes; apply it to /api/setup/generate-config (which writes sourcedraft.config.json). The guard blocks genuine demo only, so a real authenticated user can still generate config before a publisher is configured. Centralize client publish gating (canSubmitPublish/isRealPublish): a real publish requires a connected, non-demo Studio; demo only simulates. P2: route toolbar disabled state and click handling through a single isToolbarButtonEnabled predicate so a disabled control can never run its command even if the native disabled state is bypassed. Adds regression tests: requireNonDemo (server), publish gating and isToolbarButtonEnabled (unit), and source-mode/disabled toolbar e2e. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
c17d2b8
into
feature/public-ready-studio-editor-final
8 checks passed
bnz183
added a commit
that referenced
this pull request
Jun 16, 2026
* feat: improve setup detection, config generation, and Studio editor polish Add content-root detection, frontmatter inference, and server-side config generation while hardening auth, rate limits, and writer-facing Studio workflows. * fix: finish demo mode toggle from login and exit banner Allow demo by default unless disabled, remove misleading unavailable copy, and wire Exit demo mode back to the login screen. * feat: finalize public Studio onboarding and editor polish Add Underline to the editor toolbar (already-loaded extension that round-trips to <u> HTML passthrough), clarify the disabled file-link copy, and align editor docs with shipped behavior. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> * Fix public-launch review blockers (P1 demo write hole, P2 toolbar) (#30) * fix: clear pre-existing Studio editor lint errors Drop unused initializers in insertFileLink and scope an eslint-disable around the intentional latest-ref slash-extension pattern. No behavior change; build, unit tests, and e2e all pass. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> * fix: close demo write hole and harden disabled toolbar controls P1: add requireNonDemo guard so demo sessions and forced-demo deployments cannot trigger real writes; apply it to /api/setup/generate-config (which writes sourcedraft.config.json). The guard blocks genuine demo only, so a real authenticated user can still generate config before a publisher is configured. Centralize client publish gating (canSubmitPublish/isRealPublish): a real publish requires a connected, non-demo Studio; demo only simulates. P2: route toolbar disabled state and click handling through a single isToolbarButtonEnabled predicate so a disabled control can never run its command even if the native disabled state is bypassed. Adds regression tests: requireNonDemo (server), publish gating and isToolbarButtonEnabled (unit), and source-mode/disabled toolbar e2e. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> --------- Co-authored-by: bnz183 <bnz183@users.noreply.github.com> Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com> --------- Co-authored-by: bnz183 <bnz183@users.noreply.github.com> Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Addresses the pre-launch review blockers on PR #27, routed into the feature branch via PR per the branch ruleset. Supersedes the lint-only PR #28 (includes its commit).
P1 — security/behavior (demo must stay read/demo-only)
/api/setup/generate-configwrites a realsourcedraft.config.jsonbut only hadrequireAuth, so a demo session could mutate real files. AddedrequireNonDemo(rejects forced-demo deployments and demo sessions with 403) and applied it to that route.isHardDemoRequest(forced demo OR actual demo session), notisRequestDemoSession— so a real authenticated user can still generate config before a publisher is configured.canSubmitPublish/isRealPublish: a real publish requires a connected, non-demo Studio; demo mode only simulates. Unauthenticated/demo can never trigger a real publish (server is authoritative; demo routes to simulation).P2 — toolbar
disabledattribute and their click handler through oneisToolbarButtonEnabledpredicate, so a disabled control can never run its command even if the native disabled state is bypassed.Tests
requireNonDemo.test.ts— forced demo and demo sessions blocked; real authenticated (even pre-publisher) allowed.publishGate.test.ts— demo never real-publishes; configured non-demo can; invalid/in-flight blocked.toolbarButton.test.ts— disabled/source-mode controls are not runnable.Also folds in the earlier lint cleanup (
insertFileLink, slash-extension latest-ref pattern).Local results:
pnpm build✅,pnpm test✅ (studio 115, 0 fail),pnpm test:e2e✅ 16/16,pnpm lint✅.🤖 Generated with Claude Code