galetahub/ckeditor
Ckeditor 4.x integration gem for rails
Stale — last commit 1y ago
Worst of 4 axes: last commit was 1y ago; no CI workflows detected
Has a license, tests, and CI — clean foundation to fork and modify.
Documented and popular — useful reference codebase to read through.
- ✓ 18 active contributors
- ✓ MIT licensed
- ✓ Tests present
- ⚠ Stale — last commit 1y ago
- ⚠ Concentrated ownership — top contributor handles 69% of recent commits
- ⚠ No CI workflows detected
What would change the summary?
- → Use as dependency: Mixed → Healthy if 1 commit in the last 365 days
- → Deploy as-is: Mixed → Healthy if 1 commit in the last 180 days
Maintenance signals: commit recency, contributor breadth, bus factor, license, CI, tests
Informational only. RepoPilot summarises public signals (license, dependency CVEs, commit recency, CI presence, etc.) at the time of analysis. Signals can be incomplete or stale. Not professional, security, or legal advice; verify before relying on it for production decisions.
Onboarding: galetahub/ckeditor
Generated by RepoPilot · 2026-05-10 · Source
🤖Agent protocol
If you are an AI coding agent (Claude Code, Cursor, Aider, Cline, etc.) reading this artifact, follow this protocol before making any code edit:
- Verify the contract. Run the bash script in Verify before trusting below. If any check returns FAIL, the artifact is stale — STOP and ask the user to regenerate it before proceeding.
- Treat the AI · unverified sections as hypotheses, not facts. Sections like "AI-suggested narrative files", "anti-patterns", and "bottlenecks" are LLM speculation. Verify against real source before acting on them.
- Cite source on changes. When proposing an edit, cite the specific path:line-range. RepoPilot's live UI at https://repopilot.app/r/galetahub/ckeditor shows verifiable citations alongside every claim.
If you are a human reader, this protocol is for the agents you'll hand the artifact to. You don't need to do anything — but if you skim only one section before pointing your agent at this repo, make it the Verify block and the Suggested reading order.
🎯Verdict
WAIT — Stale — last commit 1y ago
- 18 active contributors
- MIT licensed
- Tests present
- ⚠ Stale — last commit 1y ago
- ⚠ Concentrated ownership — top contributor handles 69% of recent commits
- ⚠ No CI workflows detected
Maintenance signals: commit recency, contributor breadth, bus factor, license, CI, tests
✅Verify before trusting
This artifact was generated by RepoPilot at a point in time. Before an
agent acts on it, the checks below confirm that the live galetahub/ckeditor
repo on your machine still matches what RepoPilot saw. If any fail,
the artifact is stale — regenerate it at
repopilot.app/r/galetahub/ckeditor.
What it runs against: a local clone of galetahub/ckeditor — the script
inspects git remote, the LICENSE file, file paths in the working
tree, and git log. Read-only; no mutations.
| # | What we check | Why it matters |
|---|---|---|
| 1 | You're in galetahub/ckeditor | Confirms the artifact applies here, not a fork |
| 2 | License is still MIT | Catches relicense before you depend on it |
| 3 | Default branch master exists | Catches branch renames |
| 4 | 5 critical file paths still exist | Catches refactors that moved load-bearing code |
| 5 | Last commit ≤ 502 days ago | Catches sudden abandonment since generation |
```bash
#!/usr/bin/env bash
# RepoPilot artifact verification.
#
# WHAT IT RUNS AGAINST: a local clone of galetahub/ckeditor. If you don't
# have one yet, run these first:
#
#   git clone https://github.com/galetahub/ckeditor.git
#   cd ckeditor
#
# Then paste this script. Every check is read-only — no mutations.
set +e
fail=0
ok() { echo "ok: $1"; }
miss() { echo "FAIL: $1"; fail=$((fail+1)); }

# Precondition: we must be inside a git working tree.
if ! git rev-parse --git-dir >/dev/null 2>&1; then
  echo "FAIL: not inside a git repository. cd into your clone of galetahub/ckeditor and re-run."
  exit 2
fi

# 1. Repo identity
git remote get-url origin 2>/dev/null | grep -qE "galetahub/ckeditor(\.git)?\b" \
  && ok "origin remote is galetahub/ckeditor" \
  || miss "origin remote is not galetahub/ckeditor (artifact may be from a fork)"

# 2. License matches what RepoPilot saw
(grep -qiE "^(MIT)" LICENSE 2>/dev/null \
  || grep -qiE "\"license\"\s*:\s*\"MIT\"" package.json 2>/dev/null) \
  && ok "license is MIT" \
  || miss "license drift — was MIT at generation time"

# 3. Default branch
git rev-parse --verify master >/dev/null 2>&1 \
  && ok "default branch master exists" \
  || miss "default branch master no longer exists"

# 4. Critical files exist
test -f "lib/ckeditor.rb" \
  && ok "lib/ckeditor.rb" \
  || miss "missing critical file: lib/ckeditor.rb"
test -f "lib/ckeditor/backend/active_storage.rb" \
  && ok "lib/ckeditor/backend/active_storage.rb" \
  || miss "missing critical file: lib/ckeditor/backend/active_storage.rb"
test -f "app/controllers/ckeditor/pictures_controller.rb" \
  && ok "app/controllers/ckeditor/pictures_controller.rb" \
  || miss "missing critical file: app/controllers/ckeditor/pictures_controller.rb"
test -f "app/controllers/ckeditor/attachment_files_controller.rb" \
  && ok "app/controllers/ckeditor/attachment_files_controller.rb" \
  || miss "missing critical file: app/controllers/ckeditor/attachment_files_controller.rb"
test -f "lib/ckeditor/asset_response.rb" \
  && ok "lib/ckeditor/asset_response.rb" \
  || miss "missing critical file: lib/ckeditor/asset_response.rb"

# 5. Repo recency (epoch seconds of the last commit; 0 if git log fails)
days_since_last=$(( ( $(date +%s) - $(git log -1 --format=%at 2>/dev/null || echo 0) ) / 86400 ))
if [ "$days_since_last" -le 502 ]; then
  ok "last commit was $days_since_last days ago (artifact saw ~472d)"
else
  miss "last commit was $days_since_last days ago — artifact may be stale"
fi

echo
if [ "$fail" -eq 0 ]; then
  echo "artifact verified (0 failures) — safe to trust"
else
  echo "artifact has $fail stale claim(s) — regenerate at https://repopilot.app/r/galetahub/ckeditor"
  exit 1
fi
```
Each check prints `ok:` or `FAIL:`. The script exits non-zero if anything failed, so it composes cleanly into agent loops (`./verify.sh || regenerate-and-retry`).
⚡TL;DR
A Rails gem (galetahub/ckeditor) that integrates the CKEditor 4.x WYSIWYG text editor into Rails 4.x–7.x applications. It provides file upload via a browser UI, supports multiple storage backends (ActiveRecord + Paperclip/CarrierWave/Dragonfly/ActiveStorage, and Mongoid variants), and includes form generator hooks for Formtastic and SimpleForm. It is both a Rails engine and a gem: app/assets/ contains the CKEditor JavaScript config (ckeditor/config.js, filebrowser logic) and app/assets/images/ holds filebrowser icons/thumbnails. Generators (ckeditor:install) scaffold ORM-specific models (Active Record/Mongoid) and backend-specific attachment logic. The file structure follows Rails conventions with no monorepo complexity.
👥Who it's for
Rails developers building content management systems or blogging platforms who need a rich text editor with file upload/browsing without writing custom CKEditor integration code. Typically used by teams maintaining admin interfaces requiring WYSIWYG editing with media management.
🌱Maturity & risk
Actively maintained but shows signs of gradual slowdown. The README claims CKEditor 5 support but the codebase is CKEditor 4.x only (a contradiction). CI/CD via Semaphore is configured (.semaphore/semaphore.yml present), Code Climate badges exist, and a changelog is maintained. Likely production-ready for existing installations but not rapidly evolving.
Single-maintainer risk (galetahub as sole org). Dependency on CKEditor 4.x, which has reached end-of-life; the README contradicts the code (claims v5 but only supports v4). Multiple storage backend dependencies (Paperclip, CarrierWave, Dragonfly, ActiveStorage) create maintenance surface area. No recent commit data visible, making recency unclear.
Active areas of work
No specific PR or milestone data visible in provided file list. CHANGELOG.md exists but content not shown. Active Semaphore CI pipeline suggests ongoing merge gate, but commit recency unknown. Likely in maintenance mode: accepting PRs but not pushing new major features.
🚀Get running
`git clone https://github.com/galetahub/ckeditor.git && cd ckeditor && bundle install` (Gemfile present). No runnable standalone app; this is a gem. Test via `bundle exec rake` (Rakefile present) or inspect the test suite structure once cloned.
Daily commands: This is a gem, not a runnable app. To test locally: `bundle install && bundle exec rake`. To use in a Rails app: add `gem 'ckeditor'` to the Gemfile, run `bundle install`, then `rails generate ckeditor:install --orm=active_record --backend=active_storage` (or your chosen backend).
🗺️Map of the codebase
- lib/ckeditor.rb — Main gem entry point defining the Ckeditor module and initialization; all contributors must understand the primary interface and configuration hooks
- lib/ckeditor/backend/active_storage.rb — Primary backend implementation for Rails ActiveStorage; demonstrates the plugin architecture pattern used across all storage backends
- app/controllers/ckeditor/pictures_controller.rb — Core request handler for image uploads and file browser operations; handles authorization and asset response generation
- app/controllers/ckeditor/attachment_files_controller.rb — Attachment file upload handler mirroring the pictures controller; shows the dual-asset pattern for documents and images
- lib/ckeditor/asset_response.rb — Serialization layer for file browser JSON responses; critical for the filebrowser UI and editor integration
- config/routes.rb — Gem route definitions for picture/attachment upload and browser endpoints; entry point for HTTP request routing
- ckeditor.gemspec — Gem metadata and dependency declarations; defines Rails version support and required file attachments
🛠️How to make changes
Add Support for a New File Type in Browser
- Add file extension mapping to the config locale (e.g., webp, svg) in config/locales/en.ckeditor.yml
- Add the corresponding thumbnail icon to app/assets/images/ckeditor/filebrowser/thumbs/
- Update the controller validation (e.g., in pictures_controller.rb or attachment_files_controller.rb) to permit the new MIME type in @asset.create_params (app/controllers/ckeditor/pictures_controller.rb)
Integrate a New File Storage Backend
- Create a new backend class in lib/ckeditor/backend/my_storage.rb implementing the required interface (upload, delete, find methods); see lib/ckeditor/backend/active_storage.rb
- Register the backend in lib/ckeditor.rb in the Ckeditor.backend= method and add configuration handling
- Update ckeditor.gemspec to add an optional dependency if needed (e.g., gem 'my_storage', require: false)
- Add backend-specific logic to controllers if needed (e.g., custom authorization in app/controllers/ckeditor/application_controller.rb)
Add a New Language to the File Browser
- Create a new locale file following ISO 639-1 naming (e.g., config/locales/es.ckeditor.yml)
- Copy the structure from config/locales/en.ckeditor.yml and translate all keys
- Rails i18n will auto-detect the locale; verify in the file browser views via I18n.t('ckeditor.filebrowser.*') (app/views/ckeditor/pictures/index.html.erb)
Customize File Upload Authorization
- Override before_action :authorize_user! in a custom controller inheriting from app/controllers/ckeditor/pictures_controller.rb
- Define your authorization logic (e.g., check current_user role or permissions) in app/controllers/ckeditor/application_controller.rb
- Register the custom controller in the routes config (e.g., in the host app's config/routes.rb with a namespace override)
🔧Why these technologies
- Rails Engine — Allows mountable, isolated Rails functionality within host applications without polluting the main app's controllers/routes
- ActiveStorage/CarrierWave abstraction (backend plugins) — Decouples file storage mechanism from business logic, enabling support for S3, local filesystem, Azure, etc. without code duplication
- jQuery.tmpl for file browser templating — Lightweight client-side templating for dynamic asset list rendering without full framework overhead
- I18n for localization — Rails standard for multi-language support; 25 built-in locales reduce barrier to international adoption
⚖️Trade-offs already made
- Backend abstraction via pluggable adapters (ActiveStorage, CarrierWave, Paperclip, Dragonfly)
  - Why: Supports legacy Rails versions (4.x) and multiple storage ecosystems without monolithic dependencies
  - Consequence: Adds configuration complexity and potential version compatibility issues; maintainers must test against all backends
- Client-side file browser using AJAX + jQuery templates
  - Why: Minimal server load; users can browse/upload without full page reloads; lightweight JS footprint
  - Consequence: Tied to jQuery; harder to port to modern frameworks (React/Vue); limited accessibility in older implementations
- Authorization logic delegated to the parent controller (via before_action :authorize_user!)
  - Why: Respects Devise/Pundit/CanCanCan patterns in Rails apps; no opinionated auth system
  - Consequence: Security depends entirely on the host app's authorization setup; requires developer discipline to implement correctly
🚫Non-goals (don't propose these)
- Real-time collaborative editing (stateless upload-only, no WebSocket)
- Standalone usage without Rails (gem is Rails-only)
- CKEditor 5 support (README states 'currently supports ckeditor 4 only')
- Video/media upload optimization (no transcoding; delegates to storage backend)
- Built-in image cropping or editing (purely upload + reference)
🪤Traps & gotchas
1. README contradicts code: claims CKEditor 5 in the intro but only CKEditor 4.x is supported.
2. Generator command requires explicit --orm and --backend flags; omitting defaults will fail.
3. ActiveStorage backend NOT supported on Mongoid (Rails issue #31408).
4. Filebrowser JavaScript relies on jQuery and jQuery.tmpl.min.js; projects using modern JS bundlers may have path issues.
5. No explicit Rails.root or config path visible; assume default Rails initializer locations (config/initializers/assets.rb as per README).
🏗️Architecture
💡Concepts to learn
- Rails Asset Pipeline (Sprockets) — This gem entirely depends on precompiling CKEditor JavaScript via Sprockets; app/assets/config/ckeditor_manifest.js controls what gets bundled
- ORM Polymorphism via Generators — ckeditor:install --orm=active_record vs --orm=mongoid generates different model code; a common pattern for multi-database gems
- Carrierwave / Dragonfly / Paperclip / ActiveStorage Backend Adapters — Gem abstracts file storage behind pluggable backends; developer must choose one at install time; understanding adapter patterns is key to extending storage support
- CKEditor 4 Editor Instance Configuration — app/assets/javascripts/ckeditor/config.js is where toolbar buttons, plugins, and editor behavior are declared; customization starts here
- Rails Mountable Engine Pattern — This gem is a Rails Engine; it provides routes, models, and assets that integrate into host Rails app without modifying app code directly
- AJAX File Upload & Multipart Form Data — fileuploader.js implements AJAX upload for filebrowser; understanding multipart/form-data and XMLHttpRequest is needed to debug upload failures
🔗Related repos
- ckeditor/ckeditor4-releases — Upstream CKEditor 4 releases and source; this gem vendors/wraps it for Rails
- rails/rails — Rails asset pipeline and ActiveStorage backend; core dependency for this gem
- jnicklas/capybara — Testing library commonly used to test CKEditor integration in Rails test suites
- refile/refile — Alternative modern file upload gem for Rails; direct competitor to ckeditor's filebrowser for simpler file handling
- rails-ckeditor/rails-ckeditor — Legacy fork/predecessor; understanding its history helps explain design decisions in galetahub/ckeditor
🪄PR ideas
To work on one of these in Claude Code or Cursor, paste:
Implement the "<title>" PR idea from CLAUDE.md, working through the checklist as the task list.
Add comprehensive controller tests for app/controllers/ckeditor/pictures_controller.rb and attachment_files_controller.rb
The repo has CI configured (Semaphore) and RuboCop for linting, but there's no visible test directory. The picture and attachment file controllers handle file uploads and listing - critical functionality that needs unit/integration tests to prevent regressions and ensure security (e.g., authorization checks, file type validation, path traversal prevention).
- [ ] Create spec/controllers/ckeditor/pictures_controller_spec.rb with tests for index, create, and destroy actions
- [ ] Create spec/controllers/ckeditor/attachment_files_controller_spec.rb with similar coverage
- [ ] Test file upload validation, authorization, and response formats
- [ ] Add test helper fixtures in spec/fixtures/ for sample images and documents
- [ ] Update Gemfile to include rspec-rails if not present and ensure Rakefile runs tests in CI
Upgrade CKEditor 4 asset pipeline integration for modern Rails (6.0+) asset handling
The repo supports CKEditor 4 but the app/assets structure and app/assets/config/ckeditor_manifest.js suggest potential issues with Rails 6+ asset pipeline changes. The filebrowser has multiple JS files (jquery.tmpl.min.js, jquery.endless-scroll.js) that may not be properly bundled. This PR would ensure compatibility with modern Rails versions and Webpacker/importmap-rails.
- [ ] Audit app/assets/javascripts/ckeditor/filebrowser/javascripts/ files for jQuery dependency version conflicts
- [ ] Update app/assets/config/ckeditor_manifest.js to properly precompile all required assets using the correct manifest syntax
- [ ] Create a spec/dummy Rails app (if not existing) to test asset compilation in Rails 6.0, 7.0, and 8.0
- [ ] Add documentation in README.md for Rails version compatibility matrix
- [ ] Ensure legacy app/assets/stylesheets/ckeditor/filebrowser/uploader.scss compiles without deprecation warnings
Add GitHub Actions workflow to replace or augment Semaphore CI with Rails/Ruby matrix testing
The repo uses Semaphore CI (.semaphore/semaphore.yml exists) but GitHub Actions is now standard for GitHub projects and provides better integration with the platform. Adding a .github/workflows/test.yml would enable transparent CI status, easier debugging for contributors, and matrix testing across Ruby 2.7-3.2 and Rails 5.2-7.0 to catch version compatibility issues early.
- [ ] Create .github/workflows/test.yml with matrix jobs for Ruby versions (2.7, 3.0, 3.1, 3.2) and Rails versions (5.2, 6.0, 6.1, 7.0)
- [ ] Include steps for bundler caching, RuboCop linting, and test execution
- [ ] Ensure the workflow tests against PostgreSQL/SQLite for maximum compatibility
- [ ] Update README.md badge section to include GitHub Actions status badge alongside existing Semaphore badge
- [ ] Document in CONTRIBUTING.md (or create it) how to run tests locally matching the CI environment
🌿Good first issues
- Update README to remove CKEditor 5 claims and clearly state CKEditor 4.x-only support; add migration guide for v4→v5 users.
- Add RSpec or Minitest test coverage for filebrowser JavaScript (app/assets/javascripts/ckeditor/filebrowser/javascripts/); current test presence unknown from file list.
- Document Mongoid + ActiveStorage limitation in README with workaround (e.g., recommend Paperclip or CarrierWave for Mongoid users).
⭐Top contributors
- @galetahub — 69 commits
- @patricklindsay — 7 commits
- @Yegorov — 4 commits
- @lHydra — 3 commits
- @amatsuda — 2 commits
📝Recent commits
- f6f8e2b — fix: upgrade rexml, nokogiri and rails-html-sanitizer to fix security issues (galetahub)
- e0ed694 — chore: run rubocop to check code style before tests (galetahub)
- b3aa79f — chore: fix code style (galetahub)
- f033648 — fix: code style rename variables (galetahub)
- 476401e — chore: move const authorization_adapters to class method (galetahub)
- 24fcda5 — chore: bump rails to 7.x version (galetahub)
- d7ef889 — chore: bump ruby version to 3.2.6 (galetahub)
- 41b2ce6 — Hide security warning message by default (galetahub)
- 6a4f526 — Bump gem version to 5.1.3 (galetahub)
- 77fe63c — Add prefix to assets/config/manifest.js to avoid overwrite root manifest.js (galetahub)
🔒Security observations
- High · Potential XSS Vulnerability in CKEditor Integration — app/views/ckeditor/shared/, app/controllers/ckeditor/. CKEditor is a rich text editor that handles user-generated HTML content. The gem integrates CKEditor into Rails applications, which could be vulnerable to XSS attacks if the editor output is not properly sanitized before rendering in views. The presence of views like app/views/ckeditor/shared/_asset.html.erb suggests direct rendering of editor content without explicit sanitization indicators. Fix: Ensure all CKEditor output is sanitized using Rails' sanitization helpers (sanitize_html, simple_format with allow_protocols restrictions). Implement Content Security Policy (CSP) headers. Use Rails' built-in XSS protection and validate/filter HTML on the server side using gems like sanitize or loofah.
- High · File Upload Security Risks — app/controllers/ckeditor/attachment_files_controller.rb, app/controllers/ckeditor/pictures_controller.rb. The gem includes file upload functionality (app/controllers/ckeditor/attachment_files_controller.rb and pictures_controller.rb) which could be vulnerable to arbitrary file upload attacks, path traversal, or execution of malicious files. No explicit file type validation or storage configuration details are visible in the structure. Fix: Implement strict file type validation (whitelist allowed extensions). Store uploaded files outside the web root. Rename files with random identifiers to prevent path traversal. Implement file size limits. Scan uploads for malware. Consider using secure storage solutions (S3 with proper ACLs). Validate MIME types server-side.
- Medium · Missing CSRF Protection Configuration — app/assets/javascripts/ckeditor/filebrowser/javascripts/fileuploader.js, rails.js. The filebrowser includes JavaScript file upload functionality (app/assets/javascripts/ckeditor/filebrowser/javascripts/fileuploader.js and rails.js) which may not properly handle CSRF tokens, particularly in AJAX requests for file uploads. Fix: Ensure all AJAX requests include CSRF tokens. Verify that Rails.js includes CSRF header injection for XHR requests. Configure proper CSRF protection in application_controller.rb with protect_from_forgery.
- Medium · Insufficient Access Control on File Management Endpoints — app/controllers/ckeditor/attachment_files_controller.rb, app/controllers/ckeditor/pictures_controller.rb, app/controllers/ckeditor/application_controller.rb. The controllers for managing attachments and pictures (attachment_files_controller.rb, pictures_controller.rb) may lack proper authorization checks. Without visible authentication/authorization mechanisms, unauthorized users could potentially list, upload, or delete files. Fix: Implement authentication checks using before_action filters. Add authorization checks to ensure users can only access/modify their own files. Use gems like Pundit or CanCanCan for role-based access control. Verify ownership of resources before allowing operations.
- Medium · Deprecated CKEditor 4 Usage — README.md, ckeditor.gemspec. The README explicitly states 'Currently this gem supports ckeditor 4 only', while CKEditor 4 has reached end-of-life status. Continued use of deprecated software introduces unpatched security vulnerabilities. Fix: Plan migration to CKEditor 5, which receives active security updates. If CKEditor 4 must be used, implement comprehensive security controls including strict CSP, input validation, and output sanitization. Monitor for security advisories.
- Low · Missing Security Headers Configuration — app/views/layouts/ckeditor/application.html.erb, app/controllers/ckeditor/application_controller.rb. No visible configuration for security headers (X-Frame-Options, X-Content-Type-Options, X-XSS-Protection, Strict-Transport-Security) in the gem structure. The filebrowser in particular should be protected against clickjacking. Fix: Configure security headers in the application controller or via middleware. Set X-Frame-Options to 'SAMEORIGIN' or 'DENY' to prevent clickjacking on the filebrowser. Use X-Content-Type-Options: 'nosniff'. Implement CSP headers appropriate for rich text editing.
- Low · Lack of Input Validation Visibility — No explicit input
LLM-derived; treat as a starting point, not a security audit.
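The upload fix listed above (allow-listed extensions, server-side content-type checks, random storage names, a size limit) as an added example; this is not the gem's own code, the UploadGate module and its magic-byte table are assumptions for illustration, and the gate would sit in the host app's controller before the file reaches the storage backend:

```ruby
# Added example, not part of galetahub/ckeditor: a server-side upload gate.
# Hypothetical module name; the allow-list below is constructed for the demo.
require "securerandom"

module UploadGate
  # extension => magic bytes the file must start with. The client-supplied
  # extension and Content-Type are untrusted, so the content is sniffed.
  ALLOWED = {
    "png"  => ["\x89PNG\r\n\x1A\n".b],
    "jpg"  => ["\xFF\xD8\xFF".b],
    "jpeg" => ["\xFF\xD8\xFF".b],
    "gif"  => ["GIF87a".b, "GIF89a".b],
    "pdf"  => ["%PDF-".b],
  }.freeze
  MAX_BYTES = 5 * 1024 * 1024 # 5 MiB, a constructed limit

  Result = Struct.new(:ok, :reason, :stored_name)

  # Returns a Result; stored_name is the random on-disk name to hand to the
  # backend, so the original filename never becomes part of a path.
  def self.check(original_name, bytes, max_bytes: MAX_BYTES)
    return Result.new(false, "empty upload", nil) if bytes.nil? || bytes.empty?
    return Result.new(false, "file too large", nil) if bytes.bytesize > max_bytes

    # basename drops any directory components ("../../x.png" -> "x.png").
    base = File.basename(original_name.to_s)
    ext = File.extname(base).delete_prefix(".").downcase
    magic = ALLOWED[ext]
    return Result.new(false, "extension not allowed: #{ext.inspect}", nil) unless magic

    head = bytes.byteslice(0, 8).b
    unless magic.any? { |m| head.start_with?(m) }
      return Result.new(false, "content does not match .#{ext}", nil)
    end

    Result.new(true, nil, "#{SecureRandom.hex(16)}.#{ext}")
  end
end
```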
👉Where to read next
- Open issues — current backlog
- Recent PRs — what's actively shipping
- Source on GitHub
Generated by RepoPilot. Verdict based on maintenance signals — see the live page for receipts. Re-run on a new commit to refresh.