Add README viewer modal

[deoshreyas]

Adds a modal to view README files from the project page. Some sanitization for unsafe HTML (can extend if needed).

[sentry]

The helper method helpers.readme_project_path(project) is being called but this method is not defined in the codebase (verified by ripgrep search). This will cause a NoMethodError at runtime. You need to either: (1) define this helper method in a helper file, or (2) use the standard Rails path helper directly. Since you're using member do get :readme end in routes, the correct helper should be readme_project_path(project).
_{Severity: CRITICAL}

🤖 Prompt for AI Agent

Review the code at the location below. A potential bug has been identified by an AI
agent.
Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not
valid.

Location: app/components/project_show_card_component.html.erb#L92-L93

Potential issue: The helper method `helpers.readme_project_path(project)` is being
called but this method is not defined in the codebase (verified by ripgrep search). This
will cause a NoMethodError at runtime. You need to either: (1) define this helper method
in a helper file, or (2) use the standard Rails path helper directly. Since you're using
`member do get :readme end` in routes, the correct helper should be
`readme_project_path(project)`.

_{Did we get this right? 👍 / 👎 to inform future reviews.
Reference ID: 3637112}

[sentry]

The modal uses data-action="click->modal#closeBackground keyup@window->modal#closeWithEsc" for keyboard and click-outside handling. However, there's no focus trap or focus restoration logic. When the modal opens, focus should move to the modal (or close button), and when it closes, focus should return to the triggering element. This improves accessibility for keyboard and screen reader users. Consider adding autofocus to the close button or using a focus management library.
_{Severity: MEDIUM}

🤖 Prompt for AI Agent

Review the code at the location below. A potential bug has been identified by an AI
agent.
Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not
valid.

Location: app/views/projects/readme.html.erb#L1-L16

Potential issue: The modal uses `data-action="click->modal#closeBackground
keyup@window->modal#closeWithEsc"` for keyboard and click-outside handling. However,
there's no focus trap or focus restoration logic. When the modal opens, focus should
move to the modal (or close button), and when it closes, focus should return to the
triggering element. This improves accessibility for keyboard and screen reader users.
Consider adding `autofocus` to the close button or using a focus management library.

_{Did we get this right? 👍 / 👎 to inform future reviews.
Reference ID: 3637112}

[sentry]

The close method at line 14 calls this.element.remove() without checking if the element exists or is already removed. If called multiple times or if the element is removed externally, this could cause an error. Additionally, if the Turbo frame replacement is still in progress, removing the element synchronously could cause issues. Consider using a safer approach: this.element?.remove?.() or wrapping in a try-catch.
_{Severity: MEDIUM}

🤖 Prompt for AI Agent

Review the code at the location below. A potential bug has been identified by an AI
agent.
Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not
valid.

Location: app/javascript/controllers/modal_controller.js#L13-L14

Potential issue: The `close` method at line 14 calls `this.element.remove()` without
checking if the element exists or is already removed. If called multiple times or if the
element is removed externally, this could cause an error. Additionally, if the Turbo
frame replacement is still in progress, removing the element synchronously could cause
issues. Consider using a safer approach: `this.element?.remove?.()` or wrapping in a
try-catch.

_{Did we get this right? 👍 / 👎 to inform future reviews.
Reference ID: 3637112}

[sentry]

The disconnect method restores document.body.style.overflow by setting it to an empty string. However, if multiple modals are nested or opened in quick succession, this could prematurely unlock scrolling before all modals are closed. Consider using a counter or stack to track open modals. Alternatively, use a class-based approach: add/remove a class from document.body and manage overflow via CSS.
_{Severity: MEDIUM}

🤖 Prompt for AI Agent

Review the code at the location below. A potential bug has been identified by an AI
agent.
Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not
valid.

Location: app/javascript/controllers/modal_controller.js#L8-L9

Potential issue: The `disconnect` method restores `document.body.style.overflow` by
setting it to an empty string. However, if multiple modals are nested or opened in quick
succession, this could prematurely unlock scrolling before all modals are closed.
Consider using a counter or stack to track open modals. Alternatively, use a class-based
approach: add/remove a class from `document.body` and manage overflow via CSS.

_{Did we get this right? 👍 / 👎 to inform future reviews.
Reference ID: 3637112}

[cskartikey]

Ah, I'm quite concerned about the XSS possibilities

[deoshreyas]

I could extend it, any suggestions?