dandruff 0.8.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 92f96a417934ece71e7a47f7c4ae9b38af85c4fc249c806033527998d5dceb04
+  data.tar.gz: 660b1352cca1a330c1728ba2788803313482be7afc1325d28a0f9a0ac92d8671
+SHA512:
+  metadata.gz: f5a5e2e77d5e5330880c468ba9c92abc8ae5cbd977db0aed73e9fde021eb3e52f019b8c6b6a01c260496bad64106d93b08b6af1cc9dec1bc205cf8819469ef39
+  data.tar.gz: 1dd3a851d79ea500828f9a755796cbd51255920a63c4b36bd166a17a62de8a6b3a26261a1752a1fbd0011dc3ac496a5ab46ff10afae6f48495b8145e671cbada

data/.rubocop.yml

@@ -0,0 +1,23 @@
+# Omakase Ruby styling for Rails
+# inherit_gem: { rubocop-rails-omakase: rubocop.yml }
+
+# Overwrite or add rules to create your own house style
+#
+# # Use `[a, [b, c]]` not `[ a, [ b, c ] ]`
+# Layout/SpaceInsideArrayLiteralBrackets:
+#   Enabled: false
+
+inherit_gem: { kuyio-rubocop: rubocop-default.yml }
+inherit_mode:
+  merge:
+    - Exclude
+
+AllCops:
+  Exclude:
+    - Gemfile
+    - Gemfile.lock
+    - vendor/**/*
+    - spec/fixtures/examples.rb
+
+Style/Lambda:
+  EnforcedStyle: literal

data/CHANGELOG.md

@@ -0,0 +1,69 @@
+## [Unreleased]
+ 
+## [0.8.0] - 2025-11-24
+
+### Changed
+- **BREAKING**: Renamed library from `scrubber` to `dandruff`.
+- **BREAKING**: Renamed main module from `Scrubber` to `Dandruff`.
+- **BREAKING**: Renamed all files and directories to match new namespace.
+- Added `Dandruff.scrub` alias for `Dandruff.sanitize`.
+- Full YARD documentation
+- Expanded README with more examples and documentation
+
+## [0.7.0] - 2025-11-23
+
+### Fixed
+- Removed duplicate `describe 'namespace configuration'` block, reducing example count to 414.
+- Excluded `spec/fixtures/examples.rb` from RuboCop to avoid infinite loops.
+- Fixed unused method argument in `valid_uri_attribute?`.
+- Added `MATH_SVG_TAGS` constant and used safe navigation.
+- Disabled cyclomatic complexity and perceived complexity metrics for several methods.
+- Updated RSpec example titles for uniqueness.
+- Re-enabled RSpec/RepeatedExample cop after fixing duplicates.
+## [0.6.0] - 2025-11-22
+
+### Fixed
+- Refined CSS validation to allow safe CSS (behavior:, binding:, data:image/svg+xml) while blocking dangerous patterns.
+- Updated HTML email profile: enabled style tags, preserved document elements, disabled DOM clobbering, allowed data attributes.
+- Fixed namespace handling: preserve text content when removing unknown namespaces.
+- Updated SVG attribute handling: safe handling of filter, data URIs, feImage.
+- Updated configuration handling: added explicit allow_data_attributes flag for strict attribute lists.
+- Updated tests to reflect new behavior.
+
+## [0.5.0] - 2025-11-21
+
+### Added
+- Specs covering metadata tag stripping, data/file URI enforcement, obfuscated CSS payloads, expanded DOM clobbering identifiers, attribute hook execution, SVG/MathML hardening, mutation-XSS stabilization, and DOM clobbering canonical parity.
+- Canonical DOM clobbering denylist test to track parity with DOMPurify.
+- Performance section in README with benchmark stats from local Apple M1 Max runs.
+- `html_email` profile to support safe rendering of HTML emails (allows `head`, `meta`, `style` tags and email-specific attributes while stripping scripts and forms).
+- **Per-tag attribute control** via `allowed_attributes_per_tag` configuration option, enabling fine-grained attribute allow lists per HTML tag (e.g., allow `href` only on `<a>` tags). Includes comprehensive documentation and test coverage.
+- **Optimized `html_email` profile** to use per-tag attribute restrictions instead of global attribute allowlisting, improving security by preventing attribute confusion attacks while maintaining full email compatibility.
+- Hook-based per-tag attribute control documentation showing how to use `upon_sanitize_attribute` hook for custom per-tag validation logic.
+- Additional HTML email profile regression specs to preserve `<html lang>`, head/meta/style content, legacy body margins/padding, table layout attributes, and enforced `alt` on `<img>` while stripping dangerous handlers/URIs.
+
+### Changed
+- Default forbidden tags now include `base`, `link`, `meta`, and `style`; removed these from the default allowlist to mirror DOMPurify defaults.
+- Tightened URI allowlist to http/https/mailto/ftp/tel or relative; `data:`/`file:` are blocked unless explicitly allowed via `allow_data_uri`.
+- Media/link data URIs now honor `allow_data_uri` across tags; inline styles are scanned for escaped/scripted payloads and stripped when unsafe.
+- Broadened DOM clobbering protection and now invoke `upon_sanitize_attribute` hooks during attribute processing.
+- Optional `allow_style_tags` opt-in drops entire style blocks on detection of dangerous patterns; default remains to deny `<style>`.
+- Added optional mutation-XSS stability pass (`sanitize_until_stable` with `mutation_max_passes`) to re-sanitize until output stabilizes and reduce mXSS risk.
+- Expanded URI-safe recognition to SVG `filter` attributes and extended DOM-clobbering denylist; added SVG filter/data-URI and extra clobbering specs.
+- Added SVG animateMotion/feImage data-URI blocking tests to harden remaining SVG vectors.
+- Annotation-XML now forbidden by default; added MathML coverage/tests for maction/annotation-xml and malicious MathML URIs.
+- Added mutation XSS stability test and baseProfile SVG trap coverage.
+- Inline style filtering hardened to catch behavior/binding directives and data SVG URLs; style opt-in drops blocks containing these payloads.
+- `sanitize_until_stable` defaults to 2 passes (bounded), with `pass_limit` to disable or increase passes.
+- Removed `return_trusted_type` flag to avoid implying browser Trusted Types; always return String unless `return_dom`/`return_dom_fragment`.
+- Added `minimal_profile` option to use an HTML-only allowlist (SVG/MathML off by default when enabled) and drop document wrappers unless explicitly allowed.
+- CSS tests expanded for nested/escaped `@import`; URI parsing tightened to reject leading whitespace/control characters.
+- Inline styles now parsed into allowed declarations with protocol checks; unsafe values drop the entire attribute.
+- Dandruff now uses instance-based configuration (`Dandruff.new(config)`) instead of module-level global state; the module-level `Dandruff.sanitize` is a convenience wrapper that builds a fresh instance per call.
+- `use_profiles=` now resets and reapplies profile-derived config, fixing block-style configuration for `html_email` (preserves document elements/attributes even with `return_dom`).
+- HTML email profile now forces full-document parsing and preserves legacy margin attributes and backgrounds on row/table elements to improve email fidelity.
+
+## [0.4.0] - 2025-11-20
+
+### Added
+- Initial public release of Scrubber

data/COMPARISON.md

@@ -0,0 +1,175 @@
+# HTML Sanitizer Comparison
+
+This document compares Dandruff (this project) with [Loofah](https://github.com/flavorjones/loofah), [sanitize](https://github.com/rgrove/sanitize), and [rails-html-sanitization](https://github.com/rails/rails-html-sanitizer).
+
+All four libraries are widely used and have solid track records. They make different trade‑offs in API design, configuration style, and how much “framework” they provide around Nokogiri. Dandruff’s design is strongly influenced by [DOMPurify](https://github.com/cure53/DOMPurify) and emphasizes XSS-hardening features and rich hooks; the other libraries are more focused on being flexible building blocks (Loofah), a concise configuration layer (sanitize), or Rails‑friendly defaults (rails-html-sanitization).
+
+The goal of this comparison is to highlight where each library is a particularly good fit, rather than to declare a single “winner”.
+
+## High-Level Feature Matrix
+
+| Aspect | Dandruff | Loofah | sanitize | rails-html-sanitization |
+| --- | --- | --- | --- | --- |
+| **Core model** | Standalone sanitizer modeled after DOMPurify, using Nokogiri HTML5 parsing | Set of Nokogiri-based dandruffs (fragment and document) with composable behavior | Configuration layer on top of Loofah dandruffs | Rails-centric helpers and safe lists backed by Loofah |
+| **Configuration style** | Ruby object/DSL with profiles and per-call overrides | Choose and combine dandruffs; custom dandruff classes | Hash-based allow/forbid lists plus transformers | Limited knobs; mostly choice of sanitizer method and options |
+| **Hooks / extension** | Named hooks around attribute/element sanitization; can adjust or veto behavior | Custom dandruff classes and Nokogiri manipulation | Transformers (blocks) that can modify the tree | Limited extension; primarily composition with Loofah or custom helpers |
+| **Content types** | HTML, SVG, MathML, SVG filters via profiles | Primarily HTML fragments/documents; SVG/MathML require custom handling | Same as Loofah; primarily HTML | HTML/ERB rendered through Rails; other types are uncommon |
+| **HTML email support** | Dedicated `html_email` profile with per-tag attribute rules | Possible with custom dandruffs and rules | Possible with custom config/transformers | Possible with custom config; no email-specific profile |
+| **Return types** | String, DOM, or fragment based on config | Nokogiri fragment/document or serialized string | String output by default | String output, integrated with Rails views/helpers |
+| **Default posture** | Defensive defaults modeled after DOMPurify | Depends on chosen dandruff; some permissive, some stricter | Conservative defaults suitable for common use cases | Rails defaults tuned for typical web views |
+
+## Library-by-Library Discussion
+
+### Dandruff
+
+#### **Design**
+  Dandruff is a Ruby implementation inspired by DOMPurify’s design and threat model. It uses Nokogiri’s HTML5 parsing to work with modern HTML and provides configuration through a Ruby object/DSL (`Dandruff::Config`). It exposes a single primary sanitizer with options rather than a collection of separate dandruff classes.
+
+#### **Configuration and profiles**
+  - Allows setting allowed/forbidden/additional tags and attributes.
+  - Supports profiles such as `html`, `svg`, `math_ml`, `svg_filters`, and `html_email` that encapsulate curated safe lists.
+  - Per-call overrides allow you to adjust rules for a specific sanitization call without mutating the global configuration.
+
+#### **Hooks and advanced behavior**
+  - Named hooks (e.g., before/after sanitize elements or attributes, per-element/attribute hooks) allow you to implement cross-cutting rules without forking the library.
+  - Can optionally “sanitize until stable”: run sanitization repeatedly until the output no longer changes. This can mitigate payloads that only appear after an initial transformation step.
+
+#### **Strengths**
+  - Strong focus on XSS mitigation and modern HTML features due to its DOMPurify heritage.
+  - Rich, explicit hook system for custom policies.
+  - Built-in support for several content profiles, including HTML email.
+
+#### **Trade-offs**
+  - Adds a more opinionated sanitization framework on top of Nokogiri; this is helpful for many applications, but lower-level libraries can be preferable when you want complete control.
+  - The “sanitize until stable” option introduces additional processing; in high-throughput pipelines you may choose to disable it when you are confident in your input and policies.
+
+---
+
+### Loofah
+
+#### **Design**
+  Loofah is a Nokogiri-based library that provides a set of “dandruffs” and helper methods to clean HTML fragments and documents. It is a foundational piece in the Ruby ecosystem and underpins other sanitizers like sanitize and rails-html-sanitization.
+
+#### **Configuration and extensibility**
+  - Ships with built-in dandruffs (e.g., stripping or escaping certain content) and lets you compose them.
+  - You can define custom dandruffs by subclassing and implementing your own logic, or by manipulating the Nokogiri document directly.
+  - The configuration is comparatively low-level: instead of a single global config object, you use and combine dandruffs and Nokogiri operations.
+
+#### **Strengths**
+  - Very flexible when you need fine-grained control over the Nokogiri document tree.
+  - Mature and widely used; many Rails and Ruby projects rely on it directly or indirectly.
+  - Good fit when you already think in terms of Nokogiri nodes and custom dandruff classes.
+
+#### **Trade-offs**
+  - Higher-level policies (like “safe for HTML email” or “DOMPurify-like hardening”) need to be composed manually.
+  - No named hook system; extension typically happens by writing more code around Nokogiri.
+
+---
+
+### sanitize
+
+#### **Design**
+  `sanitize` builds on Loofah and provides a configuration-driven interface: you specify allowed tags, attributes, and protocols, plus optional transformers that can rewrite or remove specific nodes. It targets a middle ground between low-level Loofah and more opinionated frameworks.
+
+#### **Configuration and transformers**
+  - Uses a hash-based configuration with explicit allow/forbid lists.
+  - Transformers are blocks that run during sanitization and can inspect or modify nodes.
+  - Comes with several built-in configurations aimed at common use cases, which can be a starting point for your own policies.
+
+#### **Strengths**
+  - Expressive configuration model for allowlist-style policies without having to write full custom dandruffs.
+  - Transformers allow targeted adjustments when you need to make exceptions or enforce special rules.
+  - Good compromise when you want more structure than pure Loofah, but do not need a full DOMPurify-like feature set.
+
+#### **Trade-offs**
+  - Shares Loofah’s underlying parsing and sanitization behavior, so any limitations or quirks there apply.
+  - Complex policies can become harder to reason about when expressed as many transformers.
+
+---
+
+### rails-html-sanitization
+
+#### **Design**
+  `rails-html-sanitization` is the library Rails uses for HTML sanitization, built on top of Loofah. It provides Rails-focused APIs and defaults that integrate closely with Action View and other Rails components.
+
+#### **Configuration and integration**
+  - Exposes sanitization helpers that fit naturally into Rails views and helpers.
+  - Uses curated safe lists aimed at typical Rails HTML output.
+  - Changes and security fixes are coordinated with Rails releases, which is convenient for Rails applications that update regularly.
+
+#### **Strengths**
+  - Excellent fit for standard Rails applications that want “batteries included” sanitization in templates.
+  - Rails-aware defaults that try to balance safety and convenience in common web app scenarios.
+  - Minimal configuration burden; Rails developers can often rely on the defaults.
+
+#### **Trade-offs**
+  - Less suited for non-Rails environments or for highly specialized sanitization policies.
+  - Extension usually involves reaching down to Loofah or additional custom code, rather than tweaking a rich configuration object.
+
+## Security Considerations
+
+All four libraries take security seriously, but they differ in how much they encode a specific threat model in their APIs and defaults.
+
+### **Dandruff**
+  - Inspired by DOMPurify’s approach to XSS prevention, including careful handling of attributes, URIs, and different content types.
+  - Profiles group safe lists and attribute restrictions, which helps avoid subtle misconfigurations.
+  - Hook system enables project-specific rules; as with any extensibility, care is required to avoid accidentally whitelisting unsafe constructs.
+  - Optional “sanitize until stable” behavior provides extra resilience against multi-step payloads at the cost of more processing.
+
+### **Loofah**
+  - Provides robust primitives and dandruffs, and benefits from a long history of security review and fixes.
+  - Actual security posture depends on how you compose dandruffs and write custom code around them.
+  - Shared foundation for other libraries means improvements and fixes can benefit the wider ecosystem.
+
+### **sanitize**
+  - Makes explicit allow/forbid configuration central, which can help reason about the policy.
+  - Transformers offer precise control but, if misused, can inadvertently permit risky nodes or attributes.
+  - Inherits Loofah’s behavior and security updates.
+
+### **rails-html-sanitization**
+  - Rails-safe defaults are tuned for common Rails templates, and Rails security advisories often highlight sanitizer-related updates.
+  - Security posture is strongly tied to keeping Rails and its dependencies up to date.
+  - More specialized use cases (e.g., heavy SVG/MathML or complex HTML email) may require additional layers on top.
+
+## Usage Scenarios
+
+### Rich user-generated content (posts, comments, WYSIWYG)
+
+- **Dandruff**: Strong choice when you want DOMPurify-style defenses, hooks for special cases, and the ability to support richer content types (like SVG or MathML) behind explicit profiles.
+- **Loofah**: Good when you need detailed control over the tree and are comfortable building your own dandruffs.
+- **sanitize**: Convenient when you want a clear allowlist configuration and occasional transformers, but no large framework.
+- **rails-html-sanitization**: Appropriate in Rails apps where the built-in view helpers already meet your needs.
+
+### HTML email sanitization/rendering
+
+- **Dandruff**: Offers an `html_email` profile with per-tag attribute rules and email-oriented safe lists, which can reduce the chance of missing subtle constraints.
+- **Loofah**: Works well for email when you build a dedicated set of dandruffs and tests for your email policies.
+- **sanitize**: A good fit when you prefer hash-based policies; you can encode an email-specific configuration and add transformers for edge cases.
+- **rails-html-sanitization**: Usable within Rails mailers; for complex email policies you may still want to layer `sanitize` or Dandruff (or custom Loofah logic) on top.
+
+### SVG/MathML or mixed content
+
+- **Dandruff**: Profiles for `svg`, `math_ml`, and `svg_filters` make it straightforward to enable these formats with curated safe lists.
+- **Loofah** and **sanitize**: Capable of handling SVG/MathML with custom configurations, but require more manual policy design and testing.
+- **rails-html-sanitization**: Possible but not a primary focus; typically you would supplement it with lower-level tools for complex SVG/MathML use.
+
+### Rails applications
+
+- **rails-html-sanitization**: Natural default for Rails because it integrates directly with Action View and is maintained as part of Rails.
+- **Dandruff**: Attractive when you want DOMPurify-inspired hardening, or more explicit hooks; it can be used alongside Rails.
+- **sanitize**: A good option when you like Loofah’s foundation but prefer hash-based configs, and you are comfortable wiring it into your Rails app.
+- **Loofah**: Best fit if you are already using Nokogiri/Loofah directly and want to keep that level of control.
+
+### Non-Rails services, background jobs, or custom pipelines
+
+- **Dandruff**: Helpful when you want a self-contained sanitizer with clear profiles and hooks, and you do not rely on Rails.
+- **Loofah**: Ideal if you already have Nokogiri logic and want to stay close to the DOM representation.
+- **sanitize**: Simple configuration-centric choice for services that just need to enforce a stable allowlist policy.
+- **rails-html-sanitization**: Less relevant outside Rails; typically you would use one of the other three libraries directly.
+
+## Choosing Between Them
+
+- Prefer **Dandruff** when you want DOMPurify-style behavior, strong XSS-oriented defaults, support for multiple content profiles (including HTML email), and a rich hook system in a standalone library.
+- Prefer **Loofah** when you value fine-grained control over Nokogiri documents and are comfortable assembling your own dandruffs and policies.
+- Prefer **sanitize** when you like Loofah’s robustness but want a concise, configuration-based interface with transformers for special cases.
+- Prefer **rails-html-sanitization** when you are in a Rails application and are satisfied with Rails’ built-in sanitization semantics and integration.

data/Gemfile

@@ -0,0 +1,5 @@
+source "https://rubygems.org"
+
+gemspec
+
+gem "kuyio-rubocop", github: "kuyio/kuyio-rubocop"

data/Gemfile.lock

@@ -0,0 +1,142 @@
+GIT
+  remote: https://github.com/kuyio/kuyio-rubocop.git
+  revision: 9b25aab12c07cfdea072ff70c1e6d4e066795ff2
+  specs:
+    kuyio-rubocop (0.3.1)
+      rubocop (~> 1.74.0)
+      rubocop-performance (~> 1.24.0)
+      rubocop-rails (~> 2.30.0)
+      rubocop-rspec (~> 3.5.0)
+
+PATH
+  remote: .
+  specs:
+    dandruff (0.8.0)
+      nokogiri (~> 1.10)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    activesupport (8.1.1)
+      base64
+      bigdecimal
+      concurrent-ruby (~> 1.0, >= 1.3.1)
+      connection_pool (>= 2.2.5)
+      drb
+      i18n (>= 1.6, < 2)
+      json
+      logger (>= 1.4.2)
+      minitest (>= 5.1)
+      securerandom (>= 0.3)
+      tzinfo (~> 2.0, >= 2.0.5)
+      uri (>= 0.13.1)
+    ast (2.4.3)
+    base64 (0.3.0)
+    benchmark (0.5.0)
+    bigdecimal (3.3.1)
+    concurrent-ruby (1.3.5)
+    connection_pool (2.5.4)
+    diff-lcs (1.6.2)
+    drb (2.2.3)
+    i18n (1.14.7)
+      concurrent-ruby (~> 1.0)
+    json (2.16.0)
+    language_server-protocol (3.17.0.5)
+    lint_roller (1.1.0)
+    logger (1.7.0)
+    minitest (5.26.2)
+    nokogiri (1.18.10-aarch64-linux-gnu)
+      racc (~> 1.4)
+    nokogiri (1.18.10-aarch64-linux-musl)
+      racc (~> 1.4)
+    nokogiri (1.18.10-arm-linux-gnu)
+      racc (~> 1.4)
+    nokogiri (1.18.10-arm-linux-musl)
+      racc (~> 1.4)
+    nokogiri (1.18.10-arm64-darwin)
+      racc (~> 1.4)
+    nokogiri (1.18.10-x86_64-darwin)
+      racc (~> 1.4)
+    nokogiri (1.18.10-x86_64-linux-gnu)
+      racc (~> 1.4)
+    nokogiri (1.18.10-x86_64-linux-musl)
+      racc (~> 1.4)
+    parallel (1.27.0)
+    parser (3.3.10.0)
+      ast (~> 2.4.1)
+      racc
+    prism (1.6.0)
+    racc (1.8.1)
+    rack (3.2.4)
+    rainbow (3.1.1)
+    rake (13.3.1)
+    regexp_parser (2.11.3)
+    rspec (3.13.2)
+      rspec-core (~> 3.13.0)
+      rspec-expectations (~> 3.13.0)
+      rspec-mocks (~> 3.13.0)
+    rspec-core (3.13.6)
+      rspec-support (~> 3.13.0)
+    rspec-expectations (3.13.5)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.13.0)
+    rspec-mocks (3.13.7)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.13.0)
+    rspec-support (3.13.6)
+    rubocop (1.74.0)
+      json (~> 2.3)
+      language_server-protocol (~> 3.17.0.2)
+      lint_roller (~> 1.1.0)
+      parallel (~> 1.10)
+      parser (>= 3.3.0.2)
+      rainbow (>= 2.2.2, < 4.0)
+      regexp_parser (>= 2.9.3, < 3.0)
+      rubocop-ast (>= 1.38.0, < 2.0)
+      ruby-progressbar (~> 1.7)
+      unicode-display_width (>= 2.4.0, < 4.0)
+    rubocop-ast (1.48.0)
+      parser (>= 3.3.7.2)
+      prism (~> 1.4)
+    rubocop-performance (1.24.0)
+      lint_roller (~> 1.1)
+      rubocop (>= 1.72.1, < 2.0)
+      rubocop-ast (>= 1.38.0, < 2.0)
+    rubocop-rails (2.30.3)
+      activesupport (>= 4.2.0)
+      lint_roller (~> 1.1)
+      rack (>= 1.1)
+      rubocop (>= 1.72.1, < 2.0)
+      rubocop-ast (>= 1.38.0, < 2.0)
+    rubocop-rspec (3.5.0)
+      lint_roller (~> 1.1)
+      rubocop (~> 1.72, >= 1.72.1)
+    ruby-progressbar (1.13.0)
+    securerandom (0.4.1)
+    tzinfo (2.0.6)
+      concurrent-ruby (~> 1.0)
+    unicode-display_width (3.2.0)
+      unicode-emoji (~> 4.1)
+    unicode-emoji (4.1.0)
+    uri (1.1.1)
+
+PLATFORMS
+  aarch64-linux-gnu
+  aarch64-linux-musl
+  arm-linux-gnu
+  arm-linux-musl
+  arm64-darwin
+  x86_64-darwin
+  x86_64-linux-gnu
+  x86_64-linux-musl
+
+DEPENDENCIES
+  benchmark (~> 0.5)
+  dandruff!
+  kuyio-rubocop!
+  rake (~> 13.0)
+  rspec (~> 3.0)
+  rubocop (~> 1.21)
+
+BUNDLED WITH
+   2.7.2

data/LICENSE.txt

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 KUY.io Inc.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

data/Makefile

@@ -0,0 +1,41 @@
+# Makefile for Dandruff Ruby Gem
+
+.PHONY: all test build clean install lint help
+
+# Default target
+all: test build
+
+# Run test suite
+specs:
+	bundle exec rake spec
+
+# Build the gem
+build:
+	gem build dandruff.gemspec
+
+# Clean build artifacts
+clean:
+	rm -f *.gem
+
+# Install the gem locally
+install: build
+	gem install dandruff-*.gem
+
+# Run linting
+lint:
+	bundle exec rubocop
+
+# Run both specs and linting
+test: specs lint
+
+# Show help
+help:
+	@echo "Available targets:"
+	@echo "  all     - Run tests and build the gem (default)"
+	@echo "  test    - Run both specs and linting"
+	@echo "  build   - Build the gem package"
+	@echo "  install - Build and install the gem locally"
+	@echo "  clean   - Remove built gem files"
+	@echo "  specs   - Run the test suite"
+	@echo "  lint    - Run RuboCop linting"
+	@echo "  help    - Show this help message"