http 6.0.0-java

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: d825505ad2427825690e2c8ca8b6e2eb448f4d143e1429118b40c99102ed9ac3
+  data.tar.gz: d2265d0dfeef4b92002da361703283185db942390d9fdeeb5cfff9b33ba6161a
+SHA512:
+  metadata.gz: 8474712ee9528afb559ac0d7e0b4e3d0ba5768eb4c12bab5bc6a6238e7ed4c3e78fd49921e4d1243f44b12737646150496a07fde71f9b0643344aada4d5b7538
+  data.tar.gz: 669acc5dd73ded2112a61c049424aa375feff6a80d4d3b42091304c5de10bd30d2e0fab5c8cf5397c10280774a6678b4788a8f4cbbdbadacf37dbc950990483f

data/CHANGELOG.md

@@ -0,0 +1,267 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [6.0.0] - 2026-03-16
+
+### Changed
+
+- Merged `http-form_data` gem into the main `http` gem. The `HTTP::FormData`
+  module (including `Part`, `File`, `Multipart`, `Urlencoded`, and `CompositeIO`)
+  is now shipped directly with `http` instead of being a separate dependency.
+  The public API is unchanged.
+
+### Fixed
+
+- `Inflater` no longer raises `Zlib::BufError` when a response declares
+  `Content-Encoding: gzip` (or deflate) but the body is not valid compressed
+  data. This commonly occurred when following redirects with `auto_inflate`
+  enabled, because the redirect response had a `Content-Encoding` header but a
+  non-compressed body. ([#621])
+- Persistent connections now auto-flush unread response bodies before sending
+  the next request, instead of raising `StateError`. Bodies up to 1 MiB are
+  drained transparently; larger bodies cause the connection to close and reopen.
+  This prevents the silent body clobbering described in [#371], where an unread
+  response body would return `""` after a subsequent request. ([#371])
+- `Response#content_length` now handles duplicate `Content-Length` headers per
+  RFC 7230 Section 3.3.2. When all values are identical, they are collapsed into
+  a single valid value. When values conflict, `nil` is returned instead of
+  raising `TypeError`. ([#566])
+- HTTP 1xx informational responses (e.g. `100 Continue`) are now transparently
+  skipped, returning the final response. This was a regression introduced when
+  the parser was migrated from http-parser to llhttp. ([#667])
+- Redirect loop detection now considers cookies, so a redirect back to the
+  same URL with different cookies is no longer falsely detected as an endless
+  loop. Fixes cookie-dependent redirect flows where a server sets a cookie on
+  one hop and expects it on the next. ([#544])
+- Per-operation timeouts (`HTTP.timeout(read: n, write: n, connect: n)`) no
+  longer default unspecified values to 0.25 seconds. Omitted timeouts now mean
+  no timeout for that operation, matching the behavior when no timeout is
+  configured at all. ([#579])
+- Per-operation timeout handler now correctly handles `:wait_writable` from
+  `read_nonblock` and `:wait_readable` from `write_nonblock` on SSL sockets
+  during TLS renegotiation. Previously these symbols were returned as data
+  instead of being waited on. ([#358])
+- Persistent sessions now follow cross-origin redirects instead of raising
+  `StateError`. `HTTP.persistent` returns an `HTTP::Session` that pools one
+  `HTTP::Client` per origin, so redirects to a different domain transparently
+  open (and reuse) a separate persistent connection. Cookie management is
+  preserved across all hops. ([#557])
+- Chaining configuration methods (`.headers`, `.auth`, `.cookies`, etc.) on a
+  persistent session no longer breaks connection reuse. Child sessions created
+  by chaining now share the parent's connection pool, so
+  `HTTP.persistent(host).headers(...).get(path)` reuses the same underlying
+  TCP connection across calls. ([#372])
+
+### Changed
+
+- **BREAKING** `HTTP.persistent` now returns an `HTTP::Session` instead of an
+  `HTTP::Client`. The session pools persistent clients per origin and exposes
+  the same chainable API (`get`, `post`, `headers`, `follow`, etc.) plus a
+  `close` method that shuts down all pooled connections. Code that called
+  `HTTP::Client`-only methods on the return value will need updating. ([#557])
+- **BREAKING** Convert options hash parameters to explicit keyword arguments
+  across the public API. Methods like `HTTP.get(url, body: "data")` continue to
+  work, but passing an explicit hash (e.g., `HTTP.get(url, {body: "data"})`) is
+  no longer supported, and unrecognized keyword arguments now raise
+  `ArgumentError`. Affected methods: all HTTP verb methods (`get`, `post`,
+  etc.), `request`, `follow`, `retriable`, `URI.new`, `Request.new`,
+  `Response.new`, `Redirector.new`, `Retriable::Performer.new`,
+  `Retriable::DelayCalculator.new`, and `Timeout::Null.new` (and subclasses).
+  `HTTP::URI.new` also no longer accepts `Addressable::URI` objects.
+- **BREAKING** `addressable` is no longer a runtime dependency. It is now
+  lazy-loaded only when parsing non-ASCII (IRI) URIs or normalizing
+  internationalized hostnames. Install the `addressable` gem if you need
+  non-ASCII URI support. ASCII-only URIs use Ruby's stdlib `URI` parser
+  exclusively.
+- **BREAKING** Extract request building into `HTTP::Request::Builder`. The
+  `build_request` method has been removed from `Client`, `Session`, and the
+  top-level `HTTP` module. Use `HTTP::Request::Builder.new(options).build(verb, uri)`
+  to construct requests without executing them.
+
+### Added
+
+- Block form for verb methods and `request` that auto-closes the connection
+  after the block returns. `HTTP.get(url) { |response| response.status }` yields
+  the response, closes the underlying connection, and returns the block's value.
+  Works with all verb methods and chained options. ([#270])
+- HTTP caching feature (`HTTP.use(:caching)`) that stores and reuses responses
+  according to RFC 7234. Supports `Cache-Control` (`max-age`, `no-cache`,
+  `no-store`), `Expires`, `ETag` / `If-None-Match`, and
+  `Last-Modified` / `If-Modified-Since` for freshness checks and conditional
+  revalidation. Ships with a default in-memory store; custom stores can be
+  passed via `store:` option. Only GET and HEAD responses are cached. ([#223])
+- `HTTP.digest_auth(user:, pass:)` for HTTP Digest Authentication (RFC 2617 /
+  RFC 7616). Automatically handles 401 challenges with digest credentials,
+  supporting MD5, SHA-256, MD5-sess, and SHA-256-sess algorithms with
+  quality-of-protection negotiation. Works as a chainable feature:
+  `HTTP.digest_auth(user: "admin", pass: "secret").get(url)` ([#448])
+- Happy Eyeballs (RFC 8305) support via Ruby 3.4's native `TCPSocket`
+  implementation. Connection attempts now try multiple addresses (IPv6 and
+  IPv4) concurrently, improving reliability on dual-stack networks. Connect
+  timeouts are passed natively to `TCPSocket` instead of using
+  `Timeout.timeout`, avoiding `Thread.raise` interference with the Happy
+  Eyeballs state machine. ([#739])
+- `HTTP.base_uri` for setting a base URI that resolves relative request paths
+  per RFC 3986. Supports chaining (`HTTP.base_uri("https://api.example.com/v1")
+  .get("users")`), and integrates with `persistent` connections by deriving the
+  host when omitted ([#519], [#512], [#493])
+- `Request::Body#loggable?` and `Response::Body#loggable?` predicates, and a
+  `binary_formatter` option for the logging feature. Binary bodies
+  (IO/Enumerable request sources, binary-encoded request strings, and
+  binary-encoded responses) are now formatted instead of dumped raw,
+  preventing unreadable log output when transferring files like images or
+  audio. Available formatters: `:stats` (default, logs byte count),
+  `:base64` (logs base64-encoded content), or a custom `Proc`. Invalid
+  formatter values raise `ArgumentError` ([#784])
+- `Feature#on_request` and `Feature#around_request` lifecycle hooks, called
+  before/around each request attempt (including retries), for per-attempt side
+  effects like instrumentation spans and circuit breakers ([#826])
+- Pattern matching support (`deconstruct_keys`) for Response, Response::Status,
+  Headers, ContentType, and URI ([#642])
+- Combined global and per-operation timeouts: global and per-operation timeouts
+  are no longer mutually exclusive. Use
+  `HTTP.timeout(global: 60, read: 30, write: 30, connect: 5)` to set both a
+  global request timeout and individual operation limits ([#773])
+
+### Fixed
+
+- `HTTP::URI.form_encode` now encodes newlines as `%0A` instead of
+  `%0D%0A` ([#449])
+- Thread-safety: `Headers::Normalizer` cache is now per-thread via
+  `Thread.current`, eliminating a potential race condition when multiple
+  threads share a normalizer instance
+- Instrumentation feature now correctly starts a new span for each retry
+  attempt, fixing `NoMethodError` with `ActiveSupport::Notifications` when
+  using `.retriable` with the instrumentation feature ([#826])
+- Raise `HTTP::URI::InvalidError` for malformed or schemeless URIs and
+  `ArgumentError` for nil or empty URIs, instead of confusing
+  `UnsupportedSchemeError` or `Addressable::URI::InvalidURIError` ([#565])
+- Strip `Authorization` and `Cookie` headers when following redirects to a
+  different origin (scheme, host, or port) to prevent credential leakage
+  ([#516], [#770])
+- AutoInflate now preserves the response charset encoding instead of
+  defaulting to `Encoding::BINARY` ([#535])
+- `LocalJumpError` when using instrumentation with instrumenters that
+  unconditionally yield in `#instrument` (e.g., `ActiveSupport::Notifications`)
+  ([#673])
+- Logging feature no longer eagerly consumes the response body at debug level;
+  body chunks are now logged as they are streamed, preserving
+  `response.body.each` ([#785])
+
+### Removed
+
+- `HTTP::URI` setter methods (`scheme=`, `user=`, `password=`, `authority=`,
+  `origin=`, `port=`, `request_uri=`, `fragment=`) and normalized accessors
+  (`normalized_user`, `normalized_password`, `normalized_port`,
+  `normalized_path`, `normalized_query`) that were delegated to
+  `Addressable::URI` but never used internally
+- `HTTP::URI#origin` is no longer delegated to `Addressable::URI`. The new
+  implementation follows RFC 6454, normalizing scheme and host to lowercase
+  and excluding user info from the origin string
+- `HTTP::URI#request_uri` is no longer delegated to `Addressable::URI`
+- `HTTP::URI#omit` is no longer delegated to `Addressable::URI` and now
+  returns `HTTP::URI` instead of `Addressable::URI` ([#491])
+- `HTTP::URI#query_values` and `HTTP::URI#query_values=` delegations to
+  `Addressable::URI`. Query parameter merging now uses stdlib
+  `URI.decode_www_form`/`URI.encode_www_form`
+- `HTTP::URI` delegations for `normalized_scheme`, `normalized_authority`,
+  `normalized_fragment`, and `authority` to `Addressable::URI`. The URI
+  normalizer now inlines these operations directly
+- `HTTP::URI#join` is no longer delegated to `Addressable::URI` and now
+  returns `HTTP::URI` instead of `Addressable::URI`. Uses stdlib `URI.join`
+  with automatic percent-encoding of non-ASCII characters ([#491])
+- `HTTP::URI.form_encode` no longer delegates to `Addressable::URI`. Uses
+  stdlib `URI.encode_www_form` instead
+
+### Changed
+
+- **BREAKING** `HTTP::Response::Status` no longer inherits from `Delegator`.
+  It now uses `Comparable` and `Forwardable` instead, providing `to_i`,
+  `to_int`, and `<=>` for numeric comparisons and range matching. Code that
+  called `__getobj__`/`__setobj__` or relied on implicit delegation of
+  arbitrary `Integer` methods (e.g., `status.even?`) will need to be updated
+  to use `status.code` instead
+- **BREAKING** Chainable option methods (`.headers`, `.timeout`, `.cookies`,
+  `.auth`, `.follow`, `.via`, `.use`, `.encoding`, `.nodelay`, `.basic_auth`,
+  `.accept`) now return a thread-safe `HTTP::Session` instead of `HTTP::Client`.
+  `Session` creates a new `Client` for each request, making it safe to share a
+  configured session across threads. `HTTP.persistent` still returns
+  `HTTP::Client` since persistent connections require mutable state. Code that
+  calls HTTP verb methods (`.get`, `.post`, etc.) or accesses `.default_options`
+  is unaffected. Code that checks `is_a?(HTTP::Client)` on the return value of
+  chainable methods will need to be updated to check for `HTTP::Session`
+- **BREAKING** `.retriable` now returns `HTTP::Session` instead of
+  `HTTP::Retriable::Client`. Retry is a session-level option: it flows through
+  `HTTP::Options` into `HTTP::Client#perform`, eliminating the need for
+  separate `Retriable::Client` and `Retriable::Session` classes
+- Improved error message when request body size cannot be determined to suggest
+  setting `Content-Length` explicitly or using chunked `Transfer-Encoding` ([#560])
+- **BREAKING** `Connection#readpartial` now raises `EOFError` instead of
+  returning `nil` at end-of-stream, and supports an `outbuf` parameter,
+  conforming to the `IO#readpartial` API. `Body#readpartial` and
+  `Inflater#readpartial` also raise `EOFError` ([#618])
+- **BREAKING** Stricter timeout options parsing: `.timeout()` with a Hash now
+  rejects unknown keys, non-numeric values, string keys, and empty hashes ([#754])
+- Bumped min llhttp dependency version
+- **BREAKING** Handle responses in the reverse order from the requests ([#776])
+- **BREAKING** `Response#cookies` now returns `Array<HTTP::Cookie>` instead of
+  `HTTP::CookieJar`. The `cookies` option has been removed from `Options`;
+  `Chainable#cookies` now sets the `Cookie` header directly with no implicit
+  merging — the last `.cookies()` call wins ([#536])
+- Cookie jar management during redirects moved from `Redirector` to `Session`.
+  `Redirector` is now a pure redirect-following engine with no cookie
+  awareness; `Session#request` manages cookies across redirect hops
+- **BREAKING** `HTTP::Options.new`, `HTTP::Client.new`, and `HTTP::Session.new`
+  now accept keyword arguments instead of an options hash. For example,
+  `HTTP::Options.new(response: :body)` continues to work, but
+  `HTTP::Options.new({response: :body})` must be updated to
+  `HTTP::Options.new(**options)`. Invalid option names now raise
+  `ArgumentError` automatically ([#447])
+
+### Removed
+
+- **BREAKING** Drop Ruby 2.x support
+- **BREAKING** Remove `Headers::Mixin` and the `[]`/`[]=` delegators on
+  `Request` and `Response`. Use `request.headers["..."]` and
+  `response.headers["..."]` instead ([#537])
+
+[#270]: https://github.com/httprb/http/issues/270
+[#223]: https://github.com/httprb/http/issues/223
+[#358]: https://github.com/httprb/http/issues/358
+[#371]: https://github.com/httprb/http/issues/371
+[#372]: https://github.com/httprb/http/issues/372
+[#447]: https://github.com/httprb/http/issues/447
+[#448]: https://github.com/httprb/http/issues/448
+[#449]: https://github.com/httprb/http/issues/449
+[#491]: https://github.com/httprb/http/issues/491
+[#493]: https://github.com/httprb/http/pull/493
+[#512]: https://github.com/httprb/http/issues/512
+[#516]: https://github.com/httprb/http/issues/516
+[#519]: https://github.com/httprb/http/issues/519
+[#535]: https://github.com/httprb/http/issues/535
+[#536]: https://github.com/httprb/http/issues/536
+[#537]: https://github.com/httprb/http/issues/537
+[#544]: https://github.com/httprb/http/issues/544
+[#557]: https://github.com/httprb/http/issues/557
+[#560]: https://github.com/httprb/http/pull/560
+[#565]: https://github.com/httprb/http/issues/565
+[#566]: https://github.com/httprb/http/issues/566
+[#579]: https://github.com/httprb/http/issues/579
+[#618]: https://github.com/httprb/http/pull/618
+[#621]: https://github.com/httprb/http/issues/621
+[#642]: https://github.com/httprb/http/issues/642
+[#667]: https://github.com/httprb/http/issues/667
+[#673]: https://github.com/httprb/http/issues/673
+[#739]: https://github.com/httprb/http/issues/739
+[#754]: https://github.com/httprb/http/pull/754
+[#770]: https://github.com/httprb/http/issues/770
+[#773]: https://github.com/httprb/http/issues/773
+[#776]: https://github.com/httprb/http/issues/776
+[#784]: https://github.com/httprb/http/issues/784
+[#785]: https://github.com/httprb/http/issues/785
+[#826]: https://github.com/httprb/http/issues/826
+[unreleased]: https://github.com/httprb/http/compare/v5.3.0...main

data/CONTRIBUTING.md

@@ -0,0 +1,26 @@
+# Help and Discussion
+
+If you need help or just want to talk about the http.rb,
+visit the http.rb Google Group:
+
+https://groups.google.com/forum/#!forum/httprb
+
+You can join by email by sending a message to:
+
+[httprb+subscribe@googlegroups.com](mailto:httprb+subscribe@googlegroups.com)
+
+
+# Reporting bugs
+
+The best way to report a bug is by providing a reproduction script. A half
+working script with comments for the parts you were unable to automate is still
+appreciated.
+
+In any case, specify following info in description of your issue:
+
+- What you're trying to accomplish
+- What you expected to happen
+- What actually happened
+- The exception backtrace(s), if any
+- Version of gem or commit ref you are using
+- Version of ruby you are using

data/LICENSE.txt

@@ -0,0 +1,20 @@
+Copyright (c) 2011-2026 Tony Arcieri, Erik Berlin, Alexey V. Zapparov, Zachary Anker
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,263 @@
+# ![http.rb](https://raw.github.com/httprb/http.rb/main/logo.png)
+
+[![Gem Version][gem-image]][gem-link]
+[![MIT licensed][license-image]][license-link]
+[![Docs][docs-image]][docs-link]
+[![Lint][lint-image]][lint-link]
+[![Mutant][mutant-image]][mutant-link]
+[![Test][test-image]][test-link]
+[![Typecheck][typecheck-image]][typecheck-link]
+
+[Documentation]
+
+## About
+
+HTTP (The Gem! a.k.a. http.rb) is an easy-to-use client library for making requests
+from Ruby. It uses a simple method chaining system for building requests, similar to
+Python's [Requests].
+
+Under the hood, http.rb uses the [llhttp] parser, a fast HTTP parsing native extension.
+This library isn't just yet another wrapper around `Net::HTTP`. It implements the HTTP
+protocol natively and outsources the parsing to native extensions.
+
+### Why http.rb?
+
+- **Clean API**: http.rb offers an easy-to-use API that should be a
+   breath of fresh air after using something like Net::HTTP.
+
+- **Maturity**: http.rb is one of the most mature Ruby HTTP clients, supporting
+   features like persistent connections and fine-grained timeouts.
+
+- **Performance**: using native parsers and a clean, lightweight implementation,
+   http.rb achieves high performance while implementing HTTP in Ruby instead of C.
+
+
+## Installation
+
+Add this line to your application's Gemfile:
+```ruby
+gem "http"
+```
+
+And then execute:
+```bash
+$ bundle
+```
+
+Or install it yourself as:
+```bash
+$ gem install http
+```
+
+Inside of your Ruby program do:
+```ruby
+require "http"
+```
+
+...to pull it in as a dependency.
+
+
+## Documentation
+
+[Please see the http.rb wiki][documentation]
+for more detailed documentation and usage notes.
+
+The following API documentation is also available:
+
+- [YARD API documentation](https://www.rubydoc.info/github/httprb/http)
+- [Chainable module (all chainable methods)](https://www.rubydoc.info/github/httprb/http/HTTP/Chainable)
+
+
+### Basic Usage
+
+Here's some simple examples to get you started:
+
+```ruby
+>> HTTP.get("https://github.com").to_s
+=> "\n\n\n<!DOCTYPE html>\n<html lang=\"en\" class=\"\">\n  <head prefix=\"o..."
+```
+
+That's all it takes! To obtain an `HTTP::Response` object instead of the response
+body, all we have to do is omit the `#to_s` on the end:
+
+```ruby
+>> HTTP.get("https://github.com")
+=> #<HTTP::Response/1.1 200 OK {"Server"=>"GitHub.com", "Date"=>"Tue, 10 May...>
+```
+
+We can also obtain an `HTTP::Response::Body` object for this response:
+
+```ruby
+>> HTTP.get("https://github.com").body
+=> #<HTTP::Response::Body:3ff756862b48 @streaming=false>
+```
+
+The response body can be streamed with `HTTP::Response::Body#readpartial`.
+In practice, you'll want to bind the `HTTP::Response::Body` to a local variable
+and call `#readpartial` on it repeatedly until it returns `nil`:
+
+```ruby
+>> body = HTTP.get("https://github.com").body
+=> #<HTTP::Response::Body:3ff756862b48 @streaming=false>
+>> body.readpartial
+=> "\n\n\n<!DOCTYPE html>\n<html lang=\"en\" class=\"\">\n  <head prefix=\"o..."
+>> body.readpartial
+=> "\" href=\"/apple-touch-icon-72x72.png\">\n    <link rel=\"apple-touch-ic..."
+# ...
+>> body.readpartial
+=> nil
+```
+
+### Pattern Matching
+
+Response objects support Ruby's pattern matching:
+
+```ruby
+case HTTP.get("https://api.example.com/users")
+in { status: 200..299, body: body }
+  JSON.parse(body.to_s)
+in { status: 404 }
+  nil
+in { status: 400.. }
+  raise "request failed"
+end
+```
+
+Pattern matching is also supported on `HTTP::Response::Status`, `HTTP::Headers`,
+`HTTP::ContentType`, and `HTTP::URI`.
+
+### Base URI
+
+Set a base URI to avoid repeating the scheme and host in every request:
+
+```ruby
+api = HTTP.base_uri("https://api.example.com/v1")
+api.get("users")       # GET https://api.example.com/v1/users
+api.get("users/1")     # GET https://api.example.com/v1/users/1
+```
+
+Relative paths are resolved per [RFC 3986](https://www.rfc-editor.org/rfc/rfc3986#section-5).
+Combine with `persistent` to reuse the connection:
+
+```ruby
+HTTP.base_uri("https://api.example.com/v1").persistent do |http|
+  http.get("users")
+  http.get("posts")
+end
+```
+
+### Thread Safety
+
+Configured sessions are safe to share across threads:
+
+```ruby
+# Build a session once, use it from any thread
+session = HTTP.headers("Accept" => "application/json")
+              .timeout(10)
+              .auth("Bearer token")
+
+threads = 10.times.map do
+  Thread.new { session.get("https://example.com/api/data") }
+end
+threads.each(&:join)
+```
+
+Chainable configuration methods (`.headers`, `.timeout`, `.auth`, etc.) return
+an `HTTP::Session`, which creates a fresh `HTTP::Client` for every request.
+
+Persistent connections (`HTTP.persistent`) return an `HTTP::Session` that pools
+one `HTTP::Client` per origin. The session itself is **not** thread-safe. For
+thread-safe persistent connections, use the
+[connection_pool](https://rubygems.org/gems/connection_pool) gem:
+
+```ruby
+pool = ConnectionPool.new(size: 5) { HTTP.persistent("https://example.com") }
+pool.with { |http| http.get("/path") }
+```
+
+Cross-origin redirects are handled transparently — the session opens a separate
+persistent connection for each origin encountered during a redirect chain:
+
+```ruby
+HTTP.persistent("https://example.com").follow do |http|
+  http.get("/moved-to-other-domain")  # follows redirect across origins
+end
+```
+
+## Supported Ruby Versions
+
+This library aims to support and is [tested against][build-link]
+the following Ruby  versions:
+
+- Ruby 3.2
+- Ruby 3.3
+- Ruby 3.4
+- Ruby 4.0
+
+If something doesn't work on one of these versions, it's a bug.
+
+This library may inadvertently work (or seem to work) on other Ruby versions,
+however support will only be provided for the versions listed above.
+
+If you would like this library to support another Ruby version or
+implementation, you may volunteer to be a maintainer. Being a maintainer
+entails making sure all tests run and pass on that implementation. When
+something breaks on your implementation, you will be responsible for providing
+patches in a timely fashion. If critical issues for a particular implementation
+exist at the time of a major release, support for that Ruby version may be
+dropped.
+
+
+## Upgrading
+
+See [UPGRADING.md] for a detailed migration guide between major versions.
+
+
+## Security
+
+See [SECURITY.md] for reporting vulnerabilities.
+
+
+## Contributing to http.rb
+
+See [CONTRIBUTING.md] for guidelines, or the quick version:
+
+- Fork http.rb on GitHub
+- Make your changes
+- Ensure all tests pass (`bundle exec rake`)
+- Send a pull request
+- If we like them we'll merge them
+- If we've accepted a patch, feel free to ask for commit access!
+
+
+## Copyright
+
+Copyright © 2011-2026 Tony Arcieri, Erik Berlin, Alexey V. Zapparov, Zachary Anker.
+See LICENSE.txt for further details.
+
+
+[//]: # (badges)
+
+[gem-image]: https://img.shields.io/gem/v/http?logo=ruby
+[gem-link]: https://rubygems.org/gems/http
+[license-image]: https://img.shields.io/badge/license-MIT-blue.svg
+[license-link]: https://github.com/httprb/http/blob/main/LICENSE.txt
+[docs-image]: https://github.com/httprb/http/actions/workflows/docs.yml/badge.svg
+[docs-link]: https://github.com/httprb/http/actions/workflows/docs.yml
+[lint-image]: https://github.com/httprb/http/actions/workflows/lint.yml/badge.svg
+[lint-link]: https://github.com/httprb/http/actions/workflows/lint.yml
+[mutant-image]: https://github.com/httprb/http/actions/workflows/mutant.yml/badge.svg
+[mutant-link]: https://github.com/httprb/http/actions/workflows/mutant.yml
+[test-image]: https://github.com/httprb/http/actions/workflows/test.yml/badge.svg
+[test-link]: https://github.com/httprb/http/actions/workflows/test.yml
+[typecheck-image]: https://github.com/httprb/http/actions/workflows/typecheck.yml/badge.svg
+[typecheck-link]: https://github.com/httprb/http/actions/workflows/typecheck.yml
+
+[//]: # (links)
+
+[contributing.md]: https://github.com/httprb/http/blob/main/CONTRIBUTING.md
+[documentation]: https://github.com/httprb/http/wiki
+[llhttp]: https://llhttp.org/
+[requests]: https://docs.python-requests.org/en/latest/
+[security.md]: https://github.com/httprb/http/blob/main/SECURITY.md
+[upgrading.md]: https://github.com/httprb/http/blob/main/UPGRADING.md

data/SECURITY.md

@@ -0,0 +1,17 @@
+# Security Policy
+
+## Supported Versions
+
+Security updates are applied only to the most recent release.
+
+## Reporting a Vulnerability
+
+If you have discovered a security vulnerability in this project, please report
+it privately. **Do not disclose it as a public issue.** This gives us time to
+work with you to fix the issue before public exposure, reducing the chance that
+the exploit will be used before a patch is released.
+
+Please disclose it at [security advisory](https://github.com/httprb/http/security/advisories/new).
+
+This project is maintained by a team of volunteers on a reasonable-effort basis.
+As such, please give us at least 90 days to work on a fix before public exposure.