otto 1.1.0.pre.alpha4 → 1.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e1ad2b9c043b3b58202eadcae63354ebead1b70178fd7723dc24820462a3831a
-  data.tar.gz: f95e243be8e6e59c5a17f7ec98d7a05d1a31599e0970e9e20763c569a65acfb8
+  metadata.gz: c17a841334ba79be6d1c4625eb8e8e39eda301be3a77813c8ea6386bb3d0d6b5
+  data.tar.gz: 2639d6f7ef18aa85bf75646d5c9d97814d1bf3a585e53003de7ccb4e8ce1eccf
 SHA512:
-  metadata.gz: 4ed91d559e7e339df4c5a28be0864ff2151e3e06e9dea577dedb346eaf4476e0d62adc84de508d3ff1ea1c55633789643b5f5bcee15d88bd6c8a43c6b7f04a59
-  data.tar.gz: 7d5f8bfb03f7e9ce91eebf632df7cc5ccf8b804beac9777662ef490507d1dba3a3ed1401d9e498ecb749617b8ab561a73c2226cb66c02f4796e18148b6afa479
+  metadata.gz: 40e9f5ed072e4d86dd27c49d397fa3ece8904420a3264166ad187aeea9c26c3818c32c45986903914df664cbb7671c8edabad18601f60013c8f05d2ce742d65f
+  data.tar.gz: 95d85cabd00d26658ce816021289ca7a21600dee34ac051ccfa6cf79b8713742d5389e67042d49991a1a63794fe30e3cd76d11bfb7d3ee52a8281e42e184174b

data/.gitignore

@@ -16,3 +16,5 @@ log
 tmp
 vendor
 *.gem
+.ruby-lsp
+.rspec_status

data/.rspec

@@ -0,0 +1,4 @@
+--color
+--format documentation
+--require spec_helper
+--order random

data/.rubocop.yml

@@ -1,3 +1,5 @@
+# .rubocop.yml
+
 ##
 # This is the RuboCop configuration file.
 # It contains the rules and settings for the RuboCop linter.
@@ -13,7 +15,7 @@
 #
 inherit_from: .rubocop_todo.yml
 
-require:
+plugins:
   - rubocop-performance
   - rubocop-thread_safety
 
@@ -21,13 +23,13 @@ AllCops:
   NewCops: enable
   UseCache: true
   MaxFilesInCache: 100
-  TargetRubyVersion: 3.0
+  TargetRubyVersion: 3.4
   Exclude:
-    - 'migrate/**/*.rb'
-    - 'migrate/*.rb'
-    - 'try/**/*'
-    - 'try/*.rb'
-    - 'vendor/**/*'
+    - "migrate/**/*.rb"
+    - "migrate/*.rb"
+    - "try/**/*"
+    - "try/*.rb"
+    - "vendor/**/*"
 
 Gemspec/DeprecatedAttributeAssignment:
   Enabled: true
@@ -55,12 +57,12 @@ Metrics/CyclomaticComplexity:
 Metrics/MethodLength:
   Enabled: true
   Max: 40
-  CountAsOne: ['method_call']
+  CountAsOne: ["method_call"]
 
 Metrics/ModuleLength:
   Enabled: true
   Max: 250
-  CountAsOne: ['method_call']
+  CountAsOne: ["method_call"]
 
 Performance/Size:
   Enabled: true

data/.rubocop_todo.yml

@@ -0,0 +1,152 @@
+# This configuration was generated by
+# `rubocop --auto-gen-config`
+# on 2025-07-18 21:29:04 UTC using RuboCop version 1.78.0.
+# The point is for the user to remove these configuration records
+# one by one as the offenses are removed from the code base.
+# Note that changes in the inspected code, or installation of new
+# versions of RuboCop, may require this file to be generated again.
+
+# Offense count: 2
+# This cop supports unsafe autocorrection (--autocorrect-all).
+# Configuration parameters: AllowSafeAssignment.
+Lint/AssignmentInCondition:
+  Exclude:
+    - 'lib/otto.rb'
+
+# Offense count: 1
+# Configuration parameters: CountComments, Max, CountAsOne, AllowedMethods, AllowedPatterns.
+Metrics/MethodLength:
+  Exclude:
+    - 'lib/otto.rb'
+
+# Offense count: 5
+# Configuration parameters: AllowedMethods, AllowedPatterns.
+Metrics/PerceivedComplexity:
+  Max: 36
+
+# Offense count: 1
+Security/Eval:
+  Exclude:
+    - 'lib/otto/route.rb'
+
+# Offense count: 6
+# Configuration parameters: AllowedConstants.
+Style/Documentation:
+  Exclude:
+    - 'spec/**/*'
+    - 'test/**/*'
+    - 'example/app.rb'
+    - 'lib/otto.rb'
+    - 'lib/otto/helpers/request.rb'
+    - 'lib/otto/helpers/response.rb'
+    - 'lib/otto/route.rb'
+    - 'lib/otto/static.rb'
+
+# Offense count: 9
+# This cop supports unsafe autocorrection (--autocorrect-all).
+# Configuration parameters: EnforcedStyle.
+# SupportedStyles: always, always_true, never
+Style/FrozenStringLiteralComment:
+  Exclude:
+    - '**/*.arb'
+    - 'example/app.rb'
+    - 'example/config.ru'
+    - 'lib/otto.rb'
+    - 'lib/otto/helpers/request.rb'
+    - 'lib/otto/helpers/response.rb'
+    - 'lib/otto/route.rb'
+    - 'lib/otto/static.rb'
+    - 'lib/otto/version.rb'
+    - 'otto.gemspec'
+
+# Offense count: 1
+# This cop supports unsafe autocorrection (--autocorrect-all).
+# Configuration parameters: EnforcedStyle, Autocorrect.
+# SupportedStyles: module_function, extend_self, forbidden
+Style/ModuleFunction:
+  Exclude:
+    - 'lib/otto/static.rb'
+
+# Offense count: 2
+Style/MultilineBlockChain:
+  Exclude:
+    - 'lib/otto.rb'
+
+# Offense count: 2
+# This cop supports unsafe autocorrection (--autocorrect-all).
+# Configuration parameters: EnforcedStyle.
+# SupportedStyles: literals, strict
+Style/MutableConstant:
+  Exclude:
+    - 'example/config.ru'
+
+# Offense count: 1
+# Configuration parameters: AllowedMethods.
+# AllowedMethods: respond_to_missing?
+Style/OptionalBooleanParameter:
+  Exclude:
+    - 'lib/otto/helpers/response.rb'
+
+# Offense count: 1
+# This cop supports unsafe autocorrection (--autocorrect-all).
+# Configuration parameters: EnforcedStyle.
+# SupportedStyles: short, verbose
+Style/PreferredHashMethods:
+  Exclude:
+    - 'lib/otto.rb'
+
+# Offense count: 1
+# This cop supports unsafe autocorrection (--autocorrect-all).
+Style/RedundantFilterChain:
+  Exclude:
+    - 'lib/otto.rb'
+
+# Offense count: 1
+# This cop supports unsafe autocorrection (--autocorrect-all).
+Style/RedundantInterpolation:
+  Exclude:
+    - 'example/config.ru'
+
+# Offense count: 1
+# This cop supports unsafe autocorrection (--autocorrect-all).
+Style/SelectByRegexp:
+  Exclude:
+    - 'lib/otto.rb'
+
+# Offense count: 1
+# This cop supports unsafe autocorrection (--autocorrect-all).
+Style/SlicingWithRange:
+  Exclude:
+    - 'lib/otto/route.rb'
+
+# Offense count: 4
+# This cop supports unsafe autocorrection (--autocorrect-all).
+# Configuration parameters: RequireEnglish.
+# SupportedStyles: use_perl_names, use_english_names, use_builtin_english_names
+Style/SpecialGlobalVars:
+  EnforcedStyle: use_perl_names
+
+# Offense count: 1
+# Configuration parameters: ActiveSupportClassAttributeAllowed.
+ThreadSafety/ClassAndModuleAttributes:
+  Exclude:
+    - 'lib/otto.rb'
+
+# Offense count: 9
+ThreadSafety/ClassInstanceVariable:
+  Exclude:
+    - 'lib/otto.rb'
+    - 'lib/otto/version.rb'
+
+# Offense count: 1
+# Configuration parameters: AllowCallWithBlock.
+ThreadSafety/DirChdir:
+  Exclude:
+    - 'otto.gemspec'
+
+# Offense count: 1
+# This cop supports safe autocorrection (--autocorrect).
+# Configuration parameters: AllowHeredoc, AllowURI, AllowQualifiedName, URISchemes, IgnoreCopDirectives, AllowedPatterns, SplitStrings.
+# URISchemes: http, https
+Layout/LineLength:
+  Max: 135

data/Gemfile

@@ -1,11 +1,22 @@
 # frozen_string_literal: true
 
-source "https://rubygems.org"
+source 'https://rubygems.org'
 
 gemspec
 
-group "development" do
-  gem "pry-byebug"
-  gem "rubocop"
-  gem "tryouts"
+group :development, :test do
+  gem 'rspec', '~> 3.12'
+  gem 'rack-test'
+end
+
+group 'development' do
+  gem 'pry-byebug', require: false
+  gem 'rubocop', require: false
+  gem 'rubocop-performance', require: false
+  gem 'rubocop-rspec', require: false
+  gem 'rubocop-thread_safety', require: false
+  gem 'ruby-lsp', require: false
+  gem 'stackprof', require: false
+  gem 'syntax_tree', require: false
+  gem 'tryouts', require: false
 end

data/Gemfile.lock

@@ -1,9 +1,10 @@
 PATH
   remote: .
   specs:
-    otto (1.1.0.pre.alpha3)
+    otto (1.2.0)
       addressable (~> 2.2, < 3)
-      rack (~> 2.2, < 3.0)
+      rack (~> 3.1, < 4.0)
+      rack-parser (~> 0.7)
       rexml (>= 3.3.6)
 
 GEM
@@ -14,14 +15,18 @@ GEM
     ast (2.4.2)
     byebug (11.1.3)
     coderay (1.1.3)
+    diff-lcs (1.6.2)
     drydock (0.6.9)
     json (2.7.2)
     language_server-protocol (3.17.0.3)
+    logger (1.7.0)
     method_source (1.0.0)
     parallel (1.24.0)
     parser (3.3.0.5)
       ast (~> 2.4.1)
       racc
+    prettier_print (1.2.1)
+    prism (1.4.0)
     pry (0.14.2)
       coderay (~> 1.1)
       method_source (~> 1.0)
@@ -30,10 +35,29 @@ GEM
       pry (>= 0.13, < 0.15)
     public_suffix (6.0.1)
     racc (1.7.3)
-    rack (2.2.9)
+    rack (3.1.16)
+    rack-parser (0.7.0)
+      rack
+    rack-test (2.2.0)
+      rack (>= 1.3)
     rainbow (3.1.1)
+    rbs (3.9.4)
+      logger
     regexp_parser (2.9.0)
     rexml (3.3.7)
+    rspec (3.13.1)
+      rspec-core (~> 3.13.0)
+      rspec-expectations (~> 3.13.0)
+      rspec-mocks (~> 3.13.0)
+    rspec-core (3.13.5)
+      rspec-support (~> 3.13.0)
+    rspec-expectations (3.13.5)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.13.0)
+    rspec-mocks (3.13.5)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.13.0)
+    rspec-support (3.13.4)
     rubocop (1.62.1)
       json (~> 2.3)
       language_server-protocol (>= 3.17.0)
@@ -47,8 +71,22 @@ GEM
       unicode-display_width (>= 2.4.0, < 3.0)
     rubocop-ast (1.31.2)
       parser (>= 3.3.0.4)
+    rubocop-performance (1.23.1)
+      rubocop (>= 1.48.1, < 2.0)
+      rubocop-ast (>= 1.31.1, < 2.0)
+    rubocop-rspec (3.4.0)
+      rubocop (~> 1.61)
+    rubocop-thread_safety (0.6.0)
+      rubocop (>= 1.48.1)
+    ruby-lsp (0.26.0)
+      language_server-protocol (~> 3.17.0)
+      prism (>= 1.2, < 2.0)
+      rbs (>= 3, < 5)
     ruby-progressbar (1.13.0)
+    stackprof (0.2.27)
     storable (0.10.0)
+    syntax_tree (6.3.0)
+      prettier_print (>= 1.2.0)
     sysinfo (0.10.0)
       drydock (< 1.0)
       storable (~> 0.10)
@@ -63,7 +101,15 @@ PLATFORMS
 DEPENDENCIES
   otto!
   pry-byebug
+  rack-test
+  rspec (~> 3.12)
   rubocop
+  rubocop-performance
+  rubocop-rspec
+  rubocop-thread_safety
+  ruby-lsp
+  stackprof
+  syntax_tree
   tryouts
 
 BUNDLED WITH

data/LICENSE.txt

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2011-2024 delano
+Copyright (c) 2011 Delano Mandelbaum
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

data/README.md

@@ -1,150 +1,99 @@
-# Otto - 1.0 (2024-04-05)
+# Otto - 1.2 (2025-08-18)
 
-**Auto-define your rack-apps in plain-text.**
+**Define your rack-apps in plain-text with built-in security.**
 
-## Overview
+![Otto mascot](public/img/otto.jpg "Otto - All Rack, no Pinion")
 
-Apps built with Otto have three, basic parts: a rackup file, a ruby file, and a routes file. If you've built a [Rack app](https://github.com/rack/rack) before, then you've seen a rackup file before. The ruby file is your actual app and the routes file is what Otto uses to map URI paths to a Ruby class and method.
-
-A barebones app directory looks something like this:
+Otto apps have three files: a rackup file, a Ruby class, and a routes file. The routes file is just plain text that maps URLs to Ruby methods.
 
 ```bash
-  $ cd myapp
-  $ ls
-  config.ru app.rb routes
+$ cd myapp && ls
+config.ru app.rb routes
 ```
 
-See the examples/ directory for a working app.
+## Routes File
+```
+# routes
 
+GET   /                         App#index
+POST  /feedback                 App#receive_feedback
+GET   /product/:id              App#show_product
+GET   /robots.txt               App#robots_text
+GET   /404                      App#not_found
+```
 
-### Routes
+## Ruby Class
+```ruby
+# app.rb
 
-The routes file is just a plain-text file which defines the end points of your application. Each route has three parts:
+class App
+  def initialize(req, res)
+    @req, @res = req, res
+  end
 
- * HTTP verb (GET, POST, PUT, DELETE or HEAD)
- * URI path
- * Ruby class and method to call
+  def index
+    res.body = '<h1>Hello Otto</h1>'
+  end
 
-Here is an example:
+  def show_product
+    product_id = req.params[:id]
+    res.body = "Product: #{product_id}"
+  end
 
-```ruby
-  GET   /                         App#index
-  POST  /                         App#receive_feedback
-  GET   /redirect                 App#redirect
-  GET   /robots.txt               App#robots_text
-  GET   /product/:prodid          App#display_product
-
-  # You can also define these handlers when no
-  # route can be found or there's a server error. (optional)
-  GET   /404                      App#not_found
-  GET   /500                      App#server_error
+  def robots_text
+    res.header['Content-Type'] = "text/plain"
+    rules = 'User-agent: *', 'Disallow: /private/keep/out'
+    res.body = rules.join($/)
+  end
+end
 ```
 
-### App
+## Rackup File
+```ruby
+# config.ru
 
-There is nothing special about the Ruby class. The only requirement is that the first two arguments to initialize be a Rack::Request object and a Rack::Response object. Otherwise, you can do anything you want. You're free to use any templating engine, any database mapper, etc. There is no magic.
+require 'otto'
+require 'app'
 
-```ruby
-  class App
-    attr_reader :req, :res
-
-    # Otto creates an instance of this class for every request
-    # and passess the Rack::Request and Rack::Response objects.
-    def initialize req, res
-      @req, @res = req, res
-    end
-
-    def index
-      res.header['Content-Type'] = "text/html; charset=utf-8"
-      lines = [
-        '<img src="/img/otto.jpg" /><br/><br/>',
-        'Send feedback:<br/>',
-        '<form method="post"><input name="msg" /><input type="submit" /></form>',
-        '<a href="/product/100">A product example</a>'
-      ]
-      res.body = lines.join($/)
-    end
-
-    def receive_feedback
-      res.body = req.params.inspect
-    end
-
-    def redirect
-      res.redirect '/robots.txt'
-    end
-
-    def robots_text
-      res.header['Content-Type'] = "text/plain"
-      rules = 'User-agent: *', 'Disallow: /private'
-      res.body = rules.join($/)
-    end
-
-    def display_product
-      res.header['Content-Type'] = "application/json; charset=utf-8"
-      prodid = req.params[:prodid]
-      res.body = '{"product":%s,"msg":"Hint: try another value"}' % [prodid]
-    end
-
-    def not_found
-      res.status = 404
-      res.body = "Item not found!"
-    end
-
-    def server_error
-      res.status = 500
-      res.body = "There was a server error!"
-    end
-  end
+run Otto.new("./routes")
 ```
 
 
-### Rackup
+## Security Features
 
-There is also nothing special about the rackup file. It just builds a Rack app using your routes file.
+Otto includes optional security features for production apps:
 
 ```ruby
-  require 'otto'
-  require 'app'
-
-  app = Otto.new("./routes")
-
-  map('/') {
-    run app
-  }
+# Enable security features
+app = Otto.new("./routes", {
+  csrf_protection: true,      # CSRF tokens and validation
+  request_validation: true,   # Input sanitization and limits
+  trusted_proxies: ['10.0.0.0/8']
+})
 ```
 
-See the examples/ directory for a working app.
+Security features include CSRF protection, input validation, security headers, and trusted proxy configuration.
 
+## Requirements
 
-## Installation
+- Ruby 3.4+
+- Rack 3.1+
 
-Get it in one of the following ways:
+## Installation
 
 ```bash
-  $ gem install otto
-
-  [ Add it to yer Gemfile]
-  $ bundle install
-
-  $ git clone git://github.com/delano/otto.git
+gem install otto
 ```
 
+## AI Development Assistance
 
-You can also download via [tarball](https://github.com/delano/otto/tarball/latest) or [zip](https://github.com/delano/otto/zipball/latest).
-
-
-## More Information
-
-* [Homepage](https://github.com/delano/otto)
-
-
-## In the wild
-
-Services that use Otto:
-
-* [Onetime Secret](https://onetimesecret.com/) -- A safe way to share sensitive data.
+Version 1.2.0's security features were developed with AI assistance:
 
+* **Zed Agent (Claude Sonnet 4)** - Security implementation and testing
+* **Claude Desktop** - Rack 3+ compatibility and debugging
+* **GitHub Copilot** - Code completion
 
+The maintainer remains responsible for all security decisions and implementation. We believe in transparency about development tools, especially for security-focused software.
 
 ## License
 

data/VERSION.yml

@@ -1,4 +1,5 @@
+# VERSION.yml
+---
 :MAJOR: 1
-:MINOR: 1
+:MINOR: 2
 :PATCH: 0
-:PRE: alpha4

data/examples/basic/app.rb

@@ -0,0 +1,78 @@
+# examples/basic/app.rb (Streamlined with Design System)
+
+require_relative '../../lib/otto/design_system'
+
+class App
+  include Otto::DesignSystem
+
+  attr_reader :req, :res
+
+  def initialize(req, res)
+    @req = req
+    @res = res
+    res.headers['content-type'] = 'text/html; charset=utf-8'
+  end
+
+  def index
+    content = <<~HTML
+      <div class="otto-card otto-text-center">
+        <img src="/img/otto.jpg" alt="Otto Framework" class="otto-logo" />
+        <h1>Otto Framework</h1>
+        <p>Minimal Ruby web framework with style</p>
+      </div>
+
+      #{otto_card("Send Feedback") do
+        otto_form_wrapper do
+          otto_input("msg", placeholder: "Your message...") +
+          otto_button("Send Feedback")
+        end
+      end}
+    HTML
+
+    res.send_cookie :sess, 1_234_567, 3600
+    res.body = otto_page(content)
+  end
+
+  def receive_feedback
+    message = req.params['msg']&.strip
+
+    content = if message.nil? || message.empty?
+      otto_alert("error", "Empty Message", "Please enter a message before submitting.")
+    else
+      otto_alert("success", "Feedback Received", "Thanks for your message!") +
+      otto_card("Your Message") { otto_code_block(message, 'text') }
+    end
+
+    content += "<p>#{otto_link("← Back", "/")}</p>"
+    res.body = otto_page(content, "Feedback")
+  end
+
+  def redirect
+    res.redirect '/robots.txt'
+  end
+
+  def robots_text
+    res.headers['content-type'] = 'text/plain'
+    res.body = ['User-agent: *', 'Disallow: /private'].join($/)
+  end
+
+  def display_product
+    res.headers['content-type'] = 'application/json; charset=utf-8'
+    prodid = req.params[:prodid]
+    res.body = format('{"product":%s,"msg":"Hint: try another value"}', prodid)
+  end
+
+  def not_found
+    res.status = 404
+    content = otto_alert("error", "Not Found", "The requested page could not be found.")
+    content += "<p>#{otto_link("← Home", "/")}</p>"
+    res.body = otto_page(content, "404")
+  end
+
+  def server_error
+    res.status = 500
+    content = otto_alert("error", "Server Error", "An internal server error occurred.")
+    content += "<p>#{otto_link("← Home", "/")}</p>"
+    res.body = otto_page(content, "500")
+  end
+end