otto 1.3.0 → 1.4.0

data/lib/otto/helpers/request.rb

@@ -1,7 +1,11 @@
 # lib/otto/helpers/request.rb
 
+require_relative 'base'
+
 class Otto
   module RequestHelpers
+    include Otto::BaseHelpers
+
     def user_agent
       env['HTTP_USER_AGENT']
     end
@@ -70,7 +74,11 @@ class Otto
       ip = client_ipaddress
       return false unless ip
 
-      local_or_private_ip?(ip)
+      # Check both IP and server name for comprehensive localhost detection
+      server_name        = env['SERVER_NAME']
+      local_server_names = ['localhost', '127.0.0.1', '0.0.0.0']
+
+      local_or_private_ip?(ip) && local_server_names.include?(server_name)
     end
 
     def secure?
@@ -107,8 +115,6 @@ class Otto
       [prefix, http_host, request_path].join
     end
 
-    private
-
     def otto_security_config
       # Try to get security config from various sources
       if respond_to?(:otto) && otto.respond_to?(:security_config)
@@ -136,7 +142,7 @@ class Otto
 
       # Validate each octet
       octets = clean_ip.split('.')
-      return nil unless octets.all? { |octet| (0..255).include?(octet.to_i) }
+      return nil unless octets.all? { |octet| (0..255).cover?(octet.to_i) }
 
       clean_ip
     end
@@ -166,5 +172,218 @@ class Otto
       # Check for private IP ranges
       private_ip?(ip)
     end
+
+    # Collect and format HTTP header details from the request environment
+    #
+    # This method extracts and formats specific HTTP headers, including
+    # Cloudflare and proxy-related headers, for logging and debugging purposes.
+    #
+    # @param header_prefix [String, nil] Custom header prefix to include (e.g. 'X_SECRET_')
+    # @param additional_keys [Array<String>] Additional header keys to collect
+    # @return [String] Formatted header details as "key: value" pairs
+    #
+    # @example Basic usage
+    #   collect_proxy_headers
+    #   # => "X-Forwarded-For: 203.0.113.195 Remote-Addr: 192.0.2.1"
+    #
+    #
+    # @example With custom prefix
+    #   collect_proxy_headers(header_prefix: 'X_CUSTOM_')
+    #   # => "X-Forwarded-For: 203.0.113.195 X-Custom-Token: abc123"
+    def collect_proxy_headers(header_prefix: nil, additional_keys: [])
+      keys = %w[
+        HTTP_FLY_REQUEST_ID
+        HTTP_VIA
+        HTTP_X_FORWARDED_PROTO
+        HTTP_X_FORWARDED_FOR
+        HTTP_X_FORWARDED_HOST
+        HTTP_X_FORWARDED_PORT
+        HTTP_X_SCHEME
+        HTTP_X_REAL_IP
+        HTTP_CF_IPCOUNTRY
+        HTTP_CF_RAY
+        REMOTE_ADDR
+      ]
+
+      # Add any header that begins with the specified prefix
+      if header_prefix
+        prefix_keys = env.keys.select { |key| key.upcase.start_with?("HTTP_#{header_prefix.upcase}") }
+        keys.concat(prefix_keys)
+      end
+
+      # Add any additional keys requested
+      keys.concat(additional_keys) if additional_keys.any?
+
+      keys.sort.filter_map do |key|
+        value = env[key]
+        next unless value
+
+        # Normalize the header name to look like browser dev console
+        # e.g. Content-Type instead of HTTP_CONTENT_TYPE
+        pretty_name = key.sub(/^HTTP_/, '').split('_').map(&:capitalize).join('-')
+        "#{pretty_name}: #{value}"
+      end.join(' ')
+    end
+
+    # Format request details as a single string for logging
+    #
+    # This method combines IP address, HTTP method, path, query parameters,
+    # and proxy header details into a single formatted string suitable for logging.
+    #
+    # @param header_prefix [String, nil] Custom header prefix for proxy headers
+    # @return [String] Formatted request details
+    #
+    # @example
+    #   format_request_details
+    #   # => "192.0.2.1; GET /path?query=string; Proxy[X-Forwarded-For: 203.0.113.195 Remote-Addr: 192.0.2.1]"
+    #
+    def format_request_details(header_prefix: nil)
+      header_details = collect_proxy_headers(header_prefix: header_prefix)
+
+      details = [
+        client_ipaddress,
+        "#{request_method} #{env['PATH_INFO']}?#{env['QUERY_STRING']}",
+        "Proxy[#{header_details}]",
+      ]
+
+      details.join('; ')
+    end
+
+    # Check if user agent matches blocked patterns
+    #
+    # This method checks if the current request's user agent string
+    # matches any of the provided blocked agent patterns.
+    #
+    # @param blocked_agents [Array<String, Symbol, Regexp>] Patterns to check against
+    # @return [Boolean] true if user agent is allowed, false if blocked
+    #
+    # @example
+    #   blocked_user_agent?([:bot, :crawler, 'BadAgent'])
+    #   # => false if user agent contains 'bot', 'crawler', or 'BadAgent'
+    def blocked_user_agent?(blocked_agents: [])
+      return true if blocked_agents.empty?
+
+      user_agent_string = user_agent.to_s.downcase
+      return true if user_agent_string.empty?
+
+      blocked_agents.flatten.any? do |agent|
+        case agent
+        when Regexp
+          user_agent_string.match?(agent)
+        else
+          user_agent_string.include?(agent.to_s.downcase)
+        end
+      end
+    end
+
+    # Build application path by joining path segments
+    #
+    # This method safely joins multiple path segments, handling
+    # duplicate slashes and ensuring proper path formatting.
+    # Includes the script name (mount point) as the first segment.
+    #
+    # @param paths [Array<String>] Path segments to join
+    # @return [String] Properly formatted path
+    #
+    # @example
+    #   app_path('api', 'v1', 'users')
+    #   # => "/myapp/api/v1/users"
+    #
+    # @example
+    #   app_path(['admin', 'settings'])
+    #   # => "/myapp/admin/settings"
+    def app_path(*paths)
+      paths = paths.flatten.compact
+      paths.unshift(env['SCRIPT_NAME']) if env['SCRIPT_NAME']
+      paths.join('/').gsub('//', '/')
+    end
+
+    # Set the locale for the request based on multiple sources
+    #
+    # This method determines the locale to be used for the request by checking
+    # the following sources in order of precedence:
+    # 1. The locale parameter passed to the method
+    # 2. The locale query parameter in the request
+    # 3. The user's saved locale preference (if provided)
+    # 4. The rack.locale environment variable
+    #
+    # If a valid locale is found, it's stored in the request environment.
+    # If no valid locale is found, the default locale is used.
+    #
+    # @param locale [String, nil] The locale to use, if specified
+    # @param opts [Hash] Configuration options
+    # @option opts [Hash] :available_locales Hash of available locales to validate against (required unless configured at Otto level)
+    # @option opts [String] :default_locale Default locale to use as fallback (required unless configured at Otto level)
+    # @option opts [String, nil] :preferred_locale User's saved locale preference
+    # @option opts [String] :locale_env_key Environment key to store the locale (default: 'locale')
+    # @option opts [Boolean] :debug Enable debug logging for locale selection
+    # @return [String] The selected locale
+    #
+    # @example Basic usage
+    #   check_locale!(
+    #     available_locales: { 'en' => 'English', 'es' => 'Spanish' },
+    #     default_locale: 'en'
+    #   )
+    #   # => 'en'
+    #
+    # @example With user preference
+    #   check_locale!(nil, {
+    #     available_locales: { 'en' => 'English', 'es' => 'Spanish' },
+    #     default_locale: 'en',
+    #     preferred_locale: 'es'
+    #   })
+    #   # => 'es'
+    #
+    # @example Using Otto-level configuration
+    #   # Otto configured with: Otto.new(routes, { locale_config: { available: {...}, default: 'en' } })
+    #   check_locale!('es')  # Uses Otto's config automatically
+    #   # => 'es'
+    #
+    def check_locale!(locale = nil, opts = {})
+      # Get configuration from options, Otto config, or environment (in that order)
+      otto_config = env['otto.locale_config']
+
+      available_locales = opts[:available_locales] ||
+                          otto_config&.dig(:available_locales) ||
+                          env['otto.available_locales']
+      default_locale    = opts[:default_locale] ||
+                          otto_config&.dig(:default_locale) ||
+                          env['otto.default_locale']
+      preferred_locale  = opts[:preferred_locale]
+      locale_env_key    = opts[:locale_env_key] || 'locale'
+      debug_enabled     = opts[:debug] || false
+
+      # Guard clause - required configuration must be present
+      unless available_locales && default_locale
+        raise ArgumentError, 'available_locales and default_locale are required (provide via opts or Otto configuration)'
+      end
+
+      # Check sources in order of precedence
+      locale ||= env['rack.request.query_hash'] && env['rack.request.query_hash']['locale']
+      locale ||= preferred_locale if preferred_locale
+      locale ||= (env['rack.locale'] || []).first
+
+      # Validate locale against available translations
+      have_translations = locale && available_locales.key?(locale.to_s)
+
+      # Debug logging if enabled
+      if debug_enabled && defined?(Otto.logger)
+        message = format(
+          '[check_locale!] sources[param=%s query=%s user=%s rack=%s] valid=%s',
+          locale,
+          env.dig('rack.request.query_hash', 'locale'),
+          preferred_locale,
+          (env['rack.locale'] || []).first,
+          have_translations
+        )
+        Otto.logger.debug message
+      end
+
+      # Set the locale in request environment
+      selected_locale = have_translations ? locale : default_locale
+      env[locale_env_key] = selected_locale
+
+      selected_locale
+    end
   end
 end

data/lib/otto/helpers/response.rb

@@ -1,7 +1,11 @@
 # lib/otto/helpers/response.rb
 
+require_relative 'base'
+
 class Otto
   module ResponseHelpers
+    include Otto::BaseHelpers
+
     attr_accessor :request
 
     def send_secure_cookie(name, value, ttl, opts = {})
@@ -76,5 +80,76 @@ class Otto
 
       headers
     end
+
+    # Set Content Security Policy (CSP) headers with nonce support
+    #
+    # This method generates and sets CSP headers with the provided nonce value,
+    # following the same usage pattern as send_cookie methods. The CSP policy
+    # is generated dynamically based on the security configuration and environment.
+    #
+    # @param content_type [String] Content-Type header value to set
+    # @param nonce [String] Nonce value to include in CSP directives
+    # @param opts [Hash] Options for CSP generation
+    # @option opts [Otto::Security::Config] :security_config Security config to use
+    # @option opts [Boolean] :development_mode Use development-friendly CSP directives
+    # @option opts [Boolean] :debug Enable debug logging for this request
+    # @return [void]
+    #
+    # @example Basic usage
+    #   nonce = SecureRandom.base64(16)
+    #   res.send_csp_headers('text/html; charset=utf-8', nonce)
+    #
+    # @example With options
+    #   res.send_csp_headers('text/html; charset=utf-8', nonce, {
+    #     development_mode: Rails.env.development?,
+    #     debug: true
+    #   })
+    def send_csp_headers(content_type, nonce, opts = {})
+      # Set content type if not already set
+      headers['content-type'] ||= content_type
+
+      # Warn if CSP header already exists but don't skip
+      if headers['content-security-policy']
+        warn 'CSP header already set, overriding with nonce-based policy'
+      end
+
+      # Get security configuration
+      security_config = opts[:security_config] ||
+                        (request&.env && request.env['otto.security_config']) ||
+                        nil
+
+      # Skip if CSP nonce support is not enabled
+      return unless security_config&.csp_nonce_enabled?
+
+      # Generate CSP policy with nonce
+      development_mode = opts[:development_mode] || false
+      csp_policy       = security_config.generate_nonce_csp(nonce, development_mode: development_mode)
+
+      # Debug logging if enabled
+      debug_enabled = opts[:debug] || security_config.debug_csp?
+      if debug_enabled && defined?(Otto.logger)
+        Otto.logger.debug "[CSP] #{csp_policy}"
+      end
+
+      # Set the CSP header
+      headers['content-security-policy'] = csp_policy
+    end
+
+    # Set cache control headers to prevent caching
+    #
+    # This method sets comprehensive cache control headers to ensure that
+    # the response is not cached by browsers, proxies, or CDNs. This is
+    # particularly useful for sensitive pages or dynamic content that
+    # should always be fresh.
+    #
+    # @return [void]
+    #
+    # @example
+    #   res.no_cache!
+    def no_cache!
+      headers['cache-control'] = 'no-store, no-cache, must-revalidate, max-age=0'
+      headers['expires']       = 'Mon, 7 Nov 2011 00:00:00 UTC'
+      headers['pragma']        = 'no-cache'
+    end
   end
 end

data/lib/otto/route.rb

@@ -115,6 +115,11 @@ class Otto
       res.extend Otto::ResponseHelpers
       res.request    = req
 
+      # Make security config available to response helpers
+      if otto.respond_to?(:security_config) && otto.security_config
+        env['otto.security_config'] = otto.security_config
+      end
+
       # Process parameters through security layer
       req.params.merge! extra_params
       req.params.replace Otto::Static.indifferent_params(req.params)

data/lib/otto/security/config.rb

@@ -24,7 +24,8 @@ class Otto
       attr_accessor :csrf_protection, :csrf_token_key, :csrf_header_key, :csrf_session_key,
         :max_request_size, :max_param_depth, :max_param_keys,
         :trusted_proxies, :require_secure_cookies,
-        :security_headers, :input_validation
+        :security_headers, :input_validation,
+        :csp_nonce_enabled, :debug_csp
 
       # Initialize security configuration with safe defaults
       #
@@ -42,6 +43,8 @@ class Otto
         @require_secure_cookies = false
         @security_headers       = default_security_headers
         @input_validation       = true
+        @csp_nonce_enabled      = false
+        @debug_csp              = false
       end
 
       # Enable CSRF (Cross-Site Request Forgery) protection
@@ -199,6 +202,53 @@ class Otto
         @security_headers['content-security-policy'] = policy
       end
 
+      # Enable Content Security Policy (CSP) with nonce support
+      #
+      # This enables dynamic CSP header generation with nonces for enhanced security.
+      # Unlike enable_csp!, this doesn't set a static policy but enables the response
+      # helper to generate CSP headers with nonces on a per-request basis.
+      #
+      # @param debug [Boolean] Enable debug logging for CSP headers (default: false)
+      # @return [void]
+      #
+      # @example
+      #   config.enable_csp_with_nonce!(debug: true)
+      def enable_csp_with_nonce!(debug: false)
+        @csp_nonce_enabled = true
+        @debug_csp         = debug
+      end
+
+      # Disable CSP nonce support
+      #
+      # @return [void]
+      def disable_csp_nonce!
+        @csp_nonce_enabled = false
+      end
+
+      # Check if CSP nonce support is enabled
+      #
+      # @return [Boolean] true if CSP nonce support is enabled
+      def csp_nonce_enabled?
+        @csp_nonce_enabled
+      end
+
+      # Check if CSP debug logging is enabled
+      #
+      # @return [Boolean] true if CSP debug logging is enabled
+      def debug_csp?
+        @debug_csp
+      end
+
+      # Generate a CSP policy string with the provided nonce
+      #
+      # @param nonce [String] The nonce value to include in the CSP
+      # @param development_mode [Boolean] Whether to use development-friendly directives
+      # @return [String] Complete CSP policy string
+      def generate_nonce_csp(nonce, development_mode: false)
+        directives = development_mode ? development_csp_directives(nonce) : production_csp_directives(nonce)
+        directives.join(' ')
+      end
+
       # Enable X-Frame-Options header to prevent clickjacking
       #
       # @param option [String] Frame options: 'DENY', 'SAMEORIGIN', or 'ALLOW-FROM uri'
@@ -298,6 +348,54 @@ class Otto
         a.bytes.zip(b.bytes) { |x, y| result |= x ^ y }
         result == 0
       end
+
+      # Generate CSP directives for development environment
+      #
+      # Development mode allows inline scripts/styles and hot reloading connections
+      # for better developer experience with build tools like Vite.
+      #
+      # @param nonce [String] The nonce value to include in script-src
+      # @return [Array<String>] Array of CSP directive strings
+      def development_csp_directives(nonce)
+        [
+          "default-src 'none';",
+          "script-src 'nonce-#{nonce}' 'unsafe-inline';",  # Allow inline scripts for development tools
+          "style-src 'self' 'unsafe-inline';",
+          "connect-src 'self' ws: wss: http: https:;",      # Allow HTTP and all WebSocket connections for dev tools
+          "img-src 'self' data:;",
+          "font-src 'self';",
+          "object-src 'none';",
+          "base-uri 'self';",
+          "form-action 'self';",
+          "frame-ancestors 'none';",
+          "manifest-src 'self';",
+          "worker-src 'self' data:;",
+        ]
+      end
+
+      # Generate CSP directives for production environment
+      #
+      # Production mode is more restrictive, only allowing HTTPS connections
+      # and nonce-only scripts for enhanced XSS protection.
+      #
+      # @param nonce [String] The nonce value to include in script-src
+      # @return [Array<String>] Array of CSP directive strings
+      def production_csp_directives(nonce)
+        [
+          "default-src 'none';",                     # Restrict to same origin by default
+          "script-src 'nonce-#{nonce}';",            # Only allow scripts with valid nonce
+          "style-src 'self' 'unsafe-inline';",       # Allow inline styles and same-origin stylesheets
+          "connect-src 'self' wss: https:;",         # Only HTTPS and secure WebSockets
+          "img-src 'self' data:;",                   # Allow images from same origin and data URIs
+          "font-src 'self';",                        # Allow fonts from same origin only
+          "object-src 'none';",                      # Block <object>, <embed>, and <applet> elements
+          "base-uri 'self';",                        # Restrict <base> tag targets to same origin
+          "form-action 'self';",                     # Restrict form submissions to same origin
+          "frame-ancestors 'none';",                 # Prevent site from being embedded in frames
+          "manifest-src 'self';",                    # Allow web app manifests from same origin
+          "worker-src 'self' data:;",                # Allow Workers from same origin and data blobs
+        ]
+      end
     end
 
     # Raised when a request exceeds the configured size limit

data/lib/otto/version.rb

@@ -1,5 +1,5 @@
 # lib/otto/version.rb
 
 class Otto
-  VERSION = '1.3.0'.freeze
+  VERSION = '1.4.0'.freeze
 end

data/lib/otto.rb

@@ -1,5 +1,6 @@
 require 'json'
 require 'logger'
+require 'ostruct'
 require 'securerandom'
 require 'uri'
 
@@ -42,8 +43,20 @@ class Otto
 
   @debug  = ENV['OTTO_DEBUG'] == 'true'
   @logger = Logger.new($stdout, Logger::INFO)
+  @global_config = {}
 
-  attr_reader :routes, :routes_literal, :routes_static, :route_definitions, :option, :static_route, :security_config
+  # Global configuration for all Otto instances
+  def self.configure
+    config = OpenStruct.new(@global_config)
+    yield config
+    @global_config = config.to_h
+  end
+
+  def self.global_config
+    @global_config
+  end
+
+  attr_reader :routes, :routes_literal, :routes_static, :route_definitions, :option, :static_route, :security_config, :locale_config
   attr_accessor :not_found, :server_error, :middleware_stack
 
   def initialize(path = nil, opts = {})
@@ -58,6 +71,9 @@ class Otto
     @security_config   = Otto::Security::Config.new
     @middleware_stack  = []
 
+    # Configure locale support (merge global config with instance options)
+    configure_locale(opts)
+
     # Configure security based on options
     configure_security(opts)
 
@@ -157,6 +173,7 @@ class Otto
   def handle_request(env)
     locale             = determine_locale env
     env['rack.locale'] = locale
+    env['otto.locale_config'] = @locale_config if @locale_config
     @static_route    ||= Rack::Files.new(option[:public]) if option[:public] && safe_dir?(option[:public])
     path_info          = Rack::Utils.unescape(env['PATH_INFO'])
     path_info          = '/' if path_info.to_s.empty?
@@ -370,8 +387,64 @@ class Otto
     @security_config.enable_frame_protection!(option)
   end
 
+  # Enable Content Security Policy (CSP) with nonce support for dynamic header generation.
+  # This enables the res.send_csp_headers response helper method.
+  #
+  # @param debug [Boolean] Enable debug logging for CSP headers (default: false)
+  # @example
+  #   otto.enable_csp_with_nonce!(debug: true)
+  def enable_csp_with_nonce!(debug: false)
+    @security_config.enable_csp_with_nonce!(debug: debug)
+  end
+
+  # Configure locale settings for the application
+  #
+  # @param available_locales [Hash] Hash of available locales (e.g., { 'en' => 'English', 'es' => 'Spanish' })
+  # @param default_locale [String] Default locale to use as fallback
+  # @example
+  #   otto.configure(
+  #     available_locales: { 'en' => 'English', 'es' => 'Spanish', 'fr' => 'French' },
+  #     default_locale: 'en'
+  #   )
+  def configure(available_locales: nil, default_locale: nil)
+    @locale_config ||= {}
+    @locale_config[:available_locales] = available_locales if available_locales
+    @locale_config[:default_locale] = default_locale if default_locale
+  end
+
   private
 
+  def configure_locale(opts)
+    # Start with global configuration
+    global_config = self.class.global_config
+    @locale_config = nil
+
+    # Check if we have any locale configuration from any source
+    has_global_locale = global_config && (global_config[:available_locales] || global_config[:default_locale])
+    has_direct_options = opts[:available_locales] || opts[:default_locale]
+    has_legacy_config = opts[:locale_config]
+
+    # Only create locale_config if we have configuration from somewhere
+    if has_global_locale || has_direct_options || has_legacy_config
+      @locale_config = {}
+
+      # Apply global configuration first
+      @locale_config[:available_locales] = global_config[:available_locales] if global_config && global_config[:available_locales]
+      @locale_config[:default_locale] = global_config[:default_locale] if global_config && global_config[:default_locale]
+
+      # Apply direct instance options (these override global config)
+      @locale_config[:available_locales] = opts[:available_locales] if opts[:available_locales]
+      @locale_config[:default_locale] = opts[:default_locale] if opts[:default_locale]
+
+      # Legacy support: Configure locale if provided in initialization options via locale_config hash
+      if opts[:locale_config]
+        locale_opts = opts[:locale_config]
+        @locale_config[:available_locales] = locale_opts[:available_locales] || locale_opts[:available] if locale_opts[:available_locales] || locale_opts[:available]
+        @locale_config[:default_locale] = locale_opts[:default_locale] || locale_opts[:default] if locale_opts[:default_locale] || locale_opts[:default]
+      end
+    end
+  end
+
   def configure_security(opts)
     # Enable CSRF protection if requested
     enable_csrf_protection! if opts[:csrf_protection]

data/otto.gemspec

@@ -16,11 +16,11 @@ Gem::Specification.new do |spec|
   spec.homepage      = 'https://github.com/delano/otto'
   spec.require_paths = ['lib']
 
-  spec.required_ruby_version = ['>= 3.4', '< 4.0']
+  spec.required_ruby_version = ['>= 3.2', '< 4.0']
 
   # https://github.com/delano/otto/security/dependabot/5
   spec.add_dependency 'rexml', '>= 3.3.6'
-
+  spec.add_dependency 'ostruct'
   spec.add_dependency 'rack', '~> 3.1', '< 4.0'
   spec.add_dependency 'rack-parser', '~> 0.7'
   spec.metadata['rubygems_mfa_required'] = 'true'

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: otto
 version: !ruby/object:Gem::Version
-  version: 1.3.0
+  version: 1.4.0
 platform: ruby
 authors:
 - Delano Mandelbaum
@@ -23,6 +23,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: 3.3.6
+- !ruby/object:Gem::Dependency
+  name: ostruct
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: rack
   requirement: !ruby/object:Gem::Requirement
@@ -63,7 +77,11 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- ".github/dependabot.yml"
+- ".github/workflows/ci.yml"
 - ".gitignore"
+- ".pre-commit-config.yaml"
+- ".pre-push-config.yaml"
 - ".rspec"
 - ".rubocop.yml"
 - Gemfile
@@ -76,11 +94,15 @@ files:
 - examples/dynamic_pages/app.rb
 - examples/dynamic_pages/config.ru
 - examples/dynamic_pages/routes
+- examples/helpers_demo/app.rb
+- examples/helpers_demo/config.ru
+- examples/helpers_demo/routes
 - examples/security_features/app.rb
 - examples/security_features/config.ru
 - examples/security_features/routes
 - lib/otto.rb
 - lib/otto/design_system.rb
+- lib/otto/helpers/base.rb
 - lib/otto/helpers/request.rb
 - lib/otto/helpers/response.rb
 - lib/otto/route.rb
@@ -104,7 +126,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '3.4'
+      version: '3.2'
   - - "<"
     - !ruby/object:Gem::Version
       version: '4.0'