otto 1.5.0 → 2.0.0.pre1

data/CHANGELOG.rst

@@ -0,0 +1,83 @@
+CHANGELOG.rst
+=============
+
+All notable changes to Otto are documented here.
+
+The format is based on `Keep a
+Changelog <https://keepachangelog.com/en/1.1.0/>`__, and this project
+adheres to `Semantic
+Versioning <https://semver.org/spec/v2.0.0.html>`__.
+
+.. raw:: html
+
+   <!--scriv-insert-here-->
+
+.. _changelog-2.0.0-pre1:
+
+2.0.0-pre1 — 2025-09-10
+=======================
+
+Added
+-----
+
+- Comprehensive test coverage for error handling methods (handle_error, secure_error_response,
+json_error_response)
+- Test coverage for private configuration methods (configure_locale, configure_security,
+configure_authentication, configure_mcp)
+- Expanded MCP functionality test coverage including route parsing and server initialization
+- Security header validation in all error responses
+- Content negotiation testing for JSON vs plain text error responses
+- Development vs production mode error handling verification
+
+- ``Otto::Security::Configurator`` class for consolidated security configuration
+- ``Otto::Core::MiddlewareStack`` class for enhanced middleware management
+- Unified ``security.configure()`` method for streamlined security setup
+- Middleware introspection capabilities via ``middleware_list`` and ``middleware_details`` methods
+
+Changed
+-------
+
+- **BREAKING**: Direct middleware_stack manipulation no longer supported. Use ``otto.use()`` instead
+of ``otto.middleware_stack <<``. See `migration guide <docs/migrating/v2.0.0-pre1.md>`__ for upgrade
+path.
+
+- Refactored main Otto class from 767 lines to 348 lines using composition pattern (#29)
+- Modernized initialization method with helper functions while maintaining backward compatibility
+- Applied Ruby 3.2+ features including pattern matching and anonymous block forwarding
+- Improved method organization and separation of concerns
+
+- Refactored security configuration methods to use new ``Otto::Security::Configurator`` facade
+- Enhanced middleware stack management with better registration and execution interfaces
+- Improved separation of concerns between security configuration and middleware handling
+
+- Unified middleware stack implementation for improved performance and consistency
+- Optimized middleware lookup and registration with O(1) Set-based tracking
+- Memoized middleware list to reduce array creation overhead
+- Improved middleware registration to handle varied argument scenarios
+
+Documentation
+-------------
+
+- Added changelog management system with Scriv configuration
+- Created comprehensive changelog process documentation
+
+AI Assistance
+-------------
+
+- Comprehensive test suite development covering 76 new test cases across 3 test files
+- Error handling analysis and edge case identification
+- Configuration method testing strategy development
+- MCP functionality testing with proper mocking and stubbing techniques
+- Test quality assurance ensuring all 460 examples pass with 0 failures
+
+- Extracted core Otto class functionality into 5 focused modules (Router, FileSafety, Configuration,
+ErrorHandler, UriGenerator) using composition pattern for improved maintainability while preserving
+complete API backward compatibility (#28)
+
+- Comprehensive refactoring implementation developed with AI assistance
+- Systematic approach to maintaining backward compatibility during modernization
+- Full test suite validation ensuring zero breaking changes across 460 test cases
+
+- Comprehensive refactoring of middleware stack management
+- Performance optimization and code quality improvements
+- Developed detailed migration guide for smooth transition

data/CLAUDE.md

@@ -0,0 +1,56 @@
+# CLAUDE.md
+
+This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
+
+## Development Commands
+
+### Setup
+```bash
+# Install development and test dependencies
+bundle config set with 'development test'
+bundle install
+
+# Lint code
+bundle exec rubocop
+
+# Run tests
+bundle exec rspec
+
+# Run a specific test
+bundle exec rspec spec/path/to/specific_spec.rb
+# rspec settings in .rspec
+```
+
+## Project Overview
+
+### Core Components
+- Ruby Rack-based web framework for defining web applications
+- Focuses on security and simplicity
+- Supports internationalization and optional security features
+
+### Key Features
+- Plain-text routes configuration
+- Automatic locale detection
+- Optional security features:
+  - CSRF protection
+  - Input validation
+  - Security headers
+  - Trusted proxy configuration
+
+### Test Frameworks
+- RSpec for unit and integration testing
+- Tryouts for behavior-driven testing
+
+### Development Tools
+- Rubocop for linting
+- Debug gem for debugging
+- Tryouts for alternative testing approach
+
+### Ruby Version Requirements
+- Ruby 3.2+
+- Rack 3.1+
+
+### Important Notes
+- Always validate and sanitize user inputs
+- Leverage built-in security features
+- Use locale helpers for internationalization support

data/Gemfile

@@ -1,14 +1,30 @@
+# Gemfile
+
+# To install all development and test dependencies:
+#
+#   $ bundle config set with 'development test'
+#   $ bundle install
+
 source 'https://rubygems.org'
 
 gemspec
 
-group :development, :test do
+gem 'rackup'
+
+group :test do
   gem 'rack-test'
-  gem 'rspec', '~> 3.12'
+  gem 'rspec', '~> 3.13'
+end
+
+# bundle config set with 'optional'
+group :development, :test, optional: true do
+  # Keep gems that need to be in both environments
+  gem 'json_schemer'
+  gem 'rack-attack'
 end
 
-group 'development' do
-  gem 'pry-byebug', require: false
+group :development do
+  gem 'debug'
   gem 'rubocop', require: false
   gem 'rubocop-performance', require: false
   gem 'rubocop-rspec', require: false
@@ -16,5 +32,5 @@ group 'development' do
   gem 'ruby-lsp', require: false
   gem 'stackprof', require: false
   gem 'syntax_tree', require: false
-  gem 'tryouts', '~> 3.3.1', require: false
+  gem 'tryouts', '~> 3.6.0', require: false
 end

data/Gemfile.lock

@@ -1,8 +1,9 @@
 PATH
   remote: .
   specs:
-    otto (1.5.0)
-      ostruct
+    otto (2.0.0.pre.pre1)
+      facets (~> 3.1)
+      loofah (~> 2.20)
       rack (~> 3.1, < 4.0)
       rack-parser (~> 0.7)
       rexml (>= 3.3.6)
@@ -11,23 +12,51 @@ GEM
   remote: https://rubygems.org/
   specs:
     ast (2.4.3)
-    byebug (12.0.0)
-    coderay (1.1.3)
+    bigdecimal (3.2.3)
+    concurrent-ruby (1.3.5)
+    crass (1.0.6)
     date (3.4.1)
+    debug (1.11.0)
+      irb (~> 1.10)
+      reline (>= 0.3.8)
     diff-lcs (1.6.2)
     erb (5.0.2)
+    facets (3.1.0)
+    hana (1.3.7)
     io-console (0.8.1)
     irb (1.15.2)
       pp (>= 0.6.0)
       rdoc (>= 4.0.0)
       reline (>= 0.4.2)
     json (2.13.2)
+    json_schemer (2.4.0)
+      bigdecimal
+      hana (~> 1.3)
+      regexp_parser (~> 2.0)
+      simpleidn (~> 0.2)
     language_server-protocol (3.17.0.5)
     lint_roller (1.1.0)
     logger (1.7.0)
-    method_source (1.1.0)
+    loofah (2.24.1)
+      crass (~> 1.0.2)
+      nokogiri (>= 1.12.0)
     minitest (5.25.5)
-    ostruct (0.6.3)
+    nokogiri (1.18.9-aarch64-linux-gnu)
+      racc (~> 1.4)
+    nokogiri (1.18.9-aarch64-linux-musl)
+      racc (~> 1.4)
+    nokogiri (1.18.9-arm-linux-gnu)
+      racc (~> 1.4)
+    nokogiri (1.18.9-arm-linux-musl)
+      racc (~> 1.4)
+    nokogiri (1.18.9-arm64-darwin)
+      racc (~> 1.4)
+    nokogiri (1.18.9-x86_64-darwin)
+      racc (~> 1.4)
+    nokogiri (1.18.9-x86_64-linux-gnu)
+      racc (~> 1.4)
+    nokogiri (1.18.9-x86_64-linux-musl)
+      racc (~> 1.4)
     parallel (1.27.0)
     parser (3.3.9.0)
       ast (~> 2.4.1)
@@ -39,31 +68,29 @@ GEM
     prettier_print (1.2.1)
     prettyprint (0.2.0)
     prism (1.4.0)
-    pry (0.15.2)
-      coderay (~> 1.1)
-      method_source (~> 1.0)
-    pry-byebug (3.11.0)
-      byebug (~> 12.0)
-      pry (>= 0.13, < 0.16)
     psych (5.2.6)
       date
       stringio
     racc (1.8.1)
-    rack (3.2.0)
+    rack (3.2.1)
+    rack-attack (6.7.0)
+      rack (>= 1.0, < 4)
     rack-parser (0.7.0)
       rack
     rack-test (2.2.0)
       rack (>= 1.3)
+    rackup (2.2.1)
+      rack (>= 3)
     rainbow (3.1.1)
-    rbs (3.9.4)
+    rbs (3.9.5)
       logger
     rdoc (6.14.2)
       erb
       psych (>= 4.0.0)
-    regexp_parser (2.11.0)
+    regexp_parser (2.11.2)
     reline (0.6.2)
       io-console (~> 0.5)
-    rexml (3.4.1)
+    rexml (3.4.3)
     rspec (3.13.1)
       rspec-core (~> 3.13.0)
       rspec-expectations (~> 3.13.0)
@@ -76,8 +103,8 @@ GEM
     rspec-mocks (3.13.5)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.13.0)
-    rspec-support (3.13.4)
-    rubocop (1.79.1)
+    rspec-support (3.13.5)
+    rubocop (1.80.2)
       json (~> 2.3)
       language_server-protocol (~> 3.17.0.2)
       lint_roller (~> 1.1.0)
@@ -91,11 +118,11 @@ GEM
     rubocop-ast (1.46.0)
       parser (>= 3.3.7.2)
       prism (~> 1.4)
-    rubocop-performance (1.25.0)
+    rubocop-performance (1.26.0)
       lint_roller (~> 1.1)
       rubocop (>= 1.75.0, < 2.0)
-      rubocop-ast (>= 1.38.0, < 2.0)
-    rubocop-rspec (3.6.0)
+      rubocop-ast (>= 1.44.0, < 2.0)
+    rubocop-rspec (3.7.0)
       lint_roller (~> 1.1)
       rubocop (~> 1.72, >= 1.72.1)
     rubocop-thread_safety (0.7.3)
@@ -107,11 +134,13 @@ GEM
       prism (>= 1.2, < 2.0)
       rbs (>= 3, < 5)
     ruby-progressbar (1.13.0)
+    simpleidn (0.2.3)
     stackprof (0.2.27)
     stringio (3.1.7)
     syntax_tree (6.3.0)
       prettier_print (>= 1.2.0)
-    tryouts (3.3.1)
+    tryouts (3.6.0)
+      concurrent-ruby (~> 1.0)
       irb
       minitest (~> 5.0)
       pastel (~> 0.8)
@@ -122,19 +151,28 @@ GEM
     tty-color (0.6.0)
     tty-cursor (0.7.1)
     tty-screen (0.8.2)
-    unicode-display_width (3.1.4)
-      unicode-emoji (~> 4.0, >= 4.0.4)
-    unicode-emoji (4.0.4)
+    unicode-display_width (3.2.0)
+      unicode-emoji (~> 4.1)
+    unicode-emoji (4.1.0)
 
 PLATFORMS
-  arm64-darwin-24
-  ruby
+  aarch64-linux-gnu
+  aarch64-linux-musl
+  arm-linux-gnu
+  arm-linux-musl
+  arm64-darwin
+  x86_64-darwin
+  x86_64-linux-gnu
+  x86_64-linux-musl
 
 DEPENDENCIES
+  debug
+  json_schemer
   otto!
-  pry-byebug
+  rack-attack
   rack-test
-  rspec (~> 3.12)
+  rackup
+  rspec (~> 3.13)
   rubocop
   rubocop-performance
   rubocop-rspec
@@ -142,7 +180,7 @@ DEPENDENCIES
   ruby-lsp
   stackprof
   syntax_tree
-  tryouts (~> 3.3.1)
+  tryouts (~> 3.6.0)
 
 BUNDLED WITH
-   2.6.9
+   2.7.1

data/README.md

@@ -2,6 +2,8 @@
 
 **Define your rack-apps in plain-text with built-in security.**
 
+> **v2.0.0-pre1 Available**: This pre-release includes major improvements to middleware management and test coverage. See [changelog](CHANGELOG.rst) and [migration guide](docs/migrating/v2.0.0-pre1.md) for upgraders.
+
 ![Otto mascot](public/img/otto.jpg "Otto - All Rack, no Pinion")
 
 Otto apps have three files: a rackup file, a Ruby class, and a routes file. The routes file is just plain text that maps URLs to Ruby methods.

data/bin/rspec

@@ -0,0 +1,16 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+#
+# This file was generated by Bundler.
+#
+# The application 'rspec' is installed as part of a gem, and
+# this file is here to facilitate running it.
+#
+
+ENV['BUNDLE_GEMFILE'] ||= File.expand_path('../Gemfile', __dir__)
+
+require 'rubygems'
+require 'bundler/setup'
+
+load Gem.bin_path('rspec-core', 'rspec')

data/changelog.d/20250911_235619_delano_next.rst

@@ -0,0 +1,28 @@
+Added
+-----
+
+- ``Otto::RequestContext`` Data class providing immutable, structured authentication context for Logic classes
+- Helper methods ``authenticated?``, ``has_role?``, ``has_permission?``, ``user_name``, ``session_id`` for cleaner Logic class implementation
+- Factory methods for creating RequestContext from AuthResult or anonymous contexts
+
+Changed
+-------
+
+- **BREAKING**: Logic class constructor signature changed from ``initialize(session, user, params, locale)`` to ``initialize(context, params, locale)``
+- Logic classes now receive immutable RequestContext instead of separate session/user parameters
+- LogicClassHandler simplified to single arity pattern, removing backward compatibility code
+- Authentication middleware now creates RequestContext instances for all requests
+
+Documentation
+-------------
+
+- Updated migration guide with comprehensive RequestContext examples and step-by-step conversion instructions
+- Updated Logic class examples in advanced_routes and authentication_strategies to demonstrate new pattern
+- Enhanced documentation with RequestContext API reference and helper method examples
+
+AI Assistance
+-------------
+
+- RequestContext Data class design developed with AI architectural guidance for immutability and clean API
+- Comprehensive migration of all example Logic classes with AI assistance for consistency and best practices
+- Documentation improvements ensuring clarity of breaking changes and migration path

data/changelog.d/20250912_123055_delano_remove_ostruct.rst

@@ -0,0 +1,21 @@
+Changed
+-------
+
+- Replaced `RequestContext` with `StrategyResult` class for better authentication handling
+- Simplified authentication strategy API to return `StrategyResult` or `nil` for success/failure
+- Enhanced route handlers to support JSON request body parsing
+- Updated authentication middleware to use `StrategyResult` throughout
+
+Added
+-----
+
+- Added `StrategyResult` class with improved user model compatibility and cleaner API
+- Added JSON request body parsing support in Logic class handlers
+
+Removed
+-------
+
+- Removed `RequestContext` class (replaced by `StrategyResult`)
+- Removed `AuthResult` class from authentication system
+- Removed OpenStruct dependency across the framework
+- Removed `ConcurrentCacheStore` example class for an ActiveSupport::Cache::MemoryStore-compatible interface with Rack::Attack

data/changelog.d/20250912_175625_claude_delano_remove_ostruct.rst

@@ -0,0 +1,21 @@
+Changed
+-------
+
+- Reorganized Otto security module structure for better maintainability and separation of concerns
+- Moved authentication strategies to ``Otto::Security::Authentication::Strategies`` namespace
+- Moved security middleware to ``Otto::Security::Middleware`` namespace
+- Moved ``StrategyResult`` and ``FailureResult`` to ``Otto::Security::Authentication`` namespace
+
+Added
+-----
+
+- Added new modular directory structure under ``lib/otto/security/``
+- Added backward compatibility aliases to maintain existing API compatibility
+- Added proper namespacing for authentication components and middleware classes
+
+AI Assistance
+-------------
+
+- Comprehensive security module reorganization with systematic namespace restructuring
+- Automated test validation to ensure backward compatibility during refactoring
+- Intelligent file organization following Ruby conventions and single responsibility principles

data/changelog.d/README.md

@@ -0,0 +1,120 @@
+# Otto Changelog Process
+
+This directory contains Otto's changelog management using [Scriv](https://scriv.readthedocs.io/).
+
+## Developer Workflow
+
+### Creating a Changelog Fragment
+
+When making changes that affect users, create a changelog fragment:
+
+```bash
+# Create a new fragment
+scriv create
+
+# Edit the generated file in changelog.d/
+# Add entries under appropriate categories
+```
+
+### Categories
+
+Use these categories in your fragments:
+
+- **Added**: New features
+- **Changed**: Changes in existing functionality
+- **Deprecated**: Soon-to-be removed features
+- **Removed**: Removed features
+- **Fixed**: Bug fixes
+- **Security**: Security fixes and improvements
+- **Documentation**: Documentation changes
+- **AI Assistance**: AI-assisted development, analysis, and improvements
+
+### Fragment Format
+
+Each fragment uses reStructuredText format:
+
+```rst
+Added
+-----
+
+- New feature description
+
+Fixed
+-----
+
+- Bug fix description
+
+AI Assistance
+-------------
+
+- Comprehensive test coverage development with AI assistance
+```
+
+### Committing Changes
+
+Always commit the fragment alongside your code:
+
+```bash
+# Stage both code and fragment
+git add changelog.d/YYYYMMDD_HHmmss_username_branch.rst
+git add [your code files]
+
+# Commit together
+git commit -m "Your commit message
+
+Includes changelog fragment documenting changes."
+```
+
+## Release Process
+
+During releases, maintainers aggregate all fragments:
+
+```bash
+# Collect all fragments into CHANGELOG.rst
+scriv collect
+
+# Review the updated CHANGELOG.rst
+git add CHANGELOG.rst
+git commit -m "Release changelog for vX.Y.Z"
+```
+
+## Guidelines
+
+### When to Create Fragments
+
+Create fragments for:
+- ✅ New features users will notice
+- ✅ Bug fixes that affect user experience
+- ✅ Breaking changes or deprecations
+- ✅ Security fixes
+- ✅ API changes
+- ✅ Significant internal improvements (use AI Assistance category)
+
+Skip fragments for:
+- ❌ Internal refactoring with no user impact
+- ❌ Test-only changes (unless they represent significant coverage improvements)
+- ❌ Documentation typo fixes
+- ❌ CI/build changes
+
+### Fragment Quality
+
+Good fragments:
+- Are concise but descriptive
+- Focus on user impact, not implementation details
+- Link to issues/PRs when helpful: `(#123)`
+- Use active voice: "Fixed authentication bug" not "Authentication bug was fixed"
+
+### AI Assistance Category
+
+Use the "AI Assistance" category to document:
+- Security analysis and hardened design discussions
+- Implementation development with AI pair programming
+- Comprehensive test coverage development
+- Architecture improvements developed with AI
+- Code review and debugging sessions with AI
+
+This category ensures transparency about AI contributions to the project while highlighting areas where AI provided particular value.
+
+## Configuration
+
+See `scriv.ini` for configuration details. The setup automatically detects Otto's version from `lib/otto/version.rb`.

data/changelog.d/scriv.ini

@@ -0,0 +1,5 @@
+[scriv]
+format = rst
+categories = Added, Changed, Deprecated, Removed, Fixed, Security, Documentation, AI Assistance
+version = command: ruby -r ./lib/otto/version.rb -e "puts Otto::VERSION"
+main_branches = main, next

data/docs/.gitignore

@@ -1,2 +1,3 @@
 *
 !.gitignore
+!migrating/