otto 1.5.0 → 2.0.0.pre1

data/lib/otto/core/router.rb

@@ -0,0 +1,183 @@
+# frozen_string_literal: true
+
+# lib/otto/core/router.rb
+
+require_relative '../mcp/route_parser'
+
+class Otto
+  module Core
+    # Router module providing route loading and request dispatching functionality
+    module Router
+      def load(path)
+        path = File.expand_path(path)
+        raise ArgumentError, "Bad path: #{path}" unless File.exist?(path)
+
+        raw = File.readlines(path).select { |line| line =~ /^\w/ }.collect { |line| line.strip }
+        raw.each do |entry|
+          # Enhanced parsing: split only on first two whitespace boundaries
+          # This preserves parameters in the definition part
+          parts = entry.split(/\s+/, 3)
+          next if parts.size < 3 # Skip malformed entries
+
+          verb = parts[0]
+          path = parts[1]
+          definition = parts[2]
+
+          # Check for MCP routes
+          if Otto::MCP::RouteParser.is_mcp_route?(definition)
+            raise '[MCP] MCP server not enabled' unless @mcp_server
+
+            handle_mcp_route(verb, path, definition)
+            next
+          elsif Otto::MCP::RouteParser.is_tool_route?(definition)
+            raise '[MCP] MCP server not enabled' unless @mcp_server
+
+            handle_tool_route(verb, path, definition)
+            next
+          end
+
+          route                                   = Otto::Route.new verb, path, definition
+          route.otto                              = self
+          path_clean                              = path.gsub(%r{/$}, '')
+          @route_definitions[route.definition]    = route
+          Otto.logger.debug "route: #{route.pattern}" if Otto.debug
+          @routes[route.verb] ||= []
+          @routes[route.verb] << route
+          @routes_literal[route.verb]           ||= {}
+          @routes_literal[route.verb][path_clean] = route
+        rescue StandardError => e
+          Otto.logger.error "Bad route in #{path}: #{entry} (Error: #{e.message})"
+        end
+        self
+      end
+
+      def handle_request(env)
+        locale             = determine_locale env
+        env['rack.locale'] = locale
+        env['otto.locale_config'] = @locale_config if @locale_config
+        @static_route    ||= Rack::Files.new(option[:public]) if option[:public] && safe_dir?(option[:public])
+        path_info          = Rack::Utils.unescape(env['PATH_INFO'])
+        path_info          = '/' if path_info.to_s.empty?
+
+        begin
+          path_info_clean = path_info
+                            .encode(
+                              'UTF-8', # Target encoding
+                              invalid: :replace, # Replace invalid byte sequences
+                              undef: :replace,   # Replace characters undefined in UTF-8
+                              replace: '' # Use empty string for replacement
+                            )
+                            .gsub(%r{/$}, '') # Remove trailing slash, if present
+        rescue ArgumentError => e
+          # Log the error but don't expose details
+          Otto.logger.error '[Otto.handle_request] Path encoding error'
+          Otto.logger.debug "[Otto.handle_request] Error details: #{e.message}" if Otto.debug
+          # Set a default value or use the original path_info
+          path_info_clean = path_info
+        end
+
+        base_path      = File.split(path_info).first
+        # Files in the root directory can refer to themselves
+        base_path      = path_info if base_path == '/'
+        http_verb      = env['REQUEST_METHOD'].upcase.to_sym
+        literal_routes = routes_literal[http_verb] || {}
+        literal_routes.merge! routes_literal[:GET] if http_verb == :HEAD
+
+        if static_route && http_verb == :GET && routes_static[:GET].member?(base_path)
+          # Otto.logger.debug " request: #{path_info} (static)"
+          static_route.call(env)
+        elsif literal_routes.has_key?(path_info_clean)
+          route = literal_routes[path_info_clean]
+          # Otto.logger.debug " request: #{http_verb} #{path_info} (literal route: #{route.verb} #{route.path})"
+          route.call(env)
+        elsif static_route && http_verb == :GET && safe_file?(path_info)
+          Otto.logger.debug " new static route: #{base_path} (#{path_info})" if Otto.debug
+          routes_static[:GET][base_path] = base_path
+          static_route.call(env)
+        else
+          match_dynamic_route(env, path_info, http_verb, literal_routes)
+        end
+      end
+
+      def determine_locale(env)
+        accept_langs = env['HTTP_ACCEPT_LANGUAGE']
+        accept_langs = option[:locale] if accept_langs.to_s.empty?
+        locales      = []
+        unless accept_langs.empty?
+          locales = accept_langs.split(',').map do |l|
+            l += ';q=1.0' unless /;q=\d+(?:\.\d+)?$/.match?(l)
+            l.split(';q=')
+          end.sort_by do |_locale, qvalue|
+            qvalue.to_f
+          end.collect do |locale, _qvalue|
+            locale
+          end.reverse
+        end
+        Otto.logger.debug "locale: #{locales} (#{accept_langs})" if Otto.debug
+        locales.empty? ? nil : locales
+      end
+
+      private
+
+      def match_dynamic_route(env, path_info, http_verb, literal_routes)
+        extra_params  = {}
+        found_route   = nil
+        valid_routes  = routes[http_verb] || []
+        valid_routes.push(*routes[:GET]) if http_verb == :HEAD
+
+        valid_routes.each do |route|
+          # Otto.logger.debug " request: #{http_verb} #{path_info} (trying route: #{route.verb} #{route.pattern})"
+          next unless (match = route.pattern.match(path_info))
+
+          values = match.captures.to_a
+          # The first capture returned is the entire matched string b/c
+          # we wrapped the entire regex in parens. We don't need it to
+          # the full match.
+          values.shift
+          extra_params = build_route_params(route, values)
+          found_route  = route
+          break
+        end
+
+        found_route ||= literal_routes['/404']
+        if found_route
+          found_route.call env, extra_params
+        else
+          @not_found || Otto::Static.not_found
+        end
+      end
+
+      def build_route_params(route, values)
+        if route.keys.any?
+          route.keys.zip(values).each_with_object({}) do |(k, v), hash|
+            if k == 'splat'
+              (hash[k] ||= []) << v
+            else
+              hash[k] = v
+            end
+          end
+        elsif values.any?
+          { 'captures' => values }
+        else
+          {}
+        end
+      end
+
+      def handle_mcp_route(verb, path, definition)
+        route_info = Otto::MCP::RouteParser.parse_mcp_route(verb, path, definition)
+        @mcp_server.register_mcp_route(route_info)
+        Otto.logger.debug "[MCP] Registered resource route: #{definition}" if Otto.debug
+      rescue StandardError => e
+        Otto.logger.error "[MCP] Failed to parse MCP route: #{definition} - #{e.message}"
+      end
+
+      def handle_tool_route(verb, path, definition)
+        route_info = Otto::MCP::RouteParser.parse_tool_route(verb, path, definition)
+        @mcp_server.register_mcp_route(route_info)
+        Otto.logger.debug "[MCP] Registered tool route: #{definition}" if Otto.debug
+      rescue StandardError => e
+        Otto.logger.error "[MCP] Failed to parse TOOL route: #{definition} - #{e.message}"
+      end
+    end
+  end
+end

data/lib/otto/core/uri_generator.rb

@@ -0,0 +1,44 @@
+# frozen_string_literal: true
+
+# lib/otto/core/uri_generator.rb
+
+require 'uri'
+
+class Otto
+  module Core
+    # URI generation module providing path and URL generation for route definitions
+    module UriGenerator
+      # Return the URI path for the given +route_definition+
+      # e.g.
+      #
+      #     Otto.default.path 'YourClass.somemethod'  #=> /some/path
+      #
+      def uri(route_definition, params = {})
+        # raise RuntimeError, "Not working"
+        route = @route_definitions[route_definition]
+        return if route.nil?
+
+        local_params = params.clone
+        local_path   = route.path.clone
+
+        keys_to_remove = []
+        local_params.each_pair do |k, v|
+          next unless local_path.match(":#{k}")
+
+          local_path.gsub!(":#{k}", v.to_s)
+          keys_to_remove << k
+        end
+        keys_to_remove.each { |k| local_params.delete(k) }
+
+        uri = URI::HTTP.new(nil, nil, nil, nil, nil, local_path, nil, nil, nil)
+        unless local_params.empty?
+          query_string = local_params.map do |k, v|
+            "#{URI.encode_www_form_component(k)}=#{URI.encode_www_form_component(v)}"
+          end.join('&')
+          uri.query = query_string
+        end
+        uri.to_s
+      end
+    end
+  end
+end

data/lib/otto/design_system.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 # lib/otto/design_system.rb
 
 class Otto
@@ -112,11 +114,11 @@ class Otto
       return '' if text.nil?
 
       text.to_s
-        .gsub('&', '&')
-        .gsub('<', '&lt;')
-        .gsub('>', '&gt;')
-        .gsub('"', '&quot;')
-        .gsub("'", '&#x27;')
+          .gsub('&', '&amp;')
+          .gsub('<', '&lt;')
+          .gsub('>', '&gt;')
+          .gsub('"', '&quot;')
+          .gsub("'", '&#x27;')
     end
 
     def otto_styles

data/lib/otto/helpers/base.rb

@@ -1,6 +1,9 @@
+# frozen_string_literal: true
+
 # lib/otto/helpers/base.rb
 
 class Otto
+  # Base helper methods providing core functionality for Otto applications
   module BaseHelpers
     # Build application path by joining path segments
     #

data/lib/otto/helpers/request.rb

@@ -1,8 +1,11 @@
+# frozen_string_literal: true
+
 # lib/otto/helpers/request.rb
 
 require_relative 'base'
 
 class Otto
+  # Request helper methods providing HTTP request handling utilities
   module RequestHelpers
     include Otto::BaseHelpers
 
@@ -14,9 +17,7 @@ class Otto
       remote_addr = env['REMOTE_ADDR']
 
       # If we don't have a security config or trusted proxies, use direct connection
-      if !otto_security_config || !trusted_proxy?(remote_addr)
-        return validate_ip_address(remote_addr)
-      end
+      return validate_ip_address(remote_addr) if !otto_security_config || !trusted_proxy?(remote_addr)
 
       # Check forwarded headers from trusted proxies
       forwarded_ips = [
@@ -152,12 +153,12 @@ class Otto
 
       # RFC 1918 private ranges and loopback
       private_ranges = [
-        /\A10\./,                    # 10.0.0.0/8
+        /\A10\./, # 10.0.0.0/8
         /\A172\.(1[6-9]|2[0-9]|3[01])\./, # 172.16.0.0/12
         /\A192\.168\./,              # 192.168.0.0/16
         /\A169\.254\./,              # 169.254.0.0/16 (link-local)
         /\A224\./,                   # 224.0.0.0/4 (multicast)
-        /\A0\./,                      # 0.0.0.0/8
+        /\A0\./, # 0.0.0.0/8
       ]
 
       private_ranges.any? { |range| ip.match?(range) }
@@ -207,7 +208,7 @@ class Otto
 
       # Add any header that begins with the specified prefix
       if header_prefix
-        prefix_keys = env.keys.select { |key| key.upcase.start_with?("HTTP_#{header_prefix.upcase}") }
+        prefix_keys = env.keys.select { _1.upcase.start_with?("HTTP_#{header_prefix.upcase}") }
         keys.concat(prefix_keys)
       end
 
@@ -354,8 +355,9 @@ class Otto
       debug_enabled     = opts[:debug] || false
 
       # Guard clause - required configuration must be present
-      unless available_locales && default_locale
-        raise ArgumentError, 'available_locales and default_locale are required (provide via opts or Otto configuration)'
+      unless available_locales.is_a?(Hash) && !available_locales.empty? && default_locale && available_locales.key?(default_locale)
+        raise ArgumentError,
+              'available_locales must be a non-empty Hash and include default_locale (provide via opts or Otto configuration)'
       end
 
       # Check sources in order of precedence

data/lib/otto/helpers/response.rb

@@ -1,8 +1,11 @@
+# frozen_string_literal: true
+
 # lib/otto/helpers/response.rb
 
 require_relative 'base'
 
 class Otto
+  # Response helper methods providing HTTP response handling utilities
   module ResponseHelpers
     include Otto::BaseHelpers
 
@@ -48,7 +51,7 @@ class Otto
       session_opts = opts.merge(
         secure: true,
         httponly: true,
-        samesite: :strict,
+        samesite: :strict
       )
 
       # Remove expiration-related options for session cookies
@@ -109,9 +112,7 @@ class Otto
       headers['content-type'] ||= content_type
 
       # Warn if CSP header already exists but don't skip
-      if headers['content-security-policy']
-        warn 'CSP header already set, overriding with nonce-based policy'
-      end
+      warn 'CSP header already set, overriding with nonce-based policy' if headers['content-security-policy']
 
       # Get security configuration
       security_config = opts[:security_config] ||

data/lib/otto/helpers/validation.rb

@@ -0,0 +1,85 @@
+# frozen_string_literal: true
+
+# lib/otto/helpers/validation.rb
+
+require 'loofah'
+require 'facets/file'
+
+class Otto
+  module Security
+    # Validation helper methods providing input validation and sanitization
+    module ValidationHelpers
+      def validate_input(input, max_length: 1000, allow_html: false)
+        return input if input.nil?
+
+        input_str = input.to_s
+        return input_str if input_str.empty?
+
+        # Check length
+        if input_str.length > max_length
+          raise Otto::Security::ValidationError, "Input too long (#{input_str.length} > #{max_length})"
+        end
+
+        # Use Loofah for HTML sanitization and validation
+        unless allow_html
+          # Check for script injection first (these should always be rejected)
+          raise Otto::Security::ValidationError, 'Dangerous content detected' if looks_like_script_injection?(input_str)
+
+          # Use Loofah to sanitize less dangerous HTML content
+          sanitized_input = Loofah.fragment(input_str).scrub!(:whitewash).to_s
+          input_str       = sanitized_input
+        end
+
+        # Always check for SQL injection
+        ValidationMiddleware::SQL_INJECTION_PATTERNS.each do |pattern|
+          raise Otto::Security::ValidationError, 'Potential SQL injection detected' if input_str.match?(pattern)
+        end
+
+        input_str
+      end
+
+      def sanitize_filename(filename)
+        return nil if filename.nil?
+        return 'file' if filename.empty?
+
+        # Use Facets File.sanitize for basic filesystem-safe filename
+        clean_name = File.sanitize(filename.to_s)
+
+        # Handle edge cases and improve on Facets behavior to match test expectations
+        if clean_name.nil? || clean_name.empty?
+          clean_name = 'file'
+        else
+          # Additional cleanup that Facets doesn't do but our tests expect
+          clean_name = clean_name.gsub(/_{2,}/, '_')        # Collapse multiple underscores
+          clean_name = clean_name.gsub(/^_+|_+$/, '')       # Remove leading/trailing underscores
+          clean_name = 'file' if clean_name.empty?          # Handle case where only underscores remain
+        end
+
+        # Ensure reasonable length (255 is filesystem limit, leave some padding)
+        clean_name = clean_name[0..99] if clean_name.length > 100
+
+        clean_name
+      end
+
+      private
+
+      # Check if content looks like it contains HTML tags or entities
+      def contains_html_like_content?(content)
+        content.match?(/[<>&]/) || content.match?(/&\w+;/)
+      end
+
+      # Detect likely script injection attempts that should be rejected
+      def looks_like_script_injection?(content)
+        dangerous_patterns = [
+          /javascript:/i,
+          /<script[^>]*>/i,
+          /on\w+\s*=/i, # event handlers like onclick=
+          /expression\s*\(/i,
+          /data:.*base64/i,
+        ]
+
+        dangerous_patterns.any? { |pattern| content.match?(pattern) }
+      end
+    end
+  end
+end

data/lib/otto/mcp/auth/token.rb

@@ -0,0 +1,77 @@
+# frozen_string_literal: true
+
+# lib/otto/mcp/auth/token.rb
+
+require 'json'
+
+class Otto
+  module MCP
+    module Auth
+      # Token-based authentication for MCP protocol endpoints
+      class TokenAuth
+        def initialize(tokens)
+          @tokens = Array(tokens).to_set
+        end
+
+        def authenticate(env)
+          token = extract_token(env)
+          return false unless token
+
+          @tokens.include?(token)
+        end
+
+        private
+
+        def extract_token(env)
+          # Try Authorization header first (Bearer token)
+          auth_header = env['HTTP_AUTHORIZATION']
+          return auth_header[7..] if auth_header&.start_with?('Bearer ')
+
+          # Try X-MCP-Token header
+          env['HTTP_X_MCP_TOKEN']
+        end
+      end
+
+      # Middleware for token authentication in MCP protocol
+      class TokenMiddleware
+        def initialize(app, security_config = nil)
+          @app             = app
+          @security_config = security_config
+        end
+
+        def call(env)
+          # Only apply to MCP endpoints
+          return @app.call(env) unless mcp_endpoint?(env)
+
+          # Get auth instance from security config
+          auth = @security_config&.mcp_auth
+          return unauthorized_response if auth && !auth.authenticate(env)
+
+          @app.call(env)
+        end
+
+        private
+
+        def mcp_endpoint?(env)
+          endpoint = env['otto.mcp_http_endpoint'] || '/_mcp'
+          path     = env['PATH_INFO'].to_s
+          path.start_with?(endpoint)
+        end
+
+        def unauthorized_response
+          body = JSON.generate({
+                                 jsonrpc: '2.0',
+            id: nil,
+            error: {
+              code: -32_000,
+              message: 'Unauthorized',
+              data: 'Valid token required',
+            },
+                               })
+
+          [401, { 'content-type' => 'application/json' }, [body]]
+        end
+      end
+    end
+  end
+end

data/lib/otto/mcp/protocol.rb

@@ -0,0 +1,164 @@
+# frozen_string_literal: true
+
+# lib/otto/mcp/protocol.rb
+
+require 'json'
+require_relative 'registry'
+
+class Otto
+  module MCP
+    # MCP protocol handler providing Model Context Protocol functionality
+    class Protocol
+      attr_reader :registry
+
+      def initialize(otto_instance)
+        @otto     = otto_instance
+        @registry = Registry.new
+      end
+
+      def handle_request(env)
+        request = Rack::Request.new(env)
+
+        unless request.post? && request.content_type&.include?('application/json')
+          return error_response(nil, -32_600, 'Invalid Request', 'Only JSON-RPC POST requests supported')
+        end
+
+        begin
+          body = request.body.read
+          data = JSON.parse(body)
+        rescue JSON::ParserError
+          return error_response(nil, -32_700, 'Parse error', 'Invalid JSON')
+        end
+
+        unless valid_jsonrpc_request?(data)
+          return error_response(data['id'], -32_600, 'Invalid Request', 'Missing jsonrpc, method, or id fields')
+        end
+
+        case data['method']
+        when 'initialize'
+          handle_initialize(data)
+        when 'resources/list'
+          handle_resources_list(data)
+        when 'resources/read'
+          handle_resources_read(data)
+        when 'tools/list'
+          handle_tools_list(data)
+        when 'tools/call'
+          handle_tools_call(data, env)
+        else
+          error_response(data['id'], -32_601, 'Method not found', "Unknown method: #{data['method']}")
+        end
+      end
+
+      private
+
+      def valid_jsonrpc_request?(data)
+        data.is_a?(Hash) &&
+          data['jsonrpc'] == '2.0' &&
+          data['method'].is_a?(String) &&
+          data.key?('id')
+      end
+
+      def handle_initialize(data)
+        capabilities = {
+          resources: {
+            subscribe: false,
+            listChanged: false,
+          },
+          tools: {},
+        }
+
+        success_response(data['id'], {
+                           protocolVersion: '2024-11-05',
+          capabilities: capabilities,
+          serverInfo: {
+            name: 'Otto MCP Server',
+            version: Otto::VERSION,
+          },
+                         })
+      end
+
+      def handle_resources_list(data)
+        resources = @registry.list_resources
+        success_response(data['id'], { resources: resources })
+      end
+
+      def handle_resources_read(data)
+        params = data['params'] || {}
+        uri    = params['uri']
+
+        return error_response(data['id'], -32_602, 'Invalid params', 'Missing uri parameter') unless uri
+
+        resource = @registry.read_resource(uri)
+        if resource
+          success_response(data['id'], resource)
+        else
+          error_response(data['id'], -32_001, 'Resource not found', "Resource not found: #{uri}")
+        end
+      end
+
+      def handle_tools_list(data)
+        tools = @registry.list_tools
+        success_response(data['id'], { tools: tools })
+      end
+
+      def handle_tools_call(data, env)
+        params    = data['params'] || {}
+        name      = params['name']
+        arguments = params['arguments'] || {}
+
+        return error_response(data['id'], -32_602, 'Invalid params', 'Missing name parameter') unless name
+
+        begin
+          result = @registry.call_tool(name, arguments, env)
+          success_response(data['id'], result)
+        rescue StandardError => e
+          Otto.logger.error "[MCP] Tool call error: #{e.message}"
+          error_response(data['id'], -32_603, 'Internal error', e.message)
+        end
+      end
+
+      def success_response(id, result)
+        body = JSON.generate({
+                               jsonrpc: '2.0',
+          id: id,
+          result: result,
+                             })
+
+        [200, { 'content-type' => 'application/json' }, [body]]
+      end
+
+      def error_response(id, code, message, data = nil)
+        error        = { code: code, message: message }
+        error[:data] = data if data
+
+        body = JSON.generate({
+                               jsonrpc: '2.0',
+          id: id,
+          error: error,
+                             })
+
+        # Map JSON-RPC error codes to appropriate HTTP status codes
+        http_status = case code
+                      when -32_700..-32_600 # Parse error, Invalid Request, Method not found
+                        400
+                      when -32_603, -32_000..-32_099 # Internal error and all server error range (-32000..-32099)
+                        500
+                      when -32_001         # Resource not found
+                        404
+                      when -32_002         # Tool not found
+                        404
+                      when -32_601         # Method not found
+                        404
+                      when -32_602         # Invalid params
+                        400
+                      else
+                        # Default client error for unknown non-server codes; treat server-range as 500
+                        (-32_099..-32_000).cover?(code) ? 500 : 400
+                      end
+
+        [http_status, { 'content-type' => 'application/json' }, [body]]
+      end
+    end
+  end
+end