otto 1.6.0 → 2.0.0.pre1

data/otto.gemspec

@@ -16,10 +16,10 @@ Gem::Specification.new do |spec|
 
   spec.required_ruby_version = ['>= 3.2', '< 4.0']
 
-  spec.add_dependency 'ostruct', '~> 0.6.3'
+
   spec.add_dependency 'rack', '~> 3.1', '< 4.0'
   spec.add_dependency 'rack-parser', '~> 0.7'
-  spec.add_dependency 'rexml', '~> 3.3', '>= 3.3.6'
+  spec.add_dependency 'rexml', '>= 3.3.6'
 
   # Security dependencies
   spec.add_dependency 'facets', '~> 3.1'

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: otto
 version: !ruby/object:Gem::Version
-  version: 1.6.0
+  version: 2.0.0.pre1
 platform: ruby
 authors:
 - Delano Mandelbaum
@@ -9,20 +9,6 @@ bindir: bin
 cert_chain: []
 date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
-- !ruby/object:Gem::Dependency
-  name: ostruct
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: 0.6.3
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: 0.6.3
 - !ruby/object:Gem::Dependency
   name: rack
   requirement: !ruby/object:Gem::Requirement
@@ -61,9 +47,6 @@ dependencies:
   name: rexml
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '3.3'
     - - ">="
       - !ruby/object:Gem::Version
         version: 3.3.6
@@ -71,9 +54,6 @@ dependencies:
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '3.3'
     - - ">="
       - !ruby/object:Gem::Version
         version: 3.3.6
@@ -113,34 +93,87 @@ extra_rdoc_files: []
 files:
 - ".github/dependabot.yml"
 - ".github/workflows/ci.yml"
+- ".github/workflows/claude-code-review.yml"
+- ".github/workflows/claude.yml"
 - ".gitignore"
 - ".pre-commit-config.yaml"
 - ".pre-push-config.yaml"
 - ".rspec"
 - ".rubocop.yml"
+- CHANGELOG.rst
+- CLAUDE.md
 - Gemfile
 - Gemfile.lock
 - LICENSE.txt
 - README.md
 - bin/rspec
+- changelog.d/20250911_235619_delano_next.rst
+- changelog.d/20250912_123055_delano_remove_ostruct.rst
+- changelog.d/20250912_175625_claude_delano_remove_ostruct.rst
+- changelog.d/README.md
+- changelog.d/scriv.ini
 - docs/.gitignore
+- docs/migrating/v2.0.0-pre1.md
+- examples/.gitignore
+- examples/advanced_routes/README.md
+- examples/advanced_routes/app.rb
+- examples/advanced_routes/app/controllers/handlers/async.rb
+- examples/advanced_routes/app/controllers/handlers/dynamic.rb
+- examples/advanced_routes/app/controllers/handlers/static.rb
+- examples/advanced_routes/app/controllers/modules/auth.rb
+- examples/advanced_routes/app/controllers/modules/transformer.rb
+- examples/advanced_routes/app/controllers/modules/validator.rb
+- examples/advanced_routes/app/controllers/routes_app.rb
+- examples/advanced_routes/app/controllers/v2/admin.rb
+- examples/advanced_routes/app/controllers/v2/config.rb
+- examples/advanced_routes/app/controllers/v2/settings.rb
+- examples/advanced_routes/app/logic/admin/logic/manager.rb
+- examples/advanced_routes/app/logic/admin/panel.rb
+- examples/advanced_routes/app/logic/analytics_processor.rb
+- examples/advanced_routes/app/logic/complex/business/handler.rb
+- examples/advanced_routes/app/logic/data_logic.rb
+- examples/advanced_routes/app/logic/data_processor.rb
+- examples/advanced_routes/app/logic/input_validator.rb
+- examples/advanced_routes/app/logic/nested/feature/logic.rb
+- examples/advanced_routes/app/logic/reports_generator.rb
+- examples/advanced_routes/app/logic/simple_logic.rb
+- examples/advanced_routes/app/logic/system/config/manager.rb
+- examples/advanced_routes/app/logic/test_logic.rb
+- examples/advanced_routes/app/logic/transform_logic.rb
+- examples/advanced_routes/app/logic/upload_logic.rb
+- examples/advanced_routes/app/logic/v2/logic/dashboard.rb
+- examples/advanced_routes/app/logic/v2/logic/processor.rb
+- examples/advanced_routes/config.rb
+- examples/advanced_routes/config.ru
+- examples/advanced_routes/puma.rb
+- examples/advanced_routes/routes
+- examples/advanced_routes/run.rb
+- examples/advanced_routes/test.rb
+- examples/authentication_strategies/README.md
+- examples/authentication_strategies/app/auth.rb
+- examples/authentication_strategies/app/controllers/auth_controller.rb
+- examples/authentication_strategies/app/controllers/main_controller.rb
+- examples/authentication_strategies/config.ru
+- examples/authentication_strategies/routes
+- examples/basic/README.md
 - examples/basic/app.rb
 - examples/basic/config.ru
 - examples/basic/routes
-- examples/dynamic_pages/app.rb
-- examples/dynamic_pages/config.ru
-- examples/dynamic_pages/routes
-- examples/helpers_demo/app.rb
-- examples/helpers_demo/config.ru
-- examples/helpers_demo/routes
+- examples/mcp_demo/README.md
 - examples/mcp_demo/app.rb
 - examples/mcp_demo/config.ru
 - examples/mcp_demo/routes
+- examples/security_features/README.md
 - examples/security_features/app.rb
 - examples/security_features/config.ru
 - examples/security_features/routes
-- lib/concurrent_cache_store.rb
 - lib/otto.rb
+- lib/otto/core/configuration.rb
+- lib/otto/core/error_handler.rb
+- lib/otto/core/file_safety.rb
+- lib/otto/core/middleware_stack.rb
+- lib/otto/core/router.rb
+- lib/otto/core/uri_generator.rb
 - lib/otto/design_system.rb
 - lib/otto/helpers/base.rb
 - lib/otto/helpers/request.rb
@@ -154,15 +187,43 @@ files:
 - lib/otto/mcp/server.rb
 - lib/otto/mcp/validation.rb
 - lib/otto/response_handlers.rb
+- lib/otto/response_handlers/auto.rb
+- lib/otto/response_handlers/base.rb
+- lib/otto/response_handlers/default.rb
+- lib/otto/response_handlers/factory.rb
+- lib/otto/response_handlers/json.rb
+- lib/otto/response_handlers/redirect.rb
+- lib/otto/response_handlers/view.rb
 - lib/otto/route.rb
 - lib/otto/route_definition.rb
 - lib/otto/route_handlers.rb
+- lib/otto/route_handlers/base.rb
+- lib/otto/route_handlers/class_method.rb
+- lib/otto/route_handlers/factory.rb
+- lib/otto/route_handlers/instance_method.rb
+- lib/otto/route_handlers/lambda.rb
+- lib/otto/route_handlers/logic_class.rb
 - lib/otto/security/authentication.rb
+- lib/otto/security/authentication/auth_strategy.rb
+- lib/otto/security/authentication/authentication_middleware.rb
+- lib/otto/security/authentication/failure_result.rb
+- lib/otto/security/authentication/strategies/api_key_strategy.rb
+- lib/otto/security/authentication/strategies/permission_strategy.rb
+- lib/otto/security/authentication/strategies/public_strategy.rb
+- lib/otto/security/authentication/strategies/role_strategy.rb
+- lib/otto/security/authentication/strategies/session_strategy.rb
+- lib/otto/security/authentication/strategy_result.rb
 - lib/otto/security/config.rb
+- lib/otto/security/configurator.rb
 - lib/otto/security/csrf.rb
+- lib/otto/security/middleware/csrf_middleware.rb
+- lib/otto/security/middleware/rate_limit_middleware.rb
+- lib/otto/security/middleware/validation_middleware.rb
+- lib/otto/security/rate_limiter.rb
 - lib/otto/security/rate_limiting.rb
 - lib/otto/security/validator.rb
 - lib/otto/static.rb
+- lib/otto/utils.rb
 - lib/otto/version.rb
 - otto.gemspec
 - public/favicon.ico

data/examples/dynamic_pages/app.rb

@@ -1,115 +0,0 @@
-# examples/basic/app.rb (Streamlined with Design System)
-
-require_relative '../../lib/otto/design_system'
-
-class App
-  include Otto::DesignSystem
-
-  attr_reader :req, :res
-
-  def initialize(req, res)
-    @req                        = req
-    @res                        = res
-    res.headers['content-type'] = 'text/html; charset=utf-8'
-  end
-
-  def index
-    # This demonstrates nested heredocs in Ruby
-    # The outer heredoc uses <<~HTML delimiter
-    content = <<~HTML
-      <div class="otto-card otto-text-center">
-        <img src="/img/otto.jpg" alt="Otto Framework" class="otto-logo" />
-        <h1>Otto Framework</h1>
-        <p>Minimal Ruby web framework with style</p>
-      </div>
-
-      #{otto_card('Dynamic Pages') do
-        # This is a nested heredoc within the outer HTML heredoc
-        # It uses a different delimiter (EXAMPLES) to avoid conflicts
-        # The #{} interpolation allows the inner heredoc to be embedded
-        <<~EXAMPLES
-          #{otto_link('Product #100', '/product/100')} - View product page<br>
-          #{otto_link('Product #42', '/product/42')} - Different product<br>
-          #{otto_link('API Data', '/product/100.json')} - JSON endpoint
-        EXAMPLES
-      end}
-    HTML
-
-    res.send_secure_cookie :sess, 1_234_567, 3600
-    res.body = otto_page(content)
-  end
-
-  def receive_feedback
-    message = req.params['msg']&.strip
-
-    content = if message.nil? || message.empty?
-      otto_alert('error', 'Empty Message', 'Please enter a message before submitting.')
-    else
-      otto_alert('success', 'Feedback Received', 'Thanks for your message!') +
-        otto_card('Your Message') { otto_code_block(message, 'text') }
-    end
-
-    content += "<p>#{otto_link('← Back', '/')}</p>"
-    res.body = otto_page(content, 'Feedback')
-  end
-
-  def redirect
-    res.redirect '/robots.txt'
-  end
-
-  def robots_text
-    res.headers['content-type'] = 'text/plain'
-    res.body                    = ['User-agent: *', 'Disallow: /private'].join($/)
-  end
-
-  def display_product
-    prodid = req.params[:prodid]
-
-    # Check if JSON is requested via .json extension or Accept header
-    wants_json = req.path_info.end_with?('.json') ||
-                 req.env['HTTP_ACCEPT']&.include?('application/json')
-
-    if wants_json
-      res.headers['content-type'] = 'application/json; charset=utf-8'
-      res.body                    = format('{"product":%s,"msg":"Hint: try another value"}', prodid)
-    else
-      # Return HTML product page
-      product_data = {
-        'Product ID' => prodid,
-        'Name' => "Sample Product ##{prodid}",
-        'Price' => "$#{rand(10..999)}.99",
-        'Description' => 'This is a demonstration product showing dynamic routing with parameter :prodid',
-        'Stock' => rand(0..50) > 5 ? 'In Stock' : 'Out of Stock',
-      }
-
-      product_html = product_data.map do |key, value|
-        "<p><strong>#{key}:</strong> #{escape_html(value.to_s)}</p>"
-      end.join
-
-      content = <<~HTML
-        #{otto_card('Product Details') { product_html }}
-
-        <p>
-          #{otto_link('← Back to Home', '/')} |
-          #{otto_link('View as JSON', "/product/#{prodid}.json")}
-        </p>
-      HTML
-
-      res.body = otto_page(content, "Product ##{prodid}")
-    end
-  end
-
-  def not_found
-    res.status = 404
-    content    = otto_alert('error', 'Not Found', 'The requested page could not be found.')
-    content   += "<p>#{otto_link('← Home', '/')}</p>"
-    res.body   = otto_page(content, '404')
-  end
-
-  def server_error
-    res.status = 500
-    content    = otto_alert('error', 'Server Error', 'An internal server error occurred.')
-    content   += "<p>#{otto_link('← Home', '/')}</p>"
-    res.body   = otto_page(content, '500')
-  end
-end

data/examples/dynamic_pages/config.ru

@@ -1,30 +0,0 @@
-# examples/basic/config.ru
-
-# OTTO EXAMPLE APP CONFIG - 2025-08-18
-#
-# Usage:
-#
-#     $ thin -e dev -R config.ru -p 10770 start
-
-public_path = File.expand_path('../../public', __dir__)
-
-require_relative '../../lib/otto'
-require_relative 'app'
-
-app = Otto.new('routes')
-
-# DEV: Run web apps with extra logging and reloading
-if Otto.env?(:dev)
-
-  map('/') do
-    use Rack::CommonLogger
-    use Rack::Reloader, 0
-    app.option[:public] = public_path
-    app.add_static_path '/favicon.ico'
-    run app
-  end
-
-# PROD: run the webapp on the metal
-else
-  map('/') { run app }
-end

data/examples/dynamic_pages/routes

@@ -1,21 +0,0 @@
-# examples/basic/routes
-
-# OTTO - ROUTES EXAMPLE
-
-# Each route has three parts:
-#  * HTTP verb (GET, POST, PUT, DELETE or HEAD)
-#  * URI path
-#  * Ruby class and method to call
-
-GET   /                         App#index
-POST  /                         App#receive_feedback
-GET   /redirect                 App#redirect
-GET   /robots.txt               App#robots_text
-GET   /product/:prodid          App#display_product
-
-GET   /bogus                    App#no_such_method
-
-# You can also define these handlers when no
-# route can be found or there's a server error. (optional)
-GET   /404                      App#not_found
-GET   /500                      App#server_error

data/examples/helpers_demo/app.rb

@@ -1,244 +0,0 @@
-require 'otto'
-require 'json'
-
-class HelpersDemo
-  def initialize(req, res)
-    @req, @res = req, res
-  end
-
-  attr_reader :req, :res
-
-  def index
-    res.headers['content-type'] = 'text/html'
-    res.body = <<~HTML
-      <h1>Otto Request & Response Helpers Demo</h1>
-      <p>This demo shows Otto's built-in request and response helpers.</p>
-
-      <h2>Available Demos:</h2>
-      <ul>
-        <li><a href="/request-info">Request Information</a> - Shows client IP, user agent, security info</li>
-        <li><a href="/locale-demo?locale=es">Locale Detection</a> - Demonstrates locale detection and configuration</li>
-        <li><a href="/secure-cookie">Secure Cookies</a> - Sets secure cookies with proper options</li>
-        <li><a href="/headers">Response Headers</a> - Shows security headers and custom headers</li>
-        <li>
-          <form method="POST" action="/csp-demo">
-            <button type="submit">CSP Headers Demo</button> - Content Security Policy with nonce
-          </form>
-        </li>
-      </ul>
-
-      <h2>Try These URLs:</h2>
-      <ul>
-        <li><a href="/locale-demo?locale=fr">French locale</a></li>
-        <li><a href="/locale-demo?locale=invalid">Invalid locale (falls back to default)</a></li>
-      </ul>
-    HTML
-  end
-
-  def request_info
-    # Demonstrate request helpers
-    info = {
-      'Client IP' => req.client_ipaddress,
-      'User Agent' => req.user_agent,
-      'HTTP Host' => req.http_host,
-      'Server Name' => req.current_server_name,
-      'Request Path' => req.request_path,
-      'Request URI' => req.request_uri,
-      'Is Local?' => req.local?,
-      'Is Secure?' => req.secure?,
-      'Is AJAX?' => req.ajax?,
-      'Current Absolute URI' => req.current_absolute_uri,
-      'Request Method' => req.request_method
-    }
-
-    # Show collected proxy headers
-    proxy_headers = req.collect_proxy_headers(
-      header_prefix: 'X_DEMO_',
-      additional_keys: ['HTTP_ACCEPT', 'HTTP_ACCEPT_LANGUAGE']
-    )
-
-    # Format request details for logging
-    request_details = req.format_request_details(header_prefix: 'X_DEMO_')
-
-    res.headers['content-type'] = 'text/html'
-    res.body = <<~HTML
-      <h1>Request Information</h1>
-      <p><a href="/">← Back to index</a></p>
-
-      <h2>Basic Request Info:</h2>
-      <table border="1" style="border-collapse: collapse;">
-        #{info.map { |k, v| "<tr><td><strong>#{k}</strong></td><td>#{v}</td></tr>" }.join("\n        ")}
-      </table>
-
-      <h2>Proxy Headers:</h2>
-      <pre>#{proxy_headers}</pre>
-
-      <h2>Formatted Request Details (for logging):</h2>
-      <pre>#{request_details}</pre>
-
-      <h2>Application Path Helper:</h2>
-      <p>App path for ['api', 'v1', 'users']: <code>#{req.app_path('api', 'v1', 'users')}</code></p>
-    HTML
-  end
-
-  def locale_demo
-    # Demonstrate locale detection with Otto configuration
-    current_locale = req.check_locale!(req.params['locale'], {
-      preferred_locale: 'es', # Simulate user preference
-      locale_env_key: 'demo.locale',
-      debug: true
-    })
-
-    # Show what was stored in environment
-    stored_locale = req.env['demo.locale']
-
-    res.headers['content-type'] = 'text/html'
-    res.body = <<~HTML
-      <h1>Locale Detection Demo</h1>
-      <p><a href="/">← Back to index</a></p>
-
-      <h2>Locale Detection Results:</h2>
-      <table border="1" style="border-collapse: collapse;">
-        <tr><td><strong>Detected Locale</strong></td><td>#{current_locale}</td></tr>
-        <tr><td><strong>Stored in Environment</strong></td><td>#{stored_locale}</td></tr>
-        <tr><td><strong>Query Parameter</strong></td><td>#{req.params['locale'] || 'none'}</td></tr>
-        <tr><td><strong>Accept-Language Header</strong></td><td>#{req.env['HTTP_ACCEPT_LANGUAGE'] || 'none'}</td></tr>
-      </table>
-
-      <h2>Locale Sources (in precedence order):</h2>
-      <ol>
-        <li>URL Parameter: <code>?locale=#{req.params['locale'] || 'none'}</code></li>
-        <li>User Preference: <code>es</code> (simulated)</li>
-        <li>Rack Locale: <code>#{req.env['rack.locale']&.first || 'none'}</code></li>
-        <li>Default: <code>en</code></li>
-      </ol>
-
-      <h2>Try Different Locales:</h2>
-      <ul>
-        <li><a href="/locale-demo?locale=en">English (en)</a></li>
-        <li><a href="/locale-demo?locale=es">Spanish (es)</a></li>
-        <li><a href="/locale-demo?locale=fr">French (fr)</a></li>
-        <li><a href="/locale-demo?locale=invalid">Invalid locale</a></li>
-        <li><a href="/locale-demo">No locale parameter</a></li>
-      </ul>
-    HTML
-  end
-
-  def secure_cookie
-    # Demonstrate secure cookie helpers
-    res.send_secure_cookie('demo_secure', 'secure_value_123', 3600, {
-      path: '/helpers_demo',
-      secure: !req.local?, # Only secure in production
-      same_site: :strict
-    })
-
-    res.send_session_cookie('demo_session', 'session_value_456', {
-      path: '/helpers_demo'
-    })
-
-    res.headers['content-type'] = 'text/html'
-    res.body = <<~HTML
-      <h1>Secure Cookies Demo</h1>
-      <p><a href="/">← Back to index</a></p>
-
-      <h2>Cookies Set:</h2>
-      <ul>
-        <li><strong>demo_secure</strong> - Secure cookie with 1 hour TTL</li>
-        <li><strong>demo_session</strong> - Session cookie (no expiration)</li>
-      </ul>
-
-      <h2>Cookie Security Features:</h2>
-      <ul>
-        <li>Secure flag (HTTPS only in production)</li>
-        <li>HttpOnly flag (prevents XSS access)</li>
-        <li>SameSite=Strict (CSRF protection)</li>
-        <li>Proper expiration handling</li>
-      </ul>
-
-      <p>Check your browser's developer tools to see the cookie headers!</p>
-    HTML
-  end
-
-  def csp_demo
-    # Demonstrate CSP headers with nonce
-    nonce = SecureRandom.base64(16)
-
-    res.send_csp_headers('text/html; charset=utf-8', nonce, {
-      development_mode: req.local?,
-      debug: true
-    })
-
-    res.body = <<~HTML
-      <h1>Content Security Policy Demo</h1>
-      <p><a href="/">← Back to index</a></p>
-
-      <h2>CSP Header Generated</h2>
-      <p>This page includes a CSP header with a nonce. Check the response headers!</p>
-
-      <h2>Nonce Value:</h2>
-      <p><code>#{nonce}</code></p>
-
-      <h2>Inline Script with Nonce:</h2>
-      <script nonce="#{nonce}">
-        console.log('This script runs because it has the correct nonce!');
-        document.addEventListener('DOMContentLoaded', function() {
-          document.getElementById('nonce-demo').innerHTML = 'Nonce verification successful!';
-        });
-      </script>
-
-      <div id="nonce-demo" style="padding: 10px; background: #d4edda; border: 1px solid #c3e6cb; color: #155724;">
-        Loading...
-      </div>
-
-      <p><strong>Note:</strong> Without the nonce, inline scripts would be blocked by CSP.</p>
-    HTML
-  end
-
-  def show_headers
-    # Demonstrate response headers and security features
-    res.set_cookie('demo_header', {
-      value: 'header_demo_value',
-      max_age: 1800,
-      secure: !req.local?,
-      httponly: true
-    })
-
-    # Add cache control
-    res.no_cache!
-
-    # Get security headers that would be added
-    security_headers = res.cookie_security_headers
-
-    res.headers['content-type'] = 'text/html'
-    res.headers['X-Demo-Header'] = 'Custom header value'
-
-    res.body = <<~HTML
-      <h1>Response Headers Demo</h1>
-      <p><a href="/">← Back to index</a></p>
-
-      <h2>Custom Headers Set:</h2>
-      <ul>
-        <li><strong>X-Demo-Header:</strong> Custom header value</li>
-        <li><strong>Cache-Control:</strong> no-store, no-cache, must-revalidate, max-age=0</li>
-        <li><strong>Set-Cookie:</strong> demo_header (with security options)</li>
-      </ul>
-
-      <h2>Security Headers Available:</h2>
-      <table border="1" style="border-collapse: collapse;">
-        #{security_headers.map { |k, v| "<tr><td><strong>#{k}</strong></td><td>#{v}</td></tr>" }.join("\n        ")}
-      </table>
-
-      <p>Use your browser's developer tools to inspect all response headers!</p>
-    HTML
-  end
-
-  def not_found
-    res.status = 404
-    res.headers['content-type'] = 'text/html'
-    res.body = <<~HTML
-      <h1>404 - Page Not Found</h1>
-      <p><a href="/">← Back to index</a></p>
-      <p>This is a custom 404 page demonstrating error handling.</p>
-    HTML
-  end
-end

data/examples/helpers_demo/config.ru

@@ -1,26 +0,0 @@
-require_relative '../../lib/otto'
-require_relative 'app'
-
-# Global configuration for all Otto instances
-Otto.configure do |opts|
-  opts.available_locales = {
-    'en' => 'English',
-    'es' => 'Spanish',
-    'fr' => 'French'
-  }
-  opts.default_locale = 'en'
-end
-
-# Configure Otto with security features
-app = Otto.new("./routes", {
-  # Security features
-  csrf_protection: true,
-  request_validation: true,
-  trusted_proxies: ['127.0.0.1', '::1']
-})
-
-# Enable additional security headers
-app.enable_csp_with_nonce!(debug: true)
-app.enable_frame_protection!('SAMEORIGIN')
-
-run app

data/examples/helpers_demo/routes

@@ -1,7 +0,0 @@
-GET   /                         HelpersDemo#index
-GET   /request-info             HelpersDemo#request_info
-GET   /locale-demo              HelpersDemo#locale_demo
-GET   /secure-cookie            HelpersDemo#secure_cookie
-POST  /csp-demo                 HelpersDemo#csp_demo
-GET   /headers                  HelpersDemo#show_headers
-GET   /404                      HelpersDemo#not_found