otto 1.6.0 → 2.0.0.pre1

data/CLAUDE.md

@@ -0,0 +1,56 @@
+# CLAUDE.md
+
+This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
+
+## Development Commands
+
+### Setup
+```bash
+# Install development and test dependencies
+bundle config set with 'development test'
+bundle install
+
+# Lint code
+bundle exec rubocop
+
+# Run tests
+bundle exec rspec
+
+# Run a specific test
+bundle exec rspec spec/path/to/specific_spec.rb
+# rspec settings in .rspec
+```
+
+## Project Overview
+
+### Core Components
+- Ruby Rack-based web framework for defining web applications
+- Focuses on security and simplicity
+- Supports internationalization and optional security features
+
+### Key Features
+- Plain-text routes configuration
+- Automatic locale detection
+- Optional security features:
+  - CSRF protection
+  - Input validation
+  - Security headers
+  - Trusted proxy configuration
+
+### Test Frameworks
+- RSpec for unit and integration testing
+- Tryouts for behavior-driven testing
+
+### Development Tools
+- Rubocop for linting
+- Debug gem for debugging
+- Tryouts for alternative testing approach
+
+### Ruby Version Requirements
+- Ruby 3.2+
+- Rack 3.1+
+
+### Important Notes
+- Always validate and sanitize user inputs
+- Leverage built-in security features
+- Use locale helpers for internationalization support

data/Gemfile

@@ -1,12 +1,19 @@
 # Gemfile
 
+# To install all development and test dependencies:
+#
+#   $ bundle config set with 'development test'
+#   $ bundle install
+
 source 'https://rubygems.org'
 
 gemspec
 
+gem 'rackup'
+
 group :test do
   gem 'rack-test'
-  gem 'rspec', '~> 3.12'
+  gem 'rspec', '~> 3.13'
 end
 
 # bundle config set with 'optional'
@@ -17,7 +24,7 @@ group :development, :test, optional: true do
 end
 
 group :development do
-  gem 'pry-byebug', require: false
+  gem 'debug'
   gem 'rubocop', require: false
   gem 'rubocop-performance', require: false
   gem 'rubocop-rspec', require: false
@@ -25,5 +32,5 @@ group :development do
   gem 'ruby-lsp', require: false
   gem 'stackprof', require: false
   gem 'syntax_tree', require: false
-  gem 'tryouts', '~> 3.3.2', require: false
+  gem 'tryouts', '~> 3.6.0', require: false
 end

data/Gemfile.lock

@@ -1,10 +1,9 @@
 PATH
   remote: .
   specs:
-    otto (1.6.0)
+    otto (2.0.0.pre.pre1)
       facets (~> 3.1)
       loofah (~> 2.20)
-      ostruct
       rack (~> 3.1, < 4.0)
       rack-parser (~> 0.7)
       rexml (>= 3.3.6)
@@ -13,12 +12,13 @@ GEM
   remote: https://rubygems.org/
   specs:
     ast (2.4.3)
-    bigdecimal (3.2.2)
-    byebug (12.0.0)
-    coderay (1.1.3)
+    bigdecimal (3.2.3)
     concurrent-ruby (1.3.5)
     crass (1.0.6)
     date (3.4.1)
+    debug (1.11.0)
+      irb (~> 1.10)
+      reline (>= 0.3.8)
     diff-lcs (1.6.2)
     erb (5.0.2)
     facets (3.1.0)
@@ -40,7 +40,6 @@ GEM
     loofah (2.24.1)
       crass (~> 1.0.2)
       nokogiri (>= 1.12.0)
-    method_source (1.1.0)
     minitest (5.25.5)
     nokogiri (1.18.9-aarch64-linux-gnu)
       racc (~> 1.4)
@@ -58,7 +57,6 @@ GEM
       racc (~> 1.4)
     nokogiri (1.18.9-x86_64-linux-musl)
       racc (~> 1.4)
-    ostruct (0.6.3)
     parallel (1.27.0)
     parser (3.3.9.0)
       ast (~> 2.4.1)
@@ -70,25 +68,21 @@ GEM
     prettier_print (1.2.1)
     prettyprint (0.2.0)
     prism (1.4.0)
-    pry (0.15.2)
-      coderay (~> 1.1)
-      method_source (~> 1.0)
-    pry-byebug (3.11.0)
-      byebug (~> 12.0)
-      pry (>= 0.13, < 0.16)
     psych (5.2.6)
       date
       stringio
     racc (1.8.1)
-    rack (3.2.0)
+    rack (3.2.1)
     rack-attack (6.7.0)
       rack (>= 1.0, < 4)
     rack-parser (0.7.0)
       rack
     rack-test (2.2.0)
       rack (>= 1.3)
+    rackup (2.2.1)
+      rack (>= 3)
     rainbow (3.1.1)
-    rbs (3.9.4)
+    rbs (3.9.5)
       logger
     rdoc (6.14.2)
       erb
@@ -96,7 +90,7 @@ GEM
     regexp_parser (2.11.2)
     reline (0.6.2)
       io-console (~> 0.5)
-    rexml (3.4.1)
+    rexml (3.4.3)
     rspec (3.13.1)
       rspec-core (~> 3.13.0)
       rspec-expectations (~> 3.13.0)
@@ -109,8 +103,8 @@ GEM
     rspec-mocks (3.13.5)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.13.0)
-    rspec-support (3.13.4)
-    rubocop (1.79.2)
+    rspec-support (3.13.5)
+    rubocop (1.80.2)
       json (~> 2.3)
       language_server-protocol (~> 3.17.0.2)
       lint_roller (~> 1.1.0)
@@ -124,11 +118,11 @@ GEM
     rubocop-ast (1.46.0)
       parser (>= 3.3.7.2)
       prism (~> 1.4)
-    rubocop-performance (1.25.0)
+    rubocop-performance (1.26.0)
       lint_roller (~> 1.1)
       rubocop (>= 1.75.0, < 2.0)
-      rubocop-ast (>= 1.38.0, < 2.0)
-    rubocop-rspec (3.6.0)
+      rubocop-ast (>= 1.44.0, < 2.0)
+    rubocop-rspec (3.7.0)
       lint_roller (~> 1.1)
       rubocop (~> 1.72, >= 1.72.1)
     rubocop-thread_safety (0.7.3)
@@ -145,7 +139,7 @@ GEM
     stringio (3.1.7)
     syntax_tree (6.3.0)
       prettier_print (>= 1.2.0)
-    tryouts (3.3.2)
+    tryouts (3.6.0)
       concurrent-ruby (~> 1.0)
       irb
       minitest (~> 5.0)
@@ -157,9 +151,9 @@ GEM
     tty-color (0.6.0)
     tty-cursor (0.7.1)
     tty-screen (0.8.2)
-    unicode-display_width (3.1.4)
-      unicode-emoji (~> 4.0, >= 4.0.4)
-    unicode-emoji (4.0.4)
+    unicode-display_width (3.2.0)
+      unicode-emoji (~> 4.1)
+    unicode-emoji (4.1.0)
 
 PLATFORMS
   aarch64-linux-gnu
@@ -172,12 +166,13 @@ PLATFORMS
   x86_64-linux-musl
 
 DEPENDENCIES
+  debug
   json_schemer
   otto!
-  pry-byebug
   rack-attack
   rack-test
-  rspec (~> 3.12)
+  rackup
+  rspec (~> 3.13)
   rubocop
   rubocop-performance
   rubocop-rspec
@@ -185,7 +180,7 @@ DEPENDENCIES
   ruby-lsp
   stackprof
   syntax_tree
-  tryouts (~> 3.3.2)
+  tryouts (~> 3.6.0)
 
 BUNDLED WITH
    2.7.1

data/README.md

@@ -2,6 +2,8 @@
 
 **Define your rack-apps in plain-text with built-in security.**
 
+> **v2.0.0-pre1 Available**: This pre-release includes major improvements to middleware management and test coverage. See [changelog](CHANGELOG.rst) and [migration guide](docs/migrating/v2.0.0-pre1.md) for upgraders.
+
 ![Otto mascot](public/img/otto.jpg "Otto - All Rack, no Pinion")
 
 Otto apps have three files: a rackup file, a Ruby class, and a routes file. The routes file is just plain text that maps URLs to Ruby methods.

data/bin/rspec

@@ -8,9 +8,9 @@
 # this file is here to facilitate running it.
 #
 
-ENV["BUNDLE_GEMFILE"] ||= File.expand_path("../Gemfile", __dir__)
+ENV['BUNDLE_GEMFILE'] ||= File.expand_path('../Gemfile', __dir__)
 
-require "rubygems"
-require "bundler/setup"
+require 'rubygems'
+require 'bundler/setup'
 
-load Gem.bin_path("rspec-core", "rspec")
+load Gem.bin_path('rspec-core', 'rspec')

data/changelog.d/20250911_235619_delano_next.rst

@@ -0,0 +1,28 @@
+Added
+-----
+
+- ``Otto::RequestContext`` Data class providing immutable, structured authentication context for Logic classes
+- Helper methods ``authenticated?``, ``has_role?``, ``has_permission?``, ``user_name``, ``session_id`` for cleaner Logic class implementation
+- Factory methods for creating RequestContext from AuthResult or anonymous contexts
+
+Changed
+-------
+
+- **BREAKING**: Logic class constructor signature changed from ``initialize(session, user, params, locale)`` to ``initialize(context, params, locale)``
+- Logic classes now receive immutable RequestContext instead of separate session/user parameters
+- LogicClassHandler simplified to single arity pattern, removing backward compatibility code
+- Authentication middleware now creates RequestContext instances for all requests
+
+Documentation
+-------------
+
+- Updated migration guide with comprehensive RequestContext examples and step-by-step conversion instructions
+- Updated Logic class examples in advanced_routes and authentication_strategies to demonstrate new pattern
+- Enhanced documentation with RequestContext API reference and helper method examples
+
+AI Assistance
+-------------
+
+- RequestContext Data class design developed with AI architectural guidance for immutability and clean API
+- Comprehensive migration of all example Logic classes with AI assistance for consistency and best practices
+- Documentation improvements ensuring clarity of breaking changes and migration path

data/changelog.d/20250912_123055_delano_remove_ostruct.rst

@@ -0,0 +1,21 @@
+Changed
+-------
+
+- Replaced `RequestContext` with `StrategyResult` class for better authentication handling
+- Simplified authentication strategy API to return `StrategyResult` or `nil` for success/failure
+- Enhanced route handlers to support JSON request body parsing
+- Updated authentication middleware to use `StrategyResult` throughout
+
+Added
+-----
+
+- Added `StrategyResult` class with improved user model compatibility and cleaner API
+- Added JSON request body parsing support in Logic class handlers
+
+Removed
+-------
+
+- Removed `RequestContext` class (replaced by `StrategyResult`)
+- Removed `AuthResult` class from authentication system
+- Removed OpenStruct dependency across the framework
+- Removed `ConcurrentCacheStore` example class for an ActiveSupport::Cache::MemoryStore-compatible interface with Rack::Attack

data/changelog.d/20250912_175625_claude_delano_remove_ostruct.rst

@@ -0,0 +1,21 @@
+Changed
+-------
+
+- Reorganized Otto security module structure for better maintainability and separation of concerns
+- Moved authentication strategies to ``Otto::Security::Authentication::Strategies`` namespace
+- Moved security middleware to ``Otto::Security::Middleware`` namespace
+- Moved ``StrategyResult`` and ``FailureResult`` to ``Otto::Security::Authentication`` namespace
+
+Added
+-----
+
+- Added new modular directory structure under ``lib/otto/security/``
+- Added backward compatibility aliases to maintain existing API compatibility
+- Added proper namespacing for authentication components and middleware classes
+
+AI Assistance
+-------------
+
+- Comprehensive security module reorganization with systematic namespace restructuring
+- Automated test validation to ensure backward compatibility during refactoring
+- Intelligent file organization following Ruby conventions and single responsibility principles

data/changelog.d/README.md

@@ -0,0 +1,120 @@
+# Otto Changelog Process
+
+This directory contains Otto's changelog management using [Scriv](https://scriv.readthedocs.io/).
+
+## Developer Workflow
+
+### Creating a Changelog Fragment
+
+When making changes that affect users, create a changelog fragment:
+
+```bash
+# Create a new fragment
+scriv create
+
+# Edit the generated file in changelog.d/
+# Add entries under appropriate categories
+```
+
+### Categories
+
+Use these categories in your fragments:
+
+- **Added**: New features
+- **Changed**: Changes in existing functionality
+- **Deprecated**: Soon-to-be removed features
+- **Removed**: Removed features
+- **Fixed**: Bug fixes
+- **Security**: Security fixes and improvements
+- **Documentation**: Documentation changes
+- **AI Assistance**: AI-assisted development, analysis, and improvements
+
+### Fragment Format
+
+Each fragment uses reStructuredText format:
+
+```rst
+Added
+-----
+
+- New feature description
+
+Fixed
+-----
+
+- Bug fix description
+
+AI Assistance
+-------------
+
+- Comprehensive test coverage development with AI assistance
+```
+
+### Committing Changes
+
+Always commit the fragment alongside your code:
+
+```bash
+# Stage both code and fragment
+git add changelog.d/YYYYMMDD_HHmmss_username_branch.rst
+git add [your code files]
+
+# Commit together
+git commit -m "Your commit message
+
+Includes changelog fragment documenting changes."
+```
+
+## Release Process
+
+During releases, maintainers aggregate all fragments:
+
+```bash
+# Collect all fragments into CHANGELOG.rst
+scriv collect
+
+# Review the updated CHANGELOG.rst
+git add CHANGELOG.rst
+git commit -m "Release changelog for vX.Y.Z"
+```
+
+## Guidelines
+
+### When to Create Fragments
+
+Create fragments for:
+- ✅ New features users will notice
+- ✅ Bug fixes that affect user experience
+- ✅ Breaking changes or deprecations
+- ✅ Security fixes
+- ✅ API changes
+- ✅ Significant internal improvements (use AI Assistance category)
+
+Skip fragments for:
+- ❌ Internal refactoring with no user impact
+- ❌ Test-only changes (unless they represent significant coverage improvements)
+- ❌ Documentation typo fixes
+- ❌ CI/build changes
+
+### Fragment Quality
+
+Good fragments:
+- Are concise but descriptive
+- Focus on user impact, not implementation details
+- Link to issues/PRs when helpful: `(#123)`
+- Use active voice: "Fixed authentication bug" not "Authentication bug was fixed"
+
+### AI Assistance Category
+
+Use the "AI Assistance" category to document:
+- Security analysis and hardened design discussions
+- Implementation development with AI pair programming
+- Comprehensive test coverage development
+- Architecture improvements developed with AI
+- Code review and debugging sessions with AI
+
+This category ensures transparency about AI contributions to the project while highlighting areas where AI provided particular value.
+
+## Configuration
+
+See `scriv.ini` for configuration details. The setup automatically detects Otto's version from `lib/otto/version.rb`.

data/changelog.d/scriv.ini

@@ -0,0 +1,5 @@
+[scriv]
+format = rst
+categories = Added, Changed, Deprecated, Removed, Fixed, Security, Documentation, AI Assistance
+version = command: ruby -r ./lib/otto/version.rb -e "puts Otto::VERSION"
+main_branches = main, next

data/docs/.gitignore

@@ -1,2 +1,3 @@
 *
 !.gitignore
+!migrating/