otto 1.6.0 → 2.0.0.pre1

data/lib/otto/core/router.rb

@@ -0,0 +1,183 @@
+# frozen_string_literal: true
+
+# lib/otto/core/router.rb
+
+require_relative '../mcp/route_parser'
+
+class Otto
+  module Core
+    # Router module providing route loading and request dispatching functionality
+    module Router
+      def load(path)
+        path = File.expand_path(path)
+        raise ArgumentError, "Bad path: #{path}" unless File.exist?(path)
+
+        raw = File.readlines(path).select { |line| line =~ /^\w/ }.collect { |line| line.strip }
+        raw.each do |entry|
+          # Enhanced parsing: split only on first two whitespace boundaries
+          # This preserves parameters in the definition part
+          parts = entry.split(/\s+/, 3)
+          next if parts.size < 3 # Skip malformed entries
+
+          verb = parts[0]
+          path = parts[1]
+          definition = parts[2]
+
+          # Check for MCP routes
+          if Otto::MCP::RouteParser.is_mcp_route?(definition)
+            raise '[MCP] MCP server not enabled' unless @mcp_server
+
+            handle_mcp_route(verb, path, definition)
+            next
+          elsif Otto::MCP::RouteParser.is_tool_route?(definition)
+            raise '[MCP] MCP server not enabled' unless @mcp_server
+
+            handle_tool_route(verb, path, definition)
+            next
+          end
+
+          route                                   = Otto::Route.new verb, path, definition
+          route.otto                              = self
+          path_clean                              = path.gsub(%r{/$}, '')
+          @route_definitions[route.definition]    = route
+          Otto.logger.debug "route: #{route.pattern}" if Otto.debug
+          @routes[route.verb] ||= []
+          @routes[route.verb] << route
+          @routes_literal[route.verb]           ||= {}
+          @routes_literal[route.verb][path_clean] = route
+        rescue StandardError => e
+          Otto.logger.error "Bad route in #{path}: #{entry} (Error: #{e.message})"
+        end
+        self
+      end
+
+      def handle_request(env)
+        locale             = determine_locale env
+        env['rack.locale'] = locale
+        env['otto.locale_config'] = @locale_config if @locale_config
+        @static_route    ||= Rack::Files.new(option[:public]) if option[:public] && safe_dir?(option[:public])
+        path_info          = Rack::Utils.unescape(env['PATH_INFO'])
+        path_info          = '/' if path_info.to_s.empty?
+
+        begin
+          path_info_clean = path_info
+                            .encode(
+                              'UTF-8', # Target encoding
+                              invalid: :replace, # Replace invalid byte sequences
+                              undef: :replace,   # Replace characters undefined in UTF-8
+                              replace: '' # Use empty string for replacement
+                            )
+                            .gsub(%r{/$}, '') # Remove trailing slash, if present
+        rescue ArgumentError => e
+          # Log the error but don't expose details
+          Otto.logger.error '[Otto.handle_request] Path encoding error'
+          Otto.logger.debug "[Otto.handle_request] Error details: #{e.message}" if Otto.debug
+          # Set a default value or use the original path_info
+          path_info_clean = path_info
+        end
+
+        base_path      = File.split(path_info).first
+        # Files in the root directory can refer to themselves
+        base_path      = path_info if base_path == '/'
+        http_verb      = env['REQUEST_METHOD'].upcase.to_sym
+        literal_routes = routes_literal[http_verb] || {}
+        literal_routes.merge! routes_literal[:GET] if http_verb == :HEAD
+
+        if static_route && http_verb == :GET && routes_static[:GET].member?(base_path)
+          # Otto.logger.debug " request: #{path_info} (static)"
+          static_route.call(env)
+        elsif literal_routes.has_key?(path_info_clean)
+          route = literal_routes[path_info_clean]
+          # Otto.logger.debug " request: #{http_verb} #{path_info} (literal route: #{route.verb} #{route.path})"
+          route.call(env)
+        elsif static_route && http_verb == :GET && safe_file?(path_info)
+          Otto.logger.debug " new static route: #{base_path} (#{path_info})" if Otto.debug
+          routes_static[:GET][base_path] = base_path
+          static_route.call(env)
+        else
+          match_dynamic_route(env, path_info, http_verb, literal_routes)
+        end
+      end
+
+      def determine_locale(env)
+        accept_langs = env['HTTP_ACCEPT_LANGUAGE']
+        accept_langs = option[:locale] if accept_langs.to_s.empty?
+        locales      = []
+        unless accept_langs.empty?
+          locales = accept_langs.split(',').map do |l|
+            l += ';q=1.0' unless /;q=\d+(?:\.\d+)?$/.match?(l)
+            l.split(';q=')
+          end.sort_by do |_locale, qvalue|
+            qvalue.to_f
+          end.collect do |locale, _qvalue|
+            locale
+          end.reverse
+        end
+        Otto.logger.debug "locale: #{locales} (#{accept_langs})" if Otto.debug
+        locales.empty? ? nil : locales
+      end
+
+      private
+
+      def match_dynamic_route(env, path_info, http_verb, literal_routes)
+        extra_params  = {}
+        found_route   = nil
+        valid_routes  = routes[http_verb] || []
+        valid_routes.push(*routes[:GET]) if http_verb == :HEAD
+
+        valid_routes.each do |route|
+          # Otto.logger.debug " request: #{http_verb} #{path_info} (trying route: #{route.verb} #{route.pattern})"
+          next unless (match = route.pattern.match(path_info))
+
+          values = match.captures.to_a
+          # The first capture returned is the entire matched string b/c
+          # we wrapped the entire regex in parens. We don't need it to
+          # the full match.
+          values.shift
+          extra_params = build_route_params(route, values)
+          found_route  = route
+          break
+        end
+
+        found_route ||= literal_routes['/404']
+        if found_route
+          found_route.call env, extra_params
+        else
+          @not_found || Otto::Static.not_found
+        end
+      end
+
+      def build_route_params(route, values)
+        if route.keys.any?
+          route.keys.zip(values).each_with_object({}) do |(k, v), hash|
+            if k == 'splat'
+              (hash[k] ||= []) << v
+            else
+              hash[k] = v
+            end
+          end
+        elsif values.any?
+          { 'captures' => values }
+        else
+          {}
+        end
+      end
+
+      def handle_mcp_route(verb, path, definition)
+        route_info = Otto::MCP::RouteParser.parse_mcp_route(verb, path, definition)
+        @mcp_server.register_mcp_route(route_info)
+        Otto.logger.debug "[MCP] Registered resource route: #{definition}" if Otto.debug
+      rescue StandardError => e
+        Otto.logger.error "[MCP] Failed to parse MCP route: #{definition} - #{e.message}"
+      end
+
+      def handle_tool_route(verb, path, definition)
+        route_info = Otto::MCP::RouteParser.parse_tool_route(verb, path, definition)
+        @mcp_server.register_mcp_route(route_info)
+        Otto.logger.debug "[MCP] Registered tool route: #{definition}" if Otto.debug
+      rescue StandardError => e
+        Otto.logger.error "[MCP] Failed to parse TOOL route: #{definition} - #{e.message}"
+      end
+    end
+  end
+end

data/lib/otto/core/uri_generator.rb

@@ -0,0 +1,44 @@
+# frozen_string_literal: true
+
+# lib/otto/core/uri_generator.rb
+
+require 'uri'
+
+class Otto
+  module Core
+    # URI generation module providing path and URL generation for route definitions
+    module UriGenerator
+      # Return the URI path for the given +route_definition+
+      # e.g.
+      #
+      #     Otto.default.path 'YourClass.somemethod'  #=> /some/path
+      #
+      def uri(route_definition, params = {})
+        # raise RuntimeError, "Not working"
+        route = @route_definitions[route_definition]
+        return if route.nil?
+
+        local_params = params.clone
+        local_path   = route.path.clone
+
+        keys_to_remove = []
+        local_params.each_pair do |k, v|
+          next unless local_path.match(":#{k}")
+
+          local_path.gsub!(":#{k}", v.to_s)
+          keys_to_remove << k
+        end
+        keys_to_remove.each { |k| local_params.delete(k) }
+
+        uri = URI::HTTP.new(nil, nil, nil, nil, nil, local_path, nil, nil, nil)
+        unless local_params.empty?
+          query_string = local_params.map do |k, v|
+            "#{URI.encode_www_form_component(k)}=#{URI.encode_www_form_component(v)}"
+          end.join('&')
+          uri.query = query_string
+        end
+        uri.to_s
+      end
+    end
+  end
+end

data/lib/otto/design_system.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 # lib/otto/design_system.rb
 
 class Otto
@@ -112,11 +114,11 @@ class Otto
       return '' if text.nil?
 
       text.to_s
-        .gsub('&', '&')
-        .gsub('<', '&lt;')
-        .gsub('>', '&gt;')
-        .gsub('"', '&quot;')
-        .gsub("'", '&#x27;')
+          .gsub('&', '&amp;')
+          .gsub('<', '&lt;')
+          .gsub('>', '&gt;')
+          .gsub('"', '&quot;')
+          .gsub("'", '&#x27;')
     end
 
     def otto_styles

data/lib/otto/helpers/base.rb

@@ -1,6 +1,9 @@
+# frozen_string_literal: true
+
 # lib/otto/helpers/base.rb
 
 class Otto
+  # Base helper methods providing core functionality for Otto applications
   module BaseHelpers
     # Build application path by joining path segments
     #

data/lib/otto/helpers/request.rb

@@ -1,8 +1,11 @@
+# frozen_string_literal: true
+
 # lib/otto/helpers/request.rb
 
 require_relative 'base'
 
 class Otto
+  # Request helper methods providing HTTP request handling utilities
   module RequestHelpers
     include Otto::BaseHelpers
 
@@ -14,9 +17,7 @@ class Otto
       remote_addr = env['REMOTE_ADDR']
 
       # If we don't have a security config or trusted proxies, use direct connection
-      if !otto_security_config || !trusted_proxy?(remote_addr)
-        return validate_ip_address(remote_addr)
-      end
+      return validate_ip_address(remote_addr) if !otto_security_config || !trusted_proxy?(remote_addr)
 
       # Check forwarded headers from trusted proxies
       forwarded_ips = [
@@ -152,12 +153,12 @@ class Otto
 
       # RFC 1918 private ranges and loopback
       private_ranges = [
-        /\A10\./,                    # 10.0.0.0/8
+        /\A10\./, # 10.0.0.0/8
         /\A172\.(1[6-9]|2[0-9]|3[01])\./, # 172.16.0.0/12
         /\A192\.168\./,              # 192.168.0.0/16
         /\A169\.254\./,              # 169.254.0.0/16 (link-local)
         /\A224\./,                   # 224.0.0.0/4 (multicast)
-        /\A0\./,                      # 0.0.0.0/8
+        /\A0\./, # 0.0.0.0/8
       ]
 
       private_ranges.any? { |range| ip.match?(range) }
@@ -207,7 +208,7 @@ class Otto
 
       # Add any header that begins with the specified prefix
       if header_prefix
-        prefix_keys = env.keys.select { |key| key.upcase.start_with?("HTTP_#{header_prefix.upcase}") }
+        prefix_keys = env.keys.select { _1.upcase.start_with?("HTTP_#{header_prefix.upcase}") }
         keys.concat(prefix_keys)
       end
 
@@ -354,8 +355,9 @@ class Otto
       debug_enabled     = opts[:debug] || false
 
       # Guard clause - required configuration must be present
-      unless available_locales && default_locale
-        raise ArgumentError, 'available_locales and default_locale are required (provide via opts or Otto configuration)'
+      unless available_locales.is_a?(Hash) && !available_locales.empty? && default_locale && available_locales.key?(default_locale)
+        raise ArgumentError,
+              'available_locales must be a non-empty Hash and include default_locale (provide via opts or Otto configuration)'
       end
 
       # Check sources in order of precedence

data/lib/otto/helpers/response.rb

@@ -1,8 +1,11 @@
+# frozen_string_literal: true
+
 # lib/otto/helpers/response.rb
 
 require_relative 'base'
 
 class Otto
+  # Response helper methods providing HTTP response handling utilities
   module ResponseHelpers
     include Otto::BaseHelpers
 
@@ -48,7 +51,7 @@ class Otto
       session_opts = opts.merge(
         secure: true,
         httponly: true,
-        samesite: :strict,
+        samesite: :strict
       )
 
       # Remove expiration-related options for session cookies
@@ -109,9 +112,7 @@ class Otto
       headers['content-type'] ||= content_type
 
       # Warn if CSP header already exists but don't skip
-      if headers['content-security-policy']
-        warn 'CSP header already set, overriding with nonce-based policy'
-      end
+      warn 'CSP header already set, overriding with nonce-based policy' if headers['content-security-policy']
 
       # Get security configuration
       security_config = opts[:security_config] ||

data/lib/otto/helpers/validation.rb

@@ -1,7 +1,13 @@
+# frozen_string_literal: true
+
 # lib/otto/helpers/validation.rb
 
+require 'loofah'
+require 'facets/file'
+
 class Otto
   module Security
+    # Validation helper methods providing input validation and sanitization
     module ValidationHelpers
       def validate_input(input, max_length: 1000, allow_html: false)
         return input if input.nil?
@@ -17,9 +23,7 @@ class Otto
         # Use Loofah for HTML sanitization and validation
         unless allow_html
           # Check for script injection first (these should always be rejected)
-          if looks_like_script_injection?(input_str)
-            raise Otto::Security::ValidationError, 'Dangerous content detected'
-          end
+          raise Otto::Security::ValidationError, 'Dangerous content detected' if looks_like_script_injection?(input_str)
 
           # Use Loofah to sanitize less dangerous HTML content
           sanitized_input = Loofah.fragment(input_str).scrub!(:whitewash).to_s
@@ -28,9 +32,7 @@ class Otto
 
         # Always check for SQL injection
         ValidationMiddleware::SQL_INJECTION_PATTERNS.each do |pattern|
-          if input_str.match?(pattern)
-            raise Otto::Security::ValidationError, 'Potential SQL injection detected'
-          end
+          raise Otto::Security::ValidationError, 'Potential SQL injection detected' if input_str.match?(pattern)
         end
 
         input_str
@@ -71,7 +73,7 @@ class Otto
         dangerous_patterns = [
           /javascript:/i,
           /<script[^>]*>/i,
-          /on\w+\s*=/i,  # event handlers like onclick=
+          /on\w+\s*=/i, # event handlers like onclick=
           /expression\s*\(/i,
           /data:.*base64/i,
         ]

data/lib/otto/mcp/auth/token.rb

@@ -1,8 +1,13 @@
+# frozen_string_literal: true
+
+# lib/otto/mcp/auth/token.rb
+
 require 'json'
 
 class Otto
   module MCP
     module Auth
+      # Token-based authentication for MCP protocol endpoints
       class TokenAuth
         def initialize(tokens)
           @tokens = Array(tokens).to_set
@@ -20,15 +25,14 @@ class Otto
         def extract_token(env)
           # Try Authorization header first (Bearer token)
           auth_header = env['HTTP_AUTHORIZATION']
-          if auth_header&.start_with?('Bearer ')
-            return auth_header[7..]
-          end
+          return auth_header[7..] if auth_header&.start_with?('Bearer ')
 
           # Try X-MCP-Token header
           env['HTTP_X_MCP_TOKEN']
         end
       end
 
+      # Middleware for token authentication in MCP protocol
       class TokenMiddleware
         def initialize(app, security_config = nil)
           @app             = app
@@ -41,9 +45,7 @@ class Otto
 
           # Get auth instance from security config
           auth = @security_config&.mcp_auth
-          if auth && !auth.authenticate(env)
-            return unauthorized_response
-          end
+          return unauthorized_response if auth && !auth.authenticate(env)
 
           @app.call(env)
         end
@@ -58,15 +60,14 @@ class Otto
 
         def unauthorized_response
           body = JSON.generate({
-            jsonrpc: '2.0',
+                                 jsonrpc: '2.0',
             id: nil,
             error: {
               code: -32_000,
               message: 'Unauthorized',
               data: 'Valid token required',
             },
-          },
-                              )
+                               })
 
           [401, { 'content-type' => 'application/json' }, [body]]
         end

data/lib/otto/mcp/protocol.rb

@@ -1,8 +1,13 @@
+# frozen_string_literal: true
+
+# lib/otto/mcp/protocol.rb
+
 require 'json'
 require_relative 'registry'
 
 class Otto
   module MCP
+    # MCP protocol handler providing Model Context Protocol functionality
     class Protocol
       attr_reader :registry
 
@@ -64,14 +69,13 @@ class Otto
         }
 
         success_response(data['id'], {
-          protocolVersion: '2024-11-05',
+                           protocolVersion: '2024-11-05',
           capabilities: capabilities,
           serverInfo: {
             name: 'Otto MCP Server',
             version: Otto::VERSION,
           },
-        }
-        )
+                         })
       end
 
       def handle_resources_list(data)
@@ -83,9 +87,7 @@ class Otto
         params = data['params'] || {}
         uri    = params['uri']
 
-        unless uri
-          return error_response(data['id'], -32_602, 'Invalid params', 'Missing uri parameter')
-        end
+        return error_response(data['id'], -32_602, 'Invalid params', 'Missing uri parameter') unless uri
 
         resource = @registry.read_resource(uri)
         if resource
@@ -105,26 +107,23 @@ class Otto
         name      = params['name']
         arguments = params['arguments'] || {}
 
-        unless name
-          return error_response(data['id'], -32_602, 'Invalid params', 'Missing name parameter')
-        end
+        return error_response(data['id'], -32_602, 'Invalid params', 'Missing name parameter') unless name
 
         begin
           result = @registry.call_tool(name, arguments, env)
           success_response(data['id'], result)
-        rescue StandardError => ex
-          Otto.logger.error "[MCP] Tool call error: #{ex.message}"
-          error_response(data['id'], -32_603, 'Internal error', ex.message)
+        rescue StandardError => e
+          Otto.logger.error "[MCP] Tool call error: #{e.message}"
+          error_response(data['id'], -32_603, 'Internal error', e.message)
         end
       end
 
       def success_response(id, result)
         body = JSON.generate({
-          jsonrpc: '2.0',
+                               jsonrpc: '2.0',
           id: id,
           result: result,
-        },
-                            )
+                             })
 
         [200, { 'content-type' => 'application/json' }, [body]]
       end
@@ -134,30 +133,28 @@ class Otto
         error[:data] = data if data
 
         body = JSON.generate({
-          jsonrpc: '2.0',
+                               jsonrpc: '2.0',
           id: id,
           error: error,
-        },
-                            )
+                             })
 
         # Map JSON-RPC error codes to appropriate HTTP status codes
         http_status = case code
-                      when -32700..-32600 # Parse error, Invalid Request, Method not found
+                      when -32_700..-32_600 # Parse error, Invalid Request, Method not found
                         400
-                      when -32000         # Server error (generic)
+                      when -32_603, -32_000..-32_099 # Internal error and all server error range (-32000..-32099)
                         500
-                      when -32001         # Resource not found
+                      when -32_001         # Resource not found
                         404
-                      when -32002         # Tool not found
+                      when -32_002         # Tool not found
                         404
-                      when -32601         # Method not found
+                      when -32_601         # Method not found
                         404
-                      when -32602         # Invalid params
+                      when -32_602         # Invalid params
                         400
-                      when -32603         # Internal error
-                        500
                       else
-                        400 # Default to 400 for other client errors
+                        # Default client error for unknown non-server codes; treat server-range as 500
+                        (-32_099..-32_000).cover?(code) ? 500 : 400
                       end
 
         [http_status, { 'content-type' => 'application/json' }, [body]]

data/lib/otto/mcp/rate_limiting.rb

@@ -1,3 +1,7 @@
+# frozen_string_literal: true
+
+# lib/otto/mcp/rate_limiting.rb
+
 require 'json'
 
 require_relative '../security/rate_limiting'
@@ -10,6 +14,7 @@ end
 
 class Otto
   module MCP
+    # Rate limiter for MCP protocol endpoints
     class RateLimiter < Otto::Security::RateLimiting
       def self.configure_rack_attack!(config = {})
         return unless defined?(Rack::Attack)
@@ -117,6 +122,7 @@ class Otto
       end
     end
 
+    # Middleware for applying rate limits to MCP protocol endpoints
     class RateLimitMiddleware < Otto::Security::RateLimitMiddleware
       def initialize(app, security_config = nil)
         @app                    = app
@@ -138,10 +144,9 @@ class Otto
 
         # Add MCP-specific defaults
         mcp_config = base_config.merge({
-          mcp_requests_per_minute: 60,
+                                         mcp_requests_per_minute: 60,
           tool_calls_per_minute: 20,
-        },
-                                      )
+                                       })
 
         RateLimiter.configure_rack_attack!(mcp_config)
       end

data/lib/otto/mcp/registry.rb

@@ -1,5 +1,10 @@
+# frozen_string_literal: true
+
+# lib/otto/mcp/registry.rb
+
 class Otto
   module MCP
+    # Registry for managing MCP resources and tools
     class Registry
       def initialize
         @resources = {}
@@ -59,8 +64,8 @@ class Otto
               text: content.to_s,
             }],
           }
-        rescue StandardError => ex
-          Otto.logger.error "[MCP] Resource read error for #{uri}: #{ex.message}"
+        rescue StandardError => e
+          Otto.logger.error "[MCP] Resource read error for #{uri}: #{e.message}"
           nil
         end
       end