otto 1.6.0 → 2.0.0.pre2

data/CHANGELOG.rst

@@ -0,0 +1,131 @@
+CHANGELOG.rst
+=============
+
+The format is based on `Keep a Changelog <https://keepachangelog.com/en/1.1.0/>`__, and this project adheres to `Semantic Versioning <https://semver.org/spec/v2.0.0.html>`__.
+
+.. raw:: html
+
+   <!--scriv-insert-here-->
+
+.. _changelog-2.0.0.pre2:
+
+2.0.0.pre2 — 2025-10-11
+=======================
+
+Added
+-----
+
+- Added `StrategyResult` class with improved user model compatibility and cleaner API
+- Helper methods ``authenticated?``, ``has_role?``, ``has_permission?``, ``user_name``, ``session_id`` for cleaner Logic class implementation
+- Added JSON request body parsing support in Logic class handlers
+- Added new modular directory structure under ``lib/otto/security/``
+- Added backward compatibility aliases to maintain existing API compatibility
+- Added proper namespacing for authentication components and middleware classes
+
+Changed
+-------
+
+- **BREAKING**: Logic class constructor signature changed from ``initialize(session, user, params, locale)`` to ``initialize(context, params, locale)``
+- Logic classes now receive an immutable context object instead of separate session/user parameters
+- LogicClassHandler simplified to single arity pattern, removing backward compatibility code
+- Authentication middleware now creates `StrategyResult` instances for all requests
+- Replaced `RequestContext` with `StrategyResult` class for better authentication handling
+- Simplified authentication strategy API to return `StrategyResult` or `nil` for success/failure
+- Enhanced route handlers to support JSON request body parsing
+- Updated authentication middleware to use `StrategyResult` throughout
+- Reorganized Otto security module structure for better maintainability and separation of concerns
+- Moved authentication strategies to ``Otto::Security::Authentication::Strategies`` namespace
+- Moved security middleware to ``Otto::Security::Middleware`` namespace
+- Moved ``StrategyResult`` and ``FailureResult`` to ``Otto::Security::Authentication`` namespace
+
+Removed
+-------
+
+- Removed `RequestContext` class (which was introduced and then replaced by `StrategyResult` during this development cycle)
+- Removed `AuthResult` class from authentication system
+- Removed `ConcurrentCacheStore` example class for an ActiveSupport::Cache::MemoryStore-compatible interface with Rack::Attack
+- Removed OpenStruct dependency across the framework
+
+Documentation
+-------------
+
+- Updated migration guide with comprehensive examples for the new context object and step-by-step conversion instructions
+- Updated Logic class examples in advanced_routes and authentication_strategies to demonstrate new pattern
+- Enhanced documentation with API reference and helper method examples for the new context object
+
+AI Assistance
+-------------
+
+- AI-assisted architectural design for RequestContext Data class and security module reorganization
+- Comprehensive migration of Logic classes and documentation with AI guidance for consistency
+- Automated test validation and intelligent file organization following Ruby conventions
+
+.. _changelog-2.0.0-pre1:
+
+2.0.0-pre1 — 2025-09-10
+=======================
+
+Added
+-----
+
+- Comprehensive test coverage for error handling methods (handle_error, secure_error_response,
+json_error_response)
+- Test coverage for private configuration methods (configure_locale, configure_security,
+configure_authentication, configure_mcp)
+- Expanded MCP functionality test coverage including route parsing and server initialization
+- Security header validation in all error responses
+- Content negotiation testing for JSON vs plain text error responses
+- Development vs production mode error handling verification
+
+- ``Otto::Security::Configurator`` class for consolidated security configuration
+- ``Otto::Core::MiddlewareStack`` class for enhanced middleware management
+- Unified ``security.configure()`` method for streamlined security setup
+- Middleware introspection capabilities via ``middleware_list`` and ``middleware_details`` methods
+
+Changed
+-------
+
+- **BREAKING**: Direct middleware_stack manipulation no longer supported. Use ``otto.use()`` instead
+of ``otto.middleware_stack <<``. See `migration guide <docs/migrating/v2.0.0-pre1.md>`__ for upgrade
+path.
+
+- Refactored main Otto class from 767 lines to 348 lines using composition pattern (#29)
+- Modernized initialization method with helper functions while maintaining backward compatibility
+- Applied Ruby 3.2+ features including pattern matching and anonymous block forwarding
+- Improved method organization and separation of concerns
+
+- Refactored security configuration methods to use new ``Otto::Security::Configurator`` facade
+- Enhanced middleware stack management with better registration and execution interfaces
+- Improved separation of concerns between security configuration and middleware handling
+
+- Unified middleware stack implementation for improved performance and consistency
+- Optimized middleware lookup and registration with O(1) Set-based tracking
+- Memoized middleware list to reduce array creation overhead
+- Improved middleware registration to handle varied argument scenarios
+
+Documentation
+-------------
+
+- Added changelog management system with Scriv configuration
+- Created comprehensive changelog process documentation
+
+AI Assistance
+-------------
+
+- Comprehensive test suite development covering 76 new test cases across 3 test files
+- Error handling analysis and edge case identification
+- Configuration method testing strategy development
+- MCP functionality testing with proper mocking and stubbing techniques
+- Test quality assurance ensuring all 460 examples pass with 0 failures
+
+- Extracted core Otto class functionality into 5 focused modules (Router, FileSafety, Configuration,
+ErrorHandler, UriGenerator) using composition pattern for improved maintainability while preserving
+complete API backward compatibility (#28)
+
+- Comprehensive refactoring implementation developed with AI assistance
+- Systematic approach to maintaining backward compatibility during modernization
+- Full test suite validation ensuring zero breaking changes across 460 test cases
+
+- Comprehensive refactoring of middleware stack management
+- Performance optimization and code quality improvements
+- Developed detailed migration guide for smooth transition

data/CLAUDE.md

@@ -0,0 +1,56 @@
+# CLAUDE.md
+
+This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
+
+## Development Commands
+
+### Setup
+```bash
+# Install development and test dependencies
+bundle config set with 'development test'
+bundle install
+
+# Lint code
+bundle exec rubocop
+
+# Run tests
+bundle exec rspec
+
+# Run a specific test
+bundle exec rspec spec/path/to/specific_spec.rb
+# rspec settings in .rspec
+```
+
+## Project Overview
+
+### Core Components
+- Ruby Rack-based web framework for defining web applications
+- Focuses on security and simplicity
+- Supports internationalization and optional security features
+
+### Key Features
+- Plain-text routes configuration
+- Automatic locale detection
+- Optional security features:
+  - CSRF protection
+  - Input validation
+  - Security headers
+  - Trusted proxy configuration
+
+### Test Frameworks
+- RSpec for unit and integration testing
+- Tryouts for behavior-driven testing
+
+### Development Tools
+- Rubocop for linting
+- Debug gem for debugging
+- Tryouts for alternative testing approach
+
+### Ruby Version Requirements
+- Ruby 3.2+
+- Rack 3.1+
+
+### Important Notes
+- Always validate and sanitize user inputs
+- Leverage built-in security features
+- Use locale helpers for internationalization support

data/Gemfile

@@ -1,12 +1,19 @@
 # Gemfile
 
+# To install all development and test dependencies:
+#
+#   $ bundle config set with 'development test'
+#   $ bundle install
+
 source 'https://rubygems.org'
 
 gemspec
 
+gem 'rackup'
+
 group :test do
   gem 'rack-test'
-  gem 'rspec', '~> 3.12'
+  gem 'rspec', '~> 3.13'
 end
 
 # bundle config set with 'optional'
@@ -17,13 +24,13 @@ group :development, :test, optional: true do
 end
 
 group :development do
-  gem 'pry-byebug', require: false
-  gem 'rubocop', require: false
+  gem 'debug'
+  gem 'rubocop', '~> 1.81.1', require: false
   gem 'rubocop-performance', require: false
   gem 'rubocop-rspec', require: false
   gem 'rubocop-thread_safety', require: false
   gem 'ruby-lsp', require: false
   gem 'stackprof', require: false
   gem 'syntax_tree', require: false
-  gem 'tryouts', '~> 3.3.2', require: false
+  gem 'tryouts', '~> 3.6.0', require: false
 end

data/Gemfile.lock

@@ -1,10 +1,10 @@
 PATH
   remote: .
   specs:
-    otto (1.6.0)
+    otto (2.0.0.pre2)
       facets (~> 3.1)
+      logger (~> 1, < 2.0)
       loofah (~> 2.20)
-      ostruct
       rack (~> 3.1, < 4.0)
       rack-parser (~> 0.7)
       rexml (>= 3.3.6)
@@ -13,12 +13,13 @@ GEM
   remote: https://rubygems.org/
   specs:
     ast (2.4.3)
-    bigdecimal (3.2.2)
-    byebug (12.0.0)
-    coderay (1.1.3)
+    bigdecimal (3.2.3)
     concurrent-ruby (1.3.5)
     crass (1.0.6)
     date (3.4.1)
+    debug (1.11.0)
+      irb (~> 1.10)
+      reline (>= 0.3.8)
     diff-lcs (1.6.2)
     erb (5.0.2)
     facets (3.1.0)
@@ -28,7 +29,7 @@ GEM
       pp (>= 0.6.0)
       rdoc (>= 4.0.0)
       reline (>= 0.4.2)
-    json (2.13.2)
+    json (2.15.1)
     json_schemer (2.4.0)
       bigdecimal
       hana (~> 1.3)
@@ -40,25 +41,23 @@ GEM
     loofah (2.24.1)
       crass (~> 1.0.2)
       nokogiri (>= 1.12.0)
-    method_source (1.1.0)
     minitest (5.25.5)
-    nokogiri (1.18.9-aarch64-linux-gnu)
+    nokogiri (1.18.10-aarch64-linux-gnu)
       racc (~> 1.4)
-    nokogiri (1.18.9-aarch64-linux-musl)
+    nokogiri (1.18.10-aarch64-linux-musl)
       racc (~> 1.4)
-    nokogiri (1.18.9-arm-linux-gnu)
+    nokogiri (1.18.10-arm-linux-gnu)
       racc (~> 1.4)
-    nokogiri (1.18.9-arm-linux-musl)
+    nokogiri (1.18.10-arm-linux-musl)
       racc (~> 1.4)
-    nokogiri (1.18.9-arm64-darwin)
+    nokogiri (1.18.10-arm64-darwin)
       racc (~> 1.4)
-    nokogiri (1.18.9-x86_64-darwin)
+    nokogiri (1.18.10-x86_64-darwin)
       racc (~> 1.4)
-    nokogiri (1.18.9-x86_64-linux-gnu)
+    nokogiri (1.18.10-x86_64-linux-gnu)
       racc (~> 1.4)
-    nokogiri (1.18.9-x86_64-linux-musl)
+    nokogiri (1.18.10-x86_64-linux-musl)
       racc (~> 1.4)
-    ostruct (0.6.3)
     parallel (1.27.0)
     parser (3.3.9.0)
       ast (~> 2.4.1)
@@ -69,34 +68,30 @@ GEM
       prettyprint
     prettier_print (1.2.1)
     prettyprint (0.2.0)
-    prism (1.4.0)
-    pry (0.15.2)
-      coderay (~> 1.1)
-      method_source (~> 1.0)
-    pry-byebug (3.11.0)
-      byebug (~> 12.0)
-      pry (>= 0.13, < 0.16)
+    prism (1.5.2)
     psych (5.2.6)
       date
       stringio
     racc (1.8.1)
-    rack (3.2.0)
+    rack (3.2.2)
     rack-attack (6.7.0)
       rack (>= 1.0, < 4)
     rack-parser (0.7.0)
       rack
     rack-test (2.2.0)
       rack (>= 1.3)
+    rackup (2.2.1)
+      rack (>= 3)
     rainbow (3.1.1)
-    rbs (3.9.4)
+    rbs (3.9.5)
       logger
     rdoc (6.14.2)
       erb
       psych (>= 4.0.0)
-    regexp_parser (2.11.2)
+    regexp_parser (2.11.3)
     reline (0.6.2)
       io-console (~> 0.5)
-    rexml (3.4.1)
+    rexml (3.4.4)
     rspec (3.13.1)
       rspec-core (~> 3.13.0)
       rspec-expectations (~> 3.13.0)
@@ -109,8 +104,8 @@ GEM
     rspec-mocks (3.13.5)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.13.0)
-    rspec-support (3.13.4)
-    rubocop (1.79.2)
+    rspec-support (3.13.5)
+    rubocop (1.81.1)
       json (~> 2.3)
       language_server-protocol (~> 3.17.0.2)
       lint_roller (~> 1.1.0)
@@ -118,17 +113,17 @@ GEM
       parser (>= 3.3.0.2)
       rainbow (>= 2.2.2, < 4.0)
       regexp_parser (>= 2.9.3, < 3.0)
-      rubocop-ast (>= 1.46.0, < 2.0)
+      rubocop-ast (>= 1.47.1, < 2.0)
       ruby-progressbar (~> 1.7)
       unicode-display_width (>= 2.4.0, < 4.0)
-    rubocop-ast (1.46.0)
+    rubocop-ast (1.47.1)
       parser (>= 3.3.7.2)
       prism (~> 1.4)
-    rubocop-performance (1.25.0)
+    rubocop-performance (1.26.0)
       lint_roller (~> 1.1)
       rubocop (>= 1.75.0, < 2.0)
-      rubocop-ast (>= 1.38.0, < 2.0)
-    rubocop-rspec (3.6.0)
+      rubocop-ast (>= 1.44.0, < 2.0)
+    rubocop-rspec (3.7.0)
       lint_roller (~> 1.1)
       rubocop (~> 1.72, >= 1.72.1)
     rubocop-thread_safety (0.7.3)
@@ -145,7 +140,7 @@ GEM
     stringio (3.1.7)
     syntax_tree (6.3.0)
       prettier_print (>= 1.2.0)
-    tryouts (3.3.2)
+    tryouts (3.6.0)
       concurrent-ruby (~> 1.0)
       irb
       minitest (~> 5.0)
@@ -157,9 +152,9 @@ GEM
     tty-color (0.6.0)
     tty-cursor (0.7.1)
     tty-screen (0.8.2)
-    unicode-display_width (3.1.4)
-      unicode-emoji (~> 4.0, >= 4.0.4)
-    unicode-emoji (4.0.4)
+    unicode-display_width (3.2.0)
+      unicode-emoji (~> 4.1)
+    unicode-emoji (4.1.0)
 
 PLATFORMS
   aarch64-linux-gnu
@@ -172,20 +167,21 @@ PLATFORMS
   x86_64-linux-musl
 
 DEPENDENCIES
+  debug
   json_schemer
   otto!
-  pry-byebug
   rack-attack
   rack-test
-  rspec (~> 3.12)
-  rubocop
+  rackup
+  rspec (~> 3.13)
+  rubocop (~> 1.81.1)
   rubocop-performance
   rubocop-rspec
   rubocop-thread_safety
   ruby-lsp
   stackprof
   syntax_tree
-  tryouts (~> 3.3.2)
+  tryouts (~> 3.6.0)
 
 BUNDLED WITH
    2.7.1

data/README.md

@@ -2,6 +2,8 @@
 
 **Define your rack-apps in plain-text with built-in security.**
 
+> **v2.0.0-pre1 Available**: This pre-release includes major improvements to middleware management and test coverage. See [changelog](CHANGELOG.rst) and [migration guide](docs/migrating/v2.0.0-pre1.md) for upgraders.
+
 ![Otto mascot](public/img/otto.jpg "Otto - All Rack, no Pinion")
 
 Otto apps have three files: a rackup file, a Ruby class, and a routes file. The routes file is just plain text that maps URLs to Ruby methods.

data/bin/rspec

@@ -8,9 +8,9 @@
 # this file is here to facilitate running it.
 #
 
-ENV["BUNDLE_GEMFILE"] ||= File.expand_path("../Gemfile", __dir__)
+ENV['BUNDLE_GEMFILE'] ||= File.expand_path('../Gemfile', __dir__)
 
-require "rubygems"
-require "bundler/setup"
+require 'rubygems'
+require 'bundler/setup'
 
-load Gem.bin_path("rspec-core", "rspec")
+load Gem.bin_path('rspec-core', 'rspec')

data/changelog.d/README.md

@@ -0,0 +1,120 @@
+# Otto Changelog Process
+
+This directory contains Otto's changelog management using [Scriv](https://scriv.readthedocs.io/).
+
+## Developer Workflow
+
+### Creating a Changelog Fragment
+
+When making changes that affect users, create a changelog fragment:
+
+```bash
+# Create a new fragment
+scriv create
+
+# Edit the generated file in changelog.d/
+# Add entries under appropriate categories
+```
+
+### Categories
+
+Use these categories in your fragments:
+
+- **Added**: New features
+- **Changed**: Changes in existing functionality
+- **Deprecated**: Soon-to-be removed features
+- **Removed**: Removed features
+- **Fixed**: Bug fixes
+- **Security**: Security fixes and improvements
+- **Documentation**: Documentation changes
+- **AI Assistance**: AI-assisted development, analysis, and improvements
+
+### Fragment Format
+
+Each fragment uses reStructuredText format:
+
+```rst
+Added
+-----
+
+- New feature description
+
+Fixed
+-----
+
+- Bug fix description
+
+AI Assistance
+-------------
+
+- Comprehensive test coverage development with AI assistance
+```
+
+### Committing Changes
+
+Always commit the fragment alongside your code:
+
+```bash
+# Stage both code and fragment
+git add changelog.d/YYYYMMDD_HHmmss_username_branch.rst
+git add [your code files]
+
+# Commit together
+git commit -m "Your commit message
+
+Includes changelog fragment documenting changes."
+```
+
+## Release Process
+
+During releases, maintainers aggregate all fragments:
+
+```bash
+# Collect all fragments into CHANGELOG.rst
+scriv collect
+
+# Review the updated CHANGELOG.rst
+git add CHANGELOG.rst
+git commit -m "Release changelog for vX.Y.Z"
+```
+
+## Guidelines
+
+### When to Create Fragments
+
+Create fragments for:
+- ✅ New features users will notice
+- ✅ Bug fixes that affect user experience
+- ✅ Breaking changes or deprecations
+- ✅ Security fixes
+- ✅ API changes
+- ✅ Significant internal improvements (use AI Assistance category)
+
+Skip fragments for:
+- ❌ Internal refactoring with no user impact
+- ❌ Test-only changes (unless they represent significant coverage improvements)
+- ❌ Documentation typo fixes
+- ❌ CI/build changes
+
+### Fragment Quality
+
+Good fragments:
+- Are concise but descriptive
+- Focus on user impact, not implementation details
+- Link to issues/PRs when helpful: `(#123)`
+- Use active voice: "Fixed authentication bug" not "Authentication bug was fixed"
+
+### AI Assistance Category
+
+Use the "AI Assistance" category to document:
+- Security analysis and hardened design discussions
+- Implementation development with AI pair programming
+- Comprehensive test coverage development
+- Architecture improvements developed with AI
+- Code review and debugging sessions with AI
+
+This category ensures transparency about AI contributions to the project while highlighting areas where AI provided particular value.
+
+## Configuration
+
+See `scriv.ini` for configuration details. The setup automatically detects Otto's version from `lib/otto/version.rb`.

data/changelog.d/scriv.ini

@@ -0,0 +1,5 @@
+[scriv]
+format = rst
+categories = Added, Changed, Deprecated, Removed, Fixed, Security, Documentation, AI Assistance
+version = command: ruby -r ./lib/otto/version.rb -e "puts Otto::VERSION"
+main_branches = main, next

data/docs/.gitignore

@@ -1,2 +1,4 @@
 *
 !.gitignore
+!migrating/
+!migrating/*.md