otto 1.6.0 → 2.0.0.pre2

data/examples/basic/app.rb

@@ -1,7 +1,8 @@
-# examples/basic/app.rb (Streamlined with Design System)
+# examples/basic/app.rb
 
 require_relative '../../lib/otto/design_system'
 
+# Basic example application demonstrating Otto framework features.
 class App
   include Otto::DesignSystem
 
@@ -37,42 +38,13 @@ class App
     message = req.params['msg']&.strip
 
     content = if message.nil? || message.empty?
-      otto_alert('error', 'Empty Message', 'Please enter a message before submitting.')
-    else
-      otto_alert('success', 'Feedback Received', 'Thanks for your message!') +
-        otto_card('Your Message') { otto_code_block(message, 'text') }
-    end
+                otto_alert('error', 'Empty Message', 'Please enter a message before submitting.')
+              else
+                otto_alert('success', 'Feedback Received', 'Thanks for your message!') +
+                  otto_card('Your Message') { otto_code_block(message, 'text') }
+              end
 
     content += "<p>#{otto_link('← Back', '/')}</p>"
     res.body = otto_page(content, 'Feedback')
   end
-
-  def redirect
-    res.redirect '/robots.txt'
-  end
-
-  def robots_text
-    res.headers['content-type'] = 'text/plain'
-    res.body                    = ['User-agent: *', 'Disallow: /private'].join($/)
-  end
-
-  def display_product
-    res.headers['content-type'] = 'application/json; charset=utf-8'
-    prodid                      = req.params[:prodid]
-    res.body                    = format('{"product":%s,"msg":"Hint: try another value"}', prodid)
-  end
-
-  def not_found
-    res.status = 404
-    content    = otto_alert('error', 'Not Found', 'The requested page could not be found.')
-    content   += "<p>#{otto_link('← Home', '/')}</p>"
-    res.body   = otto_page(content, '404')
-  end
-
-  def server_error
-    res.status = 500
-    content    = otto_alert('error', 'Server Error', 'An internal server error occurred.')
-    content   += "<p>#{otto_link('← Home', '/')}</p>"
-    res.body   = otto_page(content, '500')
-  end
 end

data/examples/basic/routes

@@ -9,12 +9,3 @@
 
 GET   /                         App#index
 POST  /                         App#receive_feedback
-GET   /redirect                 App#redirect
-GET   /robots.txt               App#robots_text
-
-GET   /bogus                    App#no_such_method
-
-# You can also define these handlers when no
-# route can be found or there's a server error. (optional)
-GET   /404                      App#not_found
-GET   /500                      App#server_error

data/examples/mcp_demo/README.md

@@ -0,0 +1,87 @@
+# Otto MCP Demo
+
+This example demonstrates Otto's Model-Controller-Protocol (MCP) feature. MCP provides a standardized JSON-RPC 2.0 endpoint (`/_mcp`) that allows you to expose application resources and tools securely.
+
+This is useful for building CLIs, admin interfaces, or allowing other services to interact with your application programmatically.
+
+## Features Demonstrated
+
+*   **MCP Endpoint:** A single `POST /_mcp` endpoint for all API interactions.
+*   **Authentication:** Requests to the MCP endpoint are protected by bearer token authentication.
+*   **Rate Limiting:** The endpoint has its own rate limiting to prevent abuse.
+*   **Resources:** Read-only data exposed via `MCP` routes (e.g., listing users).
+*   **Tools:** Actions or operations exposed via `TOOL` routes (e.g., creating a user).
+
+## How to Run
+
+1.  Make sure you have `bundler` and `thin` installed:
+    ```sh
+    gem install bundler thin
+    ```
+
+2.  Install the dependencies from the root of the project:
+    ```sh
+    bundle install
+    ```
+
+3.  Start the server from this directory (`examples/mcp_demo`):
+    ```sh
+    thin -R config.ru -p 9292 start
+    ```
+    *Note: This demo uses port 9292 as is conventional for Rack apps.*
+
+4.  Open your browser and navigate to `http://localhost:9292` to see the welcome page.
+
+## Interacting with the MCP Endpoint
+
+All interactions happen via `POST` requests to `http://localhost:9292/_mcp`. You must provide an `Authorization: Bearer <token>` header and a `Content-Type: application/json` header.
+
+Valid tokens are `demo-token-123` and `another-token-456`.
+
+### MCP: Initialize
+
+The `initialize` method is a built-in MCP method that returns information about the available resources and tools.
+
+```sh
+curl -X POST http://localhost:9292/_mcp \
+     -H 'Authorization: Bearer demo-token-123' \
+     -H 'Content-Type: application/json' \
+     -d '{"jsonrpc":"2.0","method":"initialize","id":1,"params":{}}'
+```
+
+### Resource: List Users
+
+This calls the `UserAPI.mcp_list_users` method defined as an `MCP` route. The method name for the JSON-RPC call is derived from the route path (`/users` -> `users/list`).
+
+```sh
+curl -X POST http://localhost:9292/_mcp \
+     -H 'Authorization: Bearer demo-token-123' \
+     -H 'Content-Type: application/json' \
+     -d '{"jsonrpc":"2.0","method":"users/list","id":2}'
+```
+
+### Tool: Create User
+
+This calls the `UserAPI.mcp_create_user` method defined as a `TOOL` route. The method name is derived from the route path (`/create_user` -> `create_user`).
+
+```sh
+curl -X POST http://localhost:9292/_mcp \
+     -H 'Authorization: Bearer demo-token-123' \
+     -H 'Content-Type: application/json' \
+     -d '{
+          "jsonrpc": "2.0",
+          "method": "create_user",
+          "id": 3,
+          "params": {
+            "name": "Charlie",
+            "email": "charlie@example.com"
+          }
+        }'
+```
+
+## File Structure
+
+*   `README.md`: This file.
+*   `app.rb`: Contains the application logic, including the `DemoApp` for web pages and the `UserAPI` for MCP handlers.
+*   `config.ru`: The Rack configuration file. It loads the Otto framework, enables MCP, and runs the application.
+*   `routes`: Defines the standard web routes as well as the `MCP` and `TOOL` routes for the MCP endpoint.

data/examples/mcp_demo/app.rb

@@ -1,22 +1,41 @@
-#!/usr/bin/env ruby
-
-# Example Otto application with MCP support
-# This demonstrates Phase 1 & 2 implementation
+# examples/mcp_demo/app.rb
+require 'json'
+require 'time'
+
+# DemoApp provides basic HTML pages for the demo.
+class DemoApp
+  def self.index(_req, res)
+    res.headers['content-type'] = 'text/html; charset=utf-8'
+    res.body = <<~HTML
+      <h1>Otto MCP Demo</h1>
+      <p>This example demonstrates Otto's Model-Controller-Protocol (MCP) feature, which provides a JSON-RPC 2.0 endpoint for interacting with your application.</p>
+      <p>The MCP endpoint is available at: <code>POST /_mcp</code></p>
+      <p>See the <code>README.md</code> file for detailed `curl` commands to test the API.</p>
+    HTML
+  end
 
-require_relative '../../lib/otto'
+  def self.health(_req, res)
+    res.headers['content-type'] = 'text/plain'
+    res.body = 'OK'
+  end
+end
 
+# UserAPI provides handlers for the MCP tool and resource routes.
 class UserAPI
+  # MCP Resource: mcp_list_users
+  # Accessible via JSON-RPC method "users/list"
   def self.mcp_list_users
     {
       users: [
         { id: 1, name: 'Alice', email: 'alice@example.com' },
-        { id: 2, name: 'Bob', email: 'bob@example.com' }
-      ]
+        { id: 2, name: 'Bob', email: 'bob@example.com' },
+      ],
     }.to_json
   end
 
-  def self.mcp_create_user(arguments, env)
-    # Tool handler that creates a user
+  # MCP Tool: mcp_create_user
+  # Accessible via JSON-RPC method "create_user"
+  def self.mcp_create_user(arguments, _env)
     name = arguments['name'] || 'Anonymous'
     email = arguments['email'] || "#{name.downcase}@example.com"
 
@@ -24,33 +43,9 @@ class UserAPI
       id: rand(1000..9999),
       name: name,
       email: email,
-      created_at: Time.now.iso8601
+      created_at: Time.now.iso8601,
     }
 
     "Created user: #{new_user.to_json}"
   end
 end
-
-# Initialize Otto with MCP support
-otto = Otto.new('routes', {
-  mcp_enabled: true,
-  auth_tokens: ['demo-token-123'],  # Simple token auth
-  requests_per_minute: 10,          # Lower for demo
-  tools_per_minute: 5
-})
-
-# Enable MCP with authentication tokens
-otto.enable_mcp!({
-  auth_tokens: ['demo-token-123', 'another-token-456'],
-  enable_validation: true,
-  enable_rate_limiting: true
-})
-
-puts "Otto MCP Demo Server starting..."
-puts "MCP endpoint: POST /_mcp"
-puts "Auth tokens: demo-token-123, another-token-456"
-puts "Usage: curl -H 'Authorization: Bearer demo-token-123' -H 'Content-Type: application/json' \\"
-puts "       -d '{\"jsonrpc\":\"2.0\",\"method\":\"initialize\",\"id\":1,\"params\":{}}' \\"
-puts "       http://localhost:9292/_mcp"
-
-otto

data/examples/mcp_demo/config.ru

@@ -1,68 +1,17 @@
-#!/usr/bin/env ruby
+# examples/mcp_demo/config.ru
 
 require_relative '../../lib/otto'
-
-class DemoApp
-  def self.index(req, res)
-    res.body = <<-HTML
-      <h1>Otto MCP Demo</h1>
-      <p>MCP endpoint available at: <code>POST /_mcp</code></p>
-      <p>Auth tokens: <code>demo-token-123</code>, <code>another-token-456</code></p>
-
-      <h2>Test MCP Initialize</h2>
-      <pre>curl -H 'Authorization: Bearer demo-token-123' -H 'Content-Type: application/json' \\
-  -d '{"jsonrpc":"2.0","method":"initialize","id":1,"params":{}}' \\
-  http://localhost:9292/_mcp</pre>
-
-      <h2>List Resources</h2>
-      <pre>curl -H 'Authorization: Bearer demo-token-123' -H 'Content-Type: application/json' \\
-  -d '{"jsonrpc":"2.0","method":"resources/list","id":2}' \\
-  http://localhost:9292/_mcp</pre>
-
-      <h2>List Tools</h2>
-      <pre>curl -H 'Authorization: Bearer demo-token-123' -H 'Content-Type: application/json' \\
-  -d '{"jsonrpc":"2.0","method":"tools/list","id":3}' \\
-  http://localhost:9292/_mcp</pre>
-    HTML
-  end
-
-  def self.health(req, res)
-    res.body = 'OK'
-  end
-end
-
-class UserAPI
-  def self.mcp_list_users
-    {
-      users: [
-        { id: 1, name: 'Alice', email: 'alice@example.com' },
-        { id: 2, name: 'Bob', email: 'bob@example.com' }
-      ]
-    }.to_json
-  end
-
-  def self.mcp_create_user(arguments, env)
-    # Tool handler that creates a user
-    name = arguments['name'] || 'Anonymous'
-    email = arguments['email'] || "#{name.downcase}@example.com"
-
-    new_user = {
-      id: rand(1000..9999),
-      name: name,
-      email: email,
-      created_at: Time.now.iso8601
-    }
-
-    "Created user: #{new_user.to_json}"
-  end
-end
+require_relative 'app'
 
 # Initialize Otto with MCP support
-otto = Otto.new('routes', {
+app = Otto.new('routes', {
   mcp_enabled: true,
   auth_tokens: ['demo-token-123', 'another-token-456'],
-  requests_per_minute: 60,
-  tools_per_minute: 20
+  requests_per_minute: 60, # Rate limiting for the MCP endpoint
+  tools_per_minute: 20,
 })
 
-run otto
+# The `mcp_enabled: true` flag automatically sets up the /_mcp endpoint.
+# The routes file maps MCP and TOOL methods to classes.
+
+run app

data/examples/security_features/README.md

@@ -0,0 +1,46 @@
+# Otto Security Features Example
+
+This example application demonstrates the built-in security features of the Otto framework. It is configured to be secure by default and provides a showcase of best practices.
+
+## Security Features Demonstrated
+
+*   **CSRF Protection:** All POST forms are protected with a CSRF token to prevent cross-site request forgery attacks.
+*   **Input Validation:** All user-submitted data is validated on the server-side for length and content, preventing common injection attacks.
+*   **XSS Prevention:** All output is properly escaped to prevent cross-site scripting (XSS). You can test this by submitting `<script>alert('XSS')</script>` in any form.
+*   **Secure File Uploads:** File uploads are validated, and filenames are sanitized to prevent directory traversal and other file-based attacks.
+*   **Security Headers:** The application sends important security headers like `Content-Security-Policy`, `Strict-Transport-Security`, and `X-Frame-Options`.
+*   **Request Limiting:** The application is configured to limit the maximum request size, parameter depth, and number of parameter keys to prevent denial-of-service attacks.
+*   **Trusted Proxies:** The configuration includes a list of trusted proxy servers, ensuring that `X-Forwarded-*` headers are handled correctly and securely.
+
+## How to Run
+
+1.  Make sure you have `bundler` and `thin` installed:
+    ```sh
+    gem install bundler thin
+    ```
+
+2.  Install the dependencies from the root of the project:
+    ```sh
+    bundle install
+    ```
+
+3.  Start the server from this directory (`examples/security_features`):
+    ```sh
+    thin -e dev -R config.ru -p 10770 start
+    ```
+
+4.  Open your browser and navigate to `http://localhost:10770`.
+
+## What to Test
+
+*   **XSS Protection:** Try entering `<script>alert("XSS")</script>` into any of the form fields. You will see that the input is safely displayed as text instead of being executed as a script.
+*   **Input Validation:** Try submitting a very long message in the feedback form to see the length validation in action.
+*   **File Uploads:** Try uploading different types of files. The application will show you how it sanitizes the filename.
+*   **Security Headers:** Open your browser's developer tools and inspect the network requests. You will see the security headers in the response. You can also visit the `/headers` path to see a JSON representation of the request headers your browser is sending.
+
+## File Structure
+
+*   `README.md`: This file.
+*   `app.rb`: The main application logic, demonstrating how to handle forms, file uploads, and user input in a secure way.
+*   `config.ru`: The Rack configuration file. This is where the security features are enabled and configured for the Otto application.
+*   `routes`: Defines the URL routes and maps them to methods in the `SecureApp` class.

data/examples/security_features/app.rb

@@ -1,7 +1,8 @@
-# examples/security_features/app.rb (Updated with Design System)
+# examples/security_features/app.rb
 
 require_relative '../../lib/otto/design_system'
 
+# Example application demonstrating Otto's security features including CSRF protection
 class SecureApp
   include Otto::DesignSystem
   include Otto::Security::CSRFHelpers
@@ -106,18 +107,18 @@ class SecureApp
       end
 
       content = if safe_message.empty?
-        otto_alert('error', 'Validation Error', 'Message cannot be empty.')
-      else
-        <<~HTML
-          #{otto_alert('success', 'Feedback Received', 'Thank you for your feedback!')}
-
-          #{otto_card('Your Message') do
-            otto_code_block(safe_message, 'text')
-          end}
-        HTML
+                  otto_alert('error', 'Validation Error', 'Message cannot be empty.')
+                else
+                  <<~HTML
+                    #{otto_alert('success', 'Feedback Received', 'Thank you for your feedback!')}
+
+                    #{otto_card('Your Message') do
+                      otto_code_block(safe_message, 'text')
+                    end}
+                  HTML
                 end
-    rescue Otto::Security::ValidationError => ex
-      content = otto_alert('error', 'Security Validation Failed', ex.message)
+    rescue Otto::Security::ValidationError => e
+      content = otto_alert('error', 'Security Validation Failed', e.message)
     rescue StandardError
       content = otto_alert('error', 'Processing Error', 'An error occurred processing your request.')
     end
@@ -135,18 +136,18 @@ class SecureApp
       else
         begin
           filename = begin
-                     uploaded_file[:filename]
+            uploaded_file[:filename]
           rescue StandardError
-                     uploaded_file.original_filename
+            uploaded_file.original_filename
           end
         rescue StandardError
           'unknown'
         end
 
         safe_filename = if respond_to?(:sanitize_filename)
-          sanitize_filename(filename)
-        else
-          File.basename(filename.to_s).gsub(/[^\w\-_\.]/, '_')
+                          sanitize_filename(filename)
+                        else
+                          File.basename(filename.to_s).gsub(/[^\w\-_.]/, '_')
                         end
 
         file_info = {
@@ -173,8 +174,8 @@ class SecureApp
           </div>
         HTML
       end
-    rescue Otto::Security::ValidationError => ex
-      content = otto_alert('error', 'File Validation Failed', ex.message)
+    rescue Otto::Security::ValidationError => e
+      content = otto_alert('error', 'File Validation Failed', e.message)
     rescue StandardError
       content = otto_alert('error', 'Upload Error', 'An error occurred during file upload.')
     end
@@ -199,9 +200,7 @@ class SecureApp
         safe_bio   = bio.to_s.strip[0..499]
       end
 
-      unless safe_email.match?(/\A[^@\s]+@[^@\s]+\z/)
-        raise Otto::Security::ValidationError, 'Invalid email format'
-      end
+      raise Otto::Security::ValidationError, 'Invalid email format' unless safe_email.match?(/\A[^@\s]+@[^@\s]+\z/)
 
       profile_data = {
         'Name' => safe_name,
@@ -221,8 +220,8 @@ class SecureApp
           profile_html
         end}
       HTML
-    rescue Otto::Security::ValidationError => ex
-      content = otto_alert('error', 'Profile Validation Failed', ex.message)
+    rescue Otto::Security::ValidationError => e
+      content = otto_alert('error', 'Profile Validation Failed', e.message)
     rescue StandardError
       content = otto_alert('error', 'Update Error', 'An error occurred updating your profile.')
     end

data/examples/security_features/config.ru

@@ -14,8 +14,8 @@ require_relative 'app'
 
 # Create Otto app with security features enabled
 app = Otto.new('./routes', {
-  # Enable CSRF protection for POST, PUT, DELETE requests
-  csrf_protection: true,
+                 # Enable CSRF protection for POST, PUT, DELETE requests
+                 csrf_protection: true,
 
   # Enable input validation and sanitization
   request_validation: true,
@@ -44,13 +44,12 @@ app = Otto.new('./routes', {
     'strict-transport-security' => 'max-age=31536000; includeSubDomains',
     'x-frame-options' => 'DENY',
   },
-}
-)
+               })
 
 # Optional: Configure additional security settings
-app.security_config.max_request_size = 5 * 1024 * 1024  # 5MB limit
-app.security_config.max_param_depth  = 10                # Limit parameter nesting
-app.security_config.max_param_keys   = 50                 # Limit parameters per request
+app.security_config.max_request_size = 5 * 1024 * 1024 # 5MB limit
+app.security_config.max_param_depth  = 10 # Limit parameter nesting
+app.security_config.max_param_keys   = 50 # Limit parameters per request
 
 # Optional: Add static file serving with security
 app.option[:public] = public_path
@@ -62,10 +61,9 @@ if ENV['RACK_ENV'] == 'production'
 
   # More restrictive CSP for production
   app.set_security_headers({
-    'content-security-policy' => "default-src 'self'; style-src 'self'; script-src 'self'; object-src 'none'",
+                             'content-security-policy' => "default-src 'self'; style-src 'self'; script-src 'self'; object-src 'none'",
     'strict-transport-security' => 'max-age=63072000; includeSubDomains; preload',
-  },
-                          )
+                           })
 else
   # Development-specific settings
   puts '🔒 Security features enabled:'

data/lib/otto/core/configuration.rb

@@ -0,0 +1,167 @@
+# frozen_string_literal: true
+
+# lib/otto/core/configuration.rb
+
+require_relative '../security/csrf'
+require_relative '../security/validator'
+require_relative '../security/authentication'
+require_relative '../security/rate_limiting'
+require_relative '../mcp/server'
+
+class Otto
+  module Core
+    # Configuration module providing locale and application configuration methods
+    module Configuration
+      def configure_locale(opts)
+        # Start with global configuration
+        global_config = self.class.global_config
+        @locale_config = nil
+
+        # Check if we have any locale configuration from any source
+        has_global_locale = global_config && (global_config[:available_locales] || global_config[:default_locale])
+        has_direct_options = opts[:available_locales] || opts[:default_locale]
+        has_legacy_config = opts[:locale_config]
+
+        # Only create locale_config if we have configuration from somewhere
+        return unless has_global_locale || has_direct_options || has_legacy_config
+
+        @locale_config = {}
+
+        # Apply global configuration first
+        if global_config && global_config[:available_locales]
+          @locale_config[:available_locales] =
+            global_config[:available_locales]
+        end
+        if global_config && global_config[:default_locale]
+          @locale_config[:default_locale] =
+            global_config[:default_locale]
+        end
+
+        # Apply direct instance options (these override global config)
+        @locale_config[:available_locales] = opts[:available_locales] if opts[:available_locales]
+        @locale_config[:default_locale] = opts[:default_locale] if opts[:default_locale]
+
+        # Legacy support: Configure locale if provided in initialization options via locale_config hash
+        return unless opts[:locale_config]
+
+        locale_opts = opts[:locale_config]
+        if locale_opts[:available_locales] || locale_opts[:available]
+          @locale_config[:available_locales] =
+            locale_opts[:available_locales] || locale_opts[:available]
+        end
+        return unless locale_opts[:default_locale] || locale_opts[:default]
+
+        @locale_config[:default_locale] =
+          locale_opts[:default_locale] || locale_opts[:default]
+      end
+
+      def configure_security(opts)
+        # Enable CSRF protection if requested
+        enable_csrf_protection! if opts[:csrf_protection]
+
+        # Enable request validation if requested
+        enable_request_validation! if opts[:request_validation]
+
+        # Enable rate limiting if requested
+        if opts[:rate_limiting]
+          rate_limiting_opts = opts[:rate_limiting].is_a?(Hash) ? opts[:rate_limiting] : {}
+          enable_rate_limiting!(rate_limiting_opts)
+        end
+
+        # Add trusted proxies if provided
+        Array(opts[:trusted_proxies]).each { |proxy| add_trusted_proxy(proxy) } if opts[:trusted_proxies]
+
+        # Set custom security headers
+        return unless opts[:security_headers]
+
+        set_security_headers(opts[:security_headers])
+      end
+
+      def configure_authentication(opts)
+        # Update existing @auth_config rather than creating a new one
+        # to maintain synchronization with the configurator
+        @auth_config[:auth_strategies] = opts[:auth_strategies] if opts[:auth_strategies]
+        @auth_config[:default_auth_strategy] = opts[:default_auth_strategy] if opts[:default_auth_strategy]
+
+        # Enable authentication middleware if strategies are configured
+        return unless opts[:auth_strategies] && !opts[:auth_strategies].empty?
+
+        enable_authentication!
+      end
+
+      def configure_mcp(opts)
+        @mcp_server = nil
+
+        # Enable MCP if requested in options
+        return unless opts[:mcp_enabled] || opts[:mcp_http] || opts[:mcp_stdio]
+
+        @mcp_server = Otto::MCP::Server.new(self)
+
+        mcp_options = {}
+        mcp_options[:http_endpoint] = opts[:mcp_endpoint] if opts[:mcp_endpoint]
+
+        return unless opts[:mcp_http] != false # Default to true unless explicitly disabled
+
+        @mcp_server.enable!(mcp_options)
+      end
+
+      # Configure locale settings for the application
+      #
+      # @param available_locales [Hash] Hash of available locales (e.g., { 'en' => 'English', 'es' => 'Spanish' })
+      # @param default_locale [String] Default locale to use as fallback
+      # @example
+      #   otto.configure(
+      #     available_locales: { 'en' => 'English', 'es' => 'Spanish', 'fr' => 'French' },
+      #     default_locale: 'en'
+      #   )
+      def configure(available_locales: nil, default_locale: nil)
+        @locale_config ||= {}
+        @locale_config[:available_locales] = available_locales if available_locales
+        @locale_config[:default_locale] = default_locale if default_locale
+      end
+
+      # Configure rate limiting settings.
+      #
+      # @param config [Hash] Rate limiting configuration
+      # @option config [Integer] :requests_per_minute Maximum requests per minute per IP
+      # @option config [Hash] :custom_rules Hash of custom rate limiting rules
+      # @option config [Object] :cache_store Custom cache store for rate limiting
+      # @example
+      #   otto.configure_rate_limiting({
+      #     requests_per_minute: 50,
+      #     custom_rules: {
+      #       'api_calls' => { limit: 30, period: 60, condition: ->(req) { req.path.start_with?('/api') }}
+      #     }
+      #   })
+      def configure_rate_limiting(config)
+        @security_config.rate_limiting_config.merge!(config)
+      end
+
+      # Configure authentication strategies for route-level access control.
+      #
+      # @param strategies [Hash] Hash mapping strategy names to strategy instances
+      # @param default_strategy [String] Default strategy to use when none specified
+      # @example
+      #   otto.configure_auth_strategies({
+      #     'noauth' => Otto::Security::Authentication::Strategies::NoAuthStrategy.new,
+      #     'authenticated' => Otto::Security::Authentication::Strategies::SessionStrategy.new(session_key: 'user_id'),
+      #     'role:admin' => Otto::Security::Authentication::Strategies::RoleStrategy.new(['admin']),
+      #     'api_key' => Otto::Security::Authentication::Strategies::APIKeyStrategy.new(api_keys: ['secret123'])
+      #   })
+      def configure_auth_strategies(strategies, default_strategy: 'noauth')
+        # Update existing @auth_config rather than creating a new one
+        @auth_config[:auth_strategies] = strategies
+        @auth_config[:default_auth_strategy] = default_strategy
+
+        enable_authentication! unless strategies.empty?
+      end
+
+      private
+
+      def middleware_enabled?(middleware_class)
+        # Only check the new middleware stack as the single source of truth
+        @middleware && @middleware.includes?(middleware_class)
+      end
+    end
+  end
+end