RubyGems - otto - Versions diffs - 2.0.0.pre1 → 2.0.0.pre3 - Mend

otto 2.0.0.pre1 → 2.0.0.pre3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (60) hide show

checksums.yaml +4 -4
data/.github/workflows/ci.yml +2 -3
data/.github/workflows/claude-code-review.yml +30 -14
data/.github/workflows/claude.yml +1 -1
data/.rubocop.yml +4 -1
data/CHANGELOG.rst +54 -6
data/CLAUDE.md +537 -0
data/Gemfile +3 -2
data/Gemfile.lock +34 -26
data/benchmark_middleware_wrap.rb +163 -0
data/changelog.d/20251014_144317_delano_54_thats_a_wrapper.rst +36 -0
data/changelog.d/20251014_161526_delano_54_thats_a_wrapper.rst +5 -0
data/docs/.gitignore +2 -0
data/docs/ipaddr-encoding-quirk.md +34 -0
data/docs/migrating/v2.0.0-pre2.md +338 -0
data/examples/authentication_strategies/config.ru +0 -1
data/lib/otto/core/configuration.rb +91 -41
data/lib/otto/core/freezable.rb +93 -0
data/lib/otto/core/middleware_stack.rb +103 -16
data/lib/otto/core/router.rb +8 -7
data/lib/otto/core.rb +8 -0
data/lib/otto/env_keys.rb +118 -0
data/lib/otto/helpers/base.rb +2 -21
data/lib/otto/helpers/request.rb +80 -2
data/lib/otto/helpers/response.rb +25 -3
data/lib/otto/helpers.rb +4 -0
data/lib/otto/locale/config.rb +56 -0
data/lib/otto/mcp/{validation.rb → schema_validation.rb} +3 -2
data/lib/otto/mcp/server.rb +26 -13
data/lib/otto/mcp.rb +3 -0
data/lib/otto/privacy/config.rb +199 -0
data/lib/otto/privacy/geo_resolver.rb +115 -0
data/lib/otto/privacy/ip_privacy.rb +175 -0
data/lib/otto/privacy/redacted_fingerprint.rb +136 -0
data/lib/otto/privacy.rb +29 -0
data/lib/otto/response_handlers/json.rb +6 -0
data/lib/otto/route.rb +44 -48
data/lib/otto/route_handlers/base.rb +1 -2
data/lib/otto/route_handlers/factory.rb +24 -9
data/lib/otto/route_handlers/logic_class.rb +2 -2
data/lib/otto/security/authentication/auth_failure.rb +44 -0
data/lib/otto/security/authentication/auth_strategy.rb +3 -3
data/lib/otto/security/authentication/route_auth_wrapper.rb +260 -0
data/lib/otto/security/authentication/strategies/{public_strategy.rb → noauth_strategy.rb} +6 -2
data/lib/otto/security/authentication/strategy_result.rb +129 -15
data/lib/otto/security/authentication.rb +5 -6
data/lib/otto/security/config.rb +51 -18
data/lib/otto/security/configurator.rb +2 -15
data/lib/otto/security/middleware/ip_privacy_middleware.rb +211 -0
data/lib/otto/security/middleware/rate_limit_middleware.rb +19 -3
data/lib/otto/security.rb +9 -0
data/lib/otto/version.rb +1 -1
data/lib/otto.rb +183 -89
data/otto.gemspec +5 -0
metadata +83 -8
data/changelog.d/20250911_235619_delano_next.rst +0 -28
data/changelog.d/20250912_123055_delano_remove_ostruct.rst +0 -21
data/changelog.d/20250912_175625_claude_delano_remove_ostruct.rst +0 -21
data/lib/otto/security/authentication/authentication_middleware.rb +0 -123
data/lib/otto/security/authentication/failure_result.rb +0 -36

data/lib/otto.rb CHANGED Viewed

@@ -11,29 +11,19 @@ require 'rack/request'
 require 'rack/response'
 require 'rack/utils'
-require_relative 'otto/security/authentication/strategy_result'
 require_relative 'otto/route_definition'
 require_relative 'otto/route'
 require_relative 'otto/static'
-require_relative 'otto/helpers/request'
-require_relative 'otto/helpers/response'
+require_relative 'otto/helpers'
 require_relative 'otto/response_handlers'
 require_relative 'otto/route_handlers'
-require_relative 'otto/version'
-require_relative 'otto/security/config'
-require_relative 'otto/security/middleware/csrf_middleware'
-require_relative 'otto/security/middleware/validation_middleware'
-require_relative 'otto/security/authentication/authentication_middleware'
-require_relative 'otto/security/middleware/rate_limit_middleware'
-require_relative 'otto/mcp/server'
-require_relative 'otto/core/router'
-require_relative 'otto/core/file_safety'
-require_relative 'otto/core/configuration'
-require_relative 'otto/core/error_handler'
-require_relative 'otto/core/uri_generator'
-require_relative 'otto/core/middleware_stack'
-require_relative 'otto/security/configurator'
+require_relative 'otto/locale/config'
+require_relative 'otto/mcp'
+require_relative 'otto/core'
+require_relative 'otto/privacy'
+require_relative 'otto/security'
 require_relative 'otto/utils'
+require_relative 'otto/version'
 # Otto is a simple Rack router that allows you to define routes in a file
 # with built-in security features including CSRF protection, input validation,
@@ -56,38 +46,6 @@ require_relative 'otto/utils'
 #   otto.enable_csp!
 #   otto.enable_frame_protection!
 #
-# Configuration Data class to replace OpenStruct
-# Configuration Data class to replace OpenStruct
-# Configuration class to replace OpenStruct
-class ConfigData
-  def initialize(**kwargs)
-    @data = kwargs
-  end
-  # Dynamic attribute accessors
-  def method_missing(method_name, *args)
-    if method_name.to_s.end_with?('=')
-      # Setter
-      attr_name = method_name.to_s.chomp('=').to_sym
-      @data[attr_name] = args.first
-    elsif @data.key?(method_name)
-      # Getter
-      @data[method_name]
-    else
-      super
-    end
-  end
-  def respond_to_missing?(method_name, include_private = false)
-    method_name.to_s.end_with?('=') || @data.key?(method_name) || super
-  end
-  # Convert to hash for compatibility
-  def to_h
-    @data.dup
-  end
-end
 class Otto
   include Otto::Core::Router
   include Otto::Core::FileSafety
@@ -103,25 +61,11 @@ class Otto
            else
              defined?(Otto::Utils) ? Otto::Utils.yes?(ENV.fetch('OTTO_DEBUG', nil)) : false
            end
-  @logger        = Logger.new($stdout, Logger::INFO)
-  @global_config = nil
-  # Global configuration for all Otto instances (Ruby 3.2+ pattern matching)
-  def self.configure
-    config = case @global_config
-             in Hash => h
-               # Transform string keys to symbol keys for ConfigData compatibility
-               symbol_hash = h.transform_keys(&:to_sym)
-               ConfigData.new(**symbol_hash)
-             else
-               ConfigData.new
-             end
-    yield config
-    @global_config = config.to_h
-  end
+  @logger = Logger.new($stdout, Logger::INFO)
-  attr_reader :routes, :routes_literal, :routes_static, :route_definitions, :option, :static_route,
-              :security_config, :locale_config, :auth_config, :route_handler_factory, :mcp_server, :security, :middleware
+  attr_reader :routes, :routes_literal, :routes_static, :route_definitions, :option,
+              :static_route, :security_config, :locale_config, :auth_config,
+              :route_handler_factory, :mcp_server, :security, :middleware
   attr_accessor :not_found, :server_error
   def initialize(path = nil, opts = {})
@@ -132,27 +76,76 @@ class Otto
     Otto.logger.debug "new Otto: #{opts}" if Otto.debug
     load(path) unless path.nil?
     super()
+    # Build the middleware app once after all initialization is complete
+    build_app!
+    # Configuration freezing is deferred until first request to support
+    # multi-step initialization (e.g., multi-app architectures).
+    # This allows adding auth strategies, middleware, etc. after Otto.new
+    # but before processing requests.
+    @freeze_mutex = Mutex.new
+    @configuration_frozen = false
   end
   alias options option
   # Main Rack application interface
   def call(env)
-    # Apply middleware stack
-    base_app = ->(e) { handle_request(e) }
-    # Use the middleware stack as the source of truth
-    app = @middleware.build_app(base_app, @security_config)
+    # Freeze configuration on first request (thread-safe)
+    # Skip in test environment to allow test flexibility
+    unless defined?(RSpec) || @configuration_frozen
+      Otto.logger.debug '[Otto] Lazy freezing check: configuration not yet frozen' if Otto.debug
+      @freeze_mutex.synchronize do
+        unless @configuration_frozen
+          Otto.logger.info '[Otto] Freezing configuration on first request (lazy freeze)'
+          freeze_configuration!
+          @configuration_frozen = true
+          Otto.logger.debug '[Otto] Configuration frozen successfully' if Otto.debug
+        end
+      end
+    end
     begin
-      app.call(env)
+      # Use pre-built middleware app (built once at initialization)
+      @app.call(env)
     rescue StandardError => e
       handle_error(e, env)
     end
   end
+  # Builds the middleware application chain
+  # Called once at initialization and whenever middleware stack changes
+  #
+  # IMPORTANT: If you have routes with auth requirements, you MUST add session
+  # middleware to your middleware stack BEFORE Otto processes requests.
+  #
+  # Session middleware is required for RouteAuthWrapper to correctly persist
+  # session changes during authentication. Common options include:
+  # - Rack::Session::Cookie (requires rack-session gem)
+  # - Rack::Session::Pool
+  # - Rack::Session::Memcache
+  # - Any Rack-compatible session middleware
+  #
+  # Example:
+  #   use Rack::Session::Cookie, secret: ENV['SESSION_SECRET']
+  #   otto = Otto.new('routes.txt')
+  #
+  def build_app!
+    base_app = method(:handle_request)
+    @app = @middleware.wrap(base_app, @security_config)
+  end
   # Middleware Management
   def use(middleware, ...)
+    ensure_not_frozen!
     @middleware.add(middleware, ...)
+    # NOTE: If build_app! is triggered during a request (via use() or
+    # middleware_stack=), the @app instance variable could be swapped
+    # mid-request in a multi-threaded environment.
+    build_app! if @app  # Rebuild app if already initialized
   end
   # Compatibility method for existing tests
@@ -164,6 +157,7 @@ class Otto
   def middleware_stack=(stack)
     @middleware.clear!
     Array(stack).each { |middleware| @middleware.add(middleware) }
+    build_app! if @app  # Rebuild app if already initialized
   end
   # Compatibility method for middleware detection
@@ -180,6 +174,7 @@ class Otto
   # @example
   #   otto.enable_csrf_protection!
   def enable_csrf_protection!
+    ensure_not_frozen!
     return if @middleware.includes?(Otto::Security::Middleware::CSRFMiddleware)
     @security_config.enable_csrf_protection!
@@ -192,6 +187,7 @@ class Otto
   # @example
   #   otto.enable_request_validation!
   def enable_request_validation!
+    ensure_not_frozen!
     return if @middleware.includes?(Otto::Security::Middleware::ValidationMiddleware)
     @security_config.input_validation = true
@@ -207,6 +203,7 @@ class Otto
   # @example
   #   otto.enable_rate_limiting!(requests_per_minute: 50)
   def enable_rate_limiting!(options = {})
+    ensure_not_frozen!
     return if @middleware.includes?(Otto::Security::Middleware::RateLimitMiddleware)
     @security.configure_rate_limiting(options)
@@ -223,7 +220,7 @@ class Otto
   # @example
   #   otto.add_rate_limit_rule('uploads', limit: 5, period: 300, condition: ->(req) { req.post? && req.path.include?('upload') })
   def add_rate_limit_rule(name, options)
-    @security_config.rate_limiting_config[:custom_rules] ||= {}
+    ensure_not_frozen!
     @security_config.rate_limiting_config[:custom_rules][name.to_s] = options
   end
@@ -235,6 +232,7 @@ class Otto
   #   otto.add_trusted_proxy('10.0.0.0/8')
   #   otto.add_trusted_proxy(/^172\.16\./)
   def add_trusted_proxy(proxy)
+    ensure_not_frozen!
     @security_config.add_trusted_proxy(proxy)
   end
@@ -248,6 +246,7 @@ class Otto
   #     'strict-transport-security' => 'max-age=31536000'
   #   })
   def set_security_headers(headers)
+    ensure_not_frozen!
     @security_config.security_headers.merge!(headers)
   end
@@ -260,6 +259,7 @@ class Otto
   # @example
   #   otto.enable_hsts!(max_age: 86400, include_subdomains: false)
   def enable_hsts!(max_age: 31_536_000, include_subdomains: true)
+    ensure_not_frozen!
     @security_config.enable_hsts!(max_age: max_age, include_subdomains: include_subdomains)
   end
@@ -270,6 +270,7 @@ class Otto
   # @example
   #   otto.enable_csp!("default-src 'self'; script-src 'self' 'unsafe-inline'")
   def enable_csp!(policy = "default-src 'self'")
+    ensure_not_frozen!
     @security_config.enable_csp!(policy)
   end
@@ -279,6 +280,7 @@ class Otto
   # @example
   #   otto.enable_frame_protection!('DENY')
   def enable_frame_protection!(option = 'SAMEORIGIN')
+    ensure_not_frozen!
     @security_config.enable_frame_protection!(option)
   end
@@ -289,20 +291,10 @@ class Otto
   # @example
   #   otto.enable_csp_with_nonce!(debug: true)
   def enable_csp_with_nonce!(debug: false)
+    ensure_not_frozen!
     @security_config.enable_csp_with_nonce!(debug: debug)
   end
-  # Enable authentication middleware for route-level access control.
-  # This will automatically check route auth parameters and enforce authentication.
-  #
-  # @example
-  #   otto.enable_authentication!
-  def enable_authentication!
-    return if @middleware.includes?(Otto::Security::Authentication::AuthenticationMiddleware)
-    use Otto::Security::Authentication::AuthenticationMiddleware, @auth_config
-  end
   # Add a single authentication strategy
   #
   # @param name [String] Strategy name
@@ -310,12 +302,83 @@ class Otto
   # @example
   #   otto.add_auth_strategy('custom', MyCustomStrategy.new)
   def add_auth_strategy(name, strategy)
+    ensure_not_frozen!
     # Ensure auth_config is initialized (handles edge case where it might be nil)
-    @auth_config = { auth_strategies: {}, default_auth_strategy: 'publicly' } if @auth_config.nil?
+    @auth_config = { auth_strategies: {}, default_auth_strategy: 'noauth' } if @auth_config.nil?
     @auth_config[:auth_strategies][name] = strategy
+  end
-    enable_authentication!
+  # Disable IP privacy to access original IP addresses
+  #
+  # IMPORTANT: By default, Otto masks public IP addresses for privacy.
+  # Private/localhost IPs (127.0.0.0/8, 10.0.0.0/8, etc.) are never masked.
+  # Only disable this if you need access to original public IPs.
+  #
+  # When disabled:
+  # - env['REMOTE_ADDR'] contains the real IP address
+  # - env['otto.original_ip'] also contains the real IP
+  # - No PrivateFingerprint is created
+  #
+  # @example
+  #   otto.disable_ip_privacy!
+  def disable_ip_privacy!
+    ensure_not_frozen!
+    @security_config.ip_privacy_config.disable!
+  end
+  # Enable full IP privacy (mask ALL IPs including private/localhost)
+  #
+  # By default, Otto exempts private and localhost IPs from masking for
+  # better development experience. Call this method to mask ALL IPs
+  # regardless of type.
+  #
+  # @example Enable full privacy (mask all IPs)
+  #   otto = Otto.new(routes_file)
+  #   otto.enable_full_ip_privacy!
+  #   # Now 127.0.0.1 → 127.0.0.0, 192.168.1.100 → 192.168.1.0
+  #
+  # @return [void]
+  # @raise [FrozenError] if called after configuration is frozen
+  def enable_full_ip_privacy!
+    ensure_not_frozen!
+    @security_config.ip_privacy_config.mask_private_ips = true
+  end
+  # Configure IP privacy settings
+  #
+  # Privacy is enabled by default. Use this method to customize privacy
+  # behavior without disabling it entirely.
+  #
+  # @param octet_precision [Integer] Number of octets to mask (1 or 2, default: 1)
+  # @param hash_rotation [Integer] Seconds between key rotation (default: 86400)
+  # @param geo [Boolean] Enable geo-location resolution (default: true)
+  # @param redis [Redis] Redis connection for multi-server atomic key generation
+  #
+  # @example Mask 2 octets instead of 1
+  #   otto.configure_ip_privacy(octet_precision: 2)
+  #
+  # @example Disable geo-location
+  #   otto.configure_ip_privacy(geo: false)
+  #
+  # @example Custom hash rotation
+  #   otto.configure_ip_privacy(hash_rotation: 24.hours)
+  #
+  # @example Multi-server with Redis
+  #   redis = Redis.new(url: ENV['REDIS_URL'])
+  #   otto.configure_ip_privacy(redis: redis)
+  def configure_ip_privacy(octet_precision: nil, hash_rotation: nil, geo: nil, redis: nil)
+    ensure_not_frozen!
+    config = @security_config.ip_privacy_config
+    config.octet_precision = octet_precision if octet_precision
+    config.hash_rotation_period = hash_rotation if hash_rotation
+    config.geo_enabled = geo unless geo.nil?
+    config.instance_variable_set(:@redis, redis) if redis
+    # Validate configuration
+    config.validate!
   end
   # Enable MCP (Model Context Protocol) server support
@@ -327,6 +390,7 @@ class Otto
   # @example
   #   otto.enable_mcp!(http: true, endpoint: '/api/mcp')
   def enable_mcp!(options = {})
+    ensure_not_frozen!
     @mcp_server ||= Otto::MCP::Server.new(self)
     @mcp_server.enable!(options)
@@ -349,8 +413,16 @@ class Otto
     @security_config   = Otto::Security::Config.new
     @middleware        = Otto::Core::MiddlewareStack.new
     # Initialize @auth_config first so it can be shared with the configurator
-    @auth_config       = { auth_strategies: {}, default_auth_strategy: 'publicly' }
+    @auth_config       = { auth_strategies: {}, default_auth_strategy: 'noauth' }
     @security          = Otto::Security::Configurator.new(@security_config, @middleware, @auth_config)
+    @app               = nil  # Pre-built middleware app (built after initialization)
+    # Add IP Privacy middleware first in stack (privacy by default for public IPs)
+    # Private/localhost IPs are automatically exempted from masking
+    @middleware.add_with_position(
+      Otto::Security::Middleware::IPPrivacyMiddleware,
+      position: :first
+    )
   end
   def initialize_options(_path, opts)
@@ -376,7 +448,7 @@ class Otto
   end
   class << self
-    attr_accessor :debug, :logger, :global_config # rubocop:disable ThreadSafety/ClassAndModuleAttributes
+    attr_accessor :debug, :logger # rubocop:disable ThreadSafety/ClassAndModuleAttributes
   end
   # Class methods for Otto framework providing singleton access and configuration
@@ -401,6 +473,28 @@ class Otto
     def env? *guesses
       !guesses.flatten.select { |n| ENV['RACK_ENV'].to_s == n.to_s }.empty?
     end
+    # Test-only method to unfreeze Otto configuration
+    #
+    # This method resets the @configuration_frozen flag, allowing tests
+    # to bypass the ensure_not_frozen! check. It does NOT actually unfreeze
+    # Ruby objects (which is impossible once frozen).
+    #
+    # IMPORTANT: Only works when RSpec is defined. Raises an error otherwise
+    # to prevent accidental use in production.
+    #
+    # @param otto [Otto] The Otto instance to unfreeze
+    # @return [Otto] The unfrozen Otto instance
+    # @raise [RuntimeError] if RSpec is not defined (not in test environment)
+    # @api private
+    def unfreeze_for_testing(otto)
+      unless defined?(RSpec)
+        raise 'Otto.unfreeze_for_testing is only available in RSpec test environment'
+      end
+      otto.instance_variable_set(:@configuration_frozen, false)
+      otto
+    end
   end
   extend ClassMethods
 end

data/otto.gemspec CHANGED Viewed

@@ -16,6 +16,11 @@ Gem::Specification.new do |spec|
   spec.required_ruby_version = ['>= 3.2', '< 4.0']
+  spec.add_dependency 'ipaddr', '~> 1', '< 2.0'
+  spec.add_dependency 'concurrent-ruby', '~> 1.3', '< 2.0'
+  # Logger is not part of the default gems as of Ruby 3.5.0
+  spec.add_dependency 'logger', '~> 1', '< 2.0'
   spec.add_dependency 'rack', '~> 3.1', '< 4.0'
   spec.add_dependency 'rack-parser', '~> 0.7'

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: otto
 version: !ruby/object:Gem::Version
-  version: 2.0.0.pre1
+  version: 2.0.0.pre3
 platform: ruby
 authors:
 - Delano Mandelbaum
@@ -9,6 +9,66 @@ bindir: bin
 cert_chain: []
 date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
+- !ruby/object:Gem::Dependency
+  name: ipaddr
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+- !ruby/object:Gem::Dependency
+  name: concurrent-ruby
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.3'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.3'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+- !ruby/object:Gem::Dependency
+  name: logger
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '2.0'
 - !ruby/object:Gem::Dependency
   name: rack
   requirement: !ruby/object:Gem::Requirement
@@ -106,14 +166,16 @@ files:
 - Gemfile.lock
 - LICENSE.txt
 - README.md
+- benchmark_middleware_wrap.rb
 - bin/rspec
-- changelog.d/20250911_235619_delano_next.rst
-- changelog.d/20250912_123055_delano_remove_ostruct.rst
-- changelog.d/20250912_175625_claude_delano_remove_ostruct.rst
+- changelog.d/20251014_144317_delano_54_thats_a_wrapper.rst
+- changelog.d/20251014_161526_delano_54_thats_a_wrapper.rst
 - changelog.d/README.md
 - changelog.d/scriv.ini
 - docs/.gitignore
+- docs/ipaddr-encoding-quirk.md
 - docs/migrating/v2.0.0-pre1.md
+- docs/migrating/v2.0.0-pre2.md
 - examples/.gitignore
 - examples/advanced_routes/README.md
 - examples/advanced_routes/app.rb
@@ -168,24 +230,35 @@ files:
 - examples/security_features/config.ru
 - examples/security_features/routes
 - lib/otto.rb
+- lib/otto/core.rb
 - lib/otto/core/configuration.rb
 - lib/otto/core/error_handler.rb
 - lib/otto/core/file_safety.rb
+- lib/otto/core/freezable.rb
 - lib/otto/core/middleware_stack.rb
 - lib/otto/core/router.rb
 - lib/otto/core/uri_generator.rb
 - lib/otto/design_system.rb
+- lib/otto/env_keys.rb
+- lib/otto/helpers.rb
 - lib/otto/helpers/base.rb
 - lib/otto/helpers/request.rb
 - lib/otto/helpers/response.rb
 - lib/otto/helpers/validation.rb
+- lib/otto/locale/config.rb
+- lib/otto/mcp.rb
 - lib/otto/mcp/auth/token.rb
 - lib/otto/mcp/protocol.rb
 - lib/otto/mcp/rate_limiting.rb
 - lib/otto/mcp/registry.rb
 - lib/otto/mcp/route_parser.rb
+- lib/otto/mcp/schema_validation.rb
 - lib/otto/mcp/server.rb
-- lib/otto/mcp/validation.rb
+- lib/otto/privacy.rb
+- lib/otto/privacy/config.rb
+- lib/otto/privacy/geo_resolver.rb
+- lib/otto/privacy/ip_privacy.rb
+- lib/otto/privacy/redacted_fingerprint.rb
 - lib/otto/response_handlers.rb
 - lib/otto/response_handlers/auto.rb
 - lib/otto/response_handlers/base.rb
@@ -203,13 +276,14 @@ files:
 - lib/otto/route_handlers/instance_method.rb
 - lib/otto/route_handlers/lambda.rb
 - lib/otto/route_handlers/logic_class.rb
+- lib/otto/security.rb
 - lib/otto/security/authentication.rb
+- lib/otto/security/authentication/auth_failure.rb
 - lib/otto/security/authentication/auth_strategy.rb
-- lib/otto/security/authentication/authentication_middleware.rb
-- lib/otto/security/authentication/failure_result.rb
+- lib/otto/security/authentication/route_auth_wrapper.rb
 - lib/otto/security/authentication/strategies/api_key_strategy.rb
+- lib/otto/security/authentication/strategies/noauth_strategy.rb
 - lib/otto/security/authentication/strategies/permission_strategy.rb
-- lib/otto/security/authentication/strategies/public_strategy.rb
 - lib/otto/security/authentication/strategies/role_strategy.rb
 - lib/otto/security/authentication/strategies/session_strategy.rb
 - lib/otto/security/authentication/strategy_result.rb
@@ -217,6 +291,7 @@ files:
 - lib/otto/security/configurator.rb
 - lib/otto/security/csrf.rb
 - lib/otto/security/middleware/csrf_middleware.rb
+- lib/otto/security/middleware/ip_privacy_middleware.rb
 - lib/otto/security/middleware/rate_limit_middleware.rb
 - lib/otto/security/middleware/validation_middleware.rb
 - lib/otto/security/rate_limiter.rb

data/changelog.d/20250911_235619_delano_next.rst DELETED Viewed

@@ -1,28 +0,0 @@
-Added
------
-- ``Otto::RequestContext`` Data class providing immutable, structured authentication context for Logic classes
-- Helper methods ``authenticated?``, ``has_role?``, ``has_permission?``, ``user_name``, ``session_id`` for cleaner Logic class implementation
-- Factory methods for creating RequestContext from AuthResult or anonymous contexts
-Changed
--------
-- **BREAKING**: Logic class constructor signature changed from ``initialize(session, user, params, locale)`` to ``initialize(context, params, locale)``
-- Logic classes now receive immutable RequestContext instead of separate session/user parameters
-- LogicClassHandler simplified to single arity pattern, removing backward compatibility code
-- Authentication middleware now creates RequestContext instances for all requests
-Documentation
--------------
-- Updated migration guide with comprehensive RequestContext examples and step-by-step conversion instructions
-- Updated Logic class examples in advanced_routes and authentication_strategies to demonstrate new pattern
-- Enhanced documentation with RequestContext API reference and helper method examples
-AI Assistance
--------------
-- RequestContext Data class design developed with AI architectural guidance for immutability and clean API
-- Comprehensive migration of all example Logic classes with AI assistance for consistency and best practices
-- Documentation improvements ensuring clarity of breaking changes and migration path

data/changelog.d/20250912_123055_delano_remove_ostruct.rst DELETED Viewed

@@ -1,21 +0,0 @@
-Changed
--------
-- Replaced `RequestContext` with `StrategyResult` class for better authentication handling
-- Simplified authentication strategy API to return `StrategyResult` or `nil` for success/failure
-- Enhanced route handlers to support JSON request body parsing
-- Updated authentication middleware to use `StrategyResult` throughout
-Added
------
-- Added `StrategyResult` class with improved user model compatibility and cleaner API
-- Added JSON request body parsing support in Logic class handlers
-Removed
--------
-- Removed `RequestContext` class (replaced by `StrategyResult`)
-- Removed `AuthResult` class from authentication system
-- Removed OpenStruct dependency across the framework
-- Removed `ConcurrentCacheStore` example class for an ActiveSupport::Cache::MemoryStore-compatible interface with Rack::Attack

data/changelog.d/20250912_175625_claude_delano_remove_ostruct.rst DELETED Viewed

@@ -1,21 +0,0 @@
-Changed
--------
-- Reorganized Otto security module structure for better maintainability and separation of concerns
-- Moved authentication strategies to ``Otto::Security::Authentication::Strategies`` namespace
-- Moved security middleware to ``Otto::Security::Middleware`` namespace
-- Moved ``StrategyResult`` and ``FailureResult`` to ``Otto::Security::Authentication`` namespace
-Added
------
-- Added new modular directory structure under ``lib/otto/security/``
-- Added backward compatibility aliases to maintain existing API compatibility
-- Added proper namespacing for authentication components and middleware classes
-AI Assistance
--------------
-- Comprehensive security module reorganization with systematic namespace restructuring
-- Automated test validation to ensure backward compatibility during refactoring
-- Intelligent file organization following Ruby conventions and single responsibility principles