otto 2.0.0.pre1 → 2.0.0.pre3

data/Gemfile.lock

@@ -1,8 +1,11 @@
 PATH
   remote: .
   specs:
-    otto (2.0.0.pre.pre1)
+    otto (2.0.0.pre3)
+      concurrent-ruby (~> 1.3, < 2.0)
       facets (~> 3.1)
+      ipaddr (~> 1, < 2.0)
+      logger (~> 1, < 2.0)
       loofah (~> 2.20)
       rack (~> 3.1, < 4.0)
       rack-parser (~> 0.7)
@@ -12,6 +15,7 @@ GEM
   remote: https://rubygems.org/
   specs:
     ast (2.4.3)
+    benchmark (0.4.1)
     bigdecimal (3.2.3)
     concurrent-ruby (1.3.5)
     crass (1.0.6)
@@ -20,15 +24,16 @@ GEM
       irb (~> 1.10)
       reline (>= 0.3.8)
     diff-lcs (1.6.2)
-    erb (5.0.2)
+    erb (5.1.1)
     facets (3.1.0)
     hana (1.3.7)
     io-console (0.8.1)
+    ipaddr (1.2.7)
     irb (1.15.2)
       pp (>= 0.6.0)
       rdoc (>= 4.0.0)
       reline (>= 0.4.2)
-    json (2.13.2)
+    json (2.15.1)
     json_schemer (2.4.0)
       bigdecimal
       hana (~> 1.3)
@@ -40,22 +45,22 @@ GEM
     loofah (2.24.1)
       crass (~> 1.0.2)
       nokogiri (>= 1.12.0)
-    minitest (5.25.5)
-    nokogiri (1.18.9-aarch64-linux-gnu)
+    minitest (5.26.0)
+    nokogiri (1.18.10-aarch64-linux-gnu)
       racc (~> 1.4)
-    nokogiri (1.18.9-aarch64-linux-musl)
+    nokogiri (1.18.10-aarch64-linux-musl)
       racc (~> 1.4)
-    nokogiri (1.18.9-arm-linux-gnu)
+    nokogiri (1.18.10-arm-linux-gnu)
       racc (~> 1.4)
-    nokogiri (1.18.9-arm-linux-musl)
+    nokogiri (1.18.10-arm-linux-musl)
       racc (~> 1.4)
-    nokogiri (1.18.9-arm64-darwin)
+    nokogiri (1.18.10-arm64-darwin)
       racc (~> 1.4)
-    nokogiri (1.18.9-x86_64-darwin)
+    nokogiri (1.18.10-x86_64-darwin)
       racc (~> 1.4)
-    nokogiri (1.18.9-x86_64-linux-gnu)
+    nokogiri (1.18.10-x86_64-linux-gnu)
       racc (~> 1.4)
-    nokogiri (1.18.9-x86_64-linux-musl)
+    nokogiri (1.18.10-x86_64-linux-musl)
       racc (~> 1.4)
     parallel (1.27.0)
     parser (3.3.9.0)
@@ -63,16 +68,16 @@ GEM
       racc
     pastel (0.8.0)
       tty-color (~> 0.5)
-    pp (0.6.2)
+    pp (0.6.3)
       prettyprint
     prettier_print (1.2.1)
     prettyprint (0.2.0)
-    prism (1.4.0)
+    prism (1.5.2)
     psych (5.2.6)
       date
       stringio
     racc (1.8.1)
-    rack (3.2.1)
+    rack (3.2.3)
     rack-attack (6.7.0)
       rack (>= 1.0, < 4)
     rack-parser (0.7.0)
@@ -84,13 +89,14 @@ GEM
     rainbow (3.1.1)
     rbs (3.9.5)
       logger
-    rdoc (6.14.2)
+    rdoc (6.15.0)
       erb
       psych (>= 4.0.0)
-    regexp_parser (2.11.2)
+      tsort
+    regexp_parser (2.11.3)
     reline (0.6.2)
       io-console (~> 0.5)
-    rexml (3.4.3)
+    rexml (3.4.4)
     rspec (3.13.1)
       rspec-core (~> 3.13.0)
       rspec-expectations (~> 3.13.0)
@@ -103,8 +109,8 @@ GEM
     rspec-mocks (3.13.5)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.13.0)
-    rspec-support (3.13.5)
-    rubocop (1.80.2)
+    rspec-support (3.13.6)
+    rubocop (1.81.1)
       json (~> 2.3)
       language_server-protocol (~> 3.17.0.2)
       lint_roller (~> 1.1.0)
@@ -112,10 +118,10 @@ GEM
       parser (>= 3.3.0.2)
       rainbow (>= 2.2.2, < 4.0)
       regexp_parser (>= 2.9.3, < 3.0)
-      rubocop-ast (>= 1.46.0, < 2.0)
+      rubocop-ast (>= 1.47.1, < 2.0)
       ruby-progressbar (~> 1.7)
       unicode-display_width (>= 2.4.0, < 4.0)
-    rubocop-ast (1.46.0)
+    rubocop-ast (1.47.1)
       parser (>= 3.3.7.2)
       prism (~> 1.4)
     rubocop-performance (1.26.0)
@@ -139,15 +145,16 @@ GEM
     stringio (3.1.7)
     syntax_tree (6.3.0)
       prettier_print (>= 1.2.0)
-    tryouts (3.6.0)
+    tryouts (3.6.1)
       concurrent-ruby (~> 1.0)
       irb
       minitest (~> 5.0)
       pastel (~> 0.8)
       prism (~> 1.0)
-      rspec (~> 3.0)
+      rspec (>= 3.0, < 5.0)
       tty-cursor (~> 0.7)
       tty-screen (~> 0.8)
+    tsort (0.2.0)
     tty-color (0.6.0)
     tty-cursor (0.7.1)
     tty-screen (0.8.2)
@@ -166,6 +173,7 @@ PLATFORMS
   x86_64-linux-musl
 
 DEPENDENCIES
+  benchmark
   debug
   json_schemer
   otto!
@@ -173,14 +181,14 @@ DEPENDENCIES
   rack-test
   rackup
   rspec (~> 3.13)
-  rubocop
+  rubocop (~> 1.81.1)
   rubocop-performance
   rubocop-rspec
   rubocop-thread_safety
   ruby-lsp
   stackprof
   syntax_tree
-  tryouts (~> 3.6.0)
+  tryouts (~> 3.6.1)
 
 BUNDLED WITH
    2.7.1

data/benchmark_middleware_wrap.rb

@@ -0,0 +1,163 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+# Benchmark to measure real-world Otto performance with actual routes and middleware
+# Usage: ruby benchmark_middleware_wrap.rb
+
+require 'bundler/setup'
+require 'benchmark'
+require 'stringio'
+require 'tempfile'
+
+require_relative 'lib/otto'
+
+REQUEST_COUNT = 50_000
+MIDDLEWARE_COUNT = 40
+
+# Create a temporary routes file
+routes_content = <<~ROUTES
+  GET / TestApp.index
+  GET /users/:id TestApp.show
+  POST /users TestApp.create
+  GET /health TestApp.health
+ROUTES
+
+routes_file = Tempfile.new(['routes', '.txt'])
+routes_file.write(routes_content)
+routes_file.close
+
+# Define test application
+class TestApp
+  def self.index(_env, _params = {})
+    [200, { 'Content-Type' => 'text/html' }, ['Welcome']]
+  end
+
+  def self.show(env, params = {})
+    user_id = params[:id] || env.dig('otto.params', :id) || '123'
+    [200, { 'Content-Type' => 'text/html' }, ["User #{user_id}"]]
+  end
+
+  def self.create(_env, _params = {})
+    [201, { 'Content-Type' => 'application/json' }, ['{"id": 123}']]
+  end
+
+  def self.health(_env, _params = {})
+    [200, { 'Content-Type' => 'text/plain' }, ['OK']]
+  end
+end
+
+# Create real Rack middleware
+class BenchmarkMiddleware
+  def initialize(app, _config = nil)
+    @app = app
+  end
+
+  def call(env)
+    @app.call(env)
+  end
+end
+
+# Create Otto instance with real configuration
+otto = Otto.new(routes_file.path)
+
+# Add real Otto security middleware
+otto.enable_csrf_protection!
+otto.enable_request_validation!
+
+# Add custom middleware to reach target count
+current_count = otto.middleware.size
+(MIDDLEWARE_COUNT - current_count).times do
+  otto.use(Class.new(BenchmarkMiddleware))
+end
+
+# Suppress error logging for benchmark
+Otto.logger.level = Logger::FATAL
+
+puts "\n" + ("=" * 70)
+puts "Otto Performance Benchmark"
+puts ("=" * 70)
+puts "Configuration:"
+puts "  Routes:     #{otto.instance_variable_get(:@route_definitions).size}"
+actual_app = otto.instance_variable_get(:@app)
+puts "  Middleware: #{otto.middleware.size} (#{MIDDLEWARE_COUNT} total in stack, app built: #{!actual_app.nil?})"
+puts "  Requests:   #{REQUEST_COUNT.to_s.reverse.gsub(/(\d{3})(?=\d)/, '\\1,').reverse}"
+puts ("=" * 70)
+
+# Create realistic Rack environments for different routes
+def make_env(method, path)
+  {
+    'REQUEST_METHOD' => method,
+    'PATH_INFO' => path,
+    'QUERY_STRING' => '',
+    'SERVER_NAME' => 'example.com',
+    'SERVER_PORT' => '80',
+    'rack.version' => [1, 3],
+    'rack.url_scheme' => 'http',
+    'rack.input' => StringIO.new,
+    'rack.errors' => StringIO.new,
+    'rack.multithread' => false,
+    'rack.multiprocess' => true,
+    'rack.run_once' => false,
+    'REMOTE_ADDR' => '192.168.1.100',
+    'HTTP_USER_AGENT' => 'Benchmark/1.0',
+    'rack.session' => {}
+  }
+end
+
+# Test different routes
+routes = [
+  ['GET', '/'],
+  ['GET', '/users/123'],
+  ['POST', '/users'],
+  ['GET', '/health']
+]
+
+# Warmup
+puts "\nWarming up (1,000 requests)..."
+1_000.times do |i|
+  method, path = routes[i % routes.size]
+  env = make_env(method, path)
+  otto.call(env)
+end
+
+puts "\n" + ("=" * 70)
+puts "Running benchmark..."
+puts ("=" * 70)
+
+# Benchmark
+result = Benchmark.measure do
+  REQUEST_COUNT.times do |i|
+    method, path = routes[i % routes.size]
+    env = make_env(method, path)
+    otto.call(env)
+  end
+end
+
+total_time = result.real
+per_request = (total_time / REQUEST_COUNT * 1_000_000).round(2)
+requests_per_sec = (REQUEST_COUNT / total_time).round(0)
+
+puts "\nResults:"
+puts ("=" * 70)
+puts "  Total time:        #{(total_time * 1000).round(2)}ms"
+puts "  Time per request:  #{per_request}µs"
+puts "  Requests/sec:      #{requests_per_sec.to_s.reverse.gsub(/(\d{3})(?=\d)/, '\\1,').reverse}"
+puts ("=" * 70)
+
+# Performance analysis
+puts "\nPerformance Analysis:"
+if per_request < 20
+  puts "  ✓ Excellent performance (< 20µs per request)"
+elsif per_request < 50
+  puts "  ✓ Good performance (< 50µs per request)"
+elsif per_request < 100
+  puts "  ~ Acceptable performance (< 100µs per request)"
+else
+  puts "  ⚠ May need optimization (#{per_request}µs per request)"
+end
+
+puts "\nMiddleware overhead: ~#{((per_request - 2.5) / MIDDLEWARE_COUNT).round(3)}µs per middleware"
+puts
+
+# Cleanup
+routes_file.unlink

data/changelog.d/20251014_144317_delano_54_thats_a_wrapper.rst

@@ -0,0 +1,36 @@
+Changed
+-------
+
+- Authentication now handled by RouteAuthWrapper at handler level instead of middleware
+- RouteAuthWrapper enhanced with session persistence, security headers, strategy caching, and sophisticated pattern matching
+- env['otto.strategy_result'] now GUARANTEED to be present on all routes (authenticated or anonymous)
+- RouteAuthWrapper now wraps all route handlers, not just routes with auth requirements
+
+Removed
+-------
+
+- Removed AuthenticationMiddleware (architecturally broken - executed before routing)
+- Removed enable_authentication! (no longer needed - RouteAuthWrapper handles auth automatically)
+- Removed defensive nil fallback from LogicClassHandler (no longer needed)
+
+Fixed
+-----
+
+- Session persistence now works correctly (env['rack.session'] references same object as strategy_result.session)
+- Security headers now included on all authentication failure responses (401/302)
+- Strategy lookups now cached for performance
+- env['otto.strategy_result'] is now guaranteed to be present (anonymous StrategyResult for public routes)
+- Routes without auth requirements now get anonymous StrategyResult with IP metadata
+
+Security
+--------
+
+- Authentication strategies now execute after routing when route_definition is available
+- Supports exact match, prefix match (role:admin), and fallback patterns for strategies
+
+Documentation
+-------------
+
+- Updated CLAUDE.md with RouteAuthWrapper architecture overview
+- Updated env_keys.rb to document guaranteed presence of strategy_result
+- Added comprehensive tests for anonymous route handling

data/changelog.d/20251014_161526_delano_54_thats_a_wrapper.rst

@@ -0,0 +1,5 @@
+Changed
+-------
+
+- Renamed MiddlewareStack#build_app to #wrap to better reflect per-request behavior
+  (wraps base app in middleware layers on each request, not a one-time initialization)

data/docs/.gitignore

@@ -1,3 +1,5 @@
 *
 !.gitignore
 !migrating/
+!migrating/*.md
+!ipaddr-encoding-quirk.md

data/docs/ipaddr-encoding-quirk.md

@@ -0,0 +1,34 @@
+# IPAddr#to_s Encoding Quirk in Ruby 3
+
+Ruby's `IPAddr#to_s` returns inconsistent encodings: IPv4 addresses use US-ASCII, IPv6 addresses use UTF-8.
+
+## Behavior
+
+```ruby
+IPAddr.new('192.168.1.1').to_s.encoding  # => #<Encoding:US-ASCII>
+IPAddr.new('::1').to_s.encoding          # => #<Encoding:UTF-8>
+```
+
+## Cause
+
+Different string construction in IPAddr's `_to_string` method:
+
+- **IPv4**: `Array#join('.')` → US-ASCII optimization
+- **IPv6**: `String#%` → UTF-8 default
+
+## Impact
+
+- Rack expects UTF-8 strings
+- Mixed encodings cause `Encoding::CompatibilityError`
+- String operations fail on encoding mismatches
+
+## Solution
+
+Use `force_encoding('UTF-8')` instead of `encode('UTF-8')`:
+
+- IP addresses contain only ASCII characters
+- ASCII bytes are identical in US-ASCII and UTF-8
+- `force_encoding` changes label only (O(1))
+- `encode` creates new string (O(n))
+
+This ensures consistent UTF-8 encoding across all IP strings.