otto 2.0.0.pre2 → 2.0.0.pre3

data/lib/otto/security/middleware/ip_privacy_middleware.rb

@@ -0,0 +1,211 @@
+# frozen_string_literal: true
+
+class Otto
+  module Security
+    module Middleware
+      # IP Privacy Middleware
+      #
+      # Automatically masks IP addresses for privacy by default. Original IPs
+      # are never stored unless privacy is explicitly disabled.
+      #
+      # This middleware runs FIRST in the stack to ensure all downstream
+      # middleware and application code receives masked IPs by default.
+      #
+      # @example Default behavior (privacy enabled)
+      #   # env['REMOTE_ADDR'] is masked to 192.168.1.0
+      #   # env['otto.redacted_fingerprint'] contains full anonymized data
+      #   # env['otto.original_ip'] is NOT set
+      #
+      # @example Privacy disabled
+      #   otto.disable_ip_privacy!
+      #   # env['REMOTE_ADDR'] contains real IP
+      #   # env['otto.original_ip'] also contains real IP
+      #
+      class IPPrivacyMiddleware
+        # Initialize IP Privacy middleware
+        #
+        # @param app [#call] Rack application
+        # @param security_config [Otto::Security::Config] Security configuration
+        def initialize(app, security_config = nil)
+          @app = app
+          @security_config = security_config
+          @config = security_config&.ip_privacy_config || Otto::Privacy::Config.new
+
+          # Privacy is enabled by default unless explicitly disabled
+          @privacy_enabled = @config.enabled?
+        end
+
+        # Process request with IP privacy
+        #
+        # @param env [Hash] Rack environment
+        # @return [Array] Rack response tuple [status, headers, body]
+        def call(env)
+          if @privacy_enabled
+            apply_privacy(env)
+          else
+            apply_no_privacy(env)
+          end
+
+          @app.call(env)
+        end
+
+        private
+
+        # Apply privacy settings to environment
+        #
+        # @param env [Hash] Rack environment
+        # Apply privacy settings to environment
+        #
+        # @param env [Hash] Rack environment
+        # Apply privacy settings to environment
+        #
+        # @param env [Hash] Rack environment
+        def apply_privacy(env)
+          # Resolve the actual client IP (handling proxies)
+          client_ip = resolve_client_ip(env)
+
+          Otto.logger.debug "[IPPrivacyMiddleware] Resolved client IP: #{client_ip}" if Otto.debug
+
+          # Skip masking for private/localhost IPs unless explicitly configured to mask them
+          # This provides better DX for development while still protecting public IPs
+          unless @config.mask_private_ips
+            if Otto::Privacy::IPPrivacy.private_or_localhost?(client_ip)
+              # Update REMOTE_ADDR to the resolved client IP (even though it's not masked)
+              env['REMOTE_ADDR'] = client_ip
+              env['otto.original_ip'] = client_ip
+              # Don't mask forwarded headers for private IPs
+              Otto.logger.debug "[IPPrivacyMiddleware] Private/localhost IP exempted: #{client_ip}" if Otto.debug
+              return
+            end
+          end
+
+          # Create privacy-safe fingerprint using the resolved client IP
+          # We temporarily set REMOTE_ADDR to the client IP for fingerprint creation
+          original_remote_addr = env['REMOTE_ADDR']
+          env['REMOTE_ADDR'] = client_ip
+          fingerprint = Otto::Privacy::RedactedFingerprint.new(env, @config)
+          env['REMOTE_ADDR'] = original_remote_addr
+
+          # Set privacy-safe values in environment
+          env['otto.redacted_fingerprint'] = fingerprint
+          env['otto.masked_ip'] = fingerprint.masked_ip
+          env['otto.hashed_ip'] = fingerprint.hashed_ip
+          env['otto.geo_country'] = fingerprint.country
+
+          # CRITICAL: Replace REMOTE_ADDR and forwarded headers with masked IP
+          # This ensures downstream code (rate limiting, auth, logging, Rack's request.ip)
+          # automatically uses the masked IP without modification
+          env['REMOTE_ADDR'] = fingerprint.masked_ip
+
+          # Mask X-Forwarded-For headers to prevent leakage
+          # Replace with masked IP so proxy resolution logic finds the masked IP
+          mask_forwarded_headers(env, fingerprint.masked_ip)
+
+          Otto.logger.debug "[IPPrivacyMiddleware] Masked IP: #{fingerprint.masked_ip}" if Otto.debug
+
+          # NOTE: We deliberately DO NOT set env['otto.original_ip']
+          # This prevents accidental leakage of the real IP address
+        end
+
+
+        # Resolve the actual client IP address from the request
+        #
+        # This method handles proxy scenarios by checking X-Forwarded-For and
+        # other proxy headers from trusted proxies, similar to Rack's logic
+        # and Otto's client_ipaddress method.
+        #
+        # @param env [Hash] Rack environment
+        # @return [String] Resolved client IP address
+        def resolve_client_ip(env)
+          remote_addr = env['REMOTE_ADDR']
+
+          # If we don't have a security config, use direct connection
+          return remote_addr unless @security_config
+
+          # If REMOTE_ADDR is not from a trusted proxy, it's the client IP
+          return remote_addr unless trusted_proxy?(remote_addr)
+
+          # REMOTE_ADDR is from a trusted proxy, check forwarded headers
+          forwarded_ips = [
+            env['HTTP_X_FORWARDED_FOR'],
+            env['HTTP_X_REAL_IP'],
+            env['HTTP_X_CLIENT_IP'],
+          ].compact.map { |header| header.split(/,\s*/) }.flatten
+
+          # Return the first valid public IP from forwarded headers
+          forwarded_ips.each do |ip|
+            clean_ip = validate_ip_address(ip.strip)
+            next unless clean_ip
+
+            # Return first IP that's not from a trusted proxy
+            return clean_ip unless trusted_proxy?(clean_ip)
+          end
+
+          # Fallback to remote address if no valid forwarded IPs
+          remote_addr
+        end
+
+        # Mask X-Forwarded-For and related proxy headers
+        #
+        # Replaces forwarded IP headers with the masked IP to prevent leakage
+        # when downstream code (including Rack's request.ip) parses these headers.
+        #
+        # @param env [Hash] Rack environment
+        # @param masked_ip [String] The masked IP to use as replacement
+        def mask_forwarded_headers(env, masked_ip)
+          # Replace X-Forwarded-For with masked IP
+          # This prevents Rack::Request#ip from finding the real IP
+          env['HTTP_X_FORWARDED_FOR'] = masked_ip if env['HTTP_X_FORWARDED_FOR']
+          env['HTTP_X_REAL_IP'] = masked_ip if env['HTTP_X_REAL_IP']
+          env['HTTP_X_CLIENT_IP'] = masked_ip if env['HTTP_X_CLIENT_IP']
+
+          Otto.logger.debug "[IPPrivacyMiddleware] Masked forwarded headers" if Otto.debug
+        end
+
+        # Check if an IP is from a trusted proxy
+        #
+        # @param ip [String] IP address to check
+        # @return [Boolean] true if IP is from a trusted proxy
+        def trusted_proxy?(ip)
+          return false unless @security_config
+
+          @security_config.trusted_proxy?(ip)
+        end
+
+        # Validate and clean IP address
+        #
+        # @param ip [String, nil] IP address to validate
+        # @return [String, nil] Cleaned IP or nil if invalid
+        def validate_ip_address(ip)
+          return nil if ip.nil? || ip.empty?
+
+          # Remove any port number
+          clean_ip = ip.split(':').first
+
+          # Basic IPv4 format validation
+          return nil unless clean_ip.match?(/\A\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\z/)
+
+          # Validate each octet
+          octets = clean_ip.split('.')
+          return nil unless octets.all? { |octet| (0..255).cover?(octet.to_i) }
+
+          clean_ip
+        end
+
+        # Apply no-privacy settings (privacy explicitly disabled)
+        #
+        # When privacy is disabled, original IP is available for
+        # backward compatibility with code that requires it.
+        #
+        # @param env [Hash] Rack environment
+        def apply_no_privacy(env)
+          # Store original IP for explicit access
+          env['otto.original_ip'] = env['REMOTE_ADDR'].dup.force_encoding('UTF-8')
+
+          # env['REMOTE_ADDR'] remains unchanged (real IP)
+          # No fingerprint is created when privacy is disabled
+        end
+      end
+    end
+  end
+end

data/lib/otto/security.rb

@@ -0,0 +1,9 @@
+# lib/otto/security.rb
+
+require_relative 'security/authentication/strategy_result'
+require_relative 'security/config'
+require_relative 'security/configurator'
+require_relative 'security/middleware/csrf_middleware'
+require_relative 'security/middleware/validation_middleware'
+require_relative 'security/middleware/rate_limit_middleware'
+require_relative 'security/middleware/ip_privacy_middleware'

data/lib/otto/version.rb

@@ -3,5 +3,5 @@
 # lib/otto/version.rb
 
 class Otto
-  VERSION = '2.0.0.pre2'
+  VERSION = '2.0.0.pre3'
 end

data/lib/otto.rb

@@ -11,29 +11,19 @@ require 'rack/request'
 require 'rack/response'
 require 'rack/utils'
 
-require_relative 'otto/security/authentication/strategy_result'
 require_relative 'otto/route_definition'
 require_relative 'otto/route'
 require_relative 'otto/static'
-require_relative 'otto/helpers/request'
-require_relative 'otto/helpers/response'
+require_relative 'otto/helpers'
 require_relative 'otto/response_handlers'
 require_relative 'otto/route_handlers'
-require_relative 'otto/version'
-require_relative 'otto/security/config'
-require_relative 'otto/security/middleware/csrf_middleware'
-require_relative 'otto/security/middleware/validation_middleware'
-require_relative 'otto/security/authentication/authentication_middleware'
-require_relative 'otto/security/middleware/rate_limit_middleware'
-require_relative 'otto/mcp/server'
-require_relative 'otto/core/router'
-require_relative 'otto/core/file_safety'
-require_relative 'otto/core/configuration'
-require_relative 'otto/core/error_handler'
-require_relative 'otto/core/uri_generator'
-require_relative 'otto/core/middleware_stack'
-require_relative 'otto/security/configurator'
+require_relative 'otto/locale/config'
+require_relative 'otto/mcp'
+require_relative 'otto/core'
+require_relative 'otto/privacy'
+require_relative 'otto/security'
 require_relative 'otto/utils'
+require_relative 'otto/version'
 
 # Otto is a simple Rack router that allows you to define routes in a file
 # with built-in security features including CSRF protection, input validation,
@@ -56,37 +46,6 @@ require_relative 'otto/utils'
 #   otto.enable_csp!
 #   otto.enable_frame_protection!
 #
-# Configuration Data class to replace OpenStruct
-# Configuration class to replace OpenStruct
-class ConfigData
-  def initialize(**kwargs)
-    @data = kwargs
-  end
-
-  # Dynamic attribute accessors
-  def method_missing(method_name, *args)
-    if method_name.to_s.end_with?('=')
-      # Setter
-      attr_name = method_name.to_s.chomp('=').to_sym
-      @data[attr_name] = args.first
-    elsif @data.key?(method_name)
-      # Getter
-      @data[method_name]
-    else
-      super
-    end
-  end
-
-  def respond_to_missing?(method_name, include_private = false)
-    method_name.to_s.end_with?('=') || @data.key?(method_name) || super
-  end
-
-  # Convert to hash for compatibility
-  def to_h
-    @data.dup
-  end
-end
-
 class Otto
   include Otto::Core::Router
   include Otto::Core::FileSafety
@@ -102,25 +61,11 @@ class Otto
            else
              defined?(Otto::Utils) ? Otto::Utils.yes?(ENV.fetch('OTTO_DEBUG', nil)) : false
            end
-  @logger        = Logger.new($stdout, Logger::INFO)
-  @global_config = nil
-
-  # Global configuration for all Otto instances (Ruby 3.2+ pattern matching)
-  def self.configure
-    config = case @global_config
-             in Hash => h
-               # Transform string keys to symbol keys for ConfigData compatibility
-               symbol_hash = h.transform_keys(&:to_sym)
-               ConfigData.new(**symbol_hash)
-             else
-               ConfigData.new
-             end
-    yield config
-    @global_config = config.to_h
-  end
+  @logger = Logger.new($stdout, Logger::INFO)
 
-  attr_reader :routes, :routes_literal, :routes_static, :route_definitions, :option, :static_route,
-              :security_config, :locale_config, :auth_config, :route_handler_factory, :mcp_server, :security, :middleware
+  attr_reader :routes, :routes_literal, :routes_static, :route_definitions, :option,
+              :static_route, :security_config, :locale_config, :auth_config,
+              :route_handler_factory, :mcp_server, :security, :middleware
   attr_accessor :not_found, :server_error
 
   def initialize(path = nil, opts = {})
@@ -131,27 +76,76 @@ class Otto
     Otto.logger.debug "new Otto: #{opts}" if Otto.debug
     load(path) unless path.nil?
     super()
+
+    # Build the middleware app once after all initialization is complete
+    build_app!
+
+    # Configuration freezing is deferred until first request to support
+    # multi-step initialization (e.g., multi-app architectures).
+    # This allows adding auth strategies, middleware, etc. after Otto.new
+    # but before processing requests.
+    @freeze_mutex = Mutex.new
+    @configuration_frozen = false
   end
   alias options option
 
   # Main Rack application interface
   def call(env)
-    # Apply middleware stack
-    base_app = ->(e) { handle_request(e) }
-
-    # Use the middleware stack as the source of truth
-    app = @middleware.build_app(base_app, @security_config)
+    # Freeze configuration on first request (thread-safe)
+    # Skip in test environment to allow test flexibility
+    unless defined?(RSpec) || @configuration_frozen
+      Otto.logger.debug '[Otto] Lazy freezing check: configuration not yet frozen' if Otto.debug
+
+      @freeze_mutex.synchronize do
+        unless @configuration_frozen
+          Otto.logger.info '[Otto] Freezing configuration on first request (lazy freeze)'
+          freeze_configuration!
+          @configuration_frozen = true
+          Otto.logger.debug '[Otto] Configuration frozen successfully' if Otto.debug
+        end
+      end
+    end
 
     begin
-      app.call(env)
+      # Use pre-built middleware app (built once at initialization)
+      @app.call(env)
     rescue StandardError => e
       handle_error(e, env)
     end
   end
 
+  # Builds the middleware application chain
+  # Called once at initialization and whenever middleware stack changes
+  #
+  # IMPORTANT: If you have routes with auth requirements, you MUST add session
+  # middleware to your middleware stack BEFORE Otto processes requests.
+  #
+  # Session middleware is required for RouteAuthWrapper to correctly persist
+  # session changes during authentication. Common options include:
+  # - Rack::Session::Cookie (requires rack-session gem)
+  # - Rack::Session::Pool
+  # - Rack::Session::Memcache
+  # - Any Rack-compatible session middleware
+  #
+  # Example:
+  #   use Rack::Session::Cookie, secret: ENV['SESSION_SECRET']
+  #   otto = Otto.new('routes.txt')
+  #
+  def build_app!
+    base_app = method(:handle_request)
+    @app = @middleware.wrap(base_app, @security_config)
+  end
+
   # Middleware Management
   def use(middleware, ...)
+    ensure_not_frozen!
     @middleware.add(middleware, ...)
+
+    # NOTE: If build_app! is triggered during a request (via use() or
+    # middleware_stack=), the @app instance variable could be swapped
+    # mid-request in a multi-threaded environment.
+
+    build_app! if @app  # Rebuild app if already initialized
   end
 
   # Compatibility method for existing tests
@@ -163,6 +157,7 @@ class Otto
   def middleware_stack=(stack)
     @middleware.clear!
     Array(stack).each { |middleware| @middleware.add(middleware) }
+    build_app! if @app  # Rebuild app if already initialized
   end
 
   # Compatibility method for middleware detection
@@ -179,6 +174,7 @@ class Otto
   # @example
   #   otto.enable_csrf_protection!
   def enable_csrf_protection!
+    ensure_not_frozen!
     return if @middleware.includes?(Otto::Security::Middleware::CSRFMiddleware)
 
     @security_config.enable_csrf_protection!
@@ -191,6 +187,7 @@ class Otto
   # @example
   #   otto.enable_request_validation!
   def enable_request_validation!
+    ensure_not_frozen!
     return if @middleware.includes?(Otto::Security::Middleware::ValidationMiddleware)
 
     @security_config.input_validation = true
@@ -206,6 +203,7 @@ class Otto
   # @example
   #   otto.enable_rate_limiting!(requests_per_minute: 50)
   def enable_rate_limiting!(options = {})
+    ensure_not_frozen!
     return if @middleware.includes?(Otto::Security::Middleware::RateLimitMiddleware)
 
     @security.configure_rate_limiting(options)
@@ -222,7 +220,7 @@ class Otto
   # @example
   #   otto.add_rate_limit_rule('uploads', limit: 5, period: 300, condition: ->(req) { req.post? && req.path.include?('upload') })
   def add_rate_limit_rule(name, options)
-    @security_config.rate_limiting_config[:custom_rules] ||= {}
+    ensure_not_frozen!
     @security_config.rate_limiting_config[:custom_rules][name.to_s] = options
   end
 
@@ -234,6 +232,7 @@ class Otto
   #   otto.add_trusted_proxy('10.0.0.0/8')
   #   otto.add_trusted_proxy(/^172\.16\./)
   def add_trusted_proxy(proxy)
+    ensure_not_frozen!
     @security_config.add_trusted_proxy(proxy)
   end
 
@@ -247,6 +246,7 @@ class Otto
   #     'strict-transport-security' => 'max-age=31536000'
   #   })
   def set_security_headers(headers)
+    ensure_not_frozen!
     @security_config.security_headers.merge!(headers)
   end
 
@@ -259,6 +259,7 @@ class Otto
   # @example
   #   otto.enable_hsts!(max_age: 86400, include_subdomains: false)
   def enable_hsts!(max_age: 31_536_000, include_subdomains: true)
+    ensure_not_frozen!
     @security_config.enable_hsts!(max_age: max_age, include_subdomains: include_subdomains)
   end
 
@@ -269,6 +270,7 @@ class Otto
   # @example
   #   otto.enable_csp!("default-src 'self'; script-src 'self' 'unsafe-inline'")
   def enable_csp!(policy = "default-src 'self'")
+    ensure_not_frozen!
     @security_config.enable_csp!(policy)
   end
 
@@ -278,6 +280,7 @@ class Otto
   # @example
   #   otto.enable_frame_protection!('DENY')
   def enable_frame_protection!(option = 'SAMEORIGIN')
+    ensure_not_frozen!
     @security_config.enable_frame_protection!(option)
   end
 
@@ -288,20 +291,10 @@ class Otto
   # @example
   #   otto.enable_csp_with_nonce!(debug: true)
   def enable_csp_with_nonce!(debug: false)
+    ensure_not_frozen!
     @security_config.enable_csp_with_nonce!(debug: debug)
   end
 
-  # Enable authentication middleware for route-level access control.
-  # This will automatically check route auth parameters and enforce authentication.
-  #
-  # @example
-  #   otto.enable_authentication!
-  def enable_authentication!
-    return if @middleware.includes?(Otto::Security::Authentication::AuthenticationMiddleware)
-
-    use Otto::Security::Authentication::AuthenticationMiddleware, @auth_config
-  end
-
   # Add a single authentication strategy
   #
   # @param name [String] Strategy name
@@ -309,12 +302,83 @@ class Otto
   # @example
   #   otto.add_auth_strategy('custom', MyCustomStrategy.new)
   def add_auth_strategy(name, strategy)
+    ensure_not_frozen!
     # Ensure auth_config is initialized (handles edge case where it might be nil)
     @auth_config = { auth_strategies: {}, default_auth_strategy: 'noauth' } if @auth_config.nil?
 
     @auth_config[:auth_strategies][name] = strategy
+  end
 
-    enable_authentication!
+  # Disable IP privacy to access original IP addresses
+  #
+  # IMPORTANT: By default, Otto masks public IP addresses for privacy.
+  # Private/localhost IPs (127.0.0.0/8, 10.0.0.0/8, etc.) are never masked.
+  # Only disable this if you need access to original public IPs.
+  #
+  # When disabled:
+  # - env['REMOTE_ADDR'] contains the real IP address
+  # - env['otto.original_ip'] also contains the real IP
+  # - No PrivateFingerprint is created
+  #
+  # @example
+  #   otto.disable_ip_privacy!
+  def disable_ip_privacy!
+    ensure_not_frozen!
+    @security_config.ip_privacy_config.disable!
+  end
+
+
+  # Enable full IP privacy (mask ALL IPs including private/localhost)
+  #
+  # By default, Otto exempts private and localhost IPs from masking for
+  # better development experience. Call this method to mask ALL IPs
+  # regardless of type.
+  #
+  # @example Enable full privacy (mask all IPs)
+  #   otto = Otto.new(routes_file)
+  #   otto.enable_full_ip_privacy!
+  #   # Now 127.0.0.1 → 127.0.0.0, 192.168.1.100 → 192.168.1.0
+  #
+  # @return [void]
+  # @raise [FrozenError] if called after configuration is frozen
+  def enable_full_ip_privacy!
+    ensure_not_frozen!
+    @security_config.ip_privacy_config.mask_private_ips = true
+  end
+
+  # Configure IP privacy settings
+  #
+  # Privacy is enabled by default. Use this method to customize privacy
+  # behavior without disabling it entirely.
+  #
+  # @param octet_precision [Integer] Number of octets to mask (1 or 2, default: 1)
+  # @param hash_rotation [Integer] Seconds between key rotation (default: 86400)
+  # @param geo [Boolean] Enable geo-location resolution (default: true)
+  # @param redis [Redis] Redis connection for multi-server atomic key generation
+  #
+  # @example Mask 2 octets instead of 1
+  #   otto.configure_ip_privacy(octet_precision: 2)
+  #
+  # @example Disable geo-location
+  #   otto.configure_ip_privacy(geo: false)
+  #
+  # @example Custom hash rotation
+  #   otto.configure_ip_privacy(hash_rotation: 24.hours)
+  #
+  # @example Multi-server with Redis
+  #   redis = Redis.new(url: ENV['REDIS_URL'])
+  #   otto.configure_ip_privacy(redis: redis)
+  def configure_ip_privacy(octet_precision: nil, hash_rotation: nil, geo: nil, redis: nil)
+    ensure_not_frozen!
+    config = @security_config.ip_privacy_config
+
+    config.octet_precision = octet_precision if octet_precision
+    config.hash_rotation_period = hash_rotation if hash_rotation
+    config.geo_enabled = geo unless geo.nil?
+    config.instance_variable_set(:@redis, redis) if redis
+
+    # Validate configuration
+    config.validate!
   end
 
   # Enable MCP (Model Context Protocol) server support
@@ -326,6 +390,7 @@ class Otto
   # @example
   #   otto.enable_mcp!(http: true, endpoint: '/api/mcp')
   def enable_mcp!(options = {})
+    ensure_not_frozen!
     @mcp_server ||= Otto::MCP::Server.new(self)
 
     @mcp_server.enable!(options)
@@ -350,6 +415,14 @@ class Otto
     # Initialize @auth_config first so it can be shared with the configurator
     @auth_config       = { auth_strategies: {}, default_auth_strategy: 'noauth' }
     @security          = Otto::Security::Configurator.new(@security_config, @middleware, @auth_config)
+    @app               = nil  # Pre-built middleware app (built after initialization)
+
+    # Add IP Privacy middleware first in stack (privacy by default for public IPs)
+    # Private/localhost IPs are automatically exempted from masking
+    @middleware.add_with_position(
+      Otto::Security::Middleware::IPPrivacyMiddleware,
+      position: :first
+    )
   end
 
   def initialize_options(_path, opts)
@@ -375,7 +448,7 @@ class Otto
   end
 
   class << self
-    attr_accessor :debug, :logger, :global_config # rubocop:disable ThreadSafety/ClassAndModuleAttributes
+    attr_accessor :debug, :logger # rubocop:disable ThreadSafety/ClassAndModuleAttributes
   end
 
   # Class methods for Otto framework providing singleton access and configuration
@@ -400,6 +473,28 @@ class Otto
     def env? *guesses
       !guesses.flatten.select { |n| ENV['RACK_ENV'].to_s == n.to_s }.empty?
     end
+
+    # Test-only method to unfreeze Otto configuration
+    #
+    # This method resets the @configuration_frozen flag, allowing tests
+    # to bypass the ensure_not_frozen! check. It does NOT actually unfreeze
+    # Ruby objects (which is impossible once frozen).
+    #
+    # IMPORTANT: Only works when RSpec is defined. Raises an error otherwise
+    # to prevent accidental use in production.
+    #
+    # @param otto [Otto] The Otto instance to unfreeze
+    # @return [Otto] The unfrozen Otto instance
+    # @raise [RuntimeError] if RSpec is not defined (not in test environment)
+    # @api private
+    def unfreeze_for_testing(otto)
+      unless defined?(RSpec)
+        raise 'Otto.unfreeze_for_testing is only available in RSpec test environment'
+      end
+
+      otto.instance_variable_set(:@configuration_frozen, false)
+      otto
+    end
   end
   extend ClassMethods
 end

data/otto.gemspec

@@ -16,6 +16,9 @@ Gem::Specification.new do |spec|
 
   spec.required_ruby_version = ['>= 3.2', '< 4.0']
 
+  spec.add_dependency 'ipaddr', '~> 1', '< 2.0'
+  spec.add_dependency 'concurrent-ruby', '~> 1.3', '< 2.0'
+
   # Logger is not part of the default gems as of Ruby 3.5.0
   spec.add_dependency 'logger', '~> 1', '< 2.0'