otto 2.0.0.pre2 → 2.0.0.pre7

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b6215d43a8ce52d332bc046b6d51e8474c243e804bb146381fcd617fa8aebd1f
-  data.tar.gz: 7d73de1613bdd0f2450c2b3e16c8ef0b7020ce417f38b506c70c9b05d414d561
+  metadata.gz: 69a46d80f1fcc3f2472c44554fd7102645226e264befdd23af9871ad4f5fafaf
+  data.tar.gz: 54d8b433d49b549e17d3406aa011b6f4f80c50eefc5a6fa51dde1772fde8b8f2
 SHA512:
-  metadata.gz: 4f04484aadab6fd972ecc261ed7da8291996e1623ae5df198b08550f82afa86e7d651beb7448d75b690b7505ae5d4d8443dd24c2a98bec7bb4621bcbb8b23950
-  data.tar.gz: bdfe655d0f597f92bfacaf89342aa0d026ecf2e89d1975ebc1835b2521a38f3bec8ba57cce94992ab0ac2eae4f01ce0080f849f82d08bb15e3473c8794fa9667
+  metadata.gz: b518140043ad7ab983fb99e85ac9643ca4527385930d77a4b01e2b241b7212854fbc5e8875bc58b17e3d17c66fcfc6455b85587d023ceec13006876bec79a0d9
+  data.tar.gz: f64b842b58acc746ad39d58eac0fb57c245f1db29755f89d259d64bd127db3043034a9e8ada0ee19c04d969ec1bb34b515f5dfc1fcf36c80ceaeb9123ac2de6e

data/.github/workflows/ci.yml

@@ -28,8 +28,6 @@ jobs:
       fail-fast: false
       matrix:
         include:
-          - ruby: "3.2"
-            experimental: false
           - ruby: "3.3"
             experimental: false
           - ruby: "3.4"
@@ -47,7 +45,7 @@ jobs:
           bundler-cache: ${{ !matrix.experimental }}
 
       - name: Setup tmate session
-        uses: mxschmitt/action-tmate@7b6a61a73bbb9793cb80ad69b8dd8ac19261834c # v3
+        uses: mxschmitt/action-tmate@c0afd6f790e3a5564914980036ebf83216678101 # v3
         if: ${{ github.event_name == 'workflow_dispatch' && inputs.debug_enabled }}
         with:
           detached: true

data/.github/workflows/claude-code-review.yml

@@ -2,13 +2,8 @@ name: Claude Code Review
 
 on:
   pull_request:
-    types: [opened, synchronize]
-    # Optional: Only run on specific file changes
-    # paths:
-    #   - "src/**/*.ts"
-    #   - "src/**/*.tsx"
-    #   - "src/**/*.js"
-    #   - "src/**/*.jsx"
+    types: [opened, synchronize, labeled]
+  workflow_dispatch:
 
 jobs:
   claude-review:
@@ -19,6 +14,11 @@ jobs:
     #   github.event.pull_request.author_association == 'FIRST_TIME_CONTRIBUTOR'
 
     runs-on: ubuntu-latest
+    if: |
+      (github.event.action == 'opened') ||
+      (github.event.action == 'labeled' && github.event.label.name == 'claude-review') ||
+      (github.event.action == 'synchronize' && contains(github.event.pull_request.labels.*.name, 'claude-review'))
+
     permissions:
       contents: read
       pull-requests: read
@@ -33,10 +33,12 @@ jobs:
 
       - name: Run Claude Code Review
         id: claude-review
-        uses: anthropics/claude-code-action@v1
+        uses: anthropics/claude-code-action@beta
         with:
           claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
-          prompt: |
+
+          # Direct prompt for automated review (no @claude mention needed)
+          direct_prompt: |
             Please review this pull request and provide feedback on:
             - Code quality and best practices
             - Potential bugs or issues
@@ -46,8 +48,22 @@ jobs:
 
             Use the repository's CLAUDE.md for guidance on style and conventions. Be constructive and helpful in your feedback.
 
-            Use `gh pr comment` with your Bash tool to leave your review as a comment on the PR.
+          # Use sticky comments to reuse the same comment on subsequent pushes to the same PR
+          use_sticky_comment: true
 
-          # See https://github.com/anthropics/claude-code-action/blob/main/docs/usage.md
-          # or https://docs.anthropic.com/en/docs/claude-code/sdk#command-line for available options
-          claude_args: '--allowed-tools "Bash(gh issue view:*),Bash(gh search:*),Bash(gh issue list:*),Bash(gh pr comment:*),Bash(gh pr diff:*),Bash(gh pr view:*),Bash(gh pr list:*)"'
+      - name: Remove claude-review label
+        # Remove label whether success or failure - prevents getting stuck
+        if: always() && github.event.action != 'opened'
+        uses: actions/github-script@v8
+        with:
+          script: |
+            try {
+              await github.rest.issues.removeLabel({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                issue_number: context.issue.number,
+                name: 'claude-review'
+              });
+            } catch (error) {
+              console.log('Label not found or already removed');
+            }

data/.github/workflows/code-smells.yml

@@ -0,0 +1,146 @@
+# .github/workflows/code-smells.yml
+---
+name: Code Smells
+
+on:
+  pull_request:
+    branches: [main]
+  push:
+    branches: [main]
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  pull-requests: write # Needed to post comments on PRs
+
+jobs:
+  reek-analysis:
+    name: Reek Code Analysis
+    runs-on: ubuntu-24.04
+    timeout-minutes: 5
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v5
+
+      - name: Set up Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: 3.4
+          bundler-cache: true
+
+      - name: Configure Bundler for secure gem installation
+        run: |
+          bundle config set --local path 'vendor/bundle'
+          bundle config set --local deployment 'false'
+
+      - name: Install dependencies
+        run: bundle install --jobs 4 --retry 3
+
+      - name: Run Reek analysis
+        run: |
+          echo "=== Running Reek code analysis ==="
+          echo "This analysis identifies code smells and potential improvements."
+          echo "Results are informational and won't fail the build."
+          echo ""
+
+          # Run reek and capture output (don't fail on warnings)
+          # Use success-exit-code to prevent failures from stopping the analysis
+          bundle exec reek --format=text --success-exit-code 0 --failure-exit-code 0 || true
+
+          echo ""
+          echo "=== Reek analysis complete ==="
+        continue-on-error: true # Don't fail the build on code smells
+
+      - name: Generate Reek report
+        run: |
+          echo "=== Generating detailed Reek report ==="
+
+          # Generate JSON report for potential future processing
+          bundle exec reek --format=json --success-exit-code 0 --failure-exit-code 0 > reek-report.json || true
+
+          # If no JSON was generated, create an empty valid JSON array
+          if [ ! -s reek-report.json ]; then
+            echo "[]" > reek-report.json
+            echo "No code smells detected - created empty report"
+          else
+            echo "Reek JSON report generated: $(wc -l < reek-report.json) lines"
+            echo "Top code smell types found:"
+            jq -r '.[].smells[].smell_type' reek-report.json 2>/dev/null | sort | uniq -c | sort -rn | head -10 || echo "Unable to parse JSON report"
+          fi
+
+          # Also generate a human-readable HTML report for easier viewing
+          bundle exec reek --format=html --success-exit-code 0 --failure-exit-code 0 > reek-report.html || echo "<!-- No code smells detected -->" > reek-report.html
+        continue-on-error: true
+
+      - name: Upload Reek report as artifact
+        uses: actions/upload-artifact@v5
+        if: always()
+        with:
+          name: reek-report
+          path: |
+            reek-report.json
+            reek-report.html
+          if-no-files-found: ignore
+          retention-days: 30
+
+  additional-checks:
+    name: Additional Quality Checks
+    runs-on: ubuntu-24.04
+    timeout-minutes: 5
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v5
+
+      - name: Set up Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: 3.4
+          bundler-cache: true
+
+      - name: Configure Bundler for secure gem installation
+        run: |
+          bundle config set --local path 'vendor/bundle'
+          bundle config set --local deployment 'false'
+
+      - name: Install dependencies
+        run: bundle install --jobs 4 --retry 3
+
+      - name: Check for TODO/FIXME comments
+        run: |
+          echo "=== Scanning for TODO/FIXME comments ==="
+          echo "This helps track technical debt and action items."
+          echo ""
+
+          # Find TODO/FIXME comments (excluding vendor and tmp directories)
+          find . -name "*.rb" -not -path "./vendor/*" -not -path "./tmp/*" | \
+            xargs grep -Hn -i -E "(TODO|FIXME|HACK|XXX|NOTE):" 2>/dev/null | \
+            head -20 || echo "No TODO/FIXME comments found"
+        continue-on-error: true
+
+      - name: Check Ruby file syntax
+        run: |
+          echo "=== Checking Ruby syntax ==="
+          echo "Validates that all Ruby files have correct syntax."
+          echo ""
+
+          find . -name "*.rb" -not -path "./vendor/*" -not -path "./tmp/*" | \
+            while read -r file; do
+              if ! ruby -c "$file" > /dev/null 2>&1; then
+                echo "Syntax error in: $file"
+                ruby -c "$file"
+              fi
+            done
+        continue-on-error: true
+
+      - name: Check for long lines
+        run: |
+          echo "=== Checking for long lines (>120 characters) ==="
+          echo "Identifies potentially hard-to-read code lines."
+          echo ""
+
+          find . -name "*.rb" -not -path "./vendor/*" -not -path "./tmp/*" | \
+            xargs grep -Hn "^.\{121,\}$" | \
+            head -10 || echo "No overly long lines found"
+        continue-on-error: true

data/.gitignore

@@ -11,8 +11,12 @@
 .*.json
 !LICENSE.txt
 !spec/fixtures/*.txt
+!examples/**/*.md
+!README.md
+!CLAUDE.md
 .ruby-version
 appendonlydir
+data/
 etc/config
 log
 tmp

data/.pre-commit-config.yaml

@@ -96,12 +96,12 @@ repos:
 
   # Commit message issue tracking integration
   - repo: https://github.com/avilaton/add-msg-issue-prefix-hook
-    rev: v0.0.12
+    rev: v0.0.13
     hooks:
       - id: add-msg-issue-prefix
         stages: [prepare-commit-msg]
         description: Automatically prefix commits with issue numbers
         args:
           - "--default="
-          - '--pattern=(?:i18n(?=\/)|[a-zA-Z0-9]{0,10}-?[0-9]{1,5})'
+          - "--pattern=(i18n(?=/)|([a-zA-Z0-9]{0,10}-?[0-9]{1,5}))"
           - "--template=[#{}]"

data/.reek.yml

@@ -0,0 +1,99 @@
+# .reek.yml
+#
+# Reek configuration for Otto
+#
+# Basic commands:
+#   bundle exec reek                           # Analyze all Ruby files
+#   bundle exec reek lib/                      # Analyze specific directory
+#   bundle exec reek lib/otto.rb               # Analyze specific file
+#   bundle exec reek --help                    # Show all options
+#   bundle exec reek --docs                    # Open documentation
+#
+# Advanced usage:
+#   bundle exec reek --format=html > report.html     # Generate HTML report
+#   bundle exec reek --format=json                   # JSON output for CI
+#   bundle exec reek --config .reek.yml              # Use specific config
+#   bundle exec reek --show-docs IrresponsibleModule # Explain specific smell
+#   bundle exec reek --failure-exit-code 1           # Exit with error on smells (for CI)
+
+---
+detectors:
+  # Disable some detectors for initial adoption
+  # You can gradually enable these as you clean up the codebase
+
+  # Class/Module Structure
+  IrresponsibleModule:
+    enabled: false # Modules without documentation - start with this disabled
+
+  # Method Complexity
+  TooManyStatements:
+    enabled: true
+    max_statements: 15 # Default is 5, relaxed for initial adoption
+
+  TooManyMethods:
+    enabled: true
+    max_methods: 25 # Default is 15, relaxed for ORMs which often have many methods
+
+  LongParameterList:
+    enabled: true
+    max_params: 4 # Default is 3, slightly relaxed
+
+  # Data Classes and Feature Envy
+  DataClump:
+    enabled: true
+
+  FeatureEnvy:
+    enabled: true
+
+  # Control Structure
+  NestedIterators:
+    enabled: true
+    max_allowed_nesting: 2 # Default is 1, relaxed for data processing
+
+  # Variable and Constant Usage
+  UnusedParameters:
+    enabled: true
+
+  InstanceVariableAssumption:
+    enabled: true
+
+  # Naming
+  UncommunicativeParameterName:
+    enabled: true
+    reject:
+      - "/^.$/" # Single letter names
+      - "/[0-9]$/" # Names ending in numbers
+      - "/^_/" # Names starting with underscore (common Ruby pattern)
+    accept: []
+
+  UncommunicativeVariableName:
+    enabled: true
+    reject:
+      - "/^.$/" # Single letter names
+      - "/[0-9]$/" # Names ending in numbers
+    accept:
+      - e # Exception variable
+      - id # Common identifier
+      - db # Database connection
+      - op # Operation
+      - io # Input/output
+
+  UncommunicativeMethodName:
+    enabled: true
+    reject:
+      - "/^.$/" # Single letter method names
+      - "/[0-9]$/" # Methods ending in numbers
+    accept:
+      - "<<" # Common Ruby operator overload
+
+# Directory and file exclusions
+exclude_paths:
+  - "vendor/**/*.rb"
+  - "tmp/**/*.rb"
+  - "try/**/*.rb" # Test files using tryouts framework
+  - "examples/**/*.rb" # Example code files
+  - "bin/*" # Executable scripts
+  - "*.gemspec" # Gem specification files
+
+# Note: For limiting warnings output, use CLI: bundle exec reek | head -50
+# Note: For failure exit codes, use CLI: bundle exec reek --failure-exit-code 1

data/CHANGELOG.rst

@@ -7,6 +7,95 @@ The format is based on `Keep a Changelog <https://keepachangelog.com/en/1.1.0/>`
 
    <!--scriv-insert-here-->
 
+.. _changelog-2.0.0.pre6:
+
+2.0.0.pre6 — TBD
+================
+
+Changed
+-------
+
+- **BREAKING**: ``Otto.on_request_complete`` is now an instance method instead of a class method. This fixes duplicate callback invocations in multi-app architectures (e.g., Rack::URLMap with multiple Otto instances). Each Otto instance now maintains its own isolated set of callbacks that only fire for requests processed by that specific instance.
+
+  **Migration**: Change ``Otto.on_request_complete { |req, res, dur| ... }`` to ``otto.on_request_complete { |req, res, dur| ... }``
+
+- **Logging**: Eliminated duplicate error logging in route handlers. Previously, errors produced two log lines ("Handler execution failed" + "Unhandled error in request"). Now produces a single comprehensive error log with all context (handler, duration, error_id). Lambda handlers now use centralized error handling for consistency. #86
+
+Fixed
+-----
+
+- Fixed issue #84 where ``on_request_complete`` callbacks would fire N times per request in multi-app architectures, causing duplicate logging and metrics
+- Fixed ``Otto.structured_log`` to respect ``Otto.debug`` flag - debug logs are now properly skipped when ``Otto.debug = false``
+
+AI Assistance
+-------------
+
+- This enhancement was developed with assistance from Claude Code (Opus 4.1)
+
+.. _changelog-2.0.0.pre5:
+
+2.0.0.pre5 — 2025-10-21
+=======================
+
+Added
+-----
+
+- Added ``Otto::LoggingHelpers.log_timed_operation`` for automatic timing and error handling of operations
+- Added ``Otto::LoggingHelpers.log_backtrace`` for consistent backtrace logging with correlation fields
+- Added microsecond-precision timing to configuration freeze process
+- Added unique error ID generation for nested error handler failures (links via ``original_error_id``)
+
+Changed
+-------
+
+- Timing precision standardization: All timing calculations now use microsecond precision instead of milliseconds. This affects authentication duration tracking and request lifecycle timing. Duration values are now reported in microseconds as integers (e.g., ``15200`` instead of ``15.2``).
+- Request completion hooks API improvement: ``Otto.on_request_complete`` callbacks now receive a ``Rack::Response`` object instead of the raw ``[status, headers, body]`` tuple. This provides a more developer-friendly API consistent with ``Rack::Request``, allowing clean access via ``res.status``, ``res.headers``, and ``res.body`` instead of array indexing.
+- All timing now uses microseconds (``Otto::Utils.now_in_μs``) for consistency
+- Configuration freeze process now logs detailed timing metrics
+
+Documentation
+-------------
+
+- Added example application demonstrating three new logging patterns (``examples/logging_improvements.rb``)
+- Documented base context pattern for downstream projects to inject custom correlation fields
+- Added output examples for both structured and standard loggers
+
+AI Assistance
+-------------
+
+- This enhancement was developed with assistance from Claude Code (Opus 4.1)
+
+   .. _changelog-2.0.0.pre4:
+
+
+2.0.0.pre4 — 2025-10-20
+=======================
+Changed
+-------
+- Authentication moved from middleware to RouteAuthWrapper at handler level (executes after routing)
+- RouteAuthWrapper now wraps all routes and provides session persistence, security headers, strategy caching, and pattern matching (exact, prefix, fallback)
+- env['otto.strategy_result'] now guaranteed present on all routes (authenticated or anonymous)
+- Renamed MiddlewareStack#build_app to #wrap (reflects per-request wrapping vs one-time initialization)
+
+Removed
+-------
+- AuthenticationMiddleware (executed before routing)
+- enable_authentication! (RouteAuthWrapper handles auth automatically)
+- Defensive nil fallback from LogicClassHandler (no longer needed)
+
+Fixed
+-----
+- Session persistence: env['rack.session'] now references same object as strategy_result.session
+- Security headers included on all auth failure responses (401/302)
+- Anonymous routes now receive StrategyResult with IP metadata
+
+Documentation
+-------------
+- Updated CLAUDE.md with RouteAuthWrapper architecture
+- Updated env_keys.rb to document strategy_result guarantee
+- Added tests for anonymous route handling
+
+
 .. _changelog-2.0.0.pre2:
 
 2.0.0.pre2 — 2025-10-11
@@ -60,6 +149,7 @@ AI Assistance
 - Comprehensive migration of Logic classes and documentation with AI guidance for consistency
 - Automated test validation and intelligent file organization following Ruby conventions
 
+
 .. _changelog-2.0.0-pre1:
 
 2.0.0-pre1 — 2025-09-10

data/CLAUDE.md

@@ -1,56 +1,127 @@
 # CLAUDE.md
 
-This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
+This file provides essential guidance to Claude Code when working with Otto.
+
+## Error Handler Registration
+
+Register handlers for expected business logic errors to avoid logging them as 500 errors:
+
+```ruby
+otto = Otto.new('routes.txt')
+otto.register_error_handler(YourApp::NotFound, status: 404, log_level: :info)
+otto.register_error_handler(YourApp::RateLimited, status: 429, log_level: :warn)
+```
+
+Must be registered before first request (before configuration freezing).
+
+## Authentication Architecture
+
+Authentication is handled by `RouteAuthWrapper` at the handler level, NOT by middleware.
+
+### Basic Configuration
+
+```ruby
+otto.add_auth_strategy('session', SessionStrategy.new)
+otto.add_auth_strategy('apikey', APIKeyStrategy.new)
+```
+
+- Strategy names must be unique
+- Routes with `auth` requirements are automatically wrapped
+- Must be configured before first request
+
+### Multi-Strategy Authentication
+
+Routes support multiple strategies with OR logic:
+
+```ruby
+# Routes file
+GET /api/data  DataLogic#show  auth=session,apikey,oauth
+```
+
+- Strategies execute left-to-right
+- First success wins (remaining strategies skipped)
+- Returns 401 only if all strategies fail
+- Put fastest/most-common strategies first
+
+### Two-Layer Authorization
+
+**Layer 1: Route-Level (RouteAuthWrapper)**
+- Use `auth=` for authentication strategies
+- Use `role=` for role-based access (OR logic: `role=admin,editor`)
+- Fast execution (no database queries)
+- Returns 401 (authentication) or 403 (authorization)
+
+**Layer 2: Resource-Level (Logic classes)**
+- Handled in `raise_concerns` method
+- Checks ownership, relationships, resource attributes
+- Raises `Otto::Security::AuthorizationError` for 403 response
+
+```ruby
+# Route-level
+GET /admin/users  AdminLogic  auth=session role=admin
+
+# Resource-level in Logic class
+def raise_concerns
+  @post = Post.find(params[:id])
+  unless @post.user_id == @context.user_id
+    raise Otto::Security::AuthorizationError, "Cannot edit another user's post"
+  end
+end
+```
+
+## Configuration Freezing
+
+Otto automatically freezes all configuration after first request to prevent runtime security bypasses. Multi-step initialization must complete before first request.
+
+## IP Privacy (Privacy by Default)
+
+Otto automatically masks public IP addresses while preserving private/localhost IPs for development:
+
+- `IPPrivacyMiddleware` runs FIRST in middleware stack
+- Replaces `env` values directly (REMOTE_ADDR, HTTP_USER_AGENT, HTTP_REFERER)
+- Public IPs masked (192.0.2.100 → 192.0.2.0)
+- Private IPs never masked (127.0.0.1, 192.168.x.x, 10.x.x.x)
+- Supports proxy resolution with trusted proxy configuration
+
+For multi-app architectures, add to common middleware stack before logging/monitoring.
+
+## Structured Logging
+
+Use explicit structured logging with timing:
+
+```ruby
+Otto.structured_log(:debug, "Route matched",
+  Otto::LoggingHelpers.request_context(env).merge(
+    type: 'literal',
+    handler: route.definition
+  )
+)
+
+# For timed operations
+Otto::LoggingHelpers.log_timed_operation(:info, "Operation", env, key: value) do
+  perform_operation()
+end
+```
+
+- All timing in microseconds via `Otto::Utils.now_in_μs`
+- Use `request_context(env).merge()` pattern for consistency
+- Avoid abstraction layers or event classes
 
 ## Development Commands
 
-### Setup
 ```bash
-# Install development and test dependencies
-bundle config set with 'development test'
 bundle install
-
-# Lint code
 bundle exec rubocop
-
-# Run tests
 bundle exec rspec
-
-# Run a specific test
-bundle exec rspec spec/path/to/specific_spec.rb
-# rspec settings in .rspec
 ```
 
-## Project Overview
-
-### Core Components
-- Ruby Rack-based web framework for defining web applications
-- Focuses on security and simplicity
-- Supports internationalization and optional security features
-
-### Key Features
-- Plain-text routes configuration
-- Automatic locale detection
-- Optional security features:
-  - CSRF protection
-  - Input validation
-  - Security headers
-  - Trusted proxy configuration
-
-### Test Frameworks
-- RSpec for unit and integration testing
-- Tryouts for behavior-driven testing
-
-### Development Tools
-- Rubocop for linting
-- Debug gem for debugging
-- Tryouts for alternative testing approach
-
-### Ruby Version Requirements
-- Ruby 3.2+
-- Rack 3.1+
-
-### Important Notes
-- Always validate and sanitize user inputs
-- Leverage built-in security features
-- Use locale helpers for internationalization support
+## Key Architecture Principles
+
+- **Security by Default**: IP privacy, configuration freezing, backtrace sanitization
+- **Privacy by Default**: Public IP masking, no original value storage
+- **Explicit over Implicit**: Direct logging calls, clear configuration
+- **Handler-Level Auth**: Not middleware-based authentication
+- **Two-Layer Authorization**: Route-level + resource-level separation
+- **Rack Integration**: Standard Rack patterns and compatibility
+
+See `docs/` directory for comprehensive documentation.

data/Gemfile

@@ -14,6 +14,7 @@ gem 'rackup'
 group :test do
   gem 'rack-test'
   gem 'rspec', '~> 3.13'
+  gem 'user_agent_parser', '~> 2.18' # Validate anonymized UAs preserve semantic info
 end
 
 # bundle config set with 'optional'
@@ -21,16 +22,18 @@ group :development, :test, optional: true do
   # Keep gems that need to be in both environments
   gem 'json_schemer'
   gem 'rack-attack'
+  gem 'reek', '~> 6.5'
 end
 
 group :development do
+  gem 'benchmark'
   gem 'debug'
-  gem 'rubocop', '~> 1.81.1', require: false
+  gem 'rubocop', '~> 1.81.7', require: false
   gem 'rubocop-performance', require: false
   gem 'rubocop-rspec', require: false
   gem 'rubocop-thread_safety', require: false
   gem 'ruby-lsp', require: false
   gem 'stackprof', require: false
   gem 'syntax_tree', require: false
-  gem 'tryouts', '~> 3.6.0', require: false
+  gem 'tryouts', '~> 3.7.1', require: false
 end