otto 2.0.0.pre3 → 2.0.0.pre8

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: abc8be5b60ac2a33d84dd0b89aec0e30797d36a995fdc26db7d9d2e65b28553f
-  data.tar.gz: 003a6c148c47011bbdc185c0035d9788f319b34eaa4bd2067cf06199749abf46
+  metadata.gz: b094c2fc179b84631bf53b1e4b7f3cbcd661f83e1f8a88ab6c1f22d3e8b11cbd
+  data.tar.gz: 70a7588c86b8b3f31968b577a298f05c09cad5ef5d9fcf028f0feece2963e8fb
 SHA512:
-  metadata.gz: 0b27bf0132a8648a0b7ba14c33e1c1553196447a34a826463572c2fb005c644cdcbadd9987b1b71787c41cc70332771034ac52bda39e76aaa2947c0b73138470
-  data.tar.gz: c45a50e6420a3a6a072abdbb03177228132359cc52193fdcbac230ea0b6f6aac8c86613190d4cb6be192125db6999510467a3a4a5abe0f1fee46e07e202448aa
+  metadata.gz: c9e8f2f46cf51bc0799dd6030e52a48c1665b9978efb8bc686977be722e61b3c553f17db91d9fd795447b5b4882ac95af404a71e14f9b65d3935a992ecb768f1
+  data.tar.gz: d0c6f98edf2f468297dcb19bb9743b1a2858f2497cf40d2fc4332550a883542f2b7e1a1de8ac4b9f9d352b40c53e974d6c99aecee2679abc6b38868c02ae5bd6

data/.github/workflows/ci.yml

@@ -45,7 +45,7 @@ jobs:
           bundler-cache: ${{ !matrix.experimental }}
 
       - name: Setup tmate session
-        uses: mxschmitt/action-tmate@7b6a61a73bbb9793cb80ad69b8dd8ac19261834c # v3
+        uses: mxschmitt/action-tmate@c0afd6f790e3a5564914980036ebf83216678101 # v3
         if: ${{ github.event_name == 'workflow_dispatch' && inputs.debug_enabled }}
         with:
           detached: true

data/.github/workflows/claude-code-review.yml

@@ -54,7 +54,7 @@ jobs:
       - name: Remove claude-review label
         # Remove label whether success or failure - prevents getting stuck
         if: always() && github.event.action != 'opened'
-        uses: actions/github-script@v7
+        uses: actions/github-script@v8
         with:
           script: |
             try {

data/.github/workflows/code-smells.yml

@@ -0,0 +1,143 @@
+# .github/workflows/code-smells.yml
+---
+name: Code Smells
+
+on:
+  pull_request:
+    branches: [main]
+  push:
+    branches: [main]
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  pull-requests: write # Needed to post comments on PRs
+
+jobs:
+  reek-analysis:
+    name: Reek Code Analysis
+    runs-on: ubuntu-24.04
+    timeout-minutes: 5
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v5
+
+      - name: Set up Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: 3.4
+
+      - name: Install dependencies with optional groups
+        run: |
+          bundle config set --local path 'vendor/bundle'
+          bundle config set --local with 'development test'
+          bundle install --jobs 4 --retry 3
+
+      - name: Run Reek analysis
+        run: |
+          echo "=== Running Reek code analysis ==="
+          echo "This analysis identifies code smells and potential improvements."
+          echo "Results are informational and won't fail the build."
+          echo ""
+
+          # Run reek and capture output (don't fail on warnings)
+          # Use success-exit-code to prevent failures from stopping the analysis
+          bundle exec reek --format=text --success-exit-code 0 --failure-exit-code 0 || true
+
+          echo ""
+          echo "=== Reek analysis complete ==="
+        continue-on-error: true # Don't fail the build on code smells
+
+      - name: Generate Reek report
+        run: |
+          echo "=== Generating detailed Reek report ==="
+
+          # Generate JSON report for potential future processing
+          bundle exec reek --format=json --success-exit-code 0 --failure-exit-code 0 > reek-report.json || true
+
+          # If no JSON was generated, create an empty valid JSON array
+          if [ ! -s reek-report.json ]; then
+            echo "[]" > reek-report.json
+            echo "No code smells detected - created empty report"
+          else
+            echo "Reek JSON report generated: $(wc -l < reek-report.json) lines"
+            echo "Top code smell types found:"
+            jq -r '.[].smells[].smell_type' reek-report.json 2>/dev/null | sort | uniq -c | sort -rn | head -10 || echo "Unable to parse JSON report"
+          fi
+
+          # Also generate a human-readable HTML report for easier viewing
+          bundle exec reek --format=html --success-exit-code 0 --failure-exit-code 0 > reek-report.html || echo "<!-- No code smells detected -->" > reek-report.html
+        continue-on-error: true
+
+      - name: Upload Reek report as artifact
+        uses: actions/upload-artifact@v5
+        if: always()
+        with:
+          name: reek-report
+          path: |
+            reek-report.json
+            reek-report.html
+          if-no-files-found: ignore
+          retention-days: 30
+
+  additional-checks:
+    name: Additional Quality Checks
+    runs-on: ubuntu-24.04
+    timeout-minutes: 5
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v5
+
+      - name: Set up Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: 3.4
+          bundler-cache: true
+
+      - name: Configure Bundler for secure gem installation
+        run: |
+          bundle config set --local path 'vendor/bundle'
+          bundle config set --local deployment 'false'
+
+      - name: Install dependencies
+        run: bundle install --jobs 4 --retry 3
+
+      - name: Check for TODO/FIXME comments
+        run: |
+          echo "=== Scanning for TODO/FIXME comments ==="
+          echo "This helps track technical debt and action items."
+          echo ""
+
+          # Find TODO/FIXME comments (excluding vendor and tmp directories)
+          find . -name "*.rb" -not -path "./vendor/*" -not -path "./tmp/*" | \
+            xargs grep -Hn -i -E "(TODO|FIXME|HACK|XXX|NOTE):" 2>/dev/null | \
+            head -20 || echo "No TODO/FIXME comments found"
+        continue-on-error: true
+
+      - name: Check Ruby file syntax
+        run: |
+          echo "=== Checking Ruby syntax ==="
+          echo "Validates that all Ruby files have correct syntax."
+          echo ""
+
+          find . -name "*.rb" -not -path "./vendor/*" -not -path "./tmp/*" | \
+            while read -r file; do
+              if ! ruby -c "$file" > /dev/null 2>&1; then
+                echo "Syntax error in: $file"
+                ruby -c "$file"
+              fi
+            done
+        continue-on-error: true
+
+      - name: Check for long lines
+        run: |
+          echo "=== Checking for long lines (>120 characters) ==="
+          echo "Identifies potentially hard-to-read code lines."
+          echo ""
+
+          find . -name "*.rb" -not -path "./vendor/*" -not -path "./tmp/*" | \
+            xargs grep -Hn "^.\{121,\}$" | \
+            head -10 || echo "No overly long lines found"
+        continue-on-error: true

data/.gitignore

@@ -11,8 +11,12 @@
 .*.json
 !LICENSE.txt
 !spec/fixtures/*.txt
+!examples/**/*.md
+!README.md
+!CLAUDE.md
 .ruby-version
 appendonlydir
+data/
 etc/config
 log
 tmp

data/.pre-commit-config.yaml

@@ -96,12 +96,12 @@ repos:
 
   # Commit message issue tracking integration
   - repo: https://github.com/avilaton/add-msg-issue-prefix-hook
-    rev: v0.0.12
+    rev: v0.0.13
     hooks:
       - id: add-msg-issue-prefix
         stages: [prepare-commit-msg]
         description: Automatically prefix commits with issue numbers
         args:
           - "--default="
-          - '--pattern=(?:i18n(?=\/)|[a-zA-Z0-9]{0,10}-?[0-9]{1,5})'
+          - "--pattern=(i18n(?=/)|([a-zA-Z0-9]{0,10}-?[0-9]{1,5}))"
           - "--template=[#{}]"

data/.reek.yml

@@ -0,0 +1,99 @@
+# .reek.yml
+#
+# Reek configuration for Otto
+#
+# Basic commands:
+#   bundle exec reek                           # Analyze all Ruby files
+#   bundle exec reek lib/                      # Analyze specific directory
+#   bundle exec reek lib/otto.rb               # Analyze specific file
+#   bundle exec reek --help                    # Show all options
+#   bundle exec reek --docs                    # Open documentation
+#
+# Advanced usage:
+#   bundle exec reek --format=html > report.html     # Generate HTML report
+#   bundle exec reek --format=json                   # JSON output for CI
+#   bundle exec reek --config .reek.yml              # Use specific config
+#   bundle exec reek --show-docs IrresponsibleModule # Explain specific smell
+#   bundle exec reek --failure-exit-code 1           # Exit with error on smells (for CI)
+
+---
+detectors:
+  # Disable some detectors for initial adoption
+  # You can gradually enable these as you clean up the codebase
+
+  # Class/Module Structure
+  IrresponsibleModule:
+    enabled: false # Modules without documentation - start with this disabled
+
+  # Method Complexity
+  TooManyStatements:
+    enabled: true
+    max_statements: 15 # Default is 5, relaxed for initial adoption
+
+  TooManyMethods:
+    enabled: true
+    max_methods: 25 # Default is 15, relaxed for ORMs which often have many methods
+
+  LongParameterList:
+    enabled: true
+    max_params: 4 # Default is 3, slightly relaxed
+
+  # Data Classes and Feature Envy
+  DataClump:
+    enabled: true
+
+  FeatureEnvy:
+    enabled: true
+
+  # Control Structure
+  NestedIterators:
+    enabled: true
+    max_allowed_nesting: 2 # Default is 1, relaxed for data processing
+
+  # Variable and Constant Usage
+  UnusedParameters:
+    enabled: true
+
+  InstanceVariableAssumption:
+    enabled: true
+
+  # Naming
+  UncommunicativeParameterName:
+    enabled: true
+    reject:
+      - "/^.$/" # Single letter names
+      - "/[0-9]$/" # Names ending in numbers
+      - "/^_/" # Names starting with underscore (common Ruby pattern)
+    accept: []
+
+  UncommunicativeVariableName:
+    enabled: true
+    reject:
+      - "/^.$/" # Single letter names
+      - "/[0-9]$/" # Names ending in numbers
+    accept:
+      - e # Exception variable
+      - id # Common identifier
+      - db # Database connection
+      - op # Operation
+      - io # Input/output
+
+  UncommunicativeMethodName:
+    enabled: true
+    reject:
+      - "/^.$/" # Single letter method names
+      - "/[0-9]$/" # Methods ending in numbers
+    accept:
+      - "<<" # Common Ruby operator overload
+
+# Directory and file exclusions
+exclude_paths:
+  - "vendor/**/*.rb"
+  - "tmp/**/*.rb"
+  - "try/**/*.rb" # Test files using tryouts framework
+  - "examples/**/*.rb" # Example code files
+  - "bin/*" # Executable scripts
+  - "*.gemspec" # Gem specification files
+
+# Note: For limiting warnings output, use CLI: bundle exec reek | head -50
+# Note: For failure exit codes, use CLI: bundle exec reek --failure-exit-code 1

data/CHANGELOG.rst

@@ -7,6 +7,161 @@ The format is based on `Keep a Changelog <https://keepachangelog.com/en/1.1.0/>`
 
    <!--scriv-insert-here-->
 
+.. _changelog-2.0.0.pre8:
+
+2.0.0.pre8 — 2025-11-27
+=======================
+
+Fixed
+-----
+
+- Routes declaring ``response=json`` now return 401 JSON errors instead of 302 redirects when authentication fails, regardless of Accept header. The route's explicit configuration takes precedence over content negotiation.
+
+.. _changelog-2.0.0.pre7:
+
+2.0.0.pre7 — 2025-11-24
+=======================
+
+Added
+-----
+
+- Error handler registration system for expected business logic errors. Register handlers with ``otto.register_error_handler(ErrorClass, status: 404, log_level: :info)`` to return proper HTTP status codes and avoid logging expected errors as 500s with backtraces. Supports custom response handlers via blocks for complete control over error responses.
+
+Changed
+-------
+
+- Backtrace logging now always logs at ERROR level (was DEBUG) with sanitized file paths for security. Backtraces for unhandled 500 errors are always logged regardless of ``OTTO_DEBUG`` setting, with paths sanitized to prevent exposing system information (project files show relative paths, gems show ``[GEM] name-version/path``, Ruby stdlib shows ``[RUBY] filename``).
+- Increased backtrace limit from 10 to 20 lines for critical errors to provide better debugging context.
+
+AI Assistance
+-------------
+
+- Implemented error handler registration architecture with comprehensive test coverage (17 test cases) using sequential thinking to work through security implications and design decisions. AI assisted with path sanitization strategy, error classification patterns, and ensuring backward compatibility with existing error handling.
+
+Improved backtrace sanitization security and readability
+--------------------------------------------------------
+
+**Security Enhancements:**
+
+- Fixed bundler gem path detection to correctly sanitize git-based gems
+- Now properly handles nested gem paths like ``/gems/3.4.0/bundler/gems/otto-abc123/``
+- Strips git hash suffixes from bundler gems (``otto-abc123def456`` → ``otto``)
+- Removes version numbers from regular gems (``rack-3.2.4`` → ``rack``)
+- Prevents exposure of absolute paths, usernames, and project names in logs
+
+**Improvements:**
+
+- Bundler gems now show as ``[GEM] otto/lib/otto/route.rb:142`` instead of ``[GEM] 3.4.0/bundler/gems/...``
+- Regular gems show cleaner output: ``[GEM] rack/lib/rack.rb:20`` instead of ``[GEM] rack-3.2.4/lib/rack.rb:20``
+- Multi-hyphenated gem names handled correctly (``active-record-import-1.5.0`` → ``active-record-import``)
+- Better handling of version-only directory names in gem paths
+
+**Documentation:**
+
+- Added comprehensive backtrace sanitization section to CLAUDE.md
+- Documented security guarantees and sanitization rules
+- Added examples showing before/after path transformations
+- Created comprehensive test suite for backtrace sanitization
+
+**Rationale:**
+
+Raw backtraces expose sensitive information:
+- Usernames (``/Users/alice/``, ``/home/admin/``)
+- Project structure and internal organization
+- Gem installation paths and Ruby versions
+- System architecture details
+
+This improvement ensures all backtraces are sanitized automatically, preventing accidental leakage of sensitive system information while maintaining readability for debugging.
+
+.. _changelog-2.0.0.pre6:
+
+2.0.0.pre6
+==========
+
+Changed
+-------
+
+- **BREAKING**: ``Otto.on_request_complete`` is now an instance method instead of a class method. This fixes duplicate callback invocations in multi-app architectures (e.g., Rack::URLMap with multiple Otto instances). Each Otto instance now maintains its own isolated set of callbacks that only fire for requests processed by that specific instance.
+
+  **Migration**: Change ``Otto.on_request_complete { |req, res, dur| ... }`` to ``otto.on_request_complete { |req, res, dur| ... }``
+
+- **Logging**: Eliminated duplicate error logging in route handlers. Previously, errors produced two log lines ("Handler execution failed" + "Unhandled error in request"). Now produces a single comprehensive error log with all context (handler, duration, error_id). Lambda handlers now use centralized error handling for consistency. #86
+
+Fixed
+-----
+
+- Fixed issue #84 where ``on_request_complete`` callbacks would fire N times per request in multi-app architectures, causing duplicate logging and metrics
+- Fixed ``Otto.structured_log`` to respect ``Otto.debug`` flag - debug logs are now properly skipped when ``Otto.debug = false``
+
+AI Assistance
+-------------
+
+- This enhancement was developed with assistance from Claude Code (Opus 4.1)
+
+.. _changelog-2.0.0.pre5:
+
+2.0.0.pre5 — 2025-10-21
+=======================
+
+Added
+-----
+
+- Added ``Otto::LoggingHelpers.log_timed_operation`` for automatic timing and error handling of operations
+- Added ``Otto::LoggingHelpers.log_backtrace`` for consistent backtrace logging with correlation fields
+- Added microsecond-precision timing to configuration freeze process
+- Added unique error ID generation for nested error handler failures (links via ``original_error_id``)
+
+Changed
+-------
+
+- Timing precision standardization: All timing calculations now use microsecond precision instead of milliseconds. This affects authentication duration tracking and request lifecycle timing. Duration values are now reported in microseconds as integers (e.g., ``15200`` instead of ``15.2``).
+- Request completion hooks API improvement: ``Otto.on_request_complete`` callbacks now receive a ``Rack::Response`` object instead of the raw ``[status, headers, body]`` tuple. This provides a more developer-friendly API consistent with ``Rack::Request``, allowing clean access via ``res.status``, ``res.headers``, and ``res.body`` instead of array indexing.
+- All timing now uses microseconds (``Otto::Utils.now_in_μs``) for consistency
+- Configuration freeze process now logs detailed timing metrics
+
+Documentation
+-------------
+
+- Added example application demonstrating three new logging patterns (``examples/logging_improvements.rb``)
+- Documented base context pattern for downstream projects to inject custom correlation fields
+- Added output examples for both structured and standard loggers
+
+AI Assistance
+-------------
+
+- This enhancement was developed with assistance from Claude Code (Opus 4.1)
+
+   .. _changelog-2.0.0.pre4:
+
+
+2.0.0.pre4 — 2025-10-20
+=======================
+Changed
+-------
+- Authentication moved from middleware to RouteAuthWrapper at handler level (executes after routing)
+- RouteAuthWrapper now wraps all routes and provides session persistence, security headers, strategy caching, and pattern matching (exact, prefix, fallback)
+- env['otto.strategy_result'] now guaranteed present on all routes (authenticated or anonymous)
+- Renamed MiddlewareStack#build_app to #wrap (reflects per-request wrapping vs one-time initialization)
+
+Removed
+-------
+- AuthenticationMiddleware (executed before routing)
+- enable_authentication! (RouteAuthWrapper handles auth automatically)
+- Defensive nil fallback from LogicClassHandler (no longer needed)
+
+Fixed
+-----
+- Session persistence: env['rack.session'] now references same object as strategy_result.session
+- Security headers included on all auth failure responses (401/302)
+- Anonymous routes now receive StrategyResult with IP metadata
+
+Documentation
+-------------
+- Updated CLAUDE.md with RouteAuthWrapper architecture
+- Updated env_keys.rb to document strategy_result guarantee
+- Added tests for anonymous route handling
+
+
 .. _changelog-2.0.0.pre2:
 
 2.0.0.pre2 — 2025-10-11
@@ -60,6 +215,7 @@ AI Assistance
 - Comprehensive migration of Logic classes and documentation with AI guidance for consistency
 - Automated test validation and intelligent file organization following Ruby conventions
 
+
 .. _changelog-2.0.0-pre1:
 
 2.0.0-pre1 — 2025-09-10