otto 2.0.1 → 2.0.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3f3bb450ec316b56ed419765cc0453d9a1b00584a071e77ee03ec14b2deea1f7
-  data.tar.gz: 5a9f16d21067b4ce3287902c4da6342820414d1f8156470e410ed74ad672faef
+  metadata.gz: fabc1e8d6f7eef1d982b1f298fd0fe68382417aedd4b250ded28e5c7ba39a588
+  data.tar.gz: 02f4509daad92151895100c75339d82e3f8b76106dbcaa04b2db34f7b4d39976
 SHA512:
-  metadata.gz: 98313ac7cdf3f6f00fbe2d93422c2f464c45663bb52135c4baeb85a61cd33d90702394ba50284f84099cfce1f6e32bcf6605520fe38434653ded9c762e94ac15
-  data.tar.gz: b81b1c05ea9258f3d57286411f926959562a78daf377e8fad924de83d376e2fd6d8f342bd175b4b0d135b5e57321775d354c1b8bd06a08d13dae011686e4e4ac
+  metadata.gz: 2c5f1958418f70a429bfc2379f7407387ca4a1a6cdd129160ff6bf3e416f33a637c0d14049bd97ab0c7abce02ab5b11eb943aff330b5c1c0425d55c387ff3351
+  data.tar.gz: '08e5ec5c3278adeced0dd3c1cffb7452129a12ad742c381b29a29bd569be4d013a67a660ad111bfe51631672e21d96cf2c0f39c69ab595758aa0e7e1d562ed32'

data/.github/workflows/ci.yml

@@ -22,20 +22,45 @@ jobs:
   test:
     timeout-minutes: 10
     runs-on: ubuntu-24.04
-    name: "RSpec Tests (Ruby ${{ matrix.ruby }})"
+    name: "RSpec Tests (Ruby ${{ matrix.ruby }}, ${{ matrix.lockfile }})"
     continue-on-error: ${{ matrix.experimental }}
     strategy:
       fail-fast: false
       matrix:
+        # Each Ruby runs twice: once against the committed Gemfile.lock
+        # (floor of the declared version range, reproducible) and once
+        # with the lockfile removed so Bundler resolves fresh inside the
+        # gemspec's pessimistic constraints (ceiling, what a downstream
+        # user will actually hit). The unlocked cells catch upstream
+        # releases that satisfy `~> X.Y` but break Otto at load time -
+        # e.g. facets 3.2.0 shipping a self-referential
+        # `require_relative 'file/write.rb'` against a file deleted in
+        # the same release, the reason 2.0.2 exists.
         include:
           - ruby: "3.3"
             experimental: false
+            lockfile: "locked"
           - ruby: "3.4"
             experimental: false
+            lockfile: "locked"
           - ruby: "3.5"
             experimental: true
+            lockfile: "locked"
           - ruby: "4.0"
             experimental: true
+            lockfile: "locked"
+          - ruby: "3.3"
+            experimental: false
+            lockfile: "unlocked"
+          - ruby: "3.4"
+            experimental: false
+            lockfile: "unlocked"
+          - ruby: "3.5"
+            experimental: true
+            lockfile: "unlocked"
+          - ruby: "4.0"
+            experimental: true
+            lockfile: "unlocked"
 
     steps:
       - uses: actions/checkout@v6
@@ -44,7 +69,9 @@ jobs:
         continue-on-error: ${{ matrix.experimental }}
         with:
           ruby-version: ${{ matrix.ruby }}
-          bundler-cache: ${{ !matrix.experimental }}
+          # Bundler cache keys off Gemfile.lock, so only enable it on the
+          # locked matrix cells. Unlocked cells need a fresh resolve each run.
+          bundler-cache: ${{ !matrix.experimental && matrix.lockfile == 'locked' }}
 
       - name: Setup tmate session
         uses: mxschmitt/action-tmate@c0afd6f790e3a5564914980036ebf83216678101 # v3
@@ -56,12 +83,23 @@ jobs:
         continue-on-error: ${{ matrix.experimental }}
         env:
           EXPERIMENTAL: ${{ matrix.experimental }}
+          LOCKFILE: ${{ matrix.lockfile }}
         run: |
           bundle config path vendor/bundle
+          # Enable the optional :development, :test group (json_schemer,
+          # rack-attack) that specs depend on. `bundle install --with` was
+          # removed in Bundler 2.7, which ships with Ruby 4.0.
+          bundle config set --local with 'development test'
           if [ "$EXPERIMENTAL" = "true" ]; then
             bundle config set --local force_ruby_platform true
           fi
-          bundle install --jobs 4 --retry 3 --with test
+          if [ "$LOCKFILE" = "unlocked" ]; then
+            # Drop the committed lockfile so Bundler resolves fresh inside
+            # the gemspec's pessimistic constraints. This surfaces the gap
+            # between "version range we declare" and "version range we test."
+            rm -f Gemfile.lock
+          fi
+          bundle install --jobs 4 --retry 3
 
       - name: Verify setup
         run: |

data/CHANGELOG.rst

@@ -7,6 +7,26 @@ The format is based on `Keep a Changelog <https://keepachangelog.com/en/1.1.0/>`
 
    <!--scriv-insert-here-->
 
+.. _changelog-2.0.2:
+
+2.0.2 — 2026-04-15
+==================
+
+- Load failure under facets 3.2.0. ``Otto::Security::ValidationHelpers`` no
+  longer requires ``facets/file``, whose aggregator in 3.2.0 does
+  ``require_relative 'file/write.rb'`` against a file deleted in the same
+  release. The one function Otto borrowed from facets — ``File.sanitize`` —
+  is now inlined as a private method on the helper module (with credit in
+  the source comment), and the ``facets`` runtime dependency is removed
+  from the gemspec entirely. Applications depending on facets directly are
+  unaffected.
+
+- CI now runs the RSpec suite twice for each Ruby in the matrix: once
+  against the committed ``Gemfile.lock`` and once with the lockfile removed
+  so Bundler resolves fresh inside the gemspec's pessimistic constraints.
+  The unlocked cells catch upstream releases that satisfy ``~> X.Y`` but
+  break Otto at load time.
+
 .. _changelog-2.0.1:
 
 2.0.1 — 2026-04-15

data/Gemfile

@@ -9,8 +9,6 @@ source 'https://rubygems.org'
 
 gemspec
 
-gem 'rackup'
-
 group :test do
   gem 'rack-test'
   gem 'rspec', '~> 3.13'
@@ -28,6 +26,7 @@ end
 group :development do
   gem 'benchmark'
   gem 'debug'
+  gem 'rackup' # Used to boot examples/ apps; not needed by specs
   gem 'rubocop', '~> 1.81.7', require: false
   gem 'rubocop-performance', require: false
   gem 'rubocop-rspec', require: false

data/Gemfile.lock

@@ -1,9 +1,8 @@
 PATH
   remote: .
   specs:
-    otto (2.0.1)
+    otto (2.0.2)
       concurrent-ruby (~> 1.3, < 2.0)
-      facets (~> 3.1)
       ipaddr (~> 1, < 2.0)
       logger (~> 1, < 2.0)
       loofah (~> 2.20)
@@ -54,7 +53,6 @@ GEM
       dry-logic (~> 1.4)
       zeitwerk (~> 2.6)
     erb (5.1.1)
-    facets (3.1.0)
     hana (1.3.7)
     io-console (0.8.1)
     ipaddr (1.2.8)

data/lib/otto/helpers/validation.rb

@@ -3,12 +3,20 @@
 # frozen_string_literal: true
 
 require 'loofah'
-require 'facets/file'
 
 class Otto
   module Security
     # Validation helper methods providing input validation and sanitization
     module ValidationHelpers
+      # Replace filesystem-unsafe characters with an underscore. Borrowed
+      # verbatim from facets 3.1.0's `File.sanitize` (lib/core/facets/file/
+      # sanitize.rb, credit: George Moschovitis) and inlined here so Otto
+      # doesn't take a runtime dep on the whole facets grab-bag for one
+      # 12-line function. See commit message for 2.0.2 for context.
+      FILENAME_SANITIZE_PATTERN = /[^a-zA-Z0-9.\-+_]/
+      FILENAME_DOT_ONLY         = /^\.+$/
+      private_constant :FILENAME_SANITIZE_PATTERN, :FILENAME_DOT_ONLY
+
       def validate_input(input, max_length: 1000, allow_html: false)
         return input if input.nil?
 
@@ -42,20 +50,16 @@ class Otto
         return nil if filename.nil?
         return 'file' if filename.empty?
 
-        # Use Facets File.sanitize for basic filesystem-safe filename
-        clean_name = File.sanitize(filename.to_s)
+        clean_name = basic_filename_sanitize(filename.to_s)
 
-        # Handle edge cases and improve on Facets behavior to match test expectations
         if clean_name.nil? || clean_name.empty?
           clean_name = 'file'
         else
-          # Additional cleanup that Facets doesn't do but our tests expect
-          clean_name = clean_name.gsub(/_{2,}/, '_')        # Collapse multiple underscores
-          clean_name = clean_name.gsub(/^_+|_+$/, '')       # Remove leading/trailing underscores
-          clean_name = 'file' if clean_name.empty?          # Handle case where only underscores remain
+          clean_name = clean_name.gsub(/_{2,}/, '_')
+          clean_name = clean_name.gsub(/^_+|_+$/, '')
+          clean_name = 'file' if clean_name.empty? || clean_name.match?(FILENAME_DOT_ONLY)
         end
 
-        # Ensure reasonable length (255 is filesystem limit, leave some padding)
         clean_name = clean_name[0..99] if clean_name.length > 100
 
         clean_name
@@ -63,6 +67,17 @@ class Otto
 
       private
 
+      # Filesystem-safe basename. Port of facets 3.1.0's `File.sanitize`:
+      # strip directory components (handling backslashes for IE-uploaded
+      # paths), replace anything outside [A-Za-z0-9.\-+_] with '_', and
+      # prefix a leading '_' if the whole name is just dots ('.', '..').
+      def basic_filename_sanitize(filename)
+        name = File.basename(filename.gsub('\\', '/'))
+        name = name.gsub(FILENAME_SANITIZE_PATTERN, '_')
+        name = "_#{name}" if name.match?(FILENAME_DOT_ONLY)
+        name
+      end
+
       # Check if content looks like it contains HTML tags or entities
       def contains_html_like_content?(content)
         content.match?(/[<>&]/) || content.match?(/&\w+;/)

data/lib/otto/version.rb

@@ -3,5 +3,5 @@
 # frozen_string_literal: true
 
 class Otto
-  VERSION = '2.0.1'
+  VERSION = '2.0.2'
 end

data/otto.gemspec

@@ -31,7 +31,6 @@ Gem::Specification.new do |spec|
   spec.add_dependency 'rexml', '~> 3.4'
 
   # Security dependencies
-  spec.add_dependency 'facets', '~> 3.1'
   spec.add_dependency 'loofah', '~> 2.20'
 
   # Optional MCP dependencies

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: otto
 version: !ruby/object:Gem::Version
-  version: 2.0.1
+  version: 2.0.2
 platform: ruby
 authors:
 - Delano Mandelbaum
@@ -117,20 +117,6 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '3.4'
-- !ruby/object:Gem::Dependency
-  name: facets
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '3.1'
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '3.1'
 - !ruby/object:Gem::Dependency
   name: loofah
   requirement: !ruby/object:Gem::Requirement