otto 1.5.0 → 1.6.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a50c097fe32fba3c0a6d84be84f95f68fffe385675f3fc353681b24f11aefa63
-  data.tar.gz: 9ad3e5c757531c10b1fbd60d304a07aa5ce84915491acb6c36b61656b8b6f6b3
+  metadata.gz: 0acf8247a8132f9e836ba841732a45bf265efbc0cae190c744e323a97229d913
+  data.tar.gz: 05fe0d3c74d9385e470ea45856e0c8cb2b081ff6eea63a83951039bd426219b3
 SHA512:
-  metadata.gz: c1be28acdcec40db91e12c39926a5197326b0c46b5d269187f8cc3114cfbcae6ae025f1fa69c6c8820faa076c2067c3200838a15818291c729df40271cca3b00
-  data.tar.gz: bfa3af6f70fd650464b935b8b30c687b2393b9a687b68837ab21ffcb2ffb710acc1dea85942e043a8307a4b2d6360b4037846e710f2fc43e47a66100dddea807
+  metadata.gz: 1f86dd56ef78a8f892d4e75046f2ac4560e951999773b668dba6a15a270d4f811aa0df56f618c0a8b1ce75af7b76799ca083b0b30788cc5733cc570107233f64
+  data.tar.gz: 6fd7fcc1008ed682dbcc7a4e400a220c55a8f1cd9d3081e7d089e761c14f883d11028ad1b0e279d7ea96c33e2ff4fc6afb0aabf69356d0c42ba8527eb2e4627d

data/.github/workflows/ci.yml

@@ -8,6 +8,12 @@ on:
   pull_request:
 
   workflow_dispatch:
+    inputs:
+      debug_enabled:
+        type: boolean
+        description: "Run the build with tmate debugging enabled (https://github.com/marketplace/actions/debugging-with-tmate)"
+        required: false
+        default: false
 
 permissions:
   contents: read
@@ -17,10 +23,19 @@ jobs:
     timeout-minutes: 10
     runs-on: ubuntu-24.04
     name: "RSpec Tests (Ruby ${{ matrix.ruby }})"
+    continue-on-error: ${{ matrix.experimental }}
     strategy:
-      fail-fast: true
+      fail-fast: false
       matrix:
-        ruby: ["3.2", "3.3", "3.4", "3.5"]
+        include:
+          - ruby: "3.2"
+            experimental: false
+          - ruby: "3.3"
+            experimental: false
+          - ruby: "3.4"
+            experimental: false
+          - ruby: "3.5"
+            experimental: true
 
     steps:
       - uses: actions/checkout@v4
@@ -30,5 +45,29 @@ jobs:
           ruby-version: ${{ matrix.ruby }}
           bundler-cache: true
 
-      - name: Run RSpec tests
-        run: bundle exec rspec
+      - name: Setup tmate session
+        uses: mxschmitt/action-tmate@7b6a61a73bbb9793cb80ad69b8dd8ac19261834c # v3
+        if: ${{ github.event_name == 'workflow_dispatch' && inputs.debug_enabled }}
+        with:
+          detached: true
+
+      - name: Install dependencies
+        continue-on-error: ${{ matrix.experimental }}
+        run: |
+          bundle config path vendor/bundle
+          bundle install --jobs 4 --retry 3 --with test
+
+      - name: Verify setup
+        run: |
+          bundle exec which rspec || echo "rspec not found"
+          bundle list | grep -E "(rspec|rake|test)"
+          ls -la bin/ || echo "No bin directory"
+
+      - name: Run test specs
+        env:
+          REDIS_URL: "redis://127.0.0.1:2121/0"
+        run: |
+          mkdir tmp && bundle exec rspec \
+            --format progress \
+            --format json \
+            --out tmp/rspec_results.json

data/.rubocop.yml

@@ -135,7 +135,7 @@ Style/BlockDelimiters:
   Enabled: true
 
 Naming/PredicateMethod:
-  Enabled: true
+  Enabled: false
   Mode: "conservative"
   AllowedMethods:
     - validate!

data/Gemfile

@@ -1,13 +1,22 @@
+# Gemfile
+
 source 'https://rubygems.org'
 
 gemspec
 
-group :development, :test do
+group :test do
   gem 'rack-test'
   gem 'rspec', '~> 3.12'
 end
 
-group 'development' do
+# bundle config set with 'optional'
+group :development, :test, optional: true do
+  # Keep gems that need to be in both environments
+  gem 'json_schemer'
+  gem 'rack-attack'
+end
+
+group :development do
   gem 'pry-byebug', require: false
   gem 'rubocop', require: false
   gem 'rubocop-performance', require: false
@@ -16,5 +25,5 @@ group 'development' do
   gem 'ruby-lsp', require: false
   gem 'stackprof', require: false
   gem 'syntax_tree', require: false
-  gem 'tryouts', '~> 3.3.1', require: false
+  gem 'tryouts', '~> 3.3.2', require: false
 end

data/Gemfile.lock

@@ -1,7 +1,9 @@
 PATH
   remote: .
   specs:
-    otto (1.5.0)
+    otto (1.6.0)
+      facets (~> 3.1)
+      loofah (~> 2.20)
       ostruct
       rack (~> 3.1, < 4.0)
       rack-parser (~> 0.7)
@@ -11,22 +13,51 @@ GEM
   remote: https://rubygems.org/
   specs:
     ast (2.4.3)
+    bigdecimal (3.2.2)
     byebug (12.0.0)
     coderay (1.1.3)
+    concurrent-ruby (1.3.5)
+    crass (1.0.6)
     date (3.4.1)
     diff-lcs (1.6.2)
     erb (5.0.2)
+    facets (3.1.0)
+    hana (1.3.7)
     io-console (0.8.1)
     irb (1.15.2)
       pp (>= 0.6.0)
       rdoc (>= 4.0.0)
       reline (>= 0.4.2)
     json (2.13.2)
+    json_schemer (2.4.0)
+      bigdecimal
+      hana (~> 1.3)
+      regexp_parser (~> 2.0)
+      simpleidn (~> 0.2)
     language_server-protocol (3.17.0.5)
     lint_roller (1.1.0)
     logger (1.7.0)
+    loofah (2.24.1)
+      crass (~> 1.0.2)
+      nokogiri (>= 1.12.0)
     method_source (1.1.0)
     minitest (5.25.5)
+    nokogiri (1.18.9-aarch64-linux-gnu)
+      racc (~> 1.4)
+    nokogiri (1.18.9-aarch64-linux-musl)
+      racc (~> 1.4)
+    nokogiri (1.18.9-arm-linux-gnu)
+      racc (~> 1.4)
+    nokogiri (1.18.9-arm-linux-musl)
+      racc (~> 1.4)
+    nokogiri (1.18.9-arm64-darwin)
+      racc (~> 1.4)
+    nokogiri (1.18.9-x86_64-darwin)
+      racc (~> 1.4)
+    nokogiri (1.18.9-x86_64-linux-gnu)
+      racc (~> 1.4)
+    nokogiri (1.18.9-x86_64-linux-musl)
+      racc (~> 1.4)
     ostruct (0.6.3)
     parallel (1.27.0)
     parser (3.3.9.0)
@@ -50,6 +81,8 @@ GEM
       stringio
     racc (1.8.1)
     rack (3.2.0)
+    rack-attack (6.7.0)
+      rack (>= 1.0, < 4)
     rack-parser (0.7.0)
       rack
     rack-test (2.2.0)
@@ -60,7 +93,7 @@ GEM
     rdoc (6.14.2)
       erb
       psych (>= 4.0.0)
-    regexp_parser (2.11.0)
+    regexp_parser (2.11.2)
     reline (0.6.2)
       io-console (~> 0.5)
     rexml (3.4.1)
@@ -77,7 +110,7 @@ GEM
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.13.0)
     rspec-support (3.13.4)
-    rubocop (1.79.1)
+    rubocop (1.79.2)
       json (~> 2.3)
       language_server-protocol (~> 3.17.0.2)
       lint_roller (~> 1.1.0)
@@ -107,11 +140,13 @@ GEM
       prism (>= 1.2, < 2.0)
       rbs (>= 3, < 5)
     ruby-progressbar (1.13.0)
+    simpleidn (0.2.3)
     stackprof (0.2.27)
     stringio (3.1.7)
     syntax_tree (6.3.0)
       prettier_print (>= 1.2.0)
-    tryouts (3.3.1)
+    tryouts (3.3.2)
+      concurrent-ruby (~> 1.0)
       irb
       minitest (~> 5.0)
       pastel (~> 0.8)
@@ -127,12 +162,20 @@ GEM
     unicode-emoji (4.0.4)
 
 PLATFORMS
-  arm64-darwin-24
-  ruby
+  aarch64-linux-gnu
+  aarch64-linux-musl
+  arm-linux-gnu
+  arm-linux-musl
+  arm64-darwin
+  x86_64-darwin
+  x86_64-linux-gnu
+  x86_64-linux-musl
 
 DEPENDENCIES
+  json_schemer
   otto!
   pry-byebug
+  rack-attack
   rack-test
   rspec (~> 3.12)
   rubocop
@@ -142,7 +185,7 @@ DEPENDENCIES
   ruby-lsp
   stackprof
   syntax_tree
-  tryouts (~> 3.3.1)
+  tryouts (~> 3.3.2)
 
 BUNDLED WITH
-   2.6.9
+   2.7.1

data/bin/rspec

@@ -0,0 +1,16 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+#
+# This file was generated by Bundler.
+#
+# The application 'rspec' is installed as part of a gem, and
+# this file is here to facilitate running it.
+#
+
+ENV["BUNDLE_GEMFILE"] ||= File.expand_path("../Gemfile", __dir__)
+
+require "rubygems"
+require "bundler/setup"
+
+load Gem.bin_path("rspec-core", "rspec")

data/examples/mcp_demo/app.rb

@@ -0,0 +1,56 @@
+#!/usr/bin/env ruby
+
+# Example Otto application with MCP support
+# This demonstrates Phase 1 & 2 implementation
+
+require_relative '../../lib/otto'
+
+class UserAPI
+  def self.mcp_list_users
+    {
+      users: [
+        { id: 1, name: 'Alice', email: 'alice@example.com' },
+        { id: 2, name: 'Bob', email: 'bob@example.com' }
+      ]
+    }.to_json
+  end
+
+  def self.mcp_create_user(arguments, env)
+    # Tool handler that creates a user
+    name = arguments['name'] || 'Anonymous'
+    email = arguments['email'] || "#{name.downcase}@example.com"
+
+    new_user = {
+      id: rand(1000..9999),
+      name: name,
+      email: email,
+      created_at: Time.now.iso8601
+    }
+
+    "Created user: #{new_user.to_json}"
+  end
+end
+
+# Initialize Otto with MCP support
+otto = Otto.new('routes', {
+  mcp_enabled: true,
+  auth_tokens: ['demo-token-123'],  # Simple token auth
+  requests_per_minute: 10,          # Lower for demo
+  tools_per_minute: 5
+})
+
+# Enable MCP with authentication tokens
+otto.enable_mcp!({
+  auth_tokens: ['demo-token-123', 'another-token-456'],
+  enable_validation: true,
+  enable_rate_limiting: true
+})
+
+puts "Otto MCP Demo Server starting..."
+puts "MCP endpoint: POST /_mcp"
+puts "Auth tokens: demo-token-123, another-token-456"
+puts "Usage: curl -H 'Authorization: Bearer demo-token-123' -H 'Content-Type: application/json' \\"
+puts "       -d '{\"jsonrpc\":\"2.0\",\"method\":\"initialize\",\"id\":1,\"params\":{}}' \\"
+puts "       http://localhost:9292/_mcp"
+
+otto

data/examples/mcp_demo/config.ru

@@ -0,0 +1,68 @@
+#!/usr/bin/env ruby
+
+require_relative '../../lib/otto'
+
+class DemoApp
+  def self.index(req, res)
+    res.body = <<-HTML
+      <h1>Otto MCP Demo</h1>
+      <p>MCP endpoint available at: <code>POST /_mcp</code></p>
+      <p>Auth tokens: <code>demo-token-123</code>, <code>another-token-456</code></p>
+
+      <h2>Test MCP Initialize</h2>
+      <pre>curl -H 'Authorization: Bearer demo-token-123' -H 'Content-Type: application/json' \\
+  -d '{"jsonrpc":"2.0","method":"initialize","id":1,"params":{}}' \\
+  http://localhost:9292/_mcp</pre>
+
+      <h2>List Resources</h2>
+      <pre>curl -H 'Authorization: Bearer demo-token-123' -H 'Content-Type: application/json' \\
+  -d '{"jsonrpc":"2.0","method":"resources/list","id":2}' \\
+  http://localhost:9292/_mcp</pre>
+
+      <h2>List Tools</h2>
+      <pre>curl -H 'Authorization: Bearer demo-token-123' -H 'Content-Type: application/json' \\
+  -d '{"jsonrpc":"2.0","method":"tools/list","id":3}' \\
+  http://localhost:9292/_mcp</pre>
+    HTML
+  end
+
+  def self.health(req, res)
+    res.body = 'OK'
+  end
+end
+
+class UserAPI
+  def self.mcp_list_users
+    {
+      users: [
+        { id: 1, name: 'Alice', email: 'alice@example.com' },
+        { id: 2, name: 'Bob', email: 'bob@example.com' }
+      ]
+    }.to_json
+  end
+
+  def self.mcp_create_user(arguments, env)
+    # Tool handler that creates a user
+    name = arguments['name'] || 'Anonymous'
+    email = arguments['email'] || "#{name.downcase}@example.com"
+
+    new_user = {
+      id: rand(1000..9999),
+      name: name,
+      email: email,
+      created_at: Time.now.iso8601
+    }
+
+    "Created user: #{new_user.to_json}"
+  end
+end
+
+# Initialize Otto with MCP support
+otto = Otto.new('routes', {
+  mcp_enabled: true,
+  auth_tokens: ['demo-token-123', 'another-token-456'],
+  requests_per_minute: 60,
+  tools_per_minute: 20
+})
+
+run otto

data/examples/mcp_demo/routes

@@ -0,0 +1,9 @@
+# Basic HTTP routes
+GET     /           DemoApp.index
+GET     /health     DemoApp.health
+
+# MCP Resources - provide read-only data
+MCP     /users       UserAPI.mcp_list_users
+
+# MCP Tools - provide actions/operations
+TOOL    /create_user UserAPI.mcp_create_user

data/lib/concurrent_cache_store.rb

@@ -0,0 +1,68 @@
+# lib/concurrent_cache_store.rb
+
+require 'concurrent-ruby'
+
+# Thread-safe cache store with TTL support for Rack::Attack
+# Provides ActiveSupport::Cache::MemoryStore-compatible interface
+#
+# Usage:
+#
+#   Rack::Attack.cache.store = ConcurrentCacheStore.new(default_ttl: 300)
+#
+class ConcurrentCacheStore
+ # @param default_ttl [Integer] Default time-to-live in seconds for cache entries
+ def initialize(default_ttl: 300)
+   @store       = Concurrent::Map.new
+   @default_ttl = default_ttl
+ end
+
+ # Retrieves a value from the cache
+ # @param key [String] The cache key
+ # @return [Object, nil] The cached value or nil if expired/missing
+ def read(key)
+   entry = @store[key]
+   return nil unless entry
+
+   if Time.now > entry[:expires_at]
+     @store.delete(key)
+     nil
+   else
+     entry[:value]
+   end
+ end
+
+ # Stores a value in the cache with expiration
+ # @param key [String] The cache key
+ # @param value [Object] The value to store
+ # @param expires_in [Integer] TTL in seconds (optional)
+ # @return [Object] The stored value
+ def write(key, value, expires_in: @default_ttl)
+   @store[key] = {
+     value: value,
+     expires_at: Time.now + expires_in,
+   }
+   value
+ end
+
+ # Atomically increments a numeric value, creating if missing
+ # @param key [String] The cache key
+ # @param amount [Integer] Amount to increment by
+ # @param expires_in [Integer] TTL in seconds for new entries
+ # @return [Integer] The new value after increment
+ def increment(key, amount = 1, expires_in: @default_ttl)
+   @store.compute(key) do |_, entry|
+     if entry && Time.now <= entry[:expires_at]
+       entry[:value] += amount
+       entry
+     else
+       { value: amount, expires_at: Time.now + expires_in }
+     end
+   end[:value]
+ end
+
+ # Removes all entries from the cache
+ # @return [void]
+ def clear
+   @store.clear
+ end
+end

data/lib/otto/helpers/validation.rb

@@ -0,0 +1,83 @@
+# lib/otto/helpers/validation.rb
+
+class Otto
+  module Security
+    module ValidationHelpers
+      def validate_input(input, max_length: 1000, allow_html: false)
+        return input if input.nil?
+
+        input_str = input.to_s
+        return input_str if input_str.empty?
+
+        # Check length
+        if input_str.length > max_length
+          raise Otto::Security::ValidationError, "Input too long (#{input_str.length} > #{max_length})"
+        end
+
+        # Use Loofah for HTML sanitization and validation
+        unless allow_html
+          # Check for script injection first (these should always be rejected)
+          if looks_like_script_injection?(input_str)
+            raise Otto::Security::ValidationError, 'Dangerous content detected'
+          end
+
+          # Use Loofah to sanitize less dangerous HTML content
+          sanitized_input = Loofah.fragment(input_str).scrub!(:whitewash).to_s
+          input_str       = sanitized_input
+        end
+
+        # Always check for SQL injection
+        ValidationMiddleware::SQL_INJECTION_PATTERNS.each do |pattern|
+          if input_str.match?(pattern)
+            raise Otto::Security::ValidationError, 'Potential SQL injection detected'
+          end
+        end
+
+        input_str
+      end
+
+      def sanitize_filename(filename)
+        return nil if filename.nil?
+        return 'file' if filename.empty?
+
+        # Use Facets File.sanitize for basic filesystem-safe filename
+        clean_name = File.sanitize(filename.to_s)
+
+        # Handle edge cases and improve on Facets behavior to match test expectations
+        if clean_name.nil? || clean_name.empty?
+          clean_name = 'file'
+        else
+          # Additional cleanup that Facets doesn't do but our tests expect
+          clean_name = clean_name.gsub(/_{2,}/, '_')        # Collapse multiple underscores
+          clean_name = clean_name.gsub(/^_+|_+$/, '')       # Remove leading/trailing underscores
+          clean_name = 'file' if clean_name.empty?          # Handle case where only underscores remain
+        end
+
+        # Ensure reasonable length (255 is filesystem limit, leave some padding)
+        clean_name = clean_name[0..99] if clean_name.length > 100
+
+        clean_name
+      end
+
+      private
+
+      # Check if content looks like it contains HTML tags or entities
+      def contains_html_like_content?(content)
+        content.match?(/[<>&]/) || content.match?(/&\w+;/)
+      end
+
+      # Detect likely script injection attempts that should be rejected
+      def looks_like_script_injection?(content)
+        dangerous_patterns = [
+          /javascript:/i,
+          /<script[^>]*>/i,
+          /on\w+\s*=/i,  # event handlers like onclick=
+          /expression\s*\(/i,
+          /data:.*base64/i,
+        ]
+
+        dangerous_patterns.any? { |pattern| content.match?(pattern) }
+      end
+    end
+  end
+end

data/lib/otto/mcp/auth/token.rb

@@ -0,0 +1,76 @@
+require 'json'
+
+class Otto
+  module MCP
+    module Auth
+      class TokenAuth
+        def initialize(tokens)
+          @tokens = Array(tokens).to_set
+        end
+
+        def authenticate(env)
+          token = extract_token(env)
+          return false unless token
+
+          @tokens.include?(token)
+        end
+
+        private
+
+        def extract_token(env)
+          # Try Authorization header first (Bearer token)
+          auth_header = env['HTTP_AUTHORIZATION']
+          if auth_header&.start_with?('Bearer ')
+            return auth_header[7..]
+          end
+
+          # Try X-MCP-Token header
+          env['HTTP_X_MCP_TOKEN']
+        end
+      end
+
+      class TokenMiddleware
+        def initialize(app, security_config = nil)
+          @app             = app
+          @security_config = security_config
+        end
+
+        def call(env)
+          # Only apply to MCP endpoints
+          return @app.call(env) unless mcp_endpoint?(env)
+
+          # Get auth instance from security config
+          auth = @security_config&.mcp_auth
+          if auth && !auth.authenticate(env)
+            return unauthorized_response
+          end
+
+          @app.call(env)
+        end
+
+        private
+
+        def mcp_endpoint?(env)
+          endpoint = env['otto.mcp_http_endpoint'] || '/_mcp'
+          path     = env['PATH_INFO'].to_s
+          path.start_with?(endpoint)
+        end
+
+        def unauthorized_response
+          body = JSON.generate({
+            jsonrpc: '2.0',
+            id: nil,
+            error: {
+              code: -32_000,
+              message: 'Unauthorized',
+              data: 'Valid token required',
+            },
+          },
+                              )
+
+          [401, { 'content-type' => 'application/json' }, [body]]
+        end
+      end
+    end
+  end
+end