otto 1.6.0 → 2.0.0.pre1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 0acf8247a8132f9e836ba841732a45bf265efbc0cae190c744e323a97229d913
-  data.tar.gz: 05fe0d3c74d9385e470ea45856e0c8cb2b081ff6eea63a83951039bd426219b3
+  metadata.gz: a3de0a572bb6389f8e3f6b64d3295630c1d2f9872734d5840c5c2e5dc89f1fd4
+  data.tar.gz: 41caaa99c08d5646d576b5c15d4392757e541ae00218dd7a3831d4532ee7a30c
 SHA512:
-  metadata.gz: 1f86dd56ef78a8f892d4e75046f2ac4560e951999773b668dba6a15a270d4f811aa0df56f618c0a8b1ce75af7b76799ca083b0b30788cc5733cc570107233f64
-  data.tar.gz: 6fd7fcc1008ed682dbcc7a4e400a220c55a8f1cd9d3081e7d089e761c14f883d11028ad1b0e279d7ea96c33e2ff4fc6afb0aabf69356d0c42ba8527eb2e4627d
+  metadata.gz: bbef30e2f11091b5b74c7c20aeead0b118b22bd5a52b77cc23c8901f8dcc58f9465748b1d3c46ae1c2cf0a75b7736d07248d9150a6b9fe28ddc02ef23543ca83
+  data.tar.gz: 765a1cc021e278ca5ff484dd55e49695176c8aac998a3374677026857c27643c237088347fd3b04bbae69f4d6eae2ffec089bffbb7019f339c43c85f6e035668

data/.github/workflows/ci.yml

@@ -38,7 +38,7 @@ jobs:
             experimental: true
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - name: Set up Ruby
         uses: ruby/setup-ruby@v1
         with:

data/.github/workflows/claude-code-review.yml

@@ -0,0 +1,53 @@
+name: Claude Code Review
+
+on:
+  pull_request:
+    types: [opened, synchronize]
+    # Optional: Only run on specific file changes
+    # paths:
+    #   - "src/**/*.ts"
+    #   - "src/**/*.tsx"
+    #   - "src/**/*.js"
+    #   - "src/**/*.jsx"
+
+jobs:
+  claude-review:
+    # Optional: Filter by PR author
+    # if: |
+    #   github.event.pull_request.user.login == 'external-contributor' ||
+    #   github.event.pull_request.user.login == 'new-developer' ||
+    #   github.event.pull_request.author_association == 'FIRST_TIME_CONTRIBUTOR'
+
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: read
+      issues: read
+      id-token: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 1
+
+      - name: Run Claude Code Review
+        id: claude-review
+        uses: anthropics/claude-code-action@v1
+        with:
+          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
+          prompt: |
+            Please review this pull request and provide feedback on:
+            - Code quality and best practices
+            - Potential bugs or issues
+            - Performance considerations
+            - Security concerns
+            - Test coverage
+
+            Use the repository's CLAUDE.md for guidance on style and conventions. Be constructive and helpful in your feedback.
+
+            Use `gh pr comment` with your Bash tool to leave your review as a comment on the PR.
+
+          # See https://github.com/anthropics/claude-code-action/blob/main/docs/usage.md
+          # or https://docs.anthropic.com/en/docs/claude-code/sdk#command-line for available options
+          claude_args: '--allowed-tools "Bash(gh issue view:*),Bash(gh search:*),Bash(gh issue list:*),Bash(gh pr comment:*),Bash(gh pr diff:*),Bash(gh pr view:*),Bash(gh pr list:*)"'

data/.github/workflows/claude.yml

@@ -0,0 +1,49 @@
+name: Claude Code
+
+on:
+  issue_comment:
+    types: [created]
+  pull_request_review_comment:
+    types: [created]
+  issues:
+    types: [opened, assigned]
+  pull_request_review:
+    types: [submitted]
+
+jobs:
+  claude:
+    if: |
+      (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
+      (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
+      (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
+      (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: read
+      issues: read
+      id-token: write
+      actions: read # Required for Claude to read CI results on PRs
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 1
+
+      - name: Run Claude Code
+        id: claude
+        uses: anthropics/claude-code-action@v1
+        with:
+          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
+
+          # This is an optional setting that allows Claude to read CI results on PRs
+          additional_permissions: |
+            actions: read
+
+          # Optional: Give a custom prompt to Claude. If this is not specified, Claude will perform the instructions specified in the comment that tagged it.
+          # prompt: 'Update the pull request description to include a summary of changes.'
+
+          # Optional: Add claude_args to customize behavior and configuration
+          # See https://github.com/anthropics/claude-code-action/blob/main/docs/usage.md
+          # or https://docs.anthropic.com/en/docs/claude-code/sdk#command-line for available options
+          # claude_args: '--model claude-opus-4-1-20250805 --allowed-tools Bash(gh pr:*)'

data/.gitignore

@@ -8,6 +8,7 @@
 *.log
 *.md
 *.txt
+.*.json
 !LICENSE.txt
 !spec/fixtures/*.txt
 .ruby-version
@@ -20,3 +21,5 @@ vendor
 .ruby-lsp
 .rspec_status
 .mcp.json
+.claude
+.serena

data/.rubocop.yml

@@ -8,410 +8,89 @@
 # refer to the RuboCop documentation:
 # https://docs.rubocop.org/rubocop/cops.html
 #
-
 plugins:
+  - rubocop-rspec
   - rubocop-performance
   - rubocop-thread_safety
-  - rubocop-rspec
 
 AllCops:
   NewCops: enable
-  DisabledByDefault: false # flip to true for a good autocorrect time
   UseCache: true
   MaxFilesInCache: 100
   TargetRubyVersion: 3.2
   Exclude:
-    - "spec/**/*.rb"
+    - "spec/**/*"
     - "vendor/**/*"
 
-Layout/CaseIndentation:
-  Enabled: true
-  EnforcedStyle: end # case, end
-  IndentOneStep: false
-  IndentationWidth: 2
-
-Layout/CommentIndentation:
-  Enabled: true
-
-Layout/MultilineMethodCallBraceLayout:
-  Enabled: true
-  EnforcedStyle: new_line # symmetrical, new_line, same_line
-
-Layout/TrailingWhitespace:
-  Enabled: true
-
-Layout/SpaceAroundEqualsInParameterDefault:
-  Enabled: true
-
-Layout/SpaceAroundOperators:
-  Enabled: false
-
-# Use parentheses around a logical expression if it makes easier to read.
-Style/RedundantParentheses:
-  Enabled: false
-
-Lint/UnusedMethodArgument:
-  Enabled: true
-
-Lint/UselessAssignment:
-  Enabled: true
-
-Lint/DuplicateBranch:
-  Enabled: true
-  IgnoreLiteralBranches: false
-  IgnoreConstantBranches: false
-  IgnoreDuplicateElseBranch: false
-
-# Offense count: 3
-# Configuration parameters: AllowedMethods, AllowedPatterns.
-Metrics/PerceivedComplexity:
-  Max: 20
-
-# Offense count: 186
-# Configuration parameters: AllowedConstants.
-Style/Documentation:
-  Enabled: false
-
-Style/RescueStandardError:
-  Enabled: true
-  EnforcedStyle: explicit
-
-# When true: Use match? instead of =~ when MatchData is not used. True is preferred but not for autocorrection. Regexs are too picky. Need to manually check every time.
-Performance/RegexpMatch:
-  Enabled: false
-
+#
+# Trailing commas
 Style/TrailingCommaInHashLiteral:
-  Enabled: true
   EnforcedStyleForMultiline: comma
-
-Style/StringLiterals:
-  Enabled: true
-  EnforcedStyle: single_quotes
-
-# The Style/DoubleNegation cop is disabled because double negation provides
-# a concise, idiomatic way to convert values to boolean in Ruby. Alternative
-# approaches like ternary expressions or comparison with nil create unnecessary
-# verbosity without adding clarity. In cases where boolean coercion is the
-# explicit intent, !! clearly communicates this purpose to other Ruby developers.
-Style/DoubleNegation:
-  Enabled: false
-
-# Offense count: non-0
-Style/FormatString:
-  EnforcedStyle: format
   Enabled: true
 
-Style/FormatStringToken:
-  EnforcedStyle: unannotated
-  Enabled: true
-
-Style/RedundantReturn:
-  Enabled: true
-  AllowMultipleReturnValues: false
-
-Style/IfUnlessModifier:
-  Enabled: false
-
-# We prefer `extend self` and `class << self`.
-Style/ModuleFunction:
-  Enabled: true
-  AutoCorrect: false
-  EnforcedStyle: extend_self
-
-# Prefer 3 line if/else over one-liner
-Style/GuardClause:
+Style/TrailingCommaInArrayLiteral:
+  EnforcedStyleForMultiline: comma
   Enabled: true
-  MinBodyLength: 3
-  AllowConsecutiveConditionals: false
 
-Style/SymbolArray:
-  EnforcedStyle: brackets
+Style/TrailingCommaInArguments:
   Enabled: true
 
-Style/StringLiteralsInInterpolation:
+Style/TrailingCommaInBlockArgs:
   Enabled: true
 
-Style/BlockDelimiters:
+Lint/TrailingCommaInAttributeDeclaration:
   Enabled: true
 
-Naming/PredicateMethod:
-  Enabled: false
-  Mode: "conservative"
-  AllowedMethods:
-    - validate!
-    - migrate
-
-# We use class instance variables quite a bit, mostly for readonly values set
-# at boot time. Except for our models with have redis-rb Redis instances
-# connected on their associated db via ModelClass.dbclient. We're well aware
-# so keeping this disabled reduces warning noise.
-ThreadSafety/ClassInstanceVariable:
-  Enabled: false
-
-Naming/RescuedExceptionsVariableName:
-  Enabled: true
-  PreferredName: ex # Default is 'e'
-
-Naming/PredicatePrefix:
-  Enabled: true
-  ForbiddenPrefixes: [is_, has_, have_]
-  AllowedMethods: [
-      has_passphrase?, # correlates with the REST API field `has_passphrase`
-    ]
-
-Layout/MultilineMethodCallIndentation:
-  EnforcedStyle: indented
-  IndentationWidth: 2
-
 Gemspec/DeprecatedAttributeAssignment:
   Enabled: true
 
 Gemspec/DevelopmentDependencies:
   Enabled: true
 
-Layout/ElseAlignment:
-  Enabled: false
-
-Layout/EndAlignment:
-  Enabled: false
-  # Severity: low
-  # SupportedStylesAlignWith: 2
-  # Leave commented out. When we set align with, endless "error occurred"
-  # EnforcedStyle: keyword # keyword, variable, start_of_line
-
-Layout/ExtraSpacing:
-  Enabled: true
-  AllowForAlignment: true
-  AllowBeforeTrailingComments: true
-  ForceEqualSignAlignment: true
-
-Layout/IndentationConsistency:
-  EnforcedStyle: indented_internal_methods
-  Enabled: true
-
-Layout/IndentationWidth:
-  # We don't want to enforce indentation width because it's doing weird things
-  # with if/else statements that capture values. The `if` expression is aligned
-  # with the right side of the `test` but the `else` expression is aligned with
-  # the start of the line.
-  Width: 2
-  Enabled: false
-
 Layout/HashAlignment:
-  Enabled: true
-
-Layout/FirstHashElementIndentation:
-  Enabled: true
+  Enabled: false
 
 Lint/Void:
-  Enabled: true
-
-Lint/CopDirectiveSyntax:
-  Enabled: true
+  Enabled: false
 
-# Offense count: 122
-# Assignment Branch Condition size
 Metrics/AbcSize:
   Enabled: false
   Max: 20
 
-# Offense count: 217
-Layout/LineLength:
-  Enabled: false
-  AllowHeredoc: true
-  AllowURI: true
-  URISchemes:
-    - https
-  IgnoreCopDirectives: true
-  AllowedPatterns: []
-  SplitStrings: false
-  Max: 100
-
-# Align the arguments of a method call if they span more than one line.
-Layout/ArgumentAlignment:
-  Enabled: true
-  EnforcedStyle: with_fixed_indentation # with_first_argument, with_fixed_indentation
-  IndentationWidth: 2
-
-Layout/EmptyLineAfterGuardClause:
-  Enabled: true
-
-Layout/EmptyLineBetweenDefs:
-  Enabled: true
-
-Layout/EmptyLines:
-  Enabled: true
-
-Layout/EmptyLinesAroundAccessModifier:
-  Enabled: true
-
-Layout/EmptyLinesAroundAttributeAccessor:
-  Enabled: true
-
-Layout/EmptyLinesAroundBlockBody:
-  Enabled: true
-
-Layout/EmptyLinesAroundClassBody:
-  Enabled: true
-
-Layout/EmptyLinesAroundExceptionHandlingKeywords:
-  Enabled: true
-
-Layout/EmptyLinesAroundMethodBody:
-  Enabled: true
-
-Layout/EmptyLinesAroundModuleBody:
-  Enabled: true
-
 Metrics/ClassLength:
   Enabled: true
-  Max: 350
+  Max: 200
+
+Metrics/CyclomaticComplexity:
+  Enabled: false
 
-# Offense count: non-0
 Metrics/MethodLength:
   Enabled: true
-  Max: 50
+  Max: 40
   CountAsOne: ["method_call"]
 
 Metrics/ModuleLength:
   Enabled: true
-  Max: 350
+  Max: 250
   CountAsOne: ["method_call"]
 
 Performance/Size:
   Enabled: true
-  Exclude: []
-
-Naming/AsciiIdentifiers:
-  Enabled: true
-
-Metrics/CyclomaticComplexity:
-  Enabled: false
+  Exclude:
+  #   - lib/example.rb
 
 Style/NegatedIfElseCondition:
   Enabled: true
 
-Style/TrailingCommaInArguments:
-  Enabled: true
-  EnforcedStyleForMultiline: comma
-
-Style/TrailingCommaInArrayLiteral:
-  Enabled: true
-  EnforcedStyleForMultiline: comma
-
-# Use #empty? when testing for objects of length 0.
-Style/ZeroLengthPredicate:
-  Enabled: true
-  Safe: true
-
-Style/MethodDefParentheses:
-  Enabled: true
-
-Style/FrozenStringLiteralComment:
-  Enabled: true
-  EnforcedStyle: never
-
-Style/SuperArguments:
-  Enabled: true
-
-# Offense count: non-0
-ThreadSafety/ClassAndModuleAttributes:
-  Description: Avoid mutating class and module attributes.
-  Enabled: true
-  ActiveSupportClassAttributeAllowed: false
-
-ThreadSafety/DirChdir:
-  Description: Avoid using `Dir.chdir` due to its process-wide effect.
-  Enabled: true
-  AllowCallWithBlock: false
-
-# Do not assign mutable objects to class instance variables.
-ThreadSafety/MutableClassInstanceVariable:
-  Description:
-  Enabled: true
-  EnforcedStyle: literals # one of literals, strict
-  SafeAutoCorrect: false
-
-# Avoid starting new threads. Let a framework like Sidekiq handle the threads.
-ThreadSafety/NewThread:
-  Enabled: true
-
-# Avoid instance variables in Rack middleware.
-ThreadSafety/RackMiddlewareInstanceVariable:
-  Description:
-  Enabled: true
-  Include:
-    - lib/middleware/*.rb
-    - lib/middleware/onetime/*.rb
-
-# Unsafe autocorrect:
-Performance/MapCompact:
-  Enabled: false
-Performance/StringInclude:
-  Enabled: false
-Style/ClassAndModuleChildren:
-  Enabled: false
-Style/GlobalStdStream:
-  Enabled: false
-Style/HashConversion:
-  Enabled: false
-Style/HashEachMethods:
-  Enabled: false
-Style/IdenticalConditionalBranches:
-  Enabled: false
-Style/MinMaxComparison:
-  Enabled: false
-Style/MutableConstant:
-  Enabled: false
-Style/NumericPredicate:
-  Enabled: false
-Style/RaiseArgs:
-  Enabled: false
-Style/RedundantInterpolation:
-  Enabled: false
-Style/SafeNavigation:
-  Enabled: false
-Style/SpecialGlobalVars:
-  Enabled: false
-Style/StringConcatenation:
-  Enabled: false
-Style/SymbolProc:
+Naming/AsciiIdentifiers:
   Enabled: false
 
-# warnings
-Lint/RedundantCopDisableDirective:
-  Enabled: false
-Lint/AssignmentInCondition:
+Style/FrozenStringLiteralComment:
   Enabled: false
 
-# Manual corrections
-Metrics/BlockLength:
-  Enabled: false
-Metrics/BlockNesting:
-  Enabled: false
-Metrics/ParameterLists:
-  Enabled: false
-Naming/AccessorMethodName:
-  Enabled: false
-Naming/MethodParameterName:
-  Enabled: false
-Performance/CollectionLiteralInLoop:
-  Enabled: false
-Style/OptionalBooleanParameter:
+Naming/MemoizedInstanceVariableName:
   Enabled: false
 
-# warnings
-Lint/DuplicateMethods:
-  Enabled: false
-Lint/UselessOr:
-  Enabled: false
-Lint/UnreachableLoop:
-  Enabled: false
-Lint/MissingCopEnableDirective:
-  Enabled: false
-Lint/MissingSuper:
-  Enabled: false
-Lint/EmptyFile:
-  Enabled: false
-Lint/RescueException:
+# We use class instance vars sparingly at load time
+ThreadSafety/ClassInstanceVariable:
   Enabled: false

data/CHANGELOG.rst

@@ -0,0 +1,83 @@
+CHANGELOG.rst
+=============
+
+All notable changes to Otto are documented here.
+
+The format is based on `Keep a
+Changelog <https://keepachangelog.com/en/1.1.0/>`__, and this project
+adheres to `Semantic
+Versioning <https://semver.org/spec/v2.0.0.html>`__.
+
+.. raw:: html
+
+   <!--scriv-insert-here-->
+
+.. _changelog-2.0.0-pre1:
+
+2.0.0-pre1 — 2025-09-10
+=======================
+
+Added
+-----
+
+- Comprehensive test coverage for error handling methods (handle_error, secure_error_response,
+json_error_response)
+- Test coverage for private configuration methods (configure_locale, configure_security,
+configure_authentication, configure_mcp)
+- Expanded MCP functionality test coverage including route parsing and server initialization
+- Security header validation in all error responses
+- Content negotiation testing for JSON vs plain text error responses
+- Development vs production mode error handling verification
+
+- ``Otto::Security::Configurator`` class for consolidated security configuration
+- ``Otto::Core::MiddlewareStack`` class for enhanced middleware management
+- Unified ``security.configure()`` method for streamlined security setup
+- Middleware introspection capabilities via ``middleware_list`` and ``middleware_details`` methods
+
+Changed
+-------
+
+- **BREAKING**: Direct middleware_stack manipulation no longer supported. Use ``otto.use()`` instead
+of ``otto.middleware_stack <<``. See `migration guide <docs/migrating/v2.0.0-pre1.md>`__ for upgrade
+path.
+
+- Refactored main Otto class from 767 lines to 348 lines using composition pattern (#29)
+- Modernized initialization method with helper functions while maintaining backward compatibility
+- Applied Ruby 3.2+ features including pattern matching and anonymous block forwarding
+- Improved method organization and separation of concerns
+
+- Refactored security configuration methods to use new ``Otto::Security::Configurator`` facade
+- Enhanced middleware stack management with better registration and execution interfaces
+- Improved separation of concerns between security configuration and middleware handling
+
+- Unified middleware stack implementation for improved performance and consistency
+- Optimized middleware lookup and registration with O(1) Set-based tracking
+- Memoized middleware list to reduce array creation overhead
+- Improved middleware registration to handle varied argument scenarios
+
+Documentation
+-------------
+
+- Added changelog management system with Scriv configuration
+- Created comprehensive changelog process documentation
+
+AI Assistance
+-------------
+
+- Comprehensive test suite development covering 76 new test cases across 3 test files
+- Error handling analysis and edge case identification
+- Configuration method testing strategy development
+- MCP functionality testing with proper mocking and stubbing techniques
+- Test quality assurance ensuring all 460 examples pass with 0 failures
+
+- Extracted core Otto class functionality into 5 focused modules (Router, FileSafety, Configuration,
+ErrorHandler, UriGenerator) using composition pattern for improved maintainability while preserving
+complete API backward compatibility (#28)
+
+- Comprehensive refactoring implementation developed with AI assistance
+- Systematic approach to maintaining backward compatibility during modernization
+- Full test suite validation ensuring zero breaking changes across 460 test cases
+
+- Comprehensive refactoring of middleware stack management
+- Performance optimization and code quality improvements
+- Developed detailed migration guide for smooth transition