rhales 0.4.0 → 0.5.3

data/lib/rhales/core/context.rb

@@ -0,0 +1,354 @@
+# lib/rhales/context.rb
+#
+# frozen_string_literal: true
+
+require_relative '../configuration'
+require_relative '../adapters/base_auth'
+require_relative '../adapters/base_session'
+require_relative '../adapters/base_request'
+require_relative '../security/csp'
+
+module Rhales
+    # RSFCContext provides a clean interface for RSFC templates to access
+    # server-side data. Follows the established pattern from InitScriptContext
+    # and EnvironmentContext for focused, single-responsibility context objects.
+    #
+    # The context provides three layers of data:
+    # 1. Request: Framework-provided data (CSRF tokens, authentication, config)
+    # 2. Server: Template-only variables (page titles, HTML content, etc.)
+    # 3. Client: Application data that gets serialized to window state
+    #
+    # Request data and server data are accessible in templates.
+    # Client data takes precedence over server data for variable resolution.
+    # Only client data is serialized to the browser via <schema> sections.
+    #
+    # One RSFCContext instance is created per page render and shared across
+    # the main template and all partials to maintain security boundaries.
+    class Context
+      attr_reader :req, :client, :server, :config
+
+      def initialize(req, client: {}, server: {}, config: nil)
+        @req           = req
+        @config        = config || Rhales.configuration
+
+        # Normalize keys to strings for consistent access and expose with clean names
+        @client_data = normalize_keys(client).freeze
+        @client = @client_data  # Public accessor
+
+        # Build context layers (three-layer model: request + server + client)
+        # Server data is merged with built-in request/app data
+        @server_data = build_app_data.merge(normalize_keys(server)).freeze
+        @server = @server_data  # Public accessor
+
+        # Pre-compute all_data before freezing
+        # Client takes precedence over server, and add app namespace for backward compatibility
+        @all_data = @server_data.merge(@client_data).merge({ 'app' => @server_data }).freeze
+
+        # Make context immutable after creation
+        freeze
+      end
+
+      # Get variable value with dot notation support (e.g., "user.id", "features.account_creation")
+      def get(variable_path)
+        path_parts    = variable_path.split('.')
+        current_value = all_data
+
+        path_parts.each do |part|
+          case current_value
+          when Hash
+            if current_value.key?(part)
+              current_value = current_value[part]
+            elsif current_value.key?(part.to_sym)
+              current_value = current_value[part.to_sym]
+            else
+              return nil
+            end
+          when Object
+            if current_value.respond_to?(part)
+              current_value = current_value.public_send(part)
+            elsif current_value.respond_to?("#{part}?")
+              current_value = current_value.public_send("#{part}?")
+            else
+              return nil
+            end
+          else
+            return nil
+          end
+
+          return nil if current_value.nil?
+        end
+
+        current_value
+      end
+
+      # Get all available data (runtime + business + computed)
+      attr_reader :all_data
+
+      # Check if variable exists
+      def variable?(variable_path)
+        !get(variable_path).nil?
+      end
+
+      # Get list of all available variable paths (for validation)
+      def available_variables
+        collect_variable_paths(all_data)
+      end
+
+      # Resolve variable (alias for get method for hydrator compatibility)
+      def resolve_variable(variable_path)
+        get(variable_path)
+      end
+
+      # Add accessor for request data (maps to @server_data for 'app' namespace compatibility)
+      def request
+        @server_data
+      end
+
+      # Get session from request
+      #
+      # Requires: Request object must respond to #session
+      # Provided by: Rack::Request extension in Onetime
+      #
+      # @return [Hash, AnonymousSession] Rack session hash or anonymous session
+      def sess
+        return Adapters::AnonymousSession.new unless req.respond_to?(:session)
+
+        session = req.session
+        # If session doesn't have authenticated? method, wrap it in AnonymousSession
+        # This handles both Hash and Rack::Session hash-like objects after hot reload
+        return Adapters::AnonymousSession.new unless session.respond_to?(:authenticated?)
+
+        session
+      end
+
+      # Get user from request
+      #
+      # Requires: Request object must respond to #user
+      # Provided by: Rack::Request extension in Onetime
+      #
+      # @return [Object, AnonymousAuth] User object or anonymous auth
+      def user
+        return Adapters::AnonymousAuth.new unless req&.respond_to?(:user)
+
+        req.user
+      end
+
+      # Get locale from request
+      #
+      # Parses locale from HTTP_ACCEPT_LANGUAGE or rhales.locale env variable
+      #
+      # @return [String] Locale code
+      def locale
+        return @config.default_locale unless req
+
+        if req.respond_to?(:env) && req.env
+          # Check for custom rhales.locale first, then HTTP_ACCEPT_LANGUAGE
+          custom_locale = req.env['rhales.locale']
+          return custom_locale if custom_locale
+
+          # Parse HTTP_ACCEPT_LANGUAGE header
+          accept_language = req.env['HTTP_ACCEPT_LANGUAGE']
+          if accept_language
+            # Extract first locale from Accept-Language header (e.g., "en-US,en;q=0.9" -> "en-US")
+            first_locale = accept_language.split(',').first&.strip&.split(';')&.first
+            return first_locale if first_locale && !first_locale.empty?
+          end
+
+          @config.default_locale
+        else
+          @config.default_locale
+        end
+      end
+
+      # Create a new context with updated client data
+      def with_client(new_client_data)
+        self.class.new(
+          @req,
+          client: normalize_keys(new_client_data),
+          server: @server_data,
+          config: @config,
+        )
+      end
+
+      # Create a new context with updated server data
+      def with_server(new_server_data)
+        self.class.new(
+          @req,
+          client: @client_data,
+          server: normalize_keys(new_server_data),
+          config: @config,
+        )
+      end
+
+      # Create a new context with merged client data
+      def merge_client(additional_client_data)
+        self.class.new(
+          @req,
+          client: @client_data.merge(normalize_keys(additional_client_data)),
+          server: @server_data,
+          config: @config,
+        )
+      end
+
+    private
+
+      # Build framework-provided server data
+      def build_app_data
+        app = {}
+
+        # Request context (from current runtime_data)
+        if req && req.respond_to?(:env) && req.env
+          app['csrf_token'] = req.env.fetch(@config.csrf_token_name, nil)
+          app['nonce'] = get_or_generate_nonce
+          app['request_id'] = req.env.fetch('request_id', nil)
+          app['domain_strategy'] = req.env.fetch('domain_strategy', :default)
+          app['display_domain'] = req.env.fetch('display_domain', nil)
+        else
+          # Generate nonce even without request if CSP is enabled
+          app['nonce'] = get_or_generate_nonce
+        end
+
+        # Configuration (from both layers)
+        app['environment'] = @config.app_environment
+        app['api_base_url'] = @config.api_base_url
+        app['features'] = @config.features
+        app['development'] = @config.development?
+
+        # Authentication & UI (from current computed_data)
+        app['authenticated'] = authenticated?
+        app['theme_class'] = determine_theme_class
+
+        app
+      end
+
+      # Determine theme class for CSS
+      def determine_theme_class
+        # Default theme logic - can be overridden by business data
+        if @client_data['theme']
+          "theme-#{@client_data['theme']}"
+        elsif user && user.respond_to?(:theme_preference)
+          "theme-#{user.theme_preference}"
+        else
+          'theme-light'
+        end
+      end
+
+      # Check if user is authenticated
+      def authenticated?
+        # Try Otto strategy_result first (framework integration)
+        if req&.respond_to?(:env)
+          strategy_result = req.env['otto.strategy_result']
+          if strategy_result&.respond_to?(:authenticated?)
+            return strategy_result.authenticated? && valid_user_present?
+          end
+        end
+
+        # Fall back to checking session and user directly
+        sess&.authenticated? && valid_user_present?
+      end
+
+      # Check if we have a valid (non-anonymous) user
+      def valid_user_present?
+        user && !user.anonymous?
+      end
+
+      # Get or generate CSP nonce
+      def get_or_generate_nonce
+        # Try to get existing nonce from request env
+        if req && req.respond_to?(:env) && req.env
+          existing_nonce = req.env.fetch(@config.nonce_header_name, nil)
+          return existing_nonce if existing_nonce
+        end
+
+        # Generate new nonce if auto_nonce is enabled or CSP is enabled
+        return CSP.generate_nonce if @config.auto_nonce || (@config.csp_enabled && csp_nonce_required?)
+
+        # Return nil if nonce is not needed
+        nil
+      end
+
+      # Check if CSP policy requires nonce
+      def csp_nonce_required?
+        return false unless @config.csp_enabled
+
+        csp = CSP.new(@config)
+        csp.nonce_required?
+      end
+
+
+
+      # Normalize hash keys to strings recursively
+      def normalize_keys(data)
+        case data
+        when Hash
+          data.each_with_object({}) do |(key, value), result|
+            result[key.to_s] = normalize_keys(value)
+          end
+        when Array
+          data.map { |item| normalize_keys(item) }
+        else
+          data
+        end
+      end
+
+      # Recursively collect all variable paths from nested data
+      def collect_variable_paths(data, prefix = '')
+        paths = []
+
+        case data
+        when Hash
+          data.each do |key, value|
+            current_path = prefix.empty? ? key.to_s : "#{prefix}.#{key}"
+            paths << current_path
+
+            if value.is_a?(Hash) || value.is_a?(Object)
+              paths.concat(collect_variable_paths(value, current_path))
+            end
+          end
+        when Object
+          # For objects, collect method names that look like attributes
+          data.public_methods(false).each do |method|
+            method_name = method.to_s
+            next if method_name.end_with?('=') # Skip setters
+            next if method_name.start_with?('_') # Skip private-ish methods
+
+            current_path = prefix.empty? ? method_name : "#{prefix}.#{method_name}"
+            paths << current_path
+          end
+        end
+
+        paths
+      end
+
+      # Minimal request object for testing that supports required methods
+      class MinimalRequest
+        attr_reader :env, :session, :user, :locale, :nonce
+
+        def initialize(env = {}, session: {}, user: nil, locale: 'en', nonce: 'test-nonce')
+          @env = env
+          @session = session
+          @user = user
+          @locale = locale
+          @nonce = nonce
+        end
+
+        def authenticated?
+          @user && (!@user.respond_to?(:anonymous?) || !@user.anonymous?)
+        end
+      end
+
+      class << self
+        # Create context with business data for a specific view
+        def for_view(req, client: {}, server: {}, config: nil, **additional_client)
+          all_client = client.merge(additional_client)
+          new(req, client: all_client, server: server, config: config)
+        end
+
+        # Create minimal context for testing with optional env override
+        def minimal(client: {}, server: {}, config: nil, env: nil)
+          req = env ? MinimalRequest.new(env) : nil
+          new(req, client: client, server: server, config: config)
+        end
+      end
+  end
+end

data/lib/rhales/{rue_document.rb → core/rue_document.rb}

@@ -1,6 +1,8 @@
 # lib/rhales/rue_document.rb
+#
+# frozen_string_literal: true
 
-require_relative 'parsers/rue_format_parser'
+require_relative '../parsers/rue_format_parser'
 
 module Rhales
   # High-level interface for parsed .rue files
@@ -32,12 +34,12 @@ module Rhales
     class InvalidSyntaxError < ParseError; end
 
     # At least one of these sections must be present
-    REQUIRES_ONE_OF_SECTIONS = %w[data template].freeze
-    KNOWN_SECTIONS = %w[data template logic].freeze
+    REQUIRES_ONE_OF_SECTIONS = %w[schema template].freeze
+    KNOWN_SECTIONS = %w[schema template logic].freeze
     ALL_SECTIONS = KNOWN_SECTIONS.freeze
 
-    # Known data section attributes
-    KNOWN_DATA_ATTRIBUTES = %w[window merge layout].freeze
+    # Known schema section attributes
+    KNOWN_SCHEMA_ATTRIBUTES = %w[lang version envelope window merge layout extends].freeze
 
     attr_reader :content, :file_path, :grammar, :ast
 
@@ -97,7 +99,7 @@ module Rhales
         content = convert_nodes_to_string(node.value[:content])
         "{{#each #{items}}}#{content}{{/each}}"
       when :handlebars_expression
-        # Handle legacy format for data sections
+        # Handle raw handlebars expressions
         if node.value[:raw]
           "{{{#{node.value[:content]}}}"
         else
@@ -112,24 +114,41 @@ module Rhales
       sections[name]
     end
 
-    def data_attributes
-      @data_attributes ||= {}
+    def layout
+      schema_attributes['layout']
     end
 
-    def window_attribute
-      data_attributes['window'] || 'data'
+    # Schema section accessors
+    def schema_attributes
+      @schema_attributes ||= {}
     end
 
-    def schema_path
-      data_attributes['schema']
+    def schema_lang
+      schema_attributes['lang']
     end
 
-    def merge_strategy
-      data_attributes['merge']
+    def schema_version
+      schema_attributes['version']
     end
 
-    def layout
-      data_attributes['layout']
+    def schema_envelope
+      schema_attributes['envelope']
+    end
+
+    def schema_window
+      schema_attributes['window'] || 'data'
+    end
+
+    def schema_merge_strategy
+      schema_attributes['merge']
+    end
+
+    def schema_layout
+      schema_attributes['layout']
+    end
+
+    def schema_extends
+      schema_attributes['extends']
     end
 
     def section?(name)
@@ -153,12 +172,8 @@ module Rhales
       extract_variables_from_section('template', exclude_partials: true)
     end
 
-    def data_variables
-      extract_variables_from_section('data')
-    end
-
     def all_variables
-      (template_variables + data_variables).uniq
+      template_variables.uniq
     end
 
     private
@@ -186,7 +201,7 @@ module Rhales
         when :unless_block, :each_block
           extract_partials_from_content_nodes(content_node.value[:content], partials)
         when :handlebars_expression
-          # Handle old format for data sections
+          # Handle handlebars expressions
           content = content_node.value[:content]
           if content.start_with?('>')
             partials << content[1..].strip
@@ -226,10 +241,10 @@ module Rhales
           # Skip partials if requested
           next if exclude_partials
         when :text
-          # Extract handlebars expressions from text content (for data sections)
+          # Extract handlebars expressions from text content
           extract_variables_from_text(node.value, variables, exclude_partials: exclude_partials)
         when :handlebars_expression
-          # Handle old format for data sections
+          # Handle handlebars expressions
           content = node.value[:content]
 
           # Skip partials if requested
@@ -259,31 +274,34 @@ module Rhales
     end
 
     def parse_data_attributes!
-      data_section     = @grammar.sections['data']
-      @data_attributes = {}
-
-      if data_section
-        @data_attributes = data_section.value[:attributes].dup
+      schema_section = @grammar.sections['schema']
+      @schema_attributes = {}
 
+      if schema_section
+        @schema_attributes = schema_section.value[:attributes].dup
         # Validate attributes and warn about unknown ones
-        validate_data_attributes!
-      end
+        validate_schema_attributes!
+        # Set default window attribute for schema section
+        @schema_attributes['window'] ||= 'data'
 
-      # Set default window attribute
-      @data_attributes['window'] ||= 'data'
+        # Schema sections require lang attribute
+        unless @schema_attributes['lang']
+          raise ParseError, "Schema section requires 'lang' attribute (e.g., lang=\"ts-zod\")"
+        end
+      end
     end
 
-    def validate_data_attributes!
-      unknown_attributes = @data_attributes.keys - KNOWN_DATA_ATTRIBUTES
+    def validate_schema_attributes!
+      unknown_attributes = @schema_attributes.keys - KNOWN_SCHEMA_ATTRIBUTES
 
       unknown_attributes.each do |attr|
-        warn_unknown_attribute(attr)
+        warn_unknown_schema_attribute(attr)
       end
     end
 
-    def warn_unknown_attribute(attribute)
+    def warn_unknown_schema_attribute(attribute)
       file_info = @file_path ? " in #{@file_path}" : ''
-      warn "Warning: data section encountered '#{attribute}' attribute - not yet supported, ignoring#{file_info}"
+      warn "Warning: schema section encountered '#{attribute}' attribute - not yet supported, ignoring#{file_info}"
     end
 
     class << self