rhales 0.7.0 → 0.7.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: bc4ab2b108b173b1781fb48ada4b2cfba22547d79d0ecc4659838a67c2407363
-  data.tar.gz: 59f4e4b981c3166722d3ddebeba27861dc949575719c8eaa53d23b4e6a41f8d2
+  metadata.gz: 3ebdcf7b19495050ab5d3af3ba3eda23b719391602816c752afd4dac1110c47c
+  data.tar.gz: 976de2823a3d79923937fc19232968ed01e4b6b21623065a2b0136e8d85b9b8e
 SHA512:
-  metadata.gz: 06547d4e90656b20b5dd8dee5f6b468ea5ff63fc1f76becdca3b48889af7f62a42793acca89ced4f32f91017eb026f18862d772ffa1c606582a4aa0ad8fbb490
-  data.tar.gz: 1d5eb58558b5b45c3c24c95f2ee0f26ba171e6c11553e3b55d41aa598c41f2f53573b7e05c36abd52865d7b884aa571a076698183a4a1b135f31ec1a29b3319c
+  metadata.gz: 1ccd2220b6a56c25f6f3f22a4c10726a2e82617bdfe3f0a18deab925a13a715e5f6deb0836b9c44570ca3af2b8fb1d512984f3928c9dcadda7a3cc53cb42fa4b
+  data.tar.gz: bf62c3740a25ece5609af328afcc8d6e30eea2e07dffce4e55d59c493aad0455177c3edadb2a978de19f57d8d15ac3ff2ff29d3a544eb98a4286712997167184

data/.github/workflows/claude-code-review.yml

@@ -37,6 +37,10 @@ jobs:
         with:
           claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
 
+          # Fall back to a current model when the action's default model id is
+          # unavailable (the previous default 404s: "model: claude-sonnet-4-20250514")
+          fallback_model: "claude-sonnet-4-6"
+
           # Direct prompt for automated review (no @claude mention needed)
           direct_prompt: |
             Please review this pull request and provide feedback on:

data/.github/workflows/claude.yml

@@ -36,6 +36,10 @@ jobs:
         with:
           claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
 
+          # Fall back to a current model when the action's default model id is
+          # unavailable (the previous default 404s: "model: claude-sonnet-4-20250514")
+          fallback_model: "claude-sonnet-4-6"
+
           # This is an optional setting that allows Claude to read CI results on PRs
           additional_permissions: |
             actions: read

data/CHANGELOG.md

@@ -7,6 +7,43 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.7.1] - 2026-06-22
+
+### Security
+- Validate the schema `window` attribute against a JavaScript identifier pattern
+  (`/\A[a-zA-Z_][a-zA-Z0-9_]*\z/`) at parse time; invalid names raise
+  `RueDocument::ParseError` (#57).
+- Escape the window name at every hydration render site as defense in depth:
+  HTML-escape it in `data-window` / `data-hydration-target` attributes and
+  JSON-encode it (`JSONSerializer.dump_html_safe`) in `window[...]` script
+  contexts, in both `View` and `LinkBasedInjectionDetector`. Previously an
+  unescaped window name could break out of the HTML attribute or JS string (#57).
+- Stop logging the raw CSP nonce value. `CSP.generate_nonce` and
+  `CSP#build_header` now log only length/entropy/usage metadata, never the
+  per-response secret itself (#57).
+- Escape the remaining interpolated config values in `LinkBasedInjectionDetector`
+  for the same reason: `endpoint_url` / `template_name` (HTML-escaped in `href` /
+  `data-lazy-src`, JSON-encoded in `fetch(...)` / `import` / loader calls) and the
+  lazy `mount_selector` (JSON-encoded in `document.querySelector(...)`), so a
+  single/double quote in those config values can no longer break out of its
+  context (#59 review).
+- Validate template names in `View#resolve_template_path` to prevent path
+  traversal. Names may still use forward slashes for subdirectories, but
+  parent-directory references (`..`), embedded null bytes, and absolute paths
+  are rejected with `View::TemplateNotFoundError`. This matters because
+  `HydrationEndpoint` is designed to be wired to an API route, so a
+  request-derived template name can no longer escape the configured template
+  directories to read arbitrary files (#22).
+
+### Performance
+- `MountPointDetector#detect` now scans the rendered HTML a single time using
+  one combined alternation pattern built from all selectors, instead of
+  re-scanning the whole document once per selector. Results are memoized per
+  detector instance keyed by `[template_html, selectors]`, and `View` reuses a
+  single detector, so repeated detection on identical HTML reuses the prior
+  result and its `SafeInjectionValidator` work. Selection semantics
+  (selector-priority tie-breaking, earliest safe position) are unchanged (#22).
+
 ## [0.7.0] - 2026-06-21
 
 ### Security

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    rhales (0.7.0)
+    rhales (0.7.1)
       json_schemer (~> 2)
       logger
       tilt (~> 2)

data/lib/rhales/core/rue_document.rb

@@ -41,6 +41,11 @@ module Rhales
     # Known schema section attributes
     KNOWN_SCHEMA_ATTRIBUTES = %w[lang version envelope window merge layout extends src].freeze
 
+    # The window attribute names a global JavaScript property and is interpolated
+    # into HTML attribute and <script> contexts during hydration. Restrict it to a
+    # valid JavaScript identifier so it cannot break out of either context (issue #57).
+    WINDOW_ATTRIBUTE_PATTERN = /\A[a-zA-Z_][a-zA-Z0-9_]*\z/
+
     attr_reader :content, :file_path, :grammar, :ast
 
     def initialize(content, file_path = nil)
@@ -289,6 +294,7 @@ module Rhales
         validate_schema_attributes!
         # Set default window attribute for schema section
         @schema_attributes['window'] ||= 'data'
+        validate_window_attribute!
 
         # Schema sections require lang attribute
         unless @schema_attributes['lang']
@@ -305,6 +311,15 @@ module Rhales
       end
     end
 
+    def validate_window_attribute!
+      window = @schema_attributes['window']
+      return if window.is_a?(String) && window.match?(WINDOW_ATTRIBUTE_PATTERN)
+
+      raise ParseError,
+        "Invalid window attribute #{window.inspect}: must be a valid JavaScript " \
+        "identifier matching #{WINDOW_ATTRIBUTE_PATTERN.source}"
+    end
+
     def warn_unknown_schema_attribute(attribute)
       file_info = @file_path ? " in #{@file_path}" : ''
       warn "Warning: schema section encountered '#{attribute}' attribute - not yet supported, ignoring#{file_info}"

data/lib/rhales/core/view.rb

@@ -229,6 +229,8 @@ module Rhales
 
     # Resolve template path
     def resolve_template_path(template_name)
+      validate_template_name!(template_name)
+
       # Check configured template paths first
       if config && config.template_paths && !config.template_paths.empty?
         config.template_paths.each do |path|
@@ -254,6 +256,28 @@ module Rhales
       end
     end
 
+    # Guard against path-traversal in template names.
+    #
+    # Template names may contain forward slashes to address subdirectories
+    # (e.g. "web/homepage"), but must not reference parent directories, embed
+    # null bytes, or be absolute paths. HydrationEndpoint exposes template
+    # names to API callers, so a name derived from request input must never be
+    # able to escape the configured template directories and read arbitrary
+    # files off disk.
+    def validate_template_name!(template_name)
+      unless template_name.is_a?(String) && !template_name.empty?
+        raise TemplateNotFoundError, "Invalid template name: #{template_name.inspect}"
+      end
+
+      absolute  = template_name.start_with?('/') || template_name.match?(/\A[a-zA-Z]:[\\\/]/)
+      null_byte = template_name.bytes.include?(0)
+      traversal = template_name.split(%r{[\\/]}).include?('..')
+
+      if absolute || null_byte || traversal
+        raise TemplateNotFoundError, "Unsafe template name: #{template_name.inspect}"
+      end
+    end
+
     # Get templates root directory
     def templates_root
       boot_root = File.expand_path('../../..', __dir__)
@@ -317,8 +341,14 @@ module Rhales
       return nil unless config&.hydration
 
       custom_selectors = config.hydration.mount_point_selectors || []
-      detector = MountPointDetector.new
-      detector.detect(template_html, custom_selectors)
+      mount_point_detector.detect(template_html, custom_selectors)
+    end
+
+    # Memoized mount point detector. Reusing one instance lets its per-instance
+    # result cache avoid rebuilding a SafeInjectionValidator and re-scanning
+    # identical rendered HTML across calls within this view's lifetime.
+    def mount_point_detector
+      @mount_point_detector ||= MountPointDetector.new
     end
 
     # Build view composition for the given template
@@ -387,26 +417,31 @@ module Rhales
         unique_id = "rsfc-data-#{SecureRandom.hex(8)}"
         nonce_attr = nonce_attribute
 
+        # Escape the window name for its two output contexts (issue #57). Parse-time
+        # validation already restricts it to a JS identifier; this is defense in depth.
+        window_attr_html = ERB::Util.html_escape(window_attr)
+        window_attr_js   = JSONSerializer.dump_html_safe(window_attr)
+
         # Create JSON script tag with optional reflection attributes
-        json_attrs = reflection_enabled? ? " data-window=\"#{window_attr}\"" : ''
+        json_attrs = reflection_enabled? ? " data-window=\"#{window_attr_html}\"" : ''
         json_script = <<~HTML.strip
           <script#{nonce_attr} id="#{unique_id}" type="application/json"#{json_attrs}>#{JSONSerializer.dump_html_safe(data)}</script>
         HTML
 
         # Create hydration script with optional reflection attributes
-        hydration_attrs = reflection_enabled? ? " data-hydration-target=\"#{window_attr}\"" : ''
+        hydration_attrs = reflection_enabled? ? " data-hydration-target=\"#{window_attr_html}\"" : ''
         hydration_script = if reflection_enabled?
           <<~HTML.strip
             <script#{nonce_attr}#{hydration_attrs}>
             var dataScript = document.getElementById('#{unique_id}');
-            var targetName = dataScript.getAttribute('data-window') || '#{window_attr}';
+            var targetName = dataScript.getAttribute('data-window') || #{window_attr_js};
             window[targetName] = JSON.parse(dataScript.textContent);
             </script>
           HTML
         else
           <<~HTML.strip
             <script#{nonce_attr}#{hydration_attrs}>
-            window['#{window_attr}'] = JSON.parse(document.getElementById('#{unique_id}').textContent);
+            window[#{window_attr_js}] = JSON.parse(document.getElementById('#{unique_id}').textContent);
             </script>
           HTML
         end

data/lib/rhales/hydration/link_based_injection_detector.rb

@@ -3,7 +3,9 @@
 # frozen_string_literal: true
 
 require 'strscan'
+require 'erb'
 require_relative 'safe_injection_validator'
+require_relative '../utils/json_serializer'
 
 module Rhales
   # Generates link-based hydration strategies that use browser resource hints
@@ -47,12 +49,16 @@ module Rhales
 
     def generate_basic_link(template_name, window_attr, nonce)
       endpoint_url = "#{@api_endpoint_path}/#{template_name}"
+      window_attr_html = ERB::Util.html_escape(window_attr)
+      window_attr_js   = JSONSerializer.dump_html_safe(window_attr)
+      endpoint_url_html = ERB::Util.html_escape(endpoint_url)
+      endpoint_url_js   = JSONSerializer.dump_html_safe(endpoint_url)
 
-      link_tag = %(<link href="#{endpoint_url}" type="application/json">)
+      link_tag = %(<link href="#{endpoint_url_html}" type="application/json">)
 
       script_tag = <<~HTML.strip
-        <script#{nonce_attribute(nonce)} data-hydration-target="#{window_attr}">
-        // Load hydration data for #{window_attr}
+        <script#{nonce_attribute(nonce)} data-hydration-target="#{window_attr_html}">
+        // Load hydration data
         window.__rhales__ = window.__rhales__ || {};
         if (!window.__rhales__.loadData) {
           window.__rhales__.loadData = function(target, url) {
@@ -61,7 +67,7 @@ module Rhales
               .then(data => window[target] = data);
           };
         }
-        window.__rhales__.loadData('#{window_attr}', '#{endpoint_url}');
+        window.__rhales__.loadData(#{window_attr_js}, #{endpoint_url_js});
         </script>
       HTML
 
@@ -71,12 +77,16 @@ module Rhales
     def generate_prefetch_link(template_name, window_attr, nonce)
       endpoint_url = "#{@api_endpoint_path}/#{template_name}"
       crossorigin_attr = @crossorigin_enabled ? ' crossorigin' : ''
+      window_attr_html = ERB::Util.html_escape(window_attr)
+      window_attr_js   = JSONSerializer.dump_html_safe(window_attr)
+      endpoint_url_html = ERB::Util.html_escape(endpoint_url)
+      endpoint_url_js   = JSONSerializer.dump_html_safe(endpoint_url)
 
-      link_tag = %(<link rel="prefetch" href="#{endpoint_url}" as="fetch"#{crossorigin_attr}>)
+      link_tag = %(<link rel="prefetch" href="#{endpoint_url_html}" as="fetch"#{crossorigin_attr}>)
 
       script_tag = <<~HTML.strip
-        <script#{nonce_attribute(nonce)} data-hydration-target="#{window_attr}">
-        // Prefetch hydration data for #{window_attr}
+        <script#{nonce_attribute(nonce)} data-hydration-target="#{window_attr_html}">
+        // Prefetch hydration data
         window.__rhales__ = window.__rhales__ || {};
         if (!window.__rhales__.loadPrefetched) {
           window.__rhales__.loadPrefetched = function(target, url) {
@@ -85,7 +95,7 @@ module Rhales
               .then(data => window[target] = data);
           };
         }
-        window.__rhales__.loadPrefetched('#{window_attr}', '#{endpoint_url}');
+        window.__rhales__.loadPrefetched(#{window_attr_js}, #{endpoint_url_js});
         </script>
       HTML
 
@@ -95,19 +105,23 @@ module Rhales
     def generate_preload_link(template_name, window_attr, nonce)
       endpoint_url = "#{@api_endpoint_path}/#{template_name}"
       crossorigin_attr = @crossorigin_enabled ? ' crossorigin' : ''
+      window_attr_html = ERB::Util.html_escape(window_attr)
+      window_attr_js   = JSONSerializer.dump_html_safe(window_attr)
+      endpoint_url_html = ERB::Util.html_escape(endpoint_url)
+      endpoint_url_js   = JSONSerializer.dump_html_safe(endpoint_url)
 
-      link_tag = %(<link rel="preload" href="#{endpoint_url}" as="fetch"#{crossorigin_attr}>)
+      link_tag = %(<link rel="preload" href="#{endpoint_url_html}" as="fetch"#{crossorigin_attr}>)
 
       script_tag = <<~HTML.strip
-        <script#{nonce_attribute(nonce)} data-hydration-target="#{window_attr}">
+        <script#{nonce_attribute(nonce)} data-hydration-target="#{window_attr_html}">
         // Preload strategy - high priority fetch
-        fetch('#{endpoint_url}')
+        fetch(#{endpoint_url_js})
           .then(r => r.json())
           .then(data => {
-            window['#{window_attr}'] = data;
+            window[#{window_attr_js}] = data;
             // Dispatch ready event
             window.dispatchEvent(new CustomEvent('rhales:hydrated', {
-              detail: { target: '#{window_attr}', data: data }
+              detail: { target: #{window_attr_js}, data: data }
             }));
           })
           .catch(err => console.error('Rhales hydration error:', err));
@@ -119,18 +133,22 @@ module Rhales
 
     def generate_modulepreload_link(template_name, window_attr, nonce)
       endpoint_url = "#{@api_endpoint_path}/#{template_name}.js"
+      window_attr_html = ERB::Util.html_escape(window_attr)
+      window_attr_js   = JSONSerializer.dump_html_safe(window_attr)
+      endpoint_url_html = ERB::Util.html_escape(endpoint_url)
+      endpoint_url_js   = JSONSerializer.dump_html_safe(endpoint_url)
 
-      link_tag = %(<link rel="modulepreload" href="#{endpoint_url}">)
+      link_tag = %(<link rel="modulepreload" href="#{endpoint_url_html}">)
 
       script_tag = <<~HTML.strip
-        <script type="module"#{nonce_attribute(nonce)} data-hydration-target="#{window_attr}">
+        <script type="module"#{nonce_attribute(nonce)} data-hydration-target="#{window_attr_html}">
         // Module preload strategy
-        import data from '#{endpoint_url}';
-        window['#{window_attr}'] = data;
+        import data from #{endpoint_url_js};
+        window[#{window_attr_js}] = data;
 
         // Dispatch ready event
         window.dispatchEvent(new CustomEvent('rhales:hydrated', {
-          detail: { target: '#{window_attr}', data: data }
+          detail: { target: #{window_attr_js}, data: data }
         }));
         </script>
       HTML
@@ -141,28 +159,33 @@ module Rhales
     def generate_lazy_loading(template_name, window_attr, nonce)
       endpoint_url = "#{@api_endpoint_path}/#{template_name}"
       mount_selector = @hydration_config.lazy_mount_selector || '#app'
+      window_attr_html = ERB::Util.html_escape(window_attr)
+      window_attr_js   = JSONSerializer.dump_html_safe(window_attr)
+      endpoint_url_html = ERB::Util.html_escape(endpoint_url)
+      endpoint_url_js   = JSONSerializer.dump_html_safe(endpoint_url)
+      mount_selector_js = JSONSerializer.dump_html_safe(mount_selector)
 
       # No link tag for lazy loading - purely script-driven
       script_tag = <<~HTML.strip
-        <script#{nonce_attribute(nonce)} data-hydration-target="#{window_attr}" data-lazy-src="#{endpoint_url}">
+        <script#{nonce_attribute(nonce)} data-hydration-target="#{window_attr_html}" data-lazy-src="#{endpoint_url_html}">
         // Lazy loading strategy with intersection observer
         window.__rhales__ = window.__rhales__ || {};
         window.__rhales__.initLazyLoading = function() {
-          const mountElement = document.querySelector('#{mount_selector}');
+          const mountElement = document.querySelector(#{mount_selector_js});
           if (!mountElement) {
-            console.warn('Rhales: Mount element "#{mount_selector}" not found for lazy loading');
+            console.warn('Rhales: Mount element ' + #{mount_selector_js} + ' not found for lazy loading');
             return;
           }
 
           const observer = new IntersectionObserver((entries) => {
             entries.forEach(entry => {
               if (entry.isIntersecting) {
-                fetch('#{endpoint_url}')
+                fetch(#{endpoint_url_js})
                   .then(r => r.json())
                   .then(data => {
-                    window['#{window_attr}'] = data;
+                    window[#{window_attr_js}] = data;
                     window.dispatchEvent(new CustomEvent('rhales:hydrated', {
-                      detail: { target: '#{window_attr}', data: data }
+                      detail: { target: #{window_attr_js}, data: data }
                     }));
                   })
                   .catch(err => console.error('Rhales lazy hydration error:', err));

data/lib/rhales/hydration/mount_point_detector.rb

@@ -21,43 +21,92 @@ module Rhales
   #
   # Default selectors are checked: ['#app', '#root', '[data-rsfc-mount]', '[data-mount]']
   # Custom selectors can be added via configuration and are combined with defaults.
+  #
+  # ## Performance
+  #
+  # Detection scans the HTML a single time using one combined alternation
+  # pattern built from all selectors, rather than re-scanning the whole
+  # document once per selector. Results are memoized per instance keyed by
+  # [template_html, selectors], so repeated detection on the same rendered
+  # HTML (e.g. across renders that reuse the detector) reuses the prior result
+  # and its SafeInjectionValidator work instead of recomputing.
   class MountPointDetector
     DEFAULT_SELECTORS = ['#app', '#root', '[data-rsfc-mount]', '[data-mount]'].freeze
 
+    def initialize
+      @cache = {}
+    end
+
     def detect(template_html, custom_selectors = [])
       selectors = (DEFAULT_SELECTORS + Array(custom_selectors)).uniq
-      scanner = StringScanner.new(template_html)
+      cache_key = [template_html, selectors]
+      return @cache[cache_key] if @cache.key?(cache_key)
+
+      @cache[cache_key] = compute_detection(template_html, selectors)
+    end
+
+    private
+
+    def compute_detection(template_html, selectors)
       validator = SafeInjectionValidator.new(template_html)
-      mount_points = []
-
-      selectors.each do |selector|
-        scanner.pos = 0
-        pattern = build_pattern(selector)
-
-        while scanner.scan_until(pattern)
-          # Calculate position where the full tag starts
-          tag_start_pos = find_tag_start(scanner, template_html)
-
-          # Only include mount points that are safe for injection
-          safe_position = find_safe_injection_position(validator, tag_start_pos)
-
-          if safe_position
-            mount_points << {
-              selector: selector,
-              position: safe_position,
-              original_position: tag_start_pos,
-              matched: scanner.matched
-            }
-          end
-        end
+      pattern   = combined_pattern(selectors)
+      scanner   = StringScanner.new(template_html)
+      matches   = []
+
+      # Single pass over the HTML: the combined alternation finds every
+      # selector occurrence in document order, and the matching capture-group
+      # index tells us which selector produced it.
+      while scanner.scan_until(pattern)
+        selector  = selectors[matched_group_index(scanner, selectors.length)]
+        tag_start = find_tag_start(scanner, template_html)
+
+        # Only include mount points that are safe for injection
+        safe_position = find_safe_injection_position(validator, tag_start)
+        next unless safe_position
+
+        matches << {
+          selector: selector,
+          position: safe_position,
+          original_position: tag_start,
+          matched: scanner.matched,
+        }
       end
 
-      # Return earliest mount point by position
-      mount_points.min_by { |mp| mp[:position] }
+      # Preserve the original selection semantics: matches are considered in
+      # selector-priority order (then document order within a selector), and
+      # the earliest injection position wins. Ordering the matches this way
+      # before min_by reproduces the previous per-selector tie-breaking.
+      ordered = selectors.flat_map { |selector| matches.select { |mp| mp[:selector] == selector } }
+      ordered.min_by { |mp| mp[:position] }
     end
 
-    private
+    # Build one alternation pattern from all selectors. Each selector's
+    # sub-pattern is wrapped in a capture group so the matched group index
+    # identifies which selector matched. None of the sub-patterns introduce
+    # their own capture groups, so group N corresponds to selector N-1.
+    def combined_pattern(selectors)
+      union = selectors.map { |selector| "(#{build_pattern(selector).source})" }.join('|')
+      Regexp.new(union, Regexp::IGNORECASE)
+    end
+
+    def matched_group_index(scanner, count)
+      count.times { |index| return index if scanner[index + 1] }
+
+      # Unreachable in normal operation: after a successful scan_until against
+      # combined_pattern exactly one wrapped selector group has captured. If
+      # none has, a build_pattern sub-pattern introduced its own capturing
+      # group and shifted the numbering, so fail loudly rather than silently
+      # attributing the match to the first selector.
+      raise 'MountPointDetector: no selector capture group matched; ' \
+            'build_pattern sub-patterns must not contain capturing groups'
+    end
 
+    # Build the regex fragment that matches a single selector.
+    #
+    # INVARIANT: sub-patterns must not contain capturing groups. combined_pattern
+    # wraps each fragment in exactly one capture group and maps that group's
+    # index back to a selector, so any stray `(...)` here would shift the
+    # numbering and misattribute matches. Use non-capturing groups `(?:...)`.
     def build_pattern(selector)
       case selector
       when /^#(.+)$/

data/lib/rhales/security/csp.rb

@@ -47,10 +47,10 @@ module Rhales
 
       header = policy_directives.join('; ')
 
-      # Log CSP header generation for security audit
+      # Log CSP header generation for security audit. The nonce is a per-response
+      # secret, so log only whether one was used, never its value (issue #57).
       log_with_metadata(Rhales.logger, :debug, "CSP header generated",
         nonce_used: nonce_used,
-        nonce: @nonce,
         directive_count: policy_directives.size,
         header_length: header.length
       )
@@ -62,8 +62,9 @@ module Rhales
     def self.generate_nonce
       nonce = SecureRandom.hex(16)
 
-      # Log nonce generation for security audit trail
-      Rhales.logger.debug("CSP nonce generated: nonce=#{nonce} length=#{nonce.length} entropy_bits=#{nonce.length * 4}")
+      # Log nonce generation for security audit trail. Never log the nonce value
+      # itself — it is a per-response secret (issue #57).
+      Rhales.logger.debug("CSP nonce generated: length=#{nonce.length} entropy_bits=#{nonce.length * 4}")
 
       nonce
     end

data/lib/rhales/version.rb

@@ -5,6 +5,6 @@
 module Rhales
   # Version information for the RSFC gem
   unless defined?(Rhales::VERSION)
-    VERSION = '0.7.0'
+    VERSION = '0.7.1'
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rhales
 version: !ruby/object:Gem::Version
-  version: 0.7.0
+  version: 0.7.1
 platform: ruby
 authors:
 - delano