stipa 0.1.3 → 0.1.5

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4808a7cc4235af581c6e5bf34b072562ef8c3992d05b51d82659a9462e1c3395
-  data.tar.gz: ba5bf60d232d22a9e49a4cbb496e34f5272a85aaa4148b319269c6ae4df3258a
+  metadata.gz: cae685e56a311306ac9de5e6590a97811aeb1037c37c16c8fc1678414853df71
+  data.tar.gz: f5fe15523b603ec40905a278e78790b963498ee0aef45b3d431a16723a63493e
 SHA512:
-  metadata.gz: f9eea7112fdfda768ec2c5eb8272155b5eb5bf5b0ce8e4ac1be6b365574a2f727415372852cdefa5ac81d926d67c3004a3c24992d2ea5128e551bfbb067cf773
-  data.tar.gz: 12af42c56b74b227918e3c786c145bb71a17754a6f0a41192a2a451d352c949f88458d5212665e63ccb7d176d81fa4a6ddd0c69b0c2b2211757a568b1bd3470b
+  metadata.gz: 4eb79042d8771b8384f37191f0aa99ee5fc63a82b62fc0201be0d074b460c4d066484d6710b5fc659ec6ec0dd6a6be1d21bee6a97035f88155d3ff38a92f94bc
+  data.tar.gz: 3db21d82f8e03e20d343fb65092f12bf5f92034dac1eb15289e702c1f23ca62e18e28d4222f091839b33903df077ad18454e9c4674d36374408224b2631ca6e7

data/CHANGELOG.md

@@ -5,6 +5,37 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.1.5] - 2026-03-20
+
+### Added
+
+- **Hot reload** (`STIPA_RELOAD=1`) — background thread watches project `.rb` files and
+  restarts the process via `exec` when a change is detected
+- **Syntax guard** — if a changed file has a syntax error, the reloader logs the
+  problem and keeps watching; it will not restart until the error is fixed, preventing
+  the process from dying on a bad save
+- **`.gitignore` generation** — `stipa new` now writes a `.gitignore` covering Ruby,
+  Node/npm, OS artefacts, and Vue build output
+- **Automatic git init** — `stipa new` runs `git init && git add . && git commit` after
+  scaffolding so the project starts with a clean history
+- **`interface Window { _t0?: number }`** added to the generated `shims-vue.d.ts`
+
+### Fixed
+
+- **CORS header injection** — `Middleware::Cors` no longer reflects an arbitrary
+  `Origin` request header. Wildcard config sends the literal `*`; an explicit allowlist
+  only echoes origins that are in the list
+- **`instance_variable_set` removed** — the generated `MethodOverride` middleware now
+  uses the public `req.method =` setter instead of reaching into private state
+- **Shell-form `system()` calls** — all internal `git` invocations in the generator now
+  use array form (`system('git', 'init', '-q')`) so no shell is spawned and there is no
+  injection surface
+- **Default bind address changed from `0.0.0.0` to `127.0.0.1`** — the server and
+  generated templates now bind localhost-only by default; pass `host: '0.0.0.0'` to
+  expose on all interfaces
+- **`BadRequest` details no longer sent to the client** — the error message is logged
+  server-side; the response body is now the generic string `'Bad Request'`
+
 ## [0.1.0] - 2024-03-18
 
 ### Added

data/README.md

@@ -52,7 +52,7 @@ app.start(port: 3710)
 
 ```bash
 ruby server.rb
-# => Stīpa listening on 0.0.0.0:3710
+# => Stīpa listening on 127.0.0.1:3710
 ```
 
 ---
@@ -96,6 +96,16 @@ npm run build                    # compile Vue components
 bundle exec ruby server.rb
 ```
 
+Hot reload during development:
+
+```bash
+STIPA_RELOAD=1 bundle exec ruby server.rb
+```
+
+The reloader watches all `.rb` files under the project root. When a change is saved it
+restarts the process automatically. If the changed file has a syntax error the reloader
+logs the problem and keeps watching — the process will not die on a bad save.
+
 ---
 
 ## Routing
@@ -283,16 +293,17 @@ Build: `npm run build` → outputs `public/components/Counter.js`.
 
 ```ruby
 app.start(
-  host:              '0.0.0.0',
+  host:              '127.0.0.1', # default; use '0.0.0.0' to bind all interfaces
   port:              3710,
-  pool_size:         32,       # worker threads
-  queue_depth:       64,       # max queued jobs before backpressure
-  drain_timeout:     30,       # graceful shutdown wait (seconds)
+  pool_size:         32,          # worker threads
+  queue_depth:       64,          # max queued jobs before backpressure
+  drain_timeout:     30,          # graceful shutdown wait (seconds)
   keepalive_timeout: 5,
-  max_requests:      100,      # per connection
+  max_requests:      100,         # per connection
   max_body_size:     1_048_576,
-  backpressure:      :drop,    # :drop (503) or :block
+  backpressure:      :drop,       # :drop (503) or :block
   log_level:         :info,
+  reload:            false,       # or set STIPA_RELOAD=1 in the environment
 )
 ```
 
@@ -300,6 +311,19 @@ Handles `SIGTERM` / `SIGINT` with graceful drain.
 
 ---
 
+## Security notes
+
+- **Bind address** — the default `host: '127.0.0.1'` exposes the server only on
+  localhost. Set `host: '0.0.0.0'` (or the specific interface IP) when running behind a
+  reverse proxy or in a container.
+- **CORS** — `Middleware::Cors` never reflects an arbitrary `Origin` header back to the
+  client. Wildcard config (`origins: ['*']`) sends the literal `*`; an explicit list
+  only allows origins that are in the list.
+- **Hot reload** — `STIPA_RELOAD=1` is intended for development only. Do not enable it
+  in production.
+
+---
+
 ## License
 
 MIT

data/lib/stipa/connection.rb

@@ -146,8 +146,9 @@ module Stipa
     rescue BadRequest => e
       # Protocol violation — send 400 and close the connection.
       # Closing prevents further requests on a potentially corrupt stream.
+      @logger.warn("bad request peer=#{@peer}: #{e.message}")
       res.status = 400
-      res.body   = "Bad Request: #{e.message}"
+      res.body   = 'Bad Request'
       false
     rescue => e
       req_id = req.id || '-'

data/lib/stipa/generators/api.rb

@@ -52,7 +52,7 @@ module Stipa
 
           Routes.draw(app)
 
-          app.start(host: '0.0.0.0', port: 3710)
+          app.start(host: '127.0.0.1', port: 3710)
         RUBY
       end
 

data/lib/stipa/generators/base.rb

@@ -46,9 +46,9 @@ module Stipa
         return unless git_available?
 
         Dir.chdir(target) do
-          system('git init -q')
-          system('git add .')
-          system("git commit -q -m 'Initial commit'")
+          system('git', 'init', '-q')
+          system('git', 'add', '.')
+          system('git', 'commit', '-q', '-m', 'Initial commit')
         end
         say '  git     initialized repository with initial commit'
       rescue => e
@@ -62,7 +62,7 @@ module Stipa
       end
 
       def git_available?
-        system('git --version > /dev/null 2>&1')
+        system('git', '--version', out: File::NULL, err: File::NULL)
       end
 
       # ── Shared templates ───────────────────────────────────────────────────────
@@ -103,7 +103,7 @@ module Stipa
                 h[k] = URI.decode_www_form_component(v.to_s) if k
               end
               override = form['_method']&.upcase
-              req.instance_variable_set(:@method, override) if %w[PUT PATCH DELETE].include?(override)
+              req.method = override if %w[PUT PATCH DELETE].include?(override)
             end
             next_app.call(req, res)
           end

data/lib/stipa/generators/vue.rb

@@ -169,7 +169,7 @@ module Stipa
             res.json({ status: 'ok', framework: 'Stipa', version: Stipa::VERSION, ts: Time.now.utc.iso8601 })
           end
 
-          app.start(host: '0.0.0.0', port: 3710)
+          app.start(host: '127.0.0.1', port: 3710)
         RUBY
       end
 

data/lib/stipa/middleware.rb

@@ -102,16 +102,22 @@ module Stipa
       end
 
       def call(req, res)
-        origin  = req['origin'] || '*'
-        allowed = @origins.include?('*') || @origins.include?(origin)
+        origin  = req['origin']
+        wildcard = @origins.include?('*')
+        allowed  = wildcard || (origin && @origins.include?(origin))
 
         if allowed
-          res.set_header('Access-Control-Allow-Origin',  origin)
+          # Never reflect an arbitrary Origin back. When the allowlist is '*',
+          # set the header to the literal '*'. When using an explicit list, only
+          # echo origins that are actually in the list (already guaranteed by
+          # the `allowed` check above).
+          res.set_header('Access-Control-Allow-Origin',
+                         wildcard ? '*' : origin)
           res.set_header('Access-Control-Allow-Methods', @methods)
           res.set_header('Access-Control-Allow-Headers',
                          'Content-Type, Authorization, X-Request-Id')
           # Vary tells caches that the response differs by Origin
-          res.set_header('Vary', 'Origin')
+          res.set_header('Vary', 'Origin') unless wildcard
         end
 
         # OPTIONS preflight: respond immediately without hitting the router

data/lib/stipa/reloader.rb

@@ -44,21 +44,31 @@ module Stipa
     def watch_loop
       loop do
         sleep @interval
-        if changed?
+        dirty = dirty_files
+        next if dirty.empty?
+
+        bad = dirty.select { |f| f.end_with?('.rb') && !syntax_ok?(f) }
+        if bad.any?
+          bad.each { |f| @logger.warn("syntax error in #{f} — fix and save to restart") }
+          # Advance mtime only for clean files so bad ones stay dirty until fixed
+          (dirty - bad).each { |f| @mtimes[f] = mtime(f) }
+        else
+          dirty.each { |f| @mtimes[f] = mtime(f) }
           @logger.warn('file change detected — restarting')
           $stdout.flush
           $stderr.flush
-          exec($0, *ARGV)
+          perform_restart
         end
       end
     rescue => e
       @logger.error("reloader crashed: #{e.class}: #{e.message}")
     end
 
-    # Collect the current set of watched files: everything Ruby has loaded
-    # plus any extra paths the user specified.
+    # Watch only .rb files under the project root (Dir.pwd), plus any extra
+    # paths the user supplied. Avoids polling hundreds of gem files.
     def watched_files
-      ($LOADED_FEATURES + @extra).uniq
+      project_files = Dir.glob(File.join(Dir.pwd, '**', '*.rb'))
+      (project_files + @extra).uniq
     end
 
     def snapshot!
@@ -67,13 +77,25 @@ module Stipa
       end
     end
 
+    # Returns files whose mtime has changed since the last snapshot, without
+    # updating @mtimes (callers decide when to advance the snapshot).
+    def dirty_files
+      watched_files.select { |path| mtime(path) != @mtimes[path] }
+    end
+
+    # Kept for backwards compatibility with tests / external callers.
     def changed?
-      watched_files.any? do |path|
-        current = mtime(path)
-        previous = @mtimes[path]
-        @mtimes[path] = current
-        current != previous
-      end
+      dirty = dirty_files
+      dirty.each { |f| @mtimes[f] = mtime(f) }
+      dirty.any?
+    end
+
+    def syntax_ok?(path)
+      system(RbConfig.ruby, '-c', path, out: File::NULL, err: File::NULL)
+    end
+
+    def perform_restart
+      exec(RbConfig.ruby, $0, *ARGV)
     end
 
     def mtime(path)

data/lib/stipa/request.rb

@@ -23,8 +23,8 @@ module Stipa
     MAX_BODY_SIZE   = 1 * 1024 * 1024   #  1 MB default; configurable per-server
     VALID_METHODS   = %w[GET POST PUT PATCH DELETE HEAD OPTIONS TRACE CONNECT].freeze
 
-    attr_accessor :id, :params
-    attr_reader   :method, :path, :query_string, :http_version,
+    attr_accessor :id, :params, :method
+    attr_reader   :path, :query_string, :http_version,
                   :headers, :body, :bytes_in
 
     # Factory — called by Connection after reading the header block.

data/lib/stipa/server.rb

@@ -39,7 +39,7 @@ module Stipa
   #   3. server socket is closed in the ensure block of start
   class Server
     DEFAULT_CONFIG = {
-      host:                '0.0.0.0',
+      host:                '127.0.0.1',
       port:                3710,
       pool_size:           32,
       queue_depth:         64,

data/lib/stipa/version.rb

@@ -1,3 +1,3 @@
 module Stipa
-  VERSION = '0.1.3'
+  VERSION = '0.1.5'
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: stipa
 version: !ruby/object:Gem::Version
-  version: 0.1.3
+  version: 0.1.5
 platform: ruby
 authors:
 - Pedro Harbs