tina4ruby 0.5.2 → 3.2.1

data/lib/tina4/rack_app.rb

@@ -1,34 +1,39 @@
 # frozen_string_literal: true
 require "json"
+require "securerandom"
 
 module Tina4
   class RackApp
     STATIC_DIRS = %w[public src/public src/assets assets].freeze
 
-    # Pre-built frozen responses for zero-allocation fast paths
-    CORS_HEADERS = {
-      "access-control-allow-origin" => "*",
-      "access-control-allow-methods" => "GET, POST, PUT, PATCH, DELETE, OPTIONS",
-      "access-control-allow-headers" => "Content-Type, Authorization, Accept",
-      "access-control-max-age" => "86400"
-    }.freeze
+    # CORS is now handled by Tina4::CorsMiddleware
 
-    OPTIONS_RESPONSE = [204, CORS_HEADERS, [""]].freeze
+    # Framework's own public directory (bundled static assets like the logo)
+    FRAMEWORK_PUBLIC_DIR = File.expand_path("public", __dir__).freeze
 
     def initialize(root_dir: Dir.pwd)
       @root_dir = root_dir
       # Pre-compute static roots at boot (not per-request)
-      @static_roots = STATIC_DIRS.map { |d| File.join(root_dir, d) }
-                                  .select { |d| Dir.exist?(d) }
-                                  .freeze
+      # Project dirs are checked first; framework's bundled public dir is the fallback
+      project_roots = STATIC_DIRS.map { |d| File.join(root_dir, d) }
+                                 .select { |d| Dir.exist?(d) }
+      fallback = Dir.exist?(FRAMEWORK_PUBLIC_DIR) ? [FRAMEWORK_PUBLIC_DIR] : []
+      @static_roots = (project_roots + fallback).freeze
     end
 
     def call(env)
       method = env["REQUEST_METHOD"]
       path = env["PATH_INFO"] || "/"
+      request_start = Process.clock_gettime(Process::CLOCK_MONOTONIC)
 
-      # Fast-path: OPTIONS preflight (zero allocation)
-      return OPTIONS_RESPONSE if method == "OPTIONS"
+      # Fast-path: OPTIONS preflight
+      return Tina4::CorsMiddleware.preflight_response(env) if method == "OPTIONS"
+
+      # Dev dashboard routes (handled before anything else)
+      if path.start_with?("/__dev")
+        dev_response = Tina4::DevAdmin.handle_request(env)
+        return dev_response if dev_response
+      end
 
       # Fast-path: API routes skip static file + swagger checks entirely
       unless path.start_with?("/api/")
@@ -49,12 +54,43 @@ module Tina4
       result = Tina4::Router.find_route(path, method)
       if result
         route, path_params = result
-        handle_route(env, route, path_params)
+        rack_response = handle_route(env, route, path_params)
+        matched_pattern = route.path
       else
-        handle_404(path)
+        rack_response = handle_404(path)
+        matched_pattern = nil
+      end
+
+      # Capture request for dev inspector
+      if dev_mode? && !path.start_with?("/__dev")
+        duration_ms = ((Process.clock_gettime(Process::CLOCK_MONOTONIC) - request_start) * 1000).round(3)
+        Tina4::DevAdmin.request_inspector.capture(
+          method: method,
+          path: path,
+          status: rack_response[0],
+          duration: duration_ms
+        )
+      end
+
+      # Inject dev overlay button for HTML responses in dev mode
+      if dev_mode? && !path.start_with?("/__dev")
+        status, headers, body_parts = rack_response
+        content_type = headers["content-type"] || ""
+        if content_type.include?("text/html")
+          request_info = {
+            method: method,
+            path: path,
+            matched_pattern: matched_pattern || "(no match)",
+          }
+          joined = body_parts.join
+          overlay = inject_dev_overlay(joined, request_info)
+          rack_response = [status, headers, [overlay]]
+        end
       end
+
+      rack_response
     rescue => e
-      handle_500(e)
+      handle_500(e, env)
     end
 
     private
@@ -63,14 +99,42 @@ module Tina4
       # Auth check
       if route.auth_handler
         auth_result = route.auth_handler.call(env)
-        return handle_403 unless auth_result
+        return handle_403(env["PATH_INFO"] || "/") unless auth_result
       end
 
       request = Tina4::Request.new(env, path_params)
       response = Tina4::Response.new
 
-      # Execute handler
-      result = route.handler.call(request, response)
+      # Run per-route middleware
+      if route.respond_to?(:run_middleware)
+        unless route.run_middleware(request, response)
+          return [403, { "content-type" => "text/html" }, ["403 Forbidden"]]
+        end
+      end
+
+      # Execute handler — support (), (response), (request), or (request, response) signatures
+      # When 1 param: if named :request or :req, pass request; otherwise pass response
+      result = case route.handler.arity
+      when 0
+        route.handler.call
+      when 1
+        param_name = route.handler.parameters.first&.last
+        if param_name == :request || param_name == :req
+          route.handler.call(request)
+        else
+          route.handler.call(response)
+        end
+      else
+        route.handler.call(request, response)
+      end
+
+      # Template rendering: when a template is set and the handler returned a Hash,
+      # render the template with the hash as data and return the HTML response.
+      if route.template && result.is_a?(Hash)
+        html = Tina4::Template.render(route.template, result)
+        response.html(html)
+        return response.to_rack
+      end
 
       # Skip auto_detect if handler already returned the response object
       final_response = result.equal?(response) ? result : Tina4::Response.auto_detect(result, response)
@@ -129,22 +193,262 @@ module Tina4
       [200, { "content-type" => "application/json; charset=utf-8" }, [@openapi_json]]
     end
 
-    def handle_403
-      body = Tina4::Template.render_error(403) rescue "403 Forbidden"
+    def handle_403(path = "")
+      body = Tina4::Template.render_error(403, { "path" => path }) rescue "403 Forbidden"
       [403, { "content-type" => "text/html" }, [body]]
     end
 
     def handle_404(path)
-      Tina4::Debug.warning("404 Not Found: #{path}")
-      body = Tina4::Template.render_error(404) rescue "404 Not Found"
+      # Show landing page for GET "/" when no user route or template index exists
+      if path == "/" && should_show_landing_page?
+        return render_landing_page
+      end
+
+      Tina4::Log.warning("404 Not Found: #{path}")
+      body = Tina4::Template.render_error(404, { "path" => path }) rescue "404 Not Found"
       [404, { "content-type" => "text/html" }, [body]]
     end
 
-    def handle_500(error)
-      Tina4::Debug.error("500 Internal Server Error: #{error.message}")
-      Tina4::Debug.error(error.backtrace&.first(10)&.join("\n"))
-      body = Tina4::Template.render_error(500) rescue "500 Internal Server Error: #{error.message}"
+    def should_show_landing_page?
+      # Check if any index template exists in src/templates/
+      templates_dir = File.join(@root_dir, "src", "templates")
+      %w[index.html index.twig index.erb].none? { |f| File.file?(File.join(templates_dir, f)) }
+    end
+
+    def render_landing_page
+      port = ENV["PORT"] || "7145"
+
+      # Check deployed state for each gallery item
+      project_src = File.join(@root_dir, "src")
+      gallery_items = [
+        { id: "rest-api", name: "REST API", desc: "A simple JSON API with GET and POST endpoints", icon: "🚀", accent: "red", try_url: "/api/gallery/hello", file_check: "routes/api/gallery_hello.rb" },
+        { id: "orm", name: "ORM", desc: "Product model with CRUD endpoints", icon: "🗃", accent: "green", try_url: "/api/gallery/products", file_check: "routes/api/gallery_products.rb" },
+        { id: "auth", name: "Auth", desc: "JWT login form with token display", icon: "🔒", accent: "purple", try_url: "/gallery/auth", file_check: "routes/api/gallery_auth.rb" },
+        { id: "queue", name: "Queue", desc: "Background job producer and consumer", icon: "⚡", accent: "red", try_url: "/api/gallery/queue/produce", file_check: "routes/api/gallery_queue.rb" },
+        { id: "templates", name: "Templates", desc: "Twig template with dynamic data", icon: "📄", accent: "green", try_url: "/gallery/page", file_check: "routes/gallery_page.rb" },
+        { id: "database", name: "Database", desc: "Raw SQL queries with the Database class", icon: "📡", accent: "purple", try_url: "/api/gallery/db/tables", file_check: "routes/api/gallery_db.rb" },
+        { id: "error-overlay", name: "Error Overlay", desc: "See the rich debug error page with stack trace", icon: "💥", accent: "red", try_url: "/api/gallery/crash", file_check: "routes/api/gallery_crash.rb" }
+      ]
+
+      gallery_cards = gallery_items.map do |item|
+        deployed = File.file?(File.join(project_src, item[:file_check]))
+        deployed_badge = deployed ? '<span style="position:absolute;top:0.75rem;right:0.75rem;background:#22c55e;color:#fff;font-size:0.65rem;padding:0.15rem 0.5rem;border-radius:0.25rem;font-weight:600;">DEPLOYED</span>' : ''
+        try_btn = if deployed
+                    %(<a href="#{item[:try_url]}" class="gbtn gbtn-try" target="_blank">Try It</a>)
+                  else
+                    %(<button class="gbtn gbtn-deploy" onclick="deployGallery('#{item[:id]}','#{item[:try_url]}')">Deploy &amp; Try</button>)
+                  end
+        view_btn = %(<button class="gbtn gbtn-view" onclick="viewGallery('#{item[:id]}')">View</button>)
+
+        <<~CARD
+          <div class="gallery-card">
+              <div class="accent accent-#{item[:accent]}"></div>
+              #{deployed_badge}
+              <div class="icon">#{item[:icon]}</div>
+              <h3>#{item[:name]}</h3>
+              <p>#{item[:desc]}</p>
+              <div style="display:flex;gap:0.5rem;margin-top:0.75rem;">#{try_btn}#{view_btn}</div>
+          </div>
+        CARD
+      end.join
+
+      html = <<~HTML
+        <!DOCTYPE html>
+        <html lang="en">
+        <head>
+        <meta charset="utf-8">
+        <meta name="viewport" content="width=device-width, initial-scale=1">
+        <title>Tina4Ruby</title>
+        <style>
+        *{margin:0;padding:0;box-sizing:border-box}
+        body{font-family:-apple-system,BlinkMacSystemFont,'Segoe UI',Roboto,sans-serif;background:#0f172a;color:#e2e8f0;min-height:100vh;display:flex;flex-direction:column;align-items:center;position:relative}
+        .bg-watermark{position:fixed;bottom:-5%;right:-5%;width:45%;opacity:0.04;pointer-events:none;z-index:0}
+        .hero{text-align:center;z-index:1;padding:3rem 2rem 2rem}
+        .logo{width:120px;height:120px;margin-bottom:1.5rem}
+        h1{font-size:3rem;font-weight:700;margin-bottom:0.25rem;letter-spacing:-1px}
+        .tagline{color:#64748b;font-size:1.1rem;margin-bottom:2rem}
+        .actions{display:flex;gap:0.75rem;justify-content:center;flex-wrap:wrap;margin-bottom:2.5rem}
+        .btn{padding:0.6rem 1.5rem;border-radius:0.5rem;font-size:0.9rem;font-weight:600;cursor:pointer;text-decoration:none;transition:all 0.15s;border:1px solid #334155;color:#94a3b8;background:transparent;min-width:140px;text-align:center;display:inline-block}
+        .btn:hover{border-color:#64748b;color:#e2e8f0}
+        .status{display:flex;gap:2rem;justify-content:center;align-items:center;color:#64748b;font-size:0.85rem;margin-bottom:1.5rem}
+        .status .dot{width:8px;height:8px;border-radius:50%;background:#22c55e;display:inline-block;margin-right:0.4rem}
+        .footer{color:#334155;font-size:0.8rem;letter-spacing:0.5px}
+        .section{z-index:1;width:100%;max-width:800px;padding:0 2rem;margin-bottom:2.5rem}
+        .card{background:#1e293b;border-radius:0.75rem;padding:2rem;border:1px solid #334155}
+        .card h2{font-size:1.4rem;font-weight:600;margin-bottom:1.25rem;color:#e2e8f0}
+        .code-block{background:#0f172a;border-radius:0.5rem;padding:1.25rem;overflow-x:auto;font-family:'SF Mono',SFMono-Regular,Consolas,'Liberation Mono',Menlo,monospace;font-size:0.85rem;line-height:1.6;color:#4ade80;border:1px solid #1e293b}
+        .gallery{z-index:1;width:100%;max-width:900px;padding:0 2rem;margin-bottom:3rem}
+        .gallery h2{font-size:1.4rem;font-weight:600;margin-bottom:1.25rem;color:#e2e8f0;text-align:center}
+        .gallery-card{background:#1e293b;border:1px solid #334155;border-radius:0.75rem;padding:1.5rem;position:relative;overflow:hidden}
+        .gallery-card .accent{position:absolute;top:0;left:0;right:0;height:3px}
+        .gallery-card .accent-red{background:#CC342D}
+        .gallery-card .accent-green{background:#22c55e}
+        .gallery-card .accent-purple{background:#a78bfa}
+        .gallery-card .icon{font-size:1.5rem;margin-bottom:0.75rem}
+        .gallery-card h3{font-size:1rem;font-weight:600;margin-bottom:0.5rem;color:#e2e8f0}
+        .gallery-card p{font-size:0.85rem;color:#94a3b8;line-height:1.5}
+        .gbtn{padding:0.35rem 0.75rem;border-radius:0.375rem;font-size:0.75rem;font-weight:600;cursor:pointer;text-decoration:none;border:none;transition:all 0.15s}
+        .gbtn-try{background:#22c55e;color:#fff}
+        .gbtn-try:hover{background:#16a34a}
+        .gbtn-deploy{background:#CC342D;color:#fff}
+        .gbtn-deploy:hover{background:#a12a24}
+        .gbtn-view{background:transparent;color:#94a3b8;border:1px solid #334155}
+        .gbtn-view:hover{border-color:#64748b;color:#e2e8f0}
+        .view-modal{display:none;position:fixed;top:0;left:0;right:0;bottom:0;background:rgba(0,0,0,0.7);z-index:10000;align-items:center;justify-content:center}
+        .view-modal.active{display:flex}
+        .view-modal-content{background:#1e293b;border:1px solid #334155;border-radius:0.75rem;padding:2rem;max-width:700px;width:90%;max-height:80vh;overflow-y:auto;position:relative}
+        .view-modal-close{position:absolute;top:0.75rem;right:1rem;color:#94a3b8;cursor:pointer;font-size:1.25rem;background:none;border:none}
+        .view-modal-close:hover{color:#e2e8f0}
+        </style>
+        </head>
+        <body>
+        <img src="/images/tina4-logo-icon.webp" class="bg-watermark" alt="">
+        <div class="hero">
+            <img src="/images/tina4-logo-icon.webp" class="logo" alt="Tina4">
+            <h1>Tina4Ruby</h1>
+            <p class="tagline">This is not a framework</p>
+            <div class="actions">
+                <a href="https://tina4.com/ruby" class="btn" target="_blank">Website</a>
+                <a href="/__dev" class="btn">Dev Admin</a>
+                <a href="#gallery" class="btn">Gallery</a>
+                <a href="https://github.com/tina4stack/tina4-ruby" class="btn" target="_blank">GitHub</a>
+                <a href="https://github.com/tina4stack/tina4-ruby/stargazers" class="btn" target="_blank">&#11088; Star</a>
+            </div>
+            <div class="status">
+                <span><span class="dot"></span>Server running</span>
+                <span>Port #{port}</span>
+                <span>v#{Tina4::VERSION}</span>
+            </div>
+            <p class="footer">Zero dependencies &middot; Convention over configuration</p>
+        </div>
+        <div class="section">
+            <div class="card">
+                <h2>Getting Started</h2>
+                <pre class="code-block"><code><span style="color:#64748b"># app.rb</span>
+        <span style="color:#c084fc">require</span> <span style="color:#4ade80">"tina4"</span>
+
+        Tina4::Router.<span style="color:#38bdf8">get</span>(<span style="color:#4ade80">"/hello"</span>) <span style="color:#c084fc">do</span> |request, response|
+          response.<span style="color:#38bdf8">json</span>({ <span style="color:#fbbf24">message:</span> <span style="color:#4ade80">"Hello World!"</span> })
+        <span style="color:#c084fc">end</span>
+
+        Tina4::WebServer.new(<span style="color:#fbbf24">port:</span> <span style="color:#38bdf8">7145</span>).start  <span style="color:#64748b"># starts on port 7145</span></code></pre>
+            </div>
+        </div>
+        <div class="gallery">
+            <h2 id="gallery">Gallery</h2>
+            <div style="display:grid;grid-template-columns:repeat(auto-fit,minmax(280px,1fr));gap:1rem;">
+                #{gallery_cards}
+            </div>
+        </div>
+        <div class="view-modal" id="viewModal">
+            <div class="view-modal-content">
+                <button class="view-modal-close" onclick="document.getElementById('viewModal').classList.remove('active')">&times;</button>
+                <h3 id="viewModalTitle" style="margin-bottom:1rem;color:#e2e8f0;"></h3>
+                <div id="viewModalBody"></div>
+            </div>
+        </div>
+        <script>
+        function deployGallery(name, tryUrl) {
+            if (!confirm('Deploy the "' + name + '" gallery example into your project?')) return;
+            var btn = event.target;
+            btn.disabled = true;
+            btn.textContent = 'Deploying...';
+            fetch('/__dev/api/gallery/deploy', {
+                method: 'POST',
+                headers: {'Content-Type': 'application/json'},
+                body: JSON.stringify({ name: name })
+            }).then(function(r) { return r.json(); }).then(function(d) {
+                if (d.error) {
+                    alert('Deploy failed: ' + d.error);
+                    btn.disabled = false;
+                    btn.textContent = 'Deploy & Try';
+                } else {
+                    window.location.href = tryUrl;
+                }
+            }).catch(function(e) {
+                alert('Deploy error: ' + e.message);
+                btn.disabled = false;
+                btn.textContent = 'Deploy & Try';
+            });
+        }
+        function viewGallery(name) {
+            fetch('/__dev/api/gallery').then(function(r) { return r.json(); }).then(function(d) {
+                var item = (d.gallery || []).find(function(g) { return g.id === name; });
+                if (!item) { alert('Gallery item not found'); return; }
+                var title = document.getElementById('viewModalTitle');
+                var body = document.getElementById('viewModalBody');
+                title.textContent = item.name + ' — ' + item.description;
+                var html = '<p style="color:#94a3b8;margin-bottom:1rem;">Files that will be deployed:</p><ul style="list-style:none;padding:0;">';
+                (item.files || []).forEach(function(f) {
+                    html += '<li style="padding:0.25rem 0;color:#4ade80;font-family:monospace;font-size:0.85rem;">src/' + f + '</li>';
+                });
+                html += '</ul>';
+                if (item.try_url) {
+                    html += '<p style="color:#94a3b8;margin-top:1rem;">Try URL: <code style="color:#38bdf8;">' + item.try_url + '</code></p>';
+                }
+                body.innerHTML = html;
+                document.getElementById('viewModal').classList.add('active');
+            });
+        }
+        document.getElementById('viewModal').addEventListener('click', function(e) {
+            if (e.target === this) this.classList.remove('active');
+        });
+        </script>
+        </body>
+        </html>
+      HTML
+
+      [200, { "content-type" => "text/html; charset=utf-8" }, [html]]
+    end
+
+    def handle_500(error, env = nil)
+      Tina4::Log.error("500 Internal Server Error: #{error.message}")
+      Tina4::Log.error(error.backtrace&.first(10)&.join("\n"))
+      if dev_mode?
+        # Rich error overlay with stack trace, source context, and line numbers
+        body = Tina4::ErrorOverlay.render(error, request: env)
+      else
+        body = Tina4::Template.render_error(500, {
+          "error_message" => "#{error.message}\n#{error.backtrace&.first(10)&.join("\n")}",
+          "request_id" => SecureRandom.hex(6)
+        }) rescue "500 Internal Server Error: #{error.message}"
+      end
       [500, { "content-type" => "text/html" }, [body]]
     end
+
+    def dev_mode?
+      Tina4::Env.truthy?(ENV["TINA4_DEBUG"])
+    end
+
+    def inject_dev_overlay(body, request_info)
+      version = Tina4::VERSION
+      method = request_info[:method]
+      path = request_info[:path]
+      matched_pattern = request_info[:matched_pattern]
+      request_id = Tina4::Log.request_id || "-"
+      route_count = Tina4::Router.routes.length
+
+      toolbar = <<~HTML.strip
+        <div id="tina4-dev-toolbar" style="position:fixed;bottom:0;left:0;right:0;background:#333;color:#fff;font-family:monospace;font-size:12px;padding:6px 16px;z-index:99999;display:flex;align-items:center;gap:16px;">
+            <span style="color:#d32f2f;font-weight:bold;">Tina4 v#{version}</span>
+            <span style="color:#4caf50;">#{method}</span>
+            <span>#{path}</span>
+            <span style="color:#666;">&rarr; #{matched_pattern}</span>
+            <span style="color:#ffeb3b;">req:#{request_id}</span>
+            <span style="color:#90caf9;">#{route_count} routes</span>
+            <span style="color:#888;">Ruby #{RUBY_VERSION}</span>
+            <a href="#" onclick="(function(e){e.preventDefault();var p=document.getElementById('tina4-dev-panel');if(p){p.style.display=p.style.display==='none'?'block':'none';return;}var c=document.createElement('div');c.id='tina4-dev-panel';c.style.cssText='position:fixed;bottom:2rem;right:1rem;width:min(90vw,1200px);height:min(80vh,700px);z-index:99998;transition:all 0.2s';var f=document.createElement('iframe');f.src='/__dev';f.style.cssText='width:100%;height:100%;border:1px solid #CC342D;border-radius:0.5rem;box-shadow:0 8px 32px rgba(0,0,0,0.5);background:#0f172a';c.appendChild(f);document.body.appendChild(c);})(event)" style="color:#ef9a9a;margin-left:auto;text-decoration:none;cursor:pointer;">Dashboard &#8599;</a>
+            <span onclick="this.parentElement.style.display='none'" style="cursor:pointer;color:#888;margin-left:8px;">&#10005;</span>
+        </div>
+      HTML
+
+      if body.include?("</body>")
+        body.sub("</body>", "#{toolbar}\n</body>")
+      else
+        body + "\n" + toolbar
+      end
+    end
+
+
   end
 end

data/lib/tina4/rate_limiter.rb

@@ -0,0 +1,123 @@
+# frozen_string_literal: true
+
+module Tina4
+  class RateLimiter
+    DEFAULT_LIMIT = 100
+    DEFAULT_WINDOW = 60 # seconds
+
+    attr_reader :limit, :window
+
+    def initialize(limit: nil, window: nil)
+      @limit = (limit || ENV["TINA4_RATE_LIMIT"] || DEFAULT_LIMIT).to_i
+      @window = (window || ENV["TINA4_RATE_WINDOW"] || DEFAULT_WINDOW).to_i
+      @store = {}    # ip => [timestamps]
+      @mutex = Mutex.new
+      @last_cleanup = Time.now
+    end
+
+    # Check if the given IP is rate limited.
+    # Returns a hash with rate limit info:
+    #   { allowed: true/false, limit:, remaining:, reset:, retry_after: }
+    def check(ip)
+      now = Time.now
+      cleanup_if_needed(now)
+
+      @mutex.synchronize do
+        @store[ip] ||= []
+        entries = @store[ip]
+
+        # Remove expired entries (sliding window)
+        cutoff = now - @window
+        entries.reject! { |t| t < cutoff }
+
+        if entries.length >= @limit
+          # Rate limited
+          oldest = entries.first
+          reset_at = (oldest + @window).to_i
+          retry_after = [(oldest + @window - now).ceil, 1].max
+
+          {
+            allowed: false,
+            limit: @limit,
+            remaining: 0,
+            reset: reset_at,
+            retry_after: retry_after
+          }
+        else
+          entries << now
+
+          {
+            allowed: true,
+            limit: @limit,
+            remaining: @limit - entries.length,
+            reset: (now + @window).to_i,
+            retry_after: nil
+          }
+        end
+      end
+    end
+
+    # Convenience predicate
+    def rate_limited?(ip)
+      !check(ip)[:allowed]
+    end
+
+    # Apply rate limit headers to a response object and return 429 if exceeded.
+    # Returns [status, headers_hash] or nil if allowed.
+    def apply(ip, response)
+      result = check(ip)
+
+      # Always set rate limit headers
+      response.headers["X-RateLimit-Limit"] = result[:limit].to_s
+      response.headers["X-RateLimit-Remaining"] = result[:remaining].to_s
+      response.headers["X-RateLimit-Reset"] = result[:reset].to_s
+
+      unless result[:allowed]
+        response.headers["Retry-After"] = result[:retry_after].to_s
+        response.status_code = 429
+        response.headers["content-type"] = "application/json; charset=utf-8"
+        response.body = JSON.generate({
+          error: "Too Many Requests",
+          retry_after: result[:retry_after]
+        })
+        return false
+      end
+
+      true
+    end
+
+    # Reset tracking for a specific IP (useful for testing)
+    def reset!(ip = nil)
+      @mutex.synchronize do
+        if ip
+          @store.delete(ip)
+        else
+          @store.clear
+        end
+      end
+    end
+
+    # Returns current entry count (for monitoring)
+    def entry_count
+      @mutex.synchronize { @store.length }
+    end
+
+    private
+
+    # Clean up expired entries periodically (every window interval)
+    def cleanup_if_needed(now)
+      return if now - @last_cleanup < @window
+
+      @mutex.synchronize do
+        return if now - @last_cleanup < @window
+
+        cutoff = now - @window
+        @store.delete_if do |_ip, entries|
+          entries.reject! { |t| t < cutoff }
+          entries.empty?
+        end
+        @last_cleanup = now
+      end
+    end
+  end
+end