tina4ruby 3.13.3 → 3.13.5

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6806b64505d23caba2d53a7b08b1411aa1e0ca924ea883d660dedae1c81f5766
-  data.tar.gz: e168b0a72f99e8cab66c1532a0909d480e10e330c65104749ec8dafb4e26837d
+  metadata.gz: f5a305c0c2ee88795cac09fabe5c275165fb83d6da1d83bc301a8097660d711c
+  data.tar.gz: 68ee188aef588fd0e09d7779771de3eb47ed7ab5d9cfe426d3840b3015000064
 SHA512:
-  metadata.gz: fd1d7d614b01886cb2e70ffcd04503ce3155073350f70dc92e6414816c5993a39b63b91965f49c30ea3275a6c72b62eea510ba64db74db0384ad925d7bdb0b76
-  data.tar.gz: 745992728883c28e11d3716977a9bb9e5f58d4a043b7aa285c6dc8113b8c95d3ffef10ac7b52aa339ef0172c308687f6c3004926af1daf1f4a3737601c008994
+  metadata.gz: af2cb8dd1b51f7569d864aa41c4f0c52105696bea48e6c6fb50dd76b1d9bd11cf5e724cfdccb717bf5d42e2e84f032e10af1ada89ce9a3b74e660bc0a6f7c4f0
+  data.tar.gz: 75b8d8f25a7efcfb38606414e1457b3bdbf0bedbe3d1ee0ec3b5dea2ee0a58ddb5292a9f1078dc212a9cc43df0625122e3a288d2fb78437479cd15bc26efeecd

data/lib/tina4/frond.rb

@@ -21,6 +21,33 @@ module Tina4
   end
 
   class Frond
+    # -- Class-level registries ------------------------------------------------
+    # Persist globals, filters, and tests across hot-reloads and across module
+    # boundaries. When app.rb does ``Tina4::Frond.add_filter("money") { ... }``
+    # at startup before any instance exists, the registration sits here. Every
+    # subsequent ``Tina4::Frond.new`` drains these into its instance-local
+    # registries — so hot-reloads (which re-execute ``frond = Frond.new``) and
+    # late-constructed engines automatically inherit prior registrations.
+    #
+    # The same-name dual-callable (class + instance) methods below let callers
+    # write either ``Tina4::Frond.add_filter(...)`` (class-level only) or
+    # ``frond.add_filter(...)`` (updates both the class registry and the
+    # instance's live filter map). Parity with tina4-python's
+    # ``_ClassOrInstanceMethod`` descriptor.
+    @@class_filters = {}
+    @@class_globals = {}
+    @@class_tests   = {}
+
+    # Clear the class-level globals/filters/tests registries.
+    #
+    # Useful in test fixtures to prevent leaking state between tests. Does
+    # NOT affect built-in filters or globals — only user-registered ones.
+    def self.clear_registry
+      @@class_filters = {}
+      @@class_globals = {}
+      @@class_tests   = {}
+    end
+
     # -- Token types ----------------------------------------------------------
     TEXT    = :text
     VAR     = :var      # {{ ... }}
@@ -187,6 +214,16 @@ module Tina4
 
       # Built-in global functions
       register_builtin_globals
+
+      # Drain class-level registries into this instance. Filters and tests
+      # registered via ``Tina4::Frond.add_filter`` BEFORE this instance was
+      # constructed flow in here. Globals likewise. This is the key to the
+      # static-facade: ``app.rb`` registers once at startup, and every
+      # Frond instance created later (including those born from hot-reloads)
+      # automatically inherits the registration. Parity with tina4-python.
+      @filters.merge!(@@class_filters)
+      @globals.merge!(@@class_globals)
+      @tests.merge!(@@class_tests)
     end
 
     # Render a template file with data. Uses token caching for performance.
@@ -249,19 +286,61 @@ module Tina4
       @dotted_split_cache.clear
     end
 
+    # Register a custom filter on the class registry only.
+    #
+    # Callable as ``Tina4::Frond.add_filter("money") { |v| ... }`` at app
+    # startup BEFORE any instance exists. The registration is remembered at
+    # class level so every later ``Tina4::Frond.new`` inherits it. To also
+    # update a live instance's filter map, use the instance method form.
+    def self.add_filter(name, &blk)
+      @@class_filters[name.to_s] = blk
+    end
+
+    # Register a custom test on the class registry only.
+    #
+    # Same dual-callable semantics as ``add_filter`` — see that method for
+    # the static-facade pattern.
+    def self.add_test(name, &blk)
+      @@class_tests[name.to_s] = blk
+    end
+
+    # Register a global variable on the class registry only.
+    #
+    # Same dual-callable semantics as ``add_filter`` — see that method for
+    # the static-facade pattern.
+    def self.add_global(name, value)
+      @@class_globals[name.to_s] = value
+    end
+
     # Register a custom filter.
+    #
+    # Updates BOTH the class registry (so future ``Tina4::Frond.new`` picks
+    # the filter up) AND this instance's live filter map (so the change is
+    # visible to subsequent renders on the current engine).
     def add_filter(name, &blk)
+      self.class.add_filter(name, &blk)
       @filters[name.to_s] = blk
+      self
     end
 
     # Register a custom test.
+    #
+    # Updates BOTH the class registry and this instance's live tests map.
+    # See ``add_filter`` for the dual-write semantics.
     def add_test(name, &blk)
+      self.class.add_test(name, &blk)
       @tests[name.to_s] = blk
+      self
     end
 
     # Register a global variable available in all templates.
+    #
+    # Updates BOTH the class registry and this instance's live globals map.
+    # See ``add_filter`` for the dual-write semantics.
     def add_global(name, value)
+      self.class.add_global(name, value)
       @globals[name.to_s] = value
+      self
     end
 
     # Enable sandbox mode.

data/lib/tina4/mcp.rb

@@ -612,8 +612,12 @@ module Tina4
         line = err_lines.first.strip
         # Strip the absolute project_root prefix so the error reads
         # as "src/routes/foo.rb:3: syntax error, ..." instead of the
-        # full /Users/... path.
-        line.sub("#{project_root}/", "")
+        # full /Users/... path. Use gsub because Ruby 3.2's MRI parser
+        # double-prints the path — once as the file label prefix and
+        # once inside the (SyntaxError) reference — and the test asserts
+        # the absolute path appears nowhere in import_error.
+        # See: spec/mcp_spec.rb defensive file_write test (CI Ruby 3.2).
+        line.gsub("#{project_root}/", "")
       end
 
       redact_env = lambda do |key, value|

data/lib/tina4/rack_app.rb

@@ -108,22 +108,29 @@ module Tina4
       else
         # RFC 9110 conformance — before falling through to 404, check whether
         # the PATH is known to the router under any OTHER method.
-        #   - OPTIONS request → 204 with Allow header (§9.3.7)
+        #   - OPTIONS request → 204 with Allow header (§9.3.7). Bare OPTIONS
+        #     on an unknown path also returns 204 (empty Allow header) —
+        #     OPTIONS is a discovery method; rejecting unknown probes with
+        #     404 confuses link checkers and monitoring tools and breaks
+        #     CORS preflight that lacks the Origin/ACRM headers our earlier
+        #     fast-path requires. Matches PHP/Node behaviour. Fixes
+        #     spec/rack_app_spec.rb OPTIONS preflight.
         #   - Any other method (PUT on GET-only, TRACE, CONNECT, etc.)
-        #     → 405 with Allow header (§15.5.6 + §10.2.1)
+        #     → 405 with Allow header (§15.5.6 + §10.2.1) when the path
+        #     exists; → 404 when nothing about the path is known.
         allowed = Tina4::Router.methods_allowed_for_path(path)
-        if !allowed.empty?
+        if method.to_s.upcase == "OPTIONS"
+          allow_header = allowed.empty? ? "" : allowed.join(", ")
+          rack_response = [204, { "allow" => allow_header, "content-length" => "0" }, [""]]
+          matched_pattern = nil
+        elsif !allowed.empty?
           allow_header = allowed.join(", ")
-          if method.to_s.upcase == "OPTIONS"
-            rack_response = [204, { "allow" => allow_header, "content-length" => "0" }, [""]]
-          else
-            body = %({"error":"Method Not Allowed","path":"#{path}","method":"#{method}","allow":[#{allowed.map { |m| %("#{m}") }.join(",")}],"status":405})
-            rack_response = [405, {
-              "allow" => allow_header,
-              "content-type" => "application/json",
-              "content-length" => body.bytesize.to_s
-            }, [body]]
-          end
+          body = %({"error":"Method Not Allowed","path":"#{path}","method":"#{method}","allow":[#{allowed.map { |m| %("#{m}") }.join(",")}],"status":405})
+          rack_response = [405, {
+            "allow" => allow_header,
+            "content-type" => "application/json",
+            "content-length" => body.bytesize.to_s
+          }, [body]]
           matched_pattern = nil
         else
           rack_response = handle_404(path)
@@ -317,19 +324,43 @@ module Tina4
         end
       end
 
-      # Execute handler — inject path params by name, then request/response
+      # Build the route-handler call as a lambda so function-style
+      # middleware can wrap it. Path params are still bound by name —
+      # the continuation just forwards the (possibly-mutated)
+      # request/response pair the outer middleware chose to pass in.
       handler_params = route.handler.parameters.map(&:last)
       route_params = path_params || {}
-      args = handler_params.map do |name|
-        if route_params.key?(name)
-          route_params[name]
-        elsif name == :request || name == :req
-          request
-        else
-          response
+      invoke_handler = lambda do |req, resp|
+        args = handler_params.map do |name|
+          if route_params.key?(name)
+            route_params[name]
+          elsif name == :request || name == :req
+            req
+          else
+            resp
+          end
+        end
+        args.empty? ? route.handler.call : route.handler.call(*args)
+      end
+
+      # Fold any function-style middleware on this route into a
+      # Russian-doll chain wrapping the handler. First declared is the
+      # outermost layer — it receives the request first, calls
+      # next_handler to descend, and runs its "after" code on the way
+      # out. Class-based middleware (before_*/after_*) is handled
+      # separately by run_middleware above and never goes through here.
+      # tina4-book#141 PY-10-01 (cross-framework parity).
+      fn_mws = route.respond_to?(:function_middleware) ? route.function_middleware : []
+      if fn_mws.empty?
+        result = invoke_handler.call(request, response)
+      else
+        chain = invoke_handler
+        fn_mws.reverse_each do |mw|
+          inner = chain
+          chain = lambda { |req, resp| mw.call(req, resp, inner) }
         end
+        result = chain.call(request, response)
       end
-      result = args.empty? ? route.handler.call : route.handler.call(*args)
 
       # Template rendering: when a template is set and the handler returned a Hash,
       # render the template with the hash as data and return the HTML response.

data/lib/tina4/request.rb

@@ -35,6 +35,63 @@ module Tina4
     end
   end
 
+  # Hash subclass for HTTP headers — string keys are case-insensitive.
+  #
+  # HTTP header field-names are case-insensitive per RFC 7230 §3.2. With
+  # this class, request.headers["Content-Type"], .headers["content-type"],
+  # and .headers["CONTENT-TYPE"] all return the same value. Keys are
+  # stored lowercase internally.
+  #
+  # Cross-framework parity: same behaviour ships in tina4-python
+  # (CaseInsensitiveDict), tina4-php (Tina4\Request), tina4-nodejs
+  # (Tina4Request). tina4-book#141 PY-10-03 — chapter 10 examples
+  # documented headers["Content-Type"] for years; this makes them work.
+  class CaseInsensitiveHash < Hash
+    def [](key)
+      super(normalize_key(key))
+    end
+
+    def []=(key, value)
+      super(normalize_key(key), value)
+    end
+
+    def fetch(key, *args, &block)
+      super(normalize_key(key), *args, &block)
+    end
+
+    def key?(key)
+      super(normalize_key(key))
+    end
+    alias has_key? key?
+    alias include?  key?
+    alias member?   key?
+
+    def delete(key, &block)
+      super(normalize_key(key), &block)
+    end
+
+    def store(key, value)
+      super(normalize_key(key), value)
+    end
+
+    def merge(other)
+      result = dup
+      other.each { |k, v| result[k] = v }
+      result
+    end
+
+    def merge!(other)
+      other.each { |k, v| self[k] = v }
+      self
+    end
+
+    private
+
+    def normalize_key(key)
+      key.is_a?(String) ? key.downcase : key
+    end
+  end
+
   class Request
     attr_reader :env, :method, :path, :query_string, :content_type,
                 :path_params, :ip
@@ -139,7 +196,10 @@ module Tina4
     end
 
     def header(name)
-      headers[name.to_s.downcase.gsub("-", "_")]
+      # Headers are stored in a CaseInsensitiveHash keyed by lowercase-
+      # dashed names ("content-type", "x-api-key"). The hash normalises
+      # the lookup case automatically, so pass the dashed form through.
+      headers[name.to_s.tr("_", "-")]
     end
 
     def json_body
@@ -169,12 +229,22 @@ module Tina4
     end
 
     def extract_headers
-      h = {}
+      h = CaseInsensitiveHash.new
       @env.each do |key, value|
         if key.start_with?("HTTP_")
-          h[key[5..-1].downcase] = value
+          # Rack normalises "Content-Type" to "HTTP_CONTENT_TYPE" — we
+          # store as "content-type" (lowercase, dashed) so both
+          # headers["Content-Type"] and the legacy headers["content_type"]
+          # via the `header()` helper resolve to the same value. The
+          # CaseInsensitiveHash handles the case-insensitive part.
+          h[key[5..-1].tr("_", "-").downcase] = value
         end
       end
+      # CONTENT_TYPE / CONTENT_LENGTH live at the top level of the Rack
+      # env (no HTTP_ prefix per the Rack spec) — surface them too so
+      # request.headers["Content-Type"] works for POST bodies.
+      h["content-type"] = @env["CONTENT_TYPE"] if @env["CONTENT_TYPE"] && !@env["CONTENT_TYPE"].empty?
+      h["content-length"] = @env["CONTENT_LENGTH"] if @env["CONTENT_LENGTH"] && !@env["CONTENT_LENGTH"].to_s.empty?
       h
     end
 

data/lib/tina4/router.rb

@@ -17,9 +17,11 @@ module Tina4
       @swagger_meta = swagger_meta
       @middleware = middleware.freeze
       @template = template&.freeze
-      # Write routes are secure by default, unless custom middleware is registered
-      # (developer handles auth themselves via middleware)
-      @auth_required = %w[POST PUT PATCH DELETE].include?(@method) && middleware.empty?
+      # Write routes are secure by default — bearer-token auth is enforced
+      # on POST/PUT/PATCH/DELETE regardless of attached middleware.
+      # Middleware is additive, never an auth bypass. tina4-book#141
+      # PY-10-02. Call .no_auth on the route to opt out explicitly.
+      @auth_required = %w[POST PUT PATCH DELETE].include?(@method)
       @cached = false
       @param_names = []
       @path_regex = compile_pattern(@path)
@@ -50,13 +52,18 @@ module Tina4
     # Dual-mode: getter (no args) returns the middleware array;
     # setter (with args) appends middleware and returns self for chaining.
     # Router.post("/api") { ... }.middleware(AuthMiddleware)
+    #
+    # Middleware is purely additive — registering middleware NEVER flips
+    # @auth_required off. The secure-by-default gate for write methods
+    # (POST/PUT/PATCH/DELETE) stays in effect; if a route truly wants to
+    # opt out of the built-in bearer check, call .no_auth explicitly.
+    # tina4-book#141 PY-10-02 — previously, attaching ANY middleware
+    # silently turned off auth_required, which let attackers bypass auth
+    # by routing through a logging middleware. Cross-framework parity.
     def middleware(*middleware_classes)
       return @middleware if middleware_classes.empty?
 
       @middleware = @middleware.dup + middleware_classes
-      # Custom middleware means developer handles auth — disable built-in gate
-      # unless .secure was explicitly called.
-      @auth_required = false unless @auth_required
       self
     end
 
@@ -83,15 +90,50 @@ module Tina4
       end
     end
 
-    # Run per-route middleware chain; returns true if all pass
+    # Run per-route CLASS-based middleware. Function-style middleware
+    # (Proc/Lambda taking 3+ args: req, resp, next_handler) is skipped
+    # here — it's dispatched separately via #function_middleware which
+    # wraps the route handler in a continuation chain (see rack_app.rb).
+    #
+    # Returns true if all class-based middleware passed, false if any
+    # returned literal false (halt request).
     def run_middleware(request, response)
       @middleware.each do |mw|
+        next if Route.function_middleware?(mw)
         result = mw.call(request, response)
         return false if result == false
       end
       true
     end
 
+    # Function-style middleware attached to this route, in declaration
+    # order. The route dispatcher folds them into a Russian-doll
+    # continuation chain — first declared is the OUTERMOST layer (runs
+    # first on the way in, last on the way out). tina4-book#141
+    # PY-10-01 — chapter 10 documented 8+ examples of function middleware
+    # for years; before this fix the framework silently ignored them.
+    def function_middleware
+      @middleware.select { |mw| Route.function_middleware?(mw) }
+    end
+
+    # Detect Express/FastAPI-style function middleware.
+    #
+    # A Proc/Lambda/Method whose arity indicates 3+ positional params
+    # (req, resp, next_handler). Ruby arity quirk: required-args-only
+    # arity is non-negative; if the callable accepts a splat or
+    # optionals, arity is negated (-required-1). We treat arity >= 3
+    # OR arity <= -4 as function-style. Anything else (a class with
+    # before_*/after_* methods, or a 2-arg callable) is treated as
+    # class-style and goes through #run_middleware.
+    def self.function_middleware?(mw)
+      return false if mw.is_a?(Class) || mw.is_a?(Module)
+      return false unless mw.respond_to?(:arity)
+      ar = mw.arity
+      ar >= 3 || ar <= -4
+    rescue StandardError
+      false
+    end
+
     private
 
     def normalize_path(path)

data/lib/tina4/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Tina4
-  VERSION = "3.13.3"
+  VERSION = "3.13.5"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: tina4ruby
 version: !ruby/object:Gem::Version
-  version: 3.13.3
+  version: 3.13.5
 platform: ruby
 authors:
 - Tina4 Team
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2026-06-03 00:00:00.000000000 Z
+date: 2026-06-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack